12:27 p.m.
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
and...
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com> wrote:
Can you paste the command line invocation you are
running Vol with?
On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote:
I am using the 2.1 Windows standalone exe.
I have a dd image of memory from the subject operating system and when
I try
to use pslist with the Win2008SP1x86 profile I
get the following errors:
Traceback (most recent call last):
File "<string>", line 185, in <module>
File "<string>", line 176, in main
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
line 111, in execute
File "C:\volatility\volatility\plugins\taskmods.py", line 138, in
render_text
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
line 72, in pslist
File
"C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with
kdbgscan
When I try to verify my profile with kdbgscan I get the following for
all
profiles:
**************************************************
Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
Offset (V) : 0x8193ec90
Offset (P) : 0x193ec90
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2008SP1x86
Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
PsActiveProcessHead : 0x81954990 (0 processes)
PsLoadedModuleList : 0x8195ec70 (0 modules)
KernelBase : 0x81847000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 0
KPCR : 0x8193f800 (CPU 0)
KPCR : 0x803d1000 (CPU 1)
Any help would be greatly appreciated.
Jon
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
12:40 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
Hey Jon,
Was there any more output from kdbgscan (other than what you pasted in the
first email)? If so can you paste the entire output of kdbgscan, please?
The fact that psscan doesn't show results is definitely strange. What about
the modscan command?
Thanks!
MHL
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
and...
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Can you paste the command line invocation you are
running Vol with?
On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote:
I am using the 2.1 Windows standalone exe.
I have a dd image of memory from the subject operating system and when
I try
to use pslist with the Win2008SP1x86 profile I
get the following
errors:
Traceback (most recent call last):
File "<string>", line 185, in <module>
File "<string>", line 176, in main
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
line 111, in execute
File "C:\volatility\volatility\plugins\taskmods.py", line 138, in
render_text
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
line 72, in pslist
File
"C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with
kdbgscan
When I try to verify my profile with kdbgscan I get the following for
all
profiles:
**************************************************
Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
Offset (V) : 0x8193ec90
Offset (P) : 0x193ec90
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2008SP1x86
Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
PsActiveProcessHead : 0x81954990 (0 processes)
PsLoadedModuleList : 0x8195ec70 (0 modules)
KernelBase : 0x81847000 (Matches MZ: True)
Major (OptionalHeader) : 6
Minor (OptionalHeader) : 0
KPCR : 0x8193f800 (CPU 0)
KPCR : 0x803d1000 (CPU 1)
Any help would be greatly appreciated.
Jon
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
12:46 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
As far as modscan I also just get the header and nothing further.
On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh
<michael.hale(a)gmail.com>wrote:
Hey Jon,
Was there any more output from kdbgscan (other than what you pasted in the
first email)? If so can you paste the entire output of kdbgscan, please?
The fact that psscan doesn't show results is definitely strange. What
about the modscan command?
Thanks!
MHL
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
and...
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Can you paste the command line invocation you are
running Vol with?
On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote:
> I am using the 2.1 Windows standalone exe.
>
> I have a dd image of memory from the subject operating system and
when I try
> to use pslist with the Win2008SP1x86 profile I get the following
errors:
>
> Traceback (most recent call last):
> File "<string>", line 185, in <module>
> File "<string>", line 176, in main
> File
>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
> line 111, in execute
> File "C:\volatility\volatility\plugins\taskmods.py", line 138, in
> render_text
> File
>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
> line 72, in pslist
> File
"C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
> line 40, in processes
> AttributeError: Could not list tasks, please verify your --profile
with
> kdbgscan
>
>
> When I try to verify my profile with kdbgscan I get the following for
all
> profiles:
>
> **************************************************
> Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
> Offset (V) : 0x8193ec90
> Offset (P) : 0x193ec90
> KDBG owner tag check : True
> Profile suggestion (KDBGHeader): Win2008SP1x86
> Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
> Service Pack (CmNtCSDVersion) : 1
> Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
> PsActiveProcessHead : 0x81954990 (0 processes)
> PsLoadedModuleList : 0x8195ec70 (0 modules)
> KernelBase : 0x81847000 (Matches MZ: True)
> Major (OptionalHeader) : 6
> Minor (OptionalHeader) : 0
> KPCR : 0x8193f800 (CPU 0)
> KPCR : 0x803d1000 (CPU 1)
>
> Any help would be greatly appreciated.
>
> Jon
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
12:54 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
Hey Jon,
Was there any more output from kdbgscan (other than
what you pasted
in the first email)? If so can you paste the entire output of kdbgscan,
please?
You didn't answer that question above...does that mean there is *not* any
additional kdbgscan output other than what you pasted in the first email?
Any you're supplying --profile=Win2008SP1x86 to the psscan and modscan
commands also? What software was used to acquire the memory dump?
Thanks,
MHL
On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
As far as modscan I also just get the header and
nothing further.
On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh <
michael.hale(a)gmail.com> wrote:
Hey Jon,
Was there any more output from kdbgscan (other than what you pasted in
the first email)? If so can you paste the entire output of kdbgscan, please?
The fact that psscan doesn't show results is definitely strange. What
about the modscan command?
Thanks!
MHL
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
and...
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com> wrote:
> Can you paste the command line invocation you are running Vol with?
>
> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote:
> > I am using the 2.1 Windows standalone exe.
> >
> > I have a dd image of memory from the subject operating system and
> when I try
> > to use pslist with the Win2008SP1x86 profile I get the following
> errors:
> >
> > Traceback (most recent call last):
> > File "<string>", line 185, in <module>
> > File "<string>", line 176, in main
> > File
> >
> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
> > line 111, in execute
> > File "C:\volatility\volatility\plugins\taskmods.py", line 138, in
> > render_text
> > File
> >
>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
> > line 72, in pslist
> > File
> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
> > line 40, in processes
> > AttributeError: Could not list tasks, please verify your --profile
> with
> > kdbgscan
> >
> >
> > When I try to verify my profile with kdbgscan I get the following
> for all
> > profiles:
> >
> > **************************************************
> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
> > Offset (V) : 0x8193ec90
> > Offset (P) : 0x193ec90
> > KDBG owner tag check : True
> > Profile suggestion (KDBGHeader): Win2008SP1x86
> > Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
> > Service Pack (CmNtCSDVersion) : 1
> > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
> > PsActiveProcessHead : 0x81954990 (0 processes)
> > PsLoadedModuleList : 0x8195ec70 (0 modules)
> > KernelBase : 0x81847000 (Matches MZ: True)
> > Major (OptionalHeader) : 6
> > Minor (OptionalHeader) : 0
> > KPCR : 0x8193f800 (CPU 0)
> > KPCR : 0x803d1000 (CPU 1)
> >
> > Any help would be greatly appreciated.
> >
> > Jon
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users(a)volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >
>
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
12:59 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
The answer to that question was in previous email where I posted the entire
kdbgscan output. I believe the mdd was used to acquire the image.
On Wed, Aug 22, 2012 at 12:54 PM, Michael Hale Ligh
<michael.hale(a)gmail.com>wrote:
Hey Jon,
Was there any more output from kdbgscan (other
than what you pasted
in the first email)? If so can you paste the entire output of kdbgscan,
please?
You didn't answer that question above...does that mean there is *not* any
additional kdbgscan output other than what you pasted in the first email?
Any you're supplying --profile=Win2008SP1x86 to the psscan and modscan
commands also? What software was used to acquire the memory dump?
Thanks,
MHL
On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
As far as modscan I also just get the header and
nothing further.
On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh <
michael.hale(a)gmail.com> wrote:
Hey Jon,
Was there any more output from kdbgscan (other than what you pasted in
the first email)? If so can you paste the entire output of kdbgscan, please?
The fact that psscan doesn't show results is definitely strange. What
about the modscan command?
Thanks!
MHL
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
>
> and...
>
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
>
> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com>wrote:
>
>> Can you paste the command line invocation you are running Vol with?
>>
>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote:
>> > I am using the 2.1 Windows standalone exe.
>> >
>> > I have a dd image of memory from the subject operating system and
>> when I try
>> > to use pslist with the Win2008SP1x86 profile I get the following
>> errors:
>> >
>> > Traceback (most recent call last):
>> > File "<string>", line 185, in <module>
>> > File "<string>", line 176, in main
>> > File
>> >
>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>> > line 111, in execute
>> > File "C:\volatility\volatility\plugins\taskmods.py", line 138,
in
>> > render_text
>> > File
>> >
>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>> > line 72, in pslist
>> > File
>> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
>> > line 40, in processes
>> > AttributeError: Could not list tasks, please verify your --profile
>> with
>> > kdbgscan
>> >
>> >
>> > When I try to verify my profile with kdbgscan I get the following
>> for all
>> > profiles:
>> >
>> > **************************************************
>> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
>> > Offset (V) : 0x8193ec90
>> > Offset (P) : 0x193ec90
>> > KDBG owner tag check : True
>> > Profile suggestion (KDBGHeader): Win2008SP1x86
>> > Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
>> > Service Pack (CmNtCSDVersion) : 1
>> > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
>> > PsActiveProcessHead : 0x81954990 (0 processes)
>> > PsLoadedModuleList : 0x8195ec70 (0 modules)
>> > KernelBase : 0x81847000 (Matches MZ: True)
>> > Major (OptionalHeader) : 6
>> > Minor (OptionalHeader) : 0
>> > KPCR : 0x8193f800 (CPU 0)
>> > KPCR : 0x803d1000 (CPU 1)
>> >
>> > Any help would be greatly appreciated.
>> >
>> > Jon
>> >
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users(a)volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
>>
>
>
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
1:02 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
Cool, no worries. I'm guessing it was missed in the crossfire.
Just looking at your directory listing I might have guessed it was
FTK: G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd
of course I could be wrong since "AD" may refer to something else...
Try as many "scanning" plugins as you can muster and see if anything
comes out while we think of something else. BTW, we aren't helping
you cheat are we? ;-) The thought occurred to me that this sample
could be intentionally broken.
On Wed, Aug 22, 2012 at 12:59 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
The answer to that question was in previous email
where I posted the entire
kdbgscan output. I believe the mdd was used to acquire the image.
On Wed, Aug 22, 2012 at 12:54 PM, Michael Hale Ligh <michael.hale(a)gmail.com>
wrote:
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
Hey Jon,
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Was there any more output from kdbgscan (other
than what you pasted
in the first email)? If so can you paste the entire output of kdbgscan,
please?
You didn't answer that question above...does that mean there is *not* any
additional kdbgscan output other than what you pasted in the first email?
Any you're supplying --profile=Win2008SP1x86 to the psscan and modscan
commands also? What software was used to acquire the memory dump?
Thanks,
MHL
On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
As far as modscan I also just get the header and nothing further.
On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
Hey Jon,
Was there any more output from kdbgscan (other than what you pasted in
the first email)? If so can you paste the entire output of kdbgscan, please?
The fact that psscan doesn't show results is definitely strange. What
about the modscan command?
Thanks!
MHL
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
>
>
>
> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
>>
>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
>>
>> and...
>>
>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
>>
>> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com>
>> wrote:
>>>
>>> Can you paste the command line invocation you are running Vol with?
>>>
>>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote:
>>> > I am using the 2.1 Windows standalone exe.
>>> >
>>> > I have a dd image of memory from the subject operating system and
>>> > when I try
>>> > to use pslist with the Win2008SP1x86 profile I get the following
>>> > errors:
>>> >
>>> > Traceback (most recent call last):
>>> > File "<string>", line 185, in <module>
>>> > File "<string>", line 176, in main
>>> > File
>>> >
>>> >
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>>> > line 111, in execute
>>> > File "C:\volatility\volatility\plugins\taskmods.py", line
138, in
>>> > render_text
>>> > File
>>> >
>>> >
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>>> > line 72, in pslist
>>> > File
>>> >
"C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
>>> > line 40, in processes
>>> > AttributeError: Could not list tasks, please verify your --profile
>>> > with
>>> > kdbgscan
>>> >
>>> >
>>> > When I try to verify my profile with kdbgscan I get the following
>>> > for all
>>> > profiles:
>>> >
>>> > **************************************************
>>> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
>>> > Offset (V) : 0x8193ec90
>>> > Offset (P) : 0x193ec90
>>> > KDBG owner tag check : True
>>> > Profile suggestion (KDBGHeader): Win2008SP1x86
>>> > Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
>>> > Service Pack (CmNtCSDVersion) : 1
>>> > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
>>> > PsActiveProcessHead : 0x81954990 (0 processes)
>>> > PsLoadedModuleList : 0x8195ec70 (0 modules)
>>> > KernelBase : 0x81847000 (Matches MZ: True)
>>> > Major (OptionalHeader) : 6
>>> > Minor (OptionalHeader) : 0
>>> > KPCR : 0x8193f800 (CPU 0)
>>> > KPCR : 0x803d1000 (CPU 1)
>>> >
>>> > Any help would be greatly appreciated.
>>> >
>>> > Jon
>>> >
>>> > _______________________________________________
>>> > Vol-users mailing list
>>> > Vol-users(a)volatilityfoundation.org
>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>> >
>>
>>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
1:07 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
No cheating taking place. I am teaching the class. I just started to have
the students use vol for memory analysis. It worked on two other images
from the same scenario, which I would think were acquired the same way. One
was a Vista box and the other Win2K3.
On Wed, Aug 22, 2012 at 1:02 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
Cool, no worries. I'm guessing it was missed in
the crossfire.
Just looking at your directory listing I might have guessed it was
FTK: G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd
of course I could be wrong since "AD" may refer to something else...
Try as many "scanning" plugins as you can muster and see if anything
comes out while we think of something else. BTW, we aren't helping
you cheat are we? ;-) The thought occurred to me that this sample
could be intentionally broken.
On Wed, Aug 22, 2012 at 12:59 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
The answer to that question was in previous email
where I posted the
entire
kdbgscan output. I believe the mdd was used to
acquire the image.
On Wed, Aug 22, 2012 at 12:54 PM, Michael Hale Ligh <
michael.hale(a)gmail.com>
wrote:
>
> Hey Jon,
>
> > Was there any more output from kdbgscan (other than what you pasted
> > in the first email)? If so can you paste the entire output of
kdbgscan,
> > please?
>
> You didn't answer that question above...does that mean there is *not*
any
> additional kdbgscan output other than what
you pasted in the first
email?
>
> Any you're supplying --profile=Win2008SP1x86 to the psscan and modscan
> commands also? What software was used to acquire the memory dump?
>
> Thanks,
> MHL
>
> On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
>>
>> As far as modscan I also just get the header and nothing further.
>>
>>
>> On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh
>> <michael.hale(a)gmail.com> wrote:
>>>
>>> Hey Jon,
>>>
>>> Was there any more output from kdbgscan (other than what you pasted in
>>> the first email)? If so can you paste the entire output of kdbgscan,
please?
>>>
>>> The fact that psscan doesn't show results is definitely strange. What
>>> about the modscan command?
>>>
>>> Thanks!
>>> MHL
>>>
>>>
>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com>
wrote:
>>>>
>>>>
>>>>
>>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com>
wrote:
>>>>>
>>>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe
-f
>>>>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86
kdbgscan
>>>>>>
>>>>>> and...
>>>>>
>>>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe
-f
>>>>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86
pslist
>>>>>
>>>>> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case
<atcuno(a)gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> Can you paste the command line invocation you are running Vol
with?
>>>>>>
>>>>>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson
<dotcop(a)gmail.com>
wrote:
>>>>>> > I am using the 2.1
Windows standalone exe.
>>>>>> >
>>>>>> > I have a dd image of memory from the subject operating
system and
>>>>>> > when I try
>>>>>> > to use pslist with the Win2008SP1x86 profile I get the
following
>>>>>> > errors:
>>>>>> >
>>>>>> > Traceback (most recent call last):
>>>>>> > File "<string>", line 185, in
<module>
>>>>>> > File "<string>", line 176, in main
>>>>>> > File
>>>>>> >
>>>>>> >
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>>>>>> > line 111, in
execute
>>>>>> > File
"C:\volatility\volatility\plugins\taskmods.py", line 138,
in
>>>>>> > render_text
>>>>>> > File
>>>>>> >
>>>>>> >
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>>>>>> > line 72, in pslist
>>>>>> > File
>>>>>> >
"C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
>>>>>> > line 40, in
processes
>>>>>> > AttributeError: Could not list tasks, please verify your
--profile
>>>>>> > with
>>>>>> > kdbgscan
>>>>>> >
>>>>>> >
>>>>>> > When I try to verify my profile with kdbgscan I get the
following
>>>>>> > for all
>>>>>> > profiles:
>>>>>> >
>>>>>> > **************************************************
>>>>>> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001
32bit)
>>>>>> > Offset (V)
: 0x8193ec90
>>>>>> > Offset (P) : 0x193ec90
>>>>>> > KDBG owner tag check : True
>>>>>> > Profile suggestion (KDBGHeader): Win2008SP1x86
>>>>>> > Version64 : 0x8193ec68 (Major: 15,
Minor:
6001)
>>>> > Service Pack (CmNtCSDVersion) :
1
>>>> > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
>>>> > PsActiveProcessHead : 0x81954990 (0 processes)
>>>> > PsLoadedModuleList : 0x8195ec70 (0 modules)
>>>> > KernelBase : 0x81847000 (Matches MZ: True)
>>>> > Major (OptionalHeader) : 6
>>>> > Minor (OptionalHeader) : 0
>>>> > KPCR : 0x8193f800 (CPU 0)
>>>> > KPCR : 0x803d1000 (CPU 1)
>>>> >
>>>> > Any help would be greatly appreciated.
>>>> >
>>>> > Jon
>>>> >
>>>> > _______________________________________________
>>>> > Vol-users mailing list
>>>> > Vol-users(a)volatilityfoundation.org
>>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>> >
>>>
>>>
>>
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>
1:54 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
psscan, modscan, driverscan, filescan, mutantscan, symlinkscan, thrdscan,
and netscan produced no output other than the header.
impscan, svcscan, and cmdscan all returned errors. hivescan returned a
bunch of offsets with no other info:
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=VistaSP1x86
--kdbg=0x8193ec90 cmdscan
Volatile Systems Volatility Framework 2.1
Traceback (most recent call last):
File "<string>", line 185, in <module>
File "<string>", line 176, in main
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
line 111, in execute
File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line 670,
in render_text
File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line 656,
in calculate
File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line 624,
in cmdhistory_process_filter
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
line 72, in pslist
File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with
kdbgscan
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
=VistaSP1x86 --kdbg=0x8193ec90 hivescan
Volatile Systems Volatility Framework 2.1
Offset(P)
----------
0x00553008
0x01ca9008
0x01d09008
0x0cbea008
0x4072b008
0x48c31008
0x4cdfa008
0x4f4ee008
0x53217850
0x5841d008
0x62aa0008
0x6dc6a850
0x7d5a6850
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
=VistaSP1x86 --kdbg=0x8193ec90 svcscan
Volatile Systems Volatility Framework 2.1
Traceback (most recent call last):
File "<string>", line 185, in <module>
File "<string>", line 176, in main
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
line 111, in execute
File "C:\volatility\volatility\plugins\malware\svcscan.py", line 307, in
render_text
File "C:\volatility\volatility\plugins\malware\svcscan.py", line 271, in
calculate
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
line 72, in pslist
File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with
kdbgscan
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
=VistaSP1x86 --kdbg=0x8193ec90 impscan
Volatile Systems Volatility Framework 2.1
IAT Call Module Function
---------- ---------- -------------------- --------
Traceback (most recent call last):
File "<string>", line 185, in <module>
File "<string>", line 176, in main
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
line 111, in execute
File "C:\volatility\volatility\plugins\malware\impscan.py", line 361, in
render_text
File "C:\volatility\volatility\plugins\malware\impscan.py", line 253, in
calculate
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
line 72, in pslist
File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with
kdbgscan
On Wed, Aug 22, 2012 at 1:02 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
Cool, no worries. I'm guessing it was missed in
the crossfire.
Just looking at your directory listing I might have guessed it was
FTK: G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd
of course I could be wrong since "AD" may refer to something else...
Try as many "scanning" plugins as you can muster and see if anything
comes out while we think of something else. BTW, we aren't helping
you cheat are we? ;-) The thought occurred to me that this sample
could be intentionally broken.
On Wed, Aug 22, 2012 at 12:59 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
The answer to that question was in previous email
where I posted the
entire
kdbgscan output. I believe the mdd was used to
acquire the image.
On Wed, Aug 22, 2012 at 12:54 PM, Michael Hale Ligh <
michael.hale(a)gmail.com>
wrote:
>
> Hey Jon,
>
> > Was there any more output from kdbgscan (other than what you pasted
> > in the first email)? If so can you paste the entire output of
kdbgscan,
> > please?
>
> You didn't answer that question above...does that mean there is *not*
any
> additional kdbgscan output other than what
you pasted in the first
email?
>
> Any you're supplying --profile=Win2008SP1x86 to the psscan and modscan
> commands also? What software was used to acquire the memory dump?
>
> Thanks,
> MHL
>
> On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
>>
>> As far as modscan I also just get the header and nothing further.
>>
>>
>> On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh
>> <michael.hale(a)gmail.com> wrote:
>>>
>>> Hey Jon,
>>>
>>> Was there any more output from kdbgscan (other than what you pasted in
>>> the first email)? If so can you paste the entire output of kdbgscan,
please?
>>>
>>> The fact that psscan doesn't show results is definitely strange. What
>>> about the modscan command?
>>>
>>> Thanks!
>>> MHL
>>>
>>>
>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com>
wrote:
>>>>
>>>>
>>>>
>>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com>
wrote:
>>>>>
>>>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe
-f
>>>>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86
kdbgscan
>>>>>>
>>>>>> and...
>>>>>
>>>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe
-f
>>>>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86
pslist
>>>>>
>>>>> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case
<atcuno(a)gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> Can you paste the command line invocation you are running Vol
with?
>>>>>>
>>>>>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson
<dotcop(a)gmail.com>
wrote:
>>>>>> > I am using the 2.1
Windows standalone exe.
>>>>>> >
>>>>>> > I have a dd image of memory from the subject operating
system and
>>>>>> > when I try
>>>>>> > to use pslist with the Win2008SP1x86 profile I get the
following
>>>>>> > errors:
>>>>>> >
>>>>>> > Traceback (most recent call last):
>>>>>> > File "<string>", line 185, in
<module>
>>>>>> > File "<string>", line 176, in main
>>>>>> > File
>>>>>> >
>>>>>> >
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>>>>>> > line 111, in
execute
>>>>>> > File
"C:\volatility\volatility\plugins\taskmods.py", line 138,
in
>>>>>> > render_text
>>>>>> > File
>>>>>> >
>>>>>> >
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>>>>>> > line 72, in pslist
>>>>>> > File
>>>>>> >
"C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
>>>>>> > line 40, in
processes
>>>>>> > AttributeError: Could not list tasks, please verify your
--profile
>>>>>> > with
>>>>>> > kdbgscan
>>>>>> >
>>>>>> >
>>>>>> > When I try to verify my profile with kdbgscan I get the
following
>>>>>> > for all
>>>>>> > profiles:
>>>>>> >
>>>>>> > **************************************************
>>>>>> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001
32bit)
>>>>>> > Offset (V)
: 0x8193ec90
>>>>>> > Offset (P) : 0x193ec90
>>>>>> > KDBG owner tag check : True
>>>>>> > Profile suggestion (KDBGHeader): Win2008SP1x86
>>>>>> > Version64 : 0x8193ec68 (Major: 15,
Minor:
6001)
>>>> > Service Pack (CmNtCSDVersion) :
1
>>>> > Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
>>>> > PsActiveProcessHead : 0x81954990 (0 processes)
>>>> > PsLoadedModuleList : 0x8195ec70 (0 modules)
>>>> > KernelBase : 0x81847000 (Matches MZ: True)
>>>> > Major (OptionalHeader) : 6
>>>> > Minor (OptionalHeader) : 0
>>>> > KPCR : 0x8193f800 (CPU 0)
>>>> > KPCR : 0x803d1000 (CPU 1)
>>>> >
>>>> > Any help would be greatly appreciated.
>>>> >
>>>> > Jon
>>>> >
>>>> > _______________________________________________
>>>> > Vol-users mailing list
>>>> > Vol-users(a)volatilityfoundation.org
>>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>> >
>>>
>>>
>>
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>
6:39 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
Hey Jon,
On Wed, Aug 22, 2012 at 1:54 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
psscan, modscan, driverscan, filescan, mutantscan,
symlinkscan, thrdscan,
and netscan produced no output other than the header.
So the main three reasons I can think of for these scanners failing are:
1) the image is corrupt (i.e. the acquisition tool didn't capture several
areas of memory)
2) malware modified pool tags (i.e. DKOM)
3) the wrong profile is being used
So they are all possibilities, but let's discuss their likelihood. #1 is
unlikely IMO because kdbgscan was able to print lines like these:
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
Those values are extracted from the ntoskrnl.exe kernel driver, which means
at least one module is in memory...yet modscan doesn't pick it up. #2 is
unlikely because malware that uses DKOM typically does so to hide an
individual process, not overwrite an object's pool tags (although its
possible). Plus I'd expect if malware did overwrite pool tags, it would do
it for certain objects only (i.e. just processes and threads or just
network objects) and not all tags associated with all objects. #3 is
unlikely - we know from kdbgscan output that its SP1 something. We know its
x86 and not x64 because kdbgscan is able to find a valid DTB. Out of the
kdbgscan suggestions, you've already tried both VistaSP1x86 and
Win2008SP1x86 and neither seemed to work.
So pretty strange, I don't know what the problem is at this point. If its
just a testing/training image (i.e. doesn't contain sensitive information)
and you can share it with the volatility dev team, we'll be glad to take a
look and report back what we find. That would reduce the number of emails
back and forth and is probably your best bet to figuring it out. If you
want, we have private drop boxes where you can upload the image and it will
only be accessible by a few devs. Let me know.
impscan, svcscan, and cmdscan all returned errors.
That makes sense. Although they have "scan" in the name, these three
plugins scan process memory as opposed to the ones you listed above
(psscan, modscan, etc...). Thus if no processes can be found (i.e. pslist
fails) then all 3 of these will fail with the same error.
hivescan returned a bunch of offsets with no other
info
That's OK. The output of hivescan is supposed to only contain offsets. See
[1]. Perhaps you could try hivelist which lists the offsets plus the path
to the hive. See [2].
[1]. http://code.google.com/p/volatility/wiki/CommandReference21#hivescan
[2]. http://code.google.com/p/volatility/wiki/CommandReference21#hivelist
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=VistaSP1x86
--kdbg=0x8193ec90 cmdscan
Volatile Systems Volatility Framework 2.1
Traceback (most recent call last):
File "<string>", line 185, in <module>
File "<string>", line 176, in main
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
line 111, in execute
File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line 670,
in render_text
File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line 656,
in calculate
File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line 624,
in cmdhistory_process_filter
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
line 72, in pslist
File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with
kdbgscan
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
=VistaSP1x86 --kdbg=0x8193ec90 hivescan
Volatile Systems Volatility Framework 2.1
Offset(P)
----------
0x00553008
0x01ca9008
0x01d09008
0x0cbea008
0x4072b008
0x48c31008
0x4cdfa008
0x4f4ee008
0x53217850
0x5841d008
0x62aa0008
0x6dc6a850
0x7d5a6850
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
=VistaSP1x86 --kdbg=0x8193ec90 svcscan
Volatile Systems Volatility Framework 2.1
Traceback (most recent call last):
File "<string>", line 185, in <module>
File "<string>", line 176, in main
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
line 111, in execute
File "C:\volatility\volatility\plugins\malware\svcscan.py", line 307, in
render_text
File "C:\volatility\volatility\plugins\malware\svcscan.py", line 271, in
calculate
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
line 72, in pslist
File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with
kdbgscan
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
=VistaSP1x86 --kdbg=0x8193ec90 impscan
Volatile Systems Volatility Framework 2.1
IAT Call Module Function
---------- ---------- -------------------- --------
Traceback (most recent call last):
File "<string>", line 185, in <module>
File "<string>", line 176, in main
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
line 111, in execute
File "C:\volatility\volatility\plugins\malware\impscan.py", line 361, in
render_text
File "C:\volatility\volatility\plugins\malware\impscan.py", line 253, in
calculate
File
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
line 72, in pslist
File "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
line 40, in processes
AttributeError: Could not list tasks, please verify your --profile with
kdbgscan
On Wed, Aug 22, 2012 at 1:02 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
Cool, no worries. I'm guessing it was missed
in the crossfire.
Just looking at your directory listing I might have guessed it was
FTK: G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd
of course I could be wrong since "AD" may refer to something else...
Try as many "scanning" plugins as you can muster and see if anything
comes out while we think of something else. BTW, we aren't helping
you cheat are we? ;-) The thought occurred to me that this sample
could be intentionally broken.
On Wed, Aug 22, 2012 at 12:59 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
The answer to that question was in previous email
where I posted the
entire
kdbgscan output. I believe the mdd was used to
acquire the image.
On Wed, Aug 22, 2012 at 12:54 PM, Michael Hale Ligh <
michael.hale(a)gmail.com>
wrote:
>
> Hey Jon,
>
> > Was there any more output from kdbgscan (other than what you pasted
> > in the first email)? If so can you paste the entire output of
kdbgscan,
> > please?
>
> You didn't answer that question above...does that mean there is *not*
any
> additional kdbgscan output other than what
you pasted in the first
email?
>
> Any you're supplying --profile=Win2008SP1x86 to the psscan and modscan
> commands also? What software was used to acquire the memory dump?
>
> Thanks,
> MHL
>
> On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
>>
>> As far as modscan I also just get the header and nothing further.
>>
>>
>> On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh
>> <michael.hale(a)gmail.com> wrote:
>>>
>>> Hey Jon,
>>>
>>> Was there any more output from kdbgscan (other than what you pasted
in
>>> the first email)? If so can you paste
the entire output of kdbgscan,
please?
>>>
>>> The fact that psscan doesn't show results is definitely strange. What
>>> about the modscan command?
>>>
>>> Thanks!
>>> MHL
>>>
>>>
>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com>
wrote:
>>>>
>>>>
>>>>
>>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com>
wrote:
>>>>>
>>>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe
-f
>>>>>
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86
kdbgscan
>>>>>>
>>>>>> and...
>>>>>
>>>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe
-f
>>>>>
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86
pslist
>>>>>
>>>>> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case
<atcuno(a)gmail.com>
>>>>> wrote:
>>>>>>
>>>>>> Can you paste the command line invocation you are running Vol
with?
>>>>>>
>>>>>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson
<dotcop(a)gmail.com>
wrote:
>>>>>> > I am using the 2.1
Windows standalone exe.
>>>>>> >
>>>>>> > I have a dd image of memory from the subject operating
system
and
>>>>>> > when I try
>>>>>> > to use pslist with the Win2008SP1x86 profile I get the
following
>>>>>> > errors:
>>>>>> >
>>>>>> > Traceback (most recent call last):
>>>>>> > File "<string>", line 185, in
<module>
>>>>>> > File "<string>", line 176, in main
>>>>>> > File
>>>>>> >
>>>>>> >
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>>>>>> > line 111, in
execute
>>>>>> > File
"C:\volatility\volatility\plugins\taskmods.py", line
138, in
>>>>>> > render_text
>>>>>> > File
>>>>>> >
>>>>>> >
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>>>>>> > line 72, in pslist
>>>>>> > File
>>>>>> >
"C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
>>>>>> > line 40, in
processes
>>>>>> > AttributeError: Could not list tasks, please verify your
--profile
>>>>>> > with
>>>>>> > kdbgscan
>>>>>> >
>>>>>> >
>>>>>> > When I try to verify my profile with kdbgscan I get the
following
>>>>>> > for all
>>>>>> > profiles:
>>>>>> >
>>>>>> > **************************************************
>>>>>> > Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001
32bit)
>>>>>> > Offset (V)
: 0x8193ec90
>>>>>> > Offset (P) : 0x193ec90
>>>>>> > KDBG owner tag check : True
>>>>>> > Profile suggestion (KDBGHeader): Win2008SP1x86
>>>>>> > Version64 : 0x8193ec68 (Major: 15,
Minor:
6001)
>>>>> > Service Pack (CmNtCSDVersion) : 1
>>>>> > Build string (NtBuildLab) :
6001.18000.x86fre.longhorn_rtm.0
>>>>> > PsActiveProcessHead : 0x81954990 (0 processes)
>>>>> > PsLoadedModuleList : 0x8195ec70 (0 modules)
>>>>> > KernelBase : 0x81847000 (Matches MZ: True)
>>>>> > Major (OptionalHeader) : 6
>>>>> > Minor (OptionalHeader) : 0
>>>>> > KPCR : 0x8193f800 (CPU 0)
>>>>> > KPCR : 0x803d1000 (CPU 1)
>>>>> >
>>>>> > Any help would be greatly appreciated.
>>>>> >
>>>>> > Jon
>>>>> >
>>>>> > _______________________________________________
>>>>> > Vol-users mailing list
>>>>> > Vol-users(a)volatilityfoundation.org
>>>>> >
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>> >
>>>>
>>>>
>>>
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>
>
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
7:09 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
Thanks for the detailed response. I would be more than happy to share the
image. Just tell me where to upload it to.
On Aug 22, 2012 6:39 PM, "Michael Hale Ligh" <michael.hale(a)gmail.com>
wrote:
Hey Jon,
On Wed, Aug 22, 2012 at 1:54 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
psscan, modscan, driverscan, filescan,
mutantscan, symlinkscan, thrdscan,
and netscan produced no output other than the header.
So the main three reasons I can think of for these scanners failing are:
1) the image is corrupt (i.e. the acquisition tool didn't capture several
areas of memory)
2) malware modified pool tags (i.e. DKOM)
3) the wrong profile is being used
So they are all possibilities, but let's discuss their likelihood. #1 is
unlikely IMO because kdbgscan was able to print lines like these:
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
Those values are extracted from the ntoskrnl.exe kernel driver, which
means at least one module is in memory...yet modscan doesn't pick it up. #2
is unlikely because malware that uses DKOM typically does so to hide an
individual process, not overwrite an object's pool tags (although its
possible). Plus I'd expect if malware did overwrite pool tags, it would do
it for certain objects only (i.e. just processes and threads or just
network objects) and not all tags associated with all objects. #3 is
unlikely - we know from kdbgscan output that its SP1 something. We know its
x86 and not x64 because kdbgscan is able to find a valid DTB. Out of the
kdbgscan suggestions, you've already tried both VistaSP1x86 and
Win2008SP1x86 and neither seemed to work.
So pretty strange, I don't know what the problem is at this point. If its
just a testing/training image (i.e. doesn't contain sensitive information)
and you can share it with the volatility dev team, we'll be glad to take a
look and report back what we find. That would reduce the number of emails
back and forth and is probably your best bet to figuring it out. If you
want, we have private drop boxes where you can upload the image and it will
only be accessible by a few devs. Let me know.
impscan, svcscan, and cmdscan all returned
errors.
That makes sense. Although they have "scan" in the name, these three
plugins scan process memory as opposed to the ones you listed above
(psscan, modscan, etc...). Thus if no processes can be found (i.e. pslist
fails) then all 3 of these will fail with the same error.
hivescan returned a bunch of offsets with no
other info
That's OK. The output of hivescan is supposed to only contain offsets. See
[1]. Perhaps you could try hivelist which lists the offsets plus the path
to the hive. See [2].
[1]. http://code.google.com/p/volatility/wiki/CommandReference21#hivescan
[2]. http://code.google.com/p/volatility/wiki/CommandReference21#hivelist
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=VistaSP1x86
> --kdbg=0x8193ec90 cmdscan
> Volatile Systems Volatility Framework 2.1
> Traceback (most recent call last):
> File "<string>", line 185, in <module>
> File "<string>", line 176, in main
> File
> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
> line 111, in execute
> File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line
> 670, in render_text
> File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line
> 656, in calculate
> File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line
> 624, in cmdhistory_process_filter
> File
>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
> line 72, in pslist
> File
> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line
> 40, in processes
> AttributeError: Could not list tasks, please verify your --profile with
> kdbgscan
>
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
> =VistaSP1x86 --kdbg=0x8193ec90 hivescan
> Volatile Systems Volatility Framework 2.1
> Offset(P)
> ----------
> 0x00553008
> 0x01ca9008
> 0x01d09008
> 0x0cbea008
> 0x4072b008
> 0x48c31008
> 0x4cdfa008
> 0x4f4ee008
> 0x53217850
> 0x5841d008
> 0x62aa0008
> 0x6dc6a850
> 0x7d5a6850
>
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
> =VistaSP1x86 --kdbg=0x8193ec90 svcscan
> Volatile Systems Volatility Framework 2.1
> Traceback (most recent call last):
> File "<string>", line 185, in <module>
> File "<string>", line 176, in main
> File
> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
> line 111, in execute
> File "C:\volatility\volatility\plugins\malware\svcscan.py", line 307,
> in render_text
> File "C:\volatility\volatility\plugins\malware\svcscan.py", line 271,
> in calculate
> File
>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
> line 72, in pslist
> File
> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line
> 40, in processes
> AttributeError: Could not list tasks, please verify your --profile with
> kdbgscan
>
> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
> =VistaSP1x86 --kdbg=0x8193ec90 impscan
> Volatile Systems Volatility Framework 2.1
> IAT Call Module Function
> ---------- ---------- -------------------- --------
> Traceback (most recent call last):
> File "<string>", line 185, in <module>
> File "<string>", line 176, in main
> File
> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
> line 111, in execute
> File "C:\volatility\volatility\plugins\malware\impscan.py", line 361,
> in render_text
> File "C:\volatility\volatility\plugins\malware\impscan.py", line 253,
> in calculate
> File
>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
> line 72, in pslist
> File
> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py", line
> 40, in processes
> AttributeError: Could not list tasks, please verify your --profile with
> kdbgscan
>
>
> On Wed, Aug 22, 2012 at 1:02 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
>
>> Cool, no worries. I'm guessing it was missed in the crossfire.
>>
>> Just looking at your directory listing I might have guessed it was
>> FTK: G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd
>>
>> of course I could be wrong since "AD" may refer to something else...
>>
>> Try as many "scanning" plugins as you can muster and see if anything
>> comes out while we think of something else. BTW, we aren't helping
>> you cheat are we? ;-) The thought occurred to me that this sample
>> could be intentionally broken.
>>
>>
>>
>> On Wed, Aug 22, 2012 at 12:59 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
>> > The answer to that question was in previous email where I posted the
>> entire
>> > kdbgscan output. I believe the mdd was used to acquire the image.
>> >
>> >
>> > On Wed, Aug 22, 2012 at 12:54 PM, Michael Hale Ligh <
>> michael.hale(a)gmail.com>
>> > wrote:
>> >>
>> >> Hey Jon,
>> >>
>> >> > Was there any more output from kdbgscan (other than what you
pasted
>> >> > in the first email)? If so can you paste the entire output of
>> kdbgscan,
>> >> > please?
>> >>
>> >> You didn't answer that question above...does that mean there is
*not*
>> any
>> >> additional kdbgscan output other than what you pasted in the first
>> email?
>> >>
>> >> Any you're supplying --profile=Win2008SP1x86 to the psscan and
modscan
>> >> commands also? What software was used to acquire the memory dump?
>> >>
>> >> Thanks,
>> >> MHL
>> >>
>> >> On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson <dotcop(a)gmail.com>
>> wrote:
>> >>>
>> >>> As far as modscan I also just get the header and nothing further.
>> >>>
>> >>>
>> >>> On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh
>> >>> <michael.hale(a)gmail.com> wrote:
>> >>>>
>> >>>> Hey Jon,
>> >>>>
>> >>>> Was there any more output from kdbgscan (other than what you
pasted
>> in
>> >>>> the first email)? If so can you paste the entire output of
>> kdbgscan, please?
>> >>>>
>> >>>> The fact that psscan doesn't show results is definitely
strange.
>> What
>> >>>> about the modscan command?
>> >>>>
>> >>>> Thanks!
>> >>>> MHL
>> >>>>
>> >>>>
>> >>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson
<dotcop(a)gmail.com>
>> wrote:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson
<dotcop(a)gmail.com>
>> wrote:
>> >>>>>>
>> >>>>>>
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe
>> -f
>> >>>>>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd
--profile=Win2008SP1x86
>> kdbgscan
>> >>>>>>
>> >>>>>> and...
>> >>>>>>
>> >>>>>>
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe
>> -f
>> >>>>>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd
--profile=Win2008SP1x86
>> pslist
>> >>>>>>
>> >>>>>> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case
<atcuno(a)gmail.com>
>> >>>>>> wrote:
>> >>>>>>>
>> >>>>>>> Can you paste the command line invocation you are
running Vol
>> with?
>> >>>>>>>
>> >>>>>>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson
<dotcop(a)gmail.com>
>> wrote:
>> >>>>>>> > I am using the 2.1 Windows standalone exe.
>> >>>>>>> >
>> >>>>>>> > I have a dd image of memory from the subject
operating system
>> and
>> >>>>>>> > when I try
>> >>>>>>> > to use pslist with the Win2008SP1x86 profile I
get the
>> following
>> >>>>>>> > errors:
>> >>>>>>> >
>> >>>>>>> > Traceback (most recent call last):
>> >>>>>>> > File "<string>", line 185, in
<module>
>> >>>>>>> > File "<string>", line 176, in
main
>> >>>>>>> > File
>> >>>>>>> >
>> >>>>>>> >
>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>> >>>>>>> > line 111, in execute
>> >>>>>>> > File
"C:\volatility\volatility\plugins\taskmods.py", line
>> 138, in
>> >>>>>>> > render_text
>> >>>>>>> > File
>> >>>>>>> >
>> >>>>>>> >
>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>> >>>>>>> > line 72, in pslist
>> >>>>>>> > File
>> >>>>>>> >
>> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
>> >>>>>>> > line 40, in processes
>> >>>>>>> > AttributeError: Could not list tasks, please
verify your
>> --profile
>> >>>>>>> > with
>> >>>>>>> > kdbgscan
>> >>>>>>> >
>> >>>>>>> >
>> >>>>>>> > When I try to verify my profile with kdbgscan I
get the
>> following
>> >>>>>>> > for all
>> >>>>>>> > profiles:
>> >>>>>>> >
>> >>>>>>> >
**************************************************
>> >>>>>>> > Instantiating KDBG using: Kernel AS
Win2008SP1x86 (6.0.6001
>> 32bit)
>> >>>>>>> > Offset (V) : 0x8193ec90
>> >>>>>>> > Offset (P) : 0x193ec90
>> >>>>>>> > KDBG owner tag check : True
>> >>>>>>> > Profile suggestion (KDBGHeader): Win2008SP1x86
>> >>>>>>> > Version64 : 0x8193ec68
(Major: 15, Minor:
>> 6001)
>> >>>>>>> > Service Pack (CmNtCSDVersion) : 1
>> >>>>>>> > Build string (NtBuildLab) :
>> 6001.18000.x86fre.longhorn_rtm.0
>> >>>>>>> > PsActiveProcessHead : 0x81954990 (0
processes)
>> >>>>>>> > PsLoadedModuleList : 0x8195ec70 (0
modules)
>> >>>>>>> > KernelBase : 0x81847000
(Matches MZ: True)
>> >>>>>>> > Major (OptionalHeader) : 6
>> >>>>>>> > Minor (OptionalHeader) : 0
>> >>>>>>> > KPCR : 0x8193f800 (CPU
0)
>> >>>>>>> > KPCR : 0x803d1000 (CPU
1)
>> >>>>>>> >
>> >>>>>>> > Any help would be greatly appreciated.
>> >>>>>>> >
>> >>>>>>> > Jon
>> >>>>>>> >
>> >>>>>>> >
_______________________________________________
>> >>>>>>> > Vol-users mailing list
>> >>>>>>> > Vol-users(a)volatilityfoundation.org
>> >>>>>>> >
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >>>>>>> >
>> >>>>>>
>> >>>>>>
>> >>>>>
>> >>>>>
>> >>>>> _______________________________________________
>> >>>>> Vol-users mailing list
>> >>>>> Vol-users(a)volatilityfoundation.org
>> >>>>>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >>>>>
>> >>>>
>> >>>
>> >>
>> >
>> >
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users(a)volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
>>
>>
>>
>> --
>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>>
>
>
12:21 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
Hey Jon,
Thanks for sending the image. Well as much as I hate concluding an analysis
with "your image is corrupt" that's unfortunately what I've determined.
I
checked with a few other tools, including windbg and none of them can
analyze the image. It appears like mdd freaked out and not only corrupted
the page tables, but wrote a large amount of bogus data to the image. For
example, I count 1806358 blocks (each 1024 bytes) of all 0xFF bytes. That
means 1849710592 of the total 4293001216 bytes in the file are 0xFF (about
44% of your image is filled with garbage). For comparison, I counted
only 3213 blocks of 0xFF in a random 5GB image of my own (not taken with
mdd) - that's about 0.06%.
So in summary the reason volatility can't find data in your image is
because its simply not there to be found. I'd suggest if you want a Windows
2008 SP1 sample for your class, try imaging another system - without using
mdd ;-)
MHL
On Wed, Aug 22, 2012 at 7:09 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
Thanks for the detailed response. I would be more than
happy to share the
image. Just tell me where to upload it to.
On Aug 22, 2012 6:39 PM, "Michael Hale Ligh" <michael.hale(a)gmail.com>
wrote:
> Hey Jon,
>
> On Wed, Aug 22, 2012 at 1:54 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
>
>> psscan, modscan, driverscan, filescan, mutantscan, symlinkscan,
>> thrdscan, and netscan produced no output other than the header.
>
>
> So the main three reasons I can think of for these scanners failing are:
>
> 1) the image is corrupt (i.e. the acquisition tool didn't capture several
> areas of memory)
> 2) malware modified pool tags (i.e. DKOM)
> 3) the wrong profile is being used
>
> So they are all possibilities, but let's discuss their likelihood. #1 is
> unlikely IMO because kdbgscan was able to print lines like these:
>
> Service Pack (CmNtCSDVersion) : 1
> Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
>
> Those values are extracted from the ntoskrnl.exe kernel driver, which
> means at least one module is in memory...yet modscan doesn't pick it up. #2
> is unlikely because malware that uses DKOM typically does so to hide an
> individual process, not overwrite an object's pool tags (although its
> possible). Plus I'd expect if malware did overwrite pool tags, it would do
> it for certain objects only (i.e. just processes and threads or just
> network objects) and not all tags associated with all objects. #3 is
> unlikely - we know from kdbgscan output that its SP1 something. We know its
> x86 and not x64 because kdbgscan is able to find a valid DTB. Out of the
> kdbgscan suggestions, you've already tried both VistaSP1x86 and
> Win2008SP1x86 and neither seemed to work.
>
> So pretty strange, I don't know what the problem is at this point. If its
> just a testing/training image (i.e. doesn't contain sensitive information)
> and you can share it with the volatility dev team, we'll be glad to take a
> look and report back what we find. That would reduce the number of emails
> back and forth and is probably your best bet to figuring it out. If you
> want, we have private drop boxes where you can upload the image and it will
> only be accessible by a few devs. Let me know.
>
>
>> impscan, svcscan, and cmdscan all returned errors.
>
>
> That makes sense. Although they have "scan" in the name, these three
> plugins scan process memory as opposed to the ones you listed above
> (psscan, modscan, etc...). Thus if no processes can be found (i.e. pslist
> fails) then all 3 of these will fail with the same error.
>
>
>> hivescan returned a bunch of offsets with no other info
>
>
> That's OK. The output of hivescan is supposed to only contain offsets.
> See [1]. Perhaps you could try hivelist which lists the offsets plus the
> path to the hive. See [2].
>
> [1]. http://code.google.com/p/volatility/wiki/CommandReference21#hivescan
> [2]. http://code.google.com/p/volatility/wiki/CommandReference21#hivelist
>
>
>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=VistaSP1x86
>> --kdbg=0x8193ec90 cmdscan
>> Volatile Systems Volatility Framework 2.1
>> Traceback (most recent call last):
>> File "<string>", line 185, in <module>
>> File "<string>", line 176, in main
>> File
>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>> line 111, in execute
>> File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line
>> 670, in render_text
>> File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line
>> 656, in calculate
>> File "C:\volatility\volatility\plugins\malware\cmdhistory.py", line
>> 624, in cmdhistory_process_filter
>> File
>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>> line 72, in pslist
>> File
>> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
line
>> 40, in processes
>> AttributeError: Could not list tasks, please verify your --profile with
>> kdbgscan
>>
>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
>> =VistaSP1x86 --kdbg=0x8193ec90 hivescan
>> Volatile Systems Volatility Framework 2.1
>> Offset(P)
>> ----------
>> 0x00553008
>> 0x01ca9008
>> 0x01d09008
>> 0x0cbea008
>> 0x4072b008
>> 0x48c31008
>> 0x4cdfa008
>> 0x4f4ee008
>> 0x53217850
>> 0x5841d008
>> 0x62aa0008
>> 0x6dc6a850
>> 0x7d5a6850
>>
>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
>> =VistaSP1x86 --kdbg=0x8193ec90 svcscan
>> Volatile Systems Volatility Framework 2.1
>> Traceback (most recent call last):
>> File "<string>", line 185, in <module>
>> File "<string>", line 176, in main
>> File
>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>> line 111, in execute
>> File "C:\volatility\volatility\plugins\malware\svcscan.py", line
307,
>> in render_text
>> File "C:\volatility\volatility\plugins\malware\svcscan.py", line
271,
>> in calculate
>> File
>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>> line 72, in pslist
>> File
>> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
line
>> 40, in processes
>> AttributeError: Could not list tasks, please verify your --profile with
>> kdbgscan
>>
>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile
>> =VistaSP1x86 --kdbg=0x8193ec90 impscan
>> Volatile Systems Volatility Framework 2.1
>> IAT Call Module Function
>> ---------- ---------- -------------------- --------
>> Traceback (most recent call last):
>> File "<string>", line 185, in <module>
>> File "<string>", line 176, in main
>> File
>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>> line 111, in execute
>> File "C:\volatility\volatility\plugins\malware\impscan.py", line
361,
>> in render_text
>> File "C:\volatility\volatility\plugins\malware\impscan.py", line
253,
>> in calculate
>> File
>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>> line 72, in pslist
>> File
>> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
line
>> 40, in processes
>> AttributeError: Could not list tasks, please verify your --profile with
>> kdbgscan
>>
>>
>> On Wed, Aug 22, 2012 at 1:02 PM, Jamie Levy <jamie.levy(a)gmail.com>
>> wrote:
>>
>>> Cool, no worries. I'm guessing it was missed in the crossfire.
>>>
>>> Just looking at your directory listing I might have guessed it was
>>> FTK: G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd
>>>
>>> of course I could be wrong since "AD" may refer to something
else...
>>>
>>> Try as many "scanning" plugins as you can muster and see if
anything
>>> comes out while we think of something else. BTW, we aren't helping
>>> you cheat are we? ;-) The thought occurred to me that this sample
>>> could be intentionally broken.
>>>
>>>
>>>
>>> On Wed, Aug 22, 2012 at 12:59 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
>>> > The answer to that question was in previous email where I posted the
>>> entire
>>> > kdbgscan output. I believe the mdd was used to acquire the image.
>>> >
>>> >
>>> > On Wed, Aug 22, 2012 at 12:54 PM, Michael Hale Ligh <
>>> michael.hale(a)gmail.com>
>>> > wrote:
>>> >>
>>> >> Hey Jon,
>>> >>
>>> >> > Was there any more output from kdbgscan (other than what you
pasted
>>> >> > in the first email)? If so can you paste the entire output of
>>> kdbgscan,
>>> >> > please?
>>> >>
>>> >> You didn't answer that question above...does that mean there is
>>> *not* any
>>> >> additional kdbgscan output other than what you pasted in the first
>>> email?
>>> >>
>>> >> Any you're supplying --profile=Win2008SP1x86 to the psscan and
>>> modscan
>>> >> commands also? What software was used to acquire the memory dump?
>>> >>
>>> >> Thanks,
>>> >> MHL
>>> >>
>>> >> On Wed, Aug 22, 2012 at 12:46 PM, Jon Nelson
<dotcop(a)gmail.com>
>>> wrote:
>>> >>>
>>> >>> As far as modscan I also just get the header and nothing
further.
>>> >>>
>>> >>>
>>> >>> On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh
>>> >>> <michael.hale(a)gmail.com> wrote:
>>> >>>>
>>> >>>> Hey Jon,
>>> >>>>
>>> >>>> Was there any more output from kdbgscan (other than what
you
>>> pasted in
>>> >>>> the first email)? If so can you paste the entire output of
>>> kdbgscan, please?
>>> >>>>
>>> >>>> The fact that psscan doesn't show results is definitely
strange.
>>> What
>>> >>>> about the modscan command?
>>> >>>>
>>> >>>> Thanks!
>>> >>>> MHL
>>> >>>>
>>> >>>>
>>> >>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson
<dotcop(a)gmail.com>
>>> wrote:
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson
<dotcop(a)gmail.com>
>>> wrote:
>>> >>>>>>
>>> >>>>>>
>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
>>> >>>>>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd
>>> --profile=Win2008SP1x86 kdbgscan
>>> >>>>>>
>>> >>>>>> and...
>>> >>>>>>
>>> >>>>>>
>>> C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
>>> >>>>>> G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd
>>> --profile=Win2008SP1x86 pslist
>>> >>>>>>
>>> >>>>>> On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case
<atcuno(a)gmail.com>
>>> >>>>>> wrote:
>>> >>>>>>>
>>> >>>>>>> Can you paste the command line invocation you
are running Vol
>>> with?
>>> >>>>>>>
>>> >>>>>>> On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson
<dotcop(a)gmail.com>
>>> wrote:
>>> >>>>>>> > I am using the 2.1 Windows standalone exe.
>>> >>>>>>> >
>>> >>>>>>> > I have a dd image of memory from the
subject operating system
>>> and
>>> >>>>>>> > when I try
>>> >>>>>>> > to use pslist with the Win2008SP1x86
profile I get the
>>> following
>>> >>>>>>> > errors:
>>> >>>>>>> >
>>> >>>>>>> > Traceback (most recent call last):
>>> >>>>>>> > File "<string>", line
185, in <module>
>>> >>>>>>> > File "<string>", line
176, in main
>>> >>>>>>> > File
>>> >>>>>>> >
>>> >>>>>>> >
>>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
>>> >>>>>>> > line 111, in execute
>>> >>>>>>> > File
"C:\volatility\volatility\plugins\taskmods.py", line
>>> 138, in
>>> >>>>>>> > render_text
>>> >>>>>>> > File
>>> >>>>>>> >
>>> >>>>>>> >
>>>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
>>> >>>>>>> > line 72, in pslist
>>> >>>>>>> > File
>>> >>>>>>> >
>>>
"C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
>>> >>>>>>> > line 40, in processes
>>> >>>>>>> > AttributeError: Could not list tasks,
please verify your
>>> --profile
>>> >>>>>>> > with
>>> >>>>>>> > kdbgscan
>>> >>>>>>> >
>>> >>>>>>> >
>>> >>>>>>> > When I try to verify my profile with
kdbgscan I get the
>>> following
>>> >>>>>>> > for all
>>> >>>>>>> > profiles:
>>> >>>>>>> >
>>> >>>>>>> >
**************************************************
>>> >>>>>>> > Instantiating KDBG using: Kernel AS
Win2008SP1x86 (6.0.6001
>>> 32bit)
>>> >>>>>>> > Offset (V) : 0x8193ec90
>>> >>>>>>> > Offset (P) : 0x193ec90
>>> >>>>>>> > KDBG owner tag check : True
>>> >>>>>>> > Profile suggestion (KDBGHeader):
Win2008SP1x86
>>> >>>>>>> > Version64 : 0x8193ec68
(Major: 15, Minor:
>>> 6001)
>>> >>>>>>> > Service Pack (CmNtCSDVersion) : 1
>>> >>>>>>> > Build string (NtBuildLab) :
>>> 6001.18000.x86fre.longhorn_rtm.0
>>> >>>>>>> > PsActiveProcessHead : 0x81954990
(0 processes)
>>> >>>>>>> > PsLoadedModuleList : 0x8195ec70
(0 modules)
>>> >>>>>>> > KernelBase : 0x81847000
(Matches MZ: True)
>>> >>>>>>> > Major (OptionalHeader) : 6
>>> >>>>>>> > Minor (OptionalHeader) : 0
>>> >>>>>>> > KPCR : 0x8193f800
(CPU 0)
>>> >>>>>>> > KPCR : 0x803d1000
(CPU 1)
>>> >>>>>>> >
>>> >>>>>>> > Any help would be greatly appreciated.
>>> >>>>>>> >
>>> >>>>>>> > Jon
>>> >>>>>>> >
>>> >>>>>>> >
_______________________________________________
>>> >>>>>>> > Vol-users mailing list
>>> >>>>>>> > Vol-users(a)volatilityfoundation.org
>>> >>>>>>> >
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>> >>>>>>> >
>>> >>>>>>
>>> >>>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> _______________________________________________
>>> >>>>> Vol-users mailing list
>>> >>>>> Vol-users(a)volatilityfoundation.org
>>> >>>>>
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>> >>>>>
>>> >>>>
>>> >>>
>>> >>
>>> >
>>> >
>>> > _______________________________________________
>>> > Vol-users mailing list
>>> > Vol-users(a)volatilityfoundation.org
>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>> >
>>>
>>>
>>>
>>> --
>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>>>
>>
>>
12:57 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
Jon,
total 4293001216 bytes in the file <
Do you know, by chance, how much memory the Windows 2008 Enterprise
server was configured with? MDD has a documented limitation of 4 GiB.
Windows 2008 Enterprise Server is able to address more than 4 GiB, even
with the 32-bit version. If the server was equipped with more than 4
GiB MDD would have failed to acquire the portion above 4 GiB causing
analysis to fail. Obviously, this memory "image" would appear to have
other problems as MHL noted. But I throw that out as an additional
consideration.
Regards,
gmg.
1:14 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
Correction: It looks like MDD version 1.3 fixed the specific bug to
which I referred in my last post. There still another another bug which
causes it to underestimate the amount of physical memory present on a
system (due to its reliance on GlobalMemoryStatusEx to size physical
memory). So the problem remains, just not for the reason previously stated.
On 8/24/2012 12:57 PM, George M. Garner Jr. wrote:
Jon,
total 4293001216 bytes in the file <
Do you know, by chance, how much memory the Windows 2008 Enterprise
server was configured with? MDD has a documented limitation of 4 GiB.
Windows 2008 Enterprise Server is able to address more than 4 GiB, even
with the 32-bit version. If the server was equipped with more than 4
GiB MDD would have failed to acquire the portion above 4 GiB causing
analysis to fail. Obviously, this memory "image" would appear to have
other problems as MHL noted. But I throw that out as an additional
consideration.
Regards,
gmg.
1:15 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
Thanks. The image was made before my time. Time to make new images...
On Aug 24, 2012 12:58 PM, "George M. Garner Jr." <
ggarner_online(a)gmgsystemsinc.com> wrote:
Jon,
total 4293001216 bytes in the file <
Do you know, by chance, how much memory the Windows 2008 Enterprise server
was configured with? MDD has a documented limitation of 4 GiB. Windows
2008 Enterprise Server is able to address more than 4 GiB, even with the
32-bit version. If the server was equipped with more than 4 GiB MDD would
have failed to acquire the portion above 4 GiB causing analysis to fail.
Obviously, this memory "image" would appear to have other problems as MHL
noted. But I throw that out as an additional consideration.
Regards,
gmg.
______________________________**_________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilesystems.**com/mailman/listinfo/vol-users<http://lis…
12:54 p.m.
New subject: Win 2008 Enterprise Server SP1 Errors
I have to ask: what was used to acquire the memory image?
On Wed, Aug 22, 2012 at 12:40 PM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
Hey Jon,
Was there any more output from kdbgscan (other than what you pasted in the
first email)? If so can you paste the entire output of kdbgscan, please?
The fact that psscan doesn't show results is definitely strange. What about
the modscan command?
Thanks!
MHL
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
On Wed, Aug 22, 2012 at 12:27 PM, Jon Nelson <dotcop(a)gmail.com> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 kdbgscan
and...
C:\Users\student\Desktop\Volatility>volatility-2.1.standalone.exe -f
G:\FIWE-Scenarios\Final\AD\RAM\10010AD.dd --profile=Win2008SP1x86 pslist
On Wed, Aug 22, 2012 at 12:21 PM, Andrew Case <atcuno(a)gmail.com> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Can you paste the command line invocation you are running Vol with?
On Wed, Aug 22, 2012 at 8:58 AM, Jon Nelson <dotcop(a)gmail.com> wrote:
> I am using the 2.1 Windows standalone exe.
>
> I have a dd image of memory from the subject operating system and when
> I try
> to use pslist with the Win2008SP1x86 profile I get the following
> errors:
>
> Traceback (most recent call last):
> File "<string>", line 185, in <module>
> File "<string>", line 176, in main
> File
>
> "C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.commands",
> line 111, in execute
> File "C:\volatility\volatility\plugins\taskmods.py", line 138, in
> render_text
> File
>
>
"C:\volatility\build\pyi.win32\pyinstaller\vol.pkz\volatility.win32.tasks",
> line 72, in pslist
> File
> "C:\volatility\volatility\plugins\overlays\windows\kdbg_vtypes.py",
> line 40, in processes
> AttributeError: Could not list tasks, please verify your --profile
> with
> kdbgscan
>
>
> When I try to verify my profile with kdbgscan I get the following for
> all
> profiles:
>
> **************************************************
> Instantiating KDBG using: Kernel AS Win2008SP1x86 (6.0.6001 32bit)
> Offset (V) : 0x8193ec90
> Offset (P) : 0x193ec90
> KDBG owner tag check : True
> Profile suggestion (KDBGHeader): Win2008SP1x86
> Version64 : 0x8193ec68 (Major: 15, Minor: 6001)
> Service Pack (CmNtCSDVersion) : 1
> Build string (NtBuildLab) : 6001.18000.x86fre.longhorn_rtm.0
> PsActiveProcessHead : 0x81954990 (0 processes)
> PsLoadedModuleList : 0x8195ec70 (0 modules)
> KernelBase : 0x81847000 (Matches MZ: True)
> Major (OptionalHeader) : 6
> Minor (OptionalHeader) : 0
> KPCR : 0x8193f800 (CPU 0)
> KPCR : 0x803d1000 (CPU 1)
>
> Any help would be greatly appreciated.
>
> Jon
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
4465
days inactive
4467
days old
vol-users@lists.volatilityfoundation.org
14 comments
4 participants
participants (4)
-
George M. Garner Jr. -
Jamie Levy -
Jon Nelson -
Michael Hale Ligh