5:46 p.m.
Have never seen this error when trying to dump a process. Any
suggestions? tried -u as well with the same results.
vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p 1684
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x89b1e020 ---------- redactedxxxxx.e Error: Cannot acquire process AS
7:44 p.m.
This means that the DTB (page directory) for the process doesn't appear
valid, which is typically because the process has exited (although the
_EPROCESS structure itself may still exist, its page tables can be
corrupt). Can you check the exit time for this process with pslist or
psscan?
MHL
On Mon, Oct 29, 2012 at 5:46 PM, Dewhirst, Rob <robdewhirst(a)gmail.com>wrote:
Have never seen this error when trying to dump a
process. Any
suggestions? tried -u as well with the same results.
vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p 1684
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x89b1e020 ---------- redactedxxxxx.e Error: Cannot acquire process AS
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
12:07 p.m.
The process doesn't appear to have exited based on pslist (and it was
still generating network traffic while I dumped ram)
Offset(V) Name PID PPID Thds Hnds Sess
Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------
------ -------------------- --------------------
0x8b3802a8 System 4 0 127 -------- ------
0
0x89be3290 smss.exe 312 4 2 -------- ------
0 2012-10-26 02:29:26
[...]
0x89b1e020 redactedxx.e 1684 432 15 -------- ------
0 2012-10-26 02:29:39
Don't know if this helps
psxview
Volatile Systems Volatility Framework 2.2
Offset(P) Name PID pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- -----
0x09b17b70 svchost.exe 2632 True True False False False
[...]
0x09b1e020 redactedxx.e 1684 True True False False False
psscan
sansforensics@SIFT-Workstation:~/Desktop$ vol.py -f
~/Desktop/image.raw --profile Win2003SP2x86 psscan
Volatile Systems Volatility Framework 2.2
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
-------------------- --------------------
0x09b1e020 redactedxx.e 1684 432 0xcf3392c0 2012-10-26 02:29:39
On Mon, Oct 29, 2012 at 6:44 PM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
This means that the DTB (page directory) for the
process doesn't appear
valid, which is typically because the process has exited (although the
_EPROCESS structure itself may still exist, its page tables can be corrupt).
Can you check the exit time for this process with pslist or psscan?
MHL
On Mon, Oct 29, 2012 at 5:46 PM, Dewhirst, Rob <robdewhirst(a)gmail.com>
wrote:
Have never seen this error when trying to dump a process. Any
suggestions? tried -u as well with the same results.
vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p 1684
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x89b1e020 ---------- redactedxxxxx.e Error: Cannot acquire process
AS
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
12:24 p.m.
Rob,
Did you get an error log when you acquired the physical memory. If so,
look at what pages could not be acquired and compare that to the DTB of
the suspect process. Also, inspect the DTB physical page in the memory
"dump" using a hex editor and see if it looks like a DTB.
Regards,
George.
12:47 p.m.
Rob,
According to the psscan output you posted the PDB (Process directory
base) is 0xcf3392c0. This is clearly an invalid address since a DTB is
always aligned on page boundaries.
Can you dump other processes from this image? Is it possible that you
dont have the correct profile chosen for your image?
Michael.
On 30 October 2012 17:07, Dewhirst, Rob <robdewhirst(a)gmail.com> wrote:
The process doesn't appear to have exited based on
pslist (and it was
still generating network traffic while I dumped ram)
Offset(V) Name PID PPID Thds Hnds Sess
Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------
------ -------------------- --------------------
0x8b3802a8 System 4 0 127 -------- ------
0
0x89be3290 smss.exe 312 4 2 -------- ------
0 2012-10-26 02:29:26
[...]
0x89b1e020 redactedxx.e 1684 432 15 -------- ------
0 2012-10-26 02:29:39
Don't know if this helps
psxview
Volatile Systems Volatility Framework 2.2
Offset(P) Name PID pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- -----
0x09b17b70 svchost.exe 2632 True True False False False
[...]
0x09b1e020 redactedxx.e 1684 True True False False False
psscan
sansforensics@SIFT-Workstation:~/Desktop$ vol.py -f
~/Desktop/image.raw --profile Win2003SP2x86 psscan
Volatile Systems Volatility Framework 2.2
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
-------------------- --------------------
0x09b1e020 redactedxx.e 1684 432 0xcf3392c0 2012-10-26 02:29:39
On Mon, Oct 29, 2012 at 6:44 PM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
This means that the DTB (page directory) for the
process doesn't appear
valid, which is typically because the process has exited (although the
_EPROCESS structure itself may still exist, its page tables can be corrupt).
Can you check the exit time for this process with pslist or psscan?
MHL
On Mon, Oct 29, 2012 at 5:46 PM, Dewhirst, Rob <robdewhirst(a)gmail.com>
wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Have never seen this error when trying to dump a process. Any
suggestions? tried -u as well with the same results.
vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p 1684
Volatile Systems Volatility Framework 2.2
Process(V) ImageBase Name Result
---------- ---------- -------------------- ------
0x89b1e020 ---------- redactedxxxxx.e Error: Cannot acquire process
AS
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
3:32 p.m.
I know I have the right profile but hearing something like this makes
me question the image. I took a new image with a different tool and
can now dump the process without error.
FWIW I used Dumpit for the first image and FTK Imager for the second.
On Tue, Oct 30, 2012 at 11:47 AM, Michael Cohen <scudette(a)gmail.com> wrote:
Rob,
According to the psscan output you posted the PDB (Process directory
base) is 0xcf3392c0. This is clearly an invalid address since a DTB is
always aligned on page boundaries.
Can you dump other processes from this image? Is it possible that you
dont have the correct profile chosen for your image?
Michael.
On 30 October 2012 17:07, Dewhirst, Rob <robdewhirst(a)gmail.com> wrote:
> The process doesn't appear to have exited based on pslist (and it was
> still generating network traffic while I dumped ram)
>
> Offset(V) Name PID PPID Thds Hnds Sess
> Wow64 Start Exit
> ---------- -------------------- ------ ------ ------ -------- ------
> ------ -------------------- --------------------
> 0x8b3802a8 System 4 0 127 -------- ------
> 0
> 0x89be3290 smss.exe 312 4 2 -------- ------
> 0 2012-10-26 02:29:26
> [...]
> 0x89b1e020 redactedxx.e 1684 432 15 -------- ------
> 0 2012-10-26 02:29:39
>
> Don't know if this helps
>
> psxview
>
> Volatile Systems Volatility Framework 2.2
> Offset(P) Name PID pslist psscan thrdproc pspcdid csrss
> ---------- -------------------- ------ ------ ------ -------- ------- -----
> 0x09b17b70 svchost.exe 2632 True True False False False
> [...]
> 0x09b1e020 redactedxx.e 1684 True True False False False
>
> psscan
>
> sansforensics@SIFT-Workstation:~/Desktop$ vol.py -f
> ~/Desktop/image.raw --profile Win2003SP2x86 psscan
> Volatile Systems Volatility Framework 2.2
> Offset(P) Name PID PPID PDB Time created
> Time exited
> ---------- ---------------- ------ ------ ----------
> -------------------- --------------------
> 0x09b1e020 redactedxx.e 1684 432 0xcf3392c0 2012-10-26 02:29:39
>
>
> On Mon, Oct 29, 2012 at 6:44 PM, Michael Hale Ligh
> <michael.hale(a)gmail.com> wrote:
>> This means that the DTB (page directory) for the process doesn't appear
>> valid, which is typically because the process has exited (although the
>> _EPROCESS structure itself may still exist, its page tables can be corrupt).
>> Can you check the exit time for this process with pslist or psscan?
>>
>> MHL
>>
>> On Mon, Oct 29, 2012 at 5:46 PM, Dewhirst, Rob <robdewhirst(a)gmail.com>
>> wrote:
>>>
>>> Have never seen this error when trying to dump a process. Any
>>> suggestions? tried -u as well with the same results.
>>>
>>> vol.exe -f image.raw --profile Win2003SP2x86 procexedump -D dump/ -p 1684
>>> Volatile Systems Volatility Framework 2.2
>>> Process(V) ImageBase Name Result
>>> ---------- ---------- -------------------- ------
>>> 0x89b1e020 ---------- redactedxxxxx.e Error: Cannot acquire process
>>> AS
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
5:49 p.m.
Rob,
Glad that you solved your problem. Just to clarify something, if PAE is
enabled the DirectoryTableBase member of the _KPROCESS structure
contains the physical address of the PDP which is aligned along 20h byte
boundaries and not page boundaries. See e.g.
PROCESS 85ba45e8 SessionId: 0 Cid: 090c Peb: 7ffd8000 ParentCid: 0228
DirBase: 7ef6c400 ObjectTable: 98a20180 HandleCount: 350.
Image: svchost.exe
0: kd> dq /p /c2 7ef6c400 L4
7ef6c400 00000000`26f2e801 00000000`086bf801
7ef6c410 00000000`27100801 00000000`26d69801
The physical address cf3392c0h is aligned for a possible x86 PDP, except
that it is within a physical address range that typically is reserved
for use by the PCI bus (c0000000h-100000000h). However, some recent AMD
systems have begun using some addresses above c0000000h for RAM physical
addresses. So without knowing more about the design of the system and
motherboard chipset I cannot say whether or not that is a valid PDP
physical address (assuming that you have PAE enabled, which is typical
for server systems). I suppose that you rebooted the system in between
samples so that we cannot compare the DTB values from the two memory
"dumps" directly?
Regards,
George.
11:26 a.m.
Hi George,
Yeah I forgot that pae images do not have to have page tables
aligned to page size. You are correct.
It would be interesting to know if the original address range was
captured in the image in the first place. As you pointed out that
address is toward the top end of the address range on 32 bit machines.
I know that win32dd has a bug where it would truncate the image short
(thus missing the top of the address space) but I thought this was
fixed in dumpit (see Issue 198
https://code.google.com/p/volatility/issues/detail?id=198)
Is the address 3476263616 (0xcf3392c0) within the image? Is the image
at least 3.4gb large? Do both images produced from the different
tools have the same size?
Michael.
On 30 October 2012 22:49, George M. Garner Jr.
<ggarner_online(a)gmgsystemsinc.com> wrote:
Rob,
Glad that you solved your problem. Just to clarify something, if PAE is
enabled the DirectoryTableBase member of the _KPROCESS structure contains
the physical address of the PDP which is aligned along 20h byte boundaries
and not page boundaries. See e.g.
PROCESS 85ba45e8 SessionId: 0 Cid: 090c Peb: 7ffd8000 ParentCid: 0228
DirBase: 7ef6c400 ObjectTable: 98a20180 HandleCount: 350.
Image: svchost.exe
0: kd> dq /p /c2 7ef6c400 L4
7ef6c400 00000000`26f2e801 00000000`086bf801
7ef6c410 00000000`27100801 00000000`26d69801
The physical address cf3392c0h is aligned for a possible x86 PDP, except
that it is within a physical address range that typically is reserved for
use by the PCI bus (c0000000h-100000000h). However, some recent AMD systems
have begun using some addresses above c0000000h for RAM physical addresses.
So without knowing more about the design of the system and motherboard
chipset I cannot say whether or not that is a valid PDP physical address
(assuming that you have PAE enabled, which is typical for server systems).
I suppose that you rebooted the system in between samples so that we cannot
compare the DTB values from the two memory "dumps" directly?
Regards,
George.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
4397
days inactive
4399
days old
vol-users@lists.volatilityfoundation.org
7 comments
4 participants
participants (4)
-
Dewhirst, Rob -
George M. Garner Jr. -
Michael Cohen -
Michael Hale Ligh