10:48 p.m.
When imaging memory on a live VM system to do analysis for malware
Volatililty does not recognize it (see below). Is there anyone on this
mailing list that has the knowledge on how I can remedy this without
shutting the system down and grabbing the VMEM file?
Is it possible to substitute a valid DTB from another image into the
memdump of a live VM machine with a Hex editor? And if it can be done does
anyone know the addresses of that space to take out and substitute? I hope
that made sense......
If you look at a normal image of memory in a hex editor you can clearly see
the difference between that and a VM dump from a live system, there seems
to be some extra padded stuff right up front.
Volatile Systems Volatility Framework 2.0
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature fou
WindowsCrashDumpSpace32: Header signature invali
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Thanks
Lou
4:57 p.m.
Lou,
I don't know the answer to your question, but you could 'plan B' collect
memory with a memory capture program to keep your analysis going while you find the
answer. I have an XPx86 and use windd32 to collect the memory, it works fine for me.
Best,
Mike
Date: Fri, 10 Feb 2012 22:48:54 -0500
From: louislarocca(a)gmail.com
To: vol-users(a)volatilityfoundation.org
Subject: [Vol-users] VM image of memory- This is not a VMEM file
When imaging memory on a live VM system to do analysis for malware Volatililty does not
recognize it (see below). Is there anyone on this mailing list that has the knowledge on
how I can remedy this without shutting the system down and grabbing the VMEM file?
Is it possible to substitute a valid DTB from another image into the memdump of a live VM
machine with a Hex editor? And if it can be done does anyone know the addresses of that
space to take out and substitute? I hope that made sense......
If you look at a normal image of memory in a hex editor you can clearly see the difference
between that and a VM dump from a live system, there seems to be some extra padded stuff
right up front.
Volatile Systems Volatility Framework 2.0
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature fou
WindowsCrashDumpSpace32: Header signature invali
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Thanks
Lou
_______________________________________________ Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
6:36 p.m.
Lou,
On Fri, Feb 10, 2012 at 10:48 PM, Lou LaRocca <louislarocca(a)gmail.com> wrote:
When imaging memory on a live VM system to do analysis
for malware
Volatililty does not recognize it (see below). Is there anyone on this
mailing list that has the knowledge on how I can remedy this without
shutting the system down and grabbing the VMEM file?
You shouldn't have to shut the system down, if you're using VMware
(which it sounds like you are from the "VMEM"), then you can just
suspend it and the contents of memory will be flushed to the .vmem
file.
What's the OS version of the VMware system and what was the
command-line that you used (i.e. did you use the right --profile)?
MHL
Is it possible to substitute a valid DTB from another
image into the memdump
of a live VM machine with a Hex editor? And if it can be done does anyone
know the addresses of that space to take out and substitute? I hope that
made sense......
If you look at a normal image of memory in a hex editor you can clearly see
the difference between that and a VM dump from a live system, there seems to
be some extra padded stuff right up front.
Volatile Systems Volatility Framework 2.0
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature fou
WindowsCrashDumpSpace32: Header signature invali
JKIA32PagedMemory: No valid DTB found
JKIA32PagedMemoryPae: No valid DTB found
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
Thanks
Lou
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
1:31 p.m.
Thanks for the responses, the VM is running 2003 server sp1. And I didnt capture it with
the normal image tools. I used EnCase Enterprise to connect to the system and grab memory,
however now that I think about it I'll try to use a capture tool and DD it. That may
solve it, EnCase doesn't do a DD image..unless I use a stand alone tool Winen that
comes packaged with EnCase.
I'll grab another dump and post back with my command line options after the dump.
Sent from my iPad
On Feb 12, 2012, at 6:36 PM, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
Lou,
On Fri, Feb 10, 2012 at 10:48 PM, Lou LaRocca <louislarocca(a)gmail.com> wrote:
When imaging memory on a live VM system to do
analysis for malware
Volatililty does not recognize it (see below). Is there anyone on this
mailing list that has the knowledge on how I can remedy this without
shutting the system down and grabbing the VMEM file?
You shouldn't have to shut the system down, if you're using VMware
(which it sounds like you are from the "VMEM"), then you can just
suspend it and the contents of memory will be flushed to the .vmem
file.
What's the OS version of the VMware system and what was the
command-line that you used (i.e. did you use the right --profile)?
MHL
> Is it possible to substitute a valid DTB from another image into the memdump
> of a live VM machine with a Hex editor? And if it can be done does anyone
> know the addresses of that space to take out and substitute? I hope that
> made sense......
>
> If you look at a normal image of memory in a hex editor you can clearly see
> the difference between that and a VM dump from a live system, there seems to
> be some extra padded stuff right up front.
>
>
>
>
>
>
>
> Volatile Systems Volatility Framework 2.0
> No suitable address space mapping found
> Tried to open image as:
> WindowsHiberFileSpace32: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> JKIA32PagedMemory: No base Address Space
> JKIA32PagedMemoryPae: No base Address Space
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> WindowsHiberFileSpace32: No xpress signature fou
> WindowsCrashDumpSpace32: Header signature invali
> JKIA32PagedMemory: No valid DTB found
> JKIA32PagedMemoryPae: No valid DTB found
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> FileAddressSpace: Must be first Address Space
>
> Thanks
>
> Lou
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> 
1:50 p.m.
Lou,
Try FTK Imager Lite v2.9.0. You can run it off a thumbdrive and it will
capture RAM in a format suitable for Volatility.
It's much better than Linen and has a pretty light footprint as far as
artifacts go.
http://accessdata.com/support/adownloads
Andre' M. DiMino
Deep End Research
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
On 02/13/2012 01:31 PM, Lou wrote:
Thanks for the responses, the VM is running 2003
server sp1. And I didnt capture it with the normal image tools. I used EnCase Enterprise
to connect to the system and grab memory, however now that I think about it I'll try
to use a capture tool and DD it. That may solve it, EnCase doesn't do a DD
image..unless I use a stand alone tool Winen that comes packaged with EnCase.
I'll grab another dump and post back with my command line options after the dump.
Sent from my iPad
On Feb 12, 2012, at 6:36 PM, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
Lou,
On Fri, Feb 10, 2012 at 10:48 PM, Lou LaRocca <louislarocca(a)gmail.com> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users When imaging memory on a live VM system to do
analysis for malware
Volatililty does not recognize it (see below). Is there anyone on this
mailing list that has the knowledge on how I can remedy this without
shutting the system down and grabbing the VMEM file?
You shouldn't have to shut the system down, if you're using VMware
(which it sounds like you are from the "VMEM"), then you can just
suspend it and the contents of memory will be flushed to the .vmem
file.
What's the OS version of the VMware system and what was the
command-line that you used (i.e. did you use the right --profile)?
MHL
> Is it possible to substitute a valid DTB from another image into the memdump
> of a live VM machine with a Hex editor? And if it can be done does anyone
> know the addresses of that space to take out and substitute? I hope that
> made sense......
>
> If you look at a normal image of memory in a hex editor you can clearly see
> the difference between that and a VM dump from a live system, there seems to
> be some extra padded stuff right up front.
>
>
>
>
>
>
>
> Volatile Systems Volatility Framework 2.0
> No suitable address space mapping found
> Tried to open image as:
> WindowsHiberFileSpace32: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> JKIA32PagedMemory: No base Address Space
> JKIA32PagedMemoryPae: No base Address Space
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> WindowsHiberFileSpace32: No xpress signature fou
> WindowsCrashDumpSpace32: Header signature invali
> JKIA32PagedMemory: No valid DTB found
> JKIA32PagedMemoryPae: No valid DTB found
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> FileAddressSpace: Must be first Address Space
>
> Thanks
>
> Lou
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
3:25 p.m.
Ok will do...and it is v6
Sent from my iPad
On Feb 13, 2012, at 1:50 PM, "Andre' M. DiMino"
<adimino(a)sempersecurus.org> wrote:
Lou,
Try FTK Imager Lite v2.9.0. You can run it off a thumbdrive and it will
capture RAM in a format suitable for Volatility.
It's much better than Linen and has a pretty light footprint as far as
artifacts go.
http://accessdata.com/support/adownloads
Andre' M. DiMino
Deep End Research
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
On 02/13/2012 01:31 PM, Lou wrote:
Thanks for the responses, the VM is running 2003
server sp1. And I didnt capture it with the normal image tools. I used EnCase Enterprise
to connect to the system and grab memory, however now that I think about it I'll try
to use a capture tool and DD it. That may solve it, EnCase doesn't do a DD
image..unless I use a stand alone tool Winen that comes packaged with EnCase.
I'll grab another dump and post back with my command line options after the dump.
Sent from my iPad
On Feb 12, 2012, at 6:36 PM, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users Lou,
On Fri, Feb 10, 2012 at 10:48 PM, Lou LaRocca <louislarocca(a)gmail.com> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users When imaging memory on a live VM system to do
analysis for malware
Volatililty does not recognize it (see below). Is there anyone on this
mailing list that has the knowledge on how I can remedy this without
shutting the system down and grabbing the VMEM file?
You shouldn't have to shut the system down, if you're using VMware
(which it sounds like you are from the "VMEM"), then you can just
suspend it and the contents of memory will be flushed to the .vmem
file.
What's the OS version of the VMware system and what was the
command-line that you used (i.e. did you use the right --profile)?
MHL
> Is it possible to substitute a valid DTB from another image into the memdump
> of a live VM machine with a Hex editor? And if it can be done does anyone
> know the addresses of that space to take out and substitute? I hope that
> made sense......
>
> If you look at a normal image of memory in a hex editor you can clearly see
> the difference between that and a VM dump from a live system, there seems to
> be some extra padded stuff right up front.
>
>
>
>
>
>
>
> Volatile Systems Volatility Framework 2.0
> No suitable address space mapping found
> Tried to open image as:
> WindowsHiberFileSpace32: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> JKIA32PagedMemory: No base Address Space
> JKIA32PagedMemoryPae: No base Address Space
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> WindowsHiberFileSpace32: No xpress signature fou
> WindowsCrashDumpSpace32: Header signature invali
> JKIA32PagedMemory: No valid DTB found
> JKIA32PagedMemoryPae: No valid DTB found
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> FileAddressSpace: Must be first Address Space
>
> Thanks
>
> Lou
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
7:10 p.m.
Hey Lou,
Also I remembered something about 2003 Server that you could try. A
few of my 2003 Server images have multiple KDBG signatures -
Volatility uses the first KDBG it finds which is sometimes the wrong
one. Can you run the kdbgscan and imageinfo plugins and paste the
results? If kdbgscan shows multiple KDBG addresses, try doing
--profile=Win2K3SP1x86 --kdbg=ADDRESS (for each KDBG) on command-line
and see if that solves anything?
Thanks,
MHL
On Mon, Feb 13, 2012 at 3:25 PM, Lou <louislarocca(a)gmail.com> wrote:
Ok will do...and it is v6
Sent from my iPad
On Feb 13, 2012, at 1:50 PM, "Andre' M. DiMino"
<adimino(a)sempersecurus.org> wrote:
Lou,
Try FTK Imager Lite v2.9.0. You can run it off a thumbdrive and it will
capture RAM in a format suitable for Volatility.
It's much better than Linen and has a pretty light footprint as far as
artifacts go.
http://accessdata.com/support/adownloads
Andre' M. DiMino
Deep End Research
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
On 02/13/2012 01:31 PM, Lou wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users Thanks for the responses, the VM is running 2003
server sp1. And I didnt capture it with the normal image tools. I used EnCase Enterprise
to connect to the system and grab memory, however now that I think about it I'll try
to use a capture tool and DD it. That may solve it, EnCase doesn't do a DD
image..unless I use a stand alone tool Winen that comes packaged with EnCase.
I'll grab another dump and post back with my command line options after the dump.
Sent from my iPad
On Feb 12, 2012, at 6:36 PM, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users Lou,
On Fri, Feb 10, 2012 at 10:48 PM, Lou LaRocca <louislarocca(a)gmail.com> wrote:
> When imaging memory on a live VM system to do analysis for malware
> Volatililty does not recognize it (see below). Is there anyone on this
> mailing list that has the knowledge on how I can remedy this without
> shutting the system down and grabbing the VMEM file?
You shouldn't have to shut the system down, if you're using VMware
(which it sounds like you are from the "VMEM"), then you can just
suspend it and the contents of memory will be flushed to the .vmem
file.
What's the OS version of the VMware system and what was the
command-line that you used (i.e. did you use the right --profile)?
MHL
> Is it possible to substitute a valid DTB from another image into the memdump
> of a live VM machine with a Hex editor? And if it can be done does anyone
> know the addresses of that space to take out and substitute? I hope that
> made sense......
>
> If you look at a normal image of memory in a hex editor you can clearly see
> the difference between that and a VM dump from a live system, there seems to
> be some extra padded stuff right up front.
>
>
>
>
>
>
>
> Volatile Systems Volatility Framework 2.0
> No suitable address space mapping found
> Tried to open image as:
> WindowsHiberFileSpace32: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> JKIA32PagedMemory: No base Address Space
> JKIA32PagedMemoryPae: No base Address Space
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> WindowsHiberFileSpace32: No xpress signature fou
> WindowsCrashDumpSpace32: Header signature invali
> JKIA32PagedMemory: No valid DTB found
> JKIA32PagedMemoryPae: No valid DTB found
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> FileAddressSpace: Must be first Address Space
>
> Thanks
>
> Lou
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users 
10:23 a.m.
Good point. We might want to add some troubleshooting documentation that includes
multiple KDBG signatures.
For some reason I didn't reply to the list yesterday with my response to Lou.
I'll give the gist here in case anyone else might be interested.
One thing I had suggested was to convert the EnCase file to DD format with FTK Imager.
I had also asked Lou if he had v6 or v7. Lou confirmed that it is v6 so it should be
supported (well it was anyway when I tested). EnCase v7 file format is different and not
currently supported. However, this is probably low priority since most people don't
seem anxious to move to v7 anytime soon ;-)
All the best,
-Gleeda
-----Original Message-----
From: Michael Hale Ligh <michael.hale(a)gmail.com>
Sender: vol-users-bounces(a)volatilesystems.com
Date: Mon, 13 Feb 2012 19:10:31
To: Lou<louislarocca(a)gmail.com>
Cc: vol-users@volatilesystems.com<vol-users@volatilesystems.com>
Subject: Re: [Vol-users] VM image of memory- This is not a VMEM file
Hey Lou,
Also I remembered something about 2003 Server that you could try. A
few of my 2003 Server images have multiple KDBG signatures -
Volatility uses the first KDBG it finds which is sometimes the wrong
one. Can you run the kdbgscan and imageinfo plugins and paste the
results? If kdbgscan shows multiple KDBG addresses, try doing
--profile=Win2K3SP1x86 --kdbg=ADDRESS (for each KDBG) on command-line
and see if that solves anything?
Thanks,
MHL
On Mon, Feb 13, 2012 at 3:25 PM, Lou <louislarocca(a)gmail.com> wrote:
Ok will do...and it is v6
Sent from my iPad
On Feb 13, 2012, at 1:50 PM, "Andre' M. DiMino"
<adimino(a)sempersecurus.org> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilesystems.com
http://lists.volatilesystems.com/mailman/listinfo/vol-users
Lou,
Try FTK Imager Lite v2.9.0. You can run it off a thumbdrive and it will
capture RAM in a format suitable for Volatility.
It's much better than Linen and has a pretty light footprint as far as
artifacts go.
http://accessdata.com/support/adownloads
Andre' M. DiMino
Deep End Research
http://deependresearch.org
http://sempersecurus.org
"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
On 02/13/2012 01:31 PM, Lou wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilesystems.com
http://lists.volatilesystems.com/mailman/listinfo/vol-users
Thanks for the responses, the VM is running 2003
server sp1. And I didnt capture it with the normal image tools. I used EnCase Enterprise
to connect to the system and grab memory, however now that I think about it I'll try
to use a capture tool and DD it. That may solve it, EnCase doesn't do a DD
image..unless I use a stand alone tool Winen that comes packaged with EnCase.
I'll grab another dump and post back with my command line options after the dump.
Sent from my iPad
On Feb 12, 2012, at 6:36 PM, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilesystems.com
http://lists.volatilesystems.com/mailman/listinfo/vol-users
Lou,
On Fri, Feb 10, 2012 at 10:48 PM, Lou LaRocca <louislarocca(a)gmail.com> wrote:
> When imaging memory on a live VM system to do analysis for malware
> Volatililty does not recognize it (see below). Is there anyone on this
> mailing list that has the knowledge on how I can remedy this without
> shutting the system down and grabbing the VMEM file?
You shouldn't have to shut the system down, if you're using VMware
(which it sounds like you are from the "VMEM"), then you can just
suspend it and the contents of memory will be flushed to the .vmem
file.
What's the OS version of the VMware system and what was the
command-line that you used (i.e. did you use the right --profile)?
MHL
> Is it possible to substitute a valid DTB from another image into the memdump
> of a live VM machine with a Hex editor? And if it can be done does anyone
> know the addresses of that space to take out and substitute? I hope that
> made sense......
>
> If you look at a normal image of memory in a hex editor you can clearly see
> the difference between that and a VM dump from a live system, there seems to
> be some extra padded stuff right up front.
>
>
>
>
>
>
>
> Volatile Systems Volatility Framework 2.0
> No suitable address space mapping found
> Tried to open image as:
> WindowsHiberFileSpace32: No base Address Space
> WindowsCrashDumpSpace32: No base Address Space
> JKIA32PagedMemory: No base Address Space
> JKIA32PagedMemoryPae: No base Address Space
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> WindowsHiberFileSpace32: No xpress signature fou
> WindowsCrashDumpSpace32: Header signature invali
> JKIA32PagedMemory: No valid DTB found
> JKIA32PagedMemoryPae: No valid DTB found
> IA32PagedMemoryPae: Module disabled
> IA32PagedMemory: Module disabled
> FileAddressSpace: Must be first Address Space
>
> Thanks
>
> Lou
>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilesystems.com
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilesystems.com
http://lists.volatilesystems.com/mailman/listinfo/vol-users
4657
days inactive
4660
days old
vol-users@lists.volatilityfoundation.org
7 comments
6 participants
participants (6)
-
Andre' M. DiMino -
Jamie Levy -
Lou -
Lou LaRocca
-
Michael Hale Ligh -
Mike Lambert