9:56 a.m.
I know we can't work on Windows Server 2008 with Volatility at this time.
What products are capable of examining Windows Server 2008?
Thanks,
Mike
10:31 a.m.
Do you have a specific issue with Server 2008 (other than not knowing
it was supported since 2.0)?
On Mon, Jul 2, 2012 at 9:56 AM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
I know we can't work on Windows Server 2008 with
Volatility at this time.
What products are capable of examining Windows Server 2008?
Thanks,
Mike
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
10:58 a.m.
Oooppss, I did not put "64 bit" in the message. I imagine that 2.1 will support
it. I am looking foreward to that.
Date: Mon, 2 Jul 2012 10:31:31 -0400
Subject: Re: [Vol-users] Windows Server 2008
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Do you have a specific issue with Server 2008 (other than not knowing
it was supported since 2.0)?
On Mon, Jul 2, 2012 at 9:56 AM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
> I know we can't work on Windows Server 2008 with Volatility at this time.
> What products are capable of examining Windows Server 2008?
>
> Thanks,
> Mike
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
10:59 a.m.
Windbg.
Troy
________________________________
From: vol-users-bounces(a)volatilityfoundation.org [vol-users-bounces(a)volatilesystems.com]
on behalf of Mike Lambert [dragonforen(a)hotmail.com]
Sent: Monday, July 02, 2012 7:58 AM
To: Michael Hale
Cc: Volatility List
Subject: RE: [Vol-users] Windows Server 2008
Oooppss, I did not put "64 bit" in the message. I imagine that 2.1 will support
it. I am looking foreward to that.
Date: Mon, 2 Jul 2012 10:31:31 -0400
Subject: Re: [Vol-users] Windows Server 2008
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
Do you have a specific issue with Server 2008 (other than not knowing
it was supported since 2.0)?
On Mon, Jul 2, 2012 at 9:56 AM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
> I know we can't work on Windows Server 2008 with Volatility at this time.
> What products are capable of examining Windows Server 2008?
>
> Thanks,
> Mike
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
1:45 p.m.
On 7/2/2012 10:59 AM, Troy Larson (NETSEC) wrote:
Windbg.
Troy
One of my favorite tools, aside from KnTList. To my mind it is an
essential tool if you want to get serious about memory analysis. But
then you need to be able to convert your memory dumps to MS crashdump
format.
While I am on the subject, the version of Windbg that ships with w8 RC
WDK includes a .segmentation command which is useful when using Windbg
to analyze 64-bit memory images. Basically, you enter the following two
commands after opening a 64-bit crashdump and all will be joy (with Windbg):
.segmentation /V /X /a
.effmach . (note literal dot).
4:06 p.m.
George,
I will often use livekd -o for generating memory dumps. If I want to get a clean kernel
dump, then I use livekd -m -o.
Troy
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilesystems.com] On Behalf Of George M. Garner Jr.
Sent: Monday, July 02, 2012 10:45 AM
To: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Windows Server 2008
On 7/2/2012 10:59 AM, Troy Larson (NETSEC) wrote:
Windbg.
Troy
One of my favorite tools, aside from KnTList. To my mind it is an essential tool if you
want to get serious about memory analysis. But then you need to be able to convert your
memory dumps to MS crashdump format.
While I am on the subject, the version of Windbg that ships with w8 RC WDK includes a
.segmentation command which is useful when using Windbg to analyze 64-bit memory images.
Basically, you enter the following two commands after opening a 64-bit crashdump and all
will be joy (with Windbg):
.segmentation /V /X /a
.effmach . (note literal dot).
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
5:51 p.m.
Windbg is a valuable resource for sure, one of the main reasons we
brought back the raw2dmp plugin [1]. Sometimes its not practical to
install Debugging Tools for Windows on a suspect machine in order to
dump memory with livekd, so in those cases you can acquire with KntDD
and either analyze with volatility, KnTList, or convert to MS
crashdump with raw2dmp then use WinDbg on your analysis machine.
Everyone has their favorite methods ;-)
MHL
[1]. https://code.google.com/p/volatility/wiki/CommandReference21#raw2dmp
On Mon, Jul 2, 2012 at 4:06 PM, Troy Larson (NETSEC)
<troyla(a)microsoft.com> wrote:
George,
I will often use livekd -o for generating memory dumps. If I want to get a clean kernel
dump, then I use livekd -m -o.
Troy
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilesystems.com] On Behalf Of George M. Garner Jr.
Sent: Monday, July 02, 2012 10:45 AM
To: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Windows Server 2008
On 7/2/2012 10:59 AM, Troy Larson (NETSEC) wrote:
Windbg.
Troy
One of my favorite tools, aside from KnTList. To my mind it is an essential tool if you
want to get serious about memory analysis. But then you need to be able to convert your
memory dumps to MS crashdump format.
While I am on the subject, the version of Windbg that ships with w8 RC WDK includes a
.segmentation command which is useful when using Windbg to analyze 64-bit memory images.
Basically, you enter the following two commands after opening a 64-bit crashdump and all
will be joy (with Windbg):
.segmentation /V /X /a
.effmach . (note literal dot).
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users 
5:56 p.m.
Troy,
Would you care to share what type of analysis you are performing with
windbg? How frequently are you doing this type of analysis? I'm sure
people would be interested in the types of things you look for and the
steps you typically take to find them. While I use windbg for a number of
things, I don't typically use it during investigations.
As for acquisition, have you ever measured the impact of using livekd as
your acquisition mechanism? Have you found any limitations associated with
this approach? Have you ever run into instances where it conflicted with
installed security software? Do you install livekd as a part of your IR
process?
Thanks,
AW
On Mon, 2 Jul 2012, Troy Larson (NETSEC) wrote:
George,
I will often use livekd -o for generating memory dumps. If I want to get a clean kernel
dump, then I use livekd -m -o.
Troy
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilityfoundation.org] On Behalf Of George M. Garner Jr.
Sent: Monday, July 02, 2012 10:45 AM
To: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Windows Server 2008
On 7/2/2012 10:59 AM, Troy Larson (NETSEC) wrote:
Windbg.
Troy
One of my favorite tools, aside from KnTList. To my mind it is an
essential tool if you want to get serious about memory analysis. But
then you need to be able to convert your memory dumps to MS crashdump
format.
While I am on the subject, the version of Windbg that ships with w8 RC
WDK includes a .segmentation command which is useful when using Windbg
to analyze 64-bit memory images. Basically, you enter the following two
commands after opening a 64-bit crashdump and all will be joy (with
Windbg):
.segmentation /V /X /a
.effmach . (note literal dot).
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
11:42 a.m.
Aaron,
As a matter of policy, I don't discuss what I actually do, per se, but rather some of
the things that can be done with respect to Windows forensics.
I have a variety of tools that I can use for memory imaging and analysis. Unfortunately,
I don't have access to Mr. Garner's tools, as I moved teams.
The Microsoft debugging tools can be used for both imaging and analysis. My environment
is primarily x64, Windows 7, with a large and growing base of Windows 8. We have to be
flexible in our tools and procedures due to the fact that external tools usually lag our
environment by several months to a year or more.
For imaging memory, one can use LiveKD, a SysInternals tool, which uses kd.exe to do the
memory imaging. It is not necessary to install the debugging tools on the system you are
going to image. One just needs to provide a folder with LiveKD and the debugging tools
appropriate to the processor environment (x86/x64). You may need no more in the folder
than a few of the executables and dlls from the Windows debugging tools, but I haven't
extensively tested which files are absolutely necessary.
To use LiveKD to image, you must first set the symbol path. This can be done at the
command line by the following:
Set _NT_SYMBOL_PATH=srv*[drive letter]:\[local path] \Symbols
*http://msdl.microsoft.com/download/symbols
The actual command to dump memory is as follows:
Livekd.exe -o memory.dmp
To capture a consistent kernel dump, one can add the -m switch:
Livekd.exe -m -o memory.dmp
(See: http://technet.microsoft.com/en-us/sysinternals/bb897415)
One of the potential drawbacks to LiveKD imaging is that the process requires access to
the Microsoft symbol servers to pull the kernel symbols for the system you are imaging.
This process can be controlled by providing the correct symbols file for the kernel in
location specified by Set _NT_SYMBOL_PATH=srv*[drive letter]:\[local path] \Symbols. To
obtain the correct symbol file for the kernel, copy off the kernel file (Ntoskrnl.exe),
and run symchk:
symchk /if [local path]\ Ntoskrnl.exe /s srv*[local
path]:\DebugSymbols*http://msdl.microsoft.com/download/symbols
See: Windows Sysinternals Administrator's Reference
LiveKD can also be used to image the memory of a Hyper-V guest VM from the root OS.
Livekd -hvl
will list the VMs.
Livekd -o [local path]\dumpfilename.dmp -hv [VM GUID]
Will create a dump of the VM memory of the specified VM from the root OS.
Process memory can be imaged by using the SysInternals tool Procdump with the -ma switch.
(See: http://technet.microsoft.com/en-us/sysinternals/dd996900 )
To capture a memory dump for all process, one can use a for loop to pipe the output of
PSList (SysInternals) to Procdump iteratively.
As for analysis, a good deal of malware shows itself when the modules are listed in the
debugger. For example, Stuxnet:
8d793000 8d79d000 nsiproxy (private pdb symbols)
C:\Debuggers\sym\nsiproxy.pdb\C05F47CD56124B77BD71E3DFB669D4FF1\nsiproxy.pdb
8d79d000 8d79e680 msvmmouf (private pdb symbols)
C:\Debuggers\sym\msvmmouf.pdb\1234775836E14C2B869818BF740FE8DE1\msvmmouf.pdb
8d79f000 8d7a9000 mssmbios (private pdb symbols)
C:\Debuggers\sym\mssmbios.pdb\B9453B9B745D45DE974BA45D910B78481\mssmbios.pdb
8d7a9000 8d7ab980 mrxnet (no symbols)
8d7ac000 8d7b0d80 mrxcls (no symbols)
8d7b1000 8d7bd000 discache (private pdb symbols)
C:\Debuggers\sym\discache.pdb\1F3066C30EA34CC381D3006454C11BD11\discache.pdb
8d7bd000 8d7ca000 CompositeBus (private pdb symbols)
C:\Debuggers\sym\CompositeBus.pdb\F0E80E78F49541FDB4CF0AEB667653381\CompositeBus.pdb
8d7ca000 8d7dc000 AgileVpn (private pdb symbols)
C:\Debuggers\sym\AgileVpn.pdb\F9ABC733237047E898B7404203D52EDE1\AgileVpn.pdb
8d7dc000 8d7f4000 rasl2tp (private pdb symbols)
C:\Debuggers\sym\rasl2tp.pdb\6F6760EF4A3149DC9C430CE8A37585B12\rasl2tp.pdb
For more examples of analysis, see:
http://blogs.msdn.com/b/ntdebugging/archive/2012/05/23/debugging-a-crash-fo…
http://www.reconstructer.org/
or search for windbg and malware.
I would be interested in any drawbacks or inadequacies people might see with any of these
approaches.
Thanks.
Troy Larson
-----Original Message-----
From: AAron Walters [mailto:awalters@4tphi.net]
Sent: Monday, July 02, 2012 2:57 PM
To: Troy Larson (NETSEC)
Cc: George M. Garner Jr.; vol-users(a)volatilityfoundation.org
Subject: RE: [Vol-users] Windows Server 2008
Troy,
Would you care to share what type of analysis you are performing with windbg? How
frequently are you doing this type of analysis? I'm sure people would be interested in
the types of things you look for and the steps you typically take to find them. While I
use windbg for a number of things, I don't typically use it during investigations.
As for acquisition, have you ever measured the impact of using livekd as your acquisition
mechanism? Have you found any limitations associated with this approach? Have you ever run
into instances where it conflicted with installed security software? Do you install livekd
as a part of your IR process?
Thanks,
AW
On Mon, 2 Jul 2012, Troy Larson (NETSEC) wrote:
George,
I will often use livekd -o for generating memory dumps. If I want to get a clean kernel
dump, then I use livekd -m -o.
Troy
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilesystems.com] On Behalf Of George M. Garner Jr.
Sent: Monday, July 02, 2012 10:45 AM
To: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Windows Server 2008
On 7/2/2012 10:59 AM, Troy Larson (NETSEC) wrote:
Windbg.
Troy
One of my favorite tools, aside from KnTList. To my mind it is an
essential tool if you want to get serious about memory analysis. But
then you need to be able to convert your memory dumps to MS crashdump
format.
While I am on the subject, the version of Windbg that ships with w8 RC
WDK includes a .segmentation command which is useful when using Windbg
to analyze 64-bit memory images. Basically, you enter the following
two commands after opening a 64-bit crashdump and all will be joy
(with
Windbg):
.segmentation /V /X /a
.effmach . (note literal dot).
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
12:26 p.m.
Troy,
I would be interested in any drawbacks or inadequacies
people might
see with any of these approaches. <
I will address at present only the first method, using LiveKd to acquire
memory from the root OS. As we know, sophisticated malware can jump out
of common VM's to the root partition. So you have to be certain that
the root partition is clean before you can reliably acquire memory from
the other partitions.
LiveKd does produce a nice clean dump in MS crashdump format. However,
the method does have a few disadvantages of which readers should be
aware. The first disadvantage, as Aaron has already noted, is that
LiveKd requires that you have Windbg installed. Readers of the list who
are required to follow a forensic methodology may find that
objectionable. However, more importantly, LiveKd essentially attaches a
debugger to the system. Attaching a debugger to a contemporary version
of Windows makes some significant changes to the operating system. For
example, the values of nt!KdDebuggerEnabled and nt!KdDebuggerNotPresent
are changed. On x64 systems the nt!KdDebuggerDataBlock is decoded and
important operating system components (e.g. Patchguard) are disabled. A
lot of contemporary malware will monitor the values of
nt!KdDebuggerEnabled and/or nt!KdDebuggerNotPresent and either change
behavior or melt when a debugger is present.
A third problem is that LiveKd (like most memory forensic acquisition
tools) only acquires physical memory within the OS physical memory map.
It is relatively trivial, using undocumented but exported OS API's, to
remove memory from the physical memory map so that the critical evidence
is never acquired for analysis by most contemporary memory forensic
acquisition tools. Also, some important memory artifacts may be found
outside of the physical memory map even in the absence of more advanced
hiding techniques. For example, the real mode interrupt vector table is
located outside of the physical memory map. When BIOS or bootkits load,
they typically copy some real mode code to the top of real mode memory
in an area that is outside of the physical memory map. It is true that
most bootkits today will attempt to remove those artifacts. However, as
is often the case, installing the malicious code and then removing it is
not the same as never having installed the code at all. Subtle changes
remain which may be your only indication that you need to investigate
this system further. The ACPI tables are not part of the physical
memory map. NVRAM is not part of the physical memory map. Processor
MSR registers and IOAPIC are not part of the physical memory map. Yet
they both can be used to alter the flow of execution. Michael may wish
to believe that this additional information "may be irrelevant for many
investigations."
http://lists.volatilityfoundation.org/pipermail/vol-users/2012-March/000350….
However, those are the cases that bite you in the ass.
There is no magic bullet. Every investigative method has its advantages
and disadvantages. However, whatever method you choose, it is important
to understand how the method may affect the outcome of the
investigation. At GMG Systems, we generally adopt the philosophy that
more evidence is better than less. If you acquire enough evidence you
are free to disregard some of it if you do not believe it pertinent to
the current investigation. You still can come back to it later when you
realize that you may have made a mistake. If you do not acquire some
evidence, that pretty much limits your options for the future. Whatever
method you choose, the "bad guys" will find out about it and look for
its weaknesses. That is one reason why it is important to properly test
your tools: So you are not the only one who does not know what those
weaknesses are.
When the operating system creates a memory dump it saves the current
processor state to Pcr->Prcb.ProcessorState. The debug engine (i.e.
Windbg) reads a value from that processor state to determine the
segmentation (16-bit real mode, 32-bit or 64-bit proteccted mode) of the
memory dump. We don't want to write anything to
Pcr->Prcb.ProcessorState because we make a forensic tool and the
information that would be overwritten might be relevant to some
investigation. For example, it might contain the state from the last
time the system hibernated. Most often though it just contains zeroes,
which makes Windbg think that this is a 16-bit real mode memory dump.
The irony is that Windbg uses a 64-bit linear address to look up
Pcr->Prcb.ProcessorState. So it already knows that this is not a 16-bit
memory dump (like that is ever going to happen on a contemporary version
of Windows). Until the latest version of Windbg there was no way to
tell Windbg that it had made a mistake (aside from attaching another
instance of Windbg and stuffing values into the debug engine. But now
we can.
... external tools usually lag our environment by
several months
to a year or more. <
Think in terms of days, not weeks.
Regards,
George.
1:06 p.m.
George,
Thanks very much. This is good.
This is probably quibbling over semantics, but it is not necessary to install WinDBG on
the system whose memory you want to image. You can run LiveKD from a USB drive or mapped
share. I have used LiveKD to image locally and remotely without installing anything on
the host. LiveKD, kd.exe, and several other files from the Microsoft debugging toolset
have to be available to the system being imaged, however.
Everything you said makes sense, and it is quite valuable to have called out--especially
by one of the top guys in the field. In fact, I was hoping you and others would speak up
to poke all the holes you could. If I or anyone else used the procedures I outlined, they
should be fully informed regarding potential drawbacks.
If your memory toolset is already Windows 8 and Server 21012 ready, I will have to see if
we can fit it in the budget. Having used your tools in the past, I wouldn't hesitate
to employ them again.
As for lag in the rest of our tool set, unfortunately for too many tools, it is too often
several months to years more us. Many very well-known forensics tools are not really NTFS
reliable, and we have no tools yet for Windows 8 WinInet artifacts or the new file system.
Since we have tens of thousands of Windows 8 and 2012 systems running already, we have
already been feeling the lag.
Thank you very much. And don't be hesitant to take any of my suggestions or
procedures to task.
Troy
-----Original Message-----
From: vol-users-bounces(a)volatilityfoundation.org
[mailto:vol-users-bounces@volatilesystems.com] On Behalf Of George M. Garner Jr.
Sent: Tuesday, July 03, 2012 9:27 AM
Cc: vol-users(a)volatilityfoundation.org
Subject: Re: [Vol-users] Windows Server 2008
Troy,
I would be interested in any drawbacks or inadequacies
people might see with any of these approaches. <
I will address at present only the first method, using LiveKd to acquire memory from the
root OS. As we know, sophisticated malware can jump out of common VM's to the root
partition. So you have to be certain that the root partition is clean before you can
reliably acquire memory from the other partitions.
LiveKd does produce a nice clean dump in MS crashdump format. However, the method does
have a few disadvantages of which readers should be
aware. The first disadvantage, as Aaron has already noted, is that
LiveKd requires that you have Windbg installed. Readers of the list who are required to
follow a forensic methodology may find that objectionable. However, more importantly,
LiveKd essentially attaches a debugger to the system. Attaching a debugger to a
contemporary version of Windows makes some significant changes to the operating system.
For example, the values of nt!KdDebuggerEnabled and nt!KdDebuggerNotPresent are changed.
On x64 systems the nt!KdDebuggerDataBlock is decoded and important operating system
components (e.g. Patchguard) are disabled. A lot of contemporary malware will monitor the
values of nt!KdDebuggerEnabled and/or nt!KdDebuggerNotPresent and either change behavior
or melt when a debugger is present.
A third problem is that LiveKd (like most memory forensic acquisition
tools) only acquires physical memory within the OS physical memory map.
It is relatively trivial, using undocumented but exported OS API's, to remove memory
from the physical memory map so that the critical evidence is never acquired for analysis
by most contemporary memory forensic acquisition tools. Also, some important memory
artifacts may be found outside of the physical memory map even in the absence of more
advanced hiding techniques. For example, the real mode interrupt vector table is located
outside of the physical memory map. When BIOS or bootkits load, they typically copy some
real mode code to the top of real mode memory in an area that is outside of the physical
memory map. It is true that most bootkits today will attempt to remove those artifacts.
However, as is often the case, installing the malicious code and then removing it is not
the same as never having installed the code at all. Subtle changes remain which may be
your only indication that you need to investigate this system further. The ACPI tables
are not part of the physical memory map. NVRAM is not part of the physical memory map.
Processor MSR registers and IOAPIC are not part of the physical memory map. Yet they both
can be used to alter the flow of execution. Michael may wish to believe that this
additional information "may be irrelevant for many investigations."
http://lists.volatilityfoundation.org/pipermail/vol-users/2012-March/000350….
However, those are the cases that bite you in the ass.
There is no magic bullet. Every investigative method has its advantages and
disadvantages. However, whatever method you choose, it is important to understand how the
method may affect the outcome of the investigation. At GMG Systems, we generally adopt
the philosophy that more evidence is better than less. If you acquire enough evidence you
are free to disregard some of it if you do not believe it pertinent to the current
investigation. You still can come back to it later when you realize that you may have
made a mistake. If you do not acquire some evidence, that pretty much limits your options
for the future. Whatever method you choose, the "bad guys" will find out about
it and look for its weaknesses. That is one reason why it is important to properly test
your tools: So you are not the only one who does not know what those weaknesses are.
When the operating system creates a memory dump it saves the current processor state to
Pcr->Prcb.ProcessorState. The debug engine (i.e.
Windbg) reads a value from that processor state to determine the segmentation (16-bit real
mode, 32-bit or 64-bit proteccted mode) of the memory dump. We don't want to write
anything to
Pcr->Prcb.ProcessorState because we make a forensic tool and the
information that would be overwritten might be relevant to some investigation. For
example, it might contain the state from the last time the system hibernated. Most often
though it just contains zeroes, which makes Windbg think that this is a 16-bit real mode
memory dump.
The irony is that Windbg uses a 64-bit linear address to look up
Pcr->Prcb.ProcessorState. So it already knows that this is not a 16-bit
memory dump (like that is ever going to happen on a contemporary version of Windows).
Until the latest version of Windbg there was no way to tell Windbg that it had made a
mistake (aside from attaching another instance of Windbg and stuffing values into the
debug engine. But now we can.
... external tools usually lag our environment by
several months > to a year or more. <
Think in terms of days, not weeks.
Regards,
George.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
11:14 a.m.
Is anyone unfortunate enough to still be using Windows Vista (x86 or
x64)? :-) I received a free copy when it first came out and never
installed it.
11:27 a.m.
Hey George,
We have a test systems, is there someone you need tested?
MHL
On Mon, Jul 2, 2012 at 11:14 AM, George M. Garner Jr.
<ggarner_online(a)gmgsystemsinc.com> wrote:
Is anyone unfortunate enough to still be using Windows
Vista (x86 or x64)?
:-) I received a free copy when it first came out and never installed it.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
11:30 a.m.
Michael,
Sorry, it was an attempt at humor (hence the emoticon). Obviously, the
attempt failed. :-)
Regards,
G.
11:36 a.m.
Haha no problem. I just want to make sure that we do fully support
Vista and 2008 both x86 and x64 since we claim to support them...even
if they're not widely used.
MHL
On Mon, Jul 2, 2012 at 11:30 AM, George M. Garner Jr.
<ggarner_online(a)gmgsystemsinc.com> wrote:
Michael,
Sorry, it was an attempt at humor (hence the emoticon). Obviously, the
attempt failed. :-)
Regards,
G.
12:19 p.m.
Sadly, I still have a machine at work running Vista 64. Hoping to be given
a budget someday so I can upgrade it.
Ken
On Mon, Jul 2, 2012 at 10:30 AM, George M. Garner Jr. <
ggarner_online(a)gmgsystemsinc.com> wrote:
Michael,
Sorry, it was an attempt at humor (hence the emoticon). Obviously, the
attempt failed. :-)
Regards,
G.
______________________________**_________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilesystems.**com/mailman/listinfo/vol-users<http://lis…
12:35 p.m.
Hi Ken,
Nice to see you here :-)
We'd be grateful if you could run through some commands on a mem dump from your work
machine and report any issues. We plan to announce 2.1 RC1 shortly but nothing major
should change regarding the vista/2008 profiles between now and then, so you should be
able to get a head start by just checking out the latest svn trunk.
Thanks all!
MHL
Sent from my iPhone
On Jul 2, 2012, at 12:19 PM, Ken Pryor <kdpryor(a)gmail.com> wrote:
Sadly, I still have a machine at work running Vista
64. Hoping to be given a budget someday so I can upgrade it.
Ken
On Mon, Jul 2, 2012 at 10:30 AM, George M. Garner Jr.
<ggarner_online(a)gmgsystemsinc.com> wrote:
Michael,
Sorry, it was an attempt at humor (hence the emoticon). Obviously, the attempt failed.
:-)
Regards,
G.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
11:14 a.m.
Yes 2.1 has support for the following profiles (available in svn now
if you want to test):
$ python vol.py --info
--------
VistaSP0x64 - A Profile for Windows Vista SP0 x64
VistaSP0x86 - A Profile for Windows Vista SP0 x86
VistaSP1x64 - A Profile for Windows Vista SP1 x64
VistaSP1x86 - A Profile for Windows Vista SP1 x86
VistaSP2x64 - A Profile for Windows Vista SP2 x64
VistaSP2x86 - A Profile for Windows Vista SP2 x86
Win2003SP0x86 - A Profile for Windows 2003 SP0 x86
Win2003SP1x64 - A Profile for Windows 2003 SP1 x64
Win2003SP1x86 - A Profile for Windows 2003 SP1 x86
Win2003SP2x64 - A Profile for Windows 2003 SP2 x64
Win2003SP2x86 - A Profile for Windows 2003 SP2 x86
Win2008R2SP0x64 - A Profile for Windows 2008 R2 SP0 x64
Win2008R2SP1x64 - A Profile for Windows 2008 R2 SP1 x64
Win2008SP1x64 - A Profile for Windows 2008 SP1 x64
Win2008SP1x86 - A Profile for Windows 2008 SP1 x86
Win2008SP2x64 - A Profile for Windows 2008 SP2 x64
Win2008SP2x86 - A Profile for Windows 2008 SP2 x86
Win7SP0x64 - A Profile for Windows 7 SP0 x64
Win7SP0x86 - A Profile for Windows 7 SP0 x86
Win7SP1x64 - A Profile for Windows 7 SP1 x64
Win7SP1x86 - A Profile for Windows 7 SP1 x86
WinXPSP1x64 - A Profile for Windows XP SP1 x64
WinXPSP2x64 - A Profile for Windows XP SP2 x64
WinXPSP2x86 - A Profile for Windows XP SP2 x86
WinXPSP3x86 - A Profile for Windows XP SP3 x86
On Mon, Jul 2, 2012 at 10:58 AM, Mike Lambert <dragonforen(a)hotmail.com> wrote:
Oooppss, I did not put "64 bit" in the
message. I imagine that 2.1
will support it. I am looking foreward to that.
Date: Mon, 2 Jul 2012 10:31:31 -0400
Subject: Re: [Vol-users] Windows Server 2008
From: michael.hale(a)gmail.com
To: dragonforen(a)hotmail.com
CC: vol-users(a)volatilityfoundation.org
>
> Do you have a specific issue with Server 2008 (other than not knowing
> it was supported since 2.0)?
>
> On Mon, Jul 2, 2012 at 9:56 AM, Mike Lambert <dragonforen(a)hotmail.com>
> wrote:
> > I know we can't work on Windows Server 2008 with Volatility at this
> > time.
> > What products are capable of examining Windows Server 2008?
> >
> > Thanks,
> > Mike
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users(a)volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> > 
10:59 a.m.
Perhaps it's an issue of plugins...I've only worked with a 2008R2 image,
but found than many of the plugins failed to work properly. Some would (I
believe it was the '*scan' ones), but many did not. I would be interested
in any tips or tricks for analyzing such images as well...
Cheers,
Jesse
On Mon, Jul 2, 2012 at 10:31 AM, Michael Hale Ligh
<michael.hale(a)gmail.com>wrote:
Do you have a specific issue with Server 2008 (other
than not knowing
it was supported since 2.0)?
On Mon, Jul 2, 2012 at 9:56 AM, Mike Lambert <dragonforen(a)hotmail.com>
wrote:
--
Jesse Bowling
I know we can't work on Windows Server 2008
with Volatility at this time.
What products are capable of examining Windows Server 2008?
Thanks,
Mike
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
11:14 a.m.
Hi Jesse,
Would you be able to remember which plugins failed and provide any
output from the failed plugins (i.e. anything that'd help us
troubleshoot the issues)?
MHL
On Mon, Jul 2, 2012 at 10:59 AM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
Perhaps it's an issue of plugins...I've only
worked with a 2008R2 image, but
found than many of the plugins failed to work properly. Some would (I
believe it was the '*scan' ones), but many did not. I would be interested in
any tips or tricks for analyzing such images as well...
Cheers,
Jesse
On Mon, Jul 2, 2012 at 10:31 AM, Michael Hale Ligh <michael.hale(a)gmail.com>
wrote:
Do you have a specific issue with Server 2008 (other than not knowing
it was supported since 2.0)?
On Mon, Jul 2, 2012 at 9:56 AM, Mike Lambert <dragonforen(a)hotmail.com>
wrote:
--
Jesse Bowling
I know we can't work on Windows Server 2008
with Volatility at this
time.
What products are capable of examining Windows Server 2008?
Thanks,
Mike
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users 
12:52 p.m.
Also, there are two Windows 2008 x64 profiles: One for Windows 2008
x64 (related to Vista x64) and one for R2 (related to Win 7 x64). Are
you sure you used the correct profile for R2?
On Mon, Jul 2, 2012 at 11:14 AM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
Hi Jesse,
Would you be able to remember which plugins failed and provide any
output from the failed plugins (i.e. anything that'd help us
troubleshoot the issues)?
MHL
On Mon, Jul 2, 2012 at 10:59 AM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
Perhaps it's an issue of plugins...I've
only worked with a 2008R2 image, but
found than many of the plugins failed to work properly. Some would (I
believe it was the '*scan' ones), but many did not. I would be interested in
any tips or tricks for analyzing such images as well...
Cheers,
Jesse
On Mon, Jul 2, 2012 at 10:31 AM, Michael Hale Ligh <michael.hale(a)gmail.com>
wrote:
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Do you have a specific issue with Server 2008 (other than not knowing
it was supported since 2.0)?
On Mon, Jul 2, 2012 at 9:56 AM, Mike Lambert <dragonforen(a)hotmail.com>
wrote:
--
Jesse Bowling
I know we can't work on Windows Server 2008
with Volatility at this
time.
What products are capable of examining Windows Server 2008?
Thanks,
Mike
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
1:02 p.m.
Jesse,
Could you provide some extra context:
1) Hardware Architecture (x86, x64)
2) File Format (raw, dmp, etc)
3) How the sample was collected?
When the scan plugins are successful and the rest fail, it is
generally a format issue.
Thanks,
AW
PS. I still owe you a call ;(.
On Mon, 2 Jul 2012, Jesse Bowling wrote:
Perhaps it's an issue of plugins...I've only
worked with a 2008R2 image,
but found than many of the plugins failed to work properly. Some would (I
believe it was the '*scan' ones), but many did not. I would be interested
in any tips or tricks for analyzing such images as well...
Cheers,
Jesse
On Mon, Jul 2, 2012 at 10:31 AM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
Do you have a specific issue with Server 2008 (other than not
knowing
it was supported since 2.0)?
On Mon, Jul 2, 2012 at 9:56 AM, Mike Lambert
<dragonforen(a)hotmail.com> wrote:
I know we can't work on Windows Server 2008
with Volatility
at this time.
What products are capable of examining Windows
Server 2008?
Thanks,
Mike
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
Jesse Bowling
1:44 p.m.
Hi AAron,
On Mon, Jul 2, 2012 at 1:02 PM, AAron Walters <awalters(a)4tphi.net> wrote:
...Anytime. Once this damnable lack of power passes, I'd even offer to
exchange the call for beer-while-I-pick-your-brain. :)
1) Hardware Architecture (x86, x64)
x86_64
2) File Format (raw, dmp, etc)
3) How the sample was collected?
This was a VMWare 4.1 virtual machine that was paused, and the vmss file
copied out.
Much later I head referenced that pausing the virtual machine actually
causes a lot of information to be removed from memory due to the way VMWare
prepares the OS to pause... :( (Can you or anyone speak to the truth-iness
of this?)
This line produces output:
vol.py --profile=Win2008R2SP1x64 --dtb=0x187000 -f myimage.vmss psscan
While others like pslist or imageinfo fail to produce output at all, and
appear to hang (or at least, run longer than my patience, several hours at
one point):
# vol.py --profile=Win2008R2SP1x64 --dtb=0x187000 --verbose -d -f
myimage.vmss pslist
Volatile Systems Volatility Framework 2.1_alpha
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from
Win7SP01x64Syscalls
DEBUG : volatility.obj : Applying modification from Win7x64Tcpip
DEBUG : volatility.obj : Applying modification from
WinSyscallsAttribute
DEBUG : volatility.obj : Applying modification from WindowsVTypes
DEBUG : volatility.obj : Applying modification from HiberWin7SP01x64
DEBUG : volatility.obj : Applying modification from
Win64SyscallVTypes
DEBUG : volatility.obj : Applying modification from WindowsOverlay
DEBUG : volatility.obj : Applying modification from EThreadCreateTime
DEBUG : volatility.obj : Applying modification from MalwarePspCid
DEBUG : volatility.obj : Applying modification from UserAssistVTypes
DEBUG : volatility.obj : Applying modification from VistaWin7KPCR
DEBUG : volatility.obj : Applying modification from Win7x64Hiber
DEBUG : volatility.obj : Applying modification from
WinPEObjectClasses
DEBUG : volatility.obj : Applying modification from WinPEVTypes
DEBUG : volatility.obj : Applying modification from
WindowsObjectClasses
DEBUG : volatility.obj : Applying modification from
CmdHistoryObjectClasses
DEBUG : volatility.obj : Applying modification from
CmdHistoryVTypesWin7x64
DEBUG : volatility.obj : Applying modification from ExFastRefx64
DEBUG : volatility.obj : Applying modification from MalwareDrivers
DEBUG : volatility.obj : Applying modification from
MalwareObjectClasesXP
DEBUG : volatility.obj : Applying modification from MalwareSvcRecent
DEBUG : volatility.obj : Applying modification from
MalwareSvcRecentVTypesx64
DEBUG : volatility.obj : Applying modification from
UserAssistWin7VTypes
DEBUG : volatility.obj : Applying modification from Win2003MMVad
DEBUG : volatility.obj : Applying modification from Win7KDBG
DEBUG : volatility.obj : Applying modification from Win7ObjectClasses
DEBUG : volatility.obj : Applying modification from WinPEx64VTypes
DEBUG : volatility.obj : Applying modification from Windows64Overlay
DEBUG : volatility.obj : Applying modification from VistaMMVAD
DEBUG : volatility.obj : Applying modification from Win7x64DTB
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x37dfa10>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x3d86710>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
Offset(V) Name PID PPID Thds Hnds Time
---------- -------------------- ------ ------ ------ ------
-------------------
<here I hit Ctrl-C>
When the scan plugins are successful and the rest
fail, it is generally a
format issue.
Thanks,
AW
I'm happy to try any advice to get this working; although this is an old
case, I'm sure I'll have more like this and would love to be able to
properly collect and analyze 2008R2 from a VMWare instance...All advice
welcome. :)
Cheers,
Jesse
PS. I still owe you a call ;(.
On Mon, 2 Jul 2012, Jesse Bowling wrote:
Perhaps it's an issue of plugins...I've only worked with a 2008R2 image,
> but found than many of the plugins failed to work properly. Some would (I
> believe it was the '*scan' ones), but many did not. I would be interested
> in any tips or tricks for analyzing such images as well...
>
> Cheers,
>
> Jesse
>
> On Mon, Jul 2, 2012 at 10:31 AM, Michael Hale Ligh
> <michael.hale(a)gmail.com> wrote:
> Do you have a specific issue with Server 2008 (other than not
> knowing
> it was supported since 2.0)?
>
> On Mon, Jul 2, 2012 at 9:56 AM, Mike Lambert
> <dragonforen(a)hotmail.com> wrote:
> > I know we can't work on Windows Server 2008 with Volatility
> at this time.
> > What products are capable of examining Windows Server 2008?
> >
> > Thanks,
> > Mike
> >
> > ______________________________**_________________
> > Vol-users mailing list
> > Vol-users(a)volatilityfoundation.org
> >
http://lists.volatilesystems.**com/mailman/listinfo/vol-users<http://lis…
> >
> ______________________________**_________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
>
http://lists.volatilesystems.**com/mailman/listinfo/vol-users<http://lis…
>
>
>
>
> --
> Jesse Bowling
>
>
>
>
>
--
Jesse Bowling
12:48 a.m.
Jesse,
Much later I head referenced that pausing the virtual
machine actually
causes a lot of information to be removed from memory due to the way
VMWare prepares the OS to pause... :( (Can you or anyone speak to the
truth-iness of this?)
This is definitely something to take in consideration with this particular
acquisition method. I think you are referring to a comment that MHL made
previously about vmware tools. A similar thing happens when people
attempt to use hibernation files. Intuitively, what does it mean to resume
a network connection that disappeared hours, if not days, earlier? In some
instances, it is possible to still extract associated artifacts from
unallocated regions, a technique most debuggers don't handle very well.
...Anytime. Once this damnable lack of power passes,
I'd even offer to
exchange the call for beer-while-I-pick-your-brain. :)
Sounds like a plan. Send me a message off-list. If you have time in
October, you should also make plans to attend OMFW. The whole Vol dev
team and analysts will be in town.
Thanks for the emails!
AW
3:29 a.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hiya Jesse,
So in answer to your question, I believe vmware changed their memory
storage state when they stopped using .vmem (which was just a raw ram
image) and went to .vmss. I know someone was working on writing
address space for vmss, but unfortunately this early in the morning I
don't remember who. It's something we need to look into, so thanks
for bringing this to our attention...
Mike 5:)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iEYEARECAAYFAk/yn2gACgkQu7rWomwgFXrX0gCeM7gA1PA8boNhNPuTiQZ0HH3U
tDIAoIpV3KEL18iV/8YnQsBEUfeCEQTa
=XUsh
-----END PGP SIGNATURE-----
10:40 a.m.
Hey Jesse,
Coincidentally there was a code submission today that adds a vmss/vmsn
address space layer to volatility. If you have cycles to test with
your vmss, perhaps you could post some feedback on the issue?
https://code.google.com/p/volatility/issues/detail?id=288
If nothing else, this probably confirms that vmss are a slightly
different format than raw/vmem, thus your experiences with them in the
past is likely not specific to Server2008, its just a format thing
like AW suspected. But just to corroborate, can I ask a few questions:
* Have you tried analyzing a vmss from profiles other than Server2008?
If so, did any of the non-scanning plugins work?
* Have you tried acquiring memory from Server2008 using a method other
than suspending and copying out the vmss?
Thanks!
MHL
On Mon, Jul 2, 2012 at 1:44 PM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
Hi AAron,
On Mon, Jul 2, 2012 at 1:02 PM, AAron Walters <awalters(a)4tphi.net> wrote:
1) Hardware Architecture (x86, x64)
x86_64
2) File Format (raw, dmp, etc)
3) How the sample was collected?
This was a VMWare 4.1 virtual machine that was paused, and the vmss file
copied out.
Much later I head referenced that pausing the virtual machine actually
causes a lot of information to be removed from memory due to the way VMWare
prepares the OS to pause... :( (Can you or anyone speak to the truth-iness
of this?)
This line produces output:
vol.py --profile=Win2008R2SP1x64 --dtb=0x187000 -f myimage.vmss psscan
While others like pslist or imageinfo fail to produce output at all, and
appear to hang (or at least, run longer than my patience, several hours at
one point):
# vol.py --profile=Win2008R2SP1x64 --dtb=0x187000 --verbose -d -f
myimage.vmss pslist
Volatile Systems Volatility Framework 2.1_alpha
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from
Win7SP01x64Syscalls
DEBUG : volatility.obj : Applying modification from Win7x64Tcpip
DEBUG : volatility.obj : Applying modification from
WinSyscallsAttribute
DEBUG : volatility.obj : Applying modification from WindowsVTypes
DEBUG : volatility.obj : Applying modification from HiberWin7SP01x64
DEBUG : volatility.obj : Applying modification from
Win64SyscallVTypes
DEBUG : volatility.obj : Applying modification from WindowsOverlay
DEBUG : volatility.obj : Applying modification from EThreadCreateTime
DEBUG : volatility.obj : Applying modification from MalwarePspCid
DEBUG : volatility.obj : Applying modification from UserAssistVTypes
DEBUG : volatility.obj : Applying modification from VistaWin7KPCR
DEBUG : volatility.obj : Applying modification from Win7x64Hiber
DEBUG : volatility.obj : Applying modification from
WinPEObjectClasses
DEBUG : volatility.obj : Applying modification from WinPEVTypes
DEBUG : volatility.obj : Applying modification from
WindowsObjectClasses
DEBUG : volatility.obj : Applying modification from
CmdHistoryObjectClasses
DEBUG : volatility.obj : Applying modification from
CmdHistoryVTypesWin7x64
DEBUG : volatility.obj : Applying modification from ExFastRefx64
DEBUG : volatility.obj : Applying modification from MalwareDrivers
DEBUG : volatility.obj : Applying modification from
MalwareObjectClasesXP
DEBUG : volatility.obj : Applying modification from MalwareSvcRecent
DEBUG : volatility.obj : Applying modification from
MalwareSvcRecentVTypesx64
DEBUG : volatility.obj : Applying modification from
UserAssistWin7VTypes
DEBUG : volatility.obj : Applying modification from Win2003MMVad
DEBUG : volatility.obj : Applying modification from Win7KDBG
DEBUG : volatility.obj : Applying modification from Win7ObjectClasses
DEBUG : volatility.obj : Applying modification from WinPEx64VTypes
DEBUG : volatility.obj : Applying modification from Windows64Overlay
DEBUG : volatility.obj : Applying modification from VistaMMVAD
DEBUG : volatility.obj : Applying modification from Win7x64DTB
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x37dfa10>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x3d86710>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
Offset(V) Name PID PPID Thds Hnds Time
---------- -------------------- ------ ------ ------ ------
-------------------
<here I hit Ctrl-C>
When the scan plugins are successful and the rest fail, it is generally a
format issue.
Thanks,
AW
I'm happy to try any advice to get this working; although this is an old
case, I'm sure I'll have more like this and would love to be able to
properly collect and analyze 2008R2 from a VMWare instance...All advice
welcome. :)
Cheers,
Jesse
PS. I still owe you a call ;(.
...Anytime. Once this damnable lack of power passes, I'd even offer to
exchange the call for beer-while-I-pick-your-brain. :)
On Mon, 2 Jul 2012, Jesse Bowling wrote:
> Perhaps it's an issue of plugins...I've only worked with a 2008R2 image,
> but found than many of the plugins failed to work properly. Some would (I
> believe it was the '*scan' ones), but many did not. I would be interested
> in any tips or tricks for analyzing such images as well...
>
> Cheers,
>
> Jesse
>
> On Mon, Jul 2, 2012 at 10:31 AM, Michael Hale Ligh
> <michael.hale(a)gmail.com> wrote:
> Do you have a specific issue with Server 2008 (other than not
> knowing
> it was supported since 2.0)?
>
> On Mon, Jul 2, 2012 at 9:56 AM, Mike Lambert
> <dragonforen(a)hotmail.com> wrote:
> > I know we can't work on Windows Server 2008 with Volatility
> at this time.
> > What products are capable of examining Windows Server 2008?
> >
> > Thanks,
> > Mike
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users(a)volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
>
>
> --
> Jesse Bowling
>
>
>
>
--
Jesse Bowling
10:58 a.m.
Hi,
I'm the writer of the VMSS file format.
I joined the mailing list since this conversation was posted there,
hopefully I could shad some light over the issue.
as far as i can tell installing the VMSS address space plugin should solve
this issue.
the VMSS format is a hybrid of text and binary encoding, but most of the
memory indeed remains intact (there's an option to compress/encrypt but i
have never seen it used)
the format holds memory regions raw, so it's pretty easy to extract them
directly from the file.
from the tests I've made(a bulk of vmss files from different
ESXi/workstation installations), if there's no *.vmem attached to the image
the memory is probably embedded inside the VMSS/VMSN files and should
be available using my code.
if this isn't the case I'd love to get the VMSS file (if possible) and
check what's wrong with it.
cheers,
- Nir.
On Wed, Jul 4, 2012 at 5:40 PM, Michael Hale Ligh <michael.hale(a)gmail.com>wrote:
Hey Jesse,
Coincidentally there was a code submission today that adds a vmss/vmsn
address space layer to volatility. If you have cycles to test with
your vmss, perhaps you could post some feedback on the issue?
https://code.google.com/p/volatility/issues/detail?id=288
If nothing else, this probably confirms that vmss are a slightly
different format than raw/vmem, thus your experiences with them in the
past is likely not specific to Server2008, its just a format thing
like AW suspected. But just to corroborate, can I ask a few questions:
* Have you tried analyzing a vmss from profiles other than Server2008?
If so, did any of the non-scanning plugins work?
* Have you tried acquiring memory from Server2008 using a method other
than suspending and copying out the vmss?
Thanks!
MHL
On Mon, Jul 2, 2012 at 1:44 PM, Jesse Bowling <jessebowling(a)gmail.com>
wrote:
VMWare
image,
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Hi AAron,
On Mon, Jul 2, 2012 at 1:02 PM, AAron Walters <awalters(a)4tphi.net>
wrote:
1) Hardware Architecture (x86, x64)
x86_64
2) File Format (raw, dmp, etc)
3) How the sample was collected?
This was a VMWare 4.1 virtual machine that was paused, and the vmss file
copied out.
Much later I head referenced that pausing the virtual machine actually
causes a lot of information to be removed from memory due to the way prepares the OS to pause... :( (Can you or anyone
speak to the
truth-iness
of this?)
This line produces output:
vol.py --profile=Win2008R2SP1x64 --dtb=0x187000 -f myimage.vmss psscan
While others like pslist or imageinfo fail to produce output at all, and
appear to hang (or at least, run longer than my patience, several hours
at
one point):
# vol.py --profile=Win2008R2SP1x64 --dtb=0x187000 --verbose -d -f
myimage.vmss pslist
Volatile Systems Volatility Framework 2.1_alpha
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from
Win7SP01x64Syscalls
DEBUG : volatility.obj : Applying modification from Win7x64Tcpip
DEBUG : volatility.obj : Applying modification from
WinSyscallsAttribute
DEBUG : volatility.obj : Applying modification from WindowsVTypes
DEBUG : volatility.obj : Applying modification from
HiberWin7SP01x64
DEBUG : volatility.obj : Applying
modification from
Win64SyscallVTypes
DEBUG : volatility.obj : Applying modification from WindowsOverlay
DEBUG : volatility.obj : Applying modification from
EThreadCreateTime
DEBUG : volatility.obj : Applying
modification from MalwarePspCid
DEBUG : volatility.obj : Applying modification from
UserAssistVTypes
DEBUG : volatility.obj : Applying
modification from VistaWin7KPCR
DEBUG : volatility.obj : Applying modification from Win7x64Hiber
DEBUG : volatility.obj : Applying modification from
WinPEObjectClasses
DEBUG : volatility.obj : Applying modification from WinPEVTypes
DEBUG : volatility.obj : Applying modification from
WindowsObjectClasses
DEBUG : volatility.obj : Applying modification from
CmdHistoryObjectClasses
DEBUG : volatility.obj : Applying modification from
CmdHistoryVTypesWin7x64
DEBUG : volatility.obj : Applying modification from ExFastRefx64
DEBUG : volatility.obj : Applying modification from MalwareDrivers
DEBUG : volatility.obj : Applying modification from
MalwareObjectClasesXP
DEBUG : volatility.obj : Applying modification from
MalwareSvcRecent
DEBUG : volatility.obj : Applying
modification from
MalwareSvcRecentVTypesx64
DEBUG : volatility.obj : Applying modification from
UserAssistWin7VTypes
DEBUG : volatility.obj : Applying modification from Win2003MMVad
DEBUG : volatility.obj : Applying modification from Win7KDBG
DEBUG : volatility.obj : Applying modification from
Win7ObjectClasses
DEBUG : volatility.obj : Applying
modification from WinPEx64VTypes
DEBUG : volatility.obj : Applying modification from
Windows64Overlay
DEBUG : volatility.obj : Applying
modification from VistaMMVAD
DEBUG : volatility.obj : Applying modification from Win7x64DTB
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0x37dfa10>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at
0x3d86710>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
Offset(V) Name PID PPID Thds Hnds Time
---------- -------------------- ------ ------ ------ ------
-------------------
<here I hit Ctrl-C>
>
> When the scan plugins are successful and the rest fail, it is generally
a
format
issue.
Thanks,
AW
I'm happy to try any advice to get this working; although this is an old
case, I'm sure I'll have more like this and would love to be able to
properly collect and analyze 2008R2 from a VMWare instance...All advice
welcome. :)
Cheers,
Jesse
PS. I still owe you a call ;(.
...Anytime. Once this damnable lack of power passes, I'd even offer to
exchange the call for beer-while-I-pick-your-brain. :)
>
>
> On Mon, 2 Jul 2012, Jesse Bowling wrote:
>
>> Perhaps it's an issue of plugins...I've only worked with a 2008R2 >> but found than many of the plugins failed
to work properly. Some would
(I
>> believe it was the '*scan' ones),
but many did not. I would be
interested
> in
any tips or tricks for analyzing such images as well...
>
> Cheers,
>
> Jesse
>
> On Mon, Jul 2, 2012 at 10:31 AM, Michael Hale Ligh
> <michael.hale(a)gmail.com> wrote:
> Do you have a specific issue with Server 2008 (other than not
> knowing
> it was supported since 2.0)?
>
> On Mon, Jul 2, 2012 at 9:56 AM, Mike Lambert
> <dragonforen(a)hotmail.com> wrote:
> > I know we can't work on Windows Server 2008 with Volatility
> at this time.
> > What products are capable of examining Windows Server 2008?
> >
> > Thanks,
> > Mike
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users(a)volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
>
>
> --
> Jesse Bowling
>
>
>
>
--
Jesse Bowling
6:30 p.m.
Nir,
Thanks for the patch and joining the list. We will definitely provide
feedback as we start testing. What versions of ESX did you test with?
How often have you seen instances where a regionsCount is specified?
Jesse,
Have you tried Nir's address space with your sample?
Thanks,
AW
On Wed, 4 Jul 2012, nir izraeli wrote:
Hi,I'm the writer of the VMSS file format.
I joined the mailing list since this conversation was posted there, hopefully I
could shad some light over the issue.
as far as i can tell installing the VMSS address space plugin should solve this
issue.
the VMSS format is a hybrid of text and binary encoding, but most of the memory
indeed remains intact (there's an option to compress/encrypt but i have never
seen it used)
the format holds memory regions raw, so it's pretty easy to extract them
directly from the file.
from the tests I've made(a bulk of vmss files from different ESXi/workstation
installations), if there's no *.vmem attached to the image the memory is
probably embedded inside the VMSS/VMSN files and should be available using my
code.
if this isn't the case I'd love to get the VMSS file (if possible) and check
what's wrong with it.
cheers,
- Nir.
On Wed, Jul 4, 2012 at 5:40 PM, Michael Hale Ligh <michael.hale(a)gmail.com>
wrote:
Hey Jesse,
Coincidentally there was a code submission today that adds a
vmss/vmsn
address space layer to volatility. If you have cycles to test with
your vmss, perhaps you could post some feedback on the issue?
https://code.google.com/p/volatility/issues/detail?id=288
If nothing else, this probably confirms that vmss are a slightly
different format than raw/vmem, thus your experiences with them in
the
past is likely not specific to Server2008, its just a format thing
like AW suspected. But just to corroborate, can I ask a few
questions:
* Have you tried analyzing a vmss from profiles other than
Server2008?
If so, did any of the non-scanning plugins work?
* Have you tried acquiring memory from Server2008 using a method
other
than suspending and copying out the vmss?
Thanks!
MHL
On Mon, Jul 2, 2012 at 1:44 PM, Jesse Bowling
<jessebowling(a)gmail.com> wrote:
vmss file
an
old
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Hi AAron,
On Mon, Jul 2, 2012 at 1:02 PM, AAron Walters
<awalters(a)4tphi.net>
wrote:
1) Hardware Architecture (x86, x64)
x86_64
2) File Format (raw, dmp, etc)
3) How the sample was collected?
This was a VMWare 4.1 virtual machine that was paused, and the copied out.
Much later I head referenced that pausing the virtual machine
actually
causes a lot of information to be removed from
memory due to the
way VMWare
prepares the OS to pause... :( (Can you or anyone
speak to the
truth-iness
of this?)
This line produces output:
vol.py --profile=Win2008R2SP1x64 --dtb=0x187000 -f myimage.vmss
psscan
While others like pslist or imageinfo fail to produce output at
all, and
appear to hang (or at least, run longer than my
patience, several
hours at
one point):
# vol.py --profile=Win2008R2SP1x64 --dtb=0x187000 --verbose -d -f
myimage.vmss pslist
Volatile Systems Volatility Framework 2.1_alpha
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG : volatility.obj : Applying modification from
BasicObjectClasses
DEBUG : volatility.obj : Applying modification from
Win7SP01x64Syscalls
DEBUG : volatility.obj : Applying modification from
Win7x64Tcpip
DEBUG : volatility.obj : Applying
modification from
WinSyscallsAttribute
DEBUG : volatility.obj : Applying modification from
WindowsVTypes
DEBUG : volatility.obj : Applying
modification from
HiberWin7SP01x64
DEBUG : volatility.obj : Applying
modification from
> Win64SyscallVTypes
DEBUG : volatility.obj : Applying
modification from
WindowsOverlay
DEBUG : volatility.obj : Applying
modification from
EThreadCreateTime
DEBUG : volatility.obj : Applying
modification from
MalwarePspCid
DEBUG : volatility.obj : Applying
modification from
UserAssistVTypes
DEBUG : volatility.obj : Applying
modification from
VistaWin7KPCR
DEBUG : volatility.obj : Applying
modification from
Win7x64Hiber
DEBUG : volatility.obj : Applying
modification from
> WinPEObjectClasses
DEBUG : volatility.obj : Applying
modification from
WinPEVTypes
DEBUG : volatility.obj : Applying
modification from
> WindowsObjectClasses
DEBUG : volatility.obj : Applying
modification from
> CmdHistoryObjectClasses
DEBUG : volatility.obj : Applying
modification from
> CmdHistoryVTypesWin7x64
DEBUG : volatility.obj : Applying
modification from
ExFastRefx64
DEBUG : volatility.obj : Applying
modification from
MalwareDrivers
DEBUG : volatility.obj : Applying
modification from
> MalwareObjectClasesXP
DEBUG : volatility.obj : Applying
modification from
MalwareSvcRecent
DEBUG : volatility.obj : Applying
modification from
> MalwareSvcRecentVTypesx64
DEBUG : volatility.obj : Applying
modification from
> UserAssistWin7VTypes
DEBUG : volatility.obj : Applying
modification from
Win2003MMVad
DEBUG : volatility.obj : Applying
modification from
Win7KDBG
DEBUG : volatility.obj : Applying
modification from
Win7ObjectClasses
DEBUG : volatility.obj : Applying
modification from
WinPEx64VTypes
DEBUG : volatility.obj : Applying
modification from
Windows64Overlay
DEBUG : volatility.obj : Applying
modification from
VistaMMVAD
DEBUG : volatility.obj : Applying
modification from
Win7x64DTB
DEBUG : volatility.utils : Succeeded
instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object
at
0x37dfa10>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at
0x3d86710>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
Offset(V) Name PID PPID Thds Hnds Time
---------- -------------------- ------ ------ ------ ------
-------------------
<here I hit Ctrl-C>
>
> When the scan plugins are successful and the rest fail, it is
generally
a
format
issue.
Thanks,
AW
I'm happy to try any advice to get this working; although this is case, I'm sure I'll have more like this
and would love to be able
to
properly collect and analyze 2008R2 from a VMWare
instance...All
advice
welcome. :)
Cheers,
Jesse
offer to
PS. I still owe you a call ;(.
...Anytime. Once this damnable lack of power passes, I'd even exchange the call for
beer-while-I-pick-your-brain. :)
>
>
> On Mon, 2 Jul 2012, Jesse Bowling wrote:
>
>> Perhaps it's an issue of plugins...I've only worked with a
2008R2 image,
>> but found than many of the plugins failed
to work properly.
Some would (I
>> believe it was the '*scan' ones),
but many did not. I would be
interested
>> in any tips or tricks for analyzing such
images as well...
>>
>> Cheers,
>>
>> Jesse
>>
>> On Mon, Jul 2, 2012 at 10:31 AM, Michael Hale Ligh
>> <michael.hale(a)gmail.com> wrote:
>> Do you have a specific issue with Server 2008 (other than
not
>> knowing
>> it was supported since 2.0)?
>>
>> On Mon, Jul 2, 2012 at 9:56 AM, Mike Lambert
>> <dragonforen(a)hotmail.com> wrote:
>> > I know we can't work on Windows Server 2008 with
Volatility
>> at this time.
>> > What products are capable of examining Windows Server
2008?
>
>
> > Thanks,
> > Mike
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users(a)volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
>
>
> --
> Jesse Bowling
>
>
>
>
--
Jesse Bowling
6:32 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hiya,
Just to weigh in on this, I haven't been able to create an image where
a .vmem file isn't created alongside the .vmss file. Do you know
under what conditions memory is stored directly within the .vmss file?
Mike 5:)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
iEYEARECAAYFAk/2FewACgkQu7rWomwgFXringCgqw0pf559GdpJwL5lr0mw3s4Z
KJMAn3UiCFbXR9AonBbhVw81hrYIRerZ
=BBSN
-----END PGP SIGNATURE-----
7:32 p.m.
Ikelos,
This typically happens with ESX or ESXi, if a vm as been suspended (vmss)
or a snapshot (vmsn) has been taken.
Thanks,
AW
On Thu, 5 Jul 2012, Mike Auty wrote:
Hiya,
Just to weigh in on this, I haven't been able to create an image where
a .vmem file isn't created alongside the .vmss file. Do you know
under what conditions memory is stored directly within the .vmss file?
Mike 5:)
7:49 p.m.
Hi guys!
most of the work i've done is using ESXi IIRC.
I could check exactly when I get back to work but unfortunately it wont be
until Sunday.
I also saw it happen using VMware Workstation 8 (and there's also a tool
attached that converts vmss to vmem files starting at that version. that
was up until now the only way i knew of to read memory out of vmss/n files)
so I guess ESX versions close to or above the VMWare 8 release date(which
is, I guess, relatively new).
i could also try it on a vmware workstation 8 when i get to work, if we
won't figure it out by then.
While searching for the vmss thingy I think I noticed VMware saying it's
the new format they're going to use from now on (tho they could change
their mind).
AAron - actually it was quite rare, but the first vmss I used to test the
patch had two or three, which made my patch break when i first tested it on
other VMs.
I could try to pinpoint it, but i guess it would be easier for me to
reverse the vmware code than try it manually :)
A thing to note is that that vmss also had two virtual CPUs, which might
have caused having more than one region. it also had ~4G of RAM. most of
the other VMs i used only had about 512M.
did you try to run it on other vmss files that resemble the one i described?
i used to have a contact at vmware a while back, but i don't think it would
be legit to ask him.
maybe we could post at the vmware support site? any of you ever done that?
are they responsive to this kind of questions?
- Nir
On Fri, Jul 6, 2012 at 2:32 AM, AAron Walters <awalters(a)4tphi.net> wrote:
Ikelos,
This typically happens with ESX or ESXi, if a vm as been suspended (vmss)
or a snapshot (vmsn) has been taken.
Thanks,
AW
On Thu, 5 Jul 2012, Mike Auty wrote:
Hiya,
>
> Just to weigh in on this, I haven't been able to create an image where
> a .vmem file isn't created alongside the .vmss file. Do you know
> under what conditions memory is stored directly within the .vmss file?
>
> Mike 5:)
>
>
10:31 p.m.
Nir,
AAron - actually it was quite rare, but the first vmss
I used to test the patch
had two or three, which made my patch break when i first tested it on other
VMs.
I could try to pinpoint it, but i guess it would be easier for me to reverse
the vmware code than try it manually :)
A thing to note is that that vmss also had two virtual CPUs, which might have
caused having more than one region. it also had ~4G of RAM. most of the other
VMs i used only had about 512M.
did you try to run it on other vmss files that resemble the one i described?
Interesting. I have never seen a vmss with multiple regions. If you
happen to come across one again, please let me know. I'd be interested in
what conditions or what product leads to more than one region.
Thanks,
AW
7:21 a.m.
I assume you need it for something other than test my patch,
I can send parts of the vmss of the machine I already noticed more than one
region.
could you use that to gather the info you need?
btw, I'm also using vmware converter standalone pretty often, it might also
be related
On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net> wrote:
Nir,
AAron - actually it was quite rare, but the first vmss I used to test the
patch
had two or three, which made my patch break when i first tested it on
other
VMs.
I could try to pinpoint it, but i guess it would be easier for me to
reverse
the vmware code than try it manually :)
A thing to note is that that vmss also had two virtual CPUs, which might
have
caused having more than one region. it also had ~4G of RAM. most of the
other
VMs i used only had about 512M.
did you try to run it on other vmss files that resemble the one i
described?
Interesting. I have never seen a vmss with multiple regions. If you
happen to come across one again, please let me know. I'd be interested in
what conditions or what product leads to more than one region.
Thanks,
AW
10:03 a.m.
Disclaimer:
So I took Nir's files, and dropped them into my plugins folder...I did not
see any new plugins using vol.py -h, and when I tried to do an imageinfo I
got:
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss imageinfo
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 34, in render_text
for k, v in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 44, in calculate
suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 119, in calculate
for offset in scanner.scan(aspace):
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 83, in scan
for offset in scan.BaseScanner.scan(self, address_space, offset,
maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line 136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
So:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time
created Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
WindowsHiberFileSpace32: No xpress signature found
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
At least it doesn't crash. So now:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time
created Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line 218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line 136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time
created Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line 218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line 136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
I have limited testing time the next couple weeks, so will look to see if I
can share this with someone like SA in the meantime...
Cheers,
Jesse
On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
I assume you need it for something other than test my
patch,
I can send parts of the vmss of the machine I already noticed more than
one region.
could you use that to gather the info you need?
btw, I'm also using vmware converter standalone pretty often, it might
also be related
On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net> wrote:
--
Jesse Bowling
Nir,
AAron - actually it was quite rare, but the first vmss I used to test
the patch
had two or three, which made my patch break when i first tested it on
other
VMs.
I could try to pinpoint it, but i guess it would be easier for me to
reverse
the vmware code than try it manually :)
A thing to note is that that vmss also had two virtual CPUs, which might
have
caused having more than one region. it also had ~4G of RAM. most of the
other
VMs i used only had about 512M.
did you try to run it on other vmss files that resemble the one i
described?
Interesting. I have never seen a vmss with multiple regions. If you
happen to come across one again, please let me know. I'd be interested in
what conditions or what product leads to more than one region.
Thanks,
AW
10:29 a.m.
Try to place them in volatility/plugins/addrspaces/ instead and then
do a `make clean` before running
On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
Disclaimer:
So I took Nir's files, and dropped them into my plugins folder...I did not
see any new plugins using vol.py -h, and when I tried to do an imageinfo I
got:
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss imageinfo
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 34, in render_text
for k, v in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 44, in calculate
suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 119, in calculate
for offset in scanner.scan(aspace):
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 83, in scan
for offset in scan.BaseScanner.scan(self, address_space, offset,
maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
So:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
WindowsHiberFileSpace32: No xpress signature found
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
At least it doesn't crash. So now:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
I have limited testing time the next couple weeks, so will look to see if I
can share this with someone like SA in the meantime...
Cheers,
Jesse
On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
I assume you need it for something other than test my patch,
I can send parts of the vmss of the machine I already noticed more than
one region.
could you use that to gather the info you need?
btw, I'm also using vmware converter standalone pretty often, it might
also be related
On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net> wrote:
--
Jesse Bowling
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Nir,
AAron - actually it was quite rare, but the first
vmss I used to test
the patch
had two or three, which made my patch break when i first tested it on
other
VMs.
I could try to pinpoint it, but i guess it would be easier for me to
reverse
the vmware code than try it manually :)
A thing to note is that that vmss also had two virtual CPUs, which might
have
caused having more than one region. it also had ~4G of RAM. most of the
other
VMs i used only had about 512M.
did you try to run it on other vmss files that resemble the one i
described?
Interesting. I have never seen a vmss with multiple regions. If you
happen to come across one again, please let me know. I'd be interested in
what conditions or what product leads to more than one region.
Thanks,
AW
10:33 a.m.
Hi Jesse,
from the second output log you posted I see your vmss file doesnt look like
a vmss file. or at least, my script doesn't recognize the header signature,
the valid header signatures were taken from vmware's own tools, so
I honestly can't see how you've got a mismatch in the signature.
could you share the vmss file or upload it somewhere?
if you can't share the entire file, could you at least post the first ~1K
of it? i might be able to work with only the portion to understand the
problem...
I did not test it on linux which might be related to the problem.
Thanks for the feedback!
On Fri, Jul 6, 2012 at 5:29 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
Try to place them in volatility/plugins/addrspaces/
instead and then
do a `make clean` before running
On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling(a)gmail.com>
wrote:
--
Jesse Bowling
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
Disclaimer:
So I took Nir's files, and dropped them into my plugins folder...I did
not
see any new plugins using vol.py -h, and when I
tried to do an imageinfo
I
got:
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
imageinfo
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 34, in render_text
for k, v in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 44, in calculate
suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 119, in calculate
for offset in scanner.scan(aspace):
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 83, in scan
for offset in scan.BaseScanner.scan(self, address_space, offset,
maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
So:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
WindowsHiberFileSpace32: No xpress signature found
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
At least it doesn't crash. So now:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
I have limited testing time the next couple weeks, so will look to see
if I
can share this with someone like SA in the
meantime...
Cheers,
Jesse
On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
>
> I assume you need it for something other than test my patch,
> I can send parts of the vmss of the machine I already noticed more than
> one region.
> could you use that to gather the info you need?
>
> btw, I'm also using vmware converter standalone pretty often, it might
> also be related
>
>
> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net>
wrote:
>>
>>
>> Nir,
>>
>>
>>> AAron - actually it was quite rare, but the first vmss I used to test
>>> the patch
>>> had two or three, which made my patch break when i first tested it on
>>> other
>>> VMs.
>>> I could try to pinpoint it, but i guess it would be easier for me to
>>> reverse
>>> the vmware code than try it manually :)
>>> A thing to note is that that vmss also had two virtual CPUs, which
might
>>> have
>>> caused having more than one region. it also had ~4G of RAM. most of
the
>>> other
>>> VMs i used only had about 512M.
>>> did you try to run it on other vmss files that resemble the one i
>>> described?
>>
>>
>> Interesting. I have never seen a vmss with multiple regions. If you
>> happen to come across one again, please let me know. I'd be interested
in
what conditions or what product leads to more than one
region.
Thanks,
AW
10:50 a.m.
Seems better:
root@Forensic-1:/case2/4132012/biweb/mem#
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time
created Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
...
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
...
On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
Try to place them in volatility/plugins/addrspaces/
instead and then
do a `make clean` before running
On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling(a)gmail.com>
wrote:
--
Jesse Bowling
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
--
Jesse Bowling
Disclaimer:
So I took Nir's files, and dropped them into my plugins folder...I did
not
see any new plugins using vol.py -h, and when I
tried to do an imageinfo
I
got:
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
imageinfo
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 34, in render_text
for k, v in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 44, in calculate
suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 119, in calculate
for offset in scanner.scan(aspace):
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 83, in scan
for offset in scan.BaseScanner.scan(self, address_space, offset,
maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
So:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
WindowsHiberFileSpace32: No xpress signature found
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
At least it doesn't crash. So now:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
I have limited testing time the next couple weeks, so will look to see
if I
can share this with someone like SA in the
meantime...
Cheers,
Jesse
On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
>
> I assume you need it for something other than test my patch,
> I can send parts of the vmss of the machine I already noticed more than
> one region.
> could you use that to gather the info you need?
>
> btw, I'm also using vmware converter standalone pretty often, it might
> also be related
>
>
> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net>
wrote:
>>
>>
>> Nir,
>>
>>
>>> AAron - actually it was quite rare, but the first vmss I used to test
>>> the patch
>>> had two or three, which made my patch break when i first tested it on
>>> other
>>> VMs.
>>> I could try to pinpoint it, but i guess it would be easier for me to
>>> reverse
>>> the vmware code than try it manually :)
>>> A thing to note is that that vmss also had two virtual CPUs, which
might
>>> have
>>> caused having more than one region. it also had ~4G of RAM. most of
the
>>> other
>>> VMs i used only had about 512M.
>>> did you try to run it on other vmss files that resemble the one i
>>> described?
>>
>>
>> Interesting. I have never seen a vmss with multiple regions. If you
>> happen to come across one again, please let me know. I'd be interested
in
what conditions or what product leads to more than one
region.
Thanks,
AW
10:52 a.m.
Ah, actually I see that that is no better... :(
First 1024:
# dd if=myimage.vmss bs=1 count=1024 | xxd
1024+0 records in
1024+0 records out
1024 bytes (1.0 kB) copied, 0.00110567 s, 926 kB/s
0000000: d2be d2be 0800 0000 5b00 0000 4368 6563 ........[...Chec
0000010: 6b70 6f69 6e74 0000 0000 0000 0000 0000 kpoint..........
0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000040: 0000 0000 0000 0000 0000 0000 7c1c 0000 ............|...
0000050: 0000 0000 ab03 0000 0000 0000 6370 7500 ............cpu.
0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000090: 0000 0000 0000 0000 0000 0000 2720 0000 ............' ..
00000a0: 0000 0000 cce1 0300 0000 0000 4275 734d ............BusM
00000b0: 656d 5361 6d70 6c65 0000 0000 0000 0000 emSample........
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000e0: 0000 0000 0000 0000 0000 0000 f301 0400 ................
00000f0: 0000 0000 4f00 0000 0000 0000 4275 734d ....O.......BusM
0000100: 656d 5365 7276 6963 6573 0000 0000 0000 emServices......
0000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000130: 0000 0000 0000 0000 0000 0000 4202 0400 ............B...
0000140: 0000 0000 1200 0000 0000 0000 5555 4944 ............UUID
0000150: 564d 5800 0000 0000 0000 0000 0000 0000 VMX.............
0000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000180: 0000 0000 0000 0000 0000 0000 5402 0400 ............T...
0000190: 0000 0000 2e00 0000 0000 0000 5374 6174 ............Stat
00001a0: 654c 6f67 6765 7200 0000 0000 0000 0000 eLogger.........
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001d0: 0000 0000 0000 0000 0000 0000 8202 0400 ................
00001e0: 0000 0000 0200 0000 0000 0000 6d65 6d6f ............memo
00001f0: 7279 0000 0000 0000 0000 0000 0000 0000 ry..............
0000200: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000210: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000220: 0000 0000 0000 0000 0000 0000 8402 0400 ................
0000230: 0000 0000 7efd 0000 0100 0000 4d53 7461 ....~.......MSta
0000240: 7473 0000 0000 0000 0000 0000 0000 0000 ts..............
0000250: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000270: 0000 0000 0000 0000 0000 0000 0200 0500 ................
0000280: 0100 0000 3619 0000 0000 0000 536e 6170 ....6.......Snap
0000290: 7368 6f74 0000 0000 0000 0000 0000 0000 shot............
00002a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00002c0: 0000 0000 0000 0000 0000 0000 3819 0500 ............8...
00002d0: 0100 0000 a971 0000 0000 0000 7069 6300 .....q......pic.
00002e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00002f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000300: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000310: 0000 0000 0000 0000 0000 0000 e18a 0500 ................
0000320: 0100 0000 0e07 0000 0000 0000 5469 6d65 ............Time
0000330: 5472 6163 6b65 7200 0000 0000 0000 0000 Tracker.........
0000340: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000350: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000360: 0000 0000 0000 0000 0000 0000 ef91 0500 ................
0000370: 0100 0000 9900 0000 0000 0000 466c 6f70 ............Flop
0000380: 7079 0000 0000 0000 0000 0000 0000 0000 py..............
0000390: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00003a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00003b0: 0000 0000 0000 0000 0000 0000 8892 0500 ................
00003c0: 0100 0000 8c91 0000 0000 0000 4775 6573 ............Gues
00003d0: 744d 7367 0000 0000 0000 0000 0000 0000 tMsg............
00003e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00003f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
On Fri, Jul 6, 2012 at 10:50 AM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
Seems better:
root@Forensic-1:/case2/4132012/biweb/mem#
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time
created Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
...
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
...
On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
--
Jesse Bowling
Try to place them in
volatility/plugins/addrspaces/ instead and then
do a `make clean` before running
On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling(a)gmail.com>
wrote:
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
--
Jesse Bowling
Disclaimer:
So I took Nir's files, and dropped them into my plugins folder...I did
not
see any new plugins using vol.py -h, and when I
tried to do an
imageinfo I
got:
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
imageinfo
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 34, in render_text
for k, v in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 44, in calculate
suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 119, in calculate
for offset in scanner.scan(aspace):
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 83, in scan
for offset in scan.BaseScanner.scan(self, address_space, offset,
maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
So:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
WindowsHiberFileSpace32: No xpress signature found
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
At least it doesn't crash. So now:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
I have limited testing time the next couple weeks, so will look to see
if I
can share this with someone like SA in the
meantime...
Cheers,
Jesse
On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
>
> I assume you need it for something other than test my patch,
> I can send parts of the vmss of the machine I already noticed more than
> one region.
> could you use that to gather the info you need?
>
> btw, I'm also using vmware converter standalone pretty often, it might
> also be related
>
>
> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net>
wrote:
>>
>>
>> Nir,
>>
>>
>>> AAron - actually it was quite rare, but the first vmss I used to test
>>> the patch
>>> had two or three, which made my patch break when i first tested it on
>>> other
>>> VMs.
>>> I could try to pinpoint it, but i guess it would be easier for me to
>>> reverse
>>> the vmware code than try it manually :)
>>> A thing to note is that that vmss also had two virtual CPUs, which
might
>>> have
>>> caused having more than one region. it also had ~4G of RAM. most of
the
>>> other
>>> VMs i used only had about 512M.
>>> did you try to run it on other vmss files that resemble the one i
>>> described?
>>
>>
>> Interesting. I have never seen a vmss with multiple regions. If you
>> happen to come across one again, please let me know. I'd be
interested
in
> what
conditions or what product leads to more than one region.
>
> Thanks,
>
> AW
--
Jesse Bowling
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
10:56 a.m.
Looks like a legit vmss file...
its actually the usual version i've seen while testing...
i'll do some more checks and let you know...
On Fri, Jul 6, 2012 at 5:52 PM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
Ah, actually I see that that is no better... :(
First 1024:
# dd if=myimage.vmss bs=1 count=1024 | xxd
1024+0 records in
1024+0 records out
1024 bytes (1.0 kB) copied, 0.00110567 s, 926 kB/s
0000000: d2be d2be 0800 0000 5b00 0000 4368 6563 ........[...Chec
0000010: 6b70 6f69 6e74 0000 0000 0000 0000 0000 kpoint..........
0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000040: 0000 0000 0000 0000 0000 0000 7c1c 0000 ............|...
0000050: 0000 0000 ab03 0000 0000 0000 6370 7500 ............cpu.
0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000090: 0000 0000 0000 0000 0000 0000 2720 0000 ............' ..
00000a0: 0000 0000 cce1 0300 0000 0000 4275 734d ............BusM
00000b0: 656d 5361 6d70 6c65 0000 0000 0000 0000 emSample........
00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000e0: 0000 0000 0000 0000 0000 0000 f301 0400 ................
00000f0: 0000 0000 4f00 0000 0000 0000 4275 734d ....O.......BusM
0000100: 656d 5365 7276 6963 6573 0000 0000 0000 emServices......
0000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000130: 0000 0000 0000 0000 0000 0000 4202 0400 ............B...
0000140: 0000 0000 1200 0000 0000 0000 5555 4944 ............UUID
0000150: 564d 5800 0000 0000 0000 0000 0000 0000 VMX.............
0000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000180: 0000 0000 0000 0000 0000 0000 5402 0400 ............T...
0000190: 0000 0000 2e00 0000 0000 0000 5374 6174 ............Stat
00001a0: 654c 6f67 6765 7200 0000 0000 0000 0000 eLogger.........
00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00001d0: 0000 0000 0000 0000 0000 0000 8202 0400 ................
00001e0: 0000 0000 0200 0000 0000 0000 6d65 6d6f ............memo
00001f0: 7279 0000 0000 0000 0000 0000 0000 0000 ry..............
0000200: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000210: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000220: 0000 0000 0000 0000 0000 0000 8402 0400 ................
0000230: 0000 0000 7efd 0000 0100 0000 4d53 7461 ....~.......MSta
0000240: 7473 0000 0000 0000 0000 0000 0000 0000 ts..............
0000250: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000270: 0000 0000 0000 0000 0000 0000 0200 0500 ................
0000280: 0100 0000 3619 0000 0000 0000 536e 6170 ....6.......Snap
0000290: 7368 6f74 0000 0000 0000 0000 0000 0000 shot............
00002a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00002c0: 0000 0000 0000 0000 0000 0000 3819 0500 ............8...
00002d0: 0100 0000 a971 0000 0000 0000 7069 6300 .....q......pic.
00002e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00002f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000300: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000310: 0000 0000 0000 0000 0000 0000 e18a 0500 ................
0000320: 0100 0000 0e07 0000 0000 0000 5469 6d65 ............Time
0000330: 5472 6163 6b65 7200 0000 0000 0000 0000 Tracker.........
0000340: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000350: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0000360: 0000 0000 0000 0000 0000 0000 ef91 0500 ................
0000370: 0100 0000 9900 0000 0000 0000 466c 6f70 ............Flop
0000380: 7079 0000 0000 0000 0000 0000 0000 0000 py..............
0000390: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00003a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00003b0: 0000 0000 0000 0000 0000 0000 8892 0500 ................
00003c0: 0100 0000 8c91 0000 0000 0000 4775 6573 ............Gues
00003d0: 744d 7367 0000 0000 0000 0000 0000 0000 tMsg............
00003e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00003f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
On Fri, Jul 6, 2012 at 10:50 AM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
Seems better:
root@Forensic-1:/case2/4132012/biweb/mem#
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time
created Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
...
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
...
On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
--
Jesse Bowling
Try to place them in
volatility/plugins/addrspaces/ instead and then
do a `make clean` before running
On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling(a)gmail.com>
wrote:
--
Jesse Bowling
Disclaimer:
So I took Nir's files, and dropped them into my plugins folder...I did
not
see any new plugins using vol.py -h, and when I
tried to do an
imageinfo I
got:
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
imageinfo
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173,
in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164,
in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 34, in render_text
for k, v in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 44, in calculate
suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 119, in calculate
for offset in scanner.scan(aspace):
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 83, in scan
for offset in scan.BaseScanner.scan(self, address_space, offset,
maxlen):
File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
So:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
WindowsHiberFileSpace32: No xpress signature found
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
At least it doesn't crash. So now:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173,
in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164,
in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173,
in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164,
in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
I have limited testing time the next couple weeks, so will look to see
if I
can share this with someone like SA in the
meantime...
Cheers,
Jesse
On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
>
> I assume you need it for something other than test my patch,
> I can send parts of the vmss of the machine I already noticed more
than
> one region.
> could you use that to gather the info you need?
>
> btw, I'm also using vmware converter standalone pretty often, it might
> also be related
>
>
> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net>
wrote:
>>
>>
>> Nir,
>>
>>
>>> AAron - actually it was quite rare, but the first vmss I used to
test
>>> the patch
>>> had two or three, which made my patch break when i first tested it
on
>>> other
>>> VMs.
>>> I could try to pinpoint it, but i guess it would be easier for me to
>>> reverse
>>> the vmware code than try it manually :)
>>> A thing to note is that that vmss also had two virtual CPUs, which
might
>>> have
>>> caused having more than one region. it also had ~4G of RAM. most of
the
>>> other
>>> VMs i used only had about 512M.
>>> did you try to run it on other vmss files that resemble the one i
>>> described?
>>
>>
>> Interesting. I have never seen a vmss with multiple regions. If you
>> happen to come across one again, please let me know. I'd be
interested
in
>> what conditions or what product leads to
more than one region.
>>
>> Thanks,
>>
>> AW
>
>
--
Jesse Bowling
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
10:56 a.m.
Trying imageinfo with a debug flag ends like this:
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0xb3752d0 DEBUG :
volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile' DEBUG : volatility.plugins.addrspaces.vmware:
Read region count from
file: 2
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 2
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: C0000000
Virtual Address: 100000000, Physical Address: C0000000, Size: 40000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 187000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0xb3754d0 DEBUG :
volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.standard.FileAddressSpace' --Return--
/usr/local/src/volatility-read-only-may-01/volatility/debug.py(88)b()->None
-> pdb.set_trace()
(Pdb)
Cheers,
Jesse
On Fri, Jul 6, 2012 at 10:52 AM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
> Ah, actually I see that that is no better... :(
> First 1024:
> # dd if=myimage.vmss bs=1 count=1024 | xxd
> 1024+0 records in
> 1024+0 records out
> 1024 bytes (1.0 kB) copied, 0.00110567 s, 926 kB/s
> 0000000: d2be d2be 0800 0000 5b00 0000 4368 6563 ........[...Chec
> 0000010: 6b70 6f69 6e74 0000 0000 0000 0000 0000 kpoint..........
> 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000040: 0000 0000 0000 0000 0000 0000 7c1c 0000 ............|...
> 0000050: 0000 0000 ab03 0000 0000 0000 6370 7500 ............cpu.
> 0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000090: 0000 0000 0000 0000 0000 0000 2720 0000 ............' ..
> 00000a0: 0000 0000 cce1 0300 0000 0000 4275 734d ............BusM
> 00000b0: 656d 5361 6d70 6c65 0000 0000 0000 0000 emSample........
> 00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00000e0: 0000 0000 0000 0000 0000 0000 f301 0400 ................
> 00000f0: 0000 0000 4f00 0000 0000 0000 4275 734d ....O.......BusM
> 0000100: 656d 5365 7276 6963 6573 0000 0000 0000 emServices......
> 0000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000130: 0000 0000 0000 0000 0000 0000 4202 0400 ............B...
> 0000140: 0000 0000 1200 0000 0000 0000 5555 4944 ............UUID
> 0000150: 564d 5800 0000 0000 0000 0000 0000 0000 VMX.............
> 0000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000180: 0000 0000 0000 0000 0000 0000 5402 0400 ............T...
> 0000190: 0000 0000 2e00 0000 0000 0000 5374 6174 ............Stat
> 00001a0: 654c 6f67 6765 7200 0000 0000 0000 0000 eLogger.........
> 00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00001d0: 0000 0000 0000 0000 0000 0000 8202 0400 ................
> 00001e0: 0000 0000 0200 0000 0000 0000 6d65 6d6f ............memo
> 00001f0: 7279 0000 0000 0000 0000 0000 0000 0000 ry..............
> 0000200: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000210: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000220: 0000 0000 0000 0000 0000 0000 8402 0400 ................
> 0000230: 0000 0000 7efd 0000 0100 0000 4d53 7461 ....~.......MSta
> 0000240: 7473 0000 0000 0000 0000 0000 0000 0000 ts..............
> 0000250: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000270: 0000 0000 0000 0000 0000 0000 0200 0500 ................
> 0000280: 0100 0000 3619 0000 0000 0000 536e 6170 ....6.......Snap
> 0000290: 7368 6f74 0000 0000 0000 0000 0000 0000 shot............
> 00002a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00002c0: 0000 0000 0000 0000 0000 0000 3819 0500 ............8...
> 00002d0: 0100 0000 a971 0000 0000 0000 7069 6300 .....q......pic.
> 00002e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00002f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000300: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000310: 0000 0000 0000 0000 0000 0000 e18a 0500 ................
> 0000320: 0100 0000 0e07 0000 0000 0000 5469 6d65 ............Time
> 0000330: 5472 6163 6b65 7200 0000 0000 0000 0000 Tracker.........
> 0000340: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000350: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000360: 0000 0000 0000 0000 0000 0000 ef91 0500 ................
> 0000370: 0100 0000 9900 0000 0000 0000 466c 6f70 ............Flop
> 0000380: 7079 0000 0000 0000 0000 0000 0000 0000 py..............
> 0000390: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00003a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00003b0: 0000 0000 0000 0000 0000 0000 8892 0500 ................
> 00003c0: 0100 0000 8c91 0000 0000 0000 4775 6573 ............Gues
> 00003d0: 744d 7367 0000 0000 0000 0000 0000 0000 tMsg............
> 00003e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00003f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> On Fri, Jul 6, 2012 at 10:50 AM, Jesse
Bowling <jessebowling(a)gmail.com>wrote:
>> Seems better:
> >>
root@Forensic-1:/case2/4132012/biweb/mem#
>> /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
> >> Volatile Systems Volatility Framework
2.1_alpha
>> Offset(P) Name PID PPID PDB Time
>> created Time exited
>> ---------- ---------------- ------ ------ ----------
>> ------------------------ ------------------------
>> No suitable address space mapping found
>> Tried to open image as:
>> ...
> >> VMWareSnapshotFile: ('Header
signature invalid', 4026597203)
>> ...
> >
> > >
>> On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy(a)gmail.com>
wrote:
> >>> Try to place them in
volatility/plugins/addrspaces/ instead and then
>>> do a `make clean` before running
>> >> >>
>>> On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling
<jessebowling(a)gmail.com >>> wrote:
>>> > Disclaimer:
>>> >>> > So
I took Nir's files, and dropped them into my plugins folder...I did
>>> not
>>> > see any new plugins using vol.py -h, and when I tried to do an
>>> imageinfo I
>>> > got:
>>> >>> >
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>>> imageinfo
>>> >>> >
Volatile Systems Volatility Framework 2.1_alpha
>>> > Determining profile based on KDBG search...
>>> >>> >
Traceback (most recent call last):
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line 173,
>>> in
>>> > <module >>> >
main()
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line 164,
>>> in
>>> > main
>>> > command.execute()
>>> > File
>>>
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>>> > line 101, in execute
>>> > func(outfd, data)
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>>> > line 34, in render_text
>>> > for k, v in data:
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>>> > line 44, in calculate
>>> > suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>>> > line 119, in calculate
>>> > for offset in scanner.scan(aspace):
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>>> > line 83, in scan
>>> > for offset in scan.BaseScanner.scan(self, address_space, offset,
>>> > maxlen):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 136, in scan
>>> > skip = max(skip, s.skip(data, i))
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>>> > line 49, in skip
>>> > nextval = data.index(self.tag, offset + 1)
>>> > AttributeError: 'NoneType' object has no attribute
'index'
>>> >>> >
So:
>>> >>> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>>> psscan
>>> >>> >
Volatile Systems Volatility Framework 2.1_alpha
>>> > Offset(P) Name PID PPID PDB Time created
>>> > Time exited
>>> > ---------- ---------------- ------ ------ ----------
>>> > ------------------------ ------------------------
>>> > No suitable address space mapping found
>>> > Tried to open image as:
>>> > WindowsHiberFileSpace32: No base Address Space
>>> > VMWareSnapshotFile: No base Address Space
>>> > WindowsCrashDumpSpace32: No base Address Space
>>> > AMD64PagedMemory: No base Address Space
>>> > JKIA32PagedMemory: No base Address Space
>>> > JKIA32PagedMemoryPae: No base Address Space
>>> > IA32PagedMemoryPae: Module disabled
>>> > IA32PagedMemory: Module disabled
>>> > WindowsHiberFileSpace32: No xpress signature found
>>> > WindowsHiberFileSpace32: No xpress signature found
>>> > VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>>> > WindowsCrashDumpSpace32: Header signature invalid
>>> > AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
>>> > JKIA32PagedMemory: Failed valid Address Space check
>>> > JKIA32PagedMemoryPae: Failed valid Address Space check
>>> > IA32PagedMemoryPae: Module disabled
>>> > IA32PagedMemory: Module disabled
>>> > FileAddressSpace: Must be first Address Space
>>> >>> > At
least it doesn't crash. So now:
>>> >>> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>>> > --profile=Win2008R2SP1x64 psscan
>>> >>> >
Volatile Systems Volatility Framework 2.1_alpha
>>> > Offset(P) Name PID PPID PDB Time created
>>> > Time exited
>>> > ---------- ---------------- ------ ------ ----------
>>> > ------------------------ ------------------------
>>> > Traceback (most recent call last):
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line 173,
>>> in
>>> > <module >>> >
main()
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line 164,
>>> in
>>> > main
>>> > command.execute()
>>> > File
>>>
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>>> > line 101, in execute
>>> > func(outfd, data)
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>>> > line 415, in render_text
>>> > for eprocess in data:
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>>> > line 405, in calculate
>>> > for offset in PoolScanProcess().scan(address_space):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 218, in scan
>>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 136, in scan
>>> > skip = max(skip, s.skip(data, i))
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>>> > line 49, in skip
>>> > nextval = data.index(self.tag, offset + 1)
>>> > AttributeError: 'NoneType' object has no attribute
'index'
>>> >>> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>>> > --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
>>> >>> >
Volatile Systems Volatility Framework 2.1_alpha
>>> > Offset(P) Name PID PPID PDB Time created
>>> > Time exited
>>> > ---------- ---------------- ------ ------ ----------
>>> > ------------------------ ------------------------
>>> > Traceback (most recent call last):
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line 173,
>>> in
>>> > <module >>> >
main()
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line 164,
>>> in
>>> > main
>>> > command.execute()
>>> > File
>>>
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>>> > line 101, in execute
>>> > func(outfd, data)
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>>> > line 415, in render_text
>>> > for eprocess in data:
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>>> > line 405, in calculate
>>> > for offset in PoolScanProcess().scan(address_space):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 218, in scan
>>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 136, in scan
>>> > skip = max(skip, s.skip(data, i))
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>>> > line 49, in skip
>>> > nextval = data.index(self.tag, offset + 1)
>>> > AttributeError: 'NoneType' object has no attribute
'index'
>>> >>> > I
have limited testing time the next couple weeks, so will look to see
>>> if I
>>> > can share this with someone like SA in the meantime...
>>> >>> >
Cheers,
>>> >>> >
Jesse
>>> >>> >>> > On Fri, Jul 6, 2012 at 7:21
AM, nir izraeli <nirizr(a)gmail.com> wrote:
>>> > >>> >>
I assume you need it for something other than test my patch,
>>> >> I can send parts of the vmss of the machine I already noticed more
>>> than
>>> >> one region.
>>> >> could you use that to gather the info you need?
>>> > >>> >>
btw, I'm also using vmware converter standalone pretty often, it might
>>> >> also be related
>>> > >>> > >>> >> On Fri, Jul 6, 2012 at
5:31 AM, AAron Walters <awalters(a)4tphi.net
>>> wrote:
>>> >> >>>
>> >>>
>>> Nir,
>>> >> >>>
>> >>>
>>>> AAron - actually it was quite rare, but the first vmss I used to
>>> test
>>> >>>> the patch
>>> >>>> had two or three, which made my patch break when i first
tested it
>>> on
>>> >>>> other
>>> >>>> VMs.
>>> >>>> I could try to pinpoint it, but i guess it would be easier
for me to
>>> >>>> reverse
>>> >>>> the vmware code than try it manually :)
>>> >>>> A thing to note is that that vmss also had two virtual CPUs,
which
>>> might
>>> >>>> have
>>> >>>> caused having more than one region. it also had ~4G of RAM.
most of
>>> the
>>> >>>> other
>>> >>>> VMs i used only had about 512M.
>>> >>>> did you try to run it on other vmss files that resemble the
one i
>>> >>>> described?
>>> >> >>>
>> >>>
>>> Interesting. I have never seen a vmss with multiple regions. If you
>>> >>> happen to come across one again, please let me know. I'd be
>>> interested in
>>> >>> what conditions or what product leads to more than one region.
>>> >> >>>
>>> Thanks,
>>> >> >>>
>>> AW
>>> > >>> > >>>
>>> >>> >>> > --
>>> > Jesse Bowling
>>> >>> >>>
>>> > _______________________________________________
>>> > Vol-users mailing list
>>> > Vol-users(a)volatilityfoundation.org
>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>> >> >>
>> >>> --
>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>> > >
> >> --
>> Jesse Bowling
> >
>
> --
> Jesse Bowling
--
Jesse Bowling
11 a.m.
Jesse what you're showing looks like it should work just fine...
could you run a pslist (not psscan) and provide full output?
btw, AAron is looking for a file like yours (it has two regions instead of
0 which imply only a single region).
can you tell us how you've made the vmware snapshot and which
product/versions you've used to make it?
thanks!
On Fri, Jul 6, 2012 at 5:56 PM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
Trying imageinfo with a debug flag ends like this:
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0xb3752d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: Read region count from
file: 2
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 2
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: C0000000
Virtual Address: 100000000, Physical Address: C0000000, Size: 40000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 187000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0xb3754d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
--Return--
/usr/local/src/volatility-read-only-may-01/volatility/debug.py(88)b()->None
-> pdb.set_trace()
(Pdb)
Cheers,
Jesse
On Fri, Jul 6, 2012 at 10:52 AM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
> Ah, actually I see that that is no better... :(
>
> First 1024:
>
> # dd if=myimage.vmss bs=1 count=1024 | xxd
> 1024+0 records in
> 1024+0 records out
> 1024 bytes (1.0 kB) copied, 0.00110567 s, 926 kB/s
> 0000000: d2be d2be 0800 0000 5b00 0000 4368 6563 ........[...Chec
> 0000010: 6b70 6f69 6e74 0000 0000 0000 0000 0000 kpoint..........
> 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000040: 0000 0000 0000 0000 0000 0000 7c1c 0000 ............|...
> 0000050: 0000 0000 ab03 0000 0000 0000 6370 7500 ............cpu.
> 0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000090: 0000 0000 0000 0000 0000 0000 2720 0000 ............' ..
> 00000a0: 0000 0000 cce1 0300 0000 0000 4275 734d ............BusM
> 00000b0: 656d 5361 6d70 6c65 0000 0000 0000 0000 emSample........
> 00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00000e0: 0000 0000 0000 0000 0000 0000 f301 0400 ................
> 00000f0: 0000 0000 4f00 0000 0000 0000 4275 734d ....O.......BusM
> 0000100: 656d 5365 7276 6963 6573 0000 0000 0000 emServices......
> 0000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000130: 0000 0000 0000 0000 0000 0000 4202 0400 ............B...
> 0000140: 0000 0000 1200 0000 0000 0000 5555 4944 ............UUID
> 0000150: 564d 5800 0000 0000 0000 0000 0000 0000 VMX.............
> 0000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000180: 0000 0000 0000 0000 0000 0000 5402 0400 ............T...
> 0000190: 0000 0000 2e00 0000 0000 0000 5374 6174 ............Stat
> 00001a0: 654c 6f67 6765 7200 0000 0000 0000 0000 eLogger.........
> 00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00001d0: 0000 0000 0000 0000 0000 0000 8202 0400 ................
> 00001e0: 0000 0000 0200 0000 0000 0000 6d65 6d6f ............memo
> 00001f0: 7279 0000 0000 0000 0000 0000 0000 0000 ry..............
> 0000200: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000210: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000220: 0000 0000 0000 0000 0000 0000 8402 0400 ................
> 0000230: 0000 0000 7efd 0000 0100 0000 4d53 7461 ....~.......MSta
> 0000240: 7473 0000 0000 0000 0000 0000 0000 0000 ts..............
> 0000250: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000270: 0000 0000 0000 0000 0000 0000 0200 0500 ................
> 0000280: 0100 0000 3619 0000 0000 0000 536e 6170 ....6.......Snap
> 0000290: 7368 6f74 0000 0000 0000 0000 0000 0000 shot............
> 00002a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00002c0: 0000 0000 0000 0000 0000 0000 3819 0500 ............8...
> 00002d0: 0100 0000 a971 0000 0000 0000 7069 6300 .....q......pic.
> 00002e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00002f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000300: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000310: 0000 0000 0000 0000 0000 0000 e18a 0500 ................
> 0000320: 0100 0000 0e07 0000 0000 0000 5469 6d65 ............Time
> 0000330: 5472 6163 6b65 7200 0000 0000 0000 0000 Tracker.........
> 0000340: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000350: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000360: 0000 0000 0000 0000 0000 0000 ef91 0500 ................
> 0000370: 0100 0000 9900 0000 0000 0000 466c 6f70 ............Flop
> 0000380: 7079 0000 0000 0000 0000 0000 0000 0000 py..............
> 0000390: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00003a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00003b0: 0000 0000 0000 0000 0000 0000 8892 0500 ................
> 00003c0: 0100 0000 8c91 0000 0000 0000 4775 6573 ............Gues
> 00003d0: 744d 7367 0000 0000 0000 0000 0000 0000 tMsg............
> 00003e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00003f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
>
>
>
> On Fri, Jul 6, 2012 at 10:50 AM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
>
>> Seems better:
>>
>> root@Forensic-1:/case2/4132012/biweb/mem#
>> /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
>>
>> Volatile Systems Volatility Framework 2.1_alpha
>> Offset(P) Name PID PPID PDB Time
>> created Time exited
>> ---------- ---------------- ------ ------ ----------
>> ------------------------ ------------------------
>> No suitable address space mapping found
>> Tried to open image as:
>> ...
>>
>> VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>> ...
>>
>>
>>
>>
>>
>> On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy(a)gmail.com>wrote:
>>
>>> Try to place them in volatility/plugins/addrspaces/ instead and then
>>> do a `make clean` before running
>>>
>>>
>>>
>>> On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling
<jessebowling(a)gmail.com>
>>> wrote:
>>> > Disclaimer:
>>> >>> > So I took
Nir's files, and dropped them into my plugins folder...I
>>> did not
>>> > see any new plugins using vol.py -h, and when I tried to do an
>>> imageinfo I
>>> > got:
>>> >>> >
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>>> imageinfo
>>> >>> > Volatile
Systems Volatility Framework 2.1_alpha
>>> > Determining profile based on KDBG search...
>>> >>> > Traceback
(most recent call last):
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line 173,
>>> in
>>> > <module>
>>> > main()
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line 164,
>>> in
>>> > main
>>> > command.execute()
>>> > File
>>>
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>>> > line 101, in execute
>>> > func(outfd, data)
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>>> > line 34, in render_text
>>> > for k, v in data:
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>>> > line 44, in calculate
>>> > suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>>> > line 119, in calculate
>>> > for offset in scanner.scan(aspace):
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>>> > line 83, in scan
>>> > for offset in scan.BaseScanner.scan(self, address_space, offset,
>>> > maxlen):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 136, in scan
>>> > skip = max(skip, s.skip(data, i))
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>>> > line 49, in skip
>>> > nextval = data.index(self.tag, offset + 1)
>>> > AttributeError: 'NoneType' object has no attribute
'index'
>>> >>> > So:
>>> >>> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>>> psscan
>>> >>> > Volatile
Systems Volatility Framework 2.1_alpha
>>> > Offset(P) Name PID PPID PDB Time created
>>> > Time exited
>>> > ---------- ---------------- ------ ------ ----------
>>> > ------------------------ ------------------------
>>> > No suitable address space mapping found
>>> > Tried to open image as:
>>> > WindowsHiberFileSpace32: No base Address Space
>>> > VMWareSnapshotFile: No base Address Space
>>> > WindowsCrashDumpSpace32: No base Address Space
>>> > AMD64PagedMemory: No base Address Space
>>> > JKIA32PagedMemory: No base Address Space
>>> > JKIA32PagedMemoryPae: No base Address Space
>>> > IA32PagedMemoryPae: Module disabled
>>> > IA32PagedMemory: Module disabled
>>> > WindowsHiberFileSpace32: No xpress signature found
>>> > WindowsHiberFileSpace32: No xpress signature found
>>> > VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>>> > WindowsCrashDumpSpace32: Header signature invalid
>>> > AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
>>> > JKIA32PagedMemory: Failed valid Address Space check
>>> > JKIA32PagedMemoryPae: Failed valid Address Space check
>>> > IA32PagedMemoryPae: Module disabled
>>> > IA32PagedMemory: Module disabled
>>> > FileAddressSpace: Must be first Address Space
>>> >>> > At least it
doesn't crash. So now:
>>> >>> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>>> > --profile=Win2008R2SP1x64 psscan
>>> >>> > Volatile
Systems Volatility Framework 2.1_alpha
>>> > Offset(P) Name PID PPID PDB Time created
>>> > Time exited
>>> > ---------- ---------------- ------ ------ ----------
>>> > ------------------------ ------------------------
>>> > Traceback (most recent call last):
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line 173,
>>> in
>>> > <module>
>>> > main()
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line 164,
>>> in
>>> > main
>>> > command.execute()
>>> > File
>>>
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>>> > line 101, in execute
>>> > func(outfd, data)
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>>> > line 415, in render_text
>>> > for eprocess in data:
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>>> > line 405, in calculate
>>> > for offset in PoolScanProcess().scan(address_space):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 218, in scan
>>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 136, in scan
>>> > skip = max(skip, s.skip(data, i))
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>>> > line 49, in skip
>>> > nextval = data.index(self.tag, offset + 1)
>>> > AttributeError: 'NoneType' object has no attribute
'index'
>>> >>> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>>> > --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
>>> >>> > Volatile
Systems Volatility Framework 2.1_alpha
>>> > Offset(P) Name PID PPID PDB Time created
>>> > Time exited
>>> > ---------- ---------------- ------ ------ ----------
>>> > ------------------------ ------------------------
>>> > Traceback (most recent call last):
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line 173,
>>> in
>>> > <module>
>>> > main()
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line 164,
>>> in
>>> > main
>>> > command.execute()
>>> > File
>>>
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>>> > line 101, in execute
>>> > func(outfd, data)
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>>> > line 415, in render_text
>>> > for eprocess in data:
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>>> > line 405, in calculate
>>> > for offset in PoolScanProcess().scan(address_space):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 218, in scan
>>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 136, in scan
>>> > skip = max(skip, s.skip(data, i))
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>>> > line 49, in skip
>>> > nextval = data.index(self.tag, offset + 1)
>>> > AttributeError: 'NoneType' object has no attribute
'index'
>>> >>> > I have
limited testing time the next couple weeks, so will look to
>>> see if I
>>> > can share this with someone like SA in the meantime...
>>> >>> > Cheers,
>>> >>> > Jesse
>>> >>> >>> > On Fri, Jul 6, 2012 at 7:21
AM, nir izraeli <nirizr(a)gmail.com> wrote:
>>> >>
>>> >> I assume you need it for something other than test my patch,
>>> >> I can send parts of the vmss of the machine I already noticed more
>>> than
>>> >> one region.
>>> >> could you use that to gather the info you need?
>>> >>
>>> >> btw, I'm also using vmware converter standalone pretty often,
it
>>> might
>>> >> also be related
>>> >>
>>> >>
>>> >> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters
<awalters(a)4tphi.net>
>>> wrote:
>>> >>>
>>> >>>
>>> >>> Nir,
>>> >>>
>>> >>>
>>> >>>> AAron - actually it was quite rare, but the first vmss I
used to
>>> test
>>> >>>> the patch
>>> >>>> had two or three, which made my patch break when i first
tested it
>>> on
>>> >>>> other
>>> >>>> VMs.
>>> >>>> I could try to pinpoint it, but i guess it would be easier
for me
>>> to
>>> >>>> reverse
>>> >>>> the vmware code than try it manually :)
>>> >>>> A thing to note is that that vmss also had two virtual CPUs,
which
>>> might
>>> >>>> have
>>> >>>> caused having more than one region. it also had ~4G of RAM.
most
>>> of the
>>> >>>> other
>>> >>>> VMs i used only had about 512M.
>>> >>>> did you try to run it on other vmss files that resemble the
one i
>>> >>>> described?
>>> >>>
>>> >>>
>>> >>> Interesting. I have never seen a vmss with multiple regions. If
you
>>> >>> happen to come across one again, please let me know. I'd be
>>> interested in
>>> >>> what conditions or what product leads to more than one region.
>>> >>>
>>> >>> Thanks,
>>> >>>
>>> >>> AW
>>> >>
>>> >>
>>> >>> >>> >>> > --
>>> > Jesse Bowling
>>> >>> >>> >>> > _______________________________________________
>>> > Vol-users mailing list
>>> > Vol-users(a)volatilityfoundation.org
>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>> >>>
>>>
>>>
>>> --
>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>>>
>>
>>
>>
>> --
>> Jesse Bowling
>>
>>
>>
>
>
> --
> Jesse Bowling
>
>
>
--
Jesse Bowling
11:17 a.m.
Looks a little better (at least there is some result):
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss pslist
--profile=Win2008R2SP1x64
Volatile Systems Volatility Framework 2.1_alpha
Offset(V) Name PID PPID Thds Hnds Time
---------- -------------------- ------ ------ ------ ------
-------------------
0xfffffa8003cb7040 System 4 0 103 ------
2012-04-12 07:14:16
Not quite as good with rev 1977:
# /usr/local/src/volatility-read-only-1977/vol.py -f myimage.vmss pslist
--profile=Win2008R2SP1x64
Volatile Systems Volatility Framework 2.1_alpha
Offset(V) Name PID PPID Thds Hnds
Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ --------
------ ------ -------------------- --------------------
0xfffffa8003cb7040 System 4 0 103 --------
------ 0 2012-04-12 07:14:16
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-1977/vol.py", line 185, in
<module>
main()
File "/usr/local/src/volatility-read-only-1977/vol.py", line 176, in main
command.execute()
File "/usr/local/src/volatility-read-only-1977/volatility/commands.py",
line 111, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-1977/volatility/plugins/taskmods.py",
line 154, in render_text
str(task.CreateTime or ''),
File
"/usr/local/src/volatility-read-only-1977/volatility/plugins/overlays/windows/windows.py",
line 278, in __nonzero__
return self.v() != 0
File
"/usr/local/src/volatility-read-only-1977/volatility/plugins/overlays/windows/windows.py",
line 275, in v
return self.windows_to_unix_time(value)
File
"/usr/local/src/volatility-read-only-1977/volatility/plugins/overlays/windows/windows.py",
line 262, in windows_to_unix_time
unix_time = windows_time / 10000000
TypeError: unsupported operand type(s) for /: 'NoneObject' and 'int'
I'll work with folks to get them a copy of this VMSS...
The snapshot was made by pausing the machine, and then copying the vmss
file out from the datastore. This was done on a VMware ESX 4.1.0, 502767
host. Let me know if I can provide any more info on it...
Cheers to all,
Jesse
On Fri, Jul 6, 2012 at 11:00 AM, nir izraeli <nirizr(a)gmail.com> wrote:
Jesse what you're showing looks like it should
work just fine...
could you run a pslist (not psscan) and provide full output?
btw, AAron is looking for a file like yours (it has two regions instead of
0 which imply only a single region).
can you tell us how you've made the vmware snapshot and which
product/versions you've used to make it?
thanks!
On Fri, Jul 6, 2012 at 5:56 PM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
--
Jesse Bowling
Trying imageinfo with a debug flag ends like
this:
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.standard.FileAddressSpace object at
0xb3752d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: Read region count from
file: 2
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 2
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: C0000000
Virtual Address: 100000000, Physical Address: C0000000, Size: 40000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 187000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0xb3754d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
--Return--
/usr/local/src/volatility-read-only-may-01/volatility/debug.py(88)b()->None
-> pdb.set_trace()
(Pdb)
Cheers,
Jesse
On Fri, Jul 6, 2012 at 10:52 AM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
> Ah, actually I see that that is no better... :(
>
> First 1024:
>
> # dd if=myimage.vmss bs=1 count=1024 | xxd
> 1024+0 records in
> 1024+0 records out
> 1024 bytes (1.0 kB) copied, 0.00110567 s, 926 kB/s
> 0000000: d2be d2be 0800 0000 5b00 0000 4368 6563 ........[...Chec
> 0000010: 6b70 6f69 6e74 0000 0000 0000 0000 0000 kpoint..........
> 0000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000040: 0000 0000 0000 0000 0000 0000 7c1c 0000 ............|...
> 0000050: 0000 0000 ab03 0000 0000 0000 6370 7500 ............cpu.
> 0000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000090: 0000 0000 0000 0000 0000 0000 2720 0000 ............' ..
> 00000a0: 0000 0000 cce1 0300 0000 0000 4275 734d ............BusM
> 00000b0: 656d 5361 6d70 6c65 0000 0000 0000 0000 emSample........
> 00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00000d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00000e0: 0000 0000 0000 0000 0000 0000 f301 0400 ................
> 00000f0: 0000 0000 4f00 0000 0000 0000 4275 734d ....O.......BusM
> 0000100: 656d 5365 7276 6963 6573 0000 0000 0000 emServices......
> 0000110: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000120: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000130: 0000 0000 0000 0000 0000 0000 4202 0400 ............B...
> 0000140: 0000 0000 1200 0000 0000 0000 5555 4944 ............UUID
> 0000150: 564d 5800 0000 0000 0000 0000 0000 0000 VMX.............
> 0000160: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000170: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000180: 0000 0000 0000 0000 0000 0000 5402 0400 ............T...
> 0000190: 0000 0000 2e00 0000 0000 0000 5374 6174 ............Stat
> 00001a0: 654c 6f67 6765 7200 0000 0000 0000 0000 eLogger.........
> 00001b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00001c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00001d0: 0000 0000 0000 0000 0000 0000 8202 0400 ................
> 00001e0: 0000 0000 0200 0000 0000 0000 6d65 6d6f ............memo
> 00001f0: 7279 0000 0000 0000 0000 0000 0000 0000 ry..............
> 0000200: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000210: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000220: 0000 0000 0000 0000 0000 0000 8402 0400 ................
> 0000230: 0000 0000 7efd 0000 0100 0000 4d53 7461 ....~.......MSta
> 0000240: 7473 0000 0000 0000 0000 0000 0000 0000 ts..............
> 0000250: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000270: 0000 0000 0000 0000 0000 0000 0200 0500 ................
> 0000280: 0100 0000 3619 0000 0000 0000 536e 6170 ....6.......Snap
> 0000290: 7368 6f74 0000 0000 0000 0000 0000 0000 shot............
> 00002a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00002c0: 0000 0000 0000 0000 0000 0000 3819 0500 ............8...
> 00002d0: 0100 0000 a971 0000 0000 0000 7069 6300 .....q......pic.
> 00002e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00002f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000300: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000310: 0000 0000 0000 0000 0000 0000 e18a 0500 ................
> 0000320: 0100 0000 0e07 0000 0000 0000 5469 6d65 ............Time
> 0000330: 5472 6163 6b65 7200 0000 0000 0000 0000 Tracker.........
> 0000340: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000350: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 0000360: 0000 0000 0000 0000 0000 0000 ef91 0500 ................
> 0000370: 0100 0000 9900 0000 0000 0000 466c 6f70 ............Flop
> 0000380: 7079 0000 0000 0000 0000 0000 0000 0000 py..............
> 0000390: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00003a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00003b0: 0000 0000 0000 0000 0000 0000 8892 0500 ................
> 00003c0: 0100 0000 8c91 0000 0000 0000 4775 6573 ............Gues
> 00003d0: 744d 7367 0000 0000 0000 0000 0000 0000 tMsg............
> 00003e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
> 00003f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
>
>
>
> On Fri, Jul 6, 2012 at 10:50 AM, Jesse Bowling <jessebowling(a)gmail.com>wrote:
>
>> Seems better:
>>
>> root@Forensic-1:/case2/4132012/biweb/mem#
>> /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
>>
>> Volatile Systems Volatility Framework 2.1_alpha
>> Offset(P) Name PID PPID PDB Time
>> created Time exited
>> ---------- ---------------- ------ ------ ----------
>> ------------------------ ------------------------
>> No suitable address space mapping found
>> Tried to open image as:
>> ...
>>
>> VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>> ...
>>
>>
>>
>>
>>
>> On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy(a)gmail.com>wrote:
>>
>>> Try to place them in volatility/plugins/addrspaces/ instead and then
>>> do a `make clean` before running
>>>
>>>
>>>
>>> On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling
<jessebowling(a)gmail.com>
>>> wrote:
>>> > Disclaimer:
>>> >>> > So I took
Nir's files, and dropped them into my plugins folder...I
>>> did not
>>> > see any new plugins using vol.py -h, and when I tried to do an
>>> imageinfo I
>>> > got:
>>> >>> >
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>>> imageinfo
>>> >>> > Volatile
Systems Volatility Framework 2.1_alpha
>>> > Determining profile based on KDBG search...
>>> >>> > Traceback
(most recent call last):
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line
>>> 173, in
>>> > <module>
>>> > main()
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line
>>> 164, in
>>> > main
>>> > command.execute()
>>> > File
>>>
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>>> > line 101, in execute
>>> > func(outfd, data)
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>>> > line 34, in render_text
>>> > for k, v in data:
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>>> > line 44, in calculate
>>> > suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>>> > line 119, in calculate
>>> > for offset in scanner.scan(aspace):
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>>> > line 83, in scan
>>> > for offset in scan.BaseScanner.scan(self, address_space, offset,
>>> > maxlen):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 136, in scan
>>> > skip = max(skip, s.skip(data, i))
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>>> > line 49, in skip
>>> > nextval = data.index(self.tag, offset + 1)
>>> > AttributeError: 'NoneType' object has no attribute
'index'
>>> >>> > So:
>>> >>> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>>> psscan
>>> >>> > Volatile
Systems Volatility Framework 2.1_alpha
>>> > Offset(P) Name PID PPID PDB Time created
>>> > Time exited
>>> > ---------- ---------------- ------ ------ ----------
>>> > ------------------------ ------------------------
>>> > No suitable address space mapping found
>>> > Tried to open image as:
>>> > WindowsHiberFileSpace32: No base Address Space
>>> > VMWareSnapshotFile: No base Address Space
>>> > WindowsCrashDumpSpace32: No base Address Space
>>> > AMD64PagedMemory: No base Address Space
>>> > JKIA32PagedMemory: No base Address Space
>>> > JKIA32PagedMemoryPae: No base Address Space
>>> > IA32PagedMemoryPae: Module disabled
>>> > IA32PagedMemory: Module disabled
>>> > WindowsHiberFileSpace32: No xpress signature found
>>> > WindowsHiberFileSpace32: No xpress signature found
>>> > VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>>> > WindowsCrashDumpSpace32: Header signature invalid
>>> > AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
>>> > JKIA32PagedMemory: Failed valid Address Space check
>>> > JKIA32PagedMemoryPae: Failed valid Address Space check
>>> > IA32PagedMemoryPae: Module disabled
>>> > IA32PagedMemory: Module disabled
>>> > FileAddressSpace: Must be first Address Space
>>> >>> > At least it
doesn't crash. So now:
>>> >>> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>>> > --profile=Win2008R2SP1x64 psscan
>>> >>> > Volatile
Systems Volatility Framework 2.1_alpha
>>> > Offset(P) Name PID PPID PDB Time created
>>> > Time exited
>>> > ---------- ---------------- ------ ------ ----------
>>> > ------------------------ ------------------------
>>> > Traceback (most recent call last):
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line
>>> 173, in
>>> > <module>
>>> > main()
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line
>>> 164, in
>>> > main
>>> > command.execute()
>>> > File
>>>
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>>> > line 101, in execute
>>> > func(outfd, data)
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>>> > line 415, in render_text
>>> > for eprocess in data:
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>>> > line 405, in calculate
>>> > for offset in PoolScanProcess().scan(address_space):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 218, in scan
>>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 136, in scan
>>> > skip = max(skip, s.skip(data, i))
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>>> > line 49, in skip
>>> > nextval = data.index(self.tag, offset + 1)
>>> > AttributeError: 'NoneType' object has no attribute
'index'
>>> >>> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>>> > --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
>>> >>> > Volatile
Systems Volatility Framework 2.1_alpha
>>> > Offset(P) Name PID PPID PDB Time created
>>> > Time exited
>>> > ---------- ---------------- ------ ------ ----------
>>> > ------------------------ ------------------------
>>> > Traceback (most recent call last):
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line
>>> 173, in
>>> > <module>
>>> > main()
>>> > File "/usr/local/src/volatility-read-only-may-01/vol.py",
line
>>> 164, in
>>> > main
>>> > command.execute()
>>> > File
>>>
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>>> > line 101, in execute
>>> > func(outfd, data)
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>>> > line 415, in render_text
>>> > for eprocess in data:
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>>> > line 405, in calculate
>>> > for offset in PoolScanProcess().scan(address_space):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 218, in scan
>>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>>> > File
>>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
>>> > 136, in scan
>>> > skip = max(skip, s.skip(data, i))
>>> > File
>>> >>>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>>> > line 49, in skip
>>> > nextval = data.index(self.tag, offset + 1)
>>> > AttributeError: 'NoneType' object has no attribute
'index'
>>> >>> > I have
limited testing time the next couple weeks, so will look to
>>> see if I
>>> > can share this with someone like SA in the meantime...
>>> >>> > Cheers,
>>> >>> > Jesse
>>> >>> >>> > On Fri, Jul 6, 2012 at 7:21
AM, nir izraeli <nirizr(a)gmail.com>
>>> wrote:
>>> >>
>>> >> I assume you need it for something other than test my patch,
>>> >> I can send parts of the vmss of the machine I already noticed more
>>> than
>>> >> one region.
>>> >> could you use that to gather the info you need?
>>> >>
>>> >> btw, I'm also using vmware converter standalone pretty often,
it
>>> might
>>> >> also be related
>>> >>
>>> >>
>>> >> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters
<awalters(a)4tphi.net>
>>> wrote:
>>> >>>
>>> >>>
>>> >>> Nir,
>>> >>>
>>> >>>
>>> >>>> AAron - actually it was quite rare, but the first vmss I
used to
>>> test
>>> >>>> the patch
>>> >>>> had two or three, which made my patch break when i first
tested
>>> it on
>>> >>>> other
>>> >>>> VMs.
>>> >>>> I could try to pinpoint it, but i guess it would be easier
for me
>>> to
>>> >>>> reverse
>>> >>>> the vmware code than try it manually :)
>>> >>>> A thing to note is that that vmss also had two virtual
CPUs,
>>> which might
>>> >>>> have
>>> >>>> caused having more than one region. it also had ~4G of RAM.
most
>>> of the
>>> >>>> other
>>> >>>> VMs i used only had about 512M.
>>> >>>> did you try to run it on other vmss files that resemble the
one i
>>> >>>> described?
>>> >>>
>>> >>>
>>> >>> Interesting. I have never seen a vmss with multiple regions.
If
>>> you
>>> >>> happen to come across one again, please let me know. I'd be
>>> interested in
>>> >>> what conditions or what product leads to more than one region.
>>> >>>
>>> >>> Thanks,
>>> >>>
>>> >>> AW
>>> >>
>>> >>
>>> >>> >>> >>> > --
>>> > Jesse Bowling
>>> >>> >>> >>> > _______________________________________________
>>> > Vol-users mailing list
>>> > Vol-users(a)volatilityfoundation.org
>>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>> >>>
>>>
>>>
>>> --
>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>>>
>>
>>
>>
>> --
>> Jesse Bowling
>>
>>
>>
>
>
> --
> Jesse Bowling
>
>
>
--
Jesse Bowling
11:01 a.m.
Even though there might be an issue with the vmss address space, if it
had succeeded, you would still have to specify the profile like so:
$ vol.py -f myimage.vmss psscan --profile=Win2008R2SP1x64
Could you try one time like that just to be sure?
On Fri, Jul 6, 2012 at 10:50 AM, Jesse Bowling <jessebowling(a)gmail.com> wrote:
Seems better:
root@Forensic-1:/case2/4132012/biweb/mem#
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
...
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
...
On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
Try to place them in volatility/plugins/addrspaces/ instead and then
do a `make clean` before running
On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling(a)gmail.com>
wrote:
--
Jesse Bowling
Disclaimer:
So I took Nir's files, and dropped them into my plugins folder...I did
not
see any new plugins using vol.py -h, and when I tried to do an imageinfo
I
got:
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
imageinfo
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 34, in render_text
for k, v in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 44, in calculate
suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 119, in calculate
for offset in scanner.scan(aspace):
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 83, in scan
for offset in scan.BaseScanner.scan(self, address_space, offset,
maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
So:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
WindowsHiberFileSpace32: No xpress signature found
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
At least it doesn't crash. So now:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
I have limited testing time the next couple weeks, so will look to see
if I
can share this with someone like SA in the meantime...
Cheers,
Jesse
On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
I assume you need it for something other than test my patch,
I can send parts of the vmss of the machine I already noticed more than
one region.
could you use that to gather the info you need?
btw, I'm also using vmware converter standalone pretty often, it might
also be related
On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net>
wrote:
>
>
> Nir,
>
>
>> AAron - actually it was quite rare, but the first vmss I used to test
>> the patch
>> had two or three, which made my patch break when i first tested it on
>> other
>> VMs.
>> I could try to pinpoint it, but i guess it would be easier for me to
>> reverse
>> the vmware code than try it manually :)
>> A thing to note is that that vmss also had two virtual CPUs, which
>> might
>> have
>> caused having more than one region. it also had ~4G of RAM. most of
>> the
>> other
>> VMs i used only had about 512M.
>> did you try to run it on other vmss files that resemble the one i
>> described?
>
>
> Interesting. I have never seen a vmss with multiple regions. If you
> happen to come across one again, please let me know. I'd be interested
> in
> what conditions or what product leads to more than one region.
>
> Thanks,
>
> AW
--
Jesse Bowling
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
11:11 a.m.
Sure thing...
# vol.py -f myimage.vmss psscan --profile=Win2008R2SP1x64
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time
created Time exited
------------------ ---------------- ------ ------ ------------------
-------------------- --------------------
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 185, in <module>
main()
File "/usr/local/bin/vol.py", line 176, in main
command.execute()
File "/usr/local/src/volatility-read-only-1977/volatility/commands.py",
line 111, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-1977/volatility/plugins/filescan.py",
line 444, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-1977/volatility/plugins/filescan.py",
line 427, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-1977/volatility/scan.py", line
220, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-1977/volatility/scan.py", line
138, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-1977/volatility/plugins/common.py",
line 55, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
With may01 version:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
--profile=Win2008R2SP1x64
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time
created Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line 218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line 136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
On Fri, Jul 6, 2012 at 11:01 AM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
Even though there might be an issue with the vmss
address space, if it
had succeeded, you would still have to specify the profile like so:
$ vol.py -f myimage.vmss psscan --profile=Win2008R2SP1x64
Could you try one time like that just to be sure?
On Fri, Jul 6, 2012 at 10:50 AM, Jesse Bowling <jessebowling(a)gmail.com>
wrote:
--
Jesse Bowling
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
--
Jesse Bowling
Seems better:
root@Forensic-1:/case2/4132012/biweb/mem#
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
...
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
...
On Fri, Jul 6, 2012 at 10:29 AM, Jamie Levy <jamie.levy(a)gmail.com>
wrote:
>
> Try to place them in volatility/plugins/addrspaces/ instead and then
> do a `make clean` before running
>
>
>
> On Fri, Jul 6, 2012 at 10:03 AM, Jesse Bowling <jessebowling(a)gmail.com>
> wrote:
> > Disclaimer:
> >
> > So I took Nir's files, and dropped them into my plugins folder...I did
> > not
> > see any new plugins using vol.py -h, and when I tried to do an
imageinfo
> > I
> > got:
> >
> > /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
> > imageinfo
> >
> > Volatile Systems Volatility Framework 2.1_alpha
> > Determining profile based on KDBG search...
> >
> > Traceback (most recent call last):
> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173,
in
> > <module>
> > main()
> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164,
in
> > main
> > command.execute()
> > File
> > "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
> > line 101, in execute
> > func(outfd, data)
> > File
> >
> >
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
> > line 34, in render_text
> > for k, v in data:
> > File
> >
> >
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
> > line 44, in calculate
> > suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
> > File
> >
> >
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
> > line 119, in calculate
> > for offset in scanner.scan(aspace):
> > File
> >
> >
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
> > line 83, in scan
> > for offset in scan.BaseScanner.scan(self, address_space, offset,
> > maxlen):
> > File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
> > line
> > 136, in scan
> > skip = max(skip, s.skip(data, i))
> > File
> >
> >
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
> > line 49, in skip
> > nextval = data.index(self.tag, offset + 1)
> > AttributeError: 'NoneType' object has no attribute 'index'
> >
> > So:
> >
> > # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
> > psscan
> >
> > Volatile Systems Volatility Framework 2.1_alpha
> > Offset(P) Name PID PPID PDB Time created
> > Time exited
> > ---------- ---------------- ------ ------ ----------
> > ------------------------ ------------------------
> > No suitable address space mapping found
> > Tried to open image as:
> > WindowsHiberFileSpace32: No base Address Space
> > VMWareSnapshotFile: No base Address Space
> > WindowsCrashDumpSpace32: No base Address Space
> > AMD64PagedMemory: No base Address Space
> > JKIA32PagedMemory: No base Address Space
> > JKIA32PagedMemoryPae: No base Address Space
> > IA32PagedMemoryPae: Module disabled
> > IA32PagedMemory: Module disabled
> > WindowsHiberFileSpace32: No xpress signature found
> > WindowsHiberFileSpace32: No xpress signature found
> > VMWareSnapshotFile: ('Header signature invalid', 4026597203)
> > WindowsCrashDumpSpace32: Header signature invalid
> > AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
> > JKIA32PagedMemory: Failed valid Address Space check
> > JKIA32PagedMemoryPae: Failed valid Address Space check
> > IA32PagedMemoryPae: Module disabled
> > IA32PagedMemory: Module disabled
> > FileAddressSpace: Must be first Address Space
> >
> > At least it doesn't crash. So now:
> >
> > # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
> > --profile=Win2008R2SP1x64 psscan
> >
> > Volatile Systems Volatility Framework 2.1_alpha
> > Offset(P) Name PID PPID PDB Time created
> > Time exited
> > ---------- ---------------- ------ ------ ----------
> > ------------------------ ------------------------
> > Traceback (most recent call last):
> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173,
in
> > <module>
> > main()
> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164,
in
> > main
> > command.execute()
> > File
> > "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
> > line 101, in execute
> > func(outfd, data)
> > File
> >
> >
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
> > line 415, in render_text
> > for eprocess in data:
> > File
> >
> >
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
> > line 405, in calculate
> > for offset in PoolScanProcess().scan(address_space):
> > File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
> > line
> > 218, in scan
> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
> > File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
> > line
> > 136, in scan
> > skip = max(skip, s.skip(data, i))
> > File
> >
> >
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
> > line 49, in skip
> > nextval = data.index(self.tag, offset + 1)
> > AttributeError: 'NoneType' object has no attribute 'index'
> >
> > # /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
> > --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
> >
> > Volatile Systems Volatility Framework 2.1_alpha
> > Offset(P) Name PID PPID PDB Time created
> > Time exited
> > ---------- ---------------- ------ ------ ----------
> > ------------------------ ------------------------
> > Traceback (most recent call last):
> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173,
in
> > <module>
> > main()
> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164,
in
> > main
> > command.execute()
> > File
> > "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
> > line 101, in execute
> > func(outfd, data)
> > File
> >
> >
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
> > line 415, in render_text
> > for eprocess in data:
> > File
> >
> >
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
> > line 405, in calculate
> > for offset in PoolScanProcess().scan(address_space):
> > File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
> > line
> > 218, in scan
> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
> > File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
> > line
> > 136, in scan
> > skip = max(skip, s.skip(data, i))
> > File
> >
> >
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
> > line 49, in skip
> > nextval = data.index(self.tag, offset + 1)
> > AttributeError: 'NoneType' object has no attribute 'index'
> >
> > I have limited testing time the next couple weeks, so will look to see
> > if I
> > can share this with someone like SA in the meantime...
> >
> > Cheers,
> >
> > Jesse
> >
> >
> > On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
> >>
> >> I assume you need it for something other than test my patch,
> >> I can send parts of the vmss of the machine I already noticed more
than
> >> one region.
> >> could you use that to gather the info you need?
> >>
> >> btw, I'm also using vmware converter standalone pretty often, it
might
> >> also be related
> >>
> >>
> >> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net>
> >> wrote:
> >>>
> >>>
> >>> Nir,
> >>>
> >>>
> >>>> AAron - actually it was quite rare, but the first vmss I used to
test
> >>>> the patch
> >>>> had two or three, which made my patch break when i first tested it
on
> >>>> other
> >>>> VMs.
> >>>> I could try to pinpoint it, but i guess it would be easier for me
to
> >>>> reverse
> >>>> the vmware code than try it manually :)
> >>>> A thing to note is that that vmss also had two virtual CPUs, which
> >>>> might
> >>>> have
> >>>> caused having more than one region. it also had ~4G of RAM. most of
> >>>> the
> >>>> other
> >>>> VMs i used only had about 512M.
> >>>> did you try to run it on other vmss files that resemble the one i
> >>>> described?
> >>>
> >>>
> >>> Interesting. I have never seen a vmss with multiple regions. If you
> >>> happen to come across one again, please let me know. I'd be
interested
>> in
>> what conditions or what product leads to more than one region.
>>
>> Thanks,
>>
>> AW
>
>
--
Jesse Bowling
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 
4:49 p.m.
It looks to me like the address space is not implementing zread()
properly (or at all). Can you please make sure that you are
implementing zread() in such a way that when you read outside a valid
or mapped region you will receive a null padded buffer rather than
None?
Some more comments about the address space VMWareSnapshotFile:
- Please do not use inner classes. There is no need to have a class
defined in such a way - just place the class at the module level.
- Minor style issues - long lines should be wrapped at 80 chars,
commented out lines should be removed.
- Do no use double underscore member variable names (they mean
something specific e.g. self.__hasseek).
- It would also be nicer if we used the volatility object system
rather than struct module directly for parsing these things - it would
make the file formats more readable and simplify the code a lot.
Thanks
Michael.
On 6 July 2012 16:03, Jesse Bowling <jessebowling(a)gmail.com> wrote:
Disclaimer:
So I took Nir's files, and dropped them into my plugins folder...I did not
see any new plugins using vol.py -h, and when I tried to do an imageinfo I
got:
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss imageinfo
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 34, in render_text
for k, v in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 44, in calculate
suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 119, in calculate
for offset in scanner.scan(aspace):
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 83, in scan
for offset in scan.BaseScanner.scan(self, address_space, offset,
maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
So:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
WindowsHiberFileSpace32: No xpress signature found
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
At least it doesn't crash. So now:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
I have limited testing time the next couple weeks, so will look to see if I
can share this with someone like SA in the meantime...
Cheers,
Jesse
On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
I assume you need it for something other than test my patch,
I can send parts of the vmss of the machine I already noticed more than
one region.
could you use that to gather the info you need?
btw, I'm also using vmware converter standalone pretty often, it might
also be related
On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net> wrote:
--
Jesse Bowling
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Nir,
AAron - actually it was quite rare, but the first
vmss I used to test
the patch
had two or three, which made my patch break when i first tested it on
other
VMs.
I could try to pinpoint it, but i guess it would be easier for me to
reverse
the vmware code than try it manually :)
A thing to note is that that vmss also had two virtual CPUs, which might
have
caused having more than one region. it also had ~4G of RAM. most of the
other
VMs i used only had about 512M.
did you try to run it on other vmss files that resemble the one i
described?
Interesting. I have never seen a vmss with multiple regions. If you
happen to come across one again, please let me know. I'd be interested in
what conditions or what product leads to more than one region.
Thanks,
AW
5:58 p.m.
hi Michael,
would you mind to also post your comments at the tracking system?
it'll be a lot easier for me to keep track of it. hoping I'm not stepping
on your tows.
about the zread() - i didn't implement it, I got confused with a few old AS
classes that had unnecessary methods and probably also removed the zread()
by mistake.
I hope to fix these in a couple of days and resubmit an updated version.
the only issue i have trouble with is the conversion to the internal object
system.
I tried using it a couple of times but had trouble with it.
it would also duplicate efforts for writing modifications to the vmss
parsing code.
since it does seem to be easy to write structures using Volatility's
framework,
would you mind taking care of it yourselves?
I could add a textual documentation if you'd rather, since i'll write one
anyway.
although if it's important i could give it another try...
Thanks,
Nir
On Fri, Jul 6, 2012 at 11:49 PM, Michael Cohen <scudette(a)gmail.com> wrote:
It looks to me like the address space is not
implementing zread()
properly (or at all). Can you please make sure that you are
implementing zread() in such a way that when you read outside a valid
or mapped region you will receive a null padded buffer rather than
None?
Some more comments about the address space VMWareSnapshotFile:
- Please do not use inner classes. There is no need to have a class
defined in such a way - just place the class at the module level.
- Minor style issues - long lines should be wrapped at 80 chars,
commented out lines should be removed.
- Do no use double underscore member variable names (they mean
something specific e.g. self.__hasseek).
- It would also be nicer if we used the volatility object system
rather than struct module directly for parsing these things - it would
make the file formats more readable and simplify the code a lot.
Thanks
Michael.
On 6 July 2012 16:03, Jesse Bowling <jessebowling(a)gmail.com> wrote:
--
Jesse Bowling
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
Disclaimer:
So I took Nir's files, and dropped them into my plugins folder...I did
not
see any new plugins using vol.py -h, and when I
tried to do an imageinfo
I
got:
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
imageinfo
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 34, in render_text
for k, v in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
line 44, in calculate
suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 119, in calculate
for offset in scanner.scan(aspace):
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
line 83, in scan
for offset in scan.BaseScanner.scan(self, address_space, offset,
maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
So:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: No base Address Space
VMWareSnapshotFile: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
WindowsHiberFileSpace32: No xpress signature found
WindowsHiberFileSpace32: No xpress signature found
VMWareSnapshotFile: ('Header signature invalid', 4026597203)
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
JKIA32PagedMemory: Failed valid Address Space check
JKIA32PagedMemoryPae: Failed valid Address Space check
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Must be first Address Space
At least it doesn't crash. So now:
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
# /usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
--profile=Win2008R2SP1x64 --dtb=0x187000 psscan
Volatile Systems Volatility Framework 2.1_alpha
Offset(P) Name PID PPID PDB Time created
Time exited
---------- ---------------- ------ ------ ----------
------------------------ ------------------------
Traceback (most recent call last):
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 173, in
<module>
main()
File "/usr/local/src/volatility-read-only-may-01/vol.py", line 164, in
main
command.execute()
File
"/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
line 101, in execute
func(outfd, data)
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 415, in render_text
for eprocess in data:
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
line 405, in calculate
for offset in PoolScanProcess().scan(address_space):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
218, in scan
for i in BaseScanner.scan(self, address_space, offset, maxlen):
File "/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
line
136, in scan
skip = max(skip, s.skip(data, i))
File
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
line 49, in skip
nextval = data.index(self.tag, offset + 1)
AttributeError: 'NoneType' object has no attribute 'index'
I have limited testing time the next couple weeks, so will look to see
if I
can share this with someone like SA in the
meantime...
Cheers,
Jesse
On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli <nirizr(a)gmail.com> wrote:
>
> I assume you need it for something other than test my patch,
> I can send parts of the vmss of the machine I already noticed more than
> one region.
> could you use that to gather the info you need?
>
> btw, I'm also using vmware converter standalone pretty often, it might
> also be related
>
>
> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters <awalters(a)4tphi.net>
wrote:
>>
>>
>> Nir,
>>
>>
>>> AAron - actually it was quite rare, but the first vmss I used to test
>>> the patch
>>> had two or three, which made my patch break when i first tested it on
>>> other
>>> VMs.
>>> I could try to pinpoint it, but i guess it would be easier for me to
>>> reverse
>>> the vmware code than try it manually :)
>>> A thing to note is that that vmss also had two virtual CPUs, which
might
>>> have
>>> caused having more than one region. it also had ~4G of RAM. most of
the
>>> other
>>> VMs i used only had about 512M.
>>> did you try to run it on other vmss files that resemble the one i
>>> described?
>>
>>
>> Interesting. I have never seen a vmss with multiple regions. If you
>> happen to come across one again, please let me know. I'd be interested
in
what conditions or what product leads to more than one
region.
Thanks,
AW
7:02 p.m.
Hey Nir,
We can definitely help out with integrating your code with the object
system. I was just in the process of testing it for the first time this
afternoon.
Here are a few details (I'll copy them to the issue tracker in a sec).
Basically I started with an ESX 4.1.0 and grabbed the following:
* vmsn from xpsp2 x86 256 MB
* vmsn from win7 sp1 x86 512 MB
* vmss from server 2008 sp1 x64 4 GB
Your AS with the latest 2.1 alpha (so about r1983) worked fine for the xp
vmsn. (by fine I mean pslist worked, but other plugins may not work
properly due to what scudette said about zread)
=================================================
VMSN - XPSP3 x86 @ 256 MB RAM
$ python vol.py -d -f Andrew-Snapshot6.vmsn pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile' DEBUG : volatility.plugins.addrspaces.vmware:
RegionCount: 1
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: 10000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 39000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0x10363a890 Offset(V) Name
PID PPID Thds Hnds Sess Wow64
Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------
-------------------- --------------------
0x81bcc830 System 4 0 52 477 ------ 0
0x8194a020 smss.exe 364 4 3 21 ------ 0
2012-01-25 20:44:20
0x81954020 csrss.exe 616 364 10 345 0 0
2012-01-25 20:44:20
0x81951128 winlogon.exe 640 364 16 495 0 0
2012-01-25 20:44:20
0x81a897a8 services.exe 684 640 15 272 0 0
2012-01-25 20:44:20
[snip]
It also worked fine for the win7 vmsn:
=================================================
VMSN - Windows 7 SP0 x86 @ 512 MB RAM
$ python vol.py -d -f Abraham-Snapshot2.vmsn --profile=Win7SP0x86 pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile' DEBUG : volatility.plugins.addrspaces.vmware:
RegionCount: 1
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: 20000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 185000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0x102a1a750 Offset(V) Name
PID PPID Thds Hnds Sess Wow64
Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------
-------------------- --------------------
0x83f2f730 System 4 0 93 494 ------ 0
2012-03-15 15:04:12
0x84f32c48 smss.exe 252 4 2 29 ------ 0
2012-03-15 15:04:12
0x85708d40 csrss.exe 364 356 9 386 0 0
2012-03-15 15:04:48
0x82050030 wininit.exe 400 356 3 75 0 0
2012-03-15 15:04:48
0x856d9370 csrss.exe 408 392 7 201 1 0
2012-03-15 15:04:48
0x8207f030 services.exe 468 400 8 198 0 0
2012-03-15 15:04:49
0x8208e030 lsass.exe 476 400 8 711 0 0
2012-03-15 15:04:49
[snip]
I then reproduced the same thing Jesse is seeing on the server 2008 x64 w/
4 GB:
=================================================
VMSS - Server 2008 SP1 x64 @ 4 GB RAM
$ python vol.py -d -f Win2008SP1x64-9de64630.vmss --profile=Win2008SP1x64
pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile' DEBUG : volatility.plugins.addrspaces.vmware:
Read region count from
file: 2
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 2
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: C0000000
Virtual Address: 100000000, Physical Address: C0000000, Size: 40000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 124000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0x102a1a750 DEBUG :
volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory' DEBUG : volatility.utils : Succeeded
instantiating
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x1036c91d0 DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile' DEBUG : volatility.utils : Failed
instantiating (exception): unpack
requires a string argument of length 4
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory' DEBUG : volatility.utils : Trying
<class
'volatility.plugins.addrspaces.standard.FileAddressSpace' Offset(V) Name PID
PPID Thds Hnds
Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ --------
------ ------ -------------------- --------------------
0xfffffa8003ca8950 System 4 0 104 496
------ 0 2012-03-02 07:16:23
/Users/Michael/volatility_pe_exceptions/volatility/plugins/overlays/windows/windows.py(262)windows_to_unix_time()
-> unix_time = windows_time / 10000000
(Pdb) windows_time
<NoneObject: Unable to read 8 bytes from 18446738026473744904
You can see the error occurred because windows_time at 0xfffffa8004a86a08L
(hex value of the decimal offset above) could not be fetched from the vmss
file. Since it appears the System process is able to be found, we should be
able to break into a volshell (which uses the System process AS by default)
and try some checks:
$ python vol.py -d -f Win2008SP1x64-9de64630.vmss --profile=Win2008SP1x64
volshell
Current context: process System, pid=4, ppid=0 DTB=0x124000
Welcome to volshell! Current memory image is:
file:///Users/Michael/Downloads/Win2008SP1x64-9de64630.vmss
To get help, type 'hh()'
> about the zread() - i didn't implement
it, I got confused with a few old
> AS classes that had unnecessary methods and probably also removed the
> zread() by mistake.
> I hope to fix these in a couple of days and
resubmit an updated version.
> the only issue i have trouble with is the
conversion to the internal
> object system.
> I tried using it a couple of times but had trouble with it.
> it would also duplicate efforts for writing modifications to the vmss
> parsing code.
> since it does seem to be easy to write structures using Volatility's
> framework,
> would you mind taking care of it yourselves?
> I could add a textual documentation if you'd rather, since i'll write one
> anyway.
> although if it's important i could give it another try...
> Thanks,
> Nir
> On Fri, Jul 6, 2012 at 11:49 PM, Michael Cohen <scudette(a)gmail.com>
wrote:
>> It looks to me like the address space
is not implementing zread()
>> properly (or at all). Can you please make sure that you are
>> implementing zread() in such a way that when you read outside a valid
>> or mapped region you will receive a null padded buffer rather than
>> None?
> >> Some more comments about the address
space VMWareSnapshotFile:
>> - Please do not use inner classes. There is no need to have a class
>> defined in such a way - just place the class at the module level.
>> - Minor style issues - long lines should be wrapped at 80 chars,
>> commented out lines should be removed.
>> - Do no use double underscore member variable names (they mean
>> something specific e.g. self.__hasseek).
>> - It would also be nicer if we used the volatility object system
>> rather than struct module directly for parsing these things - it would
>> make the file formats more readable and simplify the code a lot.
> >> Thanks
>> Michael.
> >> On 6 July 2012 16:03, Jesse Bowling
<jessebowling(a)gmail.com> wrote:
>> > Disclaimer:
>> >> > So I
took Nir's files, and dropped them into my plugins folder...I did
>> not
>> > see any new plugins using vol.py -h, and when I tried to do an
>> imageinfo I
>> > got:
>> >> >
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> imageinfo
>> >> >
Volatile Systems Volatility Framework 2.1_alpha
>> > Determining profile based on KDBG search...
>> >> >
Traceback (most recent call last):
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
173, in
>> > <module >> >
main()
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
164, in
>> > main
>> > command.execute()
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> > func(outfd, data)
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>> > line 34, in render_text
>> > for k, v in data:
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>> > line 44, in calculate
>> > suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>> > line 119, in calculate
>> > for offset in scanner.scan(aspace):
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>> > line 83, in scan
>> > for offset in scan.BaseScanner.scan(self, address_space, offset,
>> > maxlen):
>> > File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
>> line
>> > 136, in scan
>> > skip = max(skip, s.skip(data, i))
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> > nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >> > So:
>> >> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> psscan
>> >> >
Volatile Systems Volatility Framework 2.1_alpha
>> > Offset(P) Name PID PPID PDB Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > No suitable address space mapping found
>> > Tried to open image as:
>> > WindowsHiberFileSpace32: No base Address Space
>> > VMWareSnapshotFile: No base Address Space
>> > WindowsCrashDumpSpace32: No base Address Space
>> > AMD64PagedMemory: No base Address Space
>> > JKIA32PagedMemory: No base Address Space
>> > JKIA32PagedMemoryPae: No base Address Space
>> > IA32PagedMemoryPae: Module disabled
>> > IA32PagedMemory: Module disabled
>> > WindowsHiberFileSpace32: No xpress signature found
>> > WindowsHiberFileSpace32: No xpress signature found
>> > VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>> > WindowsCrashDumpSpace32: Header signature invalid
>> > AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
>> > JKIA32PagedMemory: Failed valid Address Space check
>> > JKIA32PagedMemoryPae: Failed valid Address Space check
>> > IA32PagedMemoryPae: Module disabled
>> > IA32PagedMemory: Module disabled
>> > FileAddressSpace: Must be first Address Space
>> >> > At
least it doesn't crash. So now:
>> >> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> > --profile=Win2008R2SP1x64 psscan
>> >> >
Volatile Systems Volatility Framework 2.1_alpha
>> > Offset(P) Name PID PPID PDB Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > Traceback (most recent call last):
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
173, in
>> > <module >> >
main()
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
164, in
>> > main
>> > command.execute()
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> > func(outfd, data)
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 415, in render_text
>> > for eprocess in data:
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 405, in calculate
>> > for offset in PoolScanProcess().scan(address_space):
>> > File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
>> line
>> > 218, in scan
>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>> > File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
>> line
>> > 136, in scan
>> > skip = max(skip, s.skip(data, i))
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> > nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> > --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
>> >> >
Volatile Systems Volatility Framework 2.1_alpha
>> > Offset(P) Name PID PPID PDB Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > Traceback (most recent call last):
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
173, in
>> > <module >> >
main()
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
164, in
>> > main
>> > command.execute()
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> > func(outfd, data)
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 415, in render_text
>> > for eprocess in data:
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 405, in calculate
>> > for offset in PoolScanProcess().scan(address_space):
>> > File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
>> line
>> > 218, in scan
>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>> > File
"/usr/local/src/volatility-read-only-may-01/volatility/scan.py",
>> line
>> > 136, in scan
>> > skip = max(skip, s.skip(data, i))
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> > nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >> > I have
limited testing time the next couple weeks, so will look to see
>> if I
>> > can share this with someone like SA in the meantime...
>> >> >
Cheers,
>> >> > Jesse
>> >> >> > On Fri, Jul 6, 2012 at 7:21 AM,
nir izraeli <nirizr(a)gmail.com> wrote:
>> > >> >> I
assume you need it for something other than test my patch,
>> >> I can send parts of the vmss of the machine I already noticed more than
>> >> one region.
>> >> could you use that to gather the info you need?
>> > >> >>
btw, I'm also using vmware converter standalone pretty often, it might
>> >> also be related
>> > >> > >> >> On Fri, Jul 6, 2012 at 5:31
AM, AAron Walters <awalters(a)4tphi.net
>> wrote:
>> >> >> >> >> >>> Nir,
>> >> >> >> >> >>>> AAron - actually it
was quite rare, but the first vmss I used to test
>> >>>> the patch
>> >>>> had two or three, which made my patch break when i first tested
it on
>> >>>> other
>> >>>> VMs.
>> >>>> I could try to pinpoint it, but i guess it would be easier for
me to
>> >>>> reverse
>> >>>> the vmware code than try it manually :)
>> >>>> A thing to note is that that vmss also had two virtual CPUs,
which
>> might
>> >>>> have
>> >>>> caused having more than one region. it also had ~4G of RAM. most
of
>> the
>> >>>> other
>> >>>> VMs i used only had about 512M.
>> >>>> did you try to run it on other vmss files that resemble the one
i
>> >>>> described?
>> >> >> >> >> >>> Interesting. I have never
seen a vmss with multiple regions. If you
>> >>> happen to come across one again, please let me know. I'd be
>> interested in
>> >>> what conditions or what product leads to more than one region.
>> >> >> >>>
Thanks,
>> >> >> >>>
AW
>> > >> > >>
>> >> >> > --
>> > Jesse Bowling
>> >> >>
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users(a)volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
>
_______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
self.addrspace.is_valid_address(0xfffffa8004a86a08L)
True
>> self.addrspace.vtop(0xfffffa8004a86a08L)
5354580488L
>> dd(0xfffffa8004a86a08L)
Memory
unreadable at fffffa8004a86a08
So the AS thinks the virtual address is valid and is able to vtop, but then
when you try to read (dd command) it fails. The first thing that catches my
eye is the physical address is reportedly 5354580488L, which is much larger
than the size of the file we have:
$ ls -al Win2008SP1x64-9de64630.vmss
-rw-r--r--@ 1 Michael staff 4300360567 Jul 6 16:01
/Users/Michael/Downloads/Win2008SP1x64-9de64630.vmss
This is the same thing we saw recently in the issue "vtop and 5GB 64bit
memory dump problem" [1]. That too was an issue of vmware memory files (a
vmem in this case unless Sebastien changed the extension). Same symptom,
but with the AMD64 AS - it reported vtop as being a physical address much
bigger than the file.
We're still looking into it some things, and although your AS could use a
little work to conform its style with the other AS's, I'm not sure its the
cause of the problem we're seeing here (unless the AMD64 AS has the same
problem).
Stay tuned.... ;-)
MHL
[1]. http://code.google.com/p/volatility/issues/detail?id=272
On Fri, Jul 6, 2012 at 5:58 PM, nir izraeli <nirizr(a)gmail.com> wrote:
> hi Michael,
> would you mind to also post your comments at the tracking system?
> it'll be a lot easier for me to keep track of it. hoping I'm not stepping
> on your tows.
7:22 p.m.
Michael, if you'll load the vmss AS with the -d flag it'll print the
regions specified in the vmss file.
it might help you to check if the address really exist in the file. I would
bet there's more than a single region so the file size is not indicative.
i'll try running a few checks on my part to make sure it is unrelated to my
patch.
if you wish to investigate it further you could quite easily use the
VMSSParser directly, but you might rather leave it to me :)
I'll also hurry with the zread function so you could make more tests.
hopefully I'll write it tomorrow, since it's 2AM over here and I've already
made some promises I should keep for today :)
help with the object system will be much appreciated.
btw,
a list of the features/methods required of an AS could have been useful,
but i don't how many AS commits you receive so it might be unnecessary.
I won't mind writing one if reviewed properly. an "example" AS could also
do the trick
Cheers,
- Nir
On Sat, Jul 7, 2012 at 2:02 AM, Michael Hale Ligh <michael.hale(a)gmail.com>wrote:
Hey Nir,
We can definitely help out with integrating your code with the object
system. I was just in the process of testing it for the first time this
afternoon.
Here are a few details (I'll copy them to the issue tracker in a sec).
Basically I started with an ESX 4.1.0 and grabbed the following:
* vmsn from xpsp2 x86 256 MB
* vmsn from win7 sp1 x86 512 MB
* vmss from server 2008 sp1 x64 4 GB
Your AS with the latest 2.1 alpha (so about r1983) worked fine for the xp
vmsn. (by fine I mean pslist worked, but other plugins may not work
properly due to what scudette said about zread)
=================================================
VMSN - XPSP3 x86 @ 256 MB RAM
$ python vol.py -d -f Andrew-Snapshot6.vmsn pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 1
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: 10000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 39000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0x10363a890>
Offset(V) Name PID PPID Thds Hnds Sess
Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------
------ -------------------- --------------------
0x81bcc830 System 4 0 52 477 ------
0
0x8194a020 smss.exe 364 4 3 21 ------
0 2012-01-25 20:44:20
0x81954020 csrss.exe 616 364 10 345 0
0 2012-01-25 20:44:20
0x81951128 winlogon.exe 640 364 16 495 0
0 2012-01-25 20:44:20
0x81a897a8 services.exe 684 640 15 272 0
0 2012-01-25 20:44:20
[snip]
It also worked fine for the win7 vmsn:
=================================================
VMSN - Windows 7 SP0 x86 @ 512 MB RAM
$ python vol.py -d -f Abraham-Snapshot2.vmsn --profile=Win7SP0x86 pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 1
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: 20000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 185000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0x102a1a750>
Offset(V) Name PID PPID Thds Hnds Sess
Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------
------ -------------------- --------------------
0x83f2f730 System 4 0 93 494 ------
0 2012-03-15 15:04:12
0x84f32c48 smss.exe 252 4 2 29 ------
0 2012-03-15 15:04:12
0x85708d40 csrss.exe 364 356 9 386 0
0 2012-03-15 15:04:48
0x82050030 wininit.exe 400 356 3 75 0
0 2012-03-15 15:04:48
0x856d9370 csrss.exe 408 392 7 201 1
0 2012-03-15 15:04:48
0x8207f030 services.exe 468 400 8 198 0
0 2012-03-15 15:04:49
0x8208e030 lsass.exe 476 400 8 711 0
0 2012-03-15 15:04:49
[snip]
I then reproduced the same thing Jesse is seeing on the server 2008 x64 w/
4 GB:
=================================================
VMSS - Server 2008 SP1 x64 @ 4 GB RAM
$ python vol.py -d -f Win2008SP1x64-9de64630.vmss --profile=Win2008SP1x64
pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: Read region count from
file: 2
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 2
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: C0000000
Virtual Address: 100000000, Physical Address: C0000000, Size: 40000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 124000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0x102a1a750>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x1036c91d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.utils : Failed instantiating (exception): unpack
requires a string argument of length 4
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
Offset(V) Name PID PPID Thds Hnds
Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ --------
------ ------ -------------------- --------------------
0xfffffa8003ca8950 System 4 0 104 496
------ 0 2012-03-02 07:16:23
/Users/Michael/volatility_pe_exceptions/volatility/plugins/overlays/windows/windows.py(262)windows_to_unix_time()
-> unix_time = windows_time / 10000000
(Pdb) windows_time
<NoneObject: Unable to read 8 bytes from 18446738026473744904>
You can see the error occurred because windows_time at 0xfffffa8004a86a08L
(hex value of the decimal offset above) could not be fetched from the vmss
file. Since it appears the System process is able to be found, we should be
able to break into a volshell (which uses the System process AS by default)
and try some checks:
$ python vol.py -d -f Win2008SP1x64-9de64630.vmss --profile=Win2008SP1x64
volshell
Current context: process System, pid=4, ppid=0 DTB=0x124000
Welcome to volshell! Current memory image is:
file:///Users/Michael/Downloads/Win2008SP1x64-9de64630.vmss
To get help, type 'hh()'
>> > So I took Nir's
files, and dropped them into my plugins folder...I did
>> not
>> > see any new plugins using vol.py -h, and when I tried to do an
>> imageinfo I
>> > got:
>> >> >
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> imageinfo
>> >> > Volatile Systems
Volatility Framework 2.1_alpha
>> > Determining profile based on KDBG search...
>> >> > Traceback (most
recent call last):
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
173,
>> in
>> > <module>
>> > main()
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
164,
>> in
>> > main
>> > command.execute()
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> > func(outfd, data)
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>> > line 34, in render_text
>> > for k, v in data:
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>> > line 44, in calculate
>> > suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>> > line 119, in calculate
>> > for offset in scanner.scan(aspace):
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>> > line 83, in scan
>> > for offset in scan.BaseScanner.scan(self, address_space, offset,
>> > maxlen):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 136, in scan
>> > skip = max(skip, s.skip(data, i))
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> > nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >> > So:
>> >> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> psscan
>> >> > Volatile Systems
Volatility Framework 2.1_alpha
>> > Offset(P) Name PID PPID PDB Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > No suitable address space mapping found
>> > Tried to open image as:
>> > WindowsHiberFileSpace32: No base Address Space
>> > VMWareSnapshotFile: No base Address Space
>> > WindowsCrashDumpSpace32: No base Address Space
>> > AMD64PagedMemory: No base Address Space
>> > JKIA32PagedMemory: No base Address Space
>> > JKIA32PagedMemoryPae: No base Address Space
>> > IA32PagedMemoryPae: Module disabled
>> > IA32PagedMemory: Module disabled
>> > WindowsHiberFileSpace32: No xpress signature found
>> > WindowsHiberFileSpace32: No xpress signature found
>> > VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>> > WindowsCrashDumpSpace32: Header signature invalid
>> > AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
>> > JKIA32PagedMemory: Failed valid Address Space check
>> > JKIA32PagedMemoryPae: Failed valid Address Space check
>> > IA32PagedMemoryPae: Module disabled
>> > IA32PagedMemory: Module disabled
>> > FileAddressSpace: Must be first Address Space
>> >> > At least it
doesn't crash. So now:
>> >> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> > --profile=Win2008R2SP1x64 psscan
>> >> > Volatile Systems
Volatility Framework 2.1_alpha
>> > Offset(P) Name PID PPID PDB Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > Traceback (most recent call last):
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
173,
>> in
>> > <module>
>> > main()
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
164,
>> in
>> > main
>> > command.execute()
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> > func(outfd, data)
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 415, in render_text
>> > for eprocess in data:
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 405, in calculate
>> > for offset in PoolScanProcess().scan(address_space):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 218, in scan
>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 136, in scan
>> > skip = max(skip, s.skip(data, i))
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> > nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> > --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
>> >> > Volatile Systems
Volatility Framework 2.1_alpha
>> > Offset(P) Name PID PPID PDB Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > Traceback (most recent call last):
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
173,
>> in
>> > <module>
>> > main()
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
164,
>> in
>> > main
>> > command.execute()
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> > func(outfd, data)
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 415, in render_text
>> > for eprocess in data:
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 405, in calculate
>> > for offset in PoolScanProcess().scan(address_space):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 218, in scan
>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 136, in scan
>> > skip = max(skip, s.skip(data, i))
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> > nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >> > I have limited
testing time the next couple weeks, so will look to see
>> if I
>> > can share this with someone like SA in the meantime...
>> >> > Cheers,
>> >> > Jesse
>> >> >> > On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli
<nirizr(a)gmail.com> wrote:
>> >>
>> >> I assume you need it for something other than test my patch,
>> >> I can send parts of the vmss of the machine I already noticed more
>> than
>> >> one region.
>> >> could you use that to gather the info you need?
>> >>
>> >> btw, I'm also using vmware converter standalone pretty often, it
might
>> >> also be related
>> >>
>> >>
>> >> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters
<awalters(a)4tphi.net>
>> wrote:
>> >>>
>> >>>
>> >>> Nir,
>> >>>
>> >>>
>> >>>> AAron - actually it was quite rare, but the first vmss I used
to
>> test
>> >>>> the patch
>> >>>> had two or three, which made my patch break when i first tested
it
>> on
>> >>>> other
>> >>>> VMs.
>> >>>> I could try to pinpoint it, but i guess it would be easier for
me to
>> >>>> reverse
>> >>>> the vmware code than try it manually :)
>> >>>> A thing to note is that that vmss also had two virtual CPUs,
which
>> might
>> >>>> have
>> >>>> caused having more than one region. it also had ~4G of RAM. most
of
>> the
>> >>>> other
>> >>>> VMs i used only had about 512M.
>> >>>> did you try to run it on other vmss files that resemble the one
i
>> >>>> described?
>> >>>
>> >>>
>> >>> Interesting. I have never seen a vmss with multiple regions. If
you
>> >>> happen to come across one again, please let me know. I'd be
>> interested in
>> >>> what conditions or what product leads to more than one region.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> AW
>> >>
>> >>
>> >> >> >>
> --
>> > Jesse Bowling
>> >> >> >>
> _______________________________________________
>> > Vol-users mailing list
>> > Vol-users(a)volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
>>
self.addrspace.is_valid_address(0xfffffa8004a86a08L)
True
>> self.addrspace.vtop(0xfffffa8004a86a08L)
5354580488L
>> dd(0xfffffa8004a86a08L)
Memory
unreadable at fffffa8004a86a08
So the AS thinks the virtual address is valid and is able to vtop, but
then when you try to read (dd command) it fails. The first thing that
catches my eye is the physical address is reportedly 5354580488L, which is
much larger than the size of the file we have:
$ ls -al Win2008SP1x64-9de64630.vmss
-rw-r--r--@ 1 Michael staff 4300360567 Jul 6 16:01
/Users/Michael/Downloads/Win2008SP1x64-9de64630.vmss
This is the same thing we saw recently in the issue "vtop and 5GB 64bit
memory dump problem" [1]. That too was an issue of vmware memory files (a
vmem in this case unless Sebastien changed the extension). Same symptom,
but with the AMD64 AS - it reported vtop as being a physical address much
bigger than the file.
We're still looking into it some things, and although your AS could use a
little work to conform its style with the other AS's, I'm not sure its the
cause of the problem we're seeing here (unless the AMD64 AS has the same
problem).
Stay tuned.... ;-)
MHL
[1]. http://code.google.com/p/volatility/issues/detail?id=272
On Fri, Jul 6, 2012 at 5:58 PM, nir izraeli <nirizr(a)gmail.com> wrote:
> hi Michael,
> would you mind to also post your comments at the tracking system?
> it'll be a lot easier for me to keep track of it. hoping I'm not stepping
> on your tows.
>
> about the zread() - i didn't implement it, I got confused with a few old
> AS classes that had unnecessary methods and probably also removed the
> zread() by mistake.
>
> I hope to fix these in a couple of days and resubmit an updated version.
>
> the only issue i have trouble with is the conversion to the internal
> object system.
> I tried using it a couple of times but had trouble with it.
> it would also duplicate efforts for writing modifications to the vmss
> parsing code.
> since it does seem to be easy to write structures using Volatility's
> framework,
> would you mind taking care of it yourselves?
> I could add a textual documentation if you'd rather, since i'll write one
> anyway.
> although if it's important i could give it another try...
>
> Thanks,
> Nir
>
>
> On Fri, Jul 6, 2012 at 11:49 PM, Michael Cohen <scudette(a)gmail.com>wrote:
>
>> It looks to me like the address space is not implementing zread()
>> properly (or at all). Can you please make sure that you are
>> implementing zread() in such a way that when you read outside a valid
>> or mapped region you will receive a null padded buffer rather than
>> None?
>>
>> Some more comments about the address space VMWareSnapshotFile:
>> - Please do not use inner classes. There is no need to have a class
>> defined in such a way - just place the class at the module level.
>> - Minor style issues - long lines should be wrapped at 80 chars,
>> commented out lines should be removed.
>> - Do no use double underscore member variable names (they mean
>> something specific e.g. self.__hasseek).
>> - It would also be nicer if we used the volatility object system
>> rather than struct module directly for parsing these things - it would
>> make the file formats more readable and simplify the code a lot.
>>
>> Thanks
>> Michael.
>>
>> On 6 July 2012 16:03, Jesse Bowling <jessebowling(a)gmail.com> wrote:
>> > Disclaimer:
>>
9:43 p.m.
Hey Nir,
On Fri, Jul 6, 2012 at 7:22 PM, nir izraeli <nirizr(a)gmail.com> wrote:
Michael, if you'll load the vmss AS with the -d
flag it'll print the
regions specified in the vmss file.
That was done, you should have seen it in my last email. It was:
$ python vol.py -d -f Win2008SP1x64-9de64630.vmss --profile=Win2008SP1x64
pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: Read region count from
file: 2
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 2
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: C0000000
Virtual Address: 100000000, Physical Address: C0000000, Size: 40000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 124000
[snip]
So I've just completed a test by reducing the RAM size of my Win2008SP1x64
system from 4 GB down to 3 GB. This reduced the number of regions to 1 and
allows plugins like pslist to work on the vmss with your AS:
$ python vol.py -d -f Win2008SP1x64-9de64630\ \(1\).vmss
--profile=Win2008SP1x64 pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 1
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: C0000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: a77d3000
[snip]
Offset(V) Name PID PPID Thds Hnds
Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ --------
------ ------ -------------------- --------------------
0xfffffa8002492950 System 4 0 97 440
------ 0 2012-07-07 01:01:26
0xfffffa8002f80320 smss.exe 400 4 4 28
------ 0 2012-07-07 01:01:26
0xfffffa8002ffb8b0 csrss.exe 468 456 10 353
0 0 2012-07-07 01:01:30
0xfffffa8003033900 csrss.exe 512 504 7 77
1 0 2012-07-07 01:01:32
0xfffffa800303bc10 wininit.exe 520 456 3 103
0 0 2012-07-07 01:01:33
0xfffffa8002d8f310 winlogon.exe 548 504 3 101
1 0 2012-07-07 01:01:33
[snip]
Here is the first 0x10000 from my Win2008SP1x64 with 4 GB and Win2008SP1x64
with 3 GB. At this point I still can't say if its related to your patch and
how its mapping the regions. By the way I was also able to test
successfully a Win7 SP1 x64 with 2 GB RAM using your AS, so its not
necessarily a memory model issue (maybe memory model in addition to RAM
size >= 4 GB but at least we know its not isolated to all x64).
Narrowing down the cases, I'm sure we'll figure it out soon...
MHL
it might help you to check if the address really exist
in the file. I
would bet there's more than a single region so the file size is not
indicative.
i'll try running a few checks on my part to make sure it is unrelated to
my patch.
if you wish to investigate it further you could quite easily use the
VMSSParser directly, but you might rather leave it to me :)
I'll also hurry with the zread function so you could make more tests.
hopefully I'll write it tomorrow, since it's 2AM over here and I've
already made some promises I should keep for today :)
help with the object system will be much appreciated.
btw,
a list of the features/methods required of an AS could have been useful,
but i don't how many AS commits you receive so it might be unnecessary.
I won't mind writing one if reviewed properly. an "example" AS could also
do the trick
Cheers,
- Nir
On Sat, Jul 7, 2012 at 2:02 AM, Michael Hale Ligh <michael.hale(a)gmail.com>wrote:
Hey Nir,
We can definitely help out with integrating your code with the object
system. I was just in the process of testing it for the first time this
afternoon.
Here are a few details (I'll copy them to the issue tracker in a sec).
Basically I started with an ESX 4.1.0 and grabbed the following:
* vmsn from xpsp2 x86 256 MB
* vmsn from win7 sp1 x86 512 MB
* vmss from server 2008 sp1 x64 4 GB
Your AS with the latest 2.1 alpha (so about r1983) worked fine for the xp
vmsn. (by fine I mean pslist worked, but other plugins may not work
properly due to what scudette said about zread)
=================================================
VMSN - XPSP3 x86 @ 256 MB RAM
$ python vol.py -d -f Andrew-Snapshot6.vmsn pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 1
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: 10000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 39000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0x10363a890>
Offset(V) Name PID PPID Thds Hnds Sess
Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------
------ -------------------- --------------------
0x81bcc830 System 4 0 52 477 ------
0
0x8194a020 smss.exe 364 4 3 21 ------
0 2012-01-25 20:44:20
0x81954020 csrss.exe 616 364 10 345 0
0 2012-01-25 20:44:20
0x81951128 winlogon.exe 640 364 16 495 0
0 2012-01-25 20:44:20
0x81a897a8 services.exe 684 640 15 272 0
0 2012-01-25 20:44:20
[snip]
It also worked fine for the win7 vmsn:
=================================================
VMSN - Windows 7 SP0 x86 @ 512 MB RAM
$ python vol.py -d -f Abraham-Snapshot2.vmsn --profile=Win7SP0x86 pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 1
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: 20000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 185000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0x102a1a750>
Offset(V) Name PID PPID Thds Hnds Sess
Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------
------ -------------------- --------------------
0x83f2f730 System 4 0 93 494 ------
0 2012-03-15 15:04:12
0x84f32c48 smss.exe 252 4 2 29 ------
0 2012-03-15 15:04:12
0x85708d40 csrss.exe 364 356 9 386 0
0 2012-03-15 15:04:48
0x82050030 wininit.exe 400 356 3 75 0
0 2012-03-15 15:04:48
0x856d9370 csrss.exe 408 392 7 201 1
0 2012-03-15 15:04:48
0x8207f030 services.exe 468 400 8 198 0
0 2012-03-15 15:04:49
0x8208e030 lsass.exe 476 400 8 711 0
0 2012-03-15 15:04:49
[snip]
I then reproduced the same thing Jesse is seeing on the server 2008 x64
w/ 4 GB:
=================================================
VMSS - Server 2008 SP1 x64 @ 4 GB RAM
$ python vol.py -d -f Win2008SP1x64-9de64630.vmss --profile=Win2008SP1x64
pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: Read region count from
file: 2
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 2
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: C0000000
Virtual Address: 100000000, Physical Address: C0000000, Size: 40000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 124000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0x102a1a750>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x1036c91d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.utils : Failed instantiating (exception): unpack
requires a string argument of length 4
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
Offset(V) Name PID PPID Thds Hnds
Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ --------
------ ------ -------------------- --------------------
0xfffffa8003ca8950 System 4 0 104 496
------ 0 2012-03-02 07:16:23
/Users/Michael/volatility_pe_exceptions/volatility/plugins/overlays/windows/windows.py(262)windows_to_unix_time()
-> unix_time = windows_time / 10000000
(Pdb) windows_time
<NoneObject: Unable to read 8 bytes from 18446738026473744904>
You can see the error occurred because windows_time at
0xfffffa8004a86a08L (hex value of the decimal offset above) could not be
fetched from the vmss file. Since it appears the System process is able to
be found, we should be able to break into a volshell (which uses the System
process AS by default) and try some checks:
$ python vol.py -d -f Win2008SP1x64-9de64630.vmss --profile=Win2008SP1x64
volshell
Current context: process System, pid=4, ppid=0 DTB=0x124000
Welcome to volshell! Current memory image is:
file:///Users/Michael/Downloads/Win2008SP1x64-9de64630.vmss
To get help, type 'hh()'
>> > So I took Nir's
files, and dropped them into my plugins folder...I
>> did not
>> > see any new plugins using vol.py -h, and when I tried to do an
>> imageinfo I
>> > got:
>> >> >
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> imageinfo
>> >> > Volatile Systems
Volatility Framework 2.1_alpha
>> > Determining profile based on KDBG search...
>> >> > Traceback (most
recent call last):
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
173,
>> in
>> > <module>
>> > main()
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
164,
>> in
>> > main
>> > command.execute()
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> > func(outfd, data)
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>> > line 34, in render_text
>> > for k, v in data:
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>> > line 44, in calculate
>> > suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>> > line 119, in calculate
>> > for offset in scanner.scan(aspace):
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>> > line 83, in scan
>> > for offset in scan.BaseScanner.scan(self, address_space, offset,
>> > maxlen):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 136, in scan
>> > skip = max(skip, s.skip(data, i))
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> > nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >> > So:
>> >> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> psscan
>> >> > Volatile Systems
Volatility Framework 2.1_alpha
>> > Offset(P) Name PID PPID PDB Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > No suitable address space mapping found
>> > Tried to open image as:
>> > WindowsHiberFileSpace32: No base Address Space
>> > VMWareSnapshotFile: No base Address Space
>> > WindowsCrashDumpSpace32: No base Address Space
>> > AMD64PagedMemory: No base Address Space
>> > JKIA32PagedMemory: No base Address Space
>> > JKIA32PagedMemoryPae: No base Address Space
>> > IA32PagedMemoryPae: Module disabled
>> > IA32PagedMemory: Module disabled
>> > WindowsHiberFileSpace32: No xpress signature found
>> > WindowsHiberFileSpace32: No xpress signature found
>> > VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>> > WindowsCrashDumpSpace32: Header signature invalid
>> > AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
>> > JKIA32PagedMemory: Failed valid Address Space check
>> > JKIA32PagedMemoryPae: Failed valid Address Space check
>> > IA32PagedMemoryPae: Module disabled
>> > IA32PagedMemory: Module disabled
>> > FileAddressSpace: Must be first Address Space
>> >> > At least it
doesn't crash. So now:
>> >> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> > --profile=Win2008R2SP1x64 psscan
>> >> > Volatile Systems
Volatility Framework 2.1_alpha
>> > Offset(P) Name PID PPID PDB Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > Traceback (most recent call last):
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
173,
>> in
>> > <module>
>> > main()
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
164,
>> in
>> > main
>> > command.execute()
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> > func(outfd, data)
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 415, in render_text
>> > for eprocess in data:
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 405, in calculate
>> > for offset in PoolScanProcess().scan(address_space):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 218, in scan
>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 136, in scan
>> > skip = max(skip, s.skip(data, i))
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> > nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> > --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
>> >> > Volatile Systems
Volatility Framework 2.1_alpha
>> > Offset(P) Name PID PPID PDB Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > Traceback (most recent call last):
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
173,
>> in
>> > <module>
>> > main()
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
164,
>> in
>> > main
>> > command.execute()
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> > func(outfd, data)
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 415, in render_text
>> > for eprocess in data:
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 405, in calculate
>> > for offset in PoolScanProcess().scan(address_space):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 218, in scan
>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 136, in scan
>> > skip = max(skip, s.skip(data, i))
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> > nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >> > I have limited
testing time the next couple weeks, so will look to
>> see if I
>> > can share this with someone like SA in the meantime...
>> >> > Cheers,
>> >> > Jesse
>> >> >> > On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli
<nirizr(a)gmail.com> wrote:
>> >>
>> >> I assume you need it for something other than test my patch,
>> >> I can send parts of the vmss of the machine I already noticed more
>> than
>> >> one region.
>> >> could you use that to gather the info you need?
>> >>
>> >> btw, I'm also using vmware converter standalone pretty often, it
>> might
>> >> also be related
>> >>
>> >>
>> >> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters
<awalters(a)4tphi.net>
>> wrote:
>> >>>
>> >>>
>> >>> Nir,
>> >>>
>> >>>
>> >>>> AAron - actually it was quite rare, but the first vmss I used
to
>> test
>> >>>> the patch
>> >>>> had two or three, which made my patch break when i first tested
it
>> on
>> >>>> other
>> >>>> VMs.
>> >>>> I could try to pinpoint it, but i guess it would be easier for
me
>> to
>> >>>> reverse
>> >>>> the vmware code than try it manually :)
>> >>>> A thing to note is that that vmss also had two virtual CPUs,
which
>> might
>> >>>> have
>> >>>> caused having more than one region. it also had ~4G of RAM.
most
>> of the
>> >>>> other
>> >>>> VMs i used only had about 512M.
>> >>>> did you try to run it on other vmss files that resemble the one
i
>> >>>> described?
>> >>>
>> >>>
>> >>> Interesting. I have never seen a vmss with multiple regions. If
you
>> >>> happen to come across one again, please let me know. I'd be
>> interested in
>> >>> what conditions or what product leads to more than one region.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> AW
>> >>
>> >>
>> >> >> >>
> --
>> > Jesse Bowling
>> >> >> >>
> _______________________________________________
>> > Vol-users mailing list
>> > Vol-users(a)volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
>>
self.addrspace.is_valid_address(0xfffffa8004a86a08L)
True
>> self.addrspace.vtop(0xfffffa8004a86a08L)
5354580488L
>> dd(0xfffffa8004a86a08L)
Memory
unreadable at fffffa8004a86a08
So the AS thinks the virtual address is valid and is able to vtop, but
then when you try to read (dd command) it fails. The first thing that
catches my eye is the physical address is reportedly 5354580488L, which is
much larger than the size of the file we have:
$ ls -al Win2008SP1x64-9de64630.vmss
-rw-r--r--@ 1 Michael staff 4300360567 Jul 6 16:01
/Users/Michael/Downloads/Win2008SP1x64-9de64630.vmss
This is the same thing we saw recently in the issue "vtop and 5GB 64bit
memory dump problem" [1]. That too was an issue of vmware memory files (a
vmem in this case unless Sebastien changed the extension). Same symptom,
but with the AMD64 AS - it reported vtop as being a physical address much
bigger than the file.
We're still looking into it some things, and although your AS could use a
little work to conform its style with the other AS's, I'm not sure its the
cause of the problem we're seeing here (unless the AMD64 AS has the same
problem).
Stay tuned.... ;-)
MHL
[1]. http://code.google.com/p/volatility/issues/detail?id=272
On Fri, Jul 6, 2012 at 5:58 PM, nir izraeli <nirizr(a)gmail.com> wrote:
> hi Michael,
> would you mind to also post your comments at the tracking system?
> it'll be a lot easier for me to keep track of it. hoping I'm not
> stepping on your tows.
>
> about the zread() - i didn't implement it, I got confused with a few old
> AS classes that had unnecessary methods and probably also removed the
> zread() by mistake.
>
> I hope to fix these in a couple of days and resubmit an updated version.
>
> the only issue i have trouble with is the conversion to the internal
> object system.
> I tried using it a couple of times but had trouble with it.
> it would also duplicate efforts for writing modifications to the vmss
> parsing code.
> since it does seem to be easy to write structures using Volatility's
> framework,
> would you mind taking care of it yourselves?
> I could add a textual documentation if you'd rather, since i'll write
> one anyway.
> although if it's important i could give it another try...
>
> Thanks,
> Nir
>
>
> On Fri, Jul 6, 2012 at 11:49 PM, Michael Cohen <scudette(a)gmail.com>wrote:
>
>> It looks to me like the address space is not implementing zread()
>> properly (or at all). Can you please make sure that you are
>> implementing zread() in such a way that when you read outside a valid
>> or mapped region you will receive a null padded buffer rather than
>> None?
>>
>> Some more comments about the address space VMWareSnapshotFile:
>> - Please do not use inner classes. There is no need to have a class
>> defined in such a way - just place the class at the module level.
>> - Minor style issues - long lines should be wrapped at 80 chars,
>> commented out lines should be removed.
>> - Do no use double underscore member variable names (they mean
>> something specific e.g. self.__hasseek).
>> - It would also be nicer if we used the volatility object system
>> rather than struct module directly for parsing these things - it would
>> make the file formats more readable and simplify the code a lot.
>>
>> Thanks
>> Michael.
>>
>> On 6 July 2012 16:03, Jesse Bowling <jessebowling(a)gmail.com> wrote:
>> > Disclaimer:
>>
6:07 p.m.
Hey MHL,
No I did not changed the extension of my vmem: my memory dump was made with
VmWare Workstation 7.
I just posted the results of my tests on google code (
http://code.google.com/p/volatility/issues/detail?id=272) and your problem
with Windows 2008 vmss seems to be similar to mine.
The problem is related to the memory acquisition process and not to
Volatility. Vmem/vmss larger than ?4GB? (not sure about the limit) doesn't
contains the full physical address space with devices memory. Volatility
can analyze those memory dump but devices memory space need to be filled.
I order to analyzed those dump, a plugin could be created to convert
vmem/vmss/hardware memory dump.
I know the information about the physical address space is in
HKLM\HARDWARE\RESOURCEMAP\System Resources\Physical Memory\.translated
The HARDWARE key is volatile, so it's somewhere in the memory dump. If the
plugin can look for that registry value (this can be difficult because vtop
doesn't work at that stage), the plugin would be able to "recreate" the
physical address space.
Sorry if I'm just throwing ideas for a new plugin, but unfortunately my
plate is full and I don't have the time to do it ;)
Sebastien
On Fri, Jul 6, 2012 at 7:02 PM, Michael Hale Ligh <michael.hale(a)gmail.com>wrote:
Hey Nir,
We can definitely help out with integrating your code with the object
system. I was just in the process of testing it for the first time this
afternoon.
Here are a few details (I'll copy them to the issue tracker in a sec).
Basically I started with an ESX 4.1.0 and grabbed the following:
* vmsn from xpsp2 x86 256 MB
* vmsn from win7 sp1 x86 512 MB
* vmss from server 2008 sp1 x64 4 GB
Your AS with the latest 2.1 alpha (so about r1983) worked fine for the xp
vmsn. (by fine I mean pslist worked, but other plugins may not work
properly due to what scudette said about zread)
=================================================
VMSN - XPSP3 x86 @ 256 MB RAM
$ python vol.py -d -f Andrew-Snapshot6.vmsn pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 1
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: 10000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 39000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0x10363a890>
Offset(V) Name PID PPID Thds Hnds Sess
Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------
------ -------------------- --------------------
0x81bcc830 System 4 0 52 477 ------
0
0x8194a020 smss.exe 364 4 3 21 ------
0 2012-01-25 20:44:20
0x81954020 csrss.exe 616 364 10 345 0
0 2012-01-25 20:44:20
0x81951128 winlogon.exe 640 364 16 495 0
0 2012-01-25 20:44:20
0x81a897a8 services.exe 684 640 15 272 0
0 2012-01-25 20:44:20
[snip]
It also worked fine for the win7 vmsn:
=================================================
VMSN - Windows 7 SP0 x86 @ 512 MB RAM
$ python vol.py -d -f Abraham-Snapshot2.vmsn --profile=Win7SP0x86 pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 1
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: 20000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 185000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0x102a1a750>
Offset(V) Name PID PPID Thds Hnds Sess
Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------
------ -------------------- --------------------
0x83f2f730 System 4 0 93 494 ------
0 2012-03-15 15:04:12
0x84f32c48 smss.exe 252 4 2 29 ------
0 2012-03-15 15:04:12
0x85708d40 csrss.exe 364 356 9 386 0
0 2012-03-15 15:04:48
0x82050030 wininit.exe 400 356 3 75 0
0 2012-03-15 15:04:48
0x856d9370 csrss.exe 408 392 7 201 1
0 2012-03-15 15:04:48
0x8207f030 services.exe 468 400 8 198 0
0 2012-03-15 15:04:49
0x8208e030 lsass.exe 476 400 8 711 0
0 2012-03-15 15:04:49
[snip]
I then reproduced the same thing Jesse is seeing on the server 2008 x64 w/
4 GB:
=================================================
VMSS - Server 2008 SP1 x64 @ 4 GB RAM
$ python vol.py -d -f Win2008SP1x64-9de64630.vmss --profile=Win2008SP1x64
pslist
Volatile Systems Volatility Framework 2.1_alpha
[snip]
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.plugins.addrspaces.vmware: Read region count from
file: 2
DEBUG : volatility.plugins.addrspaces.vmware: RegionCount: 2
DEBUG : volatility.plugins.addrspaces.vmware: Virtual Address:
0, Physical Address: 0, Size: C0000000
Virtual Address: 100000000, Physical Address: C0000000, Size: 40000000
DEBUG : volatility.plugins.addrspaces.vmware: dtb: 124000
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.vmware.VMWareSnapshotFile object at
0x102a1a750>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Succeeded instantiating
<volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x1036c91d0>
DEBUG : volatility.utils : Voting round
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG : volatility.utils : Failed instantiating (exception): unpack
requires a string argument of length 4
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG : volatility.utils : Trying <class
'volatility.plugins.addrspaces.standard.FileAddressSpace'>
Offset(V) Name PID PPID Thds Hnds
Sess Wow64 Start Exit
------------------ -------------------- ------ ------ ------ --------
------ ------ -------------------- --------------------
0xfffffa8003ca8950 System 4 0 104 496
------ 0 2012-03-02 07:16:23
/Users/Michael/volatility_pe_exceptions/volatility/plugins/overlays/windows/windows.py(262)windows_to_unix_time()
-> unix_time = windows_time / 10000000
(Pdb) windows_time
<NoneObject: Unable to read 8 bytes from 18446738026473744904>
You can see the error occurred because windows_time at 0xfffffa8004a86a08L
(hex value of the decimal offset above) could not be fetched from the vmss
file. Since it appears the System process is able to be found, we should be
able to break into a volshell (which uses the System process AS by default)
and try some checks:
$ python vol.py -d -f Win2008SP1x64-9de64630.vmss --profile=Win2008SP1x64
volshell
Current context: process System, pid=4, ppid=0 DTB=0x124000
Welcome to volshell! Current memory image is:
file:///Users/Michael/Downloads/Win2008SP1x64-9de64630.vmss
To get help, type 'hh()'
>> > So I took Nir's
files, and dropped them into my plugins folder...I did
>> not
>> > see any new plugins using vol.py -h, and when I tried to do an
>> imageinfo I
>> > got:
>> >> >
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> imageinfo
>> >> > Volatile Systems
Volatility Framework 2.1_alpha
>> > Determining profile based on KDBG search...
>> >> > Traceback (most
recent call last):
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
173,
>> in
>> > <module>
>> > main()
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
164,
>> in
>> > main
>> > command.execute()
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> > func(outfd, data)
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>> > line 34, in render_text
>> > for k, v in data:
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/imageinfo.py",
>> > line 44, in calculate
>> > suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>> > line 119, in calculate
>> > for offset in scanner.scan(aspace):
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/kdbgscan.py",
>> > line 83, in scan
>> > for offset in scan.BaseScanner.scan(self, address_space, offset,
>> > maxlen):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 136, in scan
>> > skip = max(skip, s.skip(data, i))
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> > nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >> > So:
>> >> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> psscan
>> >> > Volatile Systems
Volatility Framework 2.1_alpha
>> > Offset(P) Name PID PPID PDB Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > No suitable address space mapping found
>> > Tried to open image as:
>> > WindowsHiberFileSpace32: No base Address Space
>> > VMWareSnapshotFile: No base Address Space
>> > WindowsCrashDumpSpace32: No base Address Space
>> > AMD64PagedMemory: No base Address Space
>> > JKIA32PagedMemory: No base Address Space
>> > JKIA32PagedMemoryPae: No base Address Space
>> > IA32PagedMemoryPae: Module disabled
>> > IA32PagedMemory: Module disabled
>> > WindowsHiberFileSpace32: No xpress signature found
>> > WindowsHiberFileSpace32: No xpress signature found
>> > VMWareSnapshotFile: ('Header signature invalid', 4026597203)
>> > WindowsCrashDumpSpace32: Header signature invalid
>> > AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
>> > JKIA32PagedMemory: Failed valid Address Space check
>> > JKIA32PagedMemoryPae: Failed valid Address Space check
>> > IA32PagedMemoryPae: Module disabled
>> > IA32PagedMemory: Module disabled
>> > FileAddressSpace: Must be first Address Space
>> >> > At least it
doesn't crash. So now:
>> >> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> > --profile=Win2008R2SP1x64 psscan
>> >> > Volatile Systems
Volatility Framework 2.1_alpha
>> > Offset(P) Name PID PPID PDB Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > Traceback (most recent call last):
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
173,
>> in
>> > <module>
>> > main()
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
164,
>> in
>> > main
>> > command.execute()
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> > func(outfd, data)
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 415, in render_text
>> > for eprocess in data:
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 405, in calculate
>> > for offset in PoolScanProcess().scan(address_space):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 218, in scan
>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 136, in scan
>> > skip = max(skip, s.skip(data, i))
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> > nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >> > #
/usr/local/src/volatility-read-only-may-01/vol.py -f myimage.vmss
>> > --profile=Win2008R2SP1x64 --dtb=0x187000 psscan
>> >> > Volatile Systems
Volatility Framework 2.1_alpha
>> > Offset(P) Name PID PPID PDB Time created
>> > Time exited
>> > ---------- ---------------- ------ ------ ----------
>> > ------------------------ ------------------------
>> > Traceback (most recent call last):
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
173,
>> in
>> > <module>
>> > main()
>> > File "/usr/local/src/volatility-read-only-may-01/vol.py", line
164,
>> in
>> > main
>> > command.execute()
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/commands.py",
>> > line 101, in execute
>> > func(outfd, data)
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 415, in render_text
>> > for eprocess in data:
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/filescan.py",
>> > line 405, in calculate
>> > for offset in PoolScanProcess().scan(address_space):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 218, in scan
>> > for i in BaseScanner.scan(self, address_space, offset, maxlen):
>> > File
>> "/usr/local/src/volatility-read-only-may-01/volatility/scan.py", line
>> > 136, in scan
>> > skip = max(skip, s.skip(data, i))
>> > File
>> >>
"/usr/local/src/volatility-read-only-may-01/volatility/plugins/common.py",
>> > line 49, in skip
>> > nextval = data.index(self.tag, offset + 1)
>> > AttributeError: 'NoneType' object has no attribute 'index'
>> >> > I have limited
testing time the next couple weeks, so will look to see
>> if I
>> > can share this with someone like SA in the meantime...
>> >> > Cheers,
>> >> > Jesse
>> >> >> > On Fri, Jul 6, 2012 at 7:21 AM, nir izraeli
<nirizr(a)gmail.com> wrote:
>> >>
>> >> I assume you need it for something other than test my patch,
>> >> I can send parts of the vmss of the machine I already noticed more
>> than
>> >> one region.
>> >> could you use that to gather the info you need?
>> >>
>> >> btw, I'm also using vmware converter standalone pretty often, it
might
>> >> also be related
>> >>
>> >>
>> >> On Fri, Jul 6, 2012 at 5:31 AM, AAron Walters
<awalters(a)4tphi.net>
>> wrote:
>> >>>
>> >>>
>> >>> Nir,
>> >>>
>> >>>
>> >>>> AAron - actually it was quite rare, but the first vmss I used
to
>> test
>> >>>> the patch
>> >>>> had two or three, which made my patch break when i first tested
it
>> on
>> >>>> other
>> >>>> VMs.
>> >>>> I could try to pinpoint it, but i guess it would be easier for
me to
>> >>>> reverse
>> >>>> the vmware code than try it manually :)
>> >>>> A thing to note is that that vmss also had two virtual CPUs,
which
>> might
>> >>>> have
>> >>>> caused having more than one region. it also had ~4G of RAM. most
of
>> the
>> >>>> other
>> >>>> VMs i used only had about 512M.
>> >>>> did you try to run it on other vmss files that resemble the one
i
>> >>>> described?
>> >>>
>> >>>
>> >>> Interesting. I have never seen a vmss with multiple regions. If
you
>> >>> happen to come across one again, please let me know. I'd be
>> interested in
>> >>> what conditions or what product leads to more than one region.
>> >>>
>> >>> Thanks,
>> >>>
>> >>> AW
>> >>
>> >>
>> >> >> >>
> --
>> > Jesse Bowling
>> >> >> >>
> _______________________________________________
>> > Vol-users mailing list
>> > Vol-users(a)volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >>
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
self.addrspace.is_valid_address(0xfffffa8004a86a08L)
True
>> self.addrspace.vtop(0xfffffa8004a86a08L)
5354580488L
>> dd(0xfffffa8004a86a08L)
Memory
unreadable at fffffa8004a86a08
So the AS thinks the virtual address is valid and is able to vtop, but
then when you try to read (dd command) it fails. The first thing that
catches my eye is the physical address is reportedly 5354580488L, which is
much larger than the size of the file we have:
$ ls -al Win2008SP1x64-9de64630.vmss
-rw-r--r--@ 1 Michael staff 4300360567 Jul 6 16:01
/Users/Michael/Downloads/Win2008SP1x64-9de64630.vmss
This is the same thing we saw recently in the issue "vtop and 5GB 64bit
memory dump problem" [1]. That too was an issue of vmware memory files (a
vmem in this case unless Sebastien changed the extension). Same symptom,
but with the AMD64 AS - it reported vtop as being a physical address much
bigger than the file.
We're still looking into it some things, and although your AS could use a
little work to conform its style with the other AS's, I'm not sure its the
cause of the problem we're seeing here (unless the AMD64 AS has the same
problem).
Stay tuned.... ;-)
MHL
[1]. http://code.google.com/p/volatility/issues/detail?id=272
On Fri, Jul 6, 2012 at 5:58 PM, nir izraeli <nirizr(a)gmail.com> wrote:
> hi Michael,
> would you mind to also post your comments at the tracking system?
> it'll be a lot easier for me to keep track of it. hoping I'm not stepping
> on your tows.
>
> about the zread() - i didn't implement it, I got confused with a few old
> AS classes that had unnecessary methods and probably also removed the
> zread() by mistake.
>
> I hope to fix these in a couple of days and resubmit an updated version.
>
> the only issue i have trouble with is the conversion to the internal
> object system.
> I tried using it a couple of times but had trouble with it.
> it would also duplicate efforts for writing modifications to the vmss
> parsing code.
> since it does seem to be easy to write structures using Volatility's
> framework,
> would you mind taking care of it yourselves?
> I could add a textual documentation if you'd rather, since i'll write one
> anyway.
> although if it's important i could give it another try...
>
> Thanks,
> Nir
>
>
> On Fri, Jul 6, 2012 at 11:49 PM, Michael Cohen <scudette(a)gmail.com>wrote:
>
>> It looks to me like the address space is not implementing zread()
>> properly (or at all). Can you please make sure that you are
>> implementing zread() in such a way that when you read outside a valid
>> or mapped region you will receive a null padded buffer rather than
>> None?
>>
>> Some more comments about the address space VMWareSnapshotFile:
>> - Please do not use inner classes. There is no need to have a class
>> defined in such a way - just place the class at the module level.
>> - Minor style issues - long lines should be wrapped at 80 chars,
>> commented out lines should be removed.
>> - Do no use double underscore member variable names (they mean
>> something specific e.g. self.__hasseek).
>> - It would also be nicer if we used the volatility object system
>> rather than struct module directly for parsing these things - it would
>> make the file formats more readable and simplify the code a lot.
>>
>> Thanks
>> Michael.
>>
>> On 6 July 2012 16:03, Jesse Bowling <jessebowling(a)gmail.com> wrote:
>> > Disclaimer:
>>
4511
days inactive
4518
days old
vol-users@lists.volatilityfoundation.org
49 comments
13 participants
participants (13)
-
AAron Walters -
George M. Garner Jr. -
Jamie Levy -
Jesse Bowling -
Ken Pryor -
Michael Cohen -
Michael Hale Ligh -
Michael Ligh
-
Mike Auty -
Mike Lambert -
nir izraeli -
Sebastien Bourdon-Richard -
Troy Larson (NETSEC)