New subject: Volatility never finishes on 8 gig Win7SP1x64

2 Mar 2014

      Hello Aaron and Michael,

This is a machine with a very interesting file corruption case which is most likely
malware. I used moonsol's DumpIt to acquire the image from a Win7 64bit SP1 machine
with 8 gigs of ram.  Here's the output of bin2dmp:

  bin2dmp - 1.0.20100405 - (Professional Edition - Single User Licence)
  Convert raw memory dump images into Microsoft crash dump files.
  Copyright (C) 2007 - 2010, Matthieu Suiche <http://www.msuiche.net>
  Copyright (C) 2009 - 2010, MoonSols <http://www.moonsols.com>
  User ,  ()

Initializing memory descriptors... Done.
Looking for kernel variables... Done.
Loading file... Done.

Rewritting CONTEXT for Windbg...
   -> Context->SegCs at physical address 0x0000000006017F78 modified from 00 in
o 10
   -> Context->SegDs at physical address 0x0000000006017F7A modified from 00 in
o 2b
   -> Context->SegEs at physical address 0x0000000006017F7C modified from 00 in
o 2b
   -> Context->SegFs at physical address 0x0000000006017F7E modified from 00 in
   [0x000000021E600000 of 0x000000021E600000]
   MD5 = 2DF9C04AB34D820ACA56B201B1382A880x0000000006017F80 is already equal to
00
Total time for the conversion: 9 minutes 49 seconds.6017F82 modified from 00 in
o 18

And here I tried loading the dump file in windbg 64

Loading Dump File [C:\ xxxx.dmp]
Kernel Complete Dump File: Full address space is available

Comment: 'Hibernation file converted with MoonSols Memory Toolkit'
Symbol search path is:
C:\windows\symbols;SRV*C:\windows\symbols*http://msdl.microsoft.com/downloa…
Executable search path is: 
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
*** WARNING: Unable to verify timestamp for Unknown_Module_8b4820ec`83485540
*** ERROR: Module load completed but symbols could not be loaded for
Unknown_Module_8b4820ec`83485540
Debugger can not determine kernel base address
Windows 7 Kernel Version 7601 (Service Pack 1) MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7601.18229.amd64fre.win7sp1_gdr.130801-1533
Machine Name:
Kernel base = 0xfffff800`02e1b000 PsLoadedModuleList = 0xfffff800`0305e6d0
Debug session time: Sun Mar  2 21:08:59.275 2014 (UTC + 0:00)
System Uptime: 0 days 7:22:16.509
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
*** WARNING: Unable to verify timestamp for Unknown_Module_8b4820ec`83485540
*** ERROR: Module load completed but symbols could not be loaded for
Unknown_Module_8b4820ec`83485540
Debugger can not determine kernel base address
Loading Kernel Symbols
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
.Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147

Image path too long, possible corrupt data.
Loading unloaded module list
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
..Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
..Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
.Missing image name, possible paged-out or corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.Image path too long, possible corrupt data.
.
WARNING: .reload failed, module list may be incomplete
GetContextState failed, 0xD0000147
CS descriptor lookup failed
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get program counter
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 4D415454, {1, 2, 3, 4}

GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
***** Debugger could not find nt in module list, module list might be corrupt, error
0x80070057.

Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147
WARNING: .reload failed, module list may be incomplete
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
Unable to get current machine context, NTSTATUS 0xC0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147
WARNING: .reload failed, module list may be incomplete
Unable to read NT module Base Name string at c48348ff`ffa3abe8 - NTSTATUS 0xC0000141
Missing image name, possible paged-out or corrupt data.
Unable to read KLDR_DATA_TABLE_ENTRY at 00000140`248c8b48 - NTSTATUS 0xC0000147
WARNING: .reload failed, module list may be incomplete
Probably caused by : Unknown_Image ( ANALYSIS_INCONCLUSIVE )

Followup: MachineOwner
---------

GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147
GetContextState failed, 0xD0000147

-----Original Message-----
From: AAron Walters [mailto:awalters@4tphi.net] 
Sent: 02 March 2014 20:50
To: Smelkovs, Konrads (London)
Cc: Michael Ligh
Subject: RE: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64

Hi Konrads,

Nice to meet you. Thank for joining the mailing list.

Is the machine you are trying to analyze part of an investigation or a test machine?  A
physical machine or a virtual machine?  Does it have any unusual devices connected to it?

If you convert the sample to windbg format using the MoolSols tools, will it load in
windows debugger?

Thanks,

AAron Walters
The Volatility Foundation

On Sun, 2 Mar 2014, Smelkovs, Konrads (London) wrote:

...
  Hi,

 Hangs on both Linux and Windows. I used MoonSol's memory acquisition tools. What
tools would you suggest to use instead?

 -----Original Message-----
 From: Michael Ligh [mailto:michael.ligh@mnin.org]
 Sent: 02 March 2014 16:25
 To: Smelkovs, Konrads (London)
 Cc: vol-users(a)volatilityfoundation.org
 Subject: Re: [Vol-users] Volatility never finishes on 8 gig Win7SP1x64

 Hi Konrads,

 Thanks for the output. At the moment, its looks like the page table is corrupt (based on
the errors trying to read physical addresses in the range 0xf8b4c0575d000, which is way
outside the size of your file). Whether the acquisition tool or Volatility's address
space parser is to blame, I'm not currently sure. Can you answer a few additional
questions, please:

 * Does it also hang on Linux also, or does it complete sometime after printing those
"None object instantiated: Unable to read_long_long_phys" messages?
 * What tool did you acquire memory with? Is it possible to re-acquire in a different
format, such as a Windows crash dump?

 Thanks,
 Michael

 This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit plc,
KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company
under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited
(together, "KPMG").  ELLP does not provide services to clients and none of its
subsidiaries has authority to bind it.
 This email, and any attachments, is confidential and may be privileged or otherwise
protected from disclosure. It is intended solely for the stated addressee(s) and access to
it by any other person is unauthorised. If you are not the intended recipient, you must
not disclose, copy, circulate or in any other way use or rely on the information contained
herein. If you have received this email in error, please inform us immediately and delete
all copies of it.
 Any communications made with KPMG may be monitored and a record may be kept of any
communication.
 Any opinion or advice contained herein is subject to the terms and conditions set out in
your KPMG LLP client engagement letter.
 A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered
office.
 KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited
liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered
no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited
(registered no. 03580549) are companies registered in England and Wales. Each entity's
registered office is at 15 Canada Square, London, E14 5GL.
 This email has been sent by and on behalf of one or more of KPMG LLP, KPMG Audit
plc, KPMG Europe LLP ("ELLP"), KPMG Resource Centre Private Limited or a company
under the control of KPMG LLP, including KPMG United Kingdom plc and KPMG UK Limited
(together, "KPMG").  ELLP does not provide services to clients and none of its
subsidiaries has authority to bind it.
This email, and any attachments, is confidential and may be privileged or otherwise
protected from disclosure. It is intended solely for the stated addressee(s) and access to
it by any other person is unauthorised. If you are not the intended recipient, you must
not disclose, copy, circulate or in any other way use or rely on the information contained
herein. If you have received this email in error, please inform us immediately and delete
all copies of it. 
Any communications made with KPMG may be monitored and a record may be kept of any
communication. 
Any opinion or advice contained herein is subject to the terms and conditions set out in
your KPMG LLP client engagement letter.
A list of members of KPMG LLP and ELLP is open for inspection at KPMG's registered
office.
KPMG LLP (registered no. OC301540) and ELLP (registered no. OC324045) are limited
liability partnerships registered in England and Wales. Each of KPMG Audit plc (registered
no. 03110745), KPMG United Kingdom plc (registered no. 03513178) and KPMG UK Limited
(registered no. 03580549) are companies registered in England and Wales. Each entity's
registered office is at 15 Canada Square, London, E14 5GL.