Dik1s / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Pslist hangs with no result on Win7SP1x64 image(s) #475

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Running pslist against an 8GB Windows 7 x64 image. I've tried images 
acquired obtain via (Winpmem and Dumpit)
2. Using the appropriate profile Win7SP1x64 profile
3. Only field headers are return but process list does not get outputed. I've 
left the plugin run for an hour or so.
4. Same issues are obtained when running psxview.

What version of the product are you using? On what operating system?

I am running Volatility 2.3 on am Ubuntu SANS SIFT workstation image.

Pscan does seem to work so I figure this might be an issue in identifying the 
proper KDBG but not sure how to pass the physical offset of the proper KDBG to 
the pslist plugin.

Any help would be appreciated.

Original issue reported on code.google.com by Maxime.P...@gmail.com on 4 Feb 2014 at 5:44

GoogleCodeExporter commented 8 years ago
Can you run kdbgscan and paste the output? 

Original comment by michael.hale@gmail.com on 5 Feb 2014 at 12:09

GoogleCodeExporter commented 8 years ago
Seems the issue was with the images

- KDBGSCAN seems to hang for all images acquired using Dumpit and Winpmem
- Looking at the memory images using an editor unable to locate ANY valid KDBG 
value.
-  As per issue id=412 image acquired using Windows Memory Reader have valid 
KDBG values and plugins are running as expected.

Looks like I was experiencing a known problem with some acquiry tools in 
dealing with Win7x64 systems.

Apologies for that.

Original comment by Maxime.P...@gmail.com on 5 Feb 2014 at 7:32

GoogleCodeExporter commented 8 years ago

Original comment by michael.hale@gmail.com on 6 Feb 2014 at 4:40