ECToo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Execution doesn't come to an end #448

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. MemDump taken with WinDD (MoonSols Windows Memory Toolkit) -> Size ~9GB
2. Tried: volatility.exe -f memdump.dmp --profile=WinSP1x64 imageinfo (and 
later pslist)
3. Execution goes and goes and volatility uses 25% of my quad-core CPU (AMD X4 
965) for at least 1 hour without any result.

What is the expected output? What do you see instead?
1. I see, when using imageinfo, "Determining profile based on KDBG search..." 
but nothing else is happening
2. The same happens when using pslist. I get the table header but no real 
output.

What version of the product are you using? On what operating system?
2.2 Windows Standalone

Please provide any additional information below.
I tried to use AMD AMD64PagedMemory with --plugins. How do I set such an address 
space?

Original issue reported on code.google.com by epoxian...@gmail.com on 22 Sep 2013 at 8:04

GoogleCodeExporter commented 9 years ago
There have been a lot of fixes since the 2.2 standalone was cut.  Please try 
again with the code from svn if you can and let us know if anything changes.

Original comment by jamie.l...@gmail.com on 23 Sep 2013 at 11:43

GoogleCodeExporter commented 9 years ago
It might also be an issue with windd since we've seen this before on issue 401 
(http://code.google.com/p/volatility/issues/detail?id=401) and issue 412 
(http://code.google.com/p/volatility/issues/detail?id=412). You can try to 
acquire memory using a different tool 
(http://www.forensicswiki.org/wiki/Tools:Memory_Imaging#Windows_Software) and 
see if you get a different result.

Original comment by jamie.l...@gmail.com on 23 Sep 2013 at 1:19

GoogleCodeExporter commented 9 years ago
Did you try anything as suggested? 

hrmm I also realized that you didn't supply the correct profile: "WinSP1x64"; is 
it Windows XP, Vista, 2008, 7?  That's why the x64 address space is not 
picking up when you do pslist, which it should do automatically with the 
correct profile.

Original comment by jamie.l...@gmail.com on 25 Sep 2013 at 12:37

GoogleCodeExporter commented 9 years ago
1. It is a memdump of a Win7 64 with installed Service Pack 1.  I'll try to 
get another dump with the suggested tools.

2. I later used volatility on a Kali-LiveCD environment. There, after half an 
hour, I got a correct imageinfo (see below)

3. But here's another strange behavior.
pslist delivers:
(Offset)0x0000fa8006cae9e0 (Name)System (PID)4 (PPID)0 (Thds)119 ... 
and ... nothing

This is the only active process?! Impossible, isn't it?

----------------------------------------
vol imageinfo --profile=Win7SP1x64 -f '/media/Entertainment/memdump.dmp' 
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/media/Entertainment/memdump.dmp)
PAE type : PAE
DTB : 0x187000L
KDBG : 0xf80003a380a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xf80003a39d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2013-09-18 06:29:41 UTC+0000
Image local date and time : 2013-09-18 08:29:41 +0200
----------------------------------------------------------------

Original comment by epoxian...@gmail.com on 27 Sep 2013 at 12:45
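The two points raised in this thread, that "WinSP1x64" is not a real profile name and that the correct profile has to agree with what `imageinfo` suggests, can be checked mechanically before a long run is started. The following Python is an added example written for this page; it is not part of Volatility and not code posted by anyone in the thread. It parses the `imageinfo` output quoted above (embedded here as sample input, copied from the comment) and reports whether a user-supplied `--profile` value is well-formed, appears in the suggested list, and matches the architecture of the detected kernel address space. The list of OS tokens in `PROFILE_RE` is an assumption covering the Windows profiles shipped with Volatility 2.x at the time; extend it for newer profiles.

```python
import re

# Sample imageinfo output, copied from the thread above (Volatility 2.2, Python 2
# prints hex longs with a trailing 'L').
SAMPLE_IMAGEINFO = """\
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
AS Layer1 : AMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/media/Entertainment/memdump.dmp)
PAE type : PAE
DTB : 0x187000L
KDBG : 0xf80003a380a0L
Number of Processors : 1
Image Type (Service Pack) : 1
KPCR for CPU 0 : 0xf80003a39d00L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2013-09-18 06:29:41 UTC+0000
Image local date and time : 2013-09-18 08:29:41 +0200
"""

# Volatility 2 Windows profiles are named <OS>SP<n>x<arch>. The OS token list is an
# assumption (the profiles shipped with 2.x around 2013); add tokens as needed.
PROFILE_RE = re.compile(
    r"^(WinXP|Win2003|Vista|Win2008R2|Win2008|Win7|Win8|Win2012)SP(\d)x(86|64)$"
)


def parse_imageinfo(text):
    """Turn the 'key : value' lines of imageinfo output into a dict.

    Lines without ' : ' (banner, 'Determining profile...') are skipped. Splitting
    on the first ' : ' only keeps timestamps such as '06:29:41' intact.
    """
    info = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        key, value = line.split(" : ", 1)
        info[key.strip()] = value.strip()
    return info


def suggested_profiles(info):
    """Return the comma-separated 'Suggested Profile(s)' entry as a list."""
    raw = info.get("Suggested Profile(s)", "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def parse_hex(value):
    """Parse a Volatility hex value, dropping the Python 2 'L' long suffix."""
    return int(value.rstrip("L"), 16)


def check_profile(profile, info):
    """Return a list of findings for a user-supplied --profile; empty means OK."""
    findings = []
    m = PROFILE_RE.match(profile)
    if not m:
        findings.append(
            "'%s' is not a well-formed Volatility 2 Windows profile name "
            "(expected e.g. Win7SP1x64)" % profile
        )
    suggested = suggested_profiles(info)
    if suggested and profile not in suggested:
        findings.append(
            "'%s' is not among the suggested profiles: %s"
            % (profile, ", ".join(suggested))
        )
    # The kernel address space reported in 'AS Layer1' tells us the real bitness;
    # a 64-bit image should be backed by AMD64PagedMemory.
    layer1 = info.get("AS Layer1", "")
    if m:
        is_64 = m.group(3) == "64"
        if is_64 and not layer1.startswith("AMD64PagedMemory"):
            findings.append("x64 profile but kernel AS is %s" % layer1)
        if not is_64 and layer1.startswith("AMD64PagedMemory"):
            findings.append("x86 profile but kernel AS is AMD64PagedMemory")
    return findings


if __name__ == "__main__":
    info = parse_imageinfo(SAMPLE_IMAGEINFO)
    print("DTB  = 0x%x" % parse_hex(info["DTB"]))
    print("KDBG = 0x%x" % parse_hex(info["KDBG"]))
    for candidate in ("WinSP1x64", "Win7SP1x64"):
        problems = check_profile(candidate, info)
        print("%s: %s" % (candidate, "OK" if not problems else "; ".join(problems)))
```

Run `imageinfo` once, save its output, and feed it to `check_profile` with the profile you intend to pass to `pslist`; a non-empty result means the later plugin run will either pick the wrong address space or fail to find the process list, which is exactly the symptom reported at the top of this thread.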

GoogleCodeExporter commented 9 years ago
ok, I tried another dump made with LiveKd from Microsoft: Works great.

Seems it was a win64dd issue.

Thanks for your help.

Original comment by epoxian...@gmail.com on 5 Oct 2013 at 9:44

GoogleCodeExporter commented 9 years ago
K, thanks, closing out the issue.

Original comment by michael.hale@gmail.com on 7 Oct 2013 at 1:15