ECToo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Volatility 2.3.1 with the win2k3 profiles #466

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. You cannot read a memory dump if you use volatility 2.3.x with
windows2003x86 profiles, but it works on volatility 2.2

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?
Volatility 2.3.1 on any systems.

Please provide any additional information below.

vol.py -f memdump.mem --profile=Win2003SP2x86 pslist
Volatility Foundation Volatility Framework 2.3
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x8bd76408                           0      0      0 -------- ------      0

Thank you

Original issue reported on code.google.com by teck...@gmail.com on 27 Nov 2013 at 5:22

GoogleCodeExporter commented 9 years ago
So you get a valid pslist output when you use 2.2, but not when you use 2.3 
with the same commandline?  Can you run kdbgscan with the correct profile and 
paste the output here please?  I just want to check something.

Original comment by jamie.l...@gmail.com on 27 Nov 2013 at 10:59

GoogleCodeExporter commented 9 years ago
Yes, not only pslist; you will find the requested output below:

vol.py -f memdump.mem --profile=Win2003SP2x86 kdbgscan

Volatility Foundation Volatility Framework 2.3
**************************************************
Instantiating KDBG using: Kernel AS Win2003SP2x86 (5.2.3791 32bit)
Offset (V)                    : 0x808943e0
Offset (P)                    : 0x8943e0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2003SP1x86
Version64                     : 0x808943b8 (Major: 15, Minor: 3790)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 3790.srv03_sp2_gdr.100216-1301
PsActiveProcessHead           : 0x808ad0c8 (1 processes)
PsLoadedModuleList            : 0x808a6ea8 (1 modules)
KernelBase                    : 0x80800000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 2
KPCR                          : 0xffdff000 (CPU 0)
KPCR                          : 0xf773f000 (CPU 1)
KPCR                          : 0xf7747000 (CPU 2)
KPCR                          : 0xf774f000 (CPU 3)
KPCR                          : 0xf7757000 (CPU 4)
KPCR                          : 0xf775f000 (CPU 5)
KPCR                          : 0xf7767000 (CPU 6)
KPCR                          : 0xf776f000 (CPU 7)

**************************************************
Instantiating KDBG using: Kernel AS Win2003SP2x86 (5.2.3791 32bit)
Offset (V)                    : 0x808943e0
Offset (P)                    : 0x8943e0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2003SP2x86
Version64                     : 0x808943b8 (Major: 15, Minor: 3790)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 3790.srv03_sp2_gdr.100216-1301
PsActiveProcessHead           : 0x808ad0c8 (1 processes)
PsLoadedModuleList            : 0x808a6ea8 (1 modules)
KernelBase                    : 0x80800000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 2
KPCR                          : 0xffdff000 (CPU 0)
KPCR                          : 0xf773f000 (CPU 1)
KPCR                          : 0xf7747000 (CPU 2)
KPCR                          : 0xf774f000 (CPU 3)
KPCR                          : 0xf7757000 (CPU 4)
KPCR                          : 0xf775f000 (CPU 5)
KPCR                          : 0xf7767000 (CPU 6)
KPCR                          : 0xf776f000 (CPU 7)

**************************************************
Instantiating KDBG using: Kernel AS Win2003SP2x86 (5.2.3791 32bit)
Offset (V)                    : 0x808943e0
Offset (P)                    : 0x8943e0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2003SP0x86
Version64                     : 0x808943b8 (Major: 15, Minor: 3790)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 3790.srv03_sp2_gdr.100216-1301
PsActiveProcessHead           : 0x808ad0c8 (1 processes)
PsLoadedModuleList            : 0x808a6ea8 (1 modules)
KernelBase                    : 0x80800000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 2
KPCR                          : 0xffdff000 (CPU 0)
KPCR                          : 0xf773f000 (CPU 1)
KPCR                          : 0xf7747000 (CPU 2)
KPCR                          : 0xf774f000 (CPU 3)
KPCR                          : 0xf7757000 (CPU 4)
KPCR                          : 0xf775f000 (CPU 5)
KPCR                          : 0xf7767000 (CPU 6)
KPCR                          : 0xf776f000 (CPU 7)

**************************************************
Instantiating KDBG using: Kernel AS Win2003SP2x86 (5.2.3791 32bit)
Offset (V)                    : 0x81c943e0
Offset (P)                    : 0x8943e0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2003SP1x86
Version64                     : 0x81c943b8 (Major: 15, Minor: 3790)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 3790.srv03_sp2_gdr.100216-1301
PsActiveProcessHead           : 0x808ad0c8 (1 processes)
PsLoadedModuleList            : 0x808a6ea8 (1 modules)
KernelBase                    : 0x80800000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 2
KPCR                          : 0xffdff000 (CPU 0)
KPCR                          : 0xf773f000 (CPU 1)
KPCR                          : 0xf7747000 (CPU 2)
KPCR                          : 0xf774f000 (CPU 3)
KPCR                          : 0xf7757000 (CPU 4)
KPCR                          : 0xf775f000 (CPU 5)
KPCR                          : 0xf7767000 (CPU 6)
KPCR                          : 0xf776f000 (CPU 7)

**************************************************
Instantiating KDBG using: Kernel AS Win2003SP2x86 (5.2.3791 32bit)
Offset (V)                    : 0x81c943e0
Offset (P)                    : 0x8943e0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2003SP2x86
Version64                     : 0x81c943b8 (Major: 15, Minor: 3790)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 3790.srv03_sp2_gdr.100216-1301
PsActiveProcessHead           : 0x808ad0c8 (1 processes)
PsLoadedModuleList            : 0x808a6ea8 (1 modules)
KernelBase                    : 0x80800000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 2
KPCR                          : 0xffdff000 (CPU 0)
KPCR                          : 0xf773f000 (CPU 1)
KPCR                          : 0xf7747000 (CPU 2)
KPCR                          : 0xf774f000 (CPU 3)
KPCR                          : 0xf7757000 (CPU 4)
KPCR                          : 0xf775f000 (CPU 5)
KPCR                          : 0xf7767000 (CPU 6)
KPCR                          : 0xf776f000 (CPU 7)

**************************************************
Instantiating KDBG using: Kernel AS Win2003SP2x86 (5.2.3791 32bit)
Offset (V)                    : 0x81c943e0
Offset (P)                    : 0x8943e0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2003SP0x86
Version64                     : 0x81c943b8 (Major: 15, Minor: 3790)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab)     : 3790.srv03_sp2_gdr.100216-1301
PsActiveProcessHead           : 0x808ad0c8 (1 processes)
PsLoadedModuleList            : 0x808a6ea8 (1 modules)
KernelBase                    : 0x80800000 (Matches MZ: True)
Major (OptionalHeader)        : 5
Minor (OptionalHeader)        : 2
KPCR                          : 0xffdff000 (CPU 0)
KPCR                          : 0xf773f000 (CPU 1)
KPCR                          : 0xf7747000 (CPU 2)
KPCR                          : 0xf774f000 (CPU 3)
KPCR                          : 0xf7757000 (CPU 4)
KPCR                          : 0xf775f000 (CPU 5)
KPCR                          : 0xf7767000 (CPU 6)
KPCR                          : 0xf776f000 (CPU 7)

Original comment by teck...@gmail.com on 28 Nov 2013 at 8:45

GoogleCodeExporter commented 9 years ago
OK, now try this:

vol.py -f memdump.mem --profile=Win2003SP2x86 --kdbg=0x81c943e0 pslist 

let me know if this works

Original comment by jamie.l...@gmail.com on 1 Dec 2013 at 2:43

GoogleCodeExporter commented 9 years ago
oh wait.. that won't work either since it only has one process in the list... 
hrmmm.  Do you get any output if you use psscan instead of pslist?

Original comment by jamie.l...@gmail.com on 1 Dec 2013 at 2:45

GoogleCodeExporter commented 9 years ago
If I use the command psscan, I get all the processes.

Original comment by teck...@gmail.com on 5 Dec 2013 at 10:18
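An added triage script, not part of this thread or of Volatility itself, that parses kdbgscan output like the listing above and flags why a candidate KDBG would leave pslist empty while psscan still finds processes. The embedded sample is constructed from two of the blocks above, reduced to the fields the checks use; the field names are the ones kdbgscan prints.

```python
import re
# Constructed sample: two kdbgscan candidate blocks from the thread above,
# trimmed to the fields the triage below looks at (real output has more lines).
SAMPLE_KDBGSCAN = """\
**************************************************
Offset (V)                    : 0x808943e0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2003SP2x86
PsActiveProcessHead           : 0x808ad0c8 (1 processes)
KernelBase                    : 0x80800000 (Matches MZ: True)

**************************************************
Offset (V)                    : 0x81c943e0
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2003SP1x86
PsActiveProcessHead           : 0x808ad0c8 (1 processes)
KernelBase                    : 0x80800000 (Matches MZ: True)
"""

FIELD_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.+?)\s*$")
COUNT_RE = re.compile(r"\((\d+) processes\)")

def parse_kdbgscan(text):
    """One {field: value} dict per candidate KDBG block (blocks are separated by a line of '*')."""
    blocks = []
    for chunk in re.split(r"^\*+\s*$", text, flags=re.M):
        fields = dict(m.groups() for m in map(FIELD_RE.match, chunk.splitlines()) if m)
        if "Offset (V)" in fields:      # skip empty chunks around separators
            blocks.append(fields)
    return blocks

def triage(blocks, requested_profile):
    """Return [(offset_v, findings)]; empty findings means a clean KDBG for --profile/--kdbg and pslist."""
    results = []
    for b in blocks:
        findings = []
        if b.get("KDBG owner tag check") != "True":
            findings.append("owner tag check failed")
        suggested = b.get("Profile suggestion (KDBGHeader)")
        if suggested != requested_profile:
            findings.append("header suggests %s, not %s" % (suggested, requested_profile))
        if "Matches MZ: True" not in b.get("KernelBase", ""):
            findings.append("KernelBase does not point at an MZ header")
        m = COUNT_RE.search(b.get("PsActiveProcessHead", ""))
        procs = int(m.group(1)) if m else 0
        if procs < 2:                   # a running system always has more than one process
            findings.append("PsActiveProcessHead yields %d process(es): list walk is broken, use psscan" % procs)
        results.append((b["Offset (V)"], findings))
    return results
```

Run it over the full kdbgscan output from the thread and every candidate is flagged on the process count alone, which is why psscan (pool-tag carving) still works while pslist (list walk from PsActiveProcessHead) shows a single empty entry.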

GoogleCodeExporter commented 9 years ago
@tecko92: just out of curiosity, how big is your Win2003SP2x86 memory image (in
GB)? We should have a fix for it in a few days if it happens to be PAE and over
4 GB.

Original comment by michael.hale@gmail.com on 14 Feb 2014 at 9:33

GoogleCodeExporter commented 9 years ago
Only 1 Gb

Original comment by teck...@gmail.com on 19 Feb 2014 at 12:10

GoogleCodeExporter commented 9 years ago
Hi tecko92, I'm going to close this issue, but I've followed up with you via 
email and we can track down the problem that way. 

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 4:12