search

Thrown / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Win7 64bit hivelist addresses #393

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
What steps will reproduce the problem?
1. I made Memory image using Dumpit (5GB.raw file as output)
2. command "imageinfo" on image .
3. command "hivelist" on image with profile Win7Sp1x64.
4. command "hashdump" on SYSTEM and SAM Virtual addresses .

What is the expected output? What do you see instead?
Windows password hashes, instead i see EMPTY hash.txt file...
But i'think "hivelist" addresses are weird, but maybe i'm wrong.?

image info:

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (C:\Users\utente\Desktop\SAM\v
ol\UTENTE-PC-20130327-134049.raw)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf8000344a0a0L
          Number of Processors : 3
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff8000344bd00L
                KPCR for CPU 1 : 0xfffff880009e9000L
                KPCR for CPU 2 : 0xfffff88003163000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2013-03-27 13:40:51 UTC+0000
     Image local date and time : 2013-03-27 14:40:51 +0100

hive list:

Virtual            Physical           Name
------------------ ------------------ ----
0xfffff8a00000f010 0x00000000a7aef010 [no name]
0xfffff8a000024010 0x00000000a7ad2010 \REGISTRY\MACHINE\SYSTEM
0xfffff8a00006b010 0x00000000a4db1010 \REGISTRY\MACHINE\HARDWARE
0xfffff8a000e52010 0x0000000070ca2010 \SystemRoot\System32\Config\SOFTWARE
0xfffff8a001197010 0x0000000060b8d010 \SystemRoot\System32\Config\SAM
0xfffff8a00139b010 0x00000000601b6010 \SystemRoot\System32\Config\SECURITY
0xfffff8a001435010 0x0000000059bc1010 \??\C:\Windows\ServiceProfiles\LocalServic
e\NTUSER.DAT
0xfffff8a0014c5010 0x0000000058a0a010 \??\C:\Windows\ServiceProfiles\NetworkServ
ice\NTUSER.DAT
0xfffff8a00257c010 0x0000000010c0e010 \??\C:\Users\utente\ntuser.dat
0xfffff8a003408010 0x0000000010689010 \??\C:\Users\utente\AppData\Local\Microsof
t\Windows\UsrClass.dat
0xfffff8a003f6b410 0x0000000009556410 \??\C:\System Volume Information\Syscache.
hve
0xfffff8a006c88010 0x0000000062922010 \SystemRoot\System32\Config\DEFAULT
0xfffff8a0081cb010 0x0000000001c6d010 \Device\HarddiskVolume1\Boot\BCD

What version of the product are you using? On what operating system?
Volatility 2.3 alpha (beacause 2.1/2 standalone versions return wrong profile 
with "imageinfo". I've Win 7 Home premium 64bit SP1 4GB RAM)

Please provide any additional information below.
dump.raw 4,75 GB (5.100.273.664 byte)
Volatile Systems Volatility Framework 2.3_alpha

Thanks, any help is appreciated, sorry for my awful english but it isn't my 
first language.

Original issue reported on code.google.com by venditto...@gmail.com on 27 Mar 2013 at 2:57

GoogleCodeExporter commented 8 years ago 
Hi Venditto, the hivelist addresses look OK to me. However, hashdump is a 
plugin that we know doesn't work on x64 at the moment. We have an open issue 
(see Issue #92) already so I'll merge your comments into that issue to keep 
track of everything together. Sadly, we may not get around to fixing hashdump 
for x64 until after the 2.3 release, but if we do, I'll make sure someone lets 
you know.

Original comment by michael.hale@gmail.com on 27 Mar 2013 at 4:55

GoogleCodeExporter commented 8 years ago 
Thank you very much, i'll follow issue #92 thread waiting for 2.3 release.

Thanks again.

Original comment by venditto...@gmail.com on 28 Mar 2013 at 10:12