TimsterMon / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Unable to parse win2008SP1x64 memory version 2.3 #501

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Running PSSCAN, THRDSCAN, PSXVIEW against memory

What is the expected output? What do you see instead?
Anything... prefer the correct values,

Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- --------
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 EWFAddressSpace: No base address space provided
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 VMWareSnapshotFile: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: No xpress signature found
 EWFAddressSpace: EWF signature not present
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
 VMWareSnapshotFile: Invalid VMware signature: 0x0
 WindowsCrashDumpSpace32: Header signature invalid
 AMD64PagedMemory: No valid DTB found
 IA32PagedMemoryPae: Incompatible profile Win2008SP2x64 selected
 IA32PagedMemory: Incompatible profile Win2008SP2x64 selected
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: No valid DTB found

What version of the product are you using? On what operating system?
Version 2.3  Linux

Please provide any additional information below.
root@siftworkstation:/mnt/hgfs/Memory# vol.py -f Memory.mem --profile=Win2008SP2x64 pslist -d -d -d
Volatility Foundation Volatility Framework 2.3.1
DEBUG   : volatility.obj      : Applying modification from AtomTablex64Overlay
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ControlAreaModification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from IEHistoryVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from SSLKeyModification
DEBUG   : volatility.obj      : Applying modification from UnloadedDriverVTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from VistaSP12x64Syscalls
DEBUG   : volatility.obj      : Applying modification from Win32KGahtiVType
DEBUG   : volatility.obj      : Applying modification from Win32Kx64VTypes
DEBUG   : volatility.obj      : Applying modification from Win7Vista2008x64Tcpip
DEBUG   : volatility.obj      : Applying modification from Win7Vista2008x64Timers
DEBUG   : volatility.obj      : Applying modification from WinSyscallsAttribute
DEBUG   : volatility.obj      : Applying modification from Vista2008x64GuiVTypes
DEBUG   : volatility.obj      : Applying modification from VistaSP12x64Tcpip
DEBUG   : volatility.obj      : Applying modification from WindowsVTypes
DEBUG   : volatility.obj      : Applying modification from HiberVistaSP2x64
DEBUG   : volatility.obj      : Applying modification from ProcessAuditVTypes
DEBUG   : volatility.obj      : Applying modification from Win64SyscallVTypes
DEBUG   : volatility.obj      : Applying modification from WindowsOverlay
DEBUG   : volatility.obj      : Applying modification from EThreadCreateTime
DEBUG   : volatility.obj      : Applying modification from MalwarePspCid
DEBUG   : volatility.obj      : Applying modification from UserAssistVTypes
DEBUG   : volatility.obj      : Applying modification from VistaKDBG
DEBUG   : volatility.obj      : Applying modification from VistaSP2x64Hiber
DEBUG   : volatility.obj      : Applying modification from VistaWin7KPCR
DEBUG   : volatility.obj      : Applying modification from WinPEObjectClasses
DEBUG   : volatility.obj      : Applying modification from WinPEVTypes
DEBUG   : volatility.obj      : Applying modification from WindowsObjectClasses
DEBUG   : volatility.obj      : Applying modification from CmdHistoryObjectClasses
DEBUG   : volatility.obj      : Applying modification from CmdHistoryVTypesx64
DEBUG   : volatility.obj      : Applying modification from CrashInfoModification
DEBUG   : volatility.obj      : Applying modification from ExFastRefx64
DEBUG   : volatility.obj      : Applying modification from KDBGObjectClass
DEBUG   : volatility.obj      : Applying modification from KPCRProfileModification
DEBUG   : volatility.obj      : Applying modification from MFTTYPES
DEBUG   : volatility.obj      : Applying modification from MalwareDrivers
DEBUG   : volatility.obj      : Applying modification from MalwareKthread
DEBUG   : volatility.obj      : Applying modification from MalwareObjectClasesXP
DEBUG   : volatility.obj      : Applying modification from NetscanObjectClasses
DEBUG   : volatility.obj      : Applying modification from ServiceBase
DEBUG   : volatility.obj      : Applying modification from ShellBagsTypesVista
DEBUG   : volatility.obj      : Applying modification from ShimCacheTypesVistax64
DEBUG   : volatility.obj      : Applying modification from VistaSP1KDBG
DEBUG   : volatility.obj      : Applying modification from Win2003MMVad
DEBUG   : volatility.obj      : Applying modification from Win32KCoreClasses
DEBUG   : volatility.obj      : Applying modification from WinPEx64VTypes
DEBUG   : volatility.obj      : Applying modification from Windows64Overlay
DEBUG   : volatility.obj      : Applying modification from ServiceBasex64
DEBUG   : volatility.obj      : Applying modification from ServiceVista
DEBUG   : volatility.obj      : Applying modification from ServiceVistax64
DEBUG   : volatility.obj      : Applying modification from VistaMMVAD
DEBUG   : volatility.obj      : Applying modification from Vistax64DTB
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: mac: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: lime: need base
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.aspaces.ewf.EWFAddressSpace'>
DEBUG   : volatility.obj      : Applying modification from AtomTablex64Overlay
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ControlAreaModification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from IEHistoryVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from SSLKeyModification
DEBUG   : volatility.obj      : Applying modification from UnloadedDriverVTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from VistaSP12x64Syscalls
DEBUG   : volatility.obj      : Applying modification from Win32KGahtiVType
DEBUG   : volatility.obj      : Applying modification from Win32Kx64VTypes
DEBUG   : volatility.obj      : Applying modification from Win7Vista2008x64Tcpip
DEBUG   : volatility.obj      : Applying modification from Win7Vista2008x64Timers
DEBUG   : volatility.obj      : Applying modification from WinSyscallsAttribute
DEBUG   : volatility.obj      : Applying modification from Vista2008x64GuiVTypes
DEBUG   : volatility.obj      : Applying modification from VistaSP12x64Tcpip
DEBUG   : volatility.obj      : Applying modification from WindowsVTypes
DEBUG   : volatility.obj      : Applying modification from HiberVistaSP2x64
DEBUG   : volatility.obj      : Applying modification from ProcessAuditVTypes
DEBUG   : volatility.obj      : Applying modification from Win64SyscallVTypes
DEBUG   : volatility.obj      : Applying modification from WindowsOverlay
DEBUG   : volatility.obj      : Applying modification from EThreadCreateTime
DEBUG   : volatility.obj      : Applying modification from MalwarePspCid
DEBUG   : volatility.obj      : Applying modification from UserAssistVTypes
DEBUG   : volatility.obj      : Applying modification from VistaKDBG
DEBUG   : volatility.obj      : Applying modification from VistaSP2x64Hiber
DEBUG   : volatility.obj      : Applying modification from VistaWin7KPCR
DEBUG   : volatility.obj      : Applying modification from WinPEObjectClasses
DEBUG   : volatility.obj      : Applying modification from WinPEVTypes
DEBUG   : volatility.obj      : Applying modification from WindowsObjectClasses
DEBUG   : volatility.obj      : Applying modification from CmdHistoryObjectClasses
DEBUG   : volatility.obj      : Applying modification from CmdHistoryVTypesx64
DEBUG   : volatility.obj      : Applying modification from CrashInfoModification
DEBUG   : volatility.obj      : Applying modification from ExFastRefx64
DEBUG   : volatility.obj      : Applying modification from KDBGObjectClass
DEBUG   : volatility.obj      : Applying modification from KPCRProfileModification
DEBUG   : volatility.obj      : Applying modification from MFTTYPES
DEBUG   : volatility.obj      : Applying modification from MalwareDrivers
DEBUG   : volatility.obj      : Applying modification from MalwareKthread
DEBUG   : volatility.obj      : Applying modification from MalwareObjectClasesXP
DEBUG   : volatility.obj      : Applying modification from NetscanObjectClasses
DEBUG   : volatility.obj      : Applying modification from ServiceBase
DEBUG   : volatility.obj      : Applying modification from ShellBagsTypesVista
DEBUG   : volatility.obj      : Applying modification from ShimCacheTypesVistax64
DEBUG   : volatility.obj      : Applying modification from VistaSP1KDBG
DEBUG   : volatility.obj      : Applying modification from Win2003MMVad
DEBUG   : volatility.obj      : Applying modification from Win32KCoreClasses
DEBUG   : volatility.obj      : Applying modification from WinPEx64VTypes
DEBUG   : volatility.obj      : Applying modification from Windows64Overlay
DEBUG   : volatility.obj      : Applying modification from ServiceBasex64
DEBUG   : volatility.obj      : Applying modification from ServiceVista
DEBUG   : volatility.obj      : Applying modification from ServiceVistax64
DEBUG   : volatility.obj      : Applying modification from VistaMMVAD
DEBUG   : volatility.obj      : Applying modification from Vistax64DTB
DEBUG1  : volatility.utils    : Failed instantiating EWFAddressSpace: No base address space provided
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating AMD64PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x6408b90>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating MachOAddressSpace: MachO Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating LimeAddressSpace: Invalid Lime header signature
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.obj      : None object instantiated: Invalid hibernation header
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No xpress signature found
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.aspaces.ewf.EWFAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating EWFAddressSpace: EWF signature not present
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace64: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating HPAKAddressSpace: Invalid magic found
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vboxelf.VirtualBoxCoreDumpElf64'>
DEBUG1  : volatility.utils    : Failed instantiating VirtualBoxCoreDumpElf64: ELF64 Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareSnapshotFile'>
DEBUG1  : volatility.utils    : Failed instantiating VMWareSnapshotFile: Invalid VMware signature: 0x0
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>

Hangs right here every time

Original issue reported on code.google.com by patories on 27 May 2014 at 1:56
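As an added illustration of the voting round visible in the debug output above (this is example code, not Volatility's own): every candidate address space is retried on top of the current stack and rejects itself when it needs a base, must be first, sees a wrong header signature, or finds no DTB; the loop ends when no layer fits, which is why a raw image with no recognisable page-table root stops at FileAddressSpace with "No valid DTB found". The self-referencing PML4 slot 0x1ed heuristic, the 32-byte LiME header and the `terminal` flag are assumptions made for this example, not Volatility's real checks.

```python
import struct
class ASError(Exception): pass  # raised when a layer cannot sit on the given base

class FileAS:                          # raw file: only valid at the bottom of the stack
    def __init__(self, base, data):
        if base is not None:
            raise ASError("Must be first Address Space")
        self.data = data
    def read(self, off, n): return self.data[off:off + n]

class LimeAS:                          # LiME container: needs a base and 'EMiL' magic
    def __init__(self, base, data):
        if base is None:
            raise ASError("lime: need base")
        if base.read(0, 4) != b"EMiL":
            raise ASError("Invalid Lime header signature")
        self.base = base
    def read(self, off, n): return self.base.read(off + 32, n)  # assumed 32-byte header

class AMD64PagedAS:                    # x64 paged memory: needs a base and a valid DTB
    terminal = True                    # assumption: nothing gets stacked on top of it
    def __init__(self, base, data):
        if base is None:
            raise ASError("No base Address Space")
        self.base, self.dtb = base, find_dtb(base, len(data))
        if self.dtb is None:
            raise ASError("No valid DTB found")

def find_dtb(base, size, page=0x1000):
    # Constructed heuristic: a Windows x64 PML4 page holds a present self-referencing
    # entry in slot 0x1ed whose physical address is the page itself.
    for off in range(0, size - page + 1, page):
        entry = struct.unpack("<Q", base.read(off + 0x1ed * 8, 8))[0]
        if entry & 1 and (entry & 0x000FFFFFFFFFF000) == off:
            return off
    return None

def load_as(data, spaces=(LimeAS, AMD64PagedAS, FileAS)):
    """Volatility-style voting: retry every layer, in order, until none fits."""
    base, stack, errors, found = None, [], [], True
    while found and not getattr(base, "terminal", False):
        found = False
        for cls in spaces:
            try:
                base = cls(base, data)
                stack.append(cls.__name__)
                found = True
                break
            except ASError as exc:
                errors.append(f"{cls.__name__}: {exc}")
    return stack, errors
```

Run `load_as` on the bytes of an image: a constructed image whose page at 0x2000 contains a self-referencing entry stacks FileAS then AMD64PagedAS, while an all-zero image stops at FileAS and reports the same "No valid DTB found" / "Must be first Address Space" pair seen in the log.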

GoogleCodeExporter commented 9 years ago
Collection method was ftkimager

Original comment by patories on 27 May 2014 at 1:57

GoogleCodeExporter commented 9 years ago
continued via email....

Original comment by michael.hale@gmail.com on 27 May 2014 at 8:12