im-infamou5 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

moddump can not dump on a vmware snap #490

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

# export VOLATILITY_LOCATION=file:///root/vmware-Snapshot3.vmsn
# export VOLATILITY_PROFILE=Win2003SP2x86
# vol driverscan |grep "?"
Volatility Foundation Volatility Framework 2.3.1
0x09fe07f0    3    0 0xf7797000     0x7000 ??????               -544         
0x0a49c900    2    0 0xf7797000     0x8000 ?                    ?            ??
# vol moddump -b 0xf7797000 -D /root/volatility/volatility-read-only/dump/
Volatility Foundation Volatility Framework 2.3.1
Module Base Module Name          Result
----------- -------------------- ------
0x0f7797000 UNKNOWN              Error: Cannot acquire AS

What is the expected output? What do you see instead?
dump module

What version of the product are you using? On what operating system?
volatility 2.3.1 on linux and windows 2003 the infected one.
The image memory is a vmware snapshot 

Please provide any additional information below.
I think the machine is infected  by some advanced rootkit, tdl4 or something.

Original issue reported on code.google.com by forensic...@gmail.com on 17 Mar 2014 at 7:22

Attachments:

GoogleCodeExporter commented 9 years ago
Likely the module that once existed at those addresses has since unloaded, but 
you can double check by going into volshell and checking for the PE header: 

$ vol volshell
>>> db(0xf7797000)

Do you see an MZ header? 

Original comment by michael.hale@gmail.com on 17 Mar 2014 at 7:05

GoogleCodeExporter commented 9 years ago
no..
# vol volshell
Volatility Foundation Volatility Framework 2.3.1
Current context: process System, pid=4, ppid=0 DTB=0xbf6c1000
Welcome to volshell! Current memory image is:
file:///root/vmware-Snapshot3.vmsn
To get help, type 'hh()'
>>> db(0xf7797000)
Memory unreadable at f7797000

Original comment by forensic...@gmail.com on 22 Mar 2014 at 12:45

GoogleCodeExporter commented 9 years ago
Yeah, so the memory is either not allocated anymore or its swapped to disk. The 
driver could also load, move its code to another pool, and then unload. I'll 
close this since its not a bug that needs fixing, but if you need additional 
help feel free to write on the vol-users mailing list. 

Original comment by michael.hale@gmail.com on 25 Mar 2014 at 6:08