tthtlc / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

_DRIVER_OBJECT volshell issue #479

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. using volshell "_DRIVER_OBJECT" on a Windows 7 SP1 x64 image taken with FTK

What is the expected output? What do you see instead?
the driver object name and further details 

What version of the product are you using? On what operating system?
Volatility r3586
Ftk imager lite v3.1.1
Kali Linux Analysis VM 1.0.6 with all current updates

Please provide any additional information below.

Device Tree output

DRV 0x13ddd8710 ?
---| DEV 0xfffffa8005dd84f0  FILE_DEVICE_UNKNOWN

root@kali:~/volatility# time python vol.py -f /root/IR/memory.mem --profile=Win7SP1x64 volshell
Volatility Foundation Volatility Framework 2.3.1
Current context: process System, pid=4, ppid=0 DTB=0x187000
Welcome to volshell! Current memory image is:
file:///root/IR/DOMWS-47.mem
To get help, type 'hh()'

>>> dt("_DEVICE_OBJECT", 0xfffffa8005dd84f0)
[_DEVICE_OBJECT _DEVICE_OBJECT] @ 0xFFFFFA8005DD84F0
0x0   : Type                           3
0x2   : Size                           336
0x4   : ReferenceCount                 1
0x8   : DriverObject                   18446738026494002960
0x10  : NextDevice                     0
0x18  : AttachedDevice                 0
0x20  : CurrentIrp                     0
0x28  : Timer                          0
0x30  : Flags                          64
0x34  : Characteristics                256
0x38  : Vpb                            0
0x40  : DeviceExtension                0
0x48  : DeviceType                     34
0x4c  : StackSize                      1
0x50  : Queue                          18446738026494002496
0x98  : AlignmentRequirement           0
0xa0  : DeviceQueue                    18446738026494002576
0xc8  : Dpc                            18446738026494002616
0x108 : ActiveThreadCount              0
0x110 : SecurityDescriptor             18446735964814402304
0x118 : DeviceLock                     18446738026494002696
0x130 : SectorSize                     0
0x132 : Spare1                         0
0x138 : DeviceObjectExtension          18446738026494002752
0x140 : Reserved                       0
>>> dt("_DRIVER_OBJECT", 18446738026494002960)
[_DRIVER_OBJECT _DRIVER_OBJECT] @ 0xFFFFFA8005DD8710
0x0   : Type                           4
0x2   : Size                           336
0x8   : DeviceObject                   18446738026494002416
0x10  : Flags                          18
0x18  : DriverStart                    18446735827393773568
0x20  : DriverSize                     81920
0x28  : DriverSection                  18446738026458892816
0x30  : DriverExtension                18446738026494003296
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/root/volatility/volatility/plugins/volshell.py", line 370, in dt
    print "{0:6}: {1:30} {2}".format(hex(o), m, val)
UnicodeEncodeError: 'ascii' codec can't encode character u'\u057f' in position 0: ordinal not in range(128)

Original issue reported on code.google.com by supracl...@gmail.com on 13 Feb 2014 at 11:09
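The traceback above shows the failure mode: volshell's dt() builds each row with a Python 2 print of "{0:6}: {1:30} {2}" and dies when a member value (here the next member after DriverExtension, whose text contains U+057F) is written to an ASCII-only console. The following is an added example, not Volatility's own code, showing the pattern a forensic tool wants for this: render every member value through an encoder with an error handler so unrepresentable characters become escapes instead of an exception. The row layout string is the one from the traceback; the DriverName offset of 0x38 is an assumption about the x64 _DRIVER_OBJECT layout, and the DriverName value is a constructed string that includes the same U+057F character.

```python
# Added example (not Volatility's own code): format struct-member rows the way
# volshell's dt() does, but without crashing when a value contains text the
# console cannot encode.  Memory images hold arbitrary bytes, so any field that
# is decoded as text must be printed defensively.

from typing import Any, List, Tuple

# Constructed sample rows: (offset, member name, value) in the order dt() prints
# them.  Offsets and names for the first three members follow the _DRIVER_OBJECT
# dump on the page; the DriverName offset (0x38) is an assumption, and its value
# is constructed to include the Armenian character U+057F from the traceback.
SAMPLE_ROWS: List[Tuple[int, str, Any]] = [
    (0x0, "Type", 4),
    (0x2, "Size", 336),
    (0x8, "DeviceObject", 18446738026494002416),
    (0x38, "DriverName", "\\Driver\\Disk\u057f"),  # constructed, non-ASCII tail
]

# Same layout string as the volshell line in the traceback.
ROW_LAYOUT = "{0:6}: {1:30} {2}"


def naive_value_crashes(val: str, console_encoding: str = "ascii") -> bool:
    """Reproduce the failure mode: strict encoding of a non-ASCII value, which is
    what an ASCII-only stdout does implicitly, raises UnicodeEncodeError."""
    try:
        val.encode(console_encoding)  # strict, no error handler
        return False
    except UnicodeEncodeError:
        return True


def render_value(val: Any, console_encoding: str = "ascii") -> str:
    """Render a member value as text the target console can encode.

    Integers print as decimal, as dt() does.  Text goes through
    'backslashreplace', so a character the console cannot represent becomes an
    escape such as \\u057f instead of raising.
    """
    if isinstance(val, int):
        return str(val)
    text = val if isinstance(val, str) else str(val)
    return text.encode(console_encoding, "backslashreplace").decode(console_encoding)


def format_row(offset: int, member: str, val: Any, console_encoding: str = "ascii") -> str:
    """One dt()-style line: hex offset, member name, safely rendered value."""
    return ROW_LAYOUT.format(hex(offset), member, render_value(val, console_encoding))


def dump_struct(rows: List[Tuple[int, str, Any]], console_encoding: str = "ascii") -> List[str]:
    """Render every row; never raises on the value's content."""
    return [format_row(o, m, v, console_encoding) for o, m, v in rows]


if __name__ == "__main__":
    # In a real tool, pass sys.stdout.encoding (falling back to "ascii") instead
    # of hard-coding the console encoding.
    for line in dump_struct(SAMPLE_ROWS):
        print(line)
```

The difference between the two paths is the error handler alone: strict encoding is what the ASCII console in the report applied, while backslashreplace keeps the dump readable and the remaining members visible, which matters when the odd value is itself the thing the analyst needs to see.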

GoogleCodeExporter commented 9 years ago
I've contacted via email and we'll continue the investigation there! Thanks for reporting!

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 3:55

GoogleCodeExporter commented 9 years ago
I ran this with the info you provided me in the email and had no problems. All the driver information displayed as expected. Thanks for taking care of the problem!

Original comment by supracl...@gmail.com on 10 Mar 2014 at 1:01