volatilityfoundation / profiles

Volatility profiles for Linux and Mac OS X

Win10 Issue #72

Open larmet26 opened 5 years ago

larmet26 commented 5 years ago

While processing a Win10 memory image, I get an incomplete imageinfo result and obscured pslist results. Any advice?

vol.py -f memdump.mem imageinfo

Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win10x64_10586, Win10x64_14393, Win10x64, Win2016x64_14393
                     AS Layer1 : Win10AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/memdump.mem)
                      PAE type : No PAE
                           DTB : 0x1ab000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-04-06 12:42:32 UTC+0000
     Image local date and time : 2018-04-06 08:42:32 -0400

PSLIST returns stuff like the following:


0xffffe602d2ec2038 4 0 36...2 0 ------ 0 6285-08-11 06:06:22 UTC+0000
0xffffe602d4f7e038 0?????smss.exe 368 0 35...8 0 ------ 0 6235-10-10 05:36:19 UTC+0000
0xffffe602d4eb3578 ??A????csrss.ex 472 0 36...4 0 ------ 0 6236-08-31 00:21:17 UTC+0000
0xffffe602d64c0078 556 0 35...8 0 ------ 0 6692-05-05 17:10:47 UTC+0000
0xffffe602d64c4078 ?uK????wininit. 564 292 35...4 0 ------ 0 6236-08-31 07:59:24 UTC+0000
0xffffe602d64ca078 ?yK????csrss.ex 572 0 37...4 0 ------ 0 6236-08-31 00:21:17 UTC+0000
0xffffe602d6514078 ??O????winlogon 664 352 36...0 0 ------ 0 6236-07-21 07:00:39 UTC+0000
0xffffe602d652d578 P?Q????services 708 0 36...0 0 ------ 0 6236-08-31 00:21:17 UTC+0000
0xffffe602d654a078 ??T????lsass.ex 732 2812 37...4 0 ------ 0 6236-07-21 07:00:39
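The pslist output above shows the two classic symptoms of a profile that does not match the image: image names containing bytes that are illegal in a Windows file name (rendered here as "?") and start times in years like 6235 and 6285. Since imageinfo offered four candidate profiles, the practical next step is to run `vol.py --profile=<candidate> -f memdump.mem pslist` once per candidate (and `kdbgscan` if none fits) and keep the one whose output passes a sanity check. The script below is an added example, not code from the issue or from the volatilityfoundation project; the two pslist samples are constructed (the first shaped after the rows in the report, the second showing what sane rows look like), the profile labels `candidate_a`/`candidate_b` are hypothetical, and the plausibility thresholds are my own heuristics.

```python
import re
from datetime import datetime, timedelta

# Acquisition time taken from the imageinfo output in the report.
IMAGE_TIME = datetime(2018, 4, 6, 12, 42, 32)

# Constructed input: pslist rows shaped like the ones in the report. The '?'
# characters stand where the reporter's terminal showed non-printable bytes.
BAD_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe602d2ec2038 4 0 36...2 0 ------ 0 6285-08-11 06:06:22 UTC+0000
0xffffe602d4f7e038 0?????smss.exe 368 0 35...8 0 ------ 0 6235-10-10 05:36:19 UTC+0000
0xffffe602d4eb3578 ??A????csrss.ex 472 0 36...4 0 ------ 0 6236-08-31 00:21:17 UTC+0000
"""

# Constructed input: what the same three entries look like when the profile fits.
GOOD_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe602d2ec2038 System                    4      0    123        0 ------      0 2018-04-06 11:30:01 UTC+0000
0xffffe602d4f7e038 smss.exe                368      4      2        0 ------      0 2018-04-06 11:30:01 UTC+0000
0xffffe602d4eb3578 csrss.exe               472    452     10        0      0      0 2018-04-06 11:30:05 UTC+0000
"""

# Characters NTFS refuses in a file name. One of these inside an image name means
# the bytes were read from the wrong offset in _EPROCESS, not a real process name.
FORBIDDEN = set('<>:"/\\|?*')
START_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_line(line):
    """Return (name, start_time) for one pslist row, or None for header/separator lines."""
    tokens = line.split()
    if not tokens or not tokens[0].startswith("0x"):
        return None
    # The name is everything between the offset and the first all-digit token (the PID).
    pid_idx = next((i for i, t in enumerate(tokens[1:], 1) if t.isdigit()), len(tokens))
    name = " ".join(tokens[1:pid_idx])
    m = START_RE.search(line)
    start = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None
    return name, start


def name_plausible(name):
    """Non-empty, printable ASCII, and free of characters Windows forbids in file names."""
    return bool(name) and all(32 <= ord(c) < 127 for c in name) and not (set(name) & FORBIDDEN)


def time_plausible(start, image_time):
    """Heuristic: a process cannot start after acquisition (one day of clock skew allowed)
    and 1980 is an arbitrary floor that predates any live Windows host."""
    return start is not None and datetime(1980, 1, 1) <= start <= image_time + timedelta(days=1)


def assess_pslist(text, image_time):
    """Count rows, rows with a bad name, rows with a bad start time, and fully plausible rows."""
    rows = [r for r in map(parse_line, text.splitlines()) if r is not None]
    bad_names = sum(1 for n, _ in rows if not name_plausible(n))
    bad_times = sum(1 for _, s in rows if not time_plausible(s, image_time))
    plausible = sum(1 for n, s in rows if name_plausible(n) and time_plausible(s, image_time))
    return {"rows": len(rows), "bad_names": bad_names, "bad_times": bad_times, "plausible": plausible}


def rank_profiles(outputs, image_time):
    """outputs maps a candidate profile name to the pslist text it produced.
    Returns (profile, fraction of plausible rows) pairs, best fit first."""
    scored = []
    for prof, text in outputs.items():
        r = assess_pslist(text, image_time)
        scored.append((prof, r["plausible"] / r["rows"] if r["rows"] else 0.0))
    return sorted(scored, key=lambda p: p[1], reverse=True)


if __name__ == "__main__":
    # Hypothetical labels: in practice, capture one pslist run per profile that imageinfo suggested.
    for prof, score in rank_profiles({"candidate_a": BAD_PSLIST, "candidate_b": GOOD_PSLIST}, IMAGE_TIME):
        print(f"{prof}: {score:.0%} of rows plausible")
```

In use, replace the constructed strings with the captured output of one `pslist` run per suggested profile and pass the "Image date and time" from imageinfo as `image_time`; a candidate that scores well on names but badly on times usually indicates a build whose `_EPROCESS` layout matches only partially, which is the case where `kdbgscan` (to confirm the kernel build) is worth running before trusting any plugin output.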