volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

problems inspecting win10 enterprise build1511 #267

Closed cartel0x27 closed 7 years ago

cartel0x27 commented 8 years ago

Hey there, I'm having some issues running Volatility against a crash dump from win10 enterprise build 1511.

My steps:

  1. force crash dump using https://msdn.microsoft.com/en-us/library/windows/hardware/ff545499(v=vs.85).aspx
  2. move memory.dmp into vm shared folder
  3. apt-get install volatility in ubuntu 14.10
  4. apt-get remove volatility
  5. install volatility-2.5 from https://github.com/volatilityfoundation/volatility/archive/2.5.zip with python setup.py
  6. try some vol.py commands:

    $ vol.py crashinfo -f ./MEMORY.DMP --profile=Win10x64
    Volatility Foundation Volatility Framework 2.5
    _DMP_HEADER64:
     Majorversion:                  0x0000000f (15)
     Minorversion:                  0x0000295a (10586)
     KdSecondaryVersion             0x00000041
     DirectoryTableBase             0x001ab000
     PfnDataBase                    0xfffffa8000000000
     PsLoadedModuleList             0xfffff802512fcc70
     PsActiveProcessHead            0xfffff802512f7160
     MachineImageType               0x00008664
     NumberProcessors               0x00000004
     BugCheckCode                   0x000000e2
     KdDebuggerDataBlock            0xfffff802512e2a60
     ProductType                    0x00000001
     SuiteMask                      0x00000110
     WriterStatus                   0x45474150
     Comment                        PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE
     DumpType                       BitMap Dump
     SystemTime                     2015-12-14 00:34:59 UTC+0000
     SystemUpTime                   1:18:11.393330

    Physical Memory Description:
    Number of runs: 7
    FileOffset    Start Address    Length
    00002000      00001000         00057000
    00059000      00059000         00044000
    0009d000      00100000         00203000
    002a0000      00307000         d099d000
    d0c3d000      d0ea6000         09b8f000
    da7cc000      dcfff000         00001000
    da7cd000      100000000        2f9de0000
    3d45ac000     3f9ddf000

    $ vol.py netscan -f ./MEMORY.DMP --profile=Win10x64
    Volatility Foundation Volatility Framework 2.5
    Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
    Traceback (most recent call last):
      File "/usr/local/bin/vol.py", line 4, in <module>
        __import__('pkg_resources').run_script('volatility==2.5', 'vol.py')
      File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 735, in run_script
        self.require(requires)[0].run_script(script_name, ns)
      File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1652, in run_script
        exec(code, namespace, namespace)
      File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
        main()
      File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
        command.execute()
      File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 145, in execute
        func(outfd, data)
      File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/netscan.py", line 269, in render_text
        for net_object, proto, laddr, lport, raddr, rport, state in data:
      File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/netscan.py", line 212, in calculate
        for objct in self.scan_results(addr_space):
      File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/poolscan.py", line 213, in scan
        cookie = obj.VolMagic(space).ObHeaderCookie.v()
      File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/windows/win10.py", line 205, in v
        return self.get_best_suggestion()
      File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/obj.py", line 818, in get_best_suggestion
        for val in self.get_suggestions():
      File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/windows/win10.py", line 212, in get_suggestions
        for x in self.generate_suggestions():
      File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/windows/win10.py", line 217, in generate_suggestions
        store.findcookie(self.obj_vm)
      File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/overlays/windows/win10.py", line 131, in findcookie
        nt_mod = list(kdbg.modules())[0]
    IndexError: list index out of range

    $ vol.py pslist -f ./MEMORY.DMP --profile=Win10x64
    Volatility Foundation Volatility Framework 2.5
    Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit

(just returns having printed nothing)

iMHLv2 commented 8 years ago

Any chance you can upload the ntoskrnl.exe file from that system's disk somewhere and send a link? It looks like the object header cookie value is not being found (something new that's required for Windows 10 pool tag scanning).
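The encoding that makes the cookie necessary, as an added example (not Volatility's code): since Windows 10, `_OBJECT_HEADER.TypeIndex` is stored XORed with `nt!ObHeaderCookie` and with byte 1 of the header's own address, so a pool scanner that does not know the cookie cannot tell which allocations are processes, sockets and so on. The layout offsets, the cookie and the type indices below are constructed sample values, and the scan checks only the index byte, not the pool tag a real scanner matches first.

```python
# Added example, not code from the Volatility project.
# Windows 10 stores TypeIndex as: real_index ^ ObHeaderCookie ^ ((header_addr >> 8) & 0xFF)
# Cookie, addresses and type indices here are constructed samples.

TYPE_INDEX_OFF = 0x18   # offset of TypeIndex inside the x64 _OBJECT_HEADER
HEADER_SIZE = 0x30      # x64 _OBJECT_HEADER size; pool allocations are 16-byte aligned


def decode_type_index(header_addr, encoded, cookie):
    """Invert the Win10 encoding; XOR is its own inverse, so this also encodes."""
    return (encoded ^ cookie ^ ((header_addr >> 8) & 0xFF)) & 0xFF


def build_sample_memory(base, headers, cookie):
    """Lay out fake object headers (offset -> real type index) in a 4 KiB buffer,
    storing each TypeIndex byte the way Windows 10 would."""
    mem = bytearray(0x1000)
    for off, real in headers.items():
        mem[off + TYPE_INDEX_OFF] = decode_type_index(base + off, real, cookie)
    return mem


def scan_for_type(mem, base, wanted, cookie):
    """Walk 16-byte aligned candidate headers and keep those whose decoded
    TypeIndex equals `wanted`; this is the step that needs the cookie."""
    hits = []
    for off in range(0, len(mem) - HEADER_SIZE, 0x10):
        if decode_type_index(base + off, mem[off + TYPE_INDEX_OFF], cookie) == wanted:
            hits.append(base + off)
    return hits


# Constructed sample image: three headers, two of the same (hypothetical) type 7.
SAMPLE_BASE = 0xFFFFE00012340000
SAMPLE_COOKIE = 0x5A
SAMPLE_HEADERS = {0x100: 7, 0x4A0: 7, 0x7F0: 0x2B}
SAMPLE_MEM = build_sample_memory(SAMPLE_BASE, SAMPLE_HEADERS, SAMPLE_COOKIE)


def raw_index_bytes(mem=SAMPLE_MEM, headers=SAMPLE_HEADERS):
    """The stored bytes of the two type-7 objects differ, so grouping by the raw
    byte (no cookie) cannot work; only decoding recovers the common type."""
    return [mem[off + TYPE_INDEX_OFF] for off in headers]


if __name__ == "__main__":
    print([hex(a) for a in scan_for_type(SAMPLE_MEM, SAMPLE_BASE, 7, SAMPLE_COOKIE)])
    print([hex(b) for b in raw_index_bytes()])
```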

cartel0x27 commented 8 years ago

Here you go: https://drive.google.com/file/d/0Bxj45laejfxwalVXamd5YnQ5RDQ/view?usp=sharing

iMHLv2 commented 8 years ago

OK, your file looks fine...the signature we want to locate is in there...so there must be another issue. Have you installed the distorm3 python module? This is required for Windows 8 and above. For more info on that, see:

https://github.com/volatilityfoundation/volatility/wiki/Windows-8-2012 and https://github.com/volatilityfoundation/volatility/wiki/Installation#dependencies

Let me know if you still have issues after that.

cartel0x27 commented 8 years ago

Thanks, but I already had the distorm3 python module installed.

Any other ideas?

iMHLv2 commented 7 years ago

@pnegry sorry for the delay. We've fixed a ton of Windows 10 related issues over the past couple weeks. Would you mind updating to the latest master branch and trying again?

iMHLv2 commented 7 years ago

I'm going to close out this issue. Let me know if you're able to test in the coming days, and if the existing fixes for Win10 don't help, we can reopen and take a look.