Closed Jed-Chang closed 8 years ago
Hi,
Thank you for the report. This looks like another instance of issue #319. Can you try with the latest (master) version of volatility? https://github.com/volatilityfoundation/volatility/archive/master.zip. You'll need to install the dependencies as well, including distorm3.
Win10x86 does appear to be the correct profile, based on your kdbgscan output.
Thanks
I would be glad to give it a try. Thank you for a timely response; nothing but praise for the Volatility team.
Gave it a try with the link you provided; you are spot on, it appears to work. Thank you very much.
v/r
Jason Cheney
Great, I'm glad you were able to get it working. Thanks for the quick feedback as well. We're hoping to release a new standalone version soon based on recent improvements.
I apologize if this has been addressed already; I'm new to GitHub. I'm using the Vol 2.5 source code in Ubuntu. I ran kdbgscan; below was the only profile that suggested Win10, so I used it.
Instantiating KDBG using: Kernel AS WinXPSP2x86 (5.1.0 32bit)
Offset (V)                     : 0x81497820
Offset (P)                     : 0x2e97820
KDBG owner tag check           : True
Profile suggestion (KDBGHeader): Win10x86
Version64                      : 0x81497ef0 (Major: 15, Minor: 10240)
Service Pack (CmNtCSDVersion)  : 0
Build string (NtBuildLab)      : 10240.16590.x86fre.th1_st1.15110
PsActiveProcessHead            : 0x814a5fb0 (53 processes)
PsLoadedModuleList             : 0x814a9a38 (217 modules)
KernelBase                     : 0x81268000 (Matches MZ: True)
Major (OptionalHeader)         : 10
Minor (OptionalHeader)         : 0
KPCR                           : 0x814c1000 (CPU 0)
pslist and other plugins seem to work well
0x8e5530c0 conhost.exe 2820 3800 4 0 1 0 2016-10-03 21:42:28 UTC+0000
0x8f76a780 SearchProtocol 3336 716 7 0 0 0 2016-10-03 21:46:26 UTC+0000
0xaee3b880 kinject.exe 2480 2592 2 0 1 0 2016-10-03 21:46:26 UTC+0000
0xb1256c40 conhost.exe 3612 2480 3 0 1 0 2016-10-03 21:46:26 UTC+0000
0x8ecb9040 SearchFilterHo 768 716 5 0 0 0 2016-10-03 21:46:27 UTC+0000
0xa3d65c40 notepad.exe 2196 2480 2 0 1 0 2016-10-03 21:46:34 UTC+0000
0x8f6c4c40 cmd.exe 1104 1832 0 -------- 0 0 2016-10-03 21:47:25 UTC+0000 2016-10-03 21:47:25 UTC+0000
0xa8e7e040 conhost.exe 1524 1104 0 0 0 0 2016-10-03 21:47:25 UTC+0000
0x961ce7c0 ipconfig.exe 764 1104 0 -------- 0 0 2016-10-03 21:47:25 UTC+0000 2016-10-03 21:47:25 UTC+0000
Yet when I try to run vadinfo / malfind / ldrmodules etc. (I think the plugins that use the VAD), I get the following error:
vol.py -f dllinjectionwin10.dmp vadinfo -p 2196
Volatility Foundation Volatility Framework 2.5
Pid: 2196
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 4, in <module>
    __import__('pkg_resources').run_script('volatility==2.5', 'vol.py')
  File "/usr/local/lib/python2.7/dist-packages/setuptools-15.0-py2.7.egg/pkg_resources/__init__.py", line 723, in run_script
  File "/usr/local/lib/python2.7/dist-packages/setuptools-15.0-py2.7.egg/pkg_resources/__init__.py", line 1636, in run_script
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 145, in execute
    func(outfd, data)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/vadinfo.py", line 212, in render_text
    self.write_vad_short(outfd, vad)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/vadinfo.py", line 239, in write_vad_short
    vad.Start,
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/obj.py", line 748, in __getattr__
    return self.m(attr)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/obj.py", line 730, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct _MMVAD has no member Start
Thank you in advance for your time.
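As an added example (not part of this issue thread or of the Volatility project), a small parser for the pslist rows quoted above that places the failing PID 2196 in its parent chain and lists the processes that had already exited; the column order is the standard Volatility 2.x pslist layout, assumed here because the post omits the header line.

```python
# Constructed sample: the pslist rows quoted in the issue (the post omits the header).
PSLIST_ROWS = """\
0x8e5530c0 conhost.exe 2820 3800 4 0 1 0 2016-10-03 21:42:28 UTC+0000
0x8f76a780 SearchProtocol 3336 716 7 0 0 0 2016-10-03 21:46:26 UTC+0000
0xaee3b880 kinject.exe 2480 2592 2 0 1 0 2016-10-03 21:46:26 UTC+0000
0xb1256c40 conhost.exe 3612 2480 3 0 1 0 2016-10-03 21:46:26 UTC+0000
0x8ecb9040 SearchFilterHo 768 716 5 0 0 0 2016-10-03 21:46:27 UTC+0000
0xa3d65c40 notepad.exe 2196 2480 2 0 1 0 2016-10-03 21:46:34 UTC+0000
0x8f6c4c40 cmd.exe 1104 1832 0 -------- 0 0 2016-10-03 21:47:25 UTC+0000 2016-10-03 21:47:25 UTC+0000
0xa8e7e040 conhost.exe 1524 1104 0 0 0 0 2016-10-03 21:47:25 UTC+0000
0x961ce7c0 ipconfig.exe 764 1104 0 -------- 0 0 2016-10-03 21:47:25 UTC+0000 2016-10-03 21:47:25 UTC+0000
"""

def parse_pslist(text):
    """Return {pid: record}. Volatility 2.x pslist columns (assumed here):
    Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start [Exit]."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[0].startswith("0x"):
            continue  # skip a header or separator line if one is present
        procs[int(f[2])] = {
            "name": f[1], "ppid": int(f[3]), "threads": int(f[4]),
            # Hnds is printed as dashes once the process has exited
            "handles": None if f[5].startswith("-") else int(f[5]),
            "start": " ".join(f[8:11]),
            "exit": " ".join(f[11:14]) if len(f) >= 14 else None,
        }
    return procs

def ancestry(procs, pid):
    """Follow PPID links upward, stopping at a parent absent from the listing
    (e.g. one that already exited and was reaped) or at a PID cycle."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append((pid, procs[pid]["name"]))
        pid = procs[pid]["ppid"]
    return chain

def exited(procs):
    """PIDs whose row carries an exit time (pslist still shows them briefly)."""
    return sorted(pid for pid, r in procs.items() if r["exit"])

if __name__ == "__main__":
    procs = parse_pslist(PSLIST_ROWS)
    print(ancestry(procs, 2196))  # [(2196, 'notepad.exe'), (2480, 'kinject.exe')]
    print(exited(procs))          # [764, 1104]
```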