Unable to pslist Win10x64 RAW Memory file

volatilityfoundation / volatility

An advanced memory forensics framework

http://volatilityfoundation.org/

GNU General Public License v2.0

7.39k stars 1.29k forks source link

Unable to pslist Win10x64 RAW Memory file #605

Closed kakokvantaliani closed 5 years ago

kakokvantaliani commented 5 years ago

Anyone could advise on which profile to use for scanning Winx64 Build 17134.706

pslist only lists following: `C:****\DumpIt\Thinkpad.raw --profile=Win10x64_10586 pslist Volatility Foundation Volatility Framework 2.6 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit

0xffffc88ac34d8438 0 0 0 -------- ------ 0`

iMHLv2 commented 5 years ago

You'd use Win10x64_17134 (the profiles are not in the bundled executable, but they are available in the github repository).

kakokvantaliani commented 5 years ago

Thanks!

kakokvantaliani commented 5 years ago

Installed python version. Still unable:

vol.py -f C:\*****\DumpIt\Thinkpad.raw --profile=Win10x64_17134 -g 0xf8001d427520 -k 0xfffff8001bc67000 pslist
Volatility Foundation Volatility Framework 2.6.1
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffc88ac34d8440

iMHLv2 commented 5 years ago

Unfortunately then you probably have a corrupt memory dump, courtesy of DumpIt. Where did you get 0xf8001d427520 and 0xfffff8001bc67000 from?

kakokvantaliani commented 5 years ago

From imageinfo