volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

imageinfo Windows Build 18362 hangs #645

Closed angry-bender closed 5 years ago

angry-bender commented 5 years ago

32 GB image, left overnight, but as I don't believe there has been a new update for 18632 yet, this could be why imageinfo hangs as well. I have also tried running with plugins up to 17763, but nothing seems to parse. I have also tried with smaller RAM dumps that are 4 GB in size, with no luck; a few plugins, including malprocfind, have said that the profile isn't working.

Dumped with winpmem 3.3RC as .raw. I can still use `strings -le` to parse the dumps, just not Volatility.

angry-bender commented 5 years ago

Output

```
Volatility -f mem.raw --profile=Win10x64_17763 pstree
Volatility Foundation Volatility Framework 2.6.1
No suitable address space mapping found
Tried to open image as:
 MachOAddressSpace: mac: need base
 LimeAddressSpace: lime: need base
 WindowsHiberFileSpace32: No base Address Space
 WindowsCrashDumpSpace64BitMap: No base Address Space
 WindowsCrashDumpSpace64: No base Address Space
 HPAKAddressSpace: No base Address Space
 VMWareMetaAddressSpace: No base Address Space
 VirtualBoxCoreDumpElf64: No base Address Space
 QemuCoreDumpElf: No base Address Space
 VMWareAddressSpace: No base Address Space
 WindowsCrashDumpSpace32: No base Address Space
 SkipDuplicatesAMD64PagedMemory: No base Address Space
 WindowsAMD64PagedMemory: No base Address Space
 LinuxAMD64PagedMemory: No base Address Space
 AMD64PagedMemory: No base Address Space
 IA32PagedMemoryPae: No base Address Space
 IA32PagedMemory: No base Address Space
 OSXPmemELF: No base Address Space
 MachOAddressSpace: MachO Header signature invalid
 LimeAddressSpace: Invalid Lime header signature
 WindowsHiberFileSpace32: No xpress signature found
 WindowsCrashDumpSpace64BitMap: Header signature invalid
 WindowsCrashDumpSpace64: Header signature invalid
 HPAKAddressSpace: Invalid magic found
 VMWareMetaAddressSpace: VMware metadata file is not available
 VirtualBoxCoreDumpElf64: ELF Header signature invalid
 QemuCoreDumpElf: ELF Header signature invalid
 VMWareAddressSpace: Invalid VMware signature: 0x4034b50
 WindowsCrashDumpSpace32: Header signature invalid
 SkipDuplicatesAMD64PagedMemory: No valid DTB found
 WindowsAMD64PagedMemory: No valid DTB found
 LinuxAMD64PagedMemory: Incompatible profile Win10x64_17763 selected
 AMD64PagedMemory: No valid DTB found
 IA32PagedMemoryPae: Incompatible profile Win10x64_17763 selected
 IA32PagedMemory: Incompatible profile Win10x64_17763 selected
 OSXPmemELF: ELF Header signature invalid
 FileAddressSpace: Must be first Address Space
 ArmAddressSpace: No valid DTB found
```
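
The list above is each layer of Volatility 2's address-space stacking loop reporting why it could not claim the file, and the one line that carries data about the file itself is `VMWareAddressSpace: Invalid VMware signature: 0x4034b50`, which is the first little-endian dword of the image. As an added example (not code from this thread, from the reporter, or from Volatility itself), the following Python script reads that same dword and compares the leading bytes against the standard published magics of the container formats those address spaces handle, so an analyst can tell before trying any profile whether a file is a flat physical dump or is wrapped in a container. The sample headers are constructed here for the demonstration, and `mem.raw` is only the file name used in the thread. Note that the bytes `50 4B 03 04` that produce the value 0x04034b50 are the ZIP local-file-header signature, and AFF4 volumes are ZIP containers; whether that is what happened to this particular image is not established in the thread.

```python
import struct

# Container magics for the formats named in Volatility 2's address-space
# list. These are the standard published signatures for each format,
# not values copied from Volatility's source.
SIGNATURES = [
    # (label, offset in file, expected bytes)
    ("zip container (AFF4 is ZIP-based)",   0, b"PK\x03\x04"),
    ("lime",                                0, struct.pack("<I", 0x4C694D45)),  # "EMiL" on disk
    ("windows crash dump (32-bit)",         0, b"PAGEDUMP"),
    ("windows crash dump (64-bit)",         0, b"PAGEDU64"),
    ("windows hiberfil",                    0, b"hibr"),
    ("windows hiberfil",                    0, b"HIBR"),
    ("elf core (qemu/virtualbox/osxpmem)",  0, b"\x7fELF"),
    ("hpak",                                0, b"HPAK"),
    ("vmware snapshot (vmsn)",              0, struct.pack("<I", 0xBED2BED2)),
    ("vmware suspend (vmss)",               0, struct.pack("<I", 0xBAD1BAD1)),
    ("mach-o 64-bit",                       0, struct.pack("<I", 0xFEEDFACF)),
    ("mach-o 32-bit",                       0, struct.pack("<I", 0xFEEDFACE)),
]

HEADER_LEN = 16  # enough to cover every magic in the table


def first_dword_le(header):
    """Return the first four bytes as a little-endian integer. This is the
    number Volatility's VMware address space prints when it rejects a file,
    so it can be compared directly with the 'Invalid VMware signature' line."""
    if len(header) < 4:
        raise ValueError("need at least 4 bytes of header")
    return struct.unpack_from("<I", header, 0)[0]


def sniff_format(header):
    """Classify a memory image by its leading bytes. Returns a label from
    SIGNATURES, or 'raw/unknown' when no container magic matches, which is
    the case where Volatility has to fall through to DTB/KDBG scanning."""
    for label, offset, magic in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return label
    return "raw/unknown"


def sniff_file(path):
    """Read only the leading bytes of a (possibly very large) image file."""
    with open(path, "rb") as f:
        header = f.read(HEADER_LEN)
    return sniff_format(header), first_dword_le(header)


# Constructed sample headers (not real captures) to exercise the checks.
SAMPLE_HEADERS = {
    "pk_container": b"PK\x03\x04" + b"\x14\x00" + b"\x00" * 10,
    "lime":         b"EMiL" + b"\x01\x00\x00\x00" + b"\x00" * 8,
    "crash64":      b"PAGEDU64" + b"\x00" * 8,
    "raw_zero":     b"\x00" * 16,
}

if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if targets:
        # e.g. python3 sniff.py mem.raw
        for p in targets:
            label, dword = sniff_file(p)
            print(f"{p}: {label} (first dword 0x{dword:x})")
    else:
        for name, hdr in SAMPLE_HEADERS.items():
            print(f"{name}: {sniff_format(hdr)} (first dword 0x{first_dword_le(hdr):x})")
```

Run it with the image path as an argument; a result other than `raw/unknown` means the file is not a flat physical image, and no Windows profile will parse it until the container has been unpacked or an address space that understands it is used, whereas `raw/unknown` means the container layer is fine and the remaining suspect really is the profile or the DTB scan.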

deeFIR commented 5 years ago

@samfree91 as you've said, it's due to the 18632 base not yet being supported. I've just had to manually parse the memdump with strings. Takes a lot longer, but can still yield sufficient results.

gleeda commented 5 years ago

Support for 18632 was added in cde27bb359ea9932027f9c7a4cdf81e585b68863