volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

help me please with windows 10 x64 18363 #713

Open xSanx opened 4 years ago

xSanx commented 4 years ago

Hello, I work on Windows 10 latest version (May 2020 update), Python 2.7. I use DumpIt for the dump file.

```
C:\Users\Александр\Desktop\work\volatility-master>vol.py -f "D:\образы систем\DumpIt\DESKTOP-S3PKQLJ-20200526-055905.raw" kdbgscan
Volatility Foundation Volatility Framework 2.6.1
Instantiating KDBG using: Unnamed AS Win10x64_18362 (6.4.18362 64bit)
Offset (V)                    : 0xf8050ac265e0
Offset (P)                    : 0x26265e0
KdCopyDataBlock (V)           : 0xf8050aaa2744
Block encoded                 : Yes
Wait never                    : 0x778a77d400d1a148
Wait always                   : 0x1a3424fe84f248
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win10x64_18362
Version64                     : 0xf8050ac2a3d8 (Major: 15, Minor: 18362)
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab)     : 18362.1.amd64fre.19h1_release.19
PsActiveProcessHead           : 0xfffff8050ac38b60 (1 processes)
PsLoadedModuleList            : 0xfffff8050ac48170 (1 modules)
KernelBase                    : 0xfffff8050a800000 (Matches MZ: True)
Major (OptionalHeader)        : 10
Minor (OptionalHeader)        : 0
KPCR                          : 0xfffff80508a4c000 (CPU 0)
KPCR                          : 0xffffc9817cd00000 (CPU 1)
KPCR                          : 0xffffc9817cd97000 (CPU 2)
KPCR                          : 0xffffc9817ce40000 (CPU 3)
```

But apihooks, driverscan, timers, callbacks don't work:

```
C:\Users\Александр\Desktop\work\volatility-master>vol.py -f "D:\образы систем\DumpIt\DESKTOP-S3PKQLJ-20200526-055905.raw" apihooks --profile=Win10x64_18362
Volatility Foundation Volatility Framework 2.6.1

C:\Users\Александр\Desktop\work\volatility-master>
```

Thank you.

AqibMukhtar commented 4 years ago

If Python 2.7 is defined in your environment variables, then try this:

```
C:\Users\Александр\Desktop\work\volatility-master>python vol.py -f "D:\образысистем\DumpIt\DESKTOP-S3PKQLJ-20200526-055905.raw" kdbgscan
```

(Note that the command starts with `python`.)

atcuno commented 4 years ago

Looking at:

```
PsActiveProcessHead : 0xfffff8050ac38b60 (1 processes)
PsLoadedModuleList : 0xfffff8050ac48170 (1 modules)
```

it appears that the linked list of modules and processes each only have 1 process found. This usually indicates a corrupt memory sample or that multiple KDBG structures are present.

Did you let kdbgscan run until it completely finished or did you stop it after the first output? If you stopped kdbgscan earlier then please re-run and let it finish fully. If other blocks of output appear, then check if any report a reasonable number of processes and modules. If so, then look for the line with "KdCopyDataBlock (V)" and pass the address it prints as:

`--kdbg=`

in future invocations of Volatility. This will ensure the proper one is used.

If you don't get any extra KDBG structures printed then the sample really is just corrupt. DumpIt has not been a stable acquisition tool since Windows 7 and often produces corrupt memory captures.
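As an added example (not Volatility's own code), a small Python 3 helper that applies the selection rule above to kdbgscan output: split the output into KDBG blocks, discard those reporting only 1 process and 1 module, and emit the `--kdbg=` value taken from the surviving block's `KdCopyDataBlock (V)`. The second block in the sample and the plausibility thresholds are constructed assumptions, not values from this issue.

```python
import re
from typing import Dict, List, Optional

# Constructed sample kdbgscan output. The first block repeats the values quoted
# in the issue; the second block is made up (placeholder addresses) to stand in
# for a second KDBG hit that reports sane process/module counts.
SAMPLE_KDBGSCAN = """\
Instantiating KDBG using: Unnamed AS Win10x64_18362 (6.4.18362 64bit)
Offset (V) : 0xf8050ac265e0
KdCopyDataBlock (V) : 0xf8050aaa2744
Profile suggestion (KDBGHeader): Win10x64_18362
PsActiveProcessHead : 0xfffff8050ac38b60 (1 processes)
PsLoadedModuleList : 0xfffff8050ac48170 (1 modules)

Instantiating KDBG using: Unnamed AS Win10x64_18362 (6.4.18362 64bit)
Offset (V) : 0xf8050bc265e0
KdCopyDataBlock (V) : 0xf8050baa2744
Profile suggestion (KDBGHeader): Win10x64_18362
PsActiveProcessHead : 0xfffff8050bc38b60 (134 processes)
PsLoadedModuleList : 0xfffff8050bc48170 (187 modules)
"""

def _grab(pattern: str, chunk: str) -> Optional[str]:
    m = re.search(pattern, chunk)
    return m.group(1) if m else None

def parse_kdbgscan(text: str) -> List[Dict[str, object]]:
    """Split kdbgscan output into one record per candidate KDBG block."""
    records = []
    for chunk in re.split(r"^Instantiating KDBG using:", text, flags=re.M)[1:]:
        records.append({
            "profile": _grab(r"Profile suggestion \(KDBGHeader\):\s*(\S+)", chunk),
            "kdcopy": _grab(r"KdCopyDataBlock \(V\)\s*:\s*(0x[0-9a-fA-F]+)", chunk),
            "processes": int(_grab(r"PsActiveProcessHead\s*:.*\((\d+) processes\)", chunk) or 0),
            "modules": int(_grab(r"PsLoadedModuleList\s*:.*\((\d+) modules\)", chunk) or 0),
        })
    return records

def choose_kdbg(records, min_processes: int = 10, min_modules: int = 50) -> Optional[str]:
    """Return the --kdbg= argument for the most plausible block, or None when
    every block looks corrupt (e.g. 1 process / 1 module). Thresholds are assumed."""
    plausible = [r for r in records
                 if r["kdcopy"] and r["processes"] >= min_processes and r["modules"] >= min_modules]
    if not plausible:
        return None
    best = max(plausible, key=lambda r: (r["processes"], r["modules"]))
    return "--kdbg=" + best["kdcopy"]

if __name__ == "__main__":
    print(choose_kdbg(parse_kdbgscan(SAMPLE_KDBGSCAN)))  # --kdbg=0xf8050baa2744
```

Feed it the full, uninterrupted kdbgscan output; if it returns None, no block reported a plausible process and module count and the capture is likely corrupt.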

xSanx commented 4 years ago

Which tool is better to use?

nganhkhoa commented 4 years ago

There are many options to dump the RAM. You can try a Windows bug check dump and notmyfault. WinPmem is another option. You can run in a VM and dump through the VM, using VBoxManage for VirtualBox. If you just want to try it out, then anything would do; if you want to do malware and stuff, put it in the VM.

DumpIt is kinda old and the original source is missing. I tried DumpIt on Windows 10 Insider, and it immediately blue screened. I don't use DumpIt anymore.