Open eightymg opened 4 years ago
atcuno
commented
4 years ago Please run:
python vol.py -f /home/kali/Desktop/MEMDUMP/User/MEMORYtest.DMP --profile=Win10x64_17134 kdbgscan
and paste the full results. Also, please ensure you use the latest master branch checkout.
eightymg
commented
4 years ago MEMORYtest.DMP --profile=Win10x64_17134 kdbgscan Volatility Foundation Volatility Framework 2.6.1
Instantiating KDBG using: Kernel AS Win10x64_17134 (6.4.17134 64bit) Offset (V) : 0xf802de59f520 Offset (P) : 0x399f520 KdCopyDataBlock (V) : 0xf802de446dec Block encoded : No Wait never : 0xf0bf040b1dce4f0e Wait always : 0x58ee5cc8085f9800 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win10x64_17134 Version64 : 0xf802de5a2d90 (Major: 15, Minor: 17134) Service Pack (CmNtCSDVersion) : 0 Build string (NtBuildLab) : 17134.1.amd64fre.rs4_release.180 PsActiveProcessHead : 0xfffff802de5af320 (0 processes) PsLoadedModuleList : 0xfffff802de5b5ce0 (0 modules) KernelBase : 0xfffff802de209000 (Matches MZ: True) Major (OptionalHeader) : 10 Minor (OptionalHeader) : 0 KPCR : 0xfffff802dba8a000 (CPU 0) KPCR : 0xffff958112681000 (CPU 2) KPCR : 0xffff9581126a6000 (CPU 3)
@atcuno Anything curious here? Also, new to github, would I have the latest master branch if I git-cloned the page and double checked by git pull in the volatility directory? Because that's what I did and I'd be happy to reinstall if needed.
atcuno
commented
4 years ago Yes, you installed the latest Volatility source correctly.
In order to help verify that the capture is stable, could you please performing the following and report the full results:
1) Run crashinfo in Volatility as:
$ python vol.py -f /home/kali/Desktop/MEMDUMP/User/MEMORYtest.DMP --profile=Win10x64_17134 crashinfo
2) Load MEMORYtest.DMP into WinDbg and run the !process command
ghost
commented
4 years ago I am also having the same issue analysing full memory crash dumps using notmyfault.exe runing windows 10 version 10.0.18362 Build 18362
Runs as expected in WinDbg
atcuno
commented
4 years ago @ipptac
Could you please paste the output from WinDbg !process ?
atcuno
commented
4 years ago @ipptac Can you also please run the crashinfo plugin of Volatility with --profile=Win10x64 18362 set (assuming 64bit, change to Win10x86 18362 if 32bit)
ghost
commented
4 years ago It does not recognise that profile ( i have assumed the whitespace was a typo) i am running the latest version of volatility 2.6.1
I have also tried convertingg it to a raw memory dump using the win10x64 profile, but that will still not analyses the data correctly.
ghost
commented
4 years ago 0: kd> !process PROCESS ffff9e853e9be080 SessionId: 1 Cid: 1088 Peb: 4977fc4000 ParentCid: 1300 DirBase: 151ee6000 ObjectTable: ffffca8a662a63c0 HandleCount: 190. Image: notmyfault64.exe VadRoot ffff9e853f6cb430 Vads 82 Clone 0 Private 470. Modified 8. Locked 0. DeviceMap ffffca8a68e45f50 Token ffffca8a6279e060 ElapsedTime 00:00:20.302 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 215104 QuotaPoolUsage[NonPagedPool] 11480 Working Set Sizes (now,min,max) (3241, 50, 345) (12964KB, 200KB, 1380KB) PeakWorkingSetSize 3165 VirtualSize 4246 Mb PeakVirtualSize 4246 Mb PageFaultCount 3313 MemoryPriority FOREGROUND BasePriority 8 CommitCharge 530 Job ffff9e8537fab420
THREAD ffff9e853e865080 Cid 1088.1268 Teb: 0000004977fc5000 Win32Thread: ffff9e853f6cc1a0 RUNNING on processor 0
THREAD ffff9e853eee3080 Cid 1088.1074 Teb: 0000004977fc7000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff9e85403a7d40 QueueObject
THREAD ffff9e853dd7f080 Cid 1088.1640 Teb: 0000004977fc9000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff9e85403a7d40 QueueObject
THREAD ffff9e853da47080 Cid 1088.10ec Teb: 0000004977fcb000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable
ffff9e85403a7d40 QueueObject@atcuno I have jsut taken a look at more issues raised here, and it seems like a pretty consitent issue, I appreciate that the core focus of deveolpment may be on volatiity3, is there a suitable way to analyses a crash dump from this windows 10 build using that ?
atcuno
commented
4 years ago It does not recognise that profile ( i have assumed the whitespace was a typo) i am running the latest version of volatility 2.6.1
I have also tried convertingg it to a raw memory dump using the win10x64 profile, but that will still not analyses the data correctly.
If you have the latest master branch checkout from here (github) then you should have Win10x64_18362. If you don't then your code is behind and you need to update.
atcuno
commented
4 years ago @ipptac @eightymg after you git pull to be up-to-date with master, please do:
git checkout -b bitmap_crashdumps
and then re-run Volatility and let me know if you get better results.
eightymg
commented
4 years ago @atcuno crashinfo gives:
Volatility Foundation Volatility Framework 2.6.1 _DMP_HEADER64: Majorversion: 0x0000000f (15) Minorversion: 0x000042ee (17134) KdSecondaryVersion 0x00000041 DirectoryTableBase 0x1e7700000 PfnDataBase 0xffffaa0000000000 PsLoadedModuleList 0xfffff802de5b5ce0 PsActiveProcessHead 0xfffff802de5af320 MachineImageType 0x00008664 NumberProcessors 0x00000004 BugCheckCode 0x000000d1 KdDebuggerDataBlock 0xfffff802de59f520 ProductType 0x00000001 SuiteMask 0x00000110 WriterStatus 0x45474150 Comment PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE DumpType BitMap Dump SystemTime 2020-07-21 21:06:28 UTC+0000 SystemUpTime 0:04:52.221691
Physical Memory Description: Number of runs: 6 FileOffset Start Address Length 00002000 00001000 00057000 00059000 00059000 00045000 0009e000 00100000 00107000 001a5000 0020b000 c4ef0000 c5095000 c5eff000 00001000 c5096000 100000000 f68a0000 1bb935000 1f689f000
And WinDBG gives:
0: kd> !process PROCESS ffffdc0d3dfea080 SessionId: 1 Cid: 3788 Peb: fe290d5000 ParentCid: 39f8 DirBase: 1e7700002 ObjectTable: ffffb38429ef1e00 HandleCount: 187. Image: notmyfault64.exe VadRoot ffffdc0d3785ced0 Vads 83 Clone 0 Private 485. Modified 10. Locked 0. DeviceMap ffffb38429bbe1f0 Token ffffb3842d679990 ElapsedTime 00:00:10.156 UserTime 00:00:00.000 KernelTime 00:00:00.000 QuotaPoolUsage[PagedPool] 248640 QuotaPoolUsage[NonPagedPool] 11744 Working Set Sizes (now,min,max) (3063, 50, 345) (12252KB, 200KB, 1380KB) PeakWorkingSetSize 2978 VirtualSize 4262 Mb PeakVirtualSize 4262 Mb PageFaultCount 3170 MemoryPriority FOREGROUND BasePriority 8 CommitCharge 573
THREAD ffffdc0d37a72700 Cid 3788.2a70 Teb: 000000fe290d6000 Win32Thread: ffffdc0d4037d1a0 RUNNING on processor 0 THREAD ffffdc0d36f00700 Cid 3788.1a44 Teb: 000000fe290d8000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable ffffdc0d3f1f2f80 QueueObject THREAD ffffdc0d36ea0080 Cid 3788.2b10 Teb: 000000fe290da000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable ffffdc0d3f1f2f80 QueueObject THREAD ffffdc0d3705b700 Cid 3788.3b70 Teb: 000000fe290dc000 Win32Thread: 0000000000000000 WAIT: (WrQueue) UserMode Alertable ffffdc0d3f1f2f80 QueueObject
ghost
commented
4 years ago So i re-installed by doing the following;
$ sudo apt-get install git $ git clone https://github.com/volatilityfoundation/volatility.git $ cd volatility/ $ sudo python setup.py install $ sudo apt-get install yara $ sudo apt-get install python-pip $ sudo -H pip install --upgrade pip $ sudo -H pip install distorm3==3.4.4 pycrypto openpyxl Pillow
this then had the profile i was missing before, although imageinfo would not detect it. Setting the profile to Win10x64_18362 now parses the crash info and outputs this;
`$ vol.py -f MEMORY.DMP --profile=Win10x64_18362 crashinfo Volatility Foundation Volatility Framework 2.6.1 _DMP_HEADER64: Majorversion: 0x0000000f (15) Minorversion: 0x000047ba (18362) KdSecondaryVersion 0x00000041 DirectoryTableBase 0x151ee6000 PfnDataBase 0xffffc58000000000 PsLoadedModuleList 0xfffff80665048190 PsActiveProcessHead 0xfffff80665038b80 MachineImageType 0x00008664 NumberProcessors 0x00000002 BugCheckCode 0x000000d1 KdDebuggerDataBlock 0xfffff806650265e0 ProductType 0x00000001 SuiteMask 0x00000110 WriterStatus 0x45474150 Comment PAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGEPAGE DumpType BitMap Dump SystemTime 2020-07-27 20:48:08 UTC+0000 SystemUpTime 1:00:43.933200
Physical Memory Description: Number of runs: 4 FileOffset Start Address Length 00002000 00001000 0009e000 000a0000 00100000 00002000 000a2000 00103000 bfed8000 bff7a000 100000000 7ff80000 13fef9000 17ff7f000 ` however when i try to run pslist, against origional dump it finds no Suitable address space mapping. when i run it against the RAW converted i get the following blank output;
`$ vol.py -f MEMORY_RAW.DMP --profile=Win10x64_18362 pslist Volatility Foundation Volatility Framework 2.6.1 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
`
ghost
commented
4 years ago I did get kdbgscan to complete, but only on the sample i converted to raw and specified the profile in the command;
Conversion;
vol.py -f MEMORY.DMP --profile=Win10x64_18362 imagecopy -O MEMORY_RAW.DMP
kdbgscan;
`vol.py -f MEMORY_RAW.DMP --profile=Win10x64_18362 kdbgscan Volatility Foundation Volatility Framework 2.6.1
Instantiating KDBG using: Kernel AS Win10x64_18362 (6.4.18362 64bit) Offset (V) : 0xf801224265e0 Offset (P) : 0x28265e0 KdCopyDataBlock (V) : 0xf801222a2734 Block encoded : No Wait never : 0x636e23312c0de4a4 Wait always : 0x64e7de3eb7178989 KDBG owner tag check : True Profile suggestion (KDBGHeader): Win10x64_18362 Version64 : 0xf8012242a3c8 (Major: 15, Minor: 18362) Service Pack (CmNtCSDVersion) : 0 Build string (NtBuildLab) : 18362.1.amd64fre.19h1_release.19 PsActiveProcessHead : 0xfffff80122438b80 (0 processes) PsLoadedModuleList : 0xfffff80122448190 (0 modules) KernelBase : 0xfffff80122000000 (Matches MZ: True) Major (OptionalHeader) : 10 Minor (OptionalHeader) : 0 KPCR : 0xfffff8011fb17000 (CPU 0) KPCR : 0xffff9c80555e5000 (CPU 1)`
So based on this; PsActiveProcessHead : 0xfffff80122438b80 (0 processes) PsLoadedModuleList : 0xfffff80122448190 (0 modules)
it looks like its not identifying any processes in the dump, however there was definetly stuff running at the time of me triggering the Notmyfault crash.
for clarity when running the origional memory dump in windbg and running
!process 0 0
i get a full break down of all the processes so they are present in the origional dump
ghost
commented
4 years ago output from imageinfo;
vol.py -f MEMORY_RAW.DMP --profile=Win10x64_18362 imageinfo Volatility Foundation Volatility Framework 2.6.1 INFO : volatility.debug : Determining profile based on KDBG search... Suggested Profile(s) : Win10x64_18362 AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS) AS Layer2 : FileAddressSpace (/home/luke/MEMORY_RAW.DMP) PAE type : No PAE DTB : 0x1aa000L KDBG : 0xf801224265e0L Number of Processors : 2 Image Type (Service Pack) : 0 KPCR for CPU 0 : 0xfffff8011fb17000L KPCR for CPU 1 : 0xffff9c80555e5000L KUSER_SHARED_DATA : 0xfffff78000000000L Image date and time : 2020-07-28 08:40:29 UTC+0000 Image local date and time : 2020-07-28 09:40:29 +0100
atcuno
commented
4 years ago @eightymg Did you mean to close this?
atcuno
commented
4 years ago @ipptac Can you please test using the bitmap_crashdumps branch? I don't see the branch switch in your commands.
ghost
commented
4 years ago @actuno, sorry for not making it clear, that was on the requested branch
ghost
commented
4 years ago @atcuno has there been any progress on this issue? I have managed to analyse the memory dump using Rekall, but would prefer to use Volatility if I can.
mydockergit
commented
4 years ago @ipptac how did you installed Rekall? I tried to install it on Linux and Windows, it is a nightmare, can't get it to work.
Hi all. Been working with Volatility for a decent amount of time now, pretty familiar with how it is supposed to work but I would still consider myself wet behind the ears.
Trying to analyze a dump created by a friend using NotMyFault on a Windows 10 1803 machine. 8gb .dmp file, but loading it into volatility doesn't give me any good results. I even tried imagecopy to (by any stroke of luck) convert it to a .raw format because that is what I'm used to and no luck there either. Full read/write permissions on the file by the way.
Kind of at a loss here really. Using the latest cloned version of volatility as of this post, python 2.7.18 on a VBox kali setup. Apparently this version of Windows is supported but I can't get anything to work- imageinfo actually looks like a decent reply:
But no processes makes it a little difficult to start anywhere. I tried multiple additional commands over the other profiles and nothing.
Anyone have any advice?