volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

Guide for creating a Windows profile for Win10 19042? #760

Open swepeba opened 3 years ago

swepeba commented 3 years ago

Hi, I have read several guides explaining how to create Linux profiles to be used by Volatility, but I cannot find any guide for creating new Windows profiles. I know that there is a Python script (volatility/framework/symbols/windows/pdbconv.py) in Volatility3, but the output from that one differs from the vtypes file used by Volatility2.

Right now, I have a Windows 10 (19042) memory dump that is correctly identified and processed by Volatility3. I have tried to use the identified DTB value (from windows.info in Volatility3) together with the Win10x64_18362 profile in Volatility2, but most of the modules produce garbage output because of the wrong profile. Pslist does work, but Psscan does not. Imageinfo in Volatility2 does not give any profile suggestion at all.

Anyone know how to create a profile for Windows 10 (19042)? Any kind of hint will be appreciated. I can try to create one and make it public, but need some intro first.

Thanks!

iMHLv2 commented 3 years ago

There's a 19041 profile in the repo now, which should probably work for 19042, but let me know if it doesn't.

kidrek commented 3 years ago

Hi swepeba. I'm working on a methodology to create a Windows profile. Did you generate your own Windows 10 (19042) profile? Can you share your steps with me? Thanks for your help.

swepeba commented 3 years ago

@kidrek: My idea was to use the profile downloaded by Volatility 3 to get the values and then translate it to Volatility 2. I started to change the values in a clone of the 18362 profile. This is very time-consuming manual work, so I started to look inside the source code to get the values used by Psscan. That was not too hard, I thought, but it was not good enough. After spending several hours over several evenings I gave up. The updated profile for 19041 did not work. What methodology do you plan to use?

atcuno commented 3 years ago

@swepeba could you please elaborate on 'did not work', specifically could you answer these:

1) Did you do a git pull of the latest master branch?

2) You used --profile=Win10x64_19041 as the profile?

3) Does pslist work with it still?

4) Is psscan still broken?

5) Have you tried any other plugins?

alb3rn4z commented 3 years ago

Can someone help with Windows profile creation? Is there any tutorial to be found on the web? I think this is an important topic to help analysts worldwide analyse the most recent Windows memory dumps.

certxlm commented 3 years ago

Hi,

@atcuno We tested the profile Win10x64_19041 on a Windows 10, 64-bit, build 19042, and it almost works. The plugins pslist and psscan work. However, some others seem broken (not all were tested):

Is there a plan to create a profile for 19042?

alb3rn4z commented 3 years ago

> Hi swepeba. I'm working on a methodology to create a Windows profile. Did you generate your own Windows 10 (19042) profile? Can you share your steps with me? Thanks for your help.

Did you advance in this methodology? Please, give us some hope! :)

Y1ng0 commented 3 years ago

I also need help.

Beercow commented 2 years ago

The process for creating a profile for Windows is as follows:

1) taking ntoskrnl.exe from disk or moddump

2) using pdbparse to generate vtypes

https://github.com/moyix/pdbparse

# fetch the matching ntkrnlmp.pdb for this ntoskrnl.exe from the Microsoft symbol server
symchk.py -e ntoskrnl.exe
# emit Volatility 2 vtypes from the PDB type stream
pdb_tpi_vtypes.py ntkrnlmp.pdb > dump.txt

dump.txt will contain the vtypes for Volatility. 

3) plugging in the vtypes into volatility

These steps are only effective if structure offsets change. If data enumeration algorithms change, or things of that nature, then the steps are obviously different, and you just need to approach that on a case-by-case basis.

swepeba commented 2 years ago

@Beercow: Wow, thanks a lot for the steps! It worked just great!

Remember to name dump.txt after the build version you generated the vtypes from, e.g. win10_x64_19043_1348_vtypes.py. Then add the new profile to win10.py to get it to work.

I can see that there are some plugins, e.g. svcscan and timers, that include additional content for 19041, so be aware of the need for additional changes to some plugins when you create a new profile.

@atcuno and @Beercow: How do I verify the signature value (win10.py, line 91-) of a newly created profile to know if the code needs to be updated?
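The two comments above describe the vtypes pipeline (pdbparse output dropped into Volatility 2) and the caveat that some plugins carry build-specific code beyond the structure offsets. Below is an added example, not code from the thread, from Volatility or from pdbparse, that shows the check a practitioner would run after generating a new vtypes file: diff the new build's vtypes against the closest existing profile to see which structures and member offsets actually moved, and confirm that the members a plugin dereferences still exist. It assumes the dictionary layout that pdb_tpi_vtypes.py emits (`{'_STRUCT': [size, {'Member': [offset, [type...]]}]}`) and that a generated `*_vtypes.py` binds that dict to a name such as `ntkrnlmp_types` (an assumption; check the top of your generated file). The sample vtypes embedded in the script are constructed for illustration and are not real Windows offsets.

```python
"""Diff two Volatility 2 vtypes dictionaries and check plugin dependencies.

Added example for this thread; it is not part of Volatility or pdbparse.
It assumes the dictionary layout that pdb_tpi_vtypes.py emits:
    { '_STRUCT': [ size, { 'Member': [ offset, [ type ... ] ], ... } ], ... }
and that a generated *_vtypes.py file binds that dict to a name such as
ntkrnlmp_types (an assumption; verify it against your generated file).
"""
import importlib.util
import sys

# Constructed sample vtypes for two hypothetical kernel builds. The sizes and
# offsets below are made up for illustration and are NOT real Windows offsets;
# pass two generated *_vtypes.py paths on the command line to diff real ones.
OLD_BUILD_VTYPES = {
    '_EPROCESS': [0x880, {
        'Pcb': [0x0, ['_KPROCESS']],
        'UniqueProcessId': [0x440, ['pointer64', ['void']]],
        'ActiveProcessLinks': [0x448, ['_LIST_ENTRY']],
        'ImageFileName': [0x5a8, ['array', 15, ['unsigned char']]],
    }],
    '_KTIMER': [0x40, {
        'Header': [0x0, ['_DISPATCHER_HEADER']],
        'DueTime': [0x18, ['_ULARGE_INTEGER']],
    }],
    '_OBJECT_HEADER': [0x38, {
        'PointerCount': [0x0, ['long long']],
        'HandleCount': [0x8, ['long long']],
        'TypeIndex': [0x18, ['unsigned char']],
    }],
    '_MM_AVL_TABLE': [0x40, {
        'BalancedRoot': [0x0, ['_MMADDRESS_NODE']],
    }],
}

NEW_BUILD_VTYPES = {
    '_EPROCESS': [0x8c0, {                       # constructed: struct grew
        'Pcb': [0x0, ['_KPROCESS']],
        'UniqueProcessId': [0x440, ['pointer64', ['void']]],
        'ActiveProcessLinks': [0x448, ['_LIST_ENTRY']],
        'ImageFileName': [0x5e8, ['array', 15, ['unsigned char']]],  # moved
    }],
    '_KTIMER': [0x40, {                          # unchanged
        'Header': [0x0, ['_DISPATCHER_HEADER']],
        'DueTime': [0x18, ['_ULARGE_INTEGER']],
    }],
    '_OBJECT_HEADER': [0x38, {                   # constructed: member added
        'PointerCount': [0x0, ['long long']],
        'HandleCount': [0x8, ['long long']],
        'TypeIndex': [0x18, ['unsigned char']],
        'TraceFlags': [0x19, ['unsigned char']],
    }],
    '_RTL_AVL_TREE': [0x8, {                     # constructed: replaces _MM_AVL_TABLE
        'Root': [0x0, ['pointer64', ['_RTL_BALANCED_NODE']]],
    }],
}


def diff_vtypes(old, new):
    """Return {struct: change} for every structure that differs.

    change is {'status': 'added'|'removed'} for whole structures; otherwise a
    dict with optional 'size': (old, new) and 'members': {name: (old, new)},
    where a member missing on one side is reported with offset None.
    """
    changes = {}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            changes[name] = {'status': 'added'}
            continue
        if name not in new:
            changes[name] = {'status': 'removed'}
            continue
        old_size, old_members = old[name]
        new_size, new_members = new[name]
        entry = {}
        if old_size != new_size:
            entry['size'] = (old_size, new_size)
        moved = {}
        for member in sorted(set(old_members) | set(new_members)):
            old_off = old_members[member][0] if member in old_members else None
            new_off = new_members[member][0] if member in new_members else None
            if old_off != new_off:
                moved[member] = (old_off, new_off)
        if moved:
            entry['members'] = moved
        if entry:
            changes[name] = entry
    return changes


def missing_members(vtypes, required):
    """Return the (struct, member) pairs in `required` that `vtypes` lacks.

    `required` is the list of members a plugin dereferences; anything returned
    here means the plugin needs more than a regenerated vtypes file.
    """
    return [(s, m) for s, m in required
            if s not in vtypes or m not in vtypes[s][1]]


def load_vtypes_file(path, dict_name='ntkrnlmp_types'):
    """Import a generated *_vtypes.py and return the dict it defines."""
    spec = importlib.util.spec_from_file_location('generated_vtypes', path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return getattr(module, dict_name)


def format_changes(changes):
    """Render diff_vtypes() output as one text line per change."""
    show = lambda v: 'absent' if v is None else '0x%x' % v
    lines = []
    for name, change in changes.items():
        if 'status' in change:
            lines.append('%s: %s' % (name, change['status']))
            continue
        if 'size' in change:
            lines.append('%s: size %s -> %s' % (name, show(change['size'][0]),
                                                show(change['size'][1])))
        for member, (old_off, new_off) in change.get('members', {}).items():
            lines.append('%s.%s: %s -> %s' % (name, member, show(old_off), show(new_off)))
    return lines


if __name__ == '__main__':
    if len(sys.argv) == 3:
        old, new = (load_vtypes_file(p) for p in sys.argv[1:3])
    else:
        old, new = OLD_BUILD_VTYPES, NEW_BUILD_VTYPES
    print('\n'.join(format_changes(diff_vtypes(old, new))))
    # Constructed list of members a process-scanning plugin might dereference.
    print('missing:', missing_members(new, [('_EPROCESS', 'ImageFileName'),
                                           ('_MM_AVL_TABLE', 'BalancedRoot')]))
```

Run it as `python vtypes_diff.py win10_x64_19041_vtypes.py win10_x64_19043_1348_vtypes.py` (hypothetical file names) after generating the new file. Structures that show only size or offset changes are handled by the vtypes file alone; a member that comes back from `missing_members` for a structure a plugin walks is the signal that the plugin itself, not just the profile, needs a build-specific branch.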

Beercow commented 2 years ago

@swepeba I’ll have to look into that. I don’t think that was in there the last time I built a profile.

smertin123 commented 2 years ago

Has anyone had an issue with ntoskrnl.exe? When I try to run it, it states that it cannot be run in Win32 mode. I have tried this on multiple 64-bit systems now, though, and I'm receiving the same error. I've played around with compatibility options but had no luck. I've also tried forcing a stop to running in 32-bit mode with CorFlags, but it states the file has no valid managed header.