volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

No results from plugin windows.handles.Handles #870

Closed mikeInCalgary closed 4 months ago

mikeInCalgary commented 4 months ago

Working on a CTF for memory forensics. The memory file obtained by dumpit.exe works just great across a wide range of plugins - thanks! However, windows.handles.Handles does not work - it just gives blank output. Have tried various levels of messages with no success in getting it to run yet. Output looks like this. Output with debugging output is attached.

Volatility 3 Framework 2.5.2

PID Process Offset HandleValue Type GrantedAccess Name

Have looked through the issues and ensured that pycryptodome, jsonschema and capstone are all installed. Have attached files with the output as shown below.

fullOutputWith_vvvv.txt shortOutput.txt

Have tried debugging with volatility3 on Win10, Kali and Parrot. Today I put in a few print statements to figure out where things have stopped working. In shortOutput.txt the "Volatility3 Framework 2.5.3" line is at line 9. Then line 12 shows the automagic for Windows. Then output goes back to handles.py at lines 13 and 14. After this, at line 15, the program goes back to automagic. The balance after that seems to go back to handles.py. Wondering if some threads have got out of order. The output line starting with PID (line 26) then gets printed out, and the generator and get_type_map functions kick in. Looks like there is no data, and some kind of configuration, symbols or data from the kernel module that are required to produce output aren't being captured. Did try reloading the symbol tables as suggested by one of the "solutions" on the web.

The base memory dump is in the public domain at: https://github.com/SecurityNik/CTF. So it's possible to run this as a test. Also ran on earlier 2.1 version on a Parrot Linux. Works great - except for handles.

Would appreciate any help or assistance you can provide.

mikeInCalgary commented 4 months ago

This might help too - it shows system type etc. info. Info.txt