
volatility's Introduction

Hi there 👋

  • 🔭 I’m currently working on incident response & digital forensics (DFIR), cyber security consulting/blue teaming services, system/internal penetration testing/red teaming.
  • 🌱 I’m currently learning Mathematics for Computer Science and Security Engineering.
  • 👯 I’m looking to collaborate on study/researching state-of-the-art tools, techniques, tactics in binary analysis and reverse engineering.
  • 🤔 I’m looking for help with business development in Vietnam.
  • 💬 Ask me about any Cyber Security questions if you need Cyber Security Consulting (securing accounts/systems, system security assessments, cyber-security maturity assessment, suspicious/malicious file examination,...) or have a malware/hacking outbreak and need an incident compromise assessment (how and when a hacker got into your system, what post-exploitation activities they did in your system,...), malware remediation help, securing your systems and digital assets.
  • 📫 How to reach me: +84962797946 (WhatsApp, Viber, Signal), LinkedIn (https://www.linkedin.com/in/trietptm/), Twitter DM (https://twitter.com/MinhTrietPT) or reach me via our company Facebook page for our reverse engineering online courses: https://www.facebook.com/novasec.vn.


volatility's People

Contributors: gleeda, ikelos, imhlv2, scudette


volatility's Issues

moddump port for 1.4

Hey guys, 

Here's a port of moddump for 1.4. Potential issues are that it inherits from 
procdump.ProcExeDump instead of disk vs mem being optional, and I've only 
tested it on XP[1,2,3] memory samples.

Original issue reported on code.google.com by [email protected] on 15 Oct 2010 at 3:29

HiveAddressSpace.__init__ needs to accept a config parameter

Hey guys, when trying to use printkey I got this error:

$ python volatility.py printkey -o OFFSET -f MEM.DMP

Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
  File "volatility.py", line 126, in <module>
    main()
  File "volatility.py", line 117, in main
    command.execute()
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 77, in execute
    # with backslash.
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/plugins/registry/printkey.py", line 82, in calculate
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/win32/hive.py", line 47, in __init__
TypeError: __init__() takes exactly 3 arguments (2 given)

So we just need to change hive.py like this:

class HiveAddressSpace(addrspace.BaseAddressSpace):
    def __init__(self, config, baseAddressSpace, hive_addr):
        addrspace.BaseAddressSpace.__init__(self, baseAddressSpace, config)

And then alter printkey.py:

hive = hivemod.HiveAddressSpace(self._config, addr_space, self._config.hive_offset)

The same may also need to be done for lsadump. 

Original issue reported on code.google.com by [email protected] on 9 Dec 2010 at 10:16

printkey has a conflicting option string

Hey guys, 

The printkey plugin has a conflicting option string. You change it by modifying 
the line in plugins/registry/printkey.py from:

config.add_option('KEY', short_option = 'k',

To:

config.add_option('KEY', short_option = 'K', # just an uppercase K


Original issue reported on code.google.com by [email protected] on 25 Aug 2010 at 8:40

'connections' plugin breaks with InvalidOffsetError on windows 7 x86 image

Host machine: 32-bit Windows 7 with Python 2.7.

C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py connections --profile=Win7SP0x86  -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "C:\Users\admin\Desktop\vol\volatility\commands.py", line 72, in execute
    data = self.calculate()
  File "C:\Users\admin\Desktop\vol\plugins\internal\connections.py", line 56, in calculate
    result = network.determine_connections(addr_space)
  File "C:\Users\admin\Desktop\vol\volatility\win32\network.py", line 104, in determine_connections
    target = obj.Curry(obj.Pointer, '_TCPT_OBJECT'))
  File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 631, in __init__
    parent = parent, name = name)
  File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 301, in __init__
    raise InvalidOffsetError("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name))
volatility.obj.InvalidOffsetError: Invalid Address 0xC73B2C46, instantiating None

Original issue reported on code.google.com by [email protected] on 18 Aug 2010 at 1:38

  • Blocking: #9
  • Merged into: #6

Task.handles doesn't return all the handles that volatility-1.3.2 returned

I am missing output for the files command on some PIDs here is a sample:

$ ./volatility.py files -f ~/Work/volatility/xpsp3.vmem profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Pid:      4
File   \pagefile.sys                           
File   \WINDOWS\system32\config\default        
File   \System Volume Information\_restore{57726F20-9F0F-4D22-B53C-B6F197BAA74A}\RP72\change.log
File   \Topology                               
************************************************************************

now for 1.3.2:

$ ./volatility files -f /Users/gleeda/Work/volatility/xpsp3.vmem

************************************************************************
Pid: 4    
File   \pagefile.sys    
File   \WINDOWS\system32\config\default    
File   \System Volume Information\_restore{57726F20-9F0F-4D22-B53C-B6F197BAA74A}\RP72\change.log
File   \WINDOWS\system32\config\system    
File   \WINDOWS\system32\config\SECURITY    
File   \WINDOWS\system32\config\SECURITY.LOG   
File   \WINDOWS\system32\config\software    
File   \WINDOWS\system32\config\software.LOG   
File   \WINDOWS\system32\config\system.LOG    
File   \WINDOWS\system32\config\default.LOG    
File   \WINDOWS\system32\config\SAM    
File   \WINDOWS\system32\config\SAM.LOG    
File   \Documents and Settings\NetworkService\ntuser.dat.LOG
File   \Documents and Settings\NetworkService\NTUSER.DAT
File   \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
File   \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
File   \Documents and Settings\LocalService\ntuser.dat.LOG
File   \Documents and Settings\LocalService\NTUSER.DAT
File   \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
File   \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
File   \Documents and Settings\Administrator\NTUSER.DAT
File   \Documents and Settings\Administrator\ntuser.dat.LOG
File   \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
File   \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
File   \255    
File   \WINDOWS\Temp\hlktmp    
File   \    
File   \47    
File   \Topology    
************************************************************************

I get the same with or without "profile=WinXPSP3"

Original issue reported on code.google.com by [email protected] on 29 Aug 2010 at 5:17

procexedump AttributeError with profile

Hey guys, 

I've been seeing this problem:

$ python volatility.py procexedump -f d0.vmem -p 1504 --dump-dir=out
Volatile Systems Volatility Framework 1.4_rc1
************************************************************************
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 98, in execute
    func(outfd, data)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/internal/procdump.py", line 54, in render_text
    if task.Peb.ImageBaseAddress == None or task_space == None or task_space.vtop(task.Peb.ImageBaseAddress) == None:
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/addrspace.py", line 84, in __eq__
    return  self.profile == other.profile and \
AttributeError: 'NoneType' object has no attribute 'profile'

It seems to happen anytime you test an address space with None like this:

ps_ad = p.get_process_address_space()
if ps_ad == None: # this will cause the issue 

Original issue reported on code.google.com by [email protected] on 9 Sep 2010 at 2:24

win32/network functions rely on hardcoded offsets into tcpip.sys - need updating and moving to profiles

Host changed to a 32-bit Windows 7 running Python 2.7. The image is still the same x86 Windows 7 image.

C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py sockets --profile=Win7SP0x86  -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "C:\Users\admin\Desktop\vol\volatility\commands.py", line 72, in execute
    data = self.calculate()
  File "C:\Users\admin\Desktop\vol\plugins\internal\sockets.py", line 40, in calculate
    result = win32.network.determine_sockets(addr_space)
  File "C:\Users\admin\Desktop\vol\volatility\win32\network.py", line 139, in determine_sockets
    target = obj.Curry(obj.Pointer, "_ADDRESS_OBJECT"))
  File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 631, in __init__
    parent = parent, name = name)
  File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 301, in __init__
    raise InvalidOffsetError("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name))
volatility.obj.InvalidOffsetError: Invalid Address 0x7CCC153B, instantiating None

Original issue reported on code.google.com by [email protected] on 18 Aug 2010 at 1:34

  • Blocking: #9

Caching generators that contain generators store empty lists

I found this whilst examining memdump, which returns a generated list of (pid, 
task, pages) where pages is a generator (get_available_pages).

What happens is that the decorator calls generate on the outer generator.  The 
individual results are appended to the payload and then yielded.  At the end, 
the payload is dumped.  The problem is that, due to the yield, any 
sub-generators may get traversed before the dump happens.  Then, by the time 
they come to be dumped, they return no results.

I've attached a proposed patch, which I'll apply if scudette's happy with it?  
The idea is simply to always flatten all available generators.  This will have 
side effects on functions that terminate the generator early, don't iterate 
through it completely.  I've kept flatten_generators as a method of the node so 
that blocking nodes can pass on the generators without interruption.

The only other solution I can think of is replacing each generator with a 
caching generator wrapper such that when it generates a value, the value is 
cached (and in the right place).  That doesn't strike me as a trivial piece of 
engineering, but without it certain caching operations may be much slower than 
simply running the plugin without any caching.

Original issue reported on code.google.com by [email protected] on 23 Aug 2010 at 12:48

vadinfo command issue with vad.Flags

Hey guys, 

I'm getting this error using vadinfo on XP SP2 and SP3 samples. 

$ python volatility.py vadinfo -f mem.vmem
Volatile Systems Volatility Framework 1.4_rc1
************************************************************************
Pid:      4
VAD node @823c4200 Start 00010000 End 00033fff Tag Vad 
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 96, in execute
    func(outfd, data)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/internal/vadinfo.py", line 49, in render_text
    self.write_vad_short(outfd, vad)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/internal/vadinfo.py", line 65, in write_vad_short
    outfd.write("Flags: {0}\n".format(vad.Flags))
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 773, in __getattribute__
    return self.m(attr)
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 758, in m
    parent = self, name = attr)
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 280, in Object
    **kwargs)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/Basic.py", line 88, in __init__
    obj.NativeType.__init__(self, targetType, offset, vm, parent, **args)
TypeError: __init__() got multiple values for keyword argument 'theType'

Original issue reported on code.google.com by [email protected] on 27 Aug 2010 at 7:22

vadinfo plugin uses Flags for a member u in the _MMVAD XPSP3 vtype

root@newubuntu:~/vol# python volatility.py vadinfo --profile=WinXPSP3 -f winXP-32-SP3.vmem
Volatile Systems Volatility Framework 1.4_rc1
************************************************************************
Pid:      4
VAD node @81bcc2c0 Start 00010000 End 00033fff Tag Vad
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "/home/x/vol/volatility/commands.py", line 96, in execute
    func(outfd, data)
  File "/home/x/vol/plugins/internal/vadinfo.py", line 49, in render_text
    self.write_vad_short(outfd, vad)
  File "/home/x/vol/plugins/internal/vadinfo.py", line 65, in write_vad_short
    outfd.write("Flags: {0}\n".format(vad.Flags))
  File "/home/x/vol/volatility/obj.py", line 773, in __getattribute__
    return self.m(attr)
  File "/home/x/vol/volatility/obj.py", line 755, in m
    offset = int(offset) + int(self.offset)
TypeError: int() argument must be a string or a number, not 'function'

Original issue reported on code.google.com by [email protected] on 26 Aug 2010 at 1:38

moddump needs the find_space function

Hey guys, 

One flaw in the moddump I submitted last week - it's missing BDG's original 
find_space function. Thus, it cannot dump a few modules (namely win32k.sys). 
Here is a new version of moddump.py and a patch file (not sure which you 
prefer). 

Old version:

$ python volatility.py moddump -f mem.vmem -r win32k -D out
Volatile Systems Volatility Framework 1.4_rc1
Cannot dump win32k.sys at bf800000

New version:

$ python volatility.py moddump -f mem.vmem -r win32k -D out
Volatile Systems Volatility Framework 1.4_rc1
Dumping win32k.sys, Base: bf800000 output: driver.bf800000.sys

One thing we could consider doing in the future is adding the find_space 
function to the address space object and having it automatically perform this 
search when a user tries to read an address in kernel memory. In WinDbg, you 
have to switch to a context of a process with at least one GUI thread before 
reading memory owned by win32k.sys...so we could essentially handle that 
context switch on the fly. 

Btw, can someone remind me how to use the plugins in the contrib directory? I 
know they don't show up in the list of plugins by default, and also the 
--plugins=contrib/ doesn't work. Lately I've been copying plugins from the 
contrib directory into the plugins directory to use them, which kinda defeats 
the purpose of putting them in contrib ;-) 

Thanks.

Original issue reported on code.google.com by [email protected] on 18 Oct 2010 at 2:48

Possible to suppress Memory Not Accessible messages?

Hey guys - not a defect here, more of a small inconvenience. A lot of the 
malware plugins inherit from procdump.ProcExeDump. When detecting API hooks, we 
have to rebuild all DLLs in a process, which results in thousands of these:

Memory Not Accessible: Virtual Address: 0x402000 File Offset: 0x1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x403000 File Offset: 0x1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x404000 File Offset: 0x1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x405000 File Offset: 0x1000 Size: 0x1000

To see the output of the command, we have to do:

$ python volatility.py apihooks -f mem.dmp | egrep -v 'Memory Not Accessible'

Is there a way we can suppress the messages (or make them optional) so that the 
egrep isn't needed?

Thank you.

Original issue reported on code.google.com by [email protected] on 14 Oct 2010 at 9:37

Caching framework doesn't invalidate cache nodes on changed config options

Sorry to keep pestering you with these, but I figure it's best to have a 
placeholder so that we can discuss them.

At the moment, running memdump with -p 1 followed by memdump -p 2 will fail 
because memdump caches the output of dlllist, which is filtered based on 
config.PID.

The solution that comes to mind immediately is to cache the config object 
entirely, and then verify that all they are the same.  If not, then invalidate 
the cache.  We'll probably have to add in a function that returns all the 
(relevant/cache-changing) options to make it easy to store and later verify.  
Then we'll have to assume that all options are cache-affecting by default, and 
go around turning off those that aren't.

This might sidestep the need to hand plugins their own config objects (at least 
for caching, not for use as a library), however it has the downside that a 
config item which isn't used will still invalidate the cache.  Since each 
plugin only sees its own options (-p on a plugin that doesn't support it will 
raise a help message), this may not be a problem.

Original issue reported on code.google.com by [email protected] on 23 Aug 2010 at 11:38
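The two caching issues above (generators nested in cached payloads coming back empty, and cache nodes not being invalidated when config options change) are illustrated together below. This is an added example, not Volatility's own cache.py: the `memdump` stand-in, the `naive_cached_run` reproduction and the `ConfigKeyedCache` class are all constructed here, and the "every option is cache-affecting unless opted out" rule follows the proposal in the second issue.

```python
import functools
import types


def flatten_generators(value):
    """Recursively materialise generators so a cached payload keeps its data.

    Generators nested inside tuples/lists (like the (pid, pages) records the
    memdump stand-in yields) are drained into lists; anything else is returned
    as-is. The trade-off noted in the issue applies: a consumer that would have
    stopped early no longer saves any work, because everything is drained up front.
    """
    if isinstance(value, types.GeneratorType):
        return [flatten_generators(item) for item in value]
    if isinstance(value, tuple):
        return tuple(flatten_generators(item) for item in value)
    if isinstance(value, list):
        return [flatten_generators(item) for item in value]
    return value


def _pages(pid):
    # Constructed stand-in for get_available_pages(): three fake page addresses per task.
    for i in range(3):
        yield pid * 0x10000 + i * 0x1000


def memdump(config):
    """Constructed stand-in for the memdump plugin: yields (pid, pages) with pages a
    generator, filtered on the PID option just as the real plugin filters on config.PID."""
    for pid in (4, 252):
        if config.get("pid") is not None and pid != config["pid"]:
            continue
        yield (pid, _pages(pid))


def naive_cached_run(plugin, config):
    """Reproduce the first bug: items are appended to the payload as they are yielded
    and the payload is dumped only after the outer generator finishes. By then the
    consumer has already drained every inner generator, so the dump holds no pages."""
    payload = []

    def caching_generate():
        for item in plugin(config):
            payload.append(item)
            yield item

    consumed = [(pid, list(pages)) for pid, pages in caching_generate()]
    dumped = [(pid, list(pages)) for pid, pages in payload]  # inner generators exhausted
    return consumed, dumped


class ConfigKeyedCache:
    """In-memory cache keyed on the plugin name plus every config option except those
    explicitly marked as not cache-affecting, so `memdump -p 1` and `memdump -p 2`
    land in different cache nodes while a cosmetic option such as verbosity does not."""

    def __init__(self, non_cache_affecting=()):
        self.store = {}
        self.ignored = set(non_cache_affecting)
        self.hits = 0
        self.misses = 0

    def key(self, name, config):
        relevant = tuple(sorted((k, v) for k, v in config.items() if k not in self.ignored))
        return (name, relevant)

    def cached(self, plugin):
        @functools.wraps(plugin)
        def wrapper(config):
            key = self.key(plugin.__name__, config)
            if key in self.store:
                self.hits += 1
            else:
                self.misses += 1
                # Flatten before storing so nested generators survive the dump.
                self.store[key] = flatten_generators(plugin(config))
            return iter(self.store[key])
        return wrapper


if __name__ == "__main__":
    consumed, dumped = naive_cached_run(memdump, {"pid": 4})
    print("consumer saw:", consumed)
    print("naive dump kept:", dumped)
    cache = ConfigKeyedCache(non_cache_affecting=("verbose",))
    cached_memdump = cache.cached(memdump)
    list(cached_memdump({"pid": 4, "verbose": False}))
    list(cached_memdump({"pid": 4, "verbose": True}))    # same key: hit
    list(cached_memdump({"pid": 252, "verbose": False}))  # PID changed: miss
    print("hits:", cache.hits, "misses:", cache.misses)
```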

mutantscan plugin breaks on XP SP3 32 bit

root@newubuntu:~/vol# python volatility.py mutantscan -f winXP-32-SP3.vmem --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Phys.Addr. Obj Type   #Ptr #Hnd Signal Thread     CID        Name
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "/home/x/vol/volatility/commands.py", line 96, in execute
    func(outfd, data)
  File "/home/x/vol/plugins/internal/filescan.py", line 276, in render_text
    self.parse_string(object_name_info_obj.Name)
AttributeError: 'NoneType' object has no attribute 'Name'
root@newubuntu:~/vol#

Run from a Linux 32-bit machine.

Original issue reported on code.google.com by [email protected] on 26 Aug 2010 at 1:18

Request for a plugin to interactively explore a memory image

Hi guys,

Just figured I'd make a place to watch what goes on with respect to making a 
console that allows people to do "dt" commands and so on.  I've had a first 
stab at converting volshell to 1.4.  It's not completely converted (I'm not 
sure what context offsets are supposed to be, whether from flat or kernel or 
process space) and mostly dt doesn't work properly yet, but it should be a base 
to go from...

Feel free to submit new versions/diffs of fixes, and when it's in a good 
working order, we can commit it as a core plugin.

Original issue reported on code.google.com by [email protected] on 3 Dec 2010 at 4:22

volatility doesn't mask off integer bits making printing / displaying more difficult than necessary

The basic problem is that Python has the idea of "infinite" sign extension when 
dealing with negative numbers that makes dealing with them really annoying. 
Here is an example from the Python interpreter:

>>> x = 255
>>> print "%x" % x
ff
>>> x = -1
>>> print "%x" % x
-1
>>> x = x & 0xffffffff
>>> print "%x" % x
ffffffff
>>>

>>> x = -1
>>> type(x)
<type 'int'>
>>> x = x & 0xffffffff
>>> type(x)
<type 'long'>
>>>

As you can see, when x is "-1" Python doesn't treat it as a 4 byte 32 bit 
integer but instead treats it as the magic infinitely sign extended number. 
Only after masking off 32 bits does it then switch to a regular 4 byte 'long' 
as opposed to the magic 'int'.

So I guess I was wondering if the handler code for obj.Object would be able to 
perform the 32bit mask on all integers in structures? If not, the 
render_* functions will be long and complicated as all the integer members will 
need to be chopped.

Original issue reported on code.google.com by [email protected] on 21 Nov 2010 at 10:29
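The masking the report asks for, generalised from the 32-bit case to any member width, as an added example (not Volatility's obj.Object): the vtype, member names and raw bytes below are constructed for the demonstration, and `struct` plays the part of the address space read.

```python
import struct


def mask_to_width(value, size):
    """Return the two's complement bit pattern of value as a non-negative int of
    `size` bytes: the `x & 0xffffffff` trick from the report for any width."""
    return value & ((1 << (size * 8)) - 1)


def to_signed(value, size):
    """Inverse direction: reinterpret a masked bit pattern as a signed value."""
    bits = size * 8
    value &= (1 << bits) - 1
    return value - (1 << bits) if value & (1 << (bits - 1)) else value


def format_hex(value, size):
    """Fixed-width hex rendering, so -1 in a 4-byte member prints as 0xffffffff."""
    return "0x{0:0{1}x}".format(mask_to_width(value, size), size * 2)


# Constructed example vtype: (member name, size in bytes, struct format code).
# The signed codes stand in for members that come back from the reader as
# sign-extended Python ints, which is exactly the rendering problem reported.
CONSTRUCTED_VTYPE = [
    ("Flags", 4, "<i"),   # read as signed 32-bit; really a bit field
    ("Delta", 2, "<h"),   # signed 16-bit
    ("Count", 4, "<I"),   # unsigned 32-bit
]
CONSTRUCTED_BYTES = struct.pack("<ihI", -1, -2, 255)


def read_members(data, vtype):
    """Unpack each member from raw bytes at its offset, as an object reader would."""
    members, offset = {}, 0
    for name, size, fmt in vtype:
        members[name] = struct.unpack_from(fmt, data, offset)[0]
        offset += size
    return members


def render_members(members, vtype):
    """Render every integer member masked to its declared width once, centrally,
    instead of chopping each member in every render_* function."""
    sizes = {name: size for name, size, _ in vtype}
    return {name: format_hex(value, sizes[name]) for name, value in members.items()}


if __name__ == "__main__":
    raw = read_members(CONSTRUCTED_BYTES, CONSTRUCTED_VTYPE)
    print(raw)                                    # {'Flags': -1, 'Delta': -2, 'Count': 255}
    print(render_members(raw, CONSTRUCTED_VTYPE))
    print(to_signed(0xffffffff, 4))               # -1
```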

Getting some errors in debug.py

Hey guys, 

I am seeing errors in the current 1.4 branch:

$ python volatility.py 
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
  File "volatility.py", line 126, in <module>
    main()
  File "volatility.py", line 103, in main
    debug.error("You must specify something to do (try -h)")
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/debug.py", line 58, in error
    log(msg, logging.ERROR)
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/debug.py", line 73, in log
    modname = mod.__name__
Original issue reported on code.google.com by [email protected] on 2 Dec 2010 at 10:37

Overlay objects bleed across profiles

So currently, defining an object class in one overlay module will allow it to 
be instantiated by any profile, so for example _EPROCESS can be defined in 
xpsp2, but all the methods will still be present in the EPROCESS object create 
for the Win7SP0x86 profile.

This raises problems if two different profiles need different methods on 
identically named objects.  For example, attempting to redefine _EPROCESS will 
result in an "Object _EPROCESS has already been defined <clas 'blah'>" error 
message.

Currently this isn't an issue, but it at least needs documenting.  If it does 
become an issue in the future it will possibly need refining so that objects 
are defined as part of an overlay, rather than simply as global objects.  This 
may well already be doable by pointing the overlay at a callable that spits out 
an object, but this will need some looking into and again documenting somewhere 
(possibly the wiki to begin with).

Ideally we want some form of inheritance (so that things that stay the same, 
don't need redefining) but also some form of override (so that things which 
need to change, can).  I think currently the important code resides in either 
obj.CType.__init__ or obj.Object(), but it's not clear if that needs changing, 
or we can simply use/abuse the overlay mechanism to define objects too (so 
Win7SP0x86_EPROCESS is defined, and then plastered on _EPROCESS in the 
overlay).  Any ideas/thoughts/comments?

Original issue reported on code.google.com by [email protected] on 16 Sep 2010 at 11:04

vad commands don't work on Windows 7

The vadinfo, vaddump, and vadwalk commands don't work with profile=Win7SP0x86. 
It's because in XP the EPROCESS.VadRoot is a pointer to _MMVAD but in Win7 it's a 
little different:

kd> dt _EPROCESS 
...
   +0x278 VadRoot          : _MM_AVL_TABLE
      +0x000 BalancedRoot     : _MMADDRESS_NODE
         +0x000 u1               : <unnamed-tag>
         +0x004 LeftChild        : (null) 
         +0x008 RightChild       : 0x8594b410 _MMADDRESS_NODE
         +0x00c StartingVpn      : 0
         +0x010 EndingVpn        : 0

kd> dt _MMADDRESS_NODE 0x8594b410 
ntdll!_MMADDRESS_NODE
   +0x000 u1               : <unnamed-tag>
   +0x004 LeftChild        : 0x85389008 _MMADDRESS_NODE
   +0x008 RightChild       : 0x854185f8 _MMADDRESS_NODE
   +0x00c StartingVpn      : 0x75850
   +0x010 EndingVpn        : 0x7585c

So when the vad commands do task.VadRoot.traverse(), the code in 
plugins/overlays/Windows/xp_sp2.py in class _MMVAD fails:

## What type is this struct?
tag = vm.read(offset - 4, 4)
theType = switch.get(tag)

if not theType:
    return obj.NoneObject("Tag {0} not knowns".format(tag))

Due to the change in Win7, theType will always be None. At least it appears 
that the Win7 nodes still use the same Vad, VadS, Vadl tags though:

kd> db 0x8594b410-4 L4
8594b40c  56 61 64 20     Vad 

kd> db 0x85389008-4 L4
85389004  56 61 64 53     VadS


Original issue reported on code.google.com by [email protected] on 13 Sep 2010 at 2:14

  • Blocking: #9

issue in cache handling code causes pslist to break

Ran on a Windows 7 64-bit host with Python 2.7; win7vss.vmem is a 32-bit Windows 7 
image.

C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py  pslist --profile=Win7SP0x86  -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
Name                 Pid    PPid   Thds   Hnds   Time
System                    4      0     90    516 2010-07-06 22:28:46
smss.exe                252      4      2     29 2010-07-06 22:28:46
csrss.exe               348    340     10    441 2010-07-06 22:28:53
wininit.exe             384    340      3     73 2010-07-06 22:28:53
csrss.exe               396    376      8    187 2010-07-06 22:28:53
winlogon.exe            424    376      5    129 2010-07-06 22:28:54
services.exe            492    384     12    216 2010-07-06 22:28:54
lsass.exe               500    384      7    559 2010-07-06 22:28:54
lsm.exe                 508    384     10    142 2010-07-06 22:28:54
svchost.exe             616    492     10    348 2010-07-06 22:28:55
svchost.exe             680    492      8    264 2010-07-06 22:28:56
svchost.exe             728    492     21    425 2010-07-06 22:28:56
svchost.exe             848    492     20    413 2010-07-06 22:28:56
svchost.exe             876    492     44   1333 2010-07-06 22:28:56
svchost.exe            1056    492     16    589 2010-07-06 22:29:31
svchost.exe            1140    492     17    375 2010-07-06 22:29:51
spoolsv.exe            1312    492     13    315 2010-07-06 22:31:06
svchost.exe            1344    492     20    315 2010-07-06 22:31:07
VMwareService.         1488    492      8    200 2010-07-06 22:31:11
dllhost.exe            1944    492     16    187 2010-07-06 22:31:21
msdtc.exe               284    492     15    152 2010-07-06 22:31:24
svchost.exe            1920    492      8    115 2010-07-06 22:33:17
svchost.exe             840    492     15    381 2010-07-06 22:33:18
SearchIndexer.         1464    492     18    624 2010-07-06 22:33:20
TrustedInstall          188    492      8    245 2010-07-06 22:35:08
WmiPrvSE.exe           1768    616      5    112 2010-07-06 22:35:16
SearchFilterHo         1724   1464      6     82 2010-07-06 22:37:36
taskhost.exe           1156    492     10    155 2010-07-06 22:37:54
dwm.exe                 956    848      4     71 2010-07-06 22:38:07
explorer.exe           1880   1720     31    647 2010-07-06 22:38:07
wuauclt.exe            1896    876      6     96 2010-07-06 22:38:14
VMwareTray.exe         2144   1880      5     67 2010-07-06 22:38:29
VMwareUser.exe         2156   1880      9    205 2010-07-06 22:38:30
audiodg.exe            2312    728      5    153 2010-07-06 22:38:44
rundll32.exe           2484    492      1      5 2010-07-06 22:39:08
sdclt.exe              2504    492      1      4 2010-07-06 22:39:09
schtasks.exe           2512    492      2     60 2010-07-06 22:39:09
taskhost.exe           2520    492     11    224 2010-07-06 22:39:10
conhost.exe            2568    348      2     33 2010-07-06 22:39:11
wsqmcons.exe           2576    492      1      3 2010-07-06 22:39:11
SearchProtocol         2680   1464      8    231 2010-07-06 22:39:27
VMwareResoluti         3064   1488      1     23 2010-07-06 22:40:27
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "C:\Users\admin\Desktop\vol\volatility\commands.py", line 96, in execute
    func(outfd, data)
  File "C:\Users\admin\Desktop\vol\plugins\internal\taskmods.py", line 146, in render_text
    for task in data:
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 404, in generate
    self.dump(path, payload)
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 409, in dump
    self.node.dump()
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 259, in dump
    self.storage.dump(self.stem, self)
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 357, in dump
    filename = self.filename(url)
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 338, in filename
    raise RuntimeError("Storing non relative URLs is not supported now ({0})".format(url))
RuntimeError: Storing non relative URLs is not supported now (file:///C:/Users/admin/Desktop/vol/win7vss.vmem/tests/pslist)

Original issue reported on code.google.com by [email protected] on 17 Aug 2010 at 11:36

  • Merged into: #2

Volatility 1.4 doesn't allow new renders to be written for all plugins easily

Hiya guys,

This is just a placeholder bug to put information pertaining to the rendering 
engine problem.

At the moment all plugins specify a render_text function which accepts a data 
object (can be anything) from its own calculate function, and a file 
descriptor.  It then prints out the important text to the file descriptor.  
Status/progress information can be printed/written to stdout.

It would be nice to have the ability to write a whole new output format (such 
as XML or SQL) that applies to all plugins, including those that already exist. 
To do this, some kind of common standard will be needed.

Scudette's taken a first crack at this, which has lived mostly in the 
experimental branch.  It is backwards compatible (so that existing 1.4 plugins 
will still output to text if necessary) and works by defining a UI object, 
which different rendering engines can then work with.

I'm attaching a patch that applies to r392 of the Volatility-1.4_rc1 branch 
just so that we've got a copy locally.  You can also find this at 
https://gist.github.com/54ed859a20d9d01c489d complete with syntax highlighting.

Original issue reported on code.google.com by [email protected] on 22 Aug 2010 at 2:26

CType object attributes conflict with member names

Hiya guys,

Just a quick note that since CTypes have a self.name, self.offset, self.theType 
and so on, those values can't then be used for attributes.  This probably most 
affects automatic generation of vtypes from a pdb, although, in general, 
generated members all start with a capital letter, and all the object 
attributes start with a lower case letter.  Unfortunately we already have 
_CLS_LSN in the vista and 7 vtypes which has an "offset" member, which will be 
inaccessible to any plugin that might want it.

We've got a few options, and I don't think this'll get solved quickly, since 
they're all relatively invasive, and it's not clear how big a problem this will 
be.  However, best to have a place holder for discussions and so on.

So, as I see it options are:

a) Ensure the pdb generator mangles any member names so that they're not the 
same as BaseObject/CType attributes (mostly by case mangling).  There *may* be 
situations where a vtype has two members differentiated only by case, but I 
doubt it.  This is by far the easiest option.

b) Change all the attributes, trying very hard to avoid introducing bugs 
because of it, and probably failing because things ask for .offset and .vm all 
over the place.  Changing them to _blah or __blah won't work because there are 
generated members that start with those too, so probably best to go with 
vol_blah or even _volatility_blah for total certainty.

c) Some other ingenious option that I've completely neglected and would never 
have thought of in a million years that simultaneously solves all the problems 
without any drawbacks...  5:)

Original issue reported on code.google.com by [email protected] on 27 Aug 2010 at 7:58

Proposed enhancement to hivedump

Hey guys, 

The 1.3 version of hivedump was nice, you could dump an entire hive as text or 
csv and then grep for a certain term or sort by timestamp. In the 1.4 hivedump, 
some of that functionality was lost. I'd like to propose a few changes to r516 
version of hivedump:

1) Allow csv output with timestamps

2) In the text output, change the single-space indention (" ") to something 
like a tab or 4 spaces *and* include the full key name. This way, if you were 
looking for a key named "MaliciousKey" you could pipe the output of hivedump to 
grep and quickly find it, then pass the full key name to printkey. Currently, 
it's difficult because hivedump only prints the subkey name on a line by 
itself...so you'd have to redirect all output of hivedump to a file, open it 
up, look for "MaliciousKey" and then try to follow the single-space indention 
to determine the full key before calling printkey -- lots of time.  

So instead of this:

$$$PROTO.HIV
 C07ft5Y
  WinXP
 Classes
  *
   OpenWithList
    Excel.exe

We could have this:

HKEY_LOCAL_MACHINE\Software
    HKEY_LOCAL_MACHINE\Software\C07ft5Y
        HKEY_LOCAL_MACHINE\Software\C07ft5Y\WinXP
    HKEY_LOCAL_MACHINE\Software\Classes
        HKEY_LOCAL_MACHINE\Software\Classes\*

And this:

1229023892,2008-12-11 19:31:32,HKEY_LOCAL_MACHINE\Software
1208454788,2008-04-17 17:53:08,HKEY_LOCAL_MACHINE\Software\C07ft5Y
1208454788,2008-04-17 17:53:08,HKEY_LOCAL_MACHINE\Software\C07ft5Y\WinXP
1229021837,2008-12-11 18:57:17,HKEY_LOCAL_MACHINE\Software\Classes
1220997002,2008-09-09 21:50:02,HKEY_LOCAL_MACHINE\Software\Classes\*


I attached a patched version of hivelist.py that could be used as a template 
for these changes. Note: I moved the HiveDump command from lsadump.py to 
hivelist.py for this example. Also, you'll see the -o option commented out in 
the HiveList command. I don't think that option is needed any longer since you 
guys made hivelist automatically find the physical offset of the first hive 
(which is great, it eliminates the need to run hivescan first - awesome). 

Thanks

Original issue reported on code.google.com by [email protected] on 8 Nov 2010 at 6:21

Attachments:

psscan relies on WorkingSetLock which isn't in vtypes for windows 7 x86 images

the psscan module drops into the debugger when attempting to scan a windows 7 
image. see the following:

C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py  psscan --profile=Win7SP0x86  -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
PID    PPID   Time created             Time exited              Offset     PDB        Remarks
------ ------ ------------------------ ------------------------ ---------- ---------- ----------------
--Return--
> c:\users\admin\desktop\vol\volatility\debug.py(38)b()->None
-> pdb.set_trace()
(Pdb) bt
  c:\users\admin\desktop\vol\volatility.py(138)<module>()
-> main()
  c:\users\admin\desktop\vol\volatility.py(129)main()
-> command.execute()
  c:\users\admin\desktop\vol\volatility\commands.py(96)execute()
-> func(outfd, data)
  c:\users\admin\desktop\vol\plugins\internal\psscan.py(273)render_text()
-> for eprocess in data:
  c:\users\admin\desktop\vol\volatility\cache.py(400)generate()
-> for x in g:
  c:\users\admin\desktop\vol\plugins\internal\psscan.py(237)calculate()
-> for offset in PSScanner().scan(address_space):
  c:\users\admin\desktop\vol\volatility\scan.py(143)scan()
-> for match in BaseScanner.scan(self, address_space, o, l):
  c:\users\admin\desktop\vol\volatility\scan.py(112)scan()
-> if self.check_addr(i + self.base_offset):
  c:\users\admin\desktop\vol\volatility\scan.py(76)check_addr()
-> debug.b()
> c:\users\admin\desktop\vol\volatility\debug.py(38)b()->None
-> pdb.set_trace()
(Pdb)

Original issue reported on code.google.com by [email protected] on 17 Aug 2010 at 11:12

  • Blocking: #9

pslist/psscan on 1.4 and xpsp3 memory

Hey guys, 

I encountered this issue this week. I've been updating the code from CVS about 
once a week and the problem just started happening, so it may be due to a 
recent change.

$ python volatility.py pslist -f XPSP3.vmem
Volatile Systems Volatility Framework 1.4_rc1
Name                 Pid    PPid   Thds   Hnds   Time 
System                    4      0     56    196 1970-01-01 00:00:00      
                          0      0      0 ------ 1970-01-01 00:00:00      
                          0      0      0 ------ 1970-01-01 00:00:00      
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 98, in execute
    func(outfd, data)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/internal/taskmods.py", line 153, in render_text
    task.CreateTime))
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/Windows/xp_sp2.py", line 165, in __format__
    dt = self.as_datetime()
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/Windows/xp_sp2.py", line 157, in as_datetime
    dt = datetime.datetime.utcfromtimestamp(self.v())
ValueError: year is out of range

Same with psscan:

$ python volatility.py psscan -f XPSP3.vmem
Volatile Systems Volatility Framework 1.4_rc1
PID    PPID   Time created             Time exited              Offset     PDB        Remarks
------ ------ ------------------------ ------------------------ ---------- ---------- ----------------
     0      0                                                   0x005529a0 0x00319000 Idle           
     0      0                                                   0x01f6a978 0x00000000                
     0      0                                                   0x01f8e7e0 0x00000000                
     0      0                                                   0x01fa63c0 0x00000000                
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 98, in execute
    func(outfd, data)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/internal/psscan.py", line 280, in render_text
    eprocess.ImageFileName))
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/Windows/xp_sp2.py", line 165, in __format__
    dt = self.as_datetime()
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/Windows/xp_sp2.py", line 157, in as_datetime
    dt = datetime.datetime.utcfromtimestamp(self.v())
ValueError: year is out of range

I can analyze the memory in Volatility 1.3 just fine though:

$ python volatility pslist -f XPSP3.vmem
Name                 Pid    PPid   Thds   Hnds   Time 
System               4      0      56     196    Thu Jan 01 00:00:00 1970   823c8830
smss.exe             532    4      3      19     Sun Aug 22 17:39:08 2010   81df0388
csrss.exe            596    532    12     388    Sun Aug 22 17:39:10 2010   81e45978
winlogon.exe         620    532    19     520    Sun Aug 22 17:39:10 2010   822dfda0
services.exe         664    620    17     340    Sun Aug 22 17:39:10 2010   81e41610
lsass.exe            676    620    21     351    Sun Aug 22 17:39:10 2010   82175b90

Original issue reported on code.google.com by [email protected] on 9 Sep 2010 at 12:42

  • Merged into: #13

updating volatility from SVN broke caching due to code change

Not really sure how to file this or if it's a bug that can really be fixed, but 
I thought I should post it anyway.

So the problem is that I was on a previous version of volatility from yesterday 
and had generated caches. Today I updated to the latest in svn and sometime 
later ran pslist to get the PID of a process and this happened:

root@newubuntu:~/vol# python volatility.py pslist -f winXP-32-SP3.vmem --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Name                 Pid    PPid   Thds   Hnds   Time
System                    4      0     54    249 1970-01-01 00:00:00
smss.exe                552      4      3     19 2010-08-26 01:00:40
csrss.exe               600    552     11    361 2010-08-26 01:00:41
winlogon.exe            624    552     24    550 2010-08-26 01:00:42
services.exe            668    624     16    250 2010-08-26 01:00:42
lsass.exe               680    624     26    379 2010-08-26 01:00:42
vmacthlp.exe            840    668      1     25 2010-08-26 01:00:42
svchost.exe             852    668     19    198 2010-08-26 01:00:42
svchost.exe             920    668      9    239 2010-08-26 01:00:43
svchost.exe            1016    668     71   1188 2010-08-26 01:00:43
svchost.exe            1060    668      5     73 2010-08-26 01:00:43
svchost.exe            1156    668     13    192 2010-08-26 01:00:43
spoolsv.exe            1312    668      6     51 2010-08-26 01:00:44
VMwareService.e        1608    668      3    144 2010-08-26 01:01:01
alg.exe                2004    668      8    106 2010-08-26 01:01:10
explorer.exe            528    500     17    290 2010-08-26 01:01:31
wscntfy.exe             292   1016      1     28 2010-08-26 01:01:32
VMwareTray.exe          908    528      1     29 2010-08-26 01:01:34
VMwareUser.exe         1004    528      4     76 2010-08-26 01:01:34
msmsgs.exe             1220    528      4    153 2010-08-26 01:01:35
4±OPO     2172747816 2174491220 2174491300 538517528 1970-01-01 00:00:00
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "/home/x/vol/volatility/commands.py", line 96, in execute
    func(outfd, data)
  File "/home/x/vol/plugins/internal/taskmods.py", line 153, in render_text
    task.CreateTime))
  File "/home/x/vol/plugins/overlays/Windows/xp_sp2.py", line 167, in __format__
    dt = self.as_datetime()
  File "/home/x/vol/plugins/overlays/Windows/xp_sp2.py", line 159, in as_datetime
    dt = datetime.datetime.utcfromtimestamp(self.v())
ValueError: timestamp out of range for platform time_t

-----------------

Now I think the datetime stuff was updated in the revisions that got pulled, so 
I am sure that is why it's broken, but obviously the cache doesn't know about 
this....

Again, I am not really sure if this is a bug or not, and if I were doing a real 
investigation I wouldn't be updating software in the middle unless something 
was really broken....

Either way, removing the cache directory under /tmp for the image fixed it and 
now everything works as expected.

Original issue reported on code.google.com by [email protected] on 26 Aug 2010 at 2:02

  • Merged into: #13
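As an added example (not Volatility's code, nor either reporter's), covering two things the issues above raise: the hivedump proposal's full-path text listing and its `unix time,UTC time,full key path` CSV rows, and timestamp conversion that yields a placeholder instead of dying with "year is out of range" or "timestamp out of range for platform time_t" when a carved structure carries a garbage value. The hive tree is constructed sample data; its key names and timestamps are the ones from the hivedump proposal, plus one key with a deliberately junk LastWriteTime.

```python
"""Added example, not part of Volatility: safe FILETIME handling plus the
full-path text and CSV hive listings proposed in the hivedump issue."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterator, Optional, Tuple

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_TICKS_PER_SECOND = 10_000_000
# Seconds between the FILETIME epoch (1601) and the Unix epoch (1970).
EPOCH_DELTA_SECONDS = 11_644_473_600
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def filetime_to_unix(filetime) -> Optional[int]:
    """FILETIME -> Unix seconds; None for zero, pre-1970 or non-integer junk."""
    if not isinstance(filetime, int) or filetime <= 0:
        return None
    unix = filetime // FILETIME_TICKS_PER_SECOND - EPOCH_DELTA_SECONDS
    return unix if unix >= 0 else None


def unix_to_datetime(unix: Optional[int]) -> Optional[datetime]:
    """Unix seconds -> aware UTC datetime, or None instead of raising.

    A junk 64-bit value lands thousands of years outside datetime's range;
    the stdlib reports that as OverflowError/ValueError (OSError on some
    platforms), which is exactly what took down pslist/psscan above."""
    if unix is None:
        return None
    try:
        return UNIX_EPOCH + timedelta(seconds=unix)
    except (OverflowError, ValueError, OSError):
        return None


def format_time(unix: Optional[int], placeholder: str = "-") -> str:
    """'YYYY-MM-DD HH:MM:SS' or the placeholder when the value is unusable."""
    dt = unix_to_datetime(unix)
    return dt.strftime("%Y-%m-%d %H:%M:%S") if dt is not None else placeholder


# A key is (LastWriteTime as FILETIME, {subkey name: key}).
Key = Tuple[int, Dict[str, "Key"]]


def unix_to_filetime(unix: int) -> int:
    """Inverse of filetime_to_unix, used only to build the sample hive."""
    return (unix + EPOCH_DELTA_SECONDS) * FILETIME_TICKS_PER_SECOND


# Constructed sample hive (not a real hive), using the hivedump proposal's
# key names and timestamps, plus a key whose LastWriteTime is junk.
SAMPLE_HIVE: Key = (unix_to_filetime(1229023892), {
    "C07ft5Y": (unix_to_filetime(1208454788), {
        "WinXP": (unix_to_filetime(1208454788), {}),
    }),
    "Classes": (unix_to_filetime(1229021837), {
        "*": (unix_to_filetime(1220997002), {}),
    }),
    "Corrupt": (0xFFFFFFFFFFFFFFFF, {}),
})


def walk(key: Key, path: str, depth: int = 0) -> Iterator[Tuple[int, str, Optional[int]]]:
    """Depth-first walk yielding (depth, full key path, Unix last-write time)."""
    last_write, subkeys = key
    yield depth, path, filetime_to_unix(last_write)
    for name, child in subkeys.items():
        yield from walk(child, path + "\\" + name, depth + 1)


def render_text(root: Key, root_path: str, indent: str = "    ") -> str:
    """Indented listing with the full key name on every line (grep-friendly)."""
    return "\n".join(indent * depth + path for depth, path, _ in walk(root, root_path))


def render_csv(root: Key, root_path: str) -> str:
    """One '<unix>,<UTC time>,<full path>' row per key.

    The raw Unix value is kept even when it cannot be rendered as a date, so
    nothing is silently dropped from the record."""
    rows = []
    for _, path, unix in walk(root, root_path):
        raw = unix if unix is not None else "-"
        rows.append(f"{raw},{format_time(unix)},{path}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render_text(SAMPLE_HIVE, "HKEY_LOCAL_MACHINE\\Software"))
    print()
    print(render_csv(SAMPLE_HIVE, "HKEY_LOCAL_MACHINE\\Software"))
```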

Scanner framework loses the profile of any address space it's given to scan

So I am working on a plugin that analyzes a specific userland application and I 
hit a pretty nasty and non-obvious bug in the Scanner framework.

The problem is that I have created my own vtypes for the application in order 
to parse its structures, and the way I find the "task" for the process is either 
by the user-supplied PID or by searching by process name. Once I find the 
process, I then proceed to add my custom vtypes to the task's address space so 
then I can process them as verinfo does.  This works perfectly for everything but 
scanning.

The bug came when I went to scan the task's address space, and anytime I tried 
to make a structure using the obj.Object method, the return value was always 
"None". After wasting an hour debugging the issue, I finally realized the issue 
was that my custom vtypes weren't being put into the buffer address space set 
as "self.address_space" in the inherited scan class, which means of course it 
knows nothing of my custom structure and so it couldn't instantiate it.

I fixed the bug for now by making my check function begin like this:

def check(self, offset):
    self.address_space.profile.add_types(my_types)

and then proceed to scan, and it's working now, but that was very non-obvious.

I believe this actually exposes two bugs, 

1) is that even when vol is run with -d, the obj.Object handler gave no error 
messages or warnings about why it couldn't instantiate the object

2) the scanning code needs to make the buffer address space object it uses 
inherit all the vtypes from the address space you pass it or ugly hacks like my 
fix will have to be used in all plugins that want to use custom vtypes with 
scanning


Original issue reported on code.google.com by [email protected] on 28 Aug 2010 at 8:00

pid filtering on command line not working

Hey guys, 

For some commands like dlllist, the pid filtering is no longer working. If I do 
dlllist -p 4 or --pid=4 (or any other pid) then it prints the DLLs in all 
processes. 

I found that if I comment out the line in Dlllist:

@cache.CacheDecorator("tests/pslist")

That fixes the problem and it obeys the -p or --pid parameters. Of course, I'm 
not sure what other things might break with that line commented!


Original issue reported on code.google.com by [email protected] on 26 Aug 2010 at 4:58

  • Merged into: #13

Cache fails with warning about non relative URLs on windows 7 x86 image

C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py  pslist --profile=Win7SP0x86  -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
Name                 Pid    PPid   Thds   Hnds   Time
System                    4      0     90    516 2010-07-06 22:28:46
smss.exe                252      4      2     29 2010-07-06 22:28:46
csrss.exe               348    340     10    441 2010-07-06 22:28:53
wininit.exe             384    340      3     73 2010-07-06 22:28:53
csrss.exe               396    376      8    187 2010-07-06 22:28:53
winlogon.exe            424    376      5    129 2010-07-06 22:28:54
services.exe            492    384     12    216 2010-07-06 22:28:54
lsass.exe               500    384      7    559 2010-07-06 22:28:54
lsm.exe                 508    384     10    142 2010-07-06 22:28:54
svchost.exe             616    492     10    348 2010-07-06 22:28:55
svchost.exe             680    492      8    264 2010-07-06 22:28:56
svchost.exe             728    492     21    425 2010-07-06 22:28:56
svchost.exe             848    492     20    413 2010-07-06 22:28:56
svchost.exe             876    492     44   1333 2010-07-06 22:28:56
svchost.exe            1056    492     16    589 2010-07-06 22:29:31
svchost.exe            1140    492     17    375 2010-07-06 22:29:51
spoolsv.exe            1312    492     13    315 2010-07-06 22:31:06
svchost.exe            1344    492     20    315 2010-07-06 22:31:07
VMwareService.         1488    492      8    200 2010-07-06 22:31:11
dllhost.exe            1944    492     16    187 2010-07-06 22:31:21
msdtc.exe               284    492     15    152 2010-07-06 22:31:24
svchost.exe            1920    492      8    115 2010-07-06 22:33:17
svchost.exe             840    492     15    381 2010-07-06 22:33:18
SearchIndexer.         1464    492     18    624 2010-07-06 22:33:20
TrustedInstall          188    492      8    245 2010-07-06 22:35:08
WmiPrvSE.exe           1768    616      5    112 2010-07-06 22:35:16
SearchFilterHo         1724   1464      6     82 2010-07-06 22:37:36
taskhost.exe           1156    492     10    155 2010-07-06 22:37:54
dwm.exe                 956    848      4     71 2010-07-06 22:38:07
explorer.exe           1880   1720     31    647 2010-07-06 22:38:07
wuauclt.exe            1896    876      6     96 2010-07-06 22:38:14
VMwareTray.exe         2144   1880      5     67 2010-07-06 22:38:29
VMwareUser.exe         2156   1880      9    205 2010-07-06 22:38:30
audiodg.exe            2312    728      5    153 2010-07-06 22:38:44
rundll32.exe           2484    492      1      5 2010-07-06 22:39:08
sdclt.exe              2504    492      1      4 2010-07-06 22:39:09
schtasks.exe           2512    492      2     60 2010-07-06 22:39:09
taskhost.exe           2520    492     11    224 2010-07-06 22:39:10
conhost.exe            2568    348      2     33 2010-07-06 22:39:11
wsqmcons.exe           2576    492      1      3 2010-07-06 22:39:11
SearchProtocol         2680   1464      8    231 2010-07-06 22:39:27
VMwareResoluti         3064   1488      1     23 2010-07-06 22:40:27
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "C:\Users\admin\Desktop\vol\volatility\commands.py", line 96, in execute
    func(outfd, data)
  File "C:\Users\admin\Desktop\vol\plugins\internal\taskmods.py", line 146, in render_text
    for task in data:
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 404, in generate
    self.dump(path, payload)
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 409, in dump
    self.node.dump()
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 259, in dump
    self.storage.dump(self.stem, self)
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 357, in dump
    filename = self.filename(url)
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 338, in filename
    raise RuntimeError("Storing non relative URLs is not supported now ({0})".format(url))
RuntimeError: Storing non relative URLs is not supported now (file:///C:/Users/admin/Desktop/vol/win7vss.vmem/tests/pslist)

Original issue reported on code.google.com by [email protected] on 17 Aug 2010 at 11:16

volatility doesn't make a check on the value passed to --profile

The code currently doesn't sanity check the value passed to --profile and if a 
valid profile isn't passed, it keeps running and eventually exits with an error 
about invalid address spaces, which to most people will be extremely confusing 
and non-obvious 

A better solution would be for the value to be checked and error out with a 
message about the invalid profile


Original issue reported on code.google.com by [email protected] on 23 Sep 2010 at 12:43

sockets plugin breaks on XP SP3 32 bit

root@newubuntu:~/vol# python volatility.py sockets -f winXP-32-SP3.vmem --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Pid    Port   Proto  Create Time
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "/home/x/vol/volatility/commands.py", line 96, in execute
    func(outfd, data)
  File "/home/x/vol/plugins/internal/sockets.py", line 32, in render_text
    for sock in data:
  File "/home/x/vol/volatility/win32/network.py", line 140, in determine_sockets
    while sock.is_valid():
AttributeError: 'NoneType' object has no attribute 'is_valid'

*************

I believe this may just be a logic error somewhere, because the machine was 
rebooted fresh and then frozen to get the .vmem, meaning there were no sockets.

Original issue reported on code.google.com by [email protected] on 26 Aug 2010 at 1:19

  • Merged into: #6

Fix default plugins command line option

Hey guys, 

The help for --plugins says: Additional plugin directories to use (colon 
separated)

So I expected that specifying --plugins=mydir would let me load plugins from 
the default (./plugins) in addition to mydir. But it looks like if you specify 
--plugins=mydir on command-line, it only searches mydir and not ./plugins. 

If that's how you intend it to work, then it's OK, but I have a feeling it should 
work differently. The default value could be changed to none:

config.add_option("PLUGINS", default = None,
                  help = "Additional plugin directories to use (colon separated)")

and then something like:

# Setup initial plugin directories
plugins = './plugins'

if config.PLUGINS != None:
      plugins += ':{0}'.format(config.PLUGINS)

for path in plugins.split(':'):
   ......


Original issue reported on code.google.com by [email protected] on 26 Aug 2010 at 1:57

Output rendering in plugins with inheritance

Hey guys, I don't think this is a big problem currently, but just FYI because 
it came up recently. If a plugin doesn't support output in HTML (or any other 
format), but inherits from a plugin that does support it...then we'll see type 
and/or tuple unpack exceptions. For example:

class OnePlugin:
    def calculate(self):
        yield a,b,c
    def render_text(self, outfd, data):
        pass
    def render_html(self, outfd, data):
        for a,b,c in data:
            pass

class TwoPlugin(OnePlugin):
    def calculate(self):
        yield a,b,c,d,e,f,g
    def render_text(self, outfd, data):
        pass

So if someone tries to do "volatility.py twoplugin --output=html" then 
OnePlugin.render_html() will be executed with the data yielded by 
TwoPlugin.calculate() - and it will result in some exceptions. 

Original issue reported on code.google.com by [email protected] on 9 Dec 2010 at 3:45

possible (likely) bug in memdump plugin for windows 7 x86

While the plugin runs and doesn't crash, it doesn't appear to be working 
correctly as in no process that I tested did it ever stop dumping memory. 

For all of the processes lsass.exe, taskhost.exe, services.exe, and a few more, 
task manager reports a size of around a few hundred Kb to 2 or 3MB.  
This was tested on the same VM from which the memory image is produced.

The problem is that for all of the processes mentioned, I let the plugin run 
and the "*.dmp" file produced went well over 100MB for all of them before I had 
to ctrl+c the script.

It would seem that the code that calculates the size of a process in memory is 
broken under windows 7...

Original issue reported on code.google.com by [email protected] on 18 Aug 2010 at 3:35

Connections not returning information

What steps will reproduce the problem?
1. python volatility connections -f <file.image>
2. also connscan & connscan2 have the same problem
3.
What is the expected output? What do you see instead?
No output

What version of the product are you using? On what operating system?
Volatility 1.3, Windows XP SP 3, python 2.7

Please provide any additional information below.

Tried various image gathering tools, same effect
When I used the sample memory dumps it works fine
Tried version 1.1.2 of volatility same problem
Target OS is XP version 2002 running within a VM
pslist, dlllist, ident 

Original issue reported on code.google.com by [email protected] on 15 Nov 2010 at 8:09

volatility doesn't validate that the memory image (-f) exists

example:

root@newubuntu:~/vol# python volatility.py --no-cache pslist -f XPSP3.vmem --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Name                 Pid    PPid   Thds   Hnds   Time
System                    4      0     56    382 1970-01-01 00:00:00
smss.exe                552      4      3     19 2010-09-08 14:57:09
csrss.exe               600    552     11    394 2010-09-08 14:57:11
.....

root@newubuntu:~/vol# python volatility.py --no-cache pslist -f file_that_doesnt_exist --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
No suitable address space mapping found
Tried to open image as:
 WindowsHiberFileSpace32: Filename must be specified and exist
 WindowsCrashDumpSpace32: Filename must be specified and exist
 JKIA32PagedMemory: No base Address Space
 JKIA32PagedMemoryPae: No base Address Space
 IA32PagedMemoryPae: Module disabled
 IA32PagedMemory: Module disabled
 FileAddressSpace: Filename must be specified and exist

--------------

similar to --profile it should validate that the file exists and is readable by 
the user



Original issue reported on code.google.com by [email protected] on 25 Sep 2010 at 7:25

Issue importing classes from other plugins

Hey guys, I ran into an issue importing some classes from other plugins. 

from volatility.plugins.filescan import FileScan, MutantScan, DriverScan, PoolScanDriver
from volatility.plugins.psscan import ThrdScan, ThreadScan

I do this because some of my malware plugins (like driverirp) inherit from 
DriverScan etc. Yesterday on Windows, everything was OK:

C:\Volatility-1.4_rc1>python volatility.py -h
[...]
       driverirp    [MALWARE] Driver IRP hook detection
       mutantscandb [MALWARE] mutantscan extension for highlighting
suspicious mutexes

However, the same code (same plugin file and same Volatility revision) on OSX 
caused the following problem:

$ python volatility.py -h
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
  File "volatility.py", line 128, in <module>
    main()
  File "volatility.py", line 90, in main
    MemoryRegistry.Init()
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/registry.py", line 372, in Init
    PLUGIN_COMMANDS = VolatilityCommandRegistry(commands.command, modules)
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/registry.py", line 286, in __init__
    raise Exception("Command {0} has already been defined by {1}".format(command, self.commands[command]))
Exception: Command mutantscan has already been defined by <class 'volatility.plugins.filescan.MutantScan'>

This morning I updated to revision 483 on Windows and now I get the same 
problem on Windows as well. 

Original issue reported on code.google.com by [email protected] on 29 Sep 2010 at 1:33

Allow volatility to be used as a framework (by removing/reducing global usage)

Ideally volatility shouldn't be so dependent on a single command line 
configuration option, or more specifically global variables that then don't 
allow two different plugins to be run with different option sets.

This is a (low priority) tracking bug so that we can keep a track of 
discussions and development in the area without having to trawl back through 
lots of IRC discussions.  If this gets enough action, we can create a branch in 
subversion for it.

Original issue reported on code.google.com by [email protected] on 2 Sep 2010 at 12:33

ssdt plugin caching is broken

How I triggered the bug:

I ran the ssdt plugin once against my XP SP3 image and it worked. I then 
immediately re-ran the command, and got this error:

Volatile Systems Volatility Framework 1.4_rc1
SSDT[0] at 804e26a8 with 284 entries
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "/home/x/vol/volatility/commands.py", line 96, in execute
    func(outfd, data)
  File "/home/x/vol/plugins/ssdt.py", line 1105, in render_text
    syscall_mod = find_module(mods, mod_addrs, syscall_addr)
  File "/home/x/vol/plugins/ssdt.py", line 1028, in find_module
    mod = modlist[mod_addrs[pos]]
IndexError: cannot fit 'long' into an index-sized integer

I confirmed that it is indeed a cache problem, by running the command multiple 
times in a row with --no-cache, and it never errored and reported the right 
results each time.

Original issue reported on code.google.com by [email protected] on 26 Aug 2010 at 3:05

TypeError getting process address space

Hey guys, 

I've been looking into a TypeError issue and wanted to share what I've found, 
though it's not a complete fix (nor do I know the exact problem). I placed two 
memory dumps at http://www.mnin.org/Archive.zip. You should be able to 
reproduce the problem like this:

$ python volatility.py dlllist -f dreamon.bin -p 2596
************************************************************************
cmd.exe pid:   2596
Unable to read PEB for task.

OK, no problem there, except for the PEB is unreadable, but then try one of the 
Vad commands:

$ python volatility.py vadinfo -f dreamon.bin -p 2596
************************************************************************
Pid:   2596
Traceback (most recent call last):
  File "volatility.py", line 129, in <module>
    main()
  File "volatility.py", line 120, in main
    command.execute()
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/vadinfo.py", line 46, in render_text
    for vad in task.VadRoot.traverse():
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 592, in __getattribute__
    result = self.dereference()
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 568, in dereference
    name = self.name)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/windows/xp_sp2_x86.py", line 330, in __new__
    vm = eprocess.get_process_address_space()
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/windows/xp_sp2_x86.py", line 240, in get_process_address_space
    process_as = self.vm.__class__(self.vm.base, dtb = directory_table_base)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/intel.py", line 92, in __init__
    self.as_assert(self.is_valid_kernelAS(), "Not a valid Kernel Address Space")
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/intel.py", line 128, in is_valid_kernelAS
    for (offset, _length) in self.get_available_addresses():
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/standard.py", line 163, in get_available_addresses
    for (offset, size) in self.get_available_pages():
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/intel.py", line 342, in get_available_pages
    if self.entry_present(pte_value):
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/intel.py", line 163, in entry_present
    return (entry & 1) == 1
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'

In xp_sp2_x86.py, you can catch the exception by changing:

try:
    process_as = self.vm.__class__(self.vm.base, dtb = directory_table_base)
-    except AssertionError, _e:
+    except (TypeError, AssertionError), _e:
    return obj.NoneObject("Unable to get process AS")
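Review bot: as quoted, the two `except` lines sit one indentation level deeper than `try:`, so the change is not valid Python if applied as shown; `except (TypeError, AssertionError), _e:` must align with `try:`. Widening the except clause also only hides the symptom, as the reporter says: the traceback shows `entry_present` receiving `None` as `pte_value` from `get_available_pages`, so the failed page-table read in `intel.py` is where the missing check belongs, leaving the address-space constructor to fail cleanly with its existing `as_assert`.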

However, that's a temporary fix only. In the other memory sample, the process 
in question is pid 3120:

$ python volatility.py dlllist -f conficker.bin -p 3120
************************************************************************
cmd.exe pid:   3120
Unable to read PEB for task.

$ python volatility.py vadinfo -f conficker.bin -p 2596
[same stack trace as above]

Original issue reported on code.google.com by [email protected] on 15 Oct 2010 at 4:10

exception parsing unicode string with modscan2

Hey guys, 

There are two versions of parse_string (FileScan.parse_string and 
ModScan2.parse_string). When using the modscan2 command, I ran into this issue:

Traceback (most recent call last):
  File "volatility.py", line 129, in <module>
    main()
  File "volatility.py", line 120, in main
    command.execute()
  File "/data/volatility/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/data/volatility/plugins/modscan2.py", line 97, in render_text
    self.parse_string(ldr_entry.BaseDllName)))
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-3: ordinal not in range(128)

The module being printed at the time is not identified by modscan, so it makes 
sense that there may be some invalid characters around. However, when I replace 
the ModScan2.parse_string with the FileScan.parse_string, it doesn't error out:

\SystemRoot\system32\DRIVERS\swenum.sys            0x00f9eac000 0x002000 swenum.sys
\SystemRoot\system32\drivers\kmixer.sys            0x00f0345000 0x02a000 kmixer.sys
δƒ˜θ†ŸαΊ¨ξ‡™\REGISTRY\MACHINE\SYSTEM\ConTOOLS.CO  0x00f9ef2000 0x002000 splitter.sys
\SystemRoot\System32\drivers\dxg.sys               0x00bf9c1000 0x012000 dxg.sys
\SystemRoot\system32\DRIVERS\raspptp.sys           0x00f9b1c000 0x00c000 raspptp.sys

So there are some still invalid characters, but that's unavoidable. At least 
using the FileScan's version of parse_string though, the scanner keeps going. 

Original issue reported on code.google.com by [email protected] on 14 Oct 2010 at 9:20

printing top-level keys easily with printkey

In 1.3 with printkey, if you don't specify a key, it prints the top-level list 
like this:

$ python volatility printkey -f zeus2x4.vmem -o 0xe1db1470 
Key name: $$$PROTO.HIV (Stable)
Last updated: Thu Sep  2 08:25:53 2010

Subkeys:
   AppEvents (Stable)
   Console (Stable)
   Control Panel (Stable)
...

In 1.4, if you don't specify a key, or if you specify a blank key ('') to try 
and get the list of top-level keys, you get this:

$ python volatility.py printkey -f zeus2x4.vmem -o 0xe1db1470 
Volatile Systems Volatility Framework 1.4_rc1
Usage: Volatility - A memory forensics analysis platform.

volatility.py: error: No registry key specified.  Please use -k to specify one

The error message says use -k but it should be -K (capital). However, the 1.4 
version still requires you to know the name of a key, which isn't always the 
case. I suggest we make a change similar to the following so people can see the 
list of top-level keys easily:

plugins/registry/printkey.py @ 83

if not config.key:
    #config.error("No registry key specified.  Please use -k to specify one")
    key = []
else:
    key = config.key.split('\\')

...

key = rawreg.open_key(root, key)

Now you can get the same behavior as seen in the 1.3 version. Thoughts?

Original issue reported on code.google.com by [email protected] on 10 Sep 2010 at 1:20

files plugin breaks on windows 7 x86

generates another issue....

C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py files 
--profile=Win7SP0x86  --no-cache -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
Pid:      4
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "C:\Users\admin\Desktop\vol\volatility\commands.py", line 96, in execute
    func(outfd, data)
  File "C:\Users\admin\Desktop\vol\plugins\internal\taskmods.py", line 123, in render_text
    for h in handles:
  File "C:\Users\admin\Desktop\vol\plugins\internal\taskmods.py", line 136, in handle_list
    for h in task.handles():
  File "C:\Users\admin\Desktop\vol\plugins\overlays\Windows\xp_sp2.py", line 260, in handles
    for h in self._make_handle_array(offset, table_levels):
  File "C:\Users\admin\Desktop\vol\plugins\overlays\Windows\xp_sp2.py", line 227, in _make_handle_array
    for h in self._make_handle_array(offset, level - 1):
  File "C:\Users\admin\Desktop\vol\plugins\overlays\Windows\xp_sp2.py", line 219, in _make_handle_array
    count = 0x200, parent = self)
  File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 631, in __init__
    parent = parent, name = name)
  File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 301, in __init__
    raise InvalidOffsetError("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name))
volatility.obj.InvalidOffsetError: Invalid Address 0x00000000, instantiating 
None

Original issue reported on code.google.com by [email protected] on 17 Aug 2010 at 11:33

OBJECT_TYPE handling needs extending to work on Windows 7 images

Hiya guys,

It looks as though the Files plugin doesn't work on Windows 7 images.  
Initially this was due to the array being instantiated at an invalid address, 
and throwing an exception (in earlier versions this check was done once the 
loop had started), but even with that fixed it still seems to be having issues.

I dunno why the TableCode/ObjectTable stuff isn't working.  All the right 
profile elements seem to be defined, and that's as far as my knowledge goes, so 
I'm going to have to call in an expert to investigate please...

Original issue reported on code.google.com by [email protected] on 18 Aug 2010 at 1:32

  • Blocking: #9
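The two reports above (the Win7 traceback and this follow-up) come down to one edge case: a multi-level handle table whose sub-table pointer is null or points outside the image, which the walker must skip before instantiating an array at that address. The added example below is not Volatility's code; it is a simplified model of the x86 layout (TableCode low two bits give the level count, page-sized tables, 8-byte entries with flag bits in the low three bits of Object) over a constructed FakeAddressSpace with made-up addresses and object pointers, showing the validity check that the original _make_handle_array lacked.

```python
import struct

PAGE = 0x1000                        # handle table levels are page-sized on x86
PTR = "<I"                           # 32-bit little-endian pointer
ENTRY_SIZE = 8                       # _HANDLE_TABLE_ENTRY on x86: Object, GrantedAccess
LEVEL0_COUNT = PAGE // ENTRY_SIZE    # 0x200 entries, the count seen in the traceback
UPPER_COUNT = PAGE // 4              # 0x400 pointers per level-1/level-2 page


class FakeAddressSpace:
    """Constructed stand-in for a memory image: {page_base: bytes}."""

    def __init__(self, pages):
        self.pages = pages

    def is_valid_address(self, addr):
        return any(b <= addr < b + len(d) for b, d in self.pages.items())

    def read(self, addr, length):
        for base, data in self.pages.items():
            if base <= addr and addr + length <= base + len(data):
                return data[addr - base:addr - base + length]
        return None


def walk_handle_table(aspace, table_code):
    """Yield (handle_value, object_pointer) for every live entry.

    table_code's low two bits give the number of indirection levels (0, 1 or 2);
    the remaining bits are the address of the top-level page."""
    levels = table_code & 3
    top = table_code & ~3
    yield from _walk_level(aspace, top, levels, handle_base=0)


def _walk_level(aspace, addr, level, handle_base):
    # The check the original code lacked: a null or unmapped sub-table pointer
    # is skipped here instead of raising InvalidOffsetError for 0x00000000.
    if addr == 0 or not aspace.is_valid_address(addr):
        return
    data = aspace.read(addr, PAGE)
    if data is None:
        return
    if level == 0:
        for i in range(LEVEL0_COUNT):
            obj, _access = struct.unpack_from("<II", data, i * ENTRY_SIZE)
            handle = handle_base + i * 4          # handle values step by 4
            if obj == 0 or handle == 0:
                continue                          # free slot, or the reserved handle 0
            yield handle, obj & ~7                # low 3 bits of Object are flags
        return
    # Each pointer in a level-1 page covers LEVEL0_COUNT handles; level-2 covers
    # UPPER_COUNT level-1 pages.
    span = LEVEL0_COUNT * 4 if level == 1 else LEVEL0_COUNT * 4 * UPPER_COUNT
    for i in range(UPPER_COUNT):
        (sub,) = struct.unpack_from(PTR, data, i * 4)
        yield from _walk_level(aspace, sub, level - 1, handle_base + i * span)


def _level0_page(entries):
    page = bytearray(PAGE)
    for idx, (obj, access) in entries.items():
        struct.pack_into("<II", page, idx * ENTRY_SIZE, obj, access)
    return bytes(page)


def _pointer_page(pointers):
    page = bytearray(PAGE)
    for idx, ptr in enumerate(pointers):
        struct.pack_into(PTR, page, idx * 4, ptr)
    return bytes(page)


# Constructed sample: a one-level table whose second sub-table pointer is null
# (the Win7 case) and whose third points at an unmapped page.
SAMPLE_AS = FakeAddressSpace({
    0x3000: _pointer_page([0x4000, 0x00000000, 0x9000, 0x5000]),
    0x4000: _level0_page({1: (0x81234567, 0x1F0003), 3: (0x8200ABCA, 0x100020)}),
    0x5000: _level0_page({5: (0x8300FFF8, 0x120089)}),
})
SAMPLE_TABLE_CODE = 0x3000 | 1


def list_handles(aspace=SAMPLE_AS, table_code=SAMPLE_TABLE_CODE):
    return list(walk_handle_table(aspace, table_code))


if __name__ == "__main__":
    for handle, obj in list_handles():
        print("0x{0:04x} -> 0x{1:08x}".format(handle, obj))
```

Handle values come out as 4 and 12 from the first sub-table and 0x1814 from the fourth (3 * 0x800 + 5 * 4); the null and unmapped pointers contribute nothing and, more importantly, do not stop the walk.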

dlldump for 1.4

Hey guys, 

Since it was only a few lines modification from moddump, here is a dlldump 
plugin for 1.4. You can:

* dump all DLLs from all processes (by calling without any args)
* dump all DLLs from a specific process (by using -p PID)
* dump a specific DLL from all processes (by using -r DLLNAME)
* dump a specific DLL from a specific process (by using -r DLLNAME -p PID)

Tested on XP and Win7 only. If you decide to include it, it doesn't matter to 
me where it goes (contrib vs plugins) -- as long as the functionality is 
available somewhere. 

Thanks.

Original issue reported on code.google.com by [email protected] on 18 Oct 2010 at 1:36

Attachments:

ident/datetime issue

The following line in plugins/internal/datetime-ident.py needs to be changed 
from:

class Ident(DateTime):
        datetime.__init__(self, args)

To:

class Ident(DateTime):
        DateTime.__init__(self, args)

Original issue reported on code.google.com by [email protected] on 26 Aug 2010 at 1:51
