gleeda (Jamie Levy)
For Volatility 2.6.1, the dtb value is `0x1ad002`; in the attached output I see:

```
114 DEBUG volatility.framework.automagic.windows: DTB was found at: 0x1ad000
```

ntoskrnl info:

```
Offset(V) Name Base Size File...
```
If I run volatility 2 w/ the other dtb, it's still good:

```
$ python vol.py -f memory.raw --profile=Win10x64_18362 pslist --dtb=0x1ad000
Volatility Foundation Volatility Framework 2.6.1
Offset(V) Name PID PPID Thds...
```
Seems to be correct:

```
$ python vol.py -f memory.raw --profile=Win10x64_18362 volshell
Volatility Foundation Volatility Framework 2.6.1
Current context: System @ 0xffffad08cb270040, pid=4, ppid=0 DTB=0x1ad002
Python 2.7.16 (default, Feb 29 2020,...
```
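The two DTB values in the thread (`0x1ad002` from the `_EPROCESS` and `0x1ad000` from the automagic scan) differ only in the low 12 bits, which on x64 hold PCID/flag bits rather than address bits. Added example, not code from this issue or from the Volatility project: it page-aligns a DTB the way an address-translation layer must, reads the PML4 at that physical offset and applies a simple plausibility heuristic; the in-memory image, the entry offsets and the heuristic are constructed assumptions.

```python
import struct

PAGE_MASK = 0xFFFFFFFFFFFFF000  # CR3 bits 0-11 carry PCID/cache flags, not the PML4 address
PTE_PRESENT = 1                 # bit 0 of a page-table entry


def normalize_dtb(dtb: int) -> int:
    """Page-align a DTB copied from _EPROCESS DirectoryTableBase (e.g. 0x1ad002 -> 0x1ad000)."""
    return dtb & PAGE_MASK


def pml4_stats(image: bytes, dtb: int) -> dict:
    """Read the 512-entry PML4 at the page-aligned DTB and summarise its present entries."""
    base = normalize_dtb(dtb)
    table = image[base:base + 4096]
    if len(table) != 4096:
        raise ValueError(f"DTB {dtb:#x} points outside the {len(image):#x}-byte image")
    entries = struct.unpack("<512Q", table)
    present = [i for i, e in enumerate(entries) if e & PTE_PRESENT]
    return {
        "base": base,
        "user": sum(1 for i in present if i < 256),     # entries 0-255 map the user half
        "kernel": sum(1 for i in present if i >= 256),  # entries 256-511 map the kernel half
    }


def plausible_kernel_dtb(image: bytes, dtb: int) -> bool:
    """Assumed heuristic: a kernel PML4 maps some of the kernel half and is not fully populated."""
    stats = pml4_stats(image, dtb)
    return stats["kernel"] > 0 and (stats["user"] + stats["kernel"]) < 512


# Constructed sample image (not a real dump): 0x1ae000 zero bytes with a fake PML4 at 0x1ad000.
IMAGE = bytearray(0x1AE000)
for index, target in [(0, 0x1000), (256, 0x2000), (300, 0x3000), (511, 0x4000)]:
    # 0x63 = present | writable | accessed | dirty
    struct.pack_into("<Q", IMAGE, 0x1AD000 + index * 8, target | 0x63)
IMAGE = bytes(IMAGE)
```

Reading the table at the unmasked value would start two bytes into the page and decode misaligned entries, which is why both tools land on the same page once the low bits are dropped.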
Hrmmm, that didn't work:

```
$ python3.7 vol.py -c config.json windows.pslist.PsList
Volatility 3 Framework 1.0.0-beta.1
WARNING volatility.framework.plugins: Automagic exception occurred: ValueError: Unable to run LayerStacker, single_location parameter not provided
WARNING...
```
Weird... I thought that's what the `"primary.memory_layer.location": "file://` parameter was for. I see that the `windows.zip` file is from `Oct 16 2019`; could it be that the profiles just aren't...
OK, I got it working. I took the `ntoskrnl.exe` from the memory sample using volatility 2:

```
$ python vol.py -f memory.raw --profile=Win10x64_18362 moddump -b 0xfffff80578219000 -D ~/Desktop/memory
Volatility Foundation...
```
> Just to note, that there shouldn't be a need to add the file image when using a config.json, but it turned out that the various layers weren't being loaded...
@ikelos there has been a change since we last visited this, that has broken my ability to get anything back from the memory sample now. I'll have to try to...
At first it looks like the path isn't picked up from the config file now:

```
$ python3 vol.py -vvvvvvvv -c config.json windows.pslist.PsList
Volatility 3 Framework 2.0.0-beta.1
INFO root :...
```
But it ultimately still fails, even if I give it the location:

```
$ python3 vol.py -vvvvvvvv -c config.json -f memory.raw windows.pslist.PsList
Volatility 3 Framework 2.0.0-beta.1
INFO root : Volatility...
```