No suitable address space mapping found
Hello.
I'm getting this message when I try "pslist" on my dumped RAM "ram.img" file.
The dump comes from Windows 7 Ultimate x64 Version 6.1 (7601 Service Pack 1). I ran the Volatility 2.6 standalone on the same machine (Windows 7 x64). The "imageinfo" command suggests these profiles:
- Win7SP1x64
- Win7SP0x64
- Win2008R2SP0x64
- Win2008R2SP1x64_23418
- Win2008R2SP1x64
- Win7SP1x64_23418
I've tried the "pslist" command with all these profiles and I'm getting the same result.
I'm not familiar with all of this. Just trying to recover some Notepad process from crashed Windows 7 system.
Any help is welcome.
I will advise you to run kdbgscan to get a correct profile and use the --kdbg option in plugins. As this type of issue is discussed in the book 'The Art of Memory Forensics' and in the command reference, I am pasting some of its content which may help you out:

_Notice in the following command that kdbgscan picks up two structures:_
- _An invalid one (with 0 processes and 0 modules) found at address 0xf80001172cb0_
- _A valid one (with 37 processes and 116 modules) found at address 0xf80001175cf0_

```
$ python vol.py -f Win2K3SP2x64.vmem --profile=Win2003SP2x64 kdbgscan
Volatility Foundation Volatility Framework 2.4

Instantiating KDBG using: Kernel AS Win2003SP2x64 (5.2.3791 64bit)
Offset (V) : 0xf80001172cb0
Offset (P) : 0x1172cb0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2003SP2x64
Version64 : 0xf80001172c70 (Major: 15, Minor: 3790)
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab) : T?
PsActiveProcessHead : 0xfffff800011947f0 (0 processes)
PsLoadedModuleList : 0xfffff80001197ac0 (0 modules)
KernelBase : 0xfffff80001000000 (Matches MZ: True)
Major (OptionalHeader) : 5
Minor (OptionalHeader) : 2

Instantiating KDBG using: Kernel AS Win2003SP2x64 (5.2.3791 64bit)
Offset (V) : 0xf80001175cf0
Offset (P) : 0x1175cf0
KDBG owner tag check : True
Profile suggestion (KDBGHeader): Win2003SP2x64
Version64 : 0xf80001175cb0 (Major: 15, Minor: 3790)
Service Pack (CmNtCSDVersion) : 2
Build string (NtBuildLab) : 3790.srv03_sp2_rtm.070216-1710
PsActiveProcessHead : 0xfffff800011977f0 (37 processes)
PsLoadedModuleList : 0xfffff8000119aae0 (116 modules)
KernelBase : 0xfffff80001000000 (Matches MZ: True)
Major (OptionalHeader) : 5
Minor (OptionalHeader) : 2
KPCR : 0xfffff80001177000 (CPU 0)
```

_As previously mentioned, many Volatility plugins rely on finding the debugger data block and then walking the active process and loaded module lists. By default, these plugins accept the first debugger structure they find via scanning; however, as you just witnessed, the first choice is not always the best choice. In these cases, after manually verifying the more accurate value with kdbgscan, you can set the global option --kdbg=0xf80001175cf0. This not only ensures that Volatility uses the correct value but it also saves you time when executing multiple commands because there is no longer a need to perform a scan._
I've run the kdbgscan command but it gives me the same 6 profiles. I didn't really understand what I need to do right now.
Thanks for your answer though!
Do all of your suggested profiles have multiple processes and modules in PsActiveProcessHead and PsLoadedModuleList respectively? Check the build string: is any of the build strings 24000?
All suggested profiles are showing this:
```
PsActiveProcessHead : 0x362bb90
PsLoadedModuleList : 0x3649e90
```
None of them have the 24000 build.
A few things:
- How was memory acquired? Is this from a crashdump after a blue screen?
- Can you please paste the full input/output of running kdbgscan?
- Volatility 2.6 standalone is extremely old. It is best to run from latest source. Depending on the kdbgscan output, you may have to switch to that.
1- From here https://github.com/baselsayeh/coldboot-tools
2-
3- I'm running it from the Windows 7 SP1 x64 PC which is not connected to the net (and never has been)
Can you re-run kdbgscan with --profile=Win7SP1x64_23418 set and show the full input/output?
Here it is:
Would it be possible to use the latest source version of Volatility and re-run the kdbgscan?
How do I do that?
@CohenEliel I think @atcuno is asking you to clone the latest volatility repository and run it using python 2.x.
Can I do it on my Windows 7 PC (which is not connected to the net)?
Yes, you can clone/download the zip file on another computer/mobile/tablet etc. and transfer it to your computer via USB or USB cable etc. Make sure that using the latest version will require a python 2.x version installed with all dependencies on your computer.
OK. But then Python will not need the internet to download dependencies?
I'm trying to avoid as far as I can installing stuff on my brother's Windows 10 PC. I've installed a lot of stuff trying to compile the scraper, virtual machine, etc., all of that for nothing. These things are putting files everywhere.
So if I can do it locally on my Windows 7 PC, I will go that way.
When I set up my environment using python 2.6, two dependencies (Distorm3 and PyCrypto) were missing so volatility didn't function properly, so I needed to install both of them. Therefore, I will advise, when you download/clone volatility, do download installers of PyCrypto and Distorm3, so that if they are absent on your system too, you can install them offline. The complete list of volatility dependencies is here
I downloaded the latest Volatility and Python 2.6.7. I extracted both of them. Now I have 2 folders:
- volatility-master
- Python-2.6.7
What do I need to do now? I'm on the Windows 10 PC right now. I'm really not familiar with all of this.
First of all, you need to install python. To verify your installation, open cmd, and type `python --version`. If the correct version number appears then this means python is installed successfully. It will look something like this:
```
E:\>python --version
Python 2.7.13
```
If you get an error message like this,
```
E:\>python --version
'python' is not recognized as an internal or external command,
operable program or batch file.
```
then this means that python is not set in the environment variables. To solve this issue go to the directory where you have installed python (default is `C:\Python27`), copy `python.exe`, and paste it in your `volatility-master` directory. Now open cmd, navigate to `volatility-master` and run `python --version`. This time you must be able to see a version number. If the version number appears then you are good to proceed with volatility.
In case of any issue or difficulty feel free to ask :smile:
What do you mean by install? After extracting the archive, do I need to run some files? There is no setup.exe in the folder.
One thing I have found is that I have Python 3.5 32-bit installed; I don't remember when I installed it.
What files do you have in Python-2.6.7? Python 3.5 is not useful for us, because volatility needs a version of python 2.
I have a folder called "Python 2.6.7" and that folder contains a bunch of files. There is a setup.py file. Is this what we are looking for?
I am not sure what that setup.py file actually is. For your ease, I have uploaded python 2.7 at Google drive. You can download and install python from there. To avoid conflicts, make sure not to include it in the environment variables because Python 3.5 is already installed in your machine.
```
python --version
Python 2.7.8
```
Done!
What now? I have moved the ram.img file to the volatility-master folder for simplicity.
Great!! Now run kdbgscan again as mentioned here
What is the command that I need to use? With the standalone version of Volatility, I've used this command:
```
"C:\Volatility 2.6\volatility_2.6_win64_standalone\volatility_2.6_win64_standalone.exe" --profile=Win7SP1x64_23418 -f ram.img kdbgscan
```
But in the volatility-master folder, there is no .exe file. There are a bunch of .py files. Do I need to install something?
For the sake of simplicity, open CMD and change the current directory to the volatility-master folder. Now run the following command:
```
python vol.py -f ram.img kdbgscan
```
This is what I get:
```
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.registry.shutdown (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getservicesids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.timeliner (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.apihooks (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.malware.servicediff (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.userassist (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.getsids (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shellbags (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.evtlogs (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.tcaudit (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.dumpregistry (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.malware.threads (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.mac.apihooks_kernel (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.registry.amcache (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.malware.svcscan (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.auditpol (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.ssdt (NameError: name 'distorm3' is not defined)
*** Failed to import volatility.plugins.registry.registryapi (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.mac.apihooks (ImportError: No module named distorm3)
*** Failed to import volatility.plugins.envars (ImportError: No module named Crypto.Hash)
*** Failed to import volatility.plugins.registry.shimcache (ImportError: No module named Crypto.Hash)
```
This means that PyCrypto and Distorm3 are not installed on your computer. You can download these two from here: Distorm3 PyCrypto
I installed both of them, still getting the same Failed to import messages. Do I need to copy something into the volatility-master folder? This is getting more and more complex.
Are you sure that PyCrypto and Distorm3 are installed correctly? Verify this by importing them in your python shell.
What is a python shell? How do I do that? Please understand that all of this is like Chinese to me. I have absolutely no knowledge of this.
Thank you for trying to help me!