
Windows 10 x64 pslist not showing anything

Open · rlawrence89 opened this issue 5 years ago · 1 comment

I am working on a Windows 10 RAM dump I collected using DumpIt. I am using the Win10x64_18362 profile.

Context
Volatility Version: 2.6.1
Operating System: Windows 10
Python Version: 2.7.17
Suspected Operating System: Windows 10
Command: >python vol.py --profile=Win10x64_18362 -f .\RAM_DUMPS\LAPTOP-H0DUE8GA-20200602-205807.raw pslist --kdbg=0xf805340a2744

OUTPUT

Volatility Foundation Volatility Framework 2.6.1
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit 
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffb0013b4c7280 ?                    32...1 35...1 14...3 -------- ------      1                                   

KDBGSCAN

C:\Users\hitma\Downloads\volatility-master>python vol.py kdbgscan -f .\RAM_DUMPS\LAPTOP-H0DUE8GA-20200602-205807.raw
Volatility Foundation Volatility Framework 2.6.1
**************************************************
Instantiating KDBG using: Unnamed AS Win10x64_18362 (6.4.18362 64bit)
Offset (V)                    : 0xf805342265e0
Offset (P)                    : 0x30265e0
KdCopyDataBlock (V)           : 0xf805340a2744
Block encoded                 : Yes
Wait never                    : 0x8e73886401d05e7f
Wait always                   : 0x3a0bd3265711d800
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win10x64_18362
Version64                     : 0xf8053422a3d8 (Major: 15, Minor: 18362)
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab)     : 18362.1.amd64fre.19h1_release.19
PsActiveProcessHead           : 0xfffff80534238b60 (1 processes)
PsLoadedModuleList            : 0xfffff80534248170 (1 modules)
KernelBase                    : 0xfffff80533e00000 (Matches MZ: True)
Major (OptionalHeader)        : 10
Minor (OptionalHeader)        : 0
KPCR                          : 0xfffff8052e10a000 (CPU 0)
KPCR                          : 0xffff9a00f6b62000 (CPU 1)
KPCR                          : 0xffff9a00f65e1000 (CPU 2)
KPCR                          : 0xffff9a00f6911000 (CPU 3)
KPCR                          : 0xffff9a00f6c8a000 (CPU 4)
KPCR                          : 0xffff9a00f6d39000 (CPU 5)
KPCR                          : 0xffff9a00f6dd6000 (CPU 6)
KPCR                          : 0xffff9a00f6e80000 (CPU 7)

rlawrence89 · Jun 03 '20 19:06

Did you let kdbgscan run to completion or did you stop it after the first result? If you stopped it then please re-run and wait for full output and then copy/paste it all.

atcuno · Jun 03 '20 21:06
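The check atcuno is asking for, written out as an added example (Python 3 code of my own, not part of Volatility and not posted by either participant): a script that parses the full text output of `kdbgscan`, one block per `Instantiating KDBG using:` header, and ranks the candidates. A KDBG whose `PsActiveProcessHead` walks only 1 process and whose `PsLoadedModuleList` walks only 1 module, as in the block pasted above, cannot describe a live system, so `pslist` run with its `--kdbg` value prints a single bogus row. For encoded blocks (`Block encoded: Yes`, Windows 8 and later) the value to pass as `--kdbg` is `KdCopyDataBlock (V)`, which is what the issue's command did. The first candidate in the embedded sample reproduces the numbers from the issue; the second candidate, its addresses and counts, and the file name `rank_kdbg.py` are constructed for the example.

```python
"""Rank KDBG candidates from Volatility 2 `kdbgscan` text output (Python 3).

Added example, not Volatility code. Save the complete kdbgscan output to a
file and run `python3 rank_kdbg.py kdbgscan.txt`; with no argument it runs
on the constructed sample below.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional

_BLOCK_SPLIT = re.compile(r"^\*{10,}\s*$", re.MULTILINE)          # candidate separator
_FIELD = re.compile(r"^(?P<key>[^:\n]+?)\s*:\s*(?P<val>.*?)\s*$", re.MULTILINE)
_COUNT = re.compile(r"\((\d+) (?:processes|modules)\)")


@dataclass
class KdbgCandidate:
    offset_v: str
    copy_data_block: Optional[str]
    encoded: bool
    profile: Optional[str]
    processes: int
    modules: int
    kernel_base_ok: bool
    cpus: int

    def kdbg_arg(self) -> str:
        """Value for --kdbg: KdCopyDataBlock on encoded blocks, else Offset (V)."""
        if self.encoded and self.copy_data_block:
            return self.copy_data_block
        return self.offset_v

    def problems(self) -> List[str]:
        """Reasons not to trust this candidate; an empty list means plausible."""
        notes = []
        if self.processes <= 1:
            notes.append(f"only {self.processes} process(es) reachable from PsActiveProcessHead")
        if self.modules <= 1:
            notes.append(f"only {self.modules} module(s) reachable from PsLoadedModuleList")
        if not self.kernel_base_ok:
            notes.append("KernelBase does not point at an MZ header")
        return notes

    def score(self) -> int:
        return self.processes + self.modules


def _count(val: Optional[str]) -> int:
    m = _COUNT.search(val or "")
    return int(m.group(1)) if m else 0


def parse_kdbgscan(text: str) -> List[KdbgCandidate]:
    """Parse every 'Instantiating KDBG using:' block into a KdbgCandidate."""
    found = []
    for chunk in _BLOCK_SPLIT.split(text):
        if "Instantiating KDBG using" not in chunk:
            continue
        fields: Dict[str, str] = {}
        cpus = 0
        for m in _FIELD.finditer(chunk):
            key = m.group("key").strip()
            if key == "KPCR":                  # one KPCR line per CPU
                cpus += 1
            fields[key] = m.group("val")
        found.append(KdbgCandidate(
            offset_v=fields.get("Offset (V)", "?"),
            copy_data_block=fields.get("KdCopyDataBlock (V)"),
            encoded=fields.get("Block encoded", "No").lower() == "yes",
            profile=fields.get("Profile suggestion (KDBGHeader)"),
            processes=_count(fields.get("PsActiveProcessHead")),
            modules=_count(fields.get("PsLoadedModuleList")),
            kernel_base_ok="Matches MZ: True" in fields.get("KernelBase", ""),
            cpus=cpus,
        ))
    return found


def best_candidate(text: str) -> Optional[KdbgCandidate]:
    """Highest-scoring candidate with no problems, or None when all look bad."""
    good = [c for c in parse_kdbgscan(text) if not c.problems()]
    return max(good, key=KdbgCandidate.score) if good else None


def report(text: str) -> str:
    lines = []
    for i, c in enumerate(parse_kdbgscan(text), 1):
        status = "; ".join(c.problems()) or "plausible"
        lines.append(f"#{i} {c.offset_v} profile={c.profile} procs={c.processes} "
                     f"mods={c.modules} cpus={c.cpus}: {status}")
    best = best_candidate(text)
    lines.append(f"use: --kdbg={best.kdbg_arg()}" if best
                 else "use: none; re-run kdbgscan to completion or try another profile")
    return "\n".join(lines)


# Constructed sample: candidate 1 copies the values from the issue, candidate 2
# (addresses and counts) is made up to show what a usable KDBG block looks like.
SAMPLE_KDBGSCAN = """Volatility Foundation Volatility Framework 2.6.1
**************************************************
Instantiating KDBG using: Unnamed AS Win10x64_18362 (6.4.18362 64bit)
Offset (V)                    : 0xf805342265e0
KdCopyDataBlock (V)           : 0xf805340a2744
Block encoded                 : Yes
Profile suggestion (KDBGHeader): Win10x64_18362
Version64                     : 0xf8053422a3d8 (Major: 15, Minor: 18362)
PsActiveProcessHead           : 0xfffff80534238b60 (1 processes)
PsLoadedModuleList            : 0xfffff80534248170 (1 modules)
KernelBase                    : 0xfffff80533e00000 (Matches MZ: True)
KPCR                          : 0xfffff8052e10a000 (CPU 0)
KPCR                          : 0xffff9a00f6b62000 (CPU 1)
**************************************************
Instantiating KDBG using: Unnamed AS Win10x64_18362 (6.4.18362 64bit)
Offset (V)                    : 0xf80534aa05e0
KdCopyDataBlock (V)           : 0xf80534a02744
Block encoded                 : Yes
Profile suggestion (KDBGHeader): Win10x64_18362
PsActiveProcessHead           : 0xfffff80534ab8b60 (143 processes)
PsLoadedModuleList            : 0xfffff80534ac8170 (206 modules)
KernelBase                    : 0xfffff80533e00000 (Matches MZ: True)
KPCR                          : 0xfffff8052e10a000 (CPU 0)
"""

if __name__ == "__main__":
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_KDBGSCAN
    print(report(src))
```

If every candidate comes back flagged, the fix is not a different `--kdbg` value from the same scan: either the scan was cut short (which is the question in the reply above) or the profile does not match the build, in which case `kdbgscan` with a different `--profile` is the next step.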