
Memory analysis from Windows 20H2+ not possible

Open martii-xx opened this issue 4 years ago • 0 comments

I'm currently trying to examine a Windows 20H2 RAM memory file created with DumpIt. As there is no appropriate profile for this Windows version in Volatility 2 (I tried to identify the Windows version with Volatility 2 using imageinfo, but after waiting over 1h I didn't get any result), I also tried Volatility 3:

┌──(root💀kali)-[/home/kali/Downloads/volatility3]
└─# python3 vol.py -f /home/kali/Desktop/MICHAEL-20210930-221612.raw windows.info                  
Volatility 3 Framework 2.0.0
Progress:  100.00               PDB scanning finished                        
Variable        Value

Kernel Base     0xf80766a00000
DTB     0x1ad000
Symbols file:///home/kali/Downloads/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/47114209A62F3B9930F6B8998DFD4A99-1.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 FileLayer
KdVersionBlock  0xf8076760f378
Major/Minor     15.19041
MachineType     34404
KeNumberProcessors      4
SystemTime      2021-09-30 22:17:06
NtSystemRoot    C:\WINDOWS
NtProductType   NtProductWinNt
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine      34404
PE TimeDateStamp        Sat Apr  7 12:04:17 2068

As you can see, the Windows version shown by Volatility 3 is 19041, but I'm pretty sure it is 19042. PE TimeDateStamp is also incorrect, as I created the image two weeks ago. Recognising the wrong version wouldn't be such a problem, but the pslist command is also not working properly:

┌──(root💀kali)-[/home/kali/Downloads/volatility3]
└─# python3 vol.py -f /home/kali/Desktop/MICHAEL-20210930-221612.raw windows.pslist.PsList                                                                                                                                               2 ⨯
Volatility 3 Framework 2.0.0
Progress:  100.00               PDB scanning finished                        
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output

133397932895849 56312950121266  ����n#{"detai   0xe586e4ce4080  1869182064      -       -       True    -       -       Disabled

Other commands also seem not to work properly:

┌──(root💀kali)-[/home/kali/Downloads/volatility3]
└─# python3 vol.py -f /home/kali/Desktop/MICHAEL-20210930-221612.raw windows.pstree.PsTree
Volatility 3 Framework 2.0.0
Progress:  100.00               PDB scanning finished                        
PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime


Volatility was unable to read a requested page:
Page error 0x22202c226d5d in layer layer_name (Page Fault at entry 0x0 in table page directory pointer)

        * Memory smear during acquisition (try re-acquiring if possible)
        * An intentionally invalid page lookup (operating system protection)
        * A bug in the plugin/volatility3 (re-run with -vvv and file a bug)

No further results will be produced

Other commands are also not working; I can't get any meaningful output from the image. I'm pretty sure I created the dump file properly. Can somebody help me?

martii-xx · Oct 17 '21 17:10
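The output quoted in this issue can be checked mechanically before any of it is trusted. The following Python is an added example, not code from the issue or from the Volatility project: it parses the windows.info and pslist tables as printed above and flags fields that cannot be right (a PE timestamp later than the dump's own SystemTime, PIDs that do not fit in 32 bits, non-printable image names, absurd thread counts). The numeric bounds and the optional `expected_build` comparison are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Constructed samples, copied from the windows.info and pslist output quoted in this issue.
INFO_OUTPUT = """Variable        Value
Major/Minor     15.19041
SystemTime      2021-09-30 22:17:06
PE TimeDateStamp        Sat Apr  7 12:04:17 2068
"""
PSLIST_OUTPUT = """PID     PPID    ImageFileName   Offset(V)       Threads Handles SessionId       Wow64   CreateTime      ExitTime        File output
133397932895849 56312950121266  \ufffd\ufffd\ufffd\ufffdn#{"detai   0xe586e4ce4080  1869182064      -       -       True    -       -       Disabled
"""
MAX_PID = 0xFFFFFFFF   # Windows PIDs fit in 32 bits; anything larger is garbage (assumed bound)
MAX_THREADS = 100_000  # generous bound for one process's thread count (assumed)

def parse_info(text):
    """Turn the two-column Variable/Value table into a dict, skipping the header."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s{2,}(.+)$", line)
        if m and m.group(1) != "Variable":
            table[m.group(1)] = m.group(2).strip()
    return table

def check_info(table, expected_build=None):
    """Flag a PE timestamp later than the dump itself and a build number mismatch."""
    findings = []
    sys_time = datetime.strptime(table["SystemTime"], "%Y-%m-%d %H:%M:%S")
    pe_time = datetime.strptime(table["PE TimeDateStamp"], "%a %b %d %H:%M:%S %Y")
    if pe_time > sys_time:
        findings.append("PE TimeDateStamp is later than SystemTime: kernel image or symbols suspect")
    build = table["Major/Minor"].split(".")[-1]
    if expected_build and build != expected_build:
        findings.append(f"reported build {build} differs from expected {expected_build}")
    return findings

def check_pslist(text):
    """Flag rows whose PID, PPID, image name or thread count cannot belong to a real process."""
    findings = []
    rows = [l for l in text.splitlines() if l.strip()][1:]  # drop the header row
    for row in rows:
        pid, ppid, name, _offset, threads = row.split()[:5]
        for label, value in (("PID", pid), ("PPID", ppid)):
            if not value.isdigit() or int(value) > MAX_PID:
                findings.append(f"{label} {value} is not a valid 32-bit Windows PID")
        if not name.isascii() or not name.isprintable():
            findings.append(f"ImageFileName {name!r} is not printable ASCII (smeared memory?)")
        if threads.isdigit() and int(threads) > MAX_THREADS:
            findings.append(f"Threads {threads} is implausibly large")
    return findings
```

Run against the sample, `check_info` reports the future PE timestamp and `check_pslist` reports all four impossible fields of the single row, which is the same conclusion the author reached by eye.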