volatility

volatility copied to clipboard

volatilityfoundation

Reame
Issues

PSTREE error

Open c0debr opened this issue 1 year ago • 15 comments

I am attemtping to use pstree on volatility 2.6.1 and for whatever reason it does not appear to be working despite my using multiple profiles. and i require assistance in trying to find the cause of the error and correcting it?. Screenshot 2024-05-22 182309

May 22 '24 21:05 c0debr

Could you run vol with the -vvv option before the plugin name and share the log output as text and not an image. It really helps work out what's going on.

May 22 '24 21:05 eve-mem

A quick note, vol3 doesn't need you to choose a profile. It'll find it automatically.

May 22 '24 21:05 eve-mem

C:\Users\W0457579\Documents\volatility-master\volatility-master> C:\Users\W0457579\Documents\volatility-master\volatility-master> C:\Users\W0457579\Documents\volatility-master\volatility-master>python vol.py -f "Clone of Clone of Windows 7 x64-a88debbd.vmem" --profile=Win7SP1x64 pstree Volatility Foundation Volatility Framework 2.6.1 Name Pid PPid Thds Hnds Time

0xfffffa8006d26890: 0 0 0 ------ 1970-01-01 00:00:00 UTC+0000

C:\Users\W0457579\Documents\volatility-master\volatility-master>python vol.py -f "Clone of Clone of Windows 7 x64-a88debbd.vmem" --profile=Win7SP0x64 pstree Volatility Foundation Volatility Framework 2.6.1 Name Pid PPid Thds Hnds Time

0xfffffa8006d26890: 0 0 0 ------ 1970-01-01 00:00:00 UTC+0000

C:\Users\W0457579\Documents\volatility-master\volatility-master>python vol.py -f "Clone of Clone of Windows 7 x64-a88debbd.vmem" --profile=Win2008R2SP0x64 pstree Volatility Foundation Volatility Framework 2.6.1 Name Pid PPid Thds Hnds Time

0xfffffa8006d26890: 0 0 0 ------ 1970-01-01 00:00:00 UTC+0000

C:\Users\W0457579\Documents\volatility-master\volatility-master>python vol.py -f "Clone of Clone of Windows 7 x64-a88debbd.vmem" --profile=Win2008R2SP1x64_24000 pstree Volatility Foundation Volatility Framework 2.6.1 Name Pid PPid Thds Hnds Time

0xfffffa8006d26890: 0 0 0 ------ 1970-01-01 00:00:00 UTC+0000

C:\Users\W0457579\Documents\volatility-master\volatility-master>python vol.py -f "Clone of Clone of Windows 7 x64-a88debbd.vmem" --profile=Win2008R2SP1x64_23418 pstree Volatility Foundation Volatility Framework 2.6.1 Name Pid PPid Thds Hnds Time

0xfffffa8006d26890: 0 0 0 ------ 1970-01-01 00:00:00 UTC+0000

C:\Users\W0457579\Documents\volatility-master\volatility-master>python vol.py -f "Clone of Clone of Windows 7 x64-a88debbd.vmem" --profile=Win2008R2SP1x64 pstree Volatility Foundation Volatility Framework 2.6.1 Name Pid PPid Thds Hnds Time

0xfffffa8006d26890: 0 0 0 ------ 1970-01-01 00:00:00 UTC+0000

C:\Users\W0457579\Documents\volatility-master\volatility-master>python vol.py -f "Clone of Clone of Windows 7 x64-a88debbd.vmem" --profile=Win7SP1x64_24000 pstree Volatility Foundation Volatility Framework 2.6.1 Name Pid PPid Thds Hnds Time

0xfffffa8006d26890: 0 0 0 ------ 1970-01-01 00:00:00 UTC+0000

C:\Users\W0457579\Documents\volatility-master\volatility-master>python vol.py -f "Clone of Clone of Windows 7 x64-a88debbd.vmem" --profile=Win7SP1x64_23418 pstree Volatility Foundation Volatility Framework 2.6.1 Name Pid PPid Thds Hnds Time

0xfffffa8006d26890: 0 0 0 ------ 1970-01-01 00:00:00 UTC+0000

C:\Users\W0457579\Documents\volatility-master\volatility-master>python vol.py -f "Clone of Clone of Windows 7 x64-a88debbd.vmem" --profile=Win7SP1x64 pslist Volatility Foundation Volatility Framework 2.6.1 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit

0xfffffa8006d26890 0 0 0 -------- ------ 0

C:\Users\W0457579\Documents\volatility-master\volatility-master>

does this work better?

May 22 '24 21:05 c0debr

and i understand but i simply wish to work out whats wrong with 2.6

May 22 '24 21:05 c0debr

Please use the -vvv option so that more logs are made and upload that.

Vol3 has a 2.6.1 version, or do you mean you're trying to run the old python2 framework? If so you'll have more luck raising an issue there.

Edit: yes sorry. I see you are using the old framework. You'll be better off raising an issue there.

May 22 '24 21:05 eve-mem

how do i use the -vvv option?

May 22 '24 21:05 c0debr

To use -vvv with the newer framework you would do this.

Vol.py -f image.vmem -vvv windows.pstree

I'm not sure about extra logging with the older framework, you're better off raising an issue there if yiu want help understanding that.

I'd really encourage you to use the newer framework.

May 22 '24 21:05 eve-mem

C:\Users\W0457579\Documents\volatility-master\volatility-master>python vol.py -f "Clone of Clone of Windows 7 x64-a88debbd.vmem" --profile=Win7SP1x64 -vvv pslist Volatility Foundation Volatility Framework 2.6.1 Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit

0xfffffa8006d26890 0 0 0 -------- ------ 0

C:\Users\W0457579\Documents\volatility-master\volatility-master>

alright here's what i was able to find

May 22 '24 21:05 c0debr

also where do you reccomend i ask this issue?

May 22 '24 21:05 c0debr

Yes, that is the older Framework. I can't personally help you with that. You'll have more luck using the newer framework or raising an issue on the older frameworks page.

This isn't an issue with vol3.

May 22 '24 21:05 eve-mem

where's the older frameworks page?

May 22 '24 21:05 c0debr

https://github.com/volatilityfoundation/volatility

May 22 '24 21:05 eve-mem

how do i comment on the page since im not seeing the option to do so?

May 22 '24 21:05 c0debr

In exactly the same way you created this issue, just on that project instead https://github.com/volatilityfoundation/volatility/issues

GitHub guide:

https://docs.github.com/en/issues/tracking-your-work-with-issues/creating-an-issue

I'd really recommend using the newer framework.

May 22 '24 21:05 eve-mem

Please keep in mind that volatility 2 is no longer supported and was last updated 4 years ago. You'd be better advised trying to get volatility 3's pslist to work on the memory image you have.

May 22 '24 23:05 ikelos