volatility
An advanced memory forensics framework
Hi, some hard-coded kernel structures, such as mnt_namespace, have changed (7 times) since kernel 3.3 ([like 4.9 here](https://elixir.bootlin.com/linux/v4.9/source/fs/mount.h#L7)), but [module.c](https://github.com/volatilityfoundation/volatility/blob/master/tools/linux/module.c) was not updated. I would like to make a...
I got a Windows 7 x64 memory image and then converted it to a WinDbg dmp with raw2dmp. I opened the dmp in WinDbg. I typed `!wow64exts.sw`; the rsp was normal, `16.0:`...
`NtBuildNumber` located in `KUSER_SHARED_DATA` for Windows 10, contains the build number. I don't see volatility using this anywhere. Instead it scans the memory to find KDBG for it, which seems...
I am working with a Linux ARM architecture qemu-based virtual machine. I am able to successfully create a new profile, but when I use the profile with the plugins, such...
Hi, I have just created a Linux profile for _CentOS 7.6.18 (kernel version 3.10)_. The ZIP file looks like any other publicly available Linux profile and was copied to `volatility\plugins\overlays\linux`....
Hello, I used LiveKd (a Windows Sysinternals tool) to extract the memory dump and tried Volatility to analyse it. However, I could not figure it out; imageinfo cannot...
What is the command to obtain a dump of RAM or the entire OS (.iso, .dd, .img)? I tried the nofault app that generates a system crash, but after the BSOD and collecting the data dump there is no file on the system...
tagWnd spwndNext offsets per build: 7601: 0x48, 14393: 0x58, 15063: 0x58, 16299: 0x58, 17134: 0x40, 17763: 0x40. tagWND* spwndNext (we know that one offset is enough); tagWnd* spwndPrev: + 8; tagWnd* spwndParent: + 8x2; tagWnd* spwndChild: + 8x3; tagWnd*...
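The post above argues that the four tagWND sibling/parent pointers can be derived from the single build-specific spwndNext offset because they are laid out consecutively. The following is an added example illustrating that idea; it is not Volatility code and not the poster's code. The per-build offsets are copied from the post and not independently verified here; the pointer size (8, x64), the struct size, the addresses and the window list are all constructed for the demonstration. It builds a fake window tree for one build and walks it with the right and with a wrong build's offsets, which shows how a stale hard-coded offset fails silently (an empty or truncated window list) rather than with an error.

```python
import struct

# spwndNext offsets per Windows build, as listed in the issue above.
# Taken from that post, not verified against real symbols here.
SPWND_NEXT_OFFSET = {
    7601: 0x48,
    14393: 0x58,
    15063: 0x58,
    16299: 0x58,
    17134: 0x40,
    17763: 0x40,
}
PTR_SIZE = 8      # x64 tagWND* fields, matching the "+ 8" spacing in the post
WND_SIZE = 0x80   # hypothetical struct size, large enough to hold the four fields


def tagwnd_offsets(build):
    """Derive the four pointer offsets from spwndNext alone, following the
    post's observation that Prev, Parent and Child follow at +8 each."""
    base = SPWND_NEXT_OFFSET[build]
    return {
        "spwndNext": base,
        "spwndPrev": base + PTR_SIZE,
        "spwndParent": base + 2 * PTR_SIZE,
        "spwndChild": base + 3 * PTR_SIZE,
    }


def build_image(build, sibling_addrs, parent_addr):
    """Construct a fake flat memory image: dict of address -> tagWND bytes.
    The siblings form a doubly linked list under one parent window."""
    off = tagwnd_offsets(build)
    image = {}
    for i, addr in enumerate(sibling_addrs):
        buf = bytearray(WND_SIZE)
        nxt = sibling_addrs[i + 1] if i + 1 < len(sibling_addrs) else 0
        prv = sibling_addrs[i - 1] if i > 0 else 0
        struct.pack_into("<Q", buf, off["spwndNext"], nxt)
        struct.pack_into("<Q", buf, off["spwndPrev"], prv)
        struct.pack_into("<Q", buf, off["spwndParent"], parent_addr)
        image[addr] = bytes(buf)
    # The parent's spwndChild points at the first sibling.
    pbuf = bytearray(WND_SIZE)
    struct.pack_into("<Q", pbuf, off["spwndChild"], sibling_addrs[0])
    image[parent_addr] = bytes(pbuf)
    return image


def read_ptr(image, addr, offset):
    """Read a pointer-sized field; None if the page is unmapped or the
    offset runs past the struct (what a plugin would see on bad offsets)."""
    buf = image.get(addr)
    if buf is None or offset + PTR_SIZE > len(buf):
        return None
    return struct.unpack_from("<Q", buf, offset)[0]


def walk_children(image, parent_addr, build, limit=4096):
    """Enumerate a parent's children by following spwndChild then spwndNext,
    the way a window-listing plugin does. Stops on null, unmapped memory,
    or a revisited address (limit guards against corrupted lists)."""
    off = tagwnd_offsets(build)
    seen = []
    cur = read_ptr(image, parent_addr, off["spwndChild"])
    while cur and cur not in seen and len(seen) < limit:
        seen.append(cur)
        cur = read_ptr(image, cur, off["spwndNext"])
    return seen


if __name__ == "__main__":
    siblings = [0x1000, 0x2000, 0x3000]   # constructed addresses
    image = build_image(17134, siblings, parent_addr=0x9000)
    print("17134 offsets:", [hex(a) for a in walk_children(image, 0x9000, 17134)])
    print("7601 offsets on the same image:",
          [hex(a) for a in walk_children(image, 0x9000, 7601)])
```

With the matching build the walk returns all three siblings; with the 7601 offsets applied to a 17134 image the spwndChild field is read from a zeroed part of the struct and the walk returns nothing, which is the kind of quiet breakage a per-build offset table is meant to prevent.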
Hi, I have a custom ARM kernel that I created a profile for; however, I'm unable to get any plugins to work correctly. The kernel that I created the profile...
Memory image from Windows 7 SP1 x86. Profile: Win7SP1x86_24000. Memory image taken from a VirtualBox VM. I'm using the latest volatility checked out from git. I started a process "catchme32.exe" on...