
Win7 build 23864 memdump doesn't work with any win7 profiles #451

Closed
zachsis opened this issue Aug 17, 2017 · 5 comments

Comments


zachsis commented Aug 17, 2017

Hi all,

I am trying to do some forensics of an image I took with DumpIt on a Windows 7 x64 SP1 machine build 23864, and I'm not getting any output from psxview, pslist, apihooks etc...

Here is some output of what I have tried so far:

imageinfo

# volatility -f XXXXXXX-20170816-213028.raw --profile=Win7SP1x64 --kdbg=0xf800033ef110 imageinfo
Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/media/sf_vboxshare/XXXXXXX-20170816-213028.raw)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf800033ef110L
          Number of Processors : 1
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff800033f0d00L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2017-08-16 21:30:31 UTC+0000
     Image local date and time : 2017-08-16 15:30:31 -0600

kdbgscan

# volatility -f XXXXXXX-20170816-213028.raw --profile=Win7SP1x64 kdbgscan
Volatility Foundation Volatility Framework 2.6
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800033ef110
Offset (P)                    : 0x33ef110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
Version64                     : 0xf800033ef0e8 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.23807.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80003426440 (1 processes)
PsLoadedModuleList            : 0xfffff80003444750 (1 modules)
KernelBase                    : 0xfffff80003202000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff800033f0d00 (CPU 0)

**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800033ef110
Offset (P)                    : 0x33ef110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64
Version64                     : 0xf800033ef0e8 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.23807.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80003426440 (1 processes)
PsLoadedModuleList            : 0xfffff80003444750 (1 modules)
KernelBase                    : 0xfffff80003202000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff800033f0d00 (CPU 0)

**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800033ef110
Offset (P)                    : 0x33ef110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64_23418
Version64                     : 0xf800033ef0e8 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.23807.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80003426440 (1 processes)
PsLoadedModuleList            : 0xfffff80003444750 (1 modules)
KernelBase                    : 0xfffff80003202000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff800033f0d00 (CPU 0)

**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800033ef110
Offset (P)                    : 0x33ef110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP0x64
Version64                     : 0xf800033ef0e8 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.23807.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80003426440 (1 processes)
PsLoadedModuleList            : 0xfffff80003444750 (1 modules)
KernelBase                    : 0xfffff80003202000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff800033f0d00 (CPU 0)

**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800033ef110
Offset (P)                    : 0x33ef110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP0x64
Version64                     : 0xf800033ef0e8 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.23807.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80003426440 (1 processes)
PsLoadedModuleList            : 0xfffff80003444750 (1 modules)
KernelBase                    : 0xfffff80003202000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff800033f0d00 (CPU 0)

**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800033ef110
Offset (P)                    : 0x33ef110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2008R2SP1x64_23418
Version64                     : 0xf800033ef0e8 (Major: 15, Minor: 7601)
Service Pack (CmNtCSDVersion) : 1
Build string (NtBuildLab)     : 7601.23807.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80003426440 (1 processes)
PsLoadedModuleList            : 0xfffff80003444750 (1 modules)
KernelBase                    : 0xfffff80003202000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 1
KPCR                          : 0xfffff800033f0d00 (CPU 0)

psscan --profile=Win7SP1x64

# volatility -f XXXXXX-20170816-213028.raw --profile=Win7SP1x64 --kdbg=0xf800033ef110 psscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited                   
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------

psscan --profile=Win7SP1x64_23418

# volatility -f XXXXXXX-20170816-213028.raw --profile=Win7SP1x64_23418 --kdbg=0xf800033ef110 psscan
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited                   
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------

psxview --profile=Win7SP1x64

# volatility -f XXXXXX-20170816-213028.raw --profile=Win7SP1x64 --kdbg=0xf800033ef110 psxview
Volatility Foundation Volatility Framework 2.6
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000041e72d040                           0 True   False  False    False  False False   False    

pslist --profile=Win7SP1x64_23418

# volatility -f XXXXXXXX-20170816-213028.raw --profile=Win7SP1x64_23418 --kdbg=0xf800033ef110 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800c72d040                           0      0      0 -------- ------      0  
# volatility -f XXXXXXX-20170816-213028.raw --profile=Win7SP1x64 --kdbg=0xf800033ef110 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa800c72d040                           0      0      0 -------- ------      0                                                              
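The kdbgscan output above already carries the diagnosis: every candidate passes the owner-tag and MZ checks, yet the PsActiveProcessHead and PsLoadedModuleList walks each return a single entry, which is consistent with an image in which the kernel's list pages were never captured rather than with a wrong profile. The script below is an added example, not code from this issue or from the Volatility project; it parses a Volatility 2 kdbgscan report and flags candidates whose list walks come back empty. The first sample block is abridged from the issue's own output, the second "healthy" block is constructed for contrast, and the MIN_PROCESSES / MIN_MODULES thresholds are my own heuristic, not a Volatility rule.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. The first block is abridged from the kdbgscan
# output in the issue; the second is an invented "healthy" candidate for
# contrast and does not come from any real image.
ISSUE_KDBGSCAN = """\
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf800033ef110
Offset (P)                    : 0x33ef110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
Build string (NtBuildLab)     : 7601.23807.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80003426440 (1 processes)
PsLoadedModuleList            : 0xfffff80003444750 (1 modules)
KernelBase                    : 0xfffff80003202000 (Matches MZ: True)
"""
HEALTHY_KDBGSCAN = """\
**************************************************
Instantiating KDBG using: Kernel AS Win7SP1x64 (6.1.7601 64bit)
Offset (V)                    : 0xf80002a0b110
Offset (P)                    : 0x2a0b110
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win7SP1x64
Build string (NtBuildLab)     : 7601.23807.amd64fre.win7sp1_ldr.
PsActiveProcessHead           : 0xfffff80002a42440 (47 processes)
PsLoadedModuleList            : 0xfffff80002a60750 (138 modules)
KernelBase                    : 0xfffff8000281e000 (Matches MZ: True)
"""

BLOCK_SEP = re.compile(r"^\*{10,}[ \t]*$", re.MULTILINE)   # line of asterisks
KV_LINE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<val>.*)$")  # "key : value"
COUNT = re.compile(r"\((\d+) (?:processes|modules)\)")       # "(N processes)"

# Heuristic thresholds (assumption): a live Windows 7 host always has far more
# than one process and one loaded kernel module, so a walk that stops at 0 or 1
# entries means the list pages are unreadable, not that the profile is wrong.
MIN_PROCESSES = 2
MIN_MODULES = 2


@dataclass
class KdbgCandidate:
    profile: str
    offset_v: str
    build: str
    owner_tag_ok: bool
    kernel_mz_ok: bool
    processes: Optional[int]
    modules: Optional[int]


def _count(val: str) -> Optional[int]:
    m = COUNT.search(val)
    return int(m.group(1)) if m else None


def parse_kdbgscan(text: str) -> List[KdbgCandidate]:
    """Split a kdbgscan report into its asterisk-delimited candidate blocks."""
    candidates = []
    for chunk in BLOCK_SEP.split(text):
        fields = {}
        for line in chunk.splitlines():
            m = KV_LINE.match(line)
            if m:
                fields[m.group("key").strip()] = m.group("val").strip()
        if "Profile suggestion (KDBGHeader)" not in fields:
            continue  # banner text or an empty chunk, not a candidate
        candidates.append(KdbgCandidate(
            profile=fields["Profile suggestion (KDBGHeader)"],
            offset_v=fields.get("Offset (V)", ""),
            build=fields.get("Build string (NtBuildLab)", ""),
            owner_tag_ok=fields.get("KDBG owner tag check") == "True",
            kernel_mz_ok="Matches MZ: True" in fields.get("KernelBase", ""),
            processes=_count(fields.get("PsActiveProcessHead", "")),
            modules=_count(fields.get("PsLoadedModuleList", "")),
        ))
    return candidates


def assess(c: KdbgCandidate) -> List[str]:
    """Return the reasons a candidate looks unusable (empty list = looks fine)."""
    findings = []
    if not c.owner_tag_ok:
        findings.append("KDBG owner tag check failed: offset is not a real KDBG")
    if not c.kernel_mz_ok:
        findings.append("KernelBase does not resolve to an MZ header: kernel pages missing")
    if c.processes is None or c.processes < MIN_PROCESSES:
        findings.append(f"PsActiveProcessHead walk yielded {c.processes} entries: list pages unreadable")
    if c.modules is None or c.modules < MIN_MODULES:
        findings.append(f"PsLoadedModuleList walk yielded {c.modules} entries: list pages unreadable")
    return findings


def diagnose(text: str) -> str:
    """One-line verdict for a whole kdbgscan report."""
    cands = parse_kdbgscan(text)
    if not cands:
        return "no KDBG candidates found in report"
    good = [c for c in cands if not assess(c)]
    if good:
        return f"usable: --profile={good[0].profile} --kdbg={good[0].offset_v}"
    return ("every KDBG candidate fails the same checks: the image is incomplete, "
            "re-acquire it rather than trying more profiles")


if __name__ == "__main__":
    for label, report in (("issue", ISSUE_KDBGSCAN), ("healthy", HEALTHY_KDBGSCAN)):
        print(f"{label}: {diagnose(report)}")
        for c in parse_kdbgscan(report):
            for f in assess(c):
                print(f"  [{c.profile} @ {c.offset_v}] {f}")
```

Feed it the saved output of `volatility -f image.raw kdbgscan` (all profiles) before spending time on plugins: when every candidate is flagged for the same reason, as in this issue, switching profiles will not help and the time is better spent re-acquiring the image.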
Contributor

iMHLv2 commented Aug 17, 2017

That's pretty typical of DumpIt. I would recommend using Surge instead. It's not free, but it works: https://www.volexity.com/products-overview/surge/.

Author

zachsis commented Aug 17, 2017

@iMHLv2 are there any open source tools you would recommend? Have you seen the same behavior using the old moonsols win[32|64]dd.exe?

Contributor

iMHLv2 commented Aug 17, 2017

No sir, none that I'm willing to vouch for. Backporting your acquisition software is a bad idea in general, because lots of things have been changing recently with regards to memory. So if the latest version of a tool doesn't work, it's highly unlikely an older version would. If it's a "clutch" situation (i.e. the target machine is about to get formatted) and you don't have time to procure a license, you may be able to get a trial copy.

Author

zachsis commented Aug 17, 2017

@iMHLv2 I am going to give FTK Imager a shot and if that doesn't work I'll get my boss's boss to fork over some cash for a commercial tool. Thanks!

@zachsis zachsis closed this as completed Aug 17, 2017
Contributor

iMHLv2 commented Aug 17, 2017

No worries, good luck.
