Redline Memory Image Support #98
Comments
I believe redline's |
Thanks for replying @ikelos. I got this output: I made sure that symbols are in the right directory and in order. I am not sure why it's not working. |
Hmmm, so first off, from the output, it looks like the raw memory image is fine (and that the dat files that Redline/Memoryze produces are just raw memory images), and it did find an intel layer (because you didn't get an issue about primary not being fulfilled, just the nt_symbols). You can run the command again using |
I did. Here's what I got:
I think this is where the issue is residing:
How do I change the type and what input shall I provide for my memory image .dat file? Appreciate your help. |
Hiya, Thanks for running that! As it turns out, the TypeError is fine and expected, the issue is when the pdbscan automagic tries to determine the kernel base value. At the moment, it tries three different methods, and the third one finds a potential kernel base, but then fails to read that page of memory. This is actually the same type of trace as seen by @araaj in issue #96. As I said there, my best guess is that the acquisition wasn't successful. If you could produce a memory image that you're happy to make public, then we could try to diagnose the issue further? More than that, I'm not sure how best to help. Again, it looks as though the .dat file is a normal memory image and can be read ok by volatility when it's intact. I'd need to check a failing file to find out if the layout of the file is different, or there's an issue in vol3 that causes the problem... |
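A quick way to check whether a raw .dat image is intact before digging further into vol3, as an added example that is not Volatility's or Redline's own code (the 4 KiB page size and the constructed sample image are assumptions): it counts page-aligned PE headers, which is roughly what a kernel-base scan expects to find, and the share of all-zero pages, which a partial acquisition tends to leave behind.

```python
"""Sanity-check a raw memory image (such as the .dat that Redline/Memoryze writes)
before blaming the analysis tool: count page-aligned PE headers and zero-filled pages.
Added example, not part of Volatility 3 or Redline; the sample image is constructed."""
import struct

PAGE = 0x1000  # assumed page size


def scan_raw_image(data: bytes, page_size: int = PAGE) -> dict:
    """Return offsets of page-aligned MZ/PE headers and the fraction of all-zero pages.
    A kernel base candidate with no PE header behind it, or a large zero fraction,
    points at an incomplete acquisition rather than a parser problem."""
    pe_offsets = []
    zero_pages = 0
    total_pages = (len(data) + page_size - 1) // page_size
    for off in range(0, len(data), page_size):
        page = data[off:off + page_size]
        if not any(page):
            zero_pages += 1
            continue
        if page[:2] != b"MZ" or len(page) < 0x40:
            continue
        e_lfanew = struct.unpack_from("<I", page, 0x3C)[0]
        # The PE signature must lie inside the image and read "PE\0\0".
        sig = data[off + e_lfanew:off + e_lfanew + 4]
        if e_lfanew + 4 <= len(data) - off and sig == b"PE\0\0":
            pe_offsets.append(off)
    return {"pe_offsets": pe_offsets,
            "zero_fraction": zero_pages / total_pages if total_pages else 0.0}


def fake_pe_page(page_size: int = PAGE) -> bytes:
    """Constructed page carrying a minimal MZ header whose e_lfanew points at 'PE\\0\\0'."""
    page = bytearray(page_size)
    page[:2] = b"MZ"
    struct.pack_into("<I", page, 0x3C, 0x80)
    page[0x80:0x84] = b"PE\0\0"
    return bytes(page)


if __name__ == "__main__":
    # Constructed 4-page image: filler, one PE module, then two zero pages
    # standing in for a region the acquisition never captured.
    image = b"\x41" * PAGE + fake_pe_page() + b"\x00" * (2 * PAGE)
    print(scan_raw_image(image))  # {'pe_offsets': [4096], 'zero_fraction': 0.5}
```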
So, just to note, I believe the redline |
Hello,
I created a memory image using Redline (Memoryze) and it created a .dat file for memory acquisition. I was wondering if there's any way to analyze that memory dump using Volatility?
Appreciate your help.
Thanks