Crash Dumps, Hibernation, and Conversion

For a high level summary of the memory sample you're analyzing, use the imageinfo command. Most often this command is used to identify the operating system, service pack, and hardware architecture (32 or 64 bit), but it also reports other useful information such as the DTB address and the time the sample was collected.

$ python vol.py -f ~/Desktop/win7_trial_64bit.raw imageinfo
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer2 : FileAddressSpace (/Users/Michael/Desktop/win7_trial_64bit.raw)

The imageinfo output tells you the suggested profile that you should pass as the parameter to --profile=PROFILE when using other plugins. There may be more than one profile suggestion if the profiles are closely related (Windows 7 and Server 2008 R2 share a kernel, which is why both appear above). It also prints the address of the KDBG (short for _KDDEBUGGER_DATA64) structure that plugins like pslist and modules use to find the process and module list heads, respectively. In some cases, especially larger memory samples, there may be multiple KDBG structures. Similarly, if there are multiple processors, you'll see the KPCR address and CPU number for each one.

Plugins automatically scan for the KPCR and KDBG values when they need them. However, you can specify the values directly for any plugin by providing --kpcr=ADDRESS or --kdbg=ADDRESS. If a plugin returns no processes or obviously bogus output on a sample with several KDBG candidates, the one the scan picked is probably the wrong one; rerunning with an explicit --kdbg is the usual fix.
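The workflow described above (read the imageinfo summary, pick a profile, carry the KDBG or KPCR address over to the next plugin) is easy to get wrong by hand when several profiles and several KPCRs are listed. The following is an added example, not code from the Volatility project or from this page: it parses the "Label : value" lines that imageinfo prints, strips the trailing L that Volatility 2.x leaves on some addresses, and assembles the follow-up command line with --profile and --kdbg (falling back to --kpcr when no KDBG was reported). The sample output, the image path and the second CPU are constructed for illustration; the field labels follow the plugin's real output format.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of Volatility 2.x imageinfo output. Addresses, the image
# path and the second processor are made up; the "Label : value" layout and the
# field names are the ones the plugin prints.
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.4
Determining profile based on KDBG search...

          Suggested Profile(s) : Win7SP0x64, Win7SP1x64, Win2008R2SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/win7_trial_64bit.raw)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002803070
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff80002804d00L
                KPCR for CPU 1 : 0xfffff880009e7000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2012-02-22 11:29:02 UTC+0000
     Image local date and time : 2012-02-22 03:29:02 -0800
"""

# One "Label : value" line. The key stops at the first colon so that timestamps
# (which contain colons themselves) stay intact in the value.
LINE_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<value>\S.*?)\s*$")


def parse_imageinfo(text: str) -> Dict[str, str]:
    """Turn imageinfo's report into a label -> value dictionary.

    Banner lines without a colon ("Determining profile based on KDBG search...")
    are skipped; a label that appears twice keeps its last value.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            fields[match.group("key")] = match.group("value")
    return fields


def suggested_profiles(fields: Dict[str, str]) -> List[str]:
    """Split the comma-separated 'Suggested Profile(s)' value into a list."""
    raw = fields.get("Suggested Profile(s)", "")
    return [p.strip() for p in raw.split(",") if p.strip()]


def normalize_address(value: str) -> str:
    """Strip the Python 2 long suffix ('0x...L') and re-emit a clean hex literal."""
    return hex(int(value.strip().rstrip("L"), 16))


def kpcr_addresses(fields: Dict[str, str]) -> Dict[int, str]:
    """Collect the per-CPU KPCR addresses ('KPCR for CPU n' lines)."""
    out: Dict[int, str] = {}
    for key, value in fields.items():
        match = re.fullmatch(r"KPCR for CPU (\d+)", key)
        if match:
            out[int(match.group(1))] = normalize_address(value)
    return out


def build_plugin_command(fields: Dict[str, str], plugin: str, image_path: str,
                         profile: Optional[str] = None) -> List[str]:
    """Assemble 'python vol.py -f IMAGE --profile=P --kdbg=ADDR PLUGIN'.

    The first suggested profile is used unless the caller picks one of the
    others explicitly. --kdbg is preferred; if imageinfo reported no KDBG,
    the CPU 0 KPCR is passed via --kpcr instead so the plugin can still
    locate the debugger block from it.
    """
    profiles = suggested_profiles(fields)
    if not profiles:
        raise ValueError("imageinfo suggested no profile; choose one manually")
    chosen = profile or profiles[0]
    if chosen not in profiles:
        raise ValueError(f"{chosen!r} is not among the suggested profiles {profiles}")

    argv = ["python", "vol.py", "-f", image_path, f"--profile={chosen}"]
    if "KDBG" in fields:
        argv.append(f"--kdbg={normalize_address(fields['KDBG'])}")
    else:
        kpcrs = kpcr_addresses(fields)
        if 0 in kpcrs:
            argv.append(f"--kpcr={kpcrs[0]}")
    argv.append(plugin)
    return argv


if __name__ == "__main__":
    parsed = parse_imageinfo(SAMPLE_IMAGEINFO)
    print("profiles:", suggested_profiles(parsed))
    print("KPCRs:   ", kpcr_addresses(parsed))
    print(" ".join(build_plugin_command(parsed, "pslist", "/cases/win7_trial_64bit.raw")))
```

In practice you would feed the script the captured stdout of a real imageinfo run instead of SAMPLE_IMAGEINFO; the point of normalising the addresses is that the L suffix in the report is not accepted on the command line, and the point of keeping the whole profile list is that a wrong guess among closely related profiles is something you will want to retry without re-running imageinfo.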