
Guide for creating a Windows profile for Win10 19042?

Open swepeba opened this issue 5 years ago • 12 comments

Hi, I have read several guides explaining how to create Linux profiles to be used by Volatility, but I cannot find any guide for creating new Windows profiles. I know that there is a Python script (volatility/framework/symbols/windows/pdbconv.py) in Volatility3, but the output from that one differs from the vtypes file used by Volatility2.

Right now, I have a Windows 10 (19042) memory dump that is correctly identified and processed by Volatility3. I have tried to use the identified DTB value (from windows.info in Volatility3) together with the Win10x64_18362 profile in Volatility2, but most of the modules produce garbage output because of the wrong profile. Plist does work, but Pscan does not. Imageinfo in Volatility2 does not give any profile suggestion at all.

Anyone know how to create a profile for Windows 10 (19042)? Any kind of hint will be appreciated. I can try to create one and make it public, but need some intro first.

Thanks!

swepeba (Nov 05 '20 20:11)

There's a 19041 profile in the repo now, which should probably work for 19042, but let me know if it doesn't.

iMHLv2 (Dec 11 '20 14:12)

> Hi, I have read several guides explaining how to create Linux profiles to be used by Volatility, but I cannot find any guide for creating new Windows profiles. I know that there is a Python script (volatility/framework/symbols/windows/pdbconv.py) in Volatility3, but the output from that one differs from the vtypes file used by Volatility2.
>
> Right now, I have a Windows 10 (19042) memory dump that is correctly identified and processed by Volatility3. I have tried to use the identified DTB value (from windows.info in Volatility3) together with the Win10x64_18362 profile in Volatility2, but most of the modules produce garbage output because of the wrong profile. Plist does work, but Pscan does not. Imageinfo in Volatility2 does not give any profile suggestion at all.
>
> Anyone know how to create a profile for Windows 10 (19042)? Any kind of hint will be appreciated. I can try to create one and make it public, but need some intro first.
>
> Thanks!

Hi swepeba. I'm working on a methodology to create a Windows profile. Did you generate your own Windows 10 (19042) profile? Can you share your steps with me? Thanks for your help.

kidrek (Jan 20 '21 14:01)

@kidrek: My idea was to use the profile downloaded by Volatility 3 to get the values and then translate it to Volatility 2. I started to change the values in a clone of the 18362 profile. This is very time-consuming manual work, so I started to look inside the source code to get the values used by Pscan. That was not too hard, I thought, but it was not good enough. After spending several hours over several evenings I gave up. The updated profile for 19041 did not work. What methodology do you plan to use?

swepeba (Jan 21 '21 20:01)

@swepeba could you please elaborate on 'did not work', specifically could you answer these:

  1. Did you do a git pull of the latest master branch?

  2. You used --profile=Win10x64_19041 as the profile?

  3. Does pslist work with it still?

  4. Is psscan still broken?

  5. Have you tried any other plugins?

atcuno (Jan 22 '21 00:01)

Can someone help with Windows profile creation? Is there any tutorial to be found on the web? I think this is an important topic to help analysts worldwide analyse the most recent Windows memory dumps.

alb3rn4z (Feb 21 '21 18:02)

Hi,

@atcuno We tested the profile Win10x64_19041 on a Windows 10, 64-bit, build 19042, and it almost works. The plugins pslist and psscan work. However, some others seem broken (not all were tested):

  • hivelist result is empty, hence impossible to print a key or to run a plugin based on registry
  • psxview shows a lot of discrepancies for pslist/psscan (false/true and conversely) on legitimate processes
  • procdump with an offset from psxview fails for process with true/false or false/true on pslist/psscan

Is there a plan to create a profile for 19042?

certxlm (Apr 22 '21 09:04)

> Hi, I have read several guides explaining how to create Linux profiles to be used by Volatility, but I cannot find any guide for creating new Windows profiles. I know that there is a Python script (volatility/framework/symbols/windows/pdbconv.py) in Volatility3, but the output from that one differs from the vtypes file used by Volatility2. Right now, I have a Windows 10 (19042) memory dump that is correctly identified and processed by Volatility3. I have tried to use the identified DTB value (from windows.info in Volatility3) together with the Win10x64_18362 profile in Volatility2, but most of the modules produce garbage output because of the wrong profile. Plist does work, but Pscan does not. Imageinfo in Volatility2 does not give any profile suggestion at all. Anyone know how to create a profile for Windows 10 (19042)? Any kind of hint will be appreciated. I can try to create one and make it public, but need some intro first. Thanks!

> Hi swepeba. I'm working on a methodology to create a Windows profile. Did you generate your own Windows 10 (19042) profile? Can you share your steps with me? Thanks for your help.

Did you advance in this methodology? Please, give us some hope! :)

alb3rn4z (May 27 '21 04:05)

I also need help.

Y1ng0 (Sep 29 '21 07:09)

The process for creating a profile for Windows is as follows:

  1. taking ntoskrnl.exe from disk or moddump
  2. using pdbparse to generate vtypes

https://github.com/moyix/pdbparse

# fetch the PDB that matches this ntoskrnl.exe from the symbol server
symchk.py -e ntoskrnl.exe
# emit the structure definitions in Volatility 2 vtypes format
pdb_tpi_vtypes.py ntkrnlmp.pdb > dump.txt

dump.txt will contain the vtypes for Volatility.

  3. plugging in the vtypes into volatility

These steps are only effective if structure offsets change. If data enumeration algorithms change, or things of that nature, then the steps are obviously different, and you just need to approach that on a case-by-case basis.

Beercow (Oct 28 '21 02:10)

@Beercow: Wow, thanks a lot for the steps! It worked just great!

Remember to name the dump.txt to the build version you generate the vtypes from, e.g. win10_x64_19043_1348_vtypes.py. Then add the new profile to win10.py to get it to work.

I can see that there are some plugins, e.g. svcscan and timers, that include additional content for 19041, so be aware of the need for additional changes to some plugins when you create a new profile.

@atcuno and @Beercow: How do I verify the signature value (win10.py, line 91-) of a newly created profile to know if the code needs to be updated?

swepeba (Nov 16 '21 20:11)
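Beercow's steps above generate a vtypes module, and the note that they "are only effective if structure offsets change" is the part that decides whether a new build actually needs a new profile. The script below is an added example, not code from the Volatility or pdbparse projects: it loads two vtypes modules in the format pdb_tpi_vtypes.py emits (a dictionary mapping each structure name to its size and a member-to-offset map) and reports which structures grew, which members moved, and which were added or removed. The two embedded dictionaries are constructed samples with made-up sizes and offsets, only shaped like real ntkrnlmp_types output; the helper names (diff_vtypes, changed_structs, load_vtypes_module) and the assumption that the generated module exposes a top-level ntkrnlmp_types dict are the example's own.

```python
"""Compare two Volatility 2 vtypes modules and report layout changes.

Constructed example (not Volatility or pdbparse project code). The two
dictionaries below mimic the shape of the ntkrnlmp_types dict emitted by
pdb_tpi_vtypes.py; every size and offset in them is a made-up placeholder.
"""

# vtypes format: struct name -> [size, {member: [offset, type_spec]}]
OLD_BUILD_TYPES = {  # constructed "previous build" sample
    '_EPROCESS': [0x850, {
        'Pcb': [0x0, ['_KPROCESS']],
        'UniqueProcessId': [0x2e0, ['pointer64', ['void']]],
        'ActiveProcessLinks': [0x2e8, ['_LIST_ENTRY']],
        'ImageFileName': [0x450, ['array', 15, ['unsigned char']]],
    }],
    '_KPROCESS': [0x2d8, {
        'DirectoryTableBase': [0x28, ['unsigned long long']],
    }],
}

NEW_BUILD_TYPES = {  # constructed "new build" sample: _EPROCESS grew by 0x10
    '_EPROCESS': [0x860, {
        'Pcb': [0x0, ['_KPROCESS']],
        'UniqueProcessId': [0x2e8, ['pointer64', ['void']]],
        'ActiveProcessLinks': [0x2f0, ['_LIST_ENTRY']],
        'ImageFileName': [0x458, ['array', 15, ['unsigned char']]],
        'Cookie': [0x850, ['unsigned long']],
    }],
    '_KPROCESS': [0x2d8, {
        'DirectoryTableBase': [0x28, ['unsigned long long']],
    }],
}


def load_vtypes_module(path, symbol='ntkrnlmp_types'):
    """Execute a generated vtypes .py file and return its top-level dict.

    Assumes the file defines ntkrnlmp_types (the name pdbparse derives from
    the PDB); pass symbol= to override.
    """
    namespace = {}
    with open(path) as fh:
        exec(compile(fh.read(), path, 'exec'), namespace)
    return namespace[symbol]


def diff_vtypes(old, new):
    """Return a per-structure report of size and member-offset differences."""
    report = {}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report[name] = {'status': 'added'}
            continue
        if name not in new:
            report[name] = {'status': 'removed'}
            continue
        old_size, old_members = old[name]
        new_size, new_members = new[name]
        entry = {'status': 'unchanged', 'size': None,
                 'moved': {}, 'added': [], 'removed': []}
        if old_size != new_size:
            entry['size'] = (old_size, new_size)
        for member in sorted(set(old_members) | set(new_members)):
            if member not in old_members:
                entry['added'].append(member)
            elif member not in new_members:
                entry['removed'].append(member)
            elif old_members[member][0] != new_members[member][0]:
                # same member name, different offset: plugins reading it
                # with the old profile would parse the wrong bytes
                entry['moved'][member] = (old_members[member][0],
                                          new_members[member][0])
        if entry['size'] or entry['moved'] or entry['added'] or entry['removed']:
            entry['status'] = 'changed'
        report[name] = entry
    return report


def changed_structs(report):
    """Names of structures whose layout differs; non-empty means a new profile."""
    return sorted(n for n, e in report.items() if e['status'] != 'unchanged')


def format_report(report):
    """Render the diff as indented text for a quick manual review."""
    lines = []
    for name, e in report.items():
        if e['status'] in ('added', 'removed'):
            lines.append('%s: %s' % (name, e['status']))
        elif e['status'] == 'changed':
            if e['size']:
                lines.append('%s: size 0x%x -> 0x%x' % (name, e['size'][0], e['size'][1]))
            for member, (o, n) in sorted(e['moved'].items()):
                lines.append('  %s.%s: 0x%x -> 0x%x' % (name, member, o, n))
            for member in e['added']:
                lines.append('  %s.%s: new member' % (name, member))
            for member in e['removed']:
                lines.append('  %s.%s: removed' % (name, member))
    return '\n'.join(lines)


if __name__ == '__main__':
    import sys
    if len(sys.argv) == 3:  # usage: python vtypes_diff.py old_vtypes.py new_vtypes.py
        old, new = (load_vtypes_module(p) for p in sys.argv[1:])
    else:
        old, new = OLD_BUILD_TYPES, NEW_BUILD_TYPES
    print(format_report(diff_vtypes(old, new)))
```

Run it against the vtypes module already shipped for the closest existing profile and the dump.txt produced for the new build; an empty list from changed_structs means the new build only needs the profile class registered, while moved members in structures such as _EPROCESS explain the kind of breakage reported earlier in this thread (pslist walking a list at the right offset while a scanner or registry plugin reads stale ones).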

@swepeba I’ll have to look into that. I don’t think that was in there the last time I built a profile.

Beercow (Nov 17 '21 13:11)

Has anyone had an issue with ntoskrnl.exe? When I try to run it, it states that it cannot be run in Win32 mode. I have tried this on multiple 64-bit systems now, though, and I'm receiving the same error. I've played around with compatibility options but had no luck. I've also tried forcing a stop to running in 32-bit mode with CorFlags, but it states the file has no valid managed header.

smertin123 (Apr 11 '22 04:04)