some win 8 volatility output

By: a guest on Sep 16th, 2011  |  syntax: None  |  size: 12.38 KB  |  views: 162  |  expires: Never

$ python vol.py -f WIN8_32-20110915-160043.raw --profile=Win8M3x86 pslist
Volatile Systems Volatility Framework 2.1_alpha
 Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x8274aa00 System                    4      0     80 ------ 2011-09-15 06:31:31
0x83967040 smss.exe                232      4      2 ------ 2011-09-15 06:31:31
0x83fc2040 smss.exe                300    232      0 ------ 2011-09-15 06:31:32
0x83fde940 csrss.exe               316    300      8 ------ 2011-09-15 06:31:33
0x827fa780 smss.exe                372    232      0 ------ 2011-09-15 06:31:33
0x82808040 csrss.exe               380    372      9 ------ 2011-09-15 06:31:33
0x8279f640 wininit.exe             388    300      2 ------ 2011-09-15 06:31:33
0x827f45c0 winlogon.exe            416    372      3 ------ 2011-09-15 06:31:33
0x827cb040 services.exe            476    388      8 ------ 2011-09-15 06:31:34
0x827a2780 WerFault.exe            484    388      0 ------ 2011-09-15 06:31:34
0x83ffb580 lsass.exe               492    388      8 ------ 2011-09-15 06:31:34
0x840bc040 svchost.exe             608    476      7 ------ 2011-09-15 06:31:36
0x840c0d00 dwm.exe                 632    416      7 ------ 2011-09-15 06:31:36
0x840cf4c0 svchost.exe             660    476     11 ------ 2011-09-15 06:31:36
0x84084100 LogonUI.exe             760    416      0 ------ 2011-09-15 06:31:37
0x841664c0 svchost.exe             772    476     23 ------ 2011-09-15 06:31:37
0x8417d780 svchost.exe             800    476     23 ------ 2011-09-15 06:31:37
0x84190040 svchost.exe             816    476     26 ------ 2011-09-15 06:31:38
0x84191980 svchost.exe             832    476     42 ------ 2011-09-15 06:31:38
0x841e0040 svchost.exe            1096    476     19 ------ 2011-09-15 06:31:40
0x840d8040 spoolsv.exe            1264    476     11 ------ 2011-09-15 06:31:43
0x840d3ac0 svchost.exe            1296    476     24 ------ 2011-09-15 06:31:43
0x8423d3c0 MsMpEng.exe            1448    476     21 ------ 2011-09-15 06:31:45
0x84323a00 svchost.exe             604    476     15 ------ 2011-09-15 06:31:50
0x838af680 SearchIndexer.         2824    476     15 ------ 2011-09-15 06:33:47
0x829322c0 taskhost.exe           2556    476      9 ------ 2011-09-15 07:07:05
0x83819d00 explorer.exe           3488   3444     59 ------ 2011-09-15 15:42:40
0x8293d040 taskhost.exe           2256    476     13 ------ 2011-09-15 15:42:40
0x836d7500 taskhost.exe            100    476      4 ------ 2011-09-15 15:56:22
0x843e8900 iexplore.exe           2196   3488     17 ------ 2011-09-15 15:59:40
0x8407c140 iexplore.exe           2420   2196     24 ------ 2011-09-15 15:59:40
0x82957d00 SearchProtocol         4068   2824      9 ------ 2011-09-15 15:59:42
0x82933540 SearchFilterHo         4080   2824      8 ------ 2011-09-15 15:59:42
0x836916c0 cmd.exe                1508   3488      8 ------ 2011-09-15 16:00:24
0x8371eac0 conhost.exe            3504   1508      2 ------ 2011-09-15 16:00:24
0x83b2a240 audiodg.exe            3760    772      7 ------ 2011-09-15 16:00:41
0x83704d00 DumpIt.exe             3840   1508      2 ------ 2011-09-15 16:00:43
0x8366b7c0 conhost.exe            2688   3840      2 ------ 2011-09-15 16:00:43
0x836ae500 svchost.exe            2392   1448      1 ------ 2011-09-15 16:01:01


$ python vol.py -f WIN8_32-20110915-160043.raw --profile=Win8M3x86 dlllist
Volatile Systems Volatility Framework 2.1_alpha
************************************************************************
System pid:      4
Unable to read PEB for task.
************************************************************************
smss.exe pid:    232
Command line : \SystemRoot\System32\smss.exe


Base         Size         Path
0x00390000   0x017000     \SystemRoot\System32\smss.exe
0x77800000   0x15b000     C:\Windows\SYSTEM32\ntdll.dll
************************************************************************
smss.exe pid:    300
Unable to read PEB for task.
************************************************************************
csrss.exe pid:    316
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16


Base         Size         Path
0x01060000   0x005000     C:\Windows\system32\csrss.exe
0x77800000   0x15b000     C:\Windows\SYSTEM32\ntdll.dll
0x75080000   0x00d000     C:\Windows\system32\CSRSRV.dll
0x75070000   0x00e000     C:\Windows\system32\basesrv.DLL
0x75040000   0x030000     C:\Windows\system32\winsrv.DLL
0x75960000   0x11f000     C:\Windows\system32\USER32.dll
0x752b0000   0x0b6000     C:\Windows\SYSTEM32\kernelbase.dll
0x77710000   0x0ec000     C:\Windows\SYSTEM32\kernel32.dll
0x772d0000   0x057000     C:\Windows\system32\GDI32.dll
0x761c0000   0x00c000     C:\Windows\system32\LPK.dll
0x75560000   0x0ac000     C:\Windows\system32\USP10.dll
0x75b10000   0x0b1000     C:\Windows\system32\msvcrt.dll
0x75030000   0x00a000     C:\Windows\system32\sxssrv.DLL
0x74ef0000   0x09e000     C:\Windows\system32\sxs.dll
0x75650000   0x0aa000     C:\Windows\system32\RPCRT4.dll
0x74ee0000   0x009000     C:\Windows\system32\CRYPTBASE.dll
0x74e90000   0x04d000     C:\Windows\SYSTEM32\bcryptprimitives.dll
************************************************************************
smss.exe pid:    372
Unable to read PEB for task.
************************************************************************
csrss.exe pid:    380
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16


Base         Size         Path
0x01060000   0x005000     C:\Windows\system32\csrss.exe
0x77800000   0x15b000     C:\Windows\SYSTEM32\ntdll.dll
0x75080000   0x00d000     C:\Windows\system32\CSRSRV.dll
0x75070000   0x00e000     C:\Windows\system32\basesrv.DLL
0x75040000   0x030000     C:\Windows\system32\winsrv.DLL
0x75960000   0x11f000     C:\Windows\system32\USER32.dll
0x752b0000   0x0b6000     C:\Windows\SYSTEM32\kernelbase.dll
0x77710000   0x0ec000     C:\Windows\SYSTEM32\kernel32.dll
0x772d0000   0x057000     C:\Windows\system32\GDI32.dll
0x761c0000   0x00c000     C:\Windows\system32\LPK.dll
0x75560000   0x0ac000     C:\Windows\system32\USP10.dll
0x75b10000   0x0b1000     C:\Windows\system32\msvcrt.dll
0x75030000   0x00a000     C:\Windows\system32\sxssrv.DLL
0x74ef0000   0x09e000     C:\Windows\system32\sxs.dll
0x75650000   0x0aa000     C:\Windows\system32\RPCRT4.dll
0x74ee0000   0x009000     C:\Windows\system32\CRYPTBASE.dll
0x74e90000   0x04d000     C:\Windows\SYSTEM32\bcryptprimitives.dll
************************************************************************


[snip]


$ python vol.py -f WIN8_32-20110915-160043.raw --profile=Win8M3x86 userassist

[snip]

REG_BINARY    %windir%\system32\cmd.exe :
Count:          2
Focus Count:    5
Time Focused:   0:07:34.501000
Last updated:   2011-09-15 16:00:24
0x00000000  00 00 00 00 02 00 00 00 05 00 00 00 71 ed 06 00   ............q...
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 50 0f 69 94   ............P.i.
0x00000040  c0 73 cc 01 00 00 00 00                           .s......

REG_BINARY    DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default :
Count:          1
Focus Count:    0
Time Focused:   0:00:00.500000
Last updated:   2011-09-15 15:50:42
0x00000000  00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff a0 68 a3 39   .............h.9
0x00000040  bf 73 cc 01 00 00 00 00                           .s......

REG_BINARY    Microsoft.Windows.ControlPanel :
Count:          0
Focus Count:    1
Time Focused:   0:00:15.625000
Last updated:   1970-01-01 00:00:00
0x00000000  00 00 00 00 00 00 00 00 01 00 00 00 15 3b 00 00   .............;..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00   ................
0x00000040  00 00 00 00 00 00 00 00                           ........

REG_BINARY    Microsoft.InternetExplorer.Default :
Count:          2
Focus Count:    8
Time Focused:   0:03:34.108000
Last updated:   2011-09-15 15:59:40
0x00000000  00 00 00 00 02 00 00 00 08 00 00 00 68 42 03 00   ............hB..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 90 55 43 7a   .............UCz
0x00000040  c0 73 cc 01 00 00 00 00                           .s......

REG_BINARY    C:\Users\brendandg\Desktop\WinSCP.exe :
Count:          1
Focus Count:    3
Time Focused:   0:01:31.328000
Last updated:   2011-09-15 15:52:36
0x00000000  00 00 00 00 01 00 00 00 03 00 00 00 cc 62 01 00   .............b..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 90 9e 34 7d   ..............4}
0x00000040  bf 73 cc 01 00 00 00 00                           .s......

REG_BINARY    %windir%\system32\taskhost.exe :
Count:          0
Focus Count:    1
Time Focused:   0:00:12.125000
Last updated:   1970-01-01 00:00:00
0x00000000  00 00 00 00 00 00 00 00 01 00 00 00 69 2d 00 00   ............i-..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00   ................
0x00000040  00 00 00 00 00 00 00 00                           ........

REG_BINARY    C:\Users\brendandg\Downloads\DumpIt\DumpIt.exe :
Count:          0
Focus Count:    1
Time Focused:   0:00:00.500000
Last updated:   1970-01-01 00:00:00
0x00000000  00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00   ................
0x00000040  00 00 00 00 00 00 00 00                           ........
----------------------------
Registry: \??\C:\Users\brendandg\ntuser.dat
Key name: Count
Last updated: 2011-09-15 15:59:40

Subkeys:

Values:

REG_BINARY    UEME_CTLCUACount:ctor :
Count:          0
Focus Count:    0
Time Focused:   0:00:00.500000
Last updated:   1970-01-01 00:00:00
0x00000000  ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00   ................
0x00000040  00 00 00 00 00 00 00 00                           ........

REG_BINARY    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk :
Count:          1
Focus Count:    0
Time Focused:   0:00:00.501000
Last updated:   2011-09-15 15:50:42
0x00000000  00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff a0 68 a3 39   .............h.9
0x00000040  bf 73 cc 01 00 00 00 00                           .s......

[snip]