$ python vol.py -f WIN8_32-20110915-160043.raw --profile=Win8M3x86 pslist
Volatile Systems Volatility Framework 2.1_alpha
 Offset(V)  Name                 PID    PPID   Thds   Hnds   Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x8274aa00 System                    4      0     80 ------ 2011-09-15 06:31:31
0x83967040 smss.exe                232      4      2 ------ 2011-09-15 06:31:31
0x83fc2040 smss.exe                300    232      0 ------ 2011-09-15 06:31:32
0x83fde940 csrss.exe               316    300      8 ------ 2011-09-15 06:31:33
0x827fa780 smss.exe                372    232      0 ------ 2011-09-15 06:31:33
0x82808040 csrss.exe               380    372      9 ------ 2011-09-15 06:31:33
0x8279f640 wininit.exe             388    300      2 ------ 2011-09-15 06:31:33
0x827f45c0 winlogon.exe            416    372      3 ------ 2011-09-15 06:31:33
0x827cb040 services.exe            476    388      8 ------ 2011-09-15 06:31:34
0x827a2780 WerFault.exe            484    388      0 ------ 2011-09-15 06:31:34
0x83ffb580 lsass.exe               492    388      8 ------ 2011-09-15 06:31:34
0x840bc040 svchost.exe             608    476      7 ------ 2011-09-15 06:31:36
0x840c0d00 dwm.exe                 632    416      7 ------ 2011-09-15 06:31:36
0x840cf4c0 svchost.exe             660    476     11 ------ 2011-09-15 06:31:36
0x84084100 LogonUI.exe             760    416      0 ------ 2011-09-15 06:31:37
0x841664c0 svchost.exe             772    476     23 ------ 2011-09-15 06:31:37
0x8417d780 svchost.exe             800    476     23 ------ 2011-09-15 06:31:37
0x84190040 svchost.exe             816    476     26 ------ 2011-09-15 06:31:38
0x84191980 svchost.exe             832    476     42 ------ 2011-09-15 06:31:38
0x841e0040 svchost.exe            1096    476     19 ------ 2011-09-15 06:31:40
0x840d8040 spoolsv.exe            1264    476     11 ------ 2011-09-15 06:31:43
0x840d3ac0 svchost.exe            1296    476     24 ------ 2011-09-15 06:31:43
0x8423d3c0 MsMpEng.exe            1448    476     21 ------ 2011-09-15 06:31:45
0x84323a00 svchost.exe             604    476     15 ------ 2011-09-15 06:31:50
0x838af680 SearchIndexer.         2824    476     15 ------ 2011-09-15 06:33:47
0x829322c0 taskhost.exe           2556    476      9 ------ 2011-09-15 07:07:05
0x83819d00 explorer.exe           3488   3444     59 ------ 2011-09-15 15:42:40
0x8293d040 taskhost.exe           2256    476     13 ------ 2011-09-15 15:42:40
0x836d7500 taskhost.exe            100    476      4 ------ 2011-09-15 15:56:22
0x843e8900 iexplore.exe           2196   3488     17 ------ 2011-09-15 15:59:40
0x8407c140 iexplore.exe           2420   2196     24 ------ 2011-09-15 15:59:40
0x82957d00 SearchProtocol         4068   2824      9 ------ 2011-09-15 15:59:42
0x82933540 SearchFilterHo         4080   2824      8 ------ 2011-09-15 15:59:42
0x836916c0 cmd.exe                1508   3488      8 ------ 2011-09-15 16:00:24
0x8371eac0 conhost.exe            3504   1508      2 ------ 2011-09-15 16:00:24
0x83b2a240 audiodg.exe            3760    772      7 ------ 2011-09-15 16:00:41
0x83704d00 DumpIt.exe             3840   1508      2 ------ 2011-09-15 16:00:43
0x8366b7c0 conhost.exe            2688   3840      2 ------ 2011-09-15 16:00:43
0x836ae500 svchost.exe            2392   1448      1 ------ 2011-09-15 16:01:01


$ python vol.py -f WIN8_32-20110915-160043.raw --profile=Win8M3x86 dlllist
Volatile Systems Volatility Framework 2.1_alpha
************************************************************************
System pid:      4
Unable to read PEB for task.
************************************************************************
smss.exe pid:    232
Command line : \SystemRoot\System32\smss.exe


Base         Size         Path
0x00390000   0x017000     \SystemRoot\System32\smss.exe
0x77800000   0x15b000     C:\Windows\SYSTEM32\ntdll.dll
************************************************************************
smss.exe pid:    300
Unable to read PEB for task.
************************************************************************
csrss.exe pid:    316
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16


Base         Size         Path
0x01060000   0x005000     C:\Windows\system32\csrss.exe
0x77800000   0x15b000     C:\Windows\SYSTEM32\ntdll.dll
0x75080000   0x00d000     C:\Windows\system32\CSRSRV.dll
0x75070000   0x00e000     C:\Windows\system32\basesrv.DLL
0x75040000   0x030000     C:\Windows\system32\winsrv.DLL
0x75960000   0x11f000     C:\Windows\system32\USER32.dll
0x752b0000   0x0b6000     C:\Windows\SYSTEM32\kernelbase.dll
0x77710000   0x0ec000     C:\Windows\SYSTEM32\kernel32.dll
0x772d0000   0x057000     C:\Windows\system32\GDI32.dll
0x761c0000   0x00c000     C:\Windows\system32\LPK.dll
0x75560000   0x0ac000     C:\Windows\system32\USP10.dll
0x75b10000   0x0b1000     C:\Windows\system32\msvcrt.dll
0x75030000   0x00a000     C:\Windows\system32\sxssrv.DLL
0x74ef0000   0x09e000     C:\Windows\system32\sxs.dll
0x75650000   0x0aa000     C:\Windows\system32\RPCRT4.dll
0x74ee0000   0x009000     C:\Windows\system32\CRYPTBASE.dll
0x74e90000   0x04d000     C:\Windows\SYSTEM32\bcryptprimitives.dll
************************************************************************
smss.exe pid:    372
Unable to read PEB for task.
************************************************************************
csrss.exe pid:    380
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16


Base         Size         Path
0x01060000   0x005000     C:\Windows\system32\csrss.exe
0x77800000   0x15b000     C:\Windows\SYSTEM32\ntdll.dll
0x75080000   0x00d000     C:\Windows\system32\CSRSRV.dll
0x75070000   0x00e000     C:\Windows\system32\basesrv.DLL
0x75040000   0x030000     C:\Windows\system32\winsrv.DLL
0x75960000   0x11f000     C:\Windows\system32\USER32.dll
0x752b0000   0x0b6000     C:\Windows\SYSTEM32\kernelbase.dll
0x77710000   0x0ec000     C:\Windows\SYSTEM32\kernel32.dll
0x772d0000   0x057000     C:\Windows\system32\GDI32.dll
0x761c0000   0x00c000     C:\Windows\system32\LPK.dll
0x75560000   0x0ac000     C:\Windows\system32\USP10.dll
0x75b10000   0x0b1000     C:\Windows\system32\msvcrt.dll
0x75030000   0x00a000     C:\Windows\system32\sxssrv.DLL
0x74ef0000   0x09e000     C:\Windows\system32\sxs.dll
0x75650000   0x0aa000     C:\Windows\system32\RPCRT4.dll
0x74ee0000   0x009000     C:\Windows\system32\CRYPTBASE.dll
0x74e90000   0x04d000     C:\Windows\SYSTEM32\bcryptprimitives.dll
************************************************************************


[snip]


$ python vol.py -f WIN8_32-20110915-160043.raw --profile=Win8M3x86 userassist

[snip]

REG_BINARY    %windir%\system32\cmd.exe :
Count:          2
Focus Count:    5
Time Focused:   0:07:34.501000
Last updated:   2011-09-15 16:00:24
0x00000000  00 00 00 00 02 00 00 00 05 00 00 00 71 ed 06 00   ............q...
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 50 0f 69 94   ............P.i.
0x00000040  c0 73 cc 01 00 00 00 00                           .s......

REG_BINARY    DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default :
Count:          1
Focus Count:    0
Time Focused:   0:00:00.500000
Last updated:   2011-09-15 15:50:42
0x00000000  00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff a0 68 a3 39   .............h.9
0x00000040  bf 73 cc 01 00 00 00 00                           .s......

REG_BINARY    Microsoft.Windows.ControlPanel :
Count:          0
Focus Count:    1
Time Focused:   0:00:15.625000
Last updated:   1970-01-01 00:00:00
0x00000000  00 00 00 00 00 00 00 00 01 00 00 00 15 3b 00 00   .............;..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00   ................
0x00000040  00 00 00 00 00 00 00 00                           ........

REG_BINARY    Microsoft.InternetExplorer.Default :
Count:          2
Focus Count:    8
Time Focused:   0:03:34.108000
Last updated:   2011-09-15 15:59:40
0x00000000  00 00 00 00 02 00 00 00 08 00 00 00 68 42 03 00   ............hB..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 90 55 43 7a   .............UCz
0x00000040  c0 73 cc 01 00 00 00 00                           .s......

REG_BINARY    C:\Users\brendandg\Desktop\WinSCP.exe :
Count:          1
Focus Count:    3
Time Focused:   0:01:31.328000
Last updated:   2011-09-15 15:52:36
0x00000000  00 00 00 00 01 00 00 00 03 00 00 00 cc 62 01 00   .............b..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 90 9e 34 7d   ..............4}
0x00000040  bf 73 cc 01 00 00 00 00                           .s......

REG_BINARY    %windir%\system32\taskhost.exe :
Count:          0
Focus Count:    1
Time Focused:   0:00:12.125000
Last updated:   1970-01-01 00:00:00
0x00000000  00 00 00 00 00 00 00 00 01 00 00 00 69 2d 00 00   ............i-..
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00   ................
0x00000040  00 00 00 00 00 00 00 00                           ........

REG_BINARY    C:\Users\brendandg\Downloads\DumpIt\DumpIt.exe :
Count:          0
Focus Count:    1
Time Focused:   0:00:00.500000
Last updated:   1970-01-01 00:00:00
0x00000000  00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00   ................
0x00000040  00 00 00 00 00 00 00 00                           ........
----------------------------
Registry: \??\C:\Users\brendandg\ntuser.dat
Key name: Count
Last updated: 2011-09-15 15:59:40

Subkeys:

Values:

REG_BINARY    UEME_CTLCUACount:ctor :
Count:          0
Focus Count:    0
Time Focused:   0:00:00.500000
Last updated:   1970-01-01 00:00:00
0x00000000  ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00   ................
0x00000040  00 00 00 00 00 00 00 00                           ........

REG_BINARY    %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk :
Count:          1
Focus Count:    0
Time Focused:   0:00:00.501000
Last updated:   2011-09-15 15:50:42
0x00000000  00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00   ................
0x00000010  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000020  00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf   ................
0x00000030  00 00 80 bf 00 00 80 bf ff ff ff ff a0 68 a3 39   .............h.9
0x00000040  bf 73 cc 01 00 00 00 00                           .s......

[snip]