$ python vol.py -f WIN8_32-20110915-160043.raw --profile=Win8M3x86 pslist
Volatile Systems Volatility Framework 2.1_alpha
Offset(V)  Name                    PID   PPID   Thds   Hnds Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x8274aa00 System                    4      0     80 ------ 2011-09-15 06:31:31
0x83967040 smss.exe                232      4      2 ------ 2011-09-15 06:31:31
0x83fc2040 smss.exe                300    232      0 ------ 2011-09-15 06:31:32
0x83fde940 csrss.exe               316    300      8 ------ 2011-09-15 06:31:33
0x827fa780 smss.exe                372    232      0 ------ 2011-09-15 06:31:33
0x82808040 csrss.exe               380    372      9 ------ 2011-09-15 06:31:33
0x8279f640 wininit.exe             388    300      2 ------ 2011-09-15 06:31:33
0x827f45c0 winlogon.exe            416    372      3 ------ 2011-09-15 06:31:33
0x827cb040 services.exe            476    388      8 ------ 2011-09-15 06:31:34
0x827a2780 WerFault.exe            484    388      0 ------ 2011-09-15 06:31:34
0x83ffb580 lsass.exe               492    388      8 ------ 2011-09-15 06:31:34
0x840bc040 svchost.exe             608    476      7 ------ 2011-09-15 06:31:36
0x840c0d00 dwm.exe                 632    416      7 ------ 2011-09-15 06:31:36
0x840cf4c0 svchost.exe             660    476     11 ------ 2011-09-15 06:31:36
0x84084100 LogonUI.exe             760    416      0 ------ 2011-09-15 06:31:37
0x841664c0 svchost.exe             772    476     23 ------ 2011-09-15 06:31:37
0x8417d780 svchost.exe             800    476     23 ------ 2011-09-15 06:31:37
0x84190040 svchost.exe             816    476     26 ------ 2011-09-15 06:31:38
0x84191980 svchost.exe             832    476     42 ------ 2011-09-15 06:31:38
0x841e0040 svchost.exe            1096    476     19 ------ 2011-09-15 06:31:40
0x840d8040 spoolsv.exe            1264    476     11 ------ 2011-09-15 06:31:43
0x840d3ac0 svchost.exe            1296    476     24 ------ 2011-09-15 06:31:43
0x8423d3c0 MsMpEng.exe            1448    476     21 ------ 2011-09-15 06:31:45
0x84323a00 svchost.exe             604    476     15 ------ 2011-09-15 06:31:50
0x838af680 SearchIndexer.         2824    476     15 ------ 2011-09-15 06:33:47
0x829322c0 taskhost.exe           2556    476      9 ------ 2011-09-15 07:07:05
0x83819d00 explorer.exe           3488   3444     59 ------ 2011-09-15 15:42:40
0x8293d040 taskhost.exe           2256    476     13 ------ 2011-09-15 15:42:40
0x836d7500 taskhost.exe            100    476      4 ------ 2011-09-15 15:56:22
0x843e8900 iexplore.exe           2196   3488     17 ------ 2011-09-15 15:59:40
0x8407c140 iexplore.exe           2420   2196     24 ------ 2011-09-15 15:59:40
0x82957d00 SearchProtocol         4068   2824      9 ------ 2011-09-15 15:59:42
0x82933540 SearchFilterHo         4080   2824      8 ------ 2011-09-15 15:59:42
0x836916c0 cmd.exe                1508   3488      8 ------ 2011-09-15 16:00:24
0x8371eac0 conhost.exe            3504   1508      2 ------ 2011-09-15 16:00:24
0x83b2a240 audiodg.exe            3760    772      7 ------ 2011-09-15 16:00:41
0x83704d00 DumpIt.exe             3840   1508      2 ------ 2011-09-15 16:00:43
0x8366b7c0 conhost.exe            2688   3840      2 ------ 2011-09-15 16:00:43
0x836ae500 svchost.exe            2392   1448      1 ------ 2011-09-15 16:01:01
$ python vol.py -f WIN8_32-20110915-160043.raw --profile=Win8M3x86 dlllist
Volatile Systems Volatility Framework 2.1_alpha
************************************************************************
System pid: 4
Unable to read PEB for task.
************************************************************************
smss.exe pid: 232
Command line : \SystemRoot\System32\smss.exe
Base       Size     Path
0x00390000 0x017000 \SystemRoot\System32\smss.exe
0x77800000 0x15b000 C:\Windows\SYSTEM32\ntdll.dll
************************************************************************
smss.exe pid: 300
Unable to read PEB for task.
************************************************************************
csrss.exe pid: 316
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Base       Size     Path
0x01060000 0x005000 C:\Windows\system32\csrss.exe
0x77800000 0x15b000 C:\Windows\SYSTEM32\ntdll.dll
0x75080000 0x00d000 C:\Windows\system32\CSRSRV.dll
0x75070000 0x00e000 C:\Windows\system32\basesrv.DLL
0x75040000 0x030000 C:\Windows\system32\winsrv.DLL
0x75960000 0x11f000 C:\Windows\system32\USER32.dll
0x752b0000 0x0b6000 C:\Windows\SYSTEM32\kernelbase.dll
0x77710000 0x0ec000 C:\Windows\SYSTEM32\kernel32.dll
0x772d0000 0x057000 C:\Windows\system32\GDI32.dll
0x761c0000 0x00c000 C:\Windows\system32\LPK.dll
0x75560000 0x0ac000 C:\Windows\system32\USP10.dll
0x75b10000 0x0b1000 C:\Windows\system32\msvcrt.dll
0x75030000 0x00a000 C:\Windows\system32\sxssrv.DLL
0x74ef0000 0x09e000 C:\Windows\system32\sxs.dll
0x75650000 0x0aa000 C:\Windows\system32\RPCRT4.dll
0x74ee0000 0x009000 C:\Windows\system32\CRYPTBASE.dll
0x74e90000 0x04d000 C:\Windows\SYSTEM32\bcryptprimitives.dll
************************************************************************
smss.exe pid: 372
Unable to read PEB for task.
************************************************************************
csrss.exe pid: 380
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Base       Size     Path
0x01060000 0x005000 C:\Windows\system32\csrss.exe
0x77800000 0x15b000 C:\Windows\SYSTEM32\ntdll.dll
0x75080000 0x00d000 C:\Windows\system32\CSRSRV.dll
0x75070000 0x00e000 C:\Windows\system32\basesrv.DLL
0x75040000 0x030000 C:\Windows\system32\winsrv.DLL
0x75960000 0x11f000 C:\Windows\system32\USER32.dll
0x752b0000 0x0b6000 C:\Windows\SYSTEM32\kernelbase.dll
0x77710000 0x0ec000 C:\Windows\SYSTEM32\kernel32.dll
0x772d0000 0x057000 C:\Windows\system32\GDI32.dll
0x761c0000 0x00c000 C:\Windows\system32\LPK.dll
0x75560000 0x0ac000 C:\Windows\system32\USP10.dll
0x75b10000 0x0b1000 C:\Windows\system32\msvcrt.dll
0x75030000 0x00a000 C:\Windows\system32\sxssrv.DLL
0x74ef0000 0x09e000 C:\Windows\system32\sxs.dll
0x75650000 0x0aa000 C:\Windows\system32\RPCRT4.dll
0x74ee0000 0x009000 C:\Windows\system32\CRYPTBASE.dll
0x74e90000 0x04d000 C:\Windows\SYSTEM32\bcryptprimitives.dll
************************************************************************
[snip]
$ python vol.py -f WIN8_32-20110915-160043.raw --profile=Win8M3x86 userassist
[snip]
REG_BINARY %windir%\system32\cmd.exe :
Count: 2
Focus Count: 5
Time Focused: 0:07:34.501000
Last updated: 2011-09-15 16:00:24
0x00000000 00 00 00 00 02 00 00 00 05 00 00 00 71 ed 06 00 ............q...
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 50 0f 69 94 ............P.i.
0x00000040 c0 73 cc 01 00 00 00 00 .s......
REG_BINARY DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default :
Count: 1
Focus Count: 0
Time Focused: 0:00:00.500000
Last updated: 2011-09-15 15:50:42
0x00000000 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff a0 68 a3 39 .............h.9
0x00000040 bf 73 cc 01 00 00 00 00 .s......
REG_BINARY Microsoft.Windows.ControlPanel :
Count: 0
Focus Count: 1
Time Focused: 0:00:15.625000
Last updated: 1970-01-01 00:00:00
0x00000000 00 00 00 00 00 00 00 00 01 00 00 00 15 3b 00 00 .............;..
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00 ................
0x00000040 00 00 00 00 00 00 00 00 ........
REG_BINARY Microsoft.InternetExplorer.Default :
Count: 2
Focus Count: 8
Time Focused: 0:03:34.108000
Last updated: 2011-09-15 15:59:40
0x00000000 00 00 00 00 02 00 00 00 08 00 00 00 68 42 03 00 ............hB..
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 90 55 43 7a .............UCz
0x00000040 c0 73 cc 01 00 00 00 00 .s......
REG_BINARY C:\Users\brendandg\Desktop\WinSCP.exe :
Count: 1
Focus Count: 3
Time Focused: 0:01:31.328000
Last updated: 2011-09-15 15:52:36
0x00000000 00 00 00 00 01 00 00 00 03 00 00 00 cc 62 01 00 .............b..
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 90 9e 34 7d ..............4}
0x00000040 bf 73 cc 01 00 00 00 00 .s......
REG_BINARY %windir%\system32\taskhost.exe :
Count: 0
Focus Count: 1
Time Focused: 0:00:12.125000
Last updated: 1970-01-01 00:00:00
0x00000000 00 00 00 00 00 00 00 00 01 00 00 00 69 2d 00 00 ............i-..
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00 ................
0x00000040 00 00 00 00 00 00 00 00 ........
REG_BINARY C:\Users\brendandg\Downloads\DumpIt\DumpIt.exe :
Count: 0
Focus Count: 1
Time Focused: 0:00:00.500000
Last updated: 1970-01-01 00:00:00
0x00000000 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00 ................
0x00000040 00 00 00 00 00 00 00 00 ........
----------------------------
Registry: \??\C:\Users\brendandg\ntuser.dat
Key name: Count
Last updated: 2011-09-15 15:59:40
Subkeys:
Values:
REG_BINARY UEME_CTLCUACount:ctor :
Count: 0
Focus Count: 0
Time Focused: 0:00:00.500000
Last updated: 1970-01-01 00:00:00
0x00000000 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00 ................
0x00000040 00 00 00 00 00 00 00 00 ........
REG_BINARY %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk :
Count: 1
Focus Count: 0
Time Focused: 0:00:00.501000
Last updated: 2011-09-15 15:50:42
0x00000000 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff a0 68 a3 39 .............h.9
0x00000040 bf 73 cc 01 00 00 00 00 .s......
[snip]