some win 8 volatility output

a guest
Sep 16th, 2011

$ python vol.py -f WIN8_32-20110915-160043.raw --profile=Win8M3x86 pslist
Volatile Systems Volatility Framework 2.1_alpha
Offset(V)  Name                    PID   PPID   Thds   Hnds Time
---------- -------------------- ------ ------ ------ ------ -------------------
0x8274aa00 System                    4      0     80 ------ 2011-09-15 06:31:31
0x83967040 smss.exe                232      4      2 ------ 2011-09-15 06:31:31
0x83fc2040 smss.exe                300    232      0 ------ 2011-09-15 06:31:32
0x83fde940 csrss.exe               316    300      8 ------ 2011-09-15 06:31:33
0x827fa780 smss.exe                372    232      0 ------ 2011-09-15 06:31:33
0x82808040 csrss.exe               380    372      9 ------ 2011-09-15 06:31:33
0x8279f640 wininit.exe             388    300      2 ------ 2011-09-15 06:31:33
0x827f45c0 winlogon.exe            416    372      3 ------ 2011-09-15 06:31:33
0x827cb040 services.exe            476    388      8 ------ 2011-09-15 06:31:34
0x827a2780 WerFault.exe            484    388      0 ------ 2011-09-15 06:31:34
0x83ffb580 lsass.exe               492    388      8 ------ 2011-09-15 06:31:34
0x840bc040 svchost.exe             608    476      7 ------ 2011-09-15 06:31:36
0x840c0d00 dwm.exe                 632    416      7 ------ 2011-09-15 06:31:36
0x840cf4c0 svchost.exe             660    476     11 ------ 2011-09-15 06:31:36
0x84084100 LogonUI.exe             760    416      0 ------ 2011-09-15 06:31:37
0x841664c0 svchost.exe             772    476     23 ------ 2011-09-15 06:31:37
0x8417d780 svchost.exe             800    476     23 ------ 2011-09-15 06:31:37
0x84190040 svchost.exe             816    476     26 ------ 2011-09-15 06:31:38
0x84191980 svchost.exe             832    476     42 ------ 2011-09-15 06:31:38
0x841e0040 svchost.exe            1096    476     19 ------ 2011-09-15 06:31:40
0x840d8040 spoolsv.exe            1264    476     11 ------ 2011-09-15 06:31:43
0x840d3ac0 svchost.exe            1296    476     24 ------ 2011-09-15 06:31:43
0x8423d3c0 MsMpEng.exe            1448    476     21 ------ 2011-09-15 06:31:45
0x84323a00 svchost.exe             604    476     15 ------ 2011-09-15 06:31:50
0x838af680 SearchIndexer.         2824    476     15 ------ 2011-09-15 06:33:47
0x829322c0 taskhost.exe           2556    476      9 ------ 2011-09-15 07:07:05
0x83819d00 explorer.exe           3488   3444     59 ------ 2011-09-15 15:42:40
0x8293d040 taskhost.exe           2256    476     13 ------ 2011-09-15 15:42:40
0x836d7500 taskhost.exe            100    476      4 ------ 2011-09-15 15:56:22
0x843e8900 iexplore.exe           2196   3488     17 ------ 2011-09-15 15:59:40
0x8407c140 iexplore.exe           2420   2196     24 ------ 2011-09-15 15:59:40
0x82957d00 SearchProtocol         4068   2824      9 ------ 2011-09-15 15:59:42
0x82933540 SearchFilterHo         4080   2824      8 ------ 2011-09-15 15:59:42
0x836916c0 cmd.exe                1508   3488      8 ------ 2011-09-15 16:00:24
0x8371eac0 conhost.exe            3504   1508      2 ------ 2011-09-15 16:00:24
0x83b2a240 audiodg.exe            3760    772      7 ------ 2011-09-15 16:00:41
0x83704d00 DumpIt.exe             3840   1508      2 ------ 2011-09-15 16:00:43
0x8366b7c0 conhost.exe            2688   3840      2 ------ 2011-09-15 16:00:43
0x836ae500 svchost.exe            2392   1448      1 ------ 2011-09-15 16:01:01


$ python vol.py -f WIN8_32-20110915-160043.raw --profile=Win8M3x86 dlllist
Volatile Systems Volatility Framework 2.1_alpha
************************************************************************
System pid: 4
Unable to read PEB for task.
************************************************************************
smss.exe pid: 232
Command line : \SystemRoot\System32\smss.exe


Base       Size     Path
0x00390000 0x017000 \SystemRoot\System32\smss.exe
0x77800000 0x15b000 C:\Windows\SYSTEM32\ntdll.dll
************************************************************************
smss.exe pid: 300
Unable to read PEB for task.
************************************************************************
csrss.exe pid: 316
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16


Base       Size     Path
0x01060000 0x005000 C:\Windows\system32\csrss.exe
0x77800000 0x15b000 C:\Windows\SYSTEM32\ntdll.dll
0x75080000 0x00d000 C:\Windows\system32\CSRSRV.dll
0x75070000 0x00e000 C:\Windows\system32\basesrv.DLL
0x75040000 0x030000 C:\Windows\system32\winsrv.DLL
0x75960000 0x11f000 C:\Windows\system32\USER32.dll
0x752b0000 0x0b6000 C:\Windows\SYSTEM32\kernelbase.dll
0x77710000 0x0ec000 C:\Windows\SYSTEM32\kernel32.dll
0x772d0000 0x057000 C:\Windows\system32\GDI32.dll
0x761c0000 0x00c000 C:\Windows\system32\LPK.dll
0x75560000 0x0ac000 C:\Windows\system32\USP10.dll
0x75b10000 0x0b1000 C:\Windows\system32\msvcrt.dll
0x75030000 0x00a000 C:\Windows\system32\sxssrv.DLL
0x74ef0000 0x09e000 C:\Windows\system32\sxs.dll
0x75650000 0x0aa000 C:\Windows\system32\RPCRT4.dll
0x74ee0000 0x009000 C:\Windows\system32\CRYPTBASE.dll
0x74e90000 0x04d000 C:\Windows\SYSTEM32\bcryptprimitives.dll
************************************************************************
smss.exe pid: 372
Unable to read PEB for task.
************************************************************************
csrss.exe pid: 380
Command line : %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16


Base       Size     Path
0x01060000 0x005000 C:\Windows\system32\csrss.exe
0x77800000 0x15b000 C:\Windows\SYSTEM32\ntdll.dll
0x75080000 0x00d000 C:\Windows\system32\CSRSRV.dll
0x75070000 0x00e000 C:\Windows\system32\basesrv.DLL
0x75040000 0x030000 C:\Windows\system32\winsrv.DLL
0x75960000 0x11f000 C:\Windows\system32\USER32.dll
0x752b0000 0x0b6000 C:\Windows\SYSTEM32\kernelbase.dll
0x77710000 0x0ec000 C:\Windows\SYSTEM32\kernel32.dll
0x772d0000 0x057000 C:\Windows\system32\GDI32.dll
0x761c0000 0x00c000 C:\Windows\system32\LPK.dll
0x75560000 0x0ac000 C:\Windows\system32\USP10.dll
0x75b10000 0x0b1000 C:\Windows\system32\msvcrt.dll
0x75030000 0x00a000 C:\Windows\system32\sxssrv.DLL
0x74ef0000 0x09e000 C:\Windows\system32\sxs.dll
0x75650000 0x0aa000 C:\Windows\system32\RPCRT4.dll
0x74ee0000 0x009000 C:\Windows\system32\CRYPTBASE.dll
0x74e90000 0x04d000 C:\Windows\SYSTEM32\bcryptprimitives.dll
************************************************************************


[snip]


$ python vol.py -f WIN8_32-20110915-160043.raw --profile=Win8M3x86 userassist

[snip]

REG_BINARY %windir%\system32\cmd.exe :
Count: 2
Focus Count: 5
Time Focused: 0:07:34.501000
Last updated: 2011-09-15 16:00:24
0x00000000 00 00 00 00 02 00 00 00 05 00 00 00 71 ed 06 00 ............q...
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 50 0f 69 94 ............P.i.
0x00000040 c0 73 cc 01 00 00 00 00 .s......

REG_BINARY DefaultBrowser_NOPUBLISHERID!Microsoft.InternetExplorer.Default :
Count: 1
Focus Count: 0
Time Focused: 0:00:00.500000
Last updated: 2011-09-15 15:50:42
0x00000000 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff a0 68 a3 39 .............h.9
0x00000040 bf 73 cc 01 00 00 00 00 .s......

REG_BINARY Microsoft.Windows.ControlPanel :
Count: 0
Focus Count: 1
Time Focused: 0:00:15.625000
Last updated: 1970-01-01 00:00:00
0x00000000 00 00 00 00 00 00 00 00 01 00 00 00 15 3b 00 00 .............;..
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00 ................
0x00000040 00 00 00 00 00 00 00 00 ........

REG_BINARY Microsoft.InternetExplorer.Default :
Count: 2
Focus Count: 8
Time Focused: 0:03:34.108000
Last updated: 2011-09-15 15:59:40
0x00000000 00 00 00 00 02 00 00 00 08 00 00 00 68 42 03 00 ............hB..
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 90 55 43 7a .............UCz
0x00000040 c0 73 cc 01 00 00 00 00 .s......

REG_BINARY C:\Users\brendandg\Desktop\WinSCP.exe :
Count: 1
Focus Count: 3
Time Focused: 0:01:31.328000
Last updated: 2011-09-15 15:52:36
0x00000000 00 00 00 00 01 00 00 00 03 00 00 00 cc 62 01 00 .............b..
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 90 9e 34 7d ..............4}
0x00000040 bf 73 cc 01 00 00 00 00 .s......

REG_BINARY %windir%\system32\taskhost.exe :
Count: 0
Focus Count: 1
Time Focused: 0:00:12.125000
Last updated: 1970-01-01 00:00:00
0x00000000 00 00 00 00 00 00 00 00 01 00 00 00 69 2d 00 00 ............i-..
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00 ................
0x00000040 00 00 00 00 00 00 00 00 ........

REG_BINARY C:\Users\brendandg\Downloads\DumpIt\DumpIt.exe :
Count: 0
Focus Count: 1
Time Focused: 0:00:00.500000
Last updated: 1970-01-01 00:00:00
0x00000000 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00 ................
0x00000040 00 00 00 00 00 00 00 00 ........
----------------------------
Registry: \??\C:\Users\brendandg\ntuser.dat
Key name: Count
Last updated: 2011-09-15 15:59:40

Subkeys:

Values:

REG_BINARY UEME_CTLCUACount:ctor :
Count: 0
Focus Count: 0
Time Focused: 0:00:00.500000
Last updated: 1970-01-01 00:00:00
0x00000000 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff 00 00 00 00 ................
0x00000040 00 00 00 00 00 00 00 00 ........

REG_BINARY %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk :
Count: 1
Focus Count: 0
Time Focused: 0:00:00.501000
Last updated: 2011-09-15 15:50:42
0x00000000 00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................
0x00000010 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000020 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................
0x00000030 00 00 80 bf 00 00 80 bf ff ff ff ff a0 68 a3 39 .............h.9
0x00000040 bf 73 cc 01 00 00 00 00 .s......

[snip]