
I want to check for some information in a text file and, after that, use it to insert into a command.

For example:

There is this text file (hello.txt) and the information in it is:

Determining profile based on KDBG search...

      Suggested Profile(s) : Win7SP0x86, Win7SP1x86
                 AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                 AS Layer2 : FileAddressSpace (E:\KOHMOHOJOJO-PC-20140714-152414.raw)
                  PAE type : PAE
                       DTB : 0x185000L
                      KDBG : 0x82734be8L
      Number of Processors : 1
 Image Type (Service Pack) : 0
            KPCR for CPU 0 : 0x82735c00L
         KUSER_SHARED_DATA : 0xffdf0000L
       Image date and time : 2014-07-14 15:24:17 UTC+0000
 Image local date and time : 2014-07-14 23:24:17 +0800

So to continue analyzing using Volatility, the user needs to identify its profile.

There are 2 suggested profiles; however, the line "Image Type (Service Pack) : 0" further down shows that the profile is Win7SP0x86 instead of Win7SP1x86.

How do I use these 2 important details to select the correct profile and insert it into the command

vol231.exe -f E:\KOHMOHOJOJO-PC-20140714-152414.raw --profile=Win7SP0x86 pslist > hello2.txt

Can anyone help me with it? Thanks in advance!

Edit:

The suggested profiles are not fixed. Depending on the .raw file, there might be more than 2 suggested profiles. How do you match the "Image Type (Service Pack) : 0" to the suggested profile?

For example: when it reads the file, it will "store" the two or more suggested profiles in a variable, then check whether the suggested profile has 0 or 1 or 2, etc.

Hopefully, this explains better. Or whichever suitable way is good.

Linify

1 Answer

@echo off
setlocal

rem "Image Type (Service Pack) : 0" split on ':' and ' ' gives the SP number as the 5th token
for /f "tokens=5 delims=: " %%a in ('type hello.txt^| find /i "Image Type (Service Pack)"') do (
    set "SP=%%a"
)

rem "Suggested Profile(s) : Win7SP0x86, Win7SP1x86" - keep everything after the colon
for /f "tokens=2 delims=:" %%p in ('type hello.txt^| find /i "Suggested Profile(s)"') do (
    set "profiles=%%p"
)

rem the list is assumed to be in service pack order, so SP n is entry n+1
set /a tkn=SP+1

rem split the list on ',' and ' ' and take that entry
for /f "tokens=%tkn% delims=, " %%s in ("%profiles%") do (
    set "profile=%%s"
)

::vol231.exe -f E:\KOHMOHOJOJO-PC-20140714-152414.raw --profile=%profile% pslist > hello2.txt
npocmaka
  • Is it possible not to hard code the `Win7SP0x86` and `Win7SP1x86` because there could be other profiles? – Linify Jul 17 '14 at 08:51
  • and unfortunately, it does not work. It will always insert `Win7SP1x86` into the command – Linify Jul 17 '14 at 08:53
  • @Linify Oops. I've edited my answer. What are other values depending on the SP number? – npocmaka Jul 17 '14 at 09:29
  • Please provide the other possible file output for the service pack. We would have to use our crystal balls otherwise. – foxidrive Jul 17 '14 at 09:42
  • It works. It changed. But is it possible not to hard code the suggested profile? Depending on the .raw file, the suggested profile can be `VistaSP0x86`, `VistaSP1x86`, `VistaSP2x86`, `Win2003SP0x86`, `Win2003SP1x86`, `Win2003SP2x86`, `Win2008SP0x86`, `Win2008SP1x86`, `Win2008SP2x86`, `Win7SP0x86`, etc. – Linify Jul 17 '14 at 09:43
  • @Linify - can you check it now? – npocmaka Jul 17 '14 at 10:04
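The batch answer above picks the (SP+1)th entry of the list, which works as long as imageinfo lists the candidates in service pack order. As an added example (not part of the question or of npocmaka's answer), here is the same selection in Python, matching the "Image Type (Service Pack)" number against the "SP<n>" part of each suggested profile name instead of relying on list position, and refusing to guess when that number does not single out exactly one candidate (for example an x86 and an x64 profile with the same SP). The imageinfo text embedded in it is constructed after the output shown in the question, not captured from a real image; `vol231.exe` and the `pslist > hello2.txt` step are taken from the question; the stripping of a trailing "(Instantiated with ...)" tail, which later Volatility 2.x releases append to the profile list, and the ambiguous profile names used in the checks are assumptions added here.

```python
"""Pick the Volatility 2.x profile matching the detected service pack (added
example, not the answer's batch script): parse imageinfo output, match the
SP number against each suggested profile name, build the pslist command."""
import re
import subprocess
import sys

# Constructed sample modelled on the imageinfo text in the question; it is
# not output captured from a real image.
SAMPLE_IMAGEINFO = """\
Determining profile based on KDBG search...

          Suggested Profile(s) : Win7SP0x86, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (E:\\KOHMOHOJOJO-PC-20140714-152414.raw)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82734be8L
          Number of Processors : 1
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0x82735c00L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2014-07-14 15:24:17 UTC+0000
     Image local date and time : 2014-07-14 23:24:17 +0800
"""


def parse_imageinfo(text):
    """Return the 'key : value' fields of imageinfo output as a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def suggested_profiles(fields):
    """Split the Suggested Profile(s) field into a list of profile names."""
    raw = fields.get("Suggested Profile(s)", "")
    # Later 2.x releases append "(Instantiated with ...)"; drop any such tail.
    raw = re.sub(r"\s*\([^)]*\)\s*$", "", raw)
    return [p.strip() for p in raw.split(",") if p.strip()]


def select_profile(fields):
    """Return the one suggested profile whose name carries the detected SP.

    Matching on the "SP<n>" substring rather than on list position keeps the
    result independent of the order imageinfo happens to use; if SP<n> does
    not pick out exactly one candidate, raise instead of guessing.
    """
    profiles = suggested_profiles(fields)
    if not profiles:
        raise ValueError("no Suggested Profile(s) line in imageinfo output")
    sp = fields.get("Image Type (Service Pack)", "")
    if not sp.isdigit():
        raise ValueError("no numeric Image Type (Service Pack) value")
    matches = [p for p in profiles if re.search(rf"SP{sp}(?!\d)", p)]
    if len(matches) != 1:
        raise ValueError(f"SP{sp} does not select exactly one of {profiles}: {matches}")
    return matches[0]


def image_path(fields):
    """Recover the .raw path from the FileAddressSpace layer line, if present."""
    for value in fields.values():
        m = re.fullmatch(r"FileAddressSpace \((.*)\)", value)
        if m:
            return m.group(1)
    return None


def build_vol_command(image, profile, plugin="pslist", vol_exe="vol231.exe"):
    """argv for the Volatility run; a list needs no shell quoting of the path."""
    return [vol_exe, "-f", image, f"--profile={profile}", plugin]


def main(argv):
    # Read the saved imageinfo output (hello.txt in the question), or use the
    # embedded sample when no file name is given.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as f:
            text = f.read()
    else:
        text = SAMPLE_IMAGEINFO
    fields = parse_imageinfo(text)
    profile = select_profile(fields)
    image = image_path(fields)
    if image is None:
        sys.exit("no FileAddressSpace path in imageinfo output")
    cmd = build_vol_command(image, profile)
    print(subprocess.list2cmdline(cmd))
    # To run it and capture pslist to hello2.txt as in the question:
    #   with open("hello2.txt", "w") as out:
    #       subprocess.run(cmd, stdout=out, check=True)


if __name__ == "__main__":
    main(sys.argv)
```

Run as `python pick_profile.py hello.txt` after saving the imageinfo output the way the question does; with no argument it works on the embedded sample and prints the `vol231.exe ... --profile=Win7SP0x86 pslist` command line. Note that the question's hard-coded positional approach and this substring match agree for every list in the question's comments (VistaSP0x86/SP1x86/SP2x86 and so on), but only the substring match survives a differently ordered list.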