You can search for hex in the same way, just escape it like
search_process_memory("\x90\xeb\x00"). Also the function is already in
2.1 so you won't need malware2.1_alpha.py or malware.py from the
malwarecookbook website.
MHL
On Mon, Apr 2, 2012 at 12:18 AM, Mike Pilkington <mpilking(a)gmail.com> wrote:
Thanks to you both for the help & advice!
MA: You are right...I am using 2.0. Looks like a great plugin. I'll
try again soon with the new version.
MHL: I like your idea of searching the process's address space, at
least for my first attempt. The only problem is that I need to search
for a hex value. Reading the comment on "search_process_memory" from
http://code.google.com/p/malwarecookbook/source/browse/trunk/malware2.1_alp…
indicates it is a string search. Do you have a suggestion for
searching a hex value?
Thanks again!
Mike
On 4/1/12, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
> Just FYI there are a few templates you can use depending on your needs
> (where you expect to find the structures, etc). Packetscan is a good
> example of a DiscontigScanner in physical space (it scans from offset
> 0 of the file to EOF). Other plugins like svcscan
> (http://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/…)
> iterate through processes and scan each process's private virtual
> memory. There are some convenience functions making it quite easy to
> use, for example:
>
> for task in tasks.pslist(addr_space):
>     for found in task.search_process_memory("whatever"):
>         print "Found at", hex(found), "in process", task.UniqueProcessId
>
>> I'm wondering, is it recommended to create a new vtype when
>> scanning for a structure in memory?
>
> Mike Auty answered this a bit, but I just wanted to add - if the
> structures you're scanning for are standard (i.e. in the public kernel
> PDB documented/released by Microsoft) then it's already in the profile
> and you can just use it. If you're scanning for undocumented
> structures or ones that you've created, reversed yourself, then you'll
> need to create your own vtypes for the structs.
>
> MHL
>
> On Sun, Apr 1, 2012 at 4:04 PM, Mike Auty <mike.auty(a)gmail.com> wrote:
>> Hiya Mike,
>>
>> My guess would be that you're using volatility-2.0, but the packetscan
>> prototype that I put on issue 233 is only suitable for use with the
>> latest trunk (which will hopefully become volatility-2.1 in the next
>> month or two).
>>
>> If you're intending to write your own scanner then it should be a
>> relatively suitable template to work from. I would recommend keeping
>> your structures as vtypes if they're simple enough. If they require
>> particularly complex parsing (conditionals, etc), then you may want to
>> just extract the appropriate amount of data and have a separate parser
>> that handles them.
>>
>> Hope that helps? Do let me know on issue 233 if you have any other
>> problems with the packetscan prototype. It doesn't do everything yet,
>> but hopefully won't require too much work to be useful...
>>
>> Mike 5:)
>> _______________________________________________
>> Vol-dev mailing list
>> Vol-dev(a)volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
>
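The two points this thread turns on, searching a process's memory for a raw hex byte sequence rather than a text string, and Mike Auty's suggestion to pull a fixed amount of data at each hit and parse it separately when a vtype would be awkward, as an added Python 3 example. It is not code from the thread or from Volatility: a constructed bytes buffer stands in for the process address space (in Volatility you would call task.search_process_memory() or the address space's read()), the record layout RECORD_FMT and the sanity checks are hypothetical choices for the illustration, and the signature b"\x90\xeb\x00" is simply the Python 3 bytes form of the "\x90\xeb\x00" string literal used in the top message. The scan reads in chunks and carries the last len(sig)-1 bytes over, so a pattern straddling two reads is still found without ever being reported twice.

```python
"""Scan a memory buffer for a byte signature, then parse a struct at each hit.

Added illustration, not Volatility code. A constructed bytes buffer plays the
role of a process address space; RECORD_FMT is a hypothetical record layout.
"""
import struct

# Python 2's "\x90\xeb\x00" str is written as a bytes literal in Python 3.
SIGNATURE = b"\x90\xeb\x00"

# Hypothetical 12-byte record assumed to start with the signature:
#   3-byte marker | 1-byte version | uint32 length | uint32 checksum, little-endian
RECORD_FMT = "<3sBII"
RECORD_SIZE = struct.calcsize(RECORD_FMT)  # 12


def find_all(data, sig):
    """Return every offset at which sig occurs in data (overlapping hits included)."""
    hits, start = [], 0
    while True:
        idx = data.find(sig, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1


def scan_chunked(reader, size, sig, chunk_size=4096):
    """Scan an address-space-like reader(offset, length) -> bytes in chunks.

    The last len(sig)-1 bytes of each chunk are prepended to the next one so a
    signature straddling a boundary is found; since that carry-over is shorter
    than sig, no hit can be reported twice.  An empty/None read (unmapped page)
    is skipped and the carry-over discarded.
    """
    hits, tail, offset = [], b"", 0
    while offset < size:
        chunk = reader(offset, min(chunk_size, size - offset))
        if not chunk:
            tail = b""
            offset += chunk_size
            continue
        buf = tail + chunk
        base = offset - len(tail)          # absolute offset of buf[0]
        hits.extend(base + idx for idx in find_all(buf, sig))
        tail = buf[-(len(sig) - 1):] if len(sig) > 1 else b""
        offset += len(chunk)
    return hits


def parse_record(data, offset):
    """Parse the record at offset; None if truncated or it fails sanity checks.

    The checks are the scanner's false-positive filter: a raw byte search alone
    will match filler, code and stale data as readily as real structures.
    """
    if offset + RECORD_SIZE > len(data):
        return None
    marker, version, length, checksum = struct.unpack_from(RECORD_FMT, data, offset)
    if marker != SIGNATURE or version == 0 or length == 0 or length > 0x10000:
        return None
    return {"offset": offset, "version": version, "length": length, "checksum": checksum}


def build_sample_image():
    """Constructed sample: 10 KiB of zero filler holding three signature hits,
    one of which straddles the 4096-byte chunk boundary and one of which
    carries a version of 0 that the sanity check rejects."""
    img = bytearray(10240)

    def put(off, version, length, checksum):
        struct.pack_into(RECORD_FMT, img, off, SIGNATURE, version, length, checksum)

    put(0x100, 1, 64, 0xDEADBEEF)
    put(4094, 2, 128, 0x01020304)   # bytes 4094..4096: crosses the first chunk edge
    put(0x2000, 0, 16, 0)           # bogus version -> dropped by parse_record
    return bytes(img)


def scan_image(image, chunk_size=4096):
    """Return (all raw signature offsets, the records that parsed cleanly)."""
    reader = lambda off, n: image[off:off + n]
    hits = scan_chunked(reader, len(image), SIGNATURE, chunk_size)
    records = [r for r in (parse_record(image, h) for h in hits) if r]
    return hits, records


if __name__ == "__main__":
    image = build_sample_image()
    hits, records = scan_image(image)
    for h in hits:
        print("Found at", hex(h))
    for r in records:
        print("Parsed record:", r)
```

Against a real image the reader would wrap the address space's read() and the hits would be fed back to the profile's vtype (obj.Object) where one exists; the struct-based parse_record is the fallback Mike Auty describes for layouts too conditional to express as a vtype.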