I would recommend grabbing a 2.3.1 install, the 2.0 version is more than 3 years old now. 

$ svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only
$ cd volatility-read-only
$ python vol.py --plugins=contrib/plugins/malware -f mem.dmp zeusscan2

Give that a shot...
MHL


On Mon, Jan 27, 2014 at 1:35 PM, <shorejsi2@mmm.com> wrote:
 I'm dealing with what appears to be a new Zeus variant and on a whim I tried to run zeusscan2 under a copy of Volatility 2.0 I still hang onto. Perhaps not surprisingly, it ends unhappily

Volatile Systems Volatility Framework 2.0
Traceback (most recent call last):
  File "vol.py", line 135, in <module>
    main()
  File "vol.py", line 126, in main
    command.execute()
  File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/zeusscan2.py", line 330, in render_text
    for p, start, url, config_key, creds_key, decoded_config, decoded_magic in data:
  File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/zeusscan2.py", line 221, in calculate
    data  = malware.get_vad_data(ps_ad, start, end)
  File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/malware.py", line 856, in get_vad_data
    return ''.join(pages_one)
OverflowError: join() result is too long for a Python string

 Now I strongly suspect that the new variant is just enough different that it messes with the parsing and results in a runaway, but I just wanted to make sure I'm not leaving something on the table here...

 Should this work?


                        -=[ Steve ]=-

_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users