Fly safe! If you find others, just give us a shout. 

MHL

On Thu, Oct 4, 2012 at 6:08 PM, David Kovar <dkovar@gmail.com> wrote:
Greetings,

That worked. Thanks!

About to get on a plane for a day or two so I shouldn't be finding any more issues for awhile.

-David

On Oct 4, 2012, at 5:03 PM, Michael Hale Ligh <michael.hale@gmail.com> wrote:

That one is definitely a bug. Since you're using a source distribution, can you apply the patch below (also attached as a file in case that's easier) and let me know if its resolved?

-MHL

Index: volatility/plugins/malware/malfind.py
===================================================================
--- volatility/plugins/malware/malfind.py (revision 2641)
+++ volatility/plugins/malware/malfind.py (working copy)
@@ -562,7 +562,7 @@
                 # vad region and then checking the first two bytes. 
                 if obj.Object("_IMAGE_DOS_HEADER", offset = vad.Start, vm = address_space).e_magic != 0x5A4D:
                     continue
-                mapped_files[int(vad.Start)] = vad.FileObject.FileName
+                mapped_files[int(vad.Start)] = str(vad.FileObject.FileName or '')
 
             # For each base address with a mapped file, print info on 
             # the other PEB lists to spot discrepancies. 


On Thu, Oct 4, 2012 at 5:31 PM, David Kovar <dkovar@gmail.com> wrote:
Greetings,

Same install, new error:

vol.py -f *.mem --profile=Win2003SP2x86 --kdbg=0x808943e0 --dtb=0x1595000 ldrmodules

<lots of valid output, then....>

Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 5, in <module>
    pkg_resources.run_script('volatility==2.2', 'vol.py')
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources.py", line 489, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/pkg_resources.py", line 1207, in run_script
    execfile(script_filename, namespace, namespace)
  File "/Library/Python/2.7/site-packages/volatility-2.2-py2.7.egg/EGG-INFO/scripts/vol.py", line 186, in <module>
    main()
  File "/Library/Python/2.7/site-packages/volatility-2.2-py2.7.egg/EGG-INFO/scripts/vol.py", line 177, in main
    command.execute()
  File "/Library/Python/2.7/site-packages/volatility-2.2-py2.7.egg/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/Library/Python/2.7/site-packages/volatility-2.2-py2.7.egg/volatility/plugins/malware/malfind.py", line 582, in render_text
    mapped_files[base]
  File "/Library/Python/2.7/site-packages/volatility-2.2-py2.7.egg/volatility/commands.py", line 201, in table_row
    result = self._elide(("{0:" + spec.to_string() + "}").format(args[index]), spec.minwidth)
UnicodeEncodeError: 'ascii' codec can't encode character u'\ufffd' in position 0: ordinal not in range(128)

-David

_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users

<volatility-ldrmodules-string.patch>