1:18 p.m.
Hello Jamie
The good news are... problem solved!!
The bad news are… I don’t know the source of my problem
With a new installation of volatility 2.3.1 the problem was solved… ethscan plugin is
analyzing successfully….
Thanks for Jamie’s support!!
El 14/11/2013, a las 16:16, David <eterno.comandante(a)gmail.com> escribió:
Thanks for your support Jamie ;)
I’m going to install a new instance of volatility in a new VM…. and I will send to you
and the list the results of this topic.
Kind regards.
El 14/11/2013, a las 15:36, Jamie Levy <jamie.levy(a)gmail.com> escribió:
hrmmm.... I don't know why it failed then. I
can see that you have the file in the correct folder. Just to test, I pulled down ethscan
[1] into my volatility/plugins folder, used a commandline similar to yours and it seems to
be working for me:
$ python vol.py -v ethscan -f Win2008R2SP1x64.raw --profile=Win2008R2SP1x64
Volatility Foundation Volatility Framework 2.3.1
Checking next buffer 0x768a1
Checking next buffer 0x57830
Checking next buffer 0xd990
Checking next buffer 0x513f
...
Not sure.. You should keep playing around with it and see if you can run other plugins...
then maybe you should contact the author.
All the best,
-gleeda
[1] https://jamaal-re-tools.googlecode.com/git/volplugins/ethscan.py
On Thu, Nov 14, 2013 at 9:17 AM, David <eterno.comandante(a)gmail.com> wrote:
The output:
addrspaces connscan.pyc dumpfiles.pyc fileparam.pyc handles.py
imagecopy.py kpcrscan.py mbrparser.pyc modules.pyc procdump.py sockets.pyc
taskmods.pyc vboxinfo.pyc
bioskbd.py crashinfo.py envars.py filescan.py handles.pyc
imagecopy.pyc kpcrscan.pyc mftparser.py netscan.py procdump.pyc sockscan.py
timeliner.py vmwareinfo.py
bioskbd.pyc crashinfo.pyc envars.pyc filescan.pyc hibinfo.py
imageinfo.py linux mftparser.pyc netscan.pyc pstree.py sockscan.pyc
timeliner.pyc vmwareinfo.pyc
common.py dlldump.py ethscan.py getservicesids.py hibinfo.pyc
imageinfo.pyc mac moddump.py overlays pstree.pyc ssdt.py
userassist.py volshell.py
common.pyc dlldump.pyc ethscan.pyc getservicesids.pyc hpakinfo.py
__init__.py machoinfo.py moddump.pyc patcher.py raw2dmp.py ssdt.pyc
userassist.pyc volshell.pyc
connections.py dumpcerts.py evtlogs.py getsids.py hpakinfo.pyc
__init__.pyc machoinfo.pyc modscan.py patcher.pyc raw2dmp.pyc strings.py
vadinfo.py
connections.pyc dumpcerts.pyc evtlogs.pyc getsids.pyc iehistory.py
kdbgscan.py malware modscan.pyc privileges.py registry strings.pyc
vadinfo.pyc
connscan.py dumpfiles.py fileparam.py gui iehistory.pyc
kdbgscan.pyc mbrparser.py modules.py privileges.pyc sockets.py taskmods.py
vboxinfo.py
Best regards!
El 14/11/2013, a las 14:52, Jamie Levy <jamie.levy(a)gmail.com> escribió:
Please type the following and show me the
output:
ls volatility/plugins
On Thu, Nov 14, 2013 at 8:32 AM, David <eterno.comandante(a)gmail.com> wrote:
Good afternoon Jamie
I copied the file ethscan.py in volatility/plugins and….
I executed:
remnux@remnux:~/Desktop/volatility-2.3.1$ sudo make clean
rm -f `find . -name "*.pyc" -o -name "*~"`
rm -rf dist build
remnux@remnux:~/Desktop/volatility-2.3.1$ sudo vol.py -v ethscan -f
/mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img
ERROR : __main__ : You must specify something to do (try -h)
The same error :(
El 14/11/2013, a las 14:05, Jamie Levy <jamie.levy(a)gmail.com> escribió:
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92 Oh, also if you copied the ethscan plugin to your
volatility/plugins directory, don't use the --plugins option
From: David <eterno.comandante(a)gmail.com>
Date: Thu, 14 Nov 2013 13:53:05 +0100
To: Jamie Levy<jamie.levy(a)gmail.com>
Cc: Volatility List<vol-users(a)volatilityfoundation.org>
Subject: Re: [Vol-users] Help to add new plugin
Hi Jamie
Thanks again...
I executed "sudo python vol.py
--plugins=../jamaal-re-tools-f427978461d4/volplugins -f
/mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan”
And i have new errors, (i use vol.py 2.3.1 non instalable version volatility 2.3.1)
Do you know if has anybody a similar problem with ethscan plugin?
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 186, in <module>
main()
File "/usr/local/bin/vol.py", line 143, in main
registry.register_global_options(config, commands.Command)
File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line
157, in register_global_options
for m in get_plugin_classes(cls, True).values():
File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line
152, in get_plugin_classes
raise Exception("Object {0} has already been defined by {1}".format(name,
plugin))
Exception: Object EthScan has already been defined by <class
'volatility.plugins.ethscan_rc1.EthScan'>
Best regards
El 14/11/2013, a las 12:45, Jamie Levy <jamie.levy(a)gmail.com> escribió:
> Try:
>
> sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f
/mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan
>
> First: --plugins takes in either a directory or a zipfile, not a plugin
>
> Second: You didn't specify which plugin to run (ethscan)
> From: David <eterno.comandante(a)gmail.com>
> Date: Thu, 14 Nov 2013 10:41:47 +0100
> To: Jamie Levy<jamie.levy(a)gmail.com>
> Cc: Volatility List<vol-users(a)volatilityfoundation.org>
> Subject: Re: [Vol-users] Help to add new plugin
>
>
> Sorry I had a typo i didn´t write --profile=Win7SP1x64
>
>
>> sudo python vol.py
--plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f
/mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64
>
>
>
> I have the same error of ever :(
>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR : __main__ : You must specify something to do (try -h)
>
>
> Thanks!!
>
> El 14/11/2013, a las 09:36, David <eterno.comandante(a)gmail.com> escribió:
>
>> Hi @Jamie and list
>>
>> Thanks very much for your support ;)
>>
>> I’ve same errors when i’m executing: :(
>>
>> sudo python vol.py
--plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f
/mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img
>>
>> The error:
>>
>> Volatility Foundation Volatility Framework 2.3.1
>> ERROR : __main__ : You must specify something to do (try -h)
>>
>> Maybe the cause of this error can be that the new plugin “ethscan" isn't
compatible with non instalable version of volatility 2.3.1, what do you think about?
>>
>> On the other hand, i found a brief tutorial about ethscan:
>>
>> https://code.google.com/p/jamaal-re-tools/source/browse/volplugins/README.t…
>>
>> vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S
>>
>> The execution of the vol.py command is different……. :(
>>
>> He does not the flag —-plugin=
>>
>> Thanks for all!!
>>
>> Ps: My apologies for my level of english
>>
>>
>> El 13/11/2013, a las 16:43, Jamie Levy <jamie.levy(a)gmail.com> escribió:
>>
>>> Hi David,
>>>
>>> I think you might have also asked this on the channel. So yes, you should
use the `--plugins=/path/to/folder/with/ethscan` option, obviously changing the path to a
folder that has that plugin. If you were the person on the channel, the issue that you
were having is because you must specify `--plugins` first, BEFORE any other options to
vol.py:
>>>
>>>
http://code.google.com/p/volatility/wiki/VolatilityUsage23#Specifying_Addit…
>>>
>>> Let me know if you have any other questions.
>>>
>>> All the best,
>>>
>>> -gleeda
>>>
>>>
>>>
>>>
>>> On Tue, Nov 12, 2013 at 6:42 AM, David Martin
<eterno.comandante(a)gmail.com> wrote:
>>> Hello list,
>>>
>>> Please, I need some help about for add/use new plugins in volatility 2.3.1.
>>>
>>> Can I use the flag "--plugins=contrib/plugins"? o is there any
method?
>>>
>>> The plugin that I want for add/use is:
>>>
>>> https://code.google.com/p/jamaal-re-tools/source/checkout
>>>
>>> Thanks for your support!!
>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Vol-users mailing list
>>> Vol-users(a)volatilityfoundation.org
>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>
>>>
>>>
>>>
>>> --
>>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
>>
>
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92