Hello Jamie

The good news is... problem solved!!
The bad news is… I don’t know the source of my problem

With a new installation of volatility 2.3.1 the problem was solved… ethscan plugin is analyzing successfully…. 

Thanks for Jamie’s support!!

On 14/11/2013, at 16:16, David <eterno.comandante@gmail.com> wrote:

Thanks for your support Jamie ;)

I’m going to install a new instance of volatility in a new VM…. and I will send you and the list the results on this topic.

Kind regards.


On 14/11/2013, at 15:36, Jamie Levy <jamie.levy@gmail.com> wrote:

hrmmm.... I don't know why it failed then.  I can see that you have the file in the correct folder.  Just to test, I pulled down ethscan [1] into my volatility/plugins folder, used a command line similar to yours and it seems to be working for me:

$ python vol.py -v  ethscan -f Win2008R2SP1x64.raw --profile=Win2008R2SP1x64
Volatility Foundation Volatility Framework 2.3.1
Checking next buffer 0x768a1
Checking next buffer 0x57830
Checking next buffer 0xd990
Checking next buffer 0x513f
...

Not sure.. You should keep playing around with it and see if you can run other plugins... then maybe you should contact the author.

All the best,

-gleeda





On Thu, Nov 14, 2013 at 9:17 AM, David <eterno.comandante@gmail.com> wrote:
The output:

addrspaces       connscan.pyc   dumpfiles.pyc  fileparam.pyc       handles.py     imagecopy.py   kpcrscan.py    mbrparser.pyc  modules.pyc     procdump.py   sockets.pyc   taskmods.pyc    vboxinfo.pyc
bioskbd.py       crashinfo.py   envars.py      filescan.py         handles.pyc    imagecopy.pyc  kpcrscan.pyc   mftparser.py   netscan.py      procdump.pyc  sockscan.py   timeliner.py    vmwareinfo.py
bioskbd.pyc      crashinfo.pyc  envars.pyc     filescan.pyc        hibinfo.py     imageinfo.py   linux          mftparser.pyc  netscan.pyc     pstree.py     sockscan.pyc  timeliner.pyc   vmwareinfo.pyc
common.py        dlldump.py     ethscan.py     getservicesids.py   hibinfo.pyc    imageinfo.pyc  mac            moddump.py     overlays        pstree.pyc    ssdt.py       userassist.py   volshell.py
common.pyc       dlldump.pyc    ethscan.pyc    getservicesids.pyc  hpakinfo.py    __init__.py    machoinfo.py   moddump.pyc    patcher.py      raw2dmp.py    ssdt.pyc      userassist.pyc  volshell.pyc
connections.py   dumpcerts.py   evtlogs.py     getsids.py          hpakinfo.pyc   __init__.pyc   machoinfo.pyc  modscan.py     patcher.pyc     raw2dmp.pyc   strings.py    vadinfo.py
connections.pyc  dumpcerts.pyc  evtlogs.pyc    getsids.pyc         iehistory.py   kdbgscan.py    malware        modscan.pyc    privileges.py   registry      strings.pyc   vadinfo.pyc
connscan.py      dumpfiles.py   fileparam.py   gui                 iehistory.pyc  kdbgscan.pyc   mbrparser.py   modules.py     privileges.pyc  sockets.py    taskmods.py   vboxinfo.py

Best regards!

On 14/11/2013, at 14:52, Jamie Levy <jamie.levy@gmail.com> wrote:

Please type the following and show me the output:

ls volatility/plugins




On Thu, Nov 14, 2013 at 8:32 AM, David <eterno.comandante@gmail.com> wrote:
Good afternoon Jamie

I copied the file ethscan.py into volatility/plugins and….

I executed: 

remnux@remnux:~/Desktop/volatility-2.3.1$ sudo make clean
rm -f `find . -name "*.pyc" -o -name "*~"`
rm -rf dist build
remnux@remnux:~/Desktop/volatility-2.3.1$ sudo vol.py -v  ethscan -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img 
ERROR   : __main__            : You must specify something to do (try -h)

The same error :( 

On 14/11/2013, at 14:05, Jamie Levy <jamie.levy@gmail.com> wrote:

Oh, also if you copied the ethscan plugin to your volatility/plugins directory, don't use the --plugins option


Date: Thu, 14 Nov 2013 13:53:05 +0100
To: Jamie Levy<jamie.levy@gmail.com>
Subject: Re: [Vol-users] Help to add new plugin

Hi Jamie

Thanks again...

I executed "sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan"

And I have new errors (I use vol.py 2.3.1, the non-installable version of volatility 2.3.1)

Do you know if anybody has had a similar problem with the ethscan plugin?


Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 186, in <module>
    main()
  File "/usr/local/bin/vol.py", line 143, in main
    registry.register_global_options(config, commands.Command)
  File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 157, in register_global_options
    for m in get_plugin_classes(cls, True).values():
  File "/usr/local/lib/python2.7/dist-packages/volatility/registry.py", line 152, in get_plugin_classes
    raise Exception("Object {0} has already been defined by {1}".format(name, plugin))
Exception: Object EthScan has already been defined by <class 'volatility.plugins.ethscan_rc1.EthScan'>


Best regards

On 14/11/2013, at 12:45, Jamie Levy <jamie.levy@gmail.com> wrote:

Try:

sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 ethscan

First: --plugins takes in either a directory or a zipfile, not a plugin

Second: You didn't specify which plugin to run (ethscan)

Date: Thu, 14 Nov 2013 10:41:47 +0100
To: Jamie Levy<jamie.levy@gmail.com>
Subject: Re: [Vol-users] Help to add new plugin


Sorry, I had a typo: I didn't write --profile=Win7SP1x64


sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img --profile=Win7SP1x64 


I have the same error as ever :(

Volatility Foundation Volatility Framework 2.3.1
ERROR   : __main__            : You must specify something to do (try -h)

Thanks!!

On 14/11/2013, at 09:36, David <eterno.comandante@gmail.com> wrote:

Hi @Jamie and list

Thanks very much for your support ;) 

I have the same errors when I’m executing: :(

 sudo python vol.py --plugins=../jamaal-re-tools-f427978461d4/volplugins/ethscan.py -f /mnt/hgfs/E/ENSE/F/M/Audits/7523/200309/memory.img 

The error:

Volatility Foundation Volatility Framework 2.3.1
ERROR   : __main__            : You must specify something to do (try -h)

Maybe the cause of this error is that the new plugin "ethscan" isn't compatible with the non-installable version of volatility 2.3.1. What do you think?

On the other hand, I found a brief tutorial about ethscan:


vol.py ethscan -f be2.vmem -R --dump-dir outputfiles -C out.pcap -P -S

The execution of the vol.py command is different……. :( 

He does not use the flag --plugin=

Thanks for all!!

PS: My apologies for my level of English


On 13/11/2013, at 16:43, Jamie Levy <jamie.levy@gmail.com> wrote:

Hi David,

I think you might have also asked this on the channel.  So yes, you should use the `--plugins=/path/to/folder/with/ethscan` option, obviously changing the path to a folder that has that plugin.  If you were the person on the channel, the issue that you were having is because you must specify `--plugins` first, BEFORE any other options to vol.py:


Let me know if you have any other questions.

All the best,

-gleeda




On Tue, Nov 12, 2013 at 6:42 AM, David Martin <eterno.comandante@gmail.com> wrote:
Hello list,

Please, I need some help to add/use new plugins in volatility 2.3.1.

Can I use the flag "--plugins=contrib/plugins"? Or is there any method?

The plugin that I want to add/use is:


Thanks for your support!!





_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users




--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
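
The registry exception quoted in this thread ("Object EthScan has already been defined by ... ethscan_rc1.EthScan") is raised when a plugin class name is registered a second time. As an added example (not from the thread or the Volatility project), this scanner lists class names defined in more than one .py file under the directories passed to it; the function names are hypothetical and the directory tree in the demo is constructed.

```python
import os
import re
import tempfile
from collections import defaultdict

# Regex rather than ast, so Python 2 plugin sources can be scanned from any
# interpreter. Only top-level (unindented) class statements are matched.
CLASS_RE = re.compile(r"^class\s+([A-Za-z_]\w*)\s*[(:]", re.MULTILINE)


def find_duplicate_plugin_classes(plugin_dirs):
    """Return {class_name: [paths]} for names defined in more than one file."""
    seen = defaultdict(set)
    for root in plugin_dirs:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if not name.endswith(".py"):
                    continue
                path = os.path.join(dirpath, name)
                with open(path, "r", errors="replace") as fh:
                    for cls in CLASS_RE.findall(fh.read()):
                        seen[cls].add(path)
    return {c: sorted(p) for c, p in seen.items() if len(p) > 1}


def build_constructed_tree(base):
    """Constructed sample: an installed plugins dir plus an extra plugin dir."""
    installed = os.path.join(base, "dist-packages", "volatility", "plugins")
    extra = os.path.join(base, "volplugins")
    body = "import volatility.commands as commands\nclass {0}(commands.Command):\n    pass\n"
    samples = {
        os.path.join(installed, "ethscan_rc1.py"): "EthScan",
        os.path.join(installed, "pstree.py"): "PSTree",
        os.path.join(extra, "ethscan.py"): "EthScan",
    }
    for path, cls in samples.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body.format(cls))
    return [installed, extra]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for cls, paths in find_duplicate_plugin_classes(build_constructed_tree(tmp)).items():
            print("{0} is defined in:".format(cls))
            for p in paths:
                print("    " + p)
```

Point it at both the installed volatility/plugins directory and any directory given to --plugins; hits are candidates to inspect, since helper classes can share a name without being registered as plugins.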