On Jul 14, 2009, at 9:38 PM, Robert Miller wrote:
Hello Everyone,
I have been dumping memory on a few systems, and when I go to
process the memory images I get different errors. For some of these I
think I've found the answers, but I'm not sure on others.
Here are the errors I have seen:
procdump:
=======
Memory Not Accessible: Virtual Address: 0x4ad50000 File Offset:
0x50000 Size: 0x1000
This is normal and the message is simply informational -- not all
virtual addresses in memory will be accessible in a given image (some
may be swapped out to disk). These messages are an attempt to provide
you with an audit log so you can determine which portions of the
executable were retrieved successfully.
pslist:
====
volatility_v1.3/forensics/win32/crashdump.py:31:
DeprecationWarning: the sha module is deprecated; use the hashlib
module instead
import sha
*** Unable to load module malfind: No module named pydasm
*** Unable to load module malfind: No module named pydasm
datetime:
======
/volatility_v1.3/forensics/win32/crashdump.py:31:
DeprecationWarning: the sha module is deprecated; use the hashlib
module instead
import sha
*** Unable to load module malfind: No module named pydasm
*** Unable to load module malfind: No module named pydasm
I believe the DeprecationWarning is due to the version of Python,
which is 2.6.2
None of these messages should prevent pslist or datetime from
running. Are you finding that this is the case?
The DeprecationWarning is caused by a stray line from testing that
was left in crashdump.py; the warning is not harmful, but if it
bothers you, you can comment that line out.
The malfind module, not sure why I downloaded the module and have
not looked into it, however there should not be an issue, but there
is.
As described here:
http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html
you will need pydasm to use malfind:
http://dkbza.org/pydasm.html
Any advice?
Hope this helps,
Brendan
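The "Memory Not Accessible" lines that Brendan describes as an audit log are worth more than a quick glance: they tell you how much of the dumped executable you actually have, and whether the part you lost includes the PE header at file offset 0. The following Python 3 script is an added example, not code from this thread or from Volatility; it parses those audit lines (the format is taken from the message above, including a line wrapped by the mail client), coalesces adjacent missing pages into runs, and reports coverage. The sample log text, the `dump_size` value and all function names are constructed for illustration.

```python
import re

# Audit-line format as it appears in procdump's output in this thread. The
# mail client wrapped one line after "File Offset:", so whitespace (including
# newlines) between fields is tolerated.
AUDIT_RE = re.compile(
    r"Memory Not Accessible:\s*Virtual Address:\s*(0x[0-9a-fA-F]+)\s*"
    r"File Offset:\s*(0x[0-9a-fA-F]+)\s*Size:\s*(0x[0-9a-fA-F]+)"
)

# Constructed sample: the first entry is wrapped exactly as in the mail, the
# other two are constructed to show page coalescing and a separate run.
SAMPLE_LOG = """\
Memory Not Accessible: Virtual Address: 0x4ad50000 File Offset:
0x50000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ad51000 File Offset: 0x51000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ad60000 File Offset: 0x60000 Size: 0x2000
"""


def parse_audit(text):
    """Return a list of (virtual_address, file_offset, size) ints, one per audit line."""
    gaps = []
    for match in AUDIT_RE.finditer(text):
        vaddr, offset, size = (int(field, 16) for field in match.groups())
        gaps.append((vaddr, offset, size))
    return gaps


def coalesce_runs(gaps):
    """Merge missing pages that are contiguous in the output file into (offset, length) runs."""
    runs = []
    for _, offset, size in sorted(gaps, key=lambda g: g[1]):
        if runs and runs[-1][0] + runs[-1][1] == offset:
            start, length = runs[-1]
            runs[-1] = (start, length + size)
        else:
            runs.append((offset, size))
    return runs


def summarize(text, dump_size=None):
    """Summarize how much of a procdump output is backed by unreadable memory.

    dump_size (hypothetical input) is the size of the written executable, if
    known, so that a missing fraction can be reported alongside the byte count.
    """
    gaps = parse_audit(text)
    missing_bytes = sum(size for _, _, size in gaps)
    summary = {
        "missing_pages": len(gaps),
        "missing_bytes": missing_bytes,
        "runs": coalesce_runs(gaps),
        # If file offset 0 is missing, the DOS/PE headers were not recovered and
        # the dump will not parse as a PE file regardless of how much else is there.
        "header_missing": any(offset == 0 for _, offset, _ in gaps),
    }
    if dump_size:
        summary["missing_fraction"] = missing_bytes / dump_size
    return summary


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, dump_size=0x80000)
    print("missing pages: %d (%#x bytes)" % (report["missing_pages"], report["missing_bytes"]))
    for start, length in report["runs"]:
        print("  gap at file offset %#x, length %#x" % (start, length))
    print("PE header missing: %s" % report["header_missing"])
    print("missing fraction: %.2f%%" % (100 * report["missing_fraction"]))
```

Feed it the saved stdout of a procdump run (for example `summarize(open("procdump.log").read(), dump_size=os.path.getsize("executable.1234.exe"))`) and you get a quick triage answer: a few scattered pages are normal, as Brendan notes, but a missing header or a large missing fraction means the dump should not be treated as a faithful copy of the on-disk binary.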