Yep works now....thanks...
I was using the malware cookbook vmem stuff as a baseline, that's all....
On Mar 2, 2012 3:31 PM, "Jamie Levy" <jamie.levy(a)gmail.com> wrote:
OK, it's now fixed. Everyone `svn update` ;-)
On Fri, Mar 2, 2012 at 4:07 PM, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
Yeah I think this was introduced in r1483-1485. Some files named win2k3 need to be renamed win2003. We'll fix it up shortly. Thanks for catching it!
MHL
On Fri, Mar 2, 2012 at 3:52 PM, Michael Cohen <scudette(a)gmail.com> wrote:
> Hi Tom,
> It looks from this backtrace like you are trying to run a subversion
> checkout. If you are looking for stability, please check out the 2.0
> branch or download the tarball. Clearly the current subversion head is
> a little broken :-)
>
> Michael.
>
> On 2 March 2012 18:05, Tom Yarrish <tom(a)yarrish.com> wrote:
>> Hey all,
>> So I went through the install docs for Linux on the wiki to install
>> Volatility on my MacBook Pro running OS X Lion. I'm testing it using
>> the samples from the Malware Cookbook (stuxnet.vmem in this case), and
>> just doing:
>>
>> python ~/volatility-read-only/vol.py -f stuxnet.vmem imageinfo
>>
>> I'm getting the following output:
>>
>>
>> Volatile Systems Volatility Framework 2.1_alpha
>> Determining profile based on KDBG search...
>>
>> Traceback (most recent call last):
>>   File "/Users/e18529/volatility-read-only/vol.py", line 135, in <module>
>>     main()
>>   File "/Users/e18529/volatility-read-only/vol.py", line 126, in main
>>     command.execute()
>>   File "/Users/e18529/volatility-read-only/volatility/commands.py", line 101, in execute
>>     func(outfd, data)
>>   File "/Users/e18529/volatility-read-only/volatility/plugins/imageinfo.py", line 37, in render_text
>>     for k, v in data:
>>   File "/Users/e18529/volatility-read-only/volatility/plugins/imageinfo.py", line 47, in calculate
>>     suglist = [ s for s, _, _ in kdbg.KDBGScan.calculate(self)]
>>   File "/Users/e18529/volatility-read-only/volatility/plugins/kdbgscan.py", line 95, in calculate
>>     buf = addrspace.BufferAddressSpace(self._config)
>>   File "/Users/e18529/volatility-read-only/volatility/addrspace.py", line 161, in __init__
>>     BaseAddressSpace.__init__(self, None, config, **kwargs)
>>   File "/Users/e18529/volatility-read-only/volatility/addrspace.py", line 68, in __init__
>>     self.profile = self._set_profile(config.PROFILE)
>>   File "/Users/e18529/volatility-read-only/volatility/addrspace.py", line 90, in _set_profile
>>     ret = registry.PROFILES[profile_name]()
>>   File "/Users/e18529/volatility-read-only/volatility/obj.py", line 879, in __init__
>>     self.reset()
>>   File "/Users/e18529/volatility-read-only/volatility/obj.py", line 906, in reset
>>     self.load_modifications()
>>   File "/Users/e18529/volatility-read-only/volatility/obj.py", line 960, in load_modifications
>>     mod.modification(self)
>>   File "/Users/e18529/volatility-read-only/volatility/plugins/overlays/windows/ssdt_vtypes.py", line 57, in modification
>>     profile.additional['syscalls'] = module.syscalls
>> AttributeError: 'NoneType' object has no attribute 'syscalls'
>>
>> So I'm guessing I still don't have something configured correctly.
>> Thanks ahead of time,
>> Tom
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92