Heya Michael,
No worries, it's all good. I'll use 2.0 stable for the malware plugins
and 2.1 alpha for all else. Thanks for the clarification!
Andre'
Andre' M. DiMino
Deep End Research
"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
On 02/02/2012 05:31 PM, Michael Hale Ligh wrote:
Hey Andre'
If you're using malware.py from
http://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py,
it's only going to work with one of the 2.0 stable downloads from
http://code.google.com/p/volatility/downloads/list. It sounds like
you're using malware.py or malware2.1_alpha.py from the above link but
with the Volatility 2.1 alpha branch from svn trunk. You'd think
malware2.1_alpha.py is compatible with the 2.1 alpha branch of
Volatility but currently it's just my template for where the malware
plugins will go once 2.1 is released and stable.
So in short, if you want to use malware plugins, use malware.py with
the 2.0 stable release. If you want to use the 2.1 alpha trunk with
x64 support, there are currently no malware plugins. But by the time
2.1 is released, there will be.
Sorry for the confusion!
MHL
On Thu, Feb 2, 2012 at 5:19 PM, Andre' M. DiMino
<adimino(a)sempersecurus.org> wrote:
> Greetings,
>
> I'm seeing the following errors when attempting to run volatility with
> 'malfind' and referencing yara. This used to work fine on yara 1.4, but
> now fails on 1.6. I'm wondering what might have happened and how to
> resolve it.
>
> ~/vol.py -f purple.vmem --profile=WinXPSP3x86 malfind -D
> /home/apollo/workspace/dump_dir/ --yara-rules="http://" -p 1004
>
> Volatile Systems Volatility Framework 2.1_alpha
> Name Pid Start End Tag Hits Protect
> Traceback (most recent call last):
> File "/home/apollo/vol.py", line 135, in <module>
> main()
> File "/home/apollo/vol.py", line 126, in main
> command.execute()
> File "/home/sportivo/tools/Volatility/volatility/commands.py", line
> 101, in execute
> func(outfd, data)
> File "/home/sportivo/tools/Volatility/volatility/plugins/malware.py",
> line 1042, in render_text
> for (name,pid,start,end,tag,prx,fname,hits,chunk) in data:
> File "/home/sportivo/tools/Volatility/volatility/plugins/malware.py",
> line 992, in calculate
> for ps_ad, start, end, tag, prx, data in self.get_vads(proc):
> File "/home/sportivo/tools/Volatility/volatility/plugins/malware.py",
> line 923, in get_vads
> yield (ps_ad, start, end, vad.Tag, vad.Flags.Protection >> 24, data)
> File "/home/sportivo/tools/Volatility/volatility/obj.py", line 777, in
> __getattr__
> return self.m(attr)
> File "/home/sportivo/tools/Volatility/volatility/obj.py", line 762, in m
> raise AttributeError("Struct {0} has no member
> {1}".format(self.obj_name, attr))
> AttributeError: Struct VadRoot has no member Flags
>
>
> Any thoughts or ideas are welcome. Thanks!
>
> Andre'
>
>
> --
> Andre' M. DiMino
> DeepEnd Research
>
> http://deependresearch.org
>
> http://sempersecurus.org
>
> "Make sure that nobody pays back wrong for wrong, but always try to be
> kind to each other and to everyone else" - 1 Thess 5:15 (NIV)
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
>
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users