nuuska / volatility
Automatically exported from code.google.com/p/volatility
Hey guys,
For some commands like dlllist, the pid filtering is no longer working. If I do
dlllist -p 4 or --pid=4 (or any other pid) then it prints the DLLs in all
processes.
I found that if I comment out the line in Dlllist:
@cache.CacheDecorator("tests/pslist")
That fixes the problem and it obeys the -p or --pid parameters. Of course, I'm
not sure what other things might break with that line commented!
Original issue reported on code.google.com by [email protected]
on 26 Aug 2010 at 4:58
Hey guys,
I encountered this issue this week. I've been updating the code from CVS about
once a week and the problem just started happening, so it may be due to a
recent change.
$ python volatility.py pslist -f XPSP3.vmem
Volatile Systems Volatility Framework 1.4_rc1
Name Pid PPid Thds Hnds Time
System 4 0 56 196 1970-01-01 00:00:00
0 0 0 ------ 1970-01-01 00:00:00
0 0 0 ------ 1970-01-01 00:00:00
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 98, in execute
func(outfd, data)
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/internal/taskmods.py", line 153, in render_text
task.CreateTime))
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/Windows/xp_sp2.py", line 165, in __format__
dt = self.as_datetime()
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/Windows/xp_sp2.py", line 157, in as_datetime
dt = datetime.datetime.utcfromtimestamp(self.v())
ValueError: year is out of range
Same with psscan:
$ python volatility.py psscan -f XPSP3.vmem
Volatile Systems Volatility Framework 1.4_rc1
PID PPID Time created Time exited Offset PDB Remarks
------ ------ ------------------------ ------------------------ ---------- ---------- ----------------
0 0 0x005529a0 0x00319000 Idle
0 0 0x01f6a978 0x00000000
0 0 0x01f8e7e0 0x00000000
0 0 0x01fa63c0 0x00000000
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 98, in execute
func(outfd, data)
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/internal/psscan.py", line 280, in render_text
eprocess.ImageFileName))
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/Windows/xp_sp2.py", line 165, in __format__
dt = self.as_datetime()
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/Windows/xp_sp2.py", line 157, in as_datetime
dt = datetime.datetime.utcfromtimestamp(self.v())
ValueError: year is out of range
I can analyze the memory in Volatility 1.3 just fine though:
$ python volatility pslist -f XPSP3.vmem
Name Pid PPid Thds Hnds Time
System 4 0 56 196 Thu Jan 01 00:00:00 1970 823c8830
smss.exe 532 4 3 19 Sun Aug 22 17:39:08 2010 81df0388
csrss.exe 596 532 12 388 Sun Aug 22 17:39:10 2010 81e45978
winlogon.exe 620 532 19 520 Sun Aug 22 17:39:10 2010 822dfda0
services.exe 664 620 17 340 Sun Aug 22 17:39:10 2010 81e41610
lsass.exe 676 620 21 351 Sun Aug 22 17:39:10 2010 82175b90
Original issue reported on code.google.com by [email protected]
on 9 Sep 2010 at 12:42
Run the ident plugin on an image where the DTB can be recovered, but the KPCR
cannot be found. The plugin will error out with a message rather than
returning as much information as possible.
Original issue reported on code.google.com by [email protected]
on 11 Nov 2010 at 10:42
Hey guys,
Since it was only a few lines modification from moddump, here is a dlldump
plugin for 1.4. You can:
* dump all DLLs from all processes (by calling without any args)
* dump all DLLs from a specific process (by using -p PID)
* dump a specific DLL from all processes (by using -r DLLNAME)
* dump a specific DLL from a specific process (by using -r DLLNAME -p PID)
Tested on XP and Win7 only. If you decide to include it, it doesn't matter to
me where it goes (contrib vs plugins) -- as long as the functionality is
available somewhere.
Thanks.
Original issue reported on code.google.com by [email protected]
on 18 Oct 2010 at 1:36
Sorry to keep pestering you with these, but I figure it's best to have a
placeholder so that we can discuss them.
At the moment, running memdump with -p 1 followed by memdump -p 2 will fail
because memdump caches the output of dlllist, which is filtered based on
config.PID.
The solution that comes to mind immediately is to cache the config object
entirely, and then verify that they are all the same. If not, then invalidate
the cache. We'll probably have to add in a function that returns all the
(relevant/cache-changing) options to make it easy to store and later verify.
Then we'll have to assume that all options are cache-affecting by default, and
go around turning off those that aren't.
This might sidestep the need to hand plugins their own config objects (at least
for caching, not for use as a library), however it has the downside that a
config item which isn't used will still invalidate the cache. Since each
plugin only sees its own options (-p on a plugin that doesn't support it will
raise a help message), this may not be a problem.
Original issue reported on code.google.com by [email protected]
on 23 Aug 2010 at 11:38
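The idea above (key the cache on the image plus every option that can change the result, treating all options as cache-affecting unless told otherwise) is the same fix the earlier dlllist -p report needs, since that decorator replays an unfiltered pslist regardless of --pid. The following is an added example, not Volatility code: the `Config` stand-in, `cache_decorator`, the option names and the process table are this example's own assumptions.

```python
import functools
import hashlib
import json

# Added example, not Volatility code. A cache decorator whose key covers the
# image and the config options that change a plugin's output, so "dlllist -p 4"
# after a plain "dlllist" (or memdump -p 1 then -p 2) is a cache miss rather
# than a replay of the earlier, differently filtered result. `Config`,
# `cache_decorator` and the option names are stand-ins for the real ones.


class Config(object):
    """Minimal stand-in for the global config object."""
    def __init__(self, **opts):
        self.opts = dict(opts)

    def __getattr__(self, name):
        if name in self.__dict__.get("opts", {}):
            return self.opts[name]
        raise AttributeError(name)

    def fingerprint(self, names):
        """Stable digest of the options that affect a cached result."""
        relevant = dict((n, getattr(self, n, None)) for n in sorted(names))
        blob = json.dumps(relevant, sort_keys=True, default=str)
        return hashlib.sha256(blob.encode("utf-8")).hexdigest()[:16]


_CACHE = {}
CALLS = []   # records every real (non-cached) plugin run


def cache_decorator(stem, affecting=("LOCATION", "PROFILE", "PID")):
    """Cache `stem` per image and per value of every cache-affecting option.

    Every option is assumed to affect the result unless the caller narrows
    `affecting`: an unused option that still invalidates the cache costs a
    recomputation, whereas a missing one costs a wrong answer.
    """
    def deco(func):
        @functools.wraps(func)
        def wrapper(config, *args, **kwargs):
            key = (stem, config.fingerprint(affecting))
            if key not in _CACHE:
                _CACHE[key] = list(func(config, *args, **kwargs))
            return list(_CACHE[key])
        return wrapper
    return deco


@cache_decorator("tests/pslist")
def pslist(config):
    """Toy pslist over a constructed process table, filtered on config.PID."""
    pid = getattr(config, "PID", None)
    CALLS.append(pid)
    procs = [(4, "System"), (532, "smss.exe"), (596, "csrss.exe")]
    return [p for p in procs if pid is None or p[0] == pid]


def demo():
    base = dict(LOCATION="file:///tmp/XPSP3.vmem", PROFILE="WinXPSP3")
    everything = pslist(Config(**base))
    only_4 = pslist(Config(PID=4, **base))
    only_4_again = pslist(Config(PID=4, **base))   # cache hit, no new run
    return everything, only_4, only_4_again, len(CALLS)


if __name__ == "__main__":
    print(demo())
```

With the option digest in the key, the two -p runs land in different cache nodes and the third call is served from the second; the cost of the conservative default (an irrelevant option changing the key) is only an extra computation.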
How I triggered the bug:
ran the ssdt plugin once against my XP SP3 image and it worked. I then
immediately re-ran the command, and got this error:
Volatile Systems Volatility Framework 1.4_rc1
SSDT[0] at 804e26a8 with 284 entries
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "/home/x/vol/volatility/commands.py", line 96, in execute
func(outfd, data)
File "/home/x/vol/plugins/ssdt.py", line 1105, in render_text
syscall_mod = find_module(mods, mod_addrs, syscall_addr)
File "/home/x/vol/plugins/ssdt.py", line 1028, in find_module
mod = modlist[mod_addrs[pos]]
IndexError: cannot fit 'long' into an index-sized integer
I confirmed that it is indeed a cache problem by running the command multiple
times in a row with --no-cache; it never errored and reported the right
results each time.
Original issue reported on code.google.com by [email protected]
on 26 Aug 2010 at 3:05
Hiya guys,
Just a quick note that since CTypes have a self.name, self.offset, self.theType
and so on, those values can't then be used for attributes. This probably most
affects automatic generation of vtypes from a pdb, although, in general,
generated members all start with a capital letter, and all the object
attributes start with a lower case letter. Unfortunately we already have
_CLS_LSN in the vista and 7 vtypes which has an "offset" member, which will be
inaccessible to any plugin that might want it.
We've got a few options, and I don't think this'll get solved quickly, since
they're all relatively invasive, and it's not clear how big a problem this will
be. However, best to have a place holder for discussions and so on.
So, as I see it options are:
a) Ensure the pdb generator mangles any member names so that they're not the
same as BaseObject/CType attributes (mostly by case mangled). There *may* be
situations where a vtype has two members differentiated only by case, but I
doubt it. This is by far the easiest option.
b) Change all the attributes, trying very hard to avoid introducing bugs
because of it, and probably failing because things ask for .offset and .vm all
over the place. Changing them to _blah or __blah won't work because there are
generated members that start with those too, so probably best to go with
vol_blah or even _volatility_blah for total certainty.
c) Some other ingenious option that I've completely neglected and would never
have thought of in a million years that simultaneously solves all the problems
without any drawbacks... 5:)
Original issue reported on code.google.com by [email protected]
on 27 Aug 2010 at 7:58
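Option (a) in code, as an added example rather than Volatility's vtype generator: a member whose name collides with an attribute the object itself uses is renamed at generation time, and the `CType` stand-in shows why the unmangled member is unreachable. The RESERVED set, the `_CLS_LSN` member layout and the vtype contents are this example's assumptions, not the real vtypes.

```python
# Added example, not Volatility's vtype generator: option (a) above, mangling
# any generated member name that collides with an attribute the object itself
# uses. RESERVED, the CType stand-in and the _CLS_LSN member layout are this
# example's assumptions; only the vtypes dictionary shape matches Volatility.

RESERVED = frozenset(["offset", "name", "theType", "vm", "parent"])


def mangle_member(name, existing, reserved=RESERVED):
    """Return `name` unchanged unless it clashes with an instance attribute.

    A clash is fixed by capitalising the first letter (generated members start
    with a capital anyway); if that is already taken, underscores are appended.
    """
    if name not in reserved:
        return name
    candidate = name[0].upper() + name[1:]
    while candidate in existing or candidate in reserved:
        candidate += "_"
    return candidate


def mangle_vtypes(vtypes):
    """{struct: [size, {member: [offset, [type]]}]} -> same shape, members mangled."""
    mangled = {}
    for struct_name, (size, members) in vtypes.items():
        new_members = {}
        taken = set(members)
        for member, spec in members.items():
            new_name = mangle_member(member, taken)
            taken.add(new_name)
            new_members[new_name] = spec
        mangled[struct_name] = [size, new_members]
    return mangled


class CType(object):
    """Stand-in for the struct object: real attributes win, members come via __getattr__."""
    def __init__(self, theType, offset, vm, members):
        self.theType, self.offset, self.vm = theType, offset, vm
        self._members = members

    def __getattr__(self, attr):
        members = self.__dict__.get("_members", {})
        if attr in members:
            return self.offset + members[attr][0]      # address of the field
        raise AttributeError("%s has no member %s" % (self.theType, attr))


# Constructed vtype with the problematic member named in the issue, plus a
# deliberate case-only clash to exercise the underscore fallback.
VTYPES = {"_CLS_LSN": [8, {"offset": [4, ["unsigned long"]],
                           "Offset": [0, ["unsigned long"]]}]}


def demo():
    naive = CType("_CLS_LSN", 0x1000, None, VTYPES["_CLS_LSN"][1])
    fixed_types = mangle_vtypes(VTYPES)
    fixed = CType("_CLS_LSN", 0x1000, None, fixed_types["_CLS_LSN"][1])
    return {
        "naive_offset": naive.offset,                # the object's own offset, member hidden
        "members": sorted(fixed_types["_CLS_LSN"][1]),
        "fixed_offset_member": fixed.Offset_,        # the former "offset" member, now reachable
        "fixed_Offset": fixed.Offset,
    }
```

Mangling happens once, when the vtypes are generated, so plugins see a stable name; the one thing to check after generation is that no two members collapsed onto the same mangled name, which `taken` guards against.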
ran on windows 7 64 host with python 2.7, win7vss.vmem is a 32bit windows 7
image
C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py pslist --profile=Win7SP0x86 -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
Name Pid PPid Thds Hnds Time
System 4 0 90 516 2010-07-06 22:28:46
smss.exe 252 4 2 29 2010-07-06 22:28:46
csrss.exe 348 340 10 441 2010-07-06 22:28:53
wininit.exe 384 340 3 73 2010-07-06 22:28:53
csrss.exe 396 376 8 187 2010-07-06 22:28:53
winlogon.exe 424 376 5 129 2010-07-06 22:28:54
services.exe 492 384 12 216 2010-07-06 22:28:54
lsass.exe 500 384 7 559 2010-07-06 22:28:54
lsm.exe 508 384 10 142 2010-07-06 22:28:54
svchost.exe 616 492 10 348 2010-07-06 22:28:55
svchost.exe 680 492 8 264 2010-07-06 22:28:56
svchost.exe 728 492 21 425 2010-07-06 22:28:56
svchost.exe 848 492 20 413 2010-07-06 22:28:56
svchost.exe 876 492 44 1333 2010-07-06 22:28:56
svchost.exe 1056 492 16 589 2010-07-06 22:29:31
svchost.exe 1140 492 17 375 2010-07-06 22:29:51
spoolsv.exe 1312 492 13 315 2010-07-06 22:31:06
svchost.exe 1344 492 20 315 2010-07-06 22:31:07
VMwareService. 1488 492 8 200 2010-07-06 22:31:11
dllhost.exe 1944 492 16 187 2010-07-06 22:31:21
msdtc.exe 284 492 15 152 2010-07-06 22:31:24
svchost.exe 1920 492 8 115 2010-07-06 22:33:17
svchost.exe 840 492 15 381 2010-07-06 22:33:18
SearchIndexer. 1464 492 18 624 2010-07-06 22:33:20
TrustedInstall 188 492 8 245 2010-07-06 22:35:08
WmiPrvSE.exe 1768 616 5 112 2010-07-06 22:35:16
SearchFilterHo 1724 1464 6 82 2010-07-06 22:37:36
taskhost.exe 1156 492 10 155 2010-07-06 22:37:54
dwm.exe 956 848 4 71 2010-07-06 22:38:07
explorer.exe 1880 1720 31 647 2010-07-06 22:38:07
wuauclt.exe 1896 876 6 96 2010-07-06 22:38:14
VMwareTray.exe 2144 1880 5 67 2010-07-06 22:38:29
VMwareUser.exe 2156 1880 9 205 2010-07-06 22:38:30
audiodg.exe 2312 728 5 153 2010-07-06 22:38:44
rundll32.exe 2484 492 1 5 2010-07-06 22:39:08
sdclt.exe 2504 492 1 4 2010-07-06 22:39:09
schtasks.exe 2512 492 2 60 2010-07-06 22:39:09
taskhost.exe 2520 492 11 224 2010-07-06 22:39:10
conhost.exe 2568 348 2 33 2010-07-06 22:39:11
wsqmcons.exe 2576 492 1 3 2010-07-06 22:39:11
SearchProtocol 2680 1464 8 231 2010-07-06 22:39:27
VMwareResoluti 3064 1488 1 23 2010-07-06 22:40:27
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "C:\Users\admin\Desktop\vol\volatility\commands.py", line 96, in execute
func(outfd, data)
File "C:\Users\admin\Desktop\vol\plugins\internal\taskmods.py", line 146, in render_text
for task in data:
File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 404, in generate
self.dump(path, payload)
File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 409, in dump
self.node.dump()
File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 259, in dump
self.storage.dump(self.stem, self)
File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 357, in dump
filename = self.filename(url)
File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 338, in filename
raise RuntimeError("Storing non relative URLs is not supported now ({0})".format(url))
RuntimeError: Storing non relative URLs is not supported now
(file:///C:/Users/admin/Desktop/vol/win7vss.vmem/tests/pslist)
Original issue reported on code.google.com by [email protected]
on 17 Aug 2010 at 11:36
root@newubuntu:~/vol# python volatility.py sockets -f winXP-32-SP3.vmem --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Pid Port Proto Create Time
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "/home/x/vol/volatility/commands.py", line 96, in execute
func(outfd, data)
File "/home/x/vol/plugins/internal/sockets.py", line 32, in render_text
for sock in data:
File "/home/x/vol/volatility/win32/network.py", line 140, in determine_sockets
while sock.is_valid():
AttributeError: 'NoneType' object has no attribute 'is_valid'
*************
I believe this may just be a logic error somewhere, because the machine was
rebooted fresh and then frozen to get the .vmem, meaning there were no sockets.
Original issue reported on code.google.com by [email protected]
on 26 Aug 2010 at 1:19
Hey guys,
The 1.3 version of hivedump was nice, you could dump an entire hive as text or
csv and then grep for a certain term or sort by timestamp. In the 1.4 hivedump,
some of that functionality was lost. I'd like to propose a few changes to r516
version of hivedump:
1) Allow csv output with timestamps
2) In the text output, change the single-space indention (" ") to something
like a tab or 4 spaces *and* include the full key name. This way, if you were
looking for a key named "MaliciousKey" you could pipe the output of hivedump to
grep and quickly find it, then pass the full key name to printkey. Currently,
it's difficult because hivedump only prints the subkey name on a line by
itself...so you'd have to redirect all output of hivedump to a file, open it
up, look for "MaliciousKey" and then try to follow the single-space indention
to determine the full key before calling printkey -- lots of time.
So instead of this:
$$$PROTO.HIV
C07ft5Y
WinXP
Classes
*
OpenWithList
Excel.exe
We could have this:
HKEY_LOCAL_MACHINE\Software
HKEY_LOCAL_MACHINE\Software\C07ft5Y
HKEY_LOCAL_MACHINE\Software\C07ft5Y\WinXP
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Classes\*
And this:
1229023892,2008-12-11 19:31:32,HKEY_LOCAL_MACHINE\Software
1208454788,2008-04-17 17:53:08,HKEY_LOCAL_MACHINE\Software\C07ft5Y
1208454788,2008-04-17 17:53:08,HKEY_LOCAL_MACHINE\Software\C07ft5Y\WinXP
1229021837,2008-12-11 18:57:17,HKEY_LOCAL_MACHINE\Software\Classes
1220997002,2008-09-09 21:50:02,HKEY_LOCAL_MACHINE\Software\Classes\*
I attached a patched version of hivelist.py that could be used as a template
for these changes. Note: I moved the HiveDump command from lsadump.py to
hivelist.py for this example. Also, you'll see the -o option commented out in
the HiveList command. I don't think that option is needed any longer since you
guys made hivelist automatically find the physical offset of the first hive
(which is great, it eliminates the need to run hivescan first - awesome).
Thanks
Original issue reported on code.google.com by [email protected]
on 8 Nov 2010 at 6:21
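Both output shapes proposed in this report, produced from a small key tree, as an added example that is not the attached patch or Volatility's registry code. `Key`, `walk`, `dump_text`, `dump_csv` and `find_keys` are this example's names; the tree reuses the key names and LastWrite times quoted above, and a real run would obtain them from the hive parser instead.

```python
import csv
import datetime
import io

# Added example, not Volatility code: the output shapes proposed above,
# produced from a constructed key tree. A real run would walk the hive via
# Volatility's registry parser; the names and the SAMPLE tree are this
# example's own.

EPOCH = datetime.datetime(1970, 1, 1)


class Key(object):
    def __init__(self, name, last_write, subkeys=()):
        self.name = name
        self.last_write = last_write        # LastWrite as unix seconds (UTC)
        self.subkeys = list(subkeys)


def walk(key, parent="", depth=0):
    """Depth-first traversal yielding (depth, full_key_path, key)."""
    path = parent + "\\" + key.name if parent else key.name
    yield depth, path, key
    for sub in key.subkeys:
        for item in walk(sub, path, depth + 1):
            yield item


def dump_text(root, indent="\t"):
    """Full key name on every line, so `grep MaliciousKey` yields a printkey argument."""
    return "\n".join(indent * depth + path for depth, path, _ in walk(root))


def dump_csv(root):
    """epoch,ISO time,full key name: sortable on column 1, readable on column 2."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for _, path, key in walk(root):
        when = EPOCH + datetime.timedelta(seconds=key.last_write)
        writer.writerow([key.last_write, when.strftime("%Y-%m-%d %H:%M:%S"), path])
    return buf.getvalue()


def find_keys(root, needle):
    """What piping dump_text() through grep -i would return."""
    return [path for _, path, _ in walk(root) if needle.lower() in path.lower()]


# Constructed tree using the key names and timestamps quoted in the issue.
SAMPLE = Key("HKEY_LOCAL_MACHINE\\Software", 1229023892, [
    Key("C07ft5Y", 1208454788, [Key("WinXP", 1208454788)]),
    Key("Classes", 1229021837, [
        Key("*", 1220997002, [
            Key("OpenWithList", 1220997002, [Key("Excel.exe", 1220997002)]),
        ]),
    ]),
    Key("MaliciousKey", 1229023892),
])

if __name__ == "__main__":
    print(dump_text(SAMPLE))
    print(dump_csv(SAMPLE))
```

Timestamps are formatted from the epoch with timedelta arithmetic rather than utcfromtimestamp(), so a zero or out-of-range LastWrite cannot abort the dump the way the CreateTime conversion does in the pslist report above.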
the psscan module drops into the debugger when attempting to scan a windows 7
image. see the following:
C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py psscan --profile=Win7SP0x86 -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
PID PPID Time created Time exited Offset PDB Remarks
------ ------ ------------------------ ------------------------ ---------- ---------- ----------------
--Return--
> c:\users\admin\desktop\vol\volatility\debug.py(38)b()->None
-> pdb.set_trace()
(Pdb) bt
c:\users\admin\desktop\vol\volatility.py(138)<module>()
-> main()
c:\users\admin\desktop\vol\volatility.py(129)main()
-> command.execute()
c:\users\admin\desktop\vol\volatility\commands.py(96)execute()
-> func(outfd, data)
c:\users\admin\desktop\vol\plugins\internal\psscan.py(273)render_text()
-> for eprocess in data:
c:\users\admin\desktop\vol\volatility\cache.py(400)generate()
-> for x in g:
c:\users\admin\desktop\vol\plugins\internal\psscan.py(237)calculate()
-> for offset in PSScanner().scan(address_space):
c:\users\admin\desktop\vol\volatility\scan.py(143)scan()
-> for match in BaseScanner.scan(self, address_space, o, l):
c:\users\admin\desktop\vol\volatility\scan.py(112)scan()
-> if self.check_addr(i + self.base_offset):
c:\users\admin\desktop\vol\volatility\scan.py(76)check_addr()
-> debug.b()
> c:\users\admin\desktop\vol\volatility\debug.py(38)b()->None
-> pdb.set_trace()
(Pdb)
Original issue reported on code.google.com by [email protected]
on 17 Aug 2010 at 11:12
root@newubuntu:~/vol# python volatility.py mutantscan -f winXP-32-SP3.vmem --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Phys.Addr. Obj Type #Ptr #Hnd Signal Thread CID Name
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "/home/x/vol/volatility/commands.py", line 96, in execute
func(outfd, data)
File "/home/x/vol/plugins/internal/filescan.py", line 276, in render_text
self.parse_string(object_name_info_obj.Name)
AttributeError: 'NoneType' object has no attribute 'Name'
root@newubuntu:~/vol#
run from a linux 32 bit machine
Original issue reported on code.google.com by [email protected]
on 26 Aug 2010 at 1:18
Hiya guys,
This is just a placeholder bug to put information pertaining to the rendering
engine problem.
At the moment all plugins specify a render_text function which accepts a data
object (can be anything) from its own calculate function, and a file
descriptor. It then prints out the important text to the file descriptor.
Status/progress information can be printed/written to stdout.
It would be nice to have the ability to write a whole new output format (such
as XML or SQL) that applies to all plugins, including those that already exist.
To do this, some kind of common standard will be needed.
Scudette's taken a first crack at this, which has lived mostly in the
experimental branch. It is backwards compatible (so that existing 1.4 plugins
will still output to text if necessary) and works by defining a UI object,
which different rendering engines can then work with.
I'm attaching a patch that applies to r392 of the Volatility-1.4_rc1 branch
just so that we've got a copy locally. You can also find this at
https://gist.github.com/54ed859a20d9d01c489d complete with syntax highlighting.
Original issue reported on code.google.com by [email protected]
on 22 Aug 2010 at 2:26
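A minimal version of the "UI object" split described above, as an added example that is not the experimental-branch patch: a plugin returns a `Table` instead of printing, and independent renderers turn the same table into text, CSV or JSON. `Table`, the renderer classes and the sample rows (taken from the pslist output quoted earlier on this page) are this example's own.

```python
import csv
import io
import json

# Added example, not the experimental-branch patch: the plugin hands back a
# Table (the "UI object" idea) and a renderer turns it into text, CSV or JSON.
# `Table`, the renderer classes and the sample rows are this example's own.


class Table(object):
    """What a plugin returns instead of printing: column names plus rows."""
    def __init__(self, columns):
        self.columns = list(columns)
        self.rows = []

    def add_row(self, *values):
        if len(values) != len(self.columns):
            raise ValueError("expected %d values, got %d" % (len(self.columns), len(values)))
        self.rows.append(tuple(values))


class TextRenderer(object):
    """Column-aligned text, like the existing render_text output."""
    def render(self, table):
        cells = [table.columns] + [[str(v) for v in row] for row in table.rows]
        widths = [max(len(row[i]) for row in cells) for i in range(len(table.columns))]
        return "\n".join(
            " ".join(v.ljust(w) for v, w in zip(row, widths)).rstrip() for row in cells)


class CsvRenderer(object):
    def render(self, table):
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(table.columns)
        writer.writerows(table.rows)
        return buf.getvalue()


class JsonRenderer(object):
    def render(self, table):
        return json.dumps([dict(zip(table.columns, row)) for row in table.rows], indent=1)


RENDERERS = {"text": TextRenderer, "csv": CsvRenderer, "json": JsonRenderer}


def render(table, fmt="text"):
    if fmt not in RENDERERS:
        raise KeyError("unknown output format %r; choose one of %s" % (fmt, sorted(RENDERERS)))
    return RENDERERS[fmt]().render(table)


def pslist_table():
    """Constructed pslist result in Table form (rows from the issue text above)."""
    t = Table(["Name", "Pid", "PPid", "Thds", "Hnds", "Time"])
    t.add_row("System", 4, 0, 56, 196, "1970-01-01 00:00:00")
    t.add_row("smss.exe", 532, 4, 3, 19, "2010-08-22 17:39:08")
    return t


if __name__ == "__main__":
    for fmt in ("text", "csv", "json"):
        print(render(pslist_table(), fmt))
```

Backwards compatibility falls out of the split: a plugin that still implements render_text is unaffected, and one that returns a Table gets every renderer for free. Progress messages should go to stderr (or a logger) rather than the rendered stream, otherwise the CSV and JSON outputs are corrupted.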
This is a meta-bug about all the plugins that fail to work with Windows 7.
Any bugs that refer to Windows 7 breakage should be noted and added to *this*
bug's "Blocked On" field. This will help us keep a track of what needs fixing
and how far we have to go.
Original issue reported on code.google.com by [email protected]
on 18 Aug 2010 at 10:27
What steps will reproduce the problem?
1. python volatility connections -f <file.image>
2. also connscan & connscan2 have the same problem
3.
What is the expected output? What do you see instead?
No output
What version of the product are you using? On what operating system?
Volatility 1.3, Windows XP SP 3, python 2.7
Please provide any additional information below.
Tried various image gathering tools, same effect.
When I used the sample memory dumps it works fine
Tried version 1.1.2 of volatility same problem
Target OS is XP version 2002 running within a VM
pslist, dlllist, ident
Original issue reported on code.google.com by [email protected]
on 15 Nov 2010 at 8:09
Hey guys - not a defect here, more of a small inconvenience. A lot of the
malware plugins inherit from procdump.ProcExeDump. When detecting API hooks, we
have to rebuild all DLLs in a process, which results in thousands of these:
Memory Not Accessible: Virtual Address: 0x402000 File Offset: 0x1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x403000 File Offset: 0x1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x404000 File Offset: 0x1000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x405000 File Offset: 0x1000 Size: 0x1000
To see the output of the command, we have to do:
$ python volatility.py apihooks -f mem.dmp | egrep -v 'Memory Not Accessible'
Is there a way we can suppress the messages (or make them optional) so that the
egrep isn't needed?
Thank you.
Original issue reported on code.google.com by [email protected]
on 14 Oct 2010 at 9:37
Hey guys,
I am seeing errors in the current 1.4 branch:
$ python volatility.py
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
File "volatility.py", line 126, in <module>
main()
File "volatility.py", line 103, in main
debug.error("You must specify something to do (try -h)")
File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/debug.py", line 58, in error
log(msg, logging.ERROR)
File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/debug.py", line 73, in log
modname = mod.__name__
Original issue reported on code.google.com by [email protected]
on 2 Dec 2010 at 10:37
"thrdscan" returns all the threads properly while "thrdscan2" returns no
results.
I assume this would be a legitimate problem since both plugins claim to do the
same thing.
Original issue reported on code.google.com by [email protected]
on 26 Aug 2010 at 1:25
C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py pslist --profile=Win7SP0x86 -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
Name Pid PPid Thds Hnds Time
System 4 0 90 516 2010-07-06 22:28:46
smss.exe 252 4 2 29 2010-07-06 22:28:46
csrss.exe 348 340 10 441 2010-07-06 22:28:53
wininit.exe 384 340 3 73 2010-07-06 22:28:53
csrss.exe 396 376 8 187 2010-07-06 22:28:53
winlogon.exe 424 376 5 129 2010-07-06 22:28:54
services.exe 492 384 12 216 2010-07-06 22:28:54
lsass.exe 500 384 7 559 2010-07-06 22:28:54
lsm.exe 508 384 10 142 2010-07-06 22:28:54
svchost.exe 616 492 10 348 2010-07-06 22:28:55
svchost.exe 680 492 8 264 2010-07-06 22:28:56
svchost.exe 728 492 21 425 2010-07-06 22:28:56
svchost.exe 848 492 20 413 2010-07-06 22:28:56
svchost.exe 876 492 44 1333 2010-07-06 22:28:56
svchost.exe 1056 492 16 589 2010-07-06 22:29:31
svchost.exe 1140 492 17 375 2010-07-06 22:29:51
spoolsv.exe 1312 492 13 315 2010-07-06 22:31:06
svchost.exe 1344 492 20 315 2010-07-06 22:31:07
VMwareService. 1488 492 8 200 2010-07-06 22:31:11
dllhost.exe 1944 492 16 187 2010-07-06 22:31:21
msdtc.exe 284 492 15 152 2010-07-06 22:31:24
svchost.exe 1920 492 8 115 2010-07-06 22:33:17
svchost.exe 840 492 15 381 2010-07-06 22:33:18
SearchIndexer. 1464 492 18 624 2010-07-06 22:33:20
TrustedInstall 188 492 8 245 2010-07-06 22:35:08
WmiPrvSE.exe 1768 616 5 112 2010-07-06 22:35:16
SearchFilterHo 1724 1464 6 82 2010-07-06 22:37:36
taskhost.exe 1156 492 10 155 2010-07-06 22:37:54
dwm.exe 956 848 4 71 2010-07-06 22:38:07
explorer.exe 1880 1720 31 647 2010-07-06 22:38:07
wuauclt.exe 1896 876 6 96 2010-07-06 22:38:14
VMwareTray.exe 2144 1880 5 67 2010-07-06 22:38:29
VMwareUser.exe 2156 1880 9 205 2010-07-06 22:38:30
audiodg.exe 2312 728 5 153 2010-07-06 22:38:44
rundll32.exe 2484 492 1 5 2010-07-06 22:39:08
sdclt.exe 2504 492 1 4 2010-07-06 22:39:09
schtasks.exe 2512 492 2 60 2010-07-06 22:39:09
taskhost.exe 2520 492 11 224 2010-07-06 22:39:10
conhost.exe 2568 348 2 33 2010-07-06 22:39:11
wsqmcons.exe 2576 492 1 3 2010-07-06 22:39:11
SearchProtocol 2680 1464 8 231 2010-07-06 22:39:27
VMwareResoluti 3064 1488 1 23 2010-07-06 22:40:27
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "C:\Users\admin\Desktop\vol\volatility\commands.py", line 96, in execute
func(outfd, data)
File "C:\Users\admin\Desktop\vol\plugins\internal\taskmods.py", line 146, in render_text
for task in data:
File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 404, in generate
self.dump(path, payload)
File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 409, in dump
self.node.dump()
File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 259, in dump
self.storage.dump(self.stem, self)
File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 357, in dump
filename = self.filename(url)
File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 338, in filename
raise RuntimeError("Storing non relative URLs is not supported now ({0})".format(url))
RuntimeError: Storing non relative URLs is not supported now
(file:///C:/Users/admin/Desktop/vol/win7vss.vmem/tests/pslist)
Original issue reported on code.google.com by [email protected]
on 17 Aug 2010 at 11:16
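The failing check in both Win7 pslist reports above is the cache refusing a URL it considers non-relative, which on Windows is every image because the path carries a drive letter. The following is an added example, not Volatility's cache.py: it maps a file:// URL to a path relative to the cache root on any platform, turning the drive (or a UNC host) into a leading directory and rejecting '..' so a hostile image path cannot steer cache writes outside the root. `relative_cache_path`, `cache_file` and `is_cacheable` are this example's names.

```python
import posixpath
from urllib.parse import urlparse, unquote

# Added example, not Volatility's cache.py: turn the file:// URL the cache
# builds for an image into a path that is relative to the cache root on every
# platform, so "file:///C:/Users/.../win7vss.vmem/tests/pslist" no longer
# trips the non-relative-URL check. Function names are this example's own.


def relative_cache_path(url):
    """Relative, traversal-free cache path for a file:// URL.

    A Windows drive becomes a leading directory ("C/Users/...") and a UNC host
    becomes one too; '..' components are rejected so an attacker-chosen image
    path cannot make the cache write outside its root.
    """
    parts = urlparse(url)
    if parts.scheme != "file":
        raise ValueError("only file:// URLs are cached, got %r" % url)
    path = unquote(parts.path)
    segments = []
    if parts.netloc:                                         # file://server/share/...
        segments.append(parts.netloc)
    if len(path) >= 3 and path[0] == "/" and path[2] == ":":  # /C:/Users/...
        segments.append(path[1].upper())
        path = path[3:]
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            raise ValueError("refusing '..' in cache path for %r" % url)
        segments.append(seg)
    if not segments:
        raise ValueError("empty path in %r" % url)
    return "/".join(segments)


def cache_file(url, cache_root):
    """Absolute location of the cache node for `url` under `cache_root`."""
    return posixpath.join(cache_root.rstrip("/"), relative_cache_path(url))


def is_cacheable(url):
    """True when the URL can be stored; the storage layer should skip, not crash, otherwise."""
    try:
        relative_cache_path(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(cache_file("file:///C:/Users/admin/Desktop/vol/win7vss.vmem/tests/pslist", "/tmp/cache"))
```

The example joins with posixpath so the result is predictable in the test; a real cache root on Windows would use os.path.join on the same segments. The '..' rejection is the security-relevant part: the cache path is derived from a user-supplied filename, and a cache that writes wherever that name points is a file-write primitive.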
So currently, defining an object class in one overlay module will allow it to
be instantiated by any profile, so for example _EPROCESS can be defined in
xpsp2, but all the methods will still be present in the EPROCESS object created
for the Win7SP0x86 profile.
This raises problems if two different profiles need different methods on
identically named objects. For example, attempting to redefine _EPROCESS will
result in an "Object _EPROCESS has already been defined <class 'blah'>" error
message.
Currently this isn't an issue, but it at least needs documenting. If it does
become an issue in the future it will possibly need refining so that objects
are defined as part of an overlay, rather than simply as global objects. This
may well already be doable by pointing the overlay at a callable that spits out
an object, but this will need some looking into and again documenting somewhere
(possibly the wiki to begin with).
Ideally we want some form of inheritance (so that things that stay the same,
don't need redefining) but also some form of override (so that things which
need to change, can). I think currently the important code resides in either
obj.CType.__init__ or obj.Object(), but it's not clear if that needs changing,
or we can simply use/abuse the overlay mechanism to define objects too (so
Win7SP0x86_EPROCESS is defined, and then plastered on _EPROCESS in the
overlay). Any ideas/thoughts/comments?
Original issue reported on code.google.com by [email protected]
on 16 Sep 2010 at 11:04
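One shape the inheritance-plus-override idea could take, as an added example and not Volatility's obj.py: a registry that scopes object classes to a profile, resolves a lookup along the profile's parent chain, and refuses an accidental redefinition unless the caller says override. `ObjectRegistry`, the parent chain and the two _EPROCESS stand-in classes are constructed for the example.

```python
# Added example, not Volatility's obj.py: object classes scoped to a profile,
# with fallback to the parent profile and an explicit override switch.
# `ObjectRegistry`, the profile parent chain and the _EPROCESS stand-ins are
# constructed for this example.


class ObjectRegistry(object):
    def __init__(self, parents):
        self.parents = dict(parents)       # profile -> parent profile (None at the root)
        self._classes = {}                 # (profile, type name) -> class

    def register(self, type_name, cls, profile=None, override=False):
        """Define `type_name` for `profile`; a second definition is an error unless override."""
        key = (profile, type_name)
        if key in self._classes and not override:
            raise ValueError("Object %s has already been defined for profile %s: %r"
                             % (type_name, profile, self._classes[key]))
        self._classes[key] = cls

    def lookup(self, type_name, profile):
        """Most specific definition: the profile, then its parents, then the global one."""
        p = profile
        while True:
            cls = self._classes.get((p, type_name))
            if cls is not None:
                return cls
            if p is None:
                raise KeyError("%s is not defined for profile %s" % (type_name, profile))
            p = self.parents.get(p)

    def Object(self, type_name, offset, profile):
        return self.lookup(type_name, profile)(offset)


class EPROCESS(object):
    """Behaviour shared by every Windows profile."""
    def __init__(self, offset):
        self.offset = offset

    def vad_root(self):
        return "pointer to _MMVAD"                  # XP layout


class Win7EPROCESS(EPROCESS):
    """Only the method that differs is overridden; everything else is inherited."""
    def vad_root(self):
        return "embedded _MM_AVL_TABLE"             # Win7 layout


def build_registry():
    reg = ObjectRegistry({"WinXPSP2": "Windows", "WinXPSP3": "Windows",
                          "Win7SP0x86": "Windows", "Windows": None})
    reg.register("_EPROCESS", EPROCESS, profile="Windows")
    reg.register("_EPROCESS", Win7EPROCESS, profile="Win7SP0x86")
    return reg


def redefinition_rejected(reg):
    """True when a silent second definition of _EPROCESS is refused."""
    try:
        reg.register("_EPROCESS", EPROCESS, profile="Win7SP0x86")
        return False
    except ValueError:
        return True
```

The lookup order is what gives "things that stay the same don't need redefining": XP profiles never mention _EPROCESS and still get the Windows definition, while Win7 replaces only what differs.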
Hey guys,
The help for --plugins says: Additional plugin directories to use (colon
separated)
So I expected that specifying --plugins=mydir would let me load plugins from
the default (./plugins) in addition to mydir. But it looks like if you specify
--plugins=mydir on command-line, it only searches mydir and not ./plugins.
If that's how you intend it to work, then its OK but I have a feeling it should
work differently. The default value could be changed to none:
config.add_option("PLUGINS", default = None,
help = "Additional plugin directories to use (colon separated)")
and then something like:
# Setup initial plugin directories
plugins = './plugins'
if config.PLUGINS != None:
plugins += ':{0}'.format(config.PLUGINS)
for path in plugins.split(':'):
......
Original issue reported on code.google.com by [email protected]
on 26 Aug 2010 at 1:57
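The semantics proposed above (the default directory is always searched and --plugins adds to it), as an added example that is not Volatility's option handling. One caveat the proposal's ':' separator would hit: on Windows a path such as C:\tools\plugins is split at the drive colon, so the example takes the separator from os.pathsep. `plugin_directories`, `discover_plugin_files` and `demo` are this example's names.

```python
import os
import shutil
import tempfile

# Added example, not Volatility's option handling: default directory always
# searched, --plugins adds to it, separator taken from os.pathsep so a Windows
# path such as C:\tools\plugins is not split at the drive colon.

DEFAULT_PLUGIN_DIR = "./plugins"


def plugin_directories(extra=None, default=DEFAULT_PLUGIN_DIR, sep=os.pathsep):
    """Default directory first, then the user's directories, duplicates dropped."""
    dirs = [default]
    if extra:
        dirs.extend(p for p in extra.split(sep) if p)
    seen, result = set(), []
    for d in dirs:
        key = os.path.normcase(os.path.normpath(d))
        if key not in seen:
            seen.add(key)
            result.append(d)
    return result


def discover_plugin_files(dirs):
    """Python files that would be loaded, in search order; missing dirs are skipped."""
    found = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if name.endswith(".py") and not name.startswith("_"):
                found.append(os.path.join(d, name))
    return found


def demo():
    """Constructed layout: a default dir holding pslist.py, mydir holding dlldump.py."""
    root = tempfile.mkdtemp()
    try:
        default, mine = os.path.join(root, "plugins"), os.path.join(root, "mydir")
        os.makedirs(default)
        os.makedirs(mine)
        for path in (os.path.join(default, "pslist.py"),
                     os.path.join(mine, "dlldump.py"),
                     os.path.join(mine, "__init__.py")):
            open(path, "w").close()
        dirs = plugin_directories(mine, default=default)
        return [os.path.basename(f) for f in discover_plugin_files(dirs)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Whatever the merge rule ends up being, a directory named in --plugins is loaded with exactly the trust ./plugins has, so it should never be a location other users can write to.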
Hey guys, when trying to use printkey I got this error:
$ python volatility.py printkey -o OFFSET -f MEM.DMP
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
File "volatility.py", line 126, in <module>
main()
File "volatility.py", line 117, in main
command.execute()
File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 77, in execute
# with backslash.
File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/plugins/registry/printkey.py", line 82, in calculate
File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/win32/hive.py", line 47, in __init__
TypeError: __init__() takes exactly 3 arguments (2 given)
So we just need to change hive.py like this:
class HiveAddressSpace(addrspace.BaseAddressSpace):
def __init__(self, config, baseAddressSpace, hive_addr):
addrspace.BaseAddressSpace.__init__(self, baseAddressSpace, config)
And then alter printkey.py:
hive = hivemod.HiveAddressSpace(self._config, addr_space,
self._config.hive_offset)
The same may also need to be done for lsadump.
Original issue reported on code.google.com by [email protected]
on 9 Dec 2010 at 10:16
The code currently doesn't sanity check the value passed to --profile and if a
valid profile isn't passed, it keeps running and eventually exits with an error
about invalid address spaces, which to most people will be extremely confusing
and non-obvious.
A better solution would be for the value to be checked and error out with a
message about the invalid profile.
Original issue reported on code.google.com by [email protected]
on 23 Sep 2010 at 12:43
The following line in plugins/internal/datetime-ident.py needs to be changed
from:
class Ident(DateTime):
datetime.__init__(self, args)
To:
class Ident(DateTime):
DateTime.__init__(self, args)
Original issue reported on code.google.com by [email protected]
on 26 Aug 2010 at 1:51
The vadinfo, vaddump, and vadwalk commands don't work with profile=Win7SP0x86.
It's because in XP the EPROCESS.VadRoot is a pointer to _MMVAD but in Win7 it's a
little different:
kd> dt _EPROCESS
...
+0x278 VadRoot : _MM_AVL_TABLE
+0x000 BalancedRoot : _MMADDRESS_NODE
+0x000 u1 : <unnamed-tag>
+0x004 LeftChild : (null)
+0x008 RightChild : 0x8594b410 _MMADDRESS_NODE
+0x00c StartingVpn : 0
+0x010 EndingVpn : 0
kd> dt _MMADDRESS_NODE 0x8594b410
ntdll!_MMADDRESS_NODE
+0x000 u1 : <unnamed-tag>
+0x004 LeftChild : 0x85389008 _MMADDRESS_NODE
+0x008 RightChild : 0x854185f8 _MMADDRESS_NODE
+0x00c StartingVpn : 0x75850
+0x010 EndingVpn : 0x7585c
So when the vad commands do task.VadRoot.traverse(), the code in
plugins/overlays/Windows/xp_sp2.py in class _MMVAD fails:
## What type is this struct?
tag = vm.read(offset - 4, 4)
theType = switch.get(tag)
if not theType:
return obj.NoneObject("Tag {0} not knowns".format(tag))
Due to the change in Win7, theType will always be None. At least it appears
that the Win7 nodes still use the same Vad, VadS, Vadl tags though:
kd> db 0x8594b410-4 L4
8594b40c 56 61 64 20 Vad
kd> db 0x85389008-4 L4
85389004 56 61 64 53 VadS
Original issue reported on code.google.com by [email protected]
on 13 Sep 2010 at 2:14
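A walk of a Win7-style tree that starts at the embedded table rather than a pointer, as an added example and not Volatility's vad code. It types each node by the pool tag four bytes before it, exactly the check the _MMVAD switch performs, so the only profile-specific step is where the first node address comes from. The flat `Memory` class, the node addresses and the tree contents are constructed; the node layout (LeftChild +4, RightChild +8, StartingVpn +0xc, EndingVpn +0x10) and the BalancedRoot.RightChild entry point are taken from the kd output above.

```python
import struct

# Added example, not Volatility's vad code: walk a Win7-style VAD tree from the
# embedded _MM_AVL_TABLE, typing each node by the pool tag four bytes before it
# just as the _MMVAD switch in the XP overlay does. `Memory`, the addresses
# and the tree contents are constructed; the node layout and the entry point
# (BalancedRoot.RightChild) are the ones shown in the kd output.

TAGS = {b"Vad ": "_MMVAD", b"VadS": "_MMVAD_SHORT", b"Vadl": "_MMVAD_LONG"}
NODE = struct.Struct("<IIIII")     # u1, LeftChild, RightChild, StartingVpn, EndingVpn
PAGE_SHIFT = 12


class Memory(object):
    """Constructed 32-bit flat memory: a bytearray at a fixed base address."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def read(self, addr, n):
        off = addr - self.base
        if off < 0 or off + n > len(self.buf):
            return None                   # unmapped, like a failed vm.read()
        return bytes(self.buf[off:off + n])

    def write(self, addr, data):
        off = addr - self.base
        self.buf[off:off + len(data)] = data

    def read_ptr(self, addr):
        data = self.read(addr, 4)
        return struct.unpack("<I", data)[0] if data else None


def put_node(mem, addr, tag, left, right, start_vpn, end_vpn):
    mem.write(addr - 4, tag)              # pool tag sits just before the node
    mem.write(addr, NODE.pack(0, left, right, start_vpn, end_vpn))


def node_type(mem, addr):
    """Struct name for the node at `addr`, or None for an unknown or unmapped tag."""
    return TAGS.get(mem.read(addr - 4, 4))


def vad_root(mem, vadroot_field, profile):
    """Address of the first real node: XP stores a pointer, Win7 embeds the table."""
    if profile.startswith("WinXP"):
        return mem.read_ptr(vadroot_field)
    return mem.read_ptr(vadroot_field + 8)        # _MM_AVL_TABLE.BalancedRoot.RightChild


def walk_vad(mem, addr, depth=0, max_depth=64):
    """In-order traversal yielding (type, start_va, end_va); stops at unknown tags or runaway depth."""
    if not addr or depth > max_depth:
        return
    kind = node_type(mem, addr)
    data = mem.read(addr, NODE.size)
    if kind is None or data is None:
        return
    _, left, right, start, end = NODE.unpack(data)
    for item in walk_vad(mem, left, depth + 1, max_depth):
        yield item
    yield (kind, start << PAGE_SHIFT, ((end + 1) << PAGE_SHIFT) - 1)
    for item in walk_vad(mem, right, depth + 1, max_depth):
        yield item


def build_sample():
    """Three nodes under a BalancedRoot, using the VPNs quoted in the issue."""
    mem = Memory(0x85000000, 0x1000)
    vadroot = 0x85000278                  # stand-in for EPROCESS.VadRoot on Win7
    a, b, c = 0x85000400, 0x85000500, 0x85000600
    put_node(mem, vadroot, b"\x00\x00\x00\x00", 0, a, 0, 0)   # BalancedRoot carries no pool tag
    put_node(mem, a, b"Vad ", b, c, 0x75850, 0x7585c)
    put_node(mem, b, b"VadS", 0, 0, 0x00010, 0x0001f)
    put_node(mem, c, b"Vadl", 0, 0, 0x7ffd0, 0x7ffdf)
    return mem, vadroot


if __name__ == "__main__":
    mem, vadroot = build_sample()
    for kind, start, end in walk_vad(mem, vad_root(mem, vadroot, "Win7SP0x86")):
        print("%-13s %08x-%08x" % (kind, start, end))
```

The depth limit matters on real images: a corrupted or deliberately looped child pointer in a smeared page would otherwise recurse forever, and a node with an unrecognised tag is treated as the end of that branch rather than parsed as a VAD.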
Not really sure how to file this or if it's a bug that can really be fixed, but
I thought I should post it anyway.
So the problem is that I was on a previous version of volatility from yesterday
and had generated caches. Today I updated to the latest in svn and sometime
later ran pslist to get the PID of a process and this happened:
root@newubuntu:~/vol# python volatility.py pslist -f winXP-32-SP3.vmem --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Name Pid PPid Thds Hnds Time
System 4 0 54 249 1970-01-01 00:00:00
smss.exe 552 4 3 19 2010-08-26 01:00:40
csrss.exe 600 552 11 361 2010-08-26 01:00:41
winlogon.exe 624 552 24 550 2010-08-26 01:00:42
services.exe 668 624 16 250 2010-08-26 01:00:42
lsass.exe 680 624 26 379 2010-08-26 01:00:42
vmacthlp.exe 840 668 1 25 2010-08-26 01:00:42
svchost.exe 852 668 19 198 2010-08-26 01:00:42
svchost.exe 920 668 9 239 2010-08-26 01:00:43
svchost.exe 1016 668 71 1188 2010-08-26 01:00:43
svchost.exe 1060 668 5 73 2010-08-26 01:00:43
svchost.exe 1156 668 13 192 2010-08-26 01:00:43
spoolsv.exe 1312 668 6 51 2010-08-26 01:00:44
VMwareService.e 1608 668 3 144 2010-08-26 01:01:01
alg.exe 2004 668 8 106 2010-08-26 01:01:10
explorer.exe 528 500 17 290 2010-08-26 01:01:31
wscntfy.exe 292 1016 1 28 2010-08-26 01:01:32
VMwareTray.exe 908 528 1 29 2010-08-26 01:01:34
VMwareUser.exe 1004 528 4 76 2010-08-26 01:01:34
msmsgs.exe 1220 528 4 153 2010-08-26 01:01:35
4ยฑOPO 2172747816 2174491220 2174491300 538517528 1970-01-01 00:00:00
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "/home/x/vol/volatility/commands.py", line 96, in execute
func(outfd, data)
File "/home/x/vol/plugins/internal/taskmods.py", line 153, in render_text
task.CreateTime))
File "/home/x/vol/plugins/overlays/Windows/xp_sp2.py", line 167, in __format__
dt = self.as_datetime()
File "/home/x/vol/plugins/overlays/Windows/xp_sp2.py", line 159, in as_datetime
dt = datetime.datetime.utcfromtimestamp(self.v())
ValueError: timestamp out of range for platform time_t
-----------------
now I think the datetime stuff was updated in the revisions that got pulled, so
I am sure that is why it's broken, but obviously the cache doesn't know about
this....
Again, I am not really sure if this is a bug or not, and if I were doing a real
investigation I wouldn't be updating software in the middle unless something
was really broken....
either way, removing the cache directory under /tmp for the image fixed it and
now everything works as expected
Original issue reported on code.google.com by [email protected]
on 26 Aug 2010 at 2:02
example:
root@newubuntu:~/vol# python volatility.py --no-cache pslist -f XPSP3.vmem --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Name Pid PPid Thds Hnds Time
System 4 0 56 382 1970-01-01 00:00:00
smss.exe 552 4 3 19 2010-09-08 14:57:09
csrss.exe 600 552 11 394 2010-09-08 14:57:11
.....
root@newubuntu:~/vol# python volatility.py --no-cache pslist -f file_that_doesnt_exist --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
No suitable address space mapping found
Tried to open image as:
WindowsHiberFileSpace32: Filename must be specified and exist
WindowsCrashDumpSpace32: Filename must be specified and exist
JKIA32PagedMemory: No base Address Space
JKIA32PagedMemoryPae: No base Address Space
IA32PagedMemoryPae: Module disabled
IA32PagedMemory: Module disabled
FileAddressSpace: Filename must be specified and exist
--------------
similar to --profile it should validate that the file exists and is readable by
the user
Original issue reported on code.google.com by [email protected]
on 25 Sep 2010 at 7:25
I am missing output for the files command on some PIDs. Here is a sample:
$ ./volatility.py files -f ~/Work/volatility/xpsp3.vmem profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Pid: 4
File \pagefile.sys
File \WINDOWS\system32\config\default
File \System Volume Information\_restore{57726F20-9F0F-4D22-B53C-B6F197BAA74A}\RP72\change.log
File \Topology
************************************************************************
now for 1.3.2:
$ ./volatility files -f /Users/gleeda/Work/volatility/xpsp3.vmem
************************************************************************
Pid: 4
File \pagefile.sys
File \WINDOWS\system32\config\default
File \System Volume Information\_restore{57726F20-9F0F-4D22-B53C-B6F197BAA74A}\RP72\change.log
File \WINDOWS\system32\config\system
File \WINDOWS\system32\config\SECURITY
File \WINDOWS\system32\config\SECURITY.LOG
File \WINDOWS\system32\config\software
File \WINDOWS\system32\config\software.LOG
File \WINDOWS\system32\config\system.LOG
File \WINDOWS\system32\config\default.LOG
File \WINDOWS\system32\config\SAM
File \WINDOWS\system32\config\SAM.LOG
File \Documents and Settings\NetworkService\ntuser.dat.LOG
File \Documents and Settings\NetworkService\NTUSER.DAT
File \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
File \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
File \Documents and Settings\LocalService\ntuser.dat.LOG
File \Documents and Settings\LocalService\NTUSER.DAT
File \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
File \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
File \Documents and Settings\Administrator\NTUSER.DAT
File \Documents and Settings\Administrator\ntuser.dat.LOG
File \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
File \Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG
File \255
File \WINDOWS\Temp\hlktmp
File \
File \47
File \Topology
************************************************************************
I get the same with or without "profile=WinXPSP3"
Original issue reported on code.google.com by [email protected]
on 29 Aug 2010 at 5:17
Hiya guys,
It looks as though the Files plugin doesn't work on Windows 7 images.
Initially this was due to the array being instantiated at an invalid address,
and throwing an exception (in earlier versions this check was done once the
loop had started), but even with that fixed it still seems to be having issues.
I dunno why the TableCode/ObjectTable stuff isn't working. All the right
profile elements seem to be defined, and that's as far as my knowledge goes, so
I'm going to have to call in an expert to investigate please...
Original issue reported on code.google.com by [email protected]
on 18 Aug 2010 at 1:32
Hey guys,
There are two versions of parse_string (FileScan.parse_string and
ModScan2.parse_string). When using the modscan2 command, I ran into this issue:
Traceback (most recent call last):
File "volatility.py", line 129, in <module>
main()
File "volatility.py", line 120, in main
command.execute()
File "/data/volatility/volatility/commands.py", line 101, in execute
func(outfd, data)
File "/data/volatility/plugins/modscan2.py", line 97, in render_text
self.parse_string(ldr_entry.BaseDllName)))
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-3:
ordinal not in range(128)
The module being printed at the time is not identified by modscan, so it makes
sense that there may be some invalid characters around. However, when I replace
the ModScan2.parse_string with the FileScan.parse_string, it doesn't error out:
\SystemRoot\system32\DRIVERS\swenum.sys 0x00f9eac000 0x002000 swenum.sys
\SystemRoot\system32\drivers\kmixer.sys 0x00f0345000 0x02a000 kmixer.sys
ไ่แบจ๎\REGISTRY\MACHINE\SYSTEM\Con
TOOLS.CO 0x00f9ef2000 0x002000 splitter.sys
\SystemRoot\System32\drivers\dxg.sys 0x00bf9c1000 0x012000 dxg.sys
\SystemRoot\system32\DRIVERS\raspptp.sys 0x00f9b1c000 0x00c000 raspptp.sys
So there are some still invalid characters, but that's unavoidable. At least
using the FileScan's version of parse_string though, the scanner keeps going.
Original issue reported on code.google.com by [email protected]
on 14 Oct 2010 at 9:20
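The behaviour described in the report above, as an added example that is not part of the original issue or of Volatility's own parse_string implementations: a strict parser that forces scanned text into ASCII and aborts the scan on the first invalid character, beside a tolerant one that decodes the UTF-16-LE buffer with replacement and prints anything non-printable as '?'. The byte samples are constructed here, and the names decode_utf16_le, parse_string_strict and parse_string_safe are this example's own.

```python
import string

# Printable ASCII minus the control whitespace; a space in a file name is fine.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")

# Constructed samples: a clean driver name, and a buffer whose first bytes are
# pool garbage in front of a real string, the way a scanner hit looks.
VALID_NAME = "kmixer.sys".encode("utf-16-le")
GARBAGE_NAME = b"\xe4\xe8\xe1\xba\xa8\xee" + "\\REGISTRY\\MACHINE\\SYSTEM".encode("utf-16-le")


def decode_utf16_le(raw, length=None):
    """Decode a UTF-16-LE buffer as read from memory.

    `length` is the byte count from a _UNICODE_STRING-style header when it is
    known. An odd trailing byte is dropped and undecodable code units become
    U+FFFD instead of raising, so one bad hit cannot abort the whole scan.
    """
    if length is not None:
        raw = raw[:length]
    raw = raw[: len(raw) - (len(raw) % 2)]
    return raw.decode("utf-16-le", errors="replace")


def parse_string_strict(raw, length=None):
    """The failing behaviour from the report: force the result into ASCII."""
    return decode_utf16_le(raw, length).encode("ascii").decode("ascii")


def parse_string_safe(raw, length=None):
    """The robust form: anything outside printable ASCII is shown as '?'."""
    text = decode_utf16_le(raw, length)
    return "".join(ch if ch in PRINTABLE else "?" for ch in text)


def strict_raises(raw, length=None):
    """True if the strict parser would abort the scan on this buffer."""
    try:
        parse_string_strict(raw, length)
    except UnicodeEncodeError:
        return True
    return False


if __name__ == "__main__":
    for raw in (VALID_NAME, GARBAGE_NAME):
        print(repr(parse_string_safe(raw)), "strict raises:", strict_raises(raw))
```

The tolerant parser deliberately keeps the garbage visible as '?' rather than dropping it: for a scanner, a name that starts with several unprintable code units is itself a signal that the hit is a stale or overwritten pool allocation.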
So I am working on a plugin that analyzes a specific userland application and I
hit a pretty nasty and non-obvious bug in the Scanner framework.
The problem is that I have created my own vtypes for the application in order
to parse its structures, and the way I find the "task" for the process is either
by the user-supplied PID or by searching by process name. Once I find the
process, I then proceed to add my custom vtypes to the task's address space so
then I can process them as verinfo does. This works perfectly for everything but
scanning.
The bug came when I went to scan the task's address space, and anytime I tried
to make a structure using the obj.Object method, the return value was always
"None". After wasting an hour debugging the issue, I finally realized the issue
was that my custom vtypes weren't being put into the buffer address space set
as "self.address_space" in the inherited scan class, which means of course it
knows nothing of my custom structure and so it couldn't instantiate it.
I fixed the bug for now by making my check function begin like this:
    def check(self, offset):
        self.address_space.profile.add_types(my_types)
and then proceed to scan, and it's working now, but that was very non-obvious.
I believe this actually exposes two bugs,
1) is that even when vol is run with -d, the obj.Object handler gave no error
messages or warnings about why it couldn't instantiate the object
2) the scanning code needs to make the buffer address space object it uses
inherit all the vtypes from the address space you pass it or ugly hacks like my
fix will have to be used in all plugins that want to use custom vtypes with
scanning
Original issue reported on code.google.com by [email protected]
on 28 Aug 2010 at 8:00
Hey guys,
The printkey plugin has a conflicting option string. You change it by modifying
the line in plugins/registry/printkey.py from:
config.add_option('KEY', short_option = 'k',
To:
config.add_option('KEY', short_option = 'K', # just an uppercase K
Original issue reported on code.google.com by [email protected]
on 25 Aug 2010 at 8:40
host machine: 32 bit windows 7 w/ python 2.7
C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py connections --profile=Win7SP0x86 -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "C:\Users\admin\Desktop\vol\volatility\commands.py", line 72, in execute
data = self.calculate()
File "C:\Users\admin\Desktop\vol\plugins\internal\connections.py", line 56, in calculate
result = network.determine_connections(addr_space)
File "C:\Users\admin\Desktop\vol\volatility\win32\network.py", line 104, in determine_connections
target = obj.Curry(obj.Pointer, '_TCPT_OBJECT'))
File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 631, in __init__
parent = parent, name = name)
File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 301, in __init__
raise InvalidOffsetError("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name))
volatility.obj.InvalidOffsetError: Invalid Address 0xC73B2C46, instantiating
None
Original issue reported on code.google.com by [email protected]
on 18 Aug 2010 at 1:38
Hey guys,
I've been seeing this problem:
$ python volatility.py procexedump -f d0.vmem -p 1504 --dump-dir=out
Volatile Systems Volatility Framework 1.4_rc1
************************************************************************
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 98, in execute
func(outfd, data)
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/internal/procdump.py", line 54, in render_text
if task.Peb.ImageBaseAddress == None or task_space == None or task_space.vtop(task.Peb.ImageBaseAddress) == None:
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/addrspace.py", line 84, in __eq__
return self.profile == other.profile and \
AttributeError: 'NoneType' object has no attribute 'profile'
It seems to happen anytime you test an address space with None like this:
ps_ad = p.get_process_address_space()
if ps_ad == None: # this will cause the issue
Original issue reported on code.google.com by [email protected]
on 9 Sep 2010 at 2:24
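The failure mode in the report above, as an added example that is not part of the original issue or of Volatility's addrspace.py: a toy address space whose __eq__ reads other.profile unconditionally (so `ps_ad == None` raises the AttributeError shown in the traceback), beside a hardened __eq__ that returns NotImplemented for foreign types, and the `is None` test that sidesteps __eq__ altogether. The class names and the get_process_address_space stand-in are this example's own assumptions, not the project's API.

```python
class NaiveAddressSpace:
    """Mirrors the reported addrspace.__eq__: it assumes `other` is another
    address space and reads other.profile without checking."""

    def __init__(self, profile, dtb):
        self.profile = profile
        self.dtb = dtb

    def __eq__(self, other):
        return self.profile == other.profile and self.dtb == other.dtb

    def __hash__(self):
        return hash((self.profile, self.dtb))


class AddressSpace(NaiveAddressSpace):
    """Hardened form: decline the comparison for foreign types so that
    `space == None` is simply False instead of an AttributeError."""

    def __eq__(self, other):
        if not isinstance(other, NaiveAddressSpace):
            return NotImplemented
        return self.profile == other.profile and self.dtb == other.dtb

    def __hash__(self):
        return hash((self.profile, self.dtb))


def equals_none_via_eq(space):
    """The `ps_ad == None` pattern from the report; returns the exception name
    when the comparison itself blows up, otherwise the comparison result."""
    try:
        return space == None  # noqa: E711 - this is the bug being demonstrated
    except AttributeError:
        return "AttributeError"


def equals_none_via_is(space):
    """The correct check: `is` never calls __eq__, so it works for any class."""
    return space is None


def get_process_address_space(dtb, valid_dtbs, cls=AddressSpace):
    """Hypothetical stand-in for EPROCESS.get_process_address_space(): returns
    None when the DTB cannot be validated, as the report describes."""
    if dtb not in valid_dtbs:
        return None
    return cls("WinXPSP3", dtb)


if __name__ == "__main__":
    print(equals_none_via_eq(NaiveAddressSpace("WinXPSP3", 0x319000)))
    print(equals_none_via_eq(AddressSpace("WinXPSP3", 0x319000)))
```

Returning NotImplemented rather than False is what makes the hardened version behave: Python then asks None.__eq__, which also declines, and falls back to identity, so the expression evaluates to False without either side touching the other's attributes.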
generates another issue....
C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py files --profile=Win7SP0x86 --no-cache -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
Pid: 4
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "C:\Users\admin\Desktop\vol\volatility\commands.py", line 96, in execute
func(outfd, data)
File "C:\Users\admin\Desktop\vol\plugins\internal\taskmods.py", line 123, in render_text
for h in handles:
File "C:\Users\admin\Desktop\vol\plugins\internal\taskmods.py", line 136, in handle_list
for h in task.handles():
File "C:\Users\admin\Desktop\vol\plugins\overlays\Windows\xp_sp2.py", line 260, in handles
for h in self._make_handle_array(offset, table_levels):
File "C:\Users\admin\Desktop\vol\plugins\overlays\Windows\xp_sp2.py", line 227, in _make_handle_array
for h in self._make_handle_array(offset, level - 1):
File "C:\Users\admin\Desktop\vol\plugins\overlays\Windows\xp_sp2.py", line 219, in _make_handle_array
count = 0x200, parent = self)
File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 631, in __init__
parent = parent, name = name)
File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 301, in __init__
raise InvalidOffsetError("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name))
volatility.obj.InvalidOffsetError: Invalid Address 0x00000000, instantiating
None
Original issue reported on code.google.com by [email protected]
on 17 Aug 2010 at 11:33
host changed to a 32 bit windows 7 running python 2.7. the image is still the
same x86 windows 7 image.
C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py sockets --profile=Win7SP0x86 -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "C:\Users\admin\Desktop\vol\volatility\commands.py", line 72, in execute
data = self.calculate()
File "C:\Users\admin\Desktop\vol\plugins\internal\sockets.py", line 40, in calculate
result = win32.network.determine_sockets(addr_space)
File "C:\Users\admin\Desktop\vol\volatility\win32\network.py", line 139, in determine_sockets
target = obj.Curry(obj.Pointer, "_ADDRESS_OBJECT"))
File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 631, in __init__
parent = parent, name = name)
File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 301, in __init__
raise InvalidOffsetError("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name))
volatility.obj.InvalidOffsetError: Invalid Address 0x7CCC153B, instantiating
None
Original issue reported on code.google.com by [email protected]
on 18 Aug 2010 at 1:34
Hi guys,
Just figured I'd make a place to watch what goes on with respect to making a
console that allows people to do "dt" commands and so on. I've had a first
stab at converting volshell to 1.4. It's not completely converted (I'm not
sure what context offsets are supposed to be, whether from flat or kernel or
process space) and mostly dt doesn't work properly yet, but it should be a base
to go from...
Feel free to submit new versions/diffs of fixes, and when it's in a good
working order, we can commit it as a core plugin.
Original issue reported on code.google.com by [email protected]
on 3 Dec 2010 at 4:22
Attachments:
Hey guys,
I'm getting this error using vadinfo on XP SP2 and SP3 samples.
$ python volatility.py vadinfo -f mem.vmem
Volatile Systems Volatility Framework 1.4_rc1
************************************************************************
Pid: 4
VAD node @823c4200 Start 00010000 End 00033fff Tag Vad
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 96, in execute
func(outfd, data)
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/internal/vadinfo.py", line 49, in render_text
self.write_vad_short(outfd, vad)
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/internal/vadinfo.py", line 65, in write_vad_short
outfd.write("Flags: {0}\n".format(vad.Flags))
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 773, in __getattribute__
return self.m(attr)
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 758, in m
parent = self, name = attr)
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 280, in Object
**kwargs)
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/Basic.py", line 88, in __init__
obj.NativeType.__init__(self, targetType, offset, vm, parent, **args)
TypeError: __init__() got multiple values for keyword argument 'theType'
Original issue reported on code.google.com by [email protected]
on 27 Aug 2010 at 7:22
While the plugin runs and doesn't crash, it doesn't appear to be working
correctly, as in no process that I tested did it ever stop dumping memory.
For all processes, including lsass.exe, taskhost.exe, services.exe, and a few
more, task manager reports sizes of around a few hundred KB to 2 or 3 MB.
This was tested on the same VM from which the memory image is produced.
The problem is that for all of the processes mentioned, I let the plugin run
and the "*.dmp" file produced went well over 100MB for all of them before I had
to ctrl+c the script.
It would seem that the code that calculates the size of a process in memory is
broken under Windows 7...
Original issue reported on code.google.com by [email protected]
on 18 Aug 2010 at 3:35
Currently the ssdt plugin will return no results for a windows 7 image.
It'd be good if this could be updated to work with windows 7.
Original issue reported on code.google.com by [email protected]
on 18 Aug 2010 at 10:45
root@newubuntu:~/vol# python volatility.py vadinfo --profile=WinXPSP3 -f winXP-32-SP3.vmem
Volatile Systems Volatility Framework 1.4_rc1
************************************************************************
Pid: 4
VAD node @81bcc2c0 Start 00010000 End 00033fff Tag Vad
Traceback (most recent call last):
File "volatility.py", line 138, in <module>
main()
File "volatility.py", line 129, in main
command.execute()
File "/home/x/vol/volatility/commands.py", line 96, in execute
func(outfd, data)
File "/home/x/vol/plugins/internal/vadinfo.py", line 49, in render_text
self.write_vad_short(outfd, vad)
File "/home/x/vol/plugins/internal/vadinfo.py", line 65, in write_vad_short
outfd.write("Flags: {0}\n".format(vad.Flags))
File "/home/x/vol/volatility/obj.py", line 773, in __getattribute__
return self.m(attr)
File "/home/x/vol/volatility/obj.py", line 755, in m
offset = int(offset) + int(self.offset)
TypeError: int() argument must be a string or a number, not 'function'
Original issue reported on code.google.com by [email protected]
on 26 Aug 2010 at 1:38
Hey guys,
One flaw in the moddump I submitted last week - it's missing BDG's original
find_space function. Thus, it cannot dump a few modules (namely win32k.sys).
Here is a new version of moddump.py and a patch file (not sure which you
prefer).
Old version:
$ python volatility.py moddump -f mem.vmem -r win32k -D out
Volatile Systems Volatility Framework 1.4_rc1
Cannot dump win32k.sys at bf800000
New version:
$ python volatility.py moddump -f mem.vmem -r win32k -D out
Volatile Systems Volatility Framework 1.4_rc1
Dumping win32k.sys, Base: bf800000 output: driver.bf800000.sys
One thing we could consider doing in the future is adding the find_space
function to the address space object and having it automatically perform this
search when a user tries to read an address in kernel memory. In WinDbg, you
have to switch to a context of a process with at least one GUI thread before
reading memory owned by win32k.sys...so we could essentially handle that
context switch on the fly.
Btw, can someone remind me how to use the plugins in the contrib directory? I
know they don't show up in the list of plugins by default, and also the
--plugins=contrib/ doesn't work. Lately I've been copying plugins from the
contrib directory into the plugins directory to use them, which kinda defeats
the purpose of putting them in contrib ;-)
Thanks.
Original issue reported on code.google.com by [email protected]
on 18 Oct 2010 at 2:48
Attachments:
Hey guys, I don't think this is a big problem currently, but just FYI because
it came up recently. If a plugin doesn't support output in HTML (or any other
format), but inherits from a plugin that does support it, then we'll see type
and/or tuple unpack exceptions. For example:
class OnePlugin:
    def calculate(self):
        yield a,b,c
    def render_text(self, outfd, data):
        pass
    def render_html(self, outfd, data):
        for a,b,c in data:
            pass
class TwoPlugin(OnePlugin):
    def calculate(self):
        yield a,b,c,d,e,f,g
    def render_text(self, outfd, data):
        pass
So if someone tries to do "volatility.py twoplugin --output=html" then
OnePlugin.render_html() will be executed with the data yielded by
TwoPlugin.calculate() - and it will result in some exceptions.
Original issue reported on code.google.com by [email protected]
on 9 Dec 2010 at 3:45
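One way to guard against the inherited-renderer problem described above, as an added example that is not part of the original issue or of Volatility's command dispatch: a find_renderer() that walks the class MRO and only accepts a render_<format> method defined on the class that defines calculate() or on one of its subclasses, so a renderer written for a parent's tuple shape is refused with a clear error instead of failing inside a tuple unpack. The Command base class, the execute() and unguarded_error() helpers and the two sample plugins are this example's own constructions, modelled on the OnePlugin/TwoPlugin sketch in the report.

```python
import io


class Command:
    """Toy version of the command base class: a plugin overrides calculate()
    and one render_<format>(outfd, data) per output format it supports."""

    def calculate(self):
        raise NotImplementedError


class OnePlugin(Command):
    def calculate(self):
        yield ("a", 1, True)

    def render_text(self, outfd, data):
        for a, b, c in data:
            outfd.write("{0} {1} {2}\n".format(a, b, c))

    def render_html(self, outfd, data):
        outfd.write("<table>")
        for a, b, c in data:
            outfd.write("<tr><td>{0}</td><td>{1}</td><td>{2}</td></tr>".format(a, b, c))
        outfd.write("</table>")


class TwoPlugin(OnePlugin):
    # Seven fields per row: OnePlugin.render_html's 3-tuple unpack cannot take this.
    def calculate(self):
        yield ("a", 1, True, "d", 5, 6, 7)

    def render_text(self, outfd, data):
        for row in data:
            outfd.write(" ".join(str(x) for x in row) + "\n")


def find_renderer(cmd, fmt):
    """Return cmd.render_<fmt> only if it is defined on the class that defines
    calculate() or on one of its subclasses. A renderer inherited from further
    up the hierarchy was written for a different calculate() and is rejected."""
    name = "render_" + fmt
    mro = type(cmd).__mro__
    calc_owner = next(k for k in mro if "calculate" in k.__dict__)
    for klass in mro:
        if name in klass.__dict__:
            return getattr(cmd, name)
        if klass is calc_owner:
            return None
    return None


def supports(cmd, fmt):
    return find_renderer(cmd, fmt) is not None


def execute(cmd, fmt):
    """Guarded dispatch: refuse an output format the plugin does not own."""
    renderer = find_renderer(cmd, fmt)
    if renderer is None:
        raise ValueError("{0} does not support --output={1}".format(type(cmd).__name__, fmt))
    outfd = io.StringIO()
    renderer(outfd, cmd.calculate())
    return outfd.getvalue()


def unguarded_error(cmd, fmt):
    """What a plain getattr() dispatch does: the inherited renderer is found and
    the tuple unpack fails. Returns the exception class name, or None."""
    try:
        getattr(cmd, "render_" + fmt)(io.StringIO(), cmd.calculate())
    except (ValueError, TypeError) as e:
        return type(e).__name__
    return None


if __name__ == "__main__":
    print(execute(TwoPlugin(), "text"), end="")
    print("unguarded html on TwoPlugin:", unguarded_error(TwoPlugin(), "html"))
```

The rule is deliberately conservative: a subclass that keeps the parent's calculate() untouched still inherits every renderer, because the MRO walk only stops at the class that actually redefines calculate().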
I found this whilst examining memdump, which returns a generated list of (pid,
task, pages) where pages is a generator (get_available_pages).
What happens is that the decorator calls generate on the outer generator. The
individual results are appended to the payload and then yielded. At the end,
the payload is dumped. The problem is that, due to the yield, any
sub-generators may get traversed before the dump happens. Then, by the time
they come to be dumped, they return no results.
I've attached a proposed patch, which I'll apply if scudette's happy with it?
The idea is simply to always flatten all available generators. This will have
side effects on functions that terminate the generator early, don't iterate
through it completely. I've kept flatten_generators as a method of the node so
that blocking nodes can pass on the generators without interruption.
The only other solution I can think of is replacing each generator with a
caching generator wrapper such that when it generates a value, the value is
cached (and in the right place). That doesn't strike me as a trivial piece of
engineering, but without it certain caching operations may be much slower than
simply running the plugin without any caching.
Original issue reported on code.google.com by [email protected]
on 23 Aug 2010 at 12:48
Attachments:
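The problem and the proposed fix from the report above, as an added example that is not part of the original issue, of the attached patch, or of Volatility's cache module: a minimal CacheNode that tees each item of a generator into a payload while yielding it, run first without and then with a recursive flatten_generators() over a memdump-like (pid, task, pages) stream whose inner `pages` is itself a generator. Without flattening, the renderer drains the inner generator before the payload is stored and the replay sees empty page lists; with flattening, the replay matches the live run. The early_stop() helper shows the side effect the report mentions for consumers that do not iterate to the end. SAMPLE and the function names are this example's own constructions.

```python
import types

# Constructed sample: (pid, task name, physical pages) as memdump would
# produce, except that the real plugin hands out `pages` as a generator.
SAMPLE = [(4, "System", [0x1000, 0x2000]), (552, "smss.exe", [0x3000])]


def memdump_like(rows):
    """Outer generator yielding (pid, task, pages) with a generator inside."""
    for pid, task, pages in rows:
        yield pid, task, (p for p in pages)


def flatten_generators(value):
    """Recursively replace generators with lists so a result can be stored and
    replayed. Containers are rebuilt with their contents flattened."""
    if isinstance(value, types.GeneratorType):
        return [flatten_generators(v) for v in value]
    if isinstance(value, list):
        return [flatten_generators(v) for v in value]
    if isinstance(value, tuple):
        return tuple(flatten_generators(v) for v in value)
    if isinstance(value, dict):
        return {k: flatten_generators(v) for k, v in value.items()}
    return value


class CacheNode:
    """Minimal model of the caching decorator: tee each item into a payload
    while yielding it, and keep the payload once the generator is exhausted."""

    def __init__(self, flatten):
        self.flatten = flatten
        self.stored = None

    def generate(self, gen):
        payload = []
        for item in gen:
            if self.flatten:
                item = flatten_generators(item)
            payload.append(item)
            yield item
        self.stored = payload


def run_plugin(flatten):
    """Render once through the cache, then replay from the stored payload.
    Returns ([(pid, page count) live], [(pid, page count) replayed])."""
    node = CacheNode(flatten)
    live = []
    for pid, _task, pages in node.generate(memdump_like(SAMPLE)):
        live.append((pid, sum(1 for _ in pages)))  # the renderer drains `pages`
    replayed = [(pid, sum(1 for _ in pages)) for pid, _task, pages in node.stored]
    return live, replayed


def early_stop(flatten):
    """The side effect noted in the report: a consumer that stops after the
    first item never lets the decorator finish, so nothing is cached."""
    node = CacheNode(flatten)
    next(node.generate(memdump_like(SAMPLE)))
    return node.stored


if __name__ == "__main__":
    print("without flatten:", run_plugin(False))
    print("with flatten:   ", run_plugin(True))
```

Flattening trades memory for correctness: every page list is materialised up front, which is exactly the cost the report warns about for plugins that would otherwise stop early or stream large results.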
Hey guys, I ran into an issue importing some classes from other plugins.
from volatility.plugins.filescan import FileScan, MutantScan, DriverScan, PoolScanDriver
from volatility.plugins.psscan import ThrdScan, ThreadScan
I do this because some of my malware plugins (like driverirp) inherit from
DriverScan etc. Yesterday on Windows, everything was OK:
C:\Volatility-1.4_rc1>python volatility.py -h
[...]
driverirp [MALWARE] Driver IRP hook detection
mutantscandb [MALWARE] mutantscan extension for highlighting
suspicious mutexes
However, the same code (same plugin file and same Volatility revision) on OSX
caused the following problem:
$ python volatility.py -h
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
File "volatility.py", line 128, in <module>
main()
File "volatility.py", line 90, in main
MemoryRegistry.Init()
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/registry.py", line 372, in Init
PLUGIN_COMMANDS = VolatilityCommandRegistry(commands.command, modules)
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/registry.py", line 286, in __init__
raise Exception("Command {0} has already been defined by {1}".format(command, self.commands[command]))
Exception: Command mutantscan has already been defined by <class 'volatility.plugins.filescan.MutantScan'>
This morning I updated to revision 483 on Windows and now I get the same
problem on Windows as well.
Original issue reported on code.google.com by [email protected]
on 29 Sep 2010 at 1:33
Hey guys,
I've been looking into a TypeError issue and wanted to share what I've found,
though it's not a complete fix (nor do I know the exact problem). I placed two
memory dumps at http://www.mnin.org/Archive.zip. You should be able to
reproduce the problem like this:
$ python volatility.py dlllist -f dreamon.bin -p 2596
************************************************************************
cmd.exe pid: 2596
Unable to read PEB for task.
OK, no problem there, except that the PEB is unreadable, but then try one of the
Vad commands:
$ python volatility.py vadinfo -f dreamon.bin -p 2596
************************************************************************
Pid: 2596
Traceback (most recent call last):
File "volatility.py", line 129, in <module>
main()
File "volatility.py", line 120, in main
command.execute()
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 101, in execute
func(outfd, data)
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/vadinfo.py", line 46, in render_text
for vad in task.VadRoot.traverse():
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 592, in __getattribute__
result = self.dereference()
File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 568, in dereference
name = self.name)
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/windows/xp_sp2_x86.py", line 330, in __new__
vm = eprocess.get_process_address_space()
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/windows/xp_sp2_x86.py", line 240, in get_process_address_space
process_as = self.vm.__class__(self.vm.base, dtb = directory_table_base)
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/intel.py", line 92, in __init__
self.as_assert(self.is_valid_kernelAS(), "Not a valid Kernel Address Space")
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/intel.py", line 128, in is_valid_kernelAS
for (offset, _length) in self.get_available_addresses():
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/standard.py", line 163, in get_available_addresses
for (offset, size) in self.get_available_pages():
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/intel.py", line 342, in get_available_pages
if self.entry_present(pte_value):
File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/intel.py", line 163, in entry_present
return (entry & 1) == 1
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'
In xp_sp2_x86.py, you can catch the exception by changing:
try:
process_as = self.vm.__class__(self.vm.base, dtb = directory_table_base)
- except AssertionError, _e:
+ except (TypeError, AssertionError), _e:
return obj.NoneObject("Unable to get process AS")
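Review bot: widening the clause to `except (TypeError, AssertionError), _e:` treats a symptom rather than the fault the traceback points at: intel.py's get_available_pages reads a PTE that comes back as None and passes it to entry_present (`return (entry & 1) == 1`), which is where the TypeError is raised. Catching it here turns a process whose page tables are only partially unreadable into "Unable to get process AS", and leaves any other caller of the paged address space exposed to the same None. The check belongs in get_available_pages or entry_present (skip, or treat as not-present, an entry whose read failed), so that get_process_address_space only ever sees the AssertionError it already handles.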
However, that's a temporary fix only. In the other memory sample, the process
in question is pid 3120:
$ python volatility.py dlllist -f conficker.bin -p 3120
************************************************************************
cmd.exe pid: 3120
Unable to read PEB for task.
$ python volatility.py vadinfo -f conficker.bin -p 2596
[same stack trace as above]
Original issue reported on code.google.com by [email protected]
on 15 Oct 2010 at 4:10
In 1.3 with printkey, if you don't specify a key, it prints the top-level list
like this:
$ python volatility printkey -f zeus2x4.vmem -o 0xe1db1470
Key name: $$$PROTO.HIV (Stable)
Last updated: Thu Sep 2 08:25:53 2010
Subkeys:
AppEvents (Stable)
Console (Stable)
Control Panel (Stable)
...
In 1.4, if you don't specify a key, or if you specify a blank key ('') to try
and get the list of top-level keys, you get this:
$ python volatility.py printkey -f zeus2x4.vmem -o 0xe1db1470
Volatile Systems Volatility Framework 1.4_rc1
Usage: Volatility - A memory forensics analysis platform.
volatility.py: error: No registry key specified. Please use -k to specify one
The error message says use -k but it should be -K (capital). However, the 1.4
version still requires you to know the name of a key, which isn't always the
case. I suggest we make a change similar to the following so people can see the
list of top-level keys easily:
plugins/registry/printkey.py @ 83
    if not config.key:
        #config.error("No registry key specified. Please use -k to specify one")
        key = []
    else:
        key = config.key.split('\\')
    ...
    key = rawreg.open_key(root, key)
Now you can get the same behavior as seen in the 1.3 version. Thoughts?
Original issue reported on code.google.com by [email protected]
on 10 Sep 2010 at 1:20
Hey guys,
Here's a port of moddump for 1.4. Potential issues are that it inherits from
procdump.ProcExeDump instead of disk vs mem being optional, and I've only
tested it on XP[1,2,3] memory samples.
Original issue reported on code.google.com by [email protected]
on 15 Oct 2010 at 3:29
Attachments:
Ideally volatility shouldn't be so dependent on a single command line
configuration option, or more specifically global variables that then don't
allow two different plugins to be run with different option sets.
This is a (low priority) tracking bug so that we can keep a track of
discussions and development in the area without having to trawl back through
lots of IRC discussions. If this gets enough action, we can create a branch in
subversion for it.
Original issue reported on code.google.com by [email protected]
on 2 Sep 2010 at 12:33
The basic problem is that Python has the idea of "infinite" sign extension when
dealing with negative numbers, which makes dealing with them really annoying.
Here is an example from the Python interpreter:
>>> x = 255
>>> print "%x" % x
ff
>>> x = -1
>>> print "%x" % x
-1
>>> x = x & 0xffffffff
>>> print "%x" % x
ffffffff
>>>
>>> x = -1
>>> type(x)
<type 'int'>
>>> x = x & 0xffffffff
>>> type(x)
<type 'long'>
>>>
As you can see, when x is "-1" Python doesn't treat it as a 4-byte 32-bit
integer but instead treats it as the magic infinitely sign-extended number.
Only after masking off 32 bits does it then switch to a regular 4-byte 'long'
as opposed to the magic 'int'.
So I guess I was wondering if the handler code for obj.Object would be able to
perform the 32-bit mask on all integers in structures? If not, the
render_* functions will be long and complicated as all the integer members will
need to be chopped.
Original issue reported on code.google.com by [email protected]
on 21 Nov 2010 at 10:29
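The masking the report asks for, as an added example that is not part of the original issue or of Volatility's obj.Object: to_unsigned() and to_signed() convert between Python's arbitrary-precision ints and fixed-width two's-complement patterns, hexfmt() prints a member at its declared width regardless of sign, and unpack_members() applies the mask once at unpack time for every signed member of a little-endian structure so that no render_* function has to. The layout and the raw bytes are constructed for this example; the function names are its own. Python 3 no longer has the separate 'int' and 'long' types shown in the interpreter session, but `"%x" % -1` still formats as "-1", so the underlying issue is unchanged.

```python
import struct

SIGNED_FMT = {8: "b", 16: "h", 32: "i", 64: "q"}


def to_unsigned(value, bits):
    """Mask a Python int to an N-bit pattern: -1 -> 0xffffffff for bits=32."""
    return value & ((1 << bits) - 1)


def to_signed(value, bits):
    """Inverse: reinterpret an N-bit pattern as two's complement."""
    value &= (1 << bits) - 1
    if value & (1 << (bits - 1)):
        value -= 1 << bits
    return value


def hexfmt(value, bits):
    """Fixed-width hex the way a C debugger prints it, independent of sign."""
    return "{0:0{1}x}".format(to_unsigned(value, bits), bits // 4)


def unpack_members(raw, layout):
    """Read consecutive little-endian signed members described by
    `layout` = [(name, bits), ...] and return name -> (signed, unsigned, hex).
    This is the masking step the report wants done centrally for every
    integer member, applied once at unpack time instead of in each render_*."""
    members = {}
    offset = 0
    for name, bits in layout:
        (signed,) = struct.unpack_from("<" + SIGNED_FMT[bits], raw, offset)
        members[name] = (signed, to_unsigned(signed, bits), hexfmt(signed, bits))
        offset += bits // 8
    return members


# Constructed sample: three members holding -1, -2 and -3 in 32, 16 and 64 bits,
# packed without padding so the offsets are 0, 4 and 6.
SAMPLE_LAYOUT = [("Flags", 32), ("Delta", 16), ("Offset", 64)]
SAMPLE_RAW = struct.pack("<ihq", -1, -2, -3)


if __name__ == "__main__":
    for name, (signed, unsigned, hexed) in unpack_members(SAMPLE_RAW, SAMPLE_LAYOUT).items():
        print("{0:<8} signed={1:<22} unsigned=0x{2:x} hex={3}".format(name, signed, unsigned, hexed))
```

Keeping both views per member matters for forensics output: the signed value is what the kernel code computes with, while the masked pattern is what you compare against a hexdump or a WinDbg `dt` listing.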