ClaudeZoo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

ssdt_ex issue; please help. #162

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi guys,

I have been working on this issue for more than two days but I could not figure it
out. I switched from Linux to Windows but still no luck.

My issue is when I run ssdt_ex and put idag.exe in the -D directory I get
the following result. I have installed IDA Pro Free already.

C:\Volatility 2.0>python vol.py --profile=WinXPSP2x86 -f q.vmem ssdt_ex -D test\

Volatile Systems Volatility Framework 2.1_alpha
  Entry 0x0041: 0xb29d34d8 (NtDeleteValueKey) owned by runtime2.sys
  Entry 0x0047: 0xb29d300a (NtEnumerateKey) owned by runtime2.sys
  Entry 0x0049: 0xb29d31ca (NtEnumerateValueKey) owned by runtime2.sys
  Entry 0x0077: 0xb29d2f5a (NtOpenKey) owned by runtime2.sys
  Entry 0x00f7: 0xb29d338a (NtSetValueKey) owned by runtime2.sys
C:\Volatility 2.0\volatility\plugins\malware.py:3034: DeprecationWarning: struct integer overflow masking is deprecated
  pedata = self.rebase(addr_space, base, pedata)
Dumping IDC file to C:\Volatility 2.0\test\driver.b29d1000.sys.idc
Cannot launch IDA: [Error 2] The system cannot find the file specified
Please make sure idal or idag.exe is in your PATH

Thanks 

Original issue reported on code.google.com by research...@gmail.com on 27 Oct 2011 at 12:16
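The hooked-entry lines in the console output above are the part of this run that matters for triage: five SSDT entries, all pointed into runtime2.sys. As an added example (not the reporter's code and not part of Volatility), the following Python parses ssdt_ex output of that shape into structured records and groups hooked syscalls by the owning module, flagging any owner outside a small expected set. The set of expected owners is an assumption for a 32-bit Windows XP system; the sample lines are copied from the report above.

```python
import re
from collections import defaultdict

# One ssdt_ex hook line, e.g.:
#   Entry 0x0041: 0xb29d34d8 (NtDeleteValueKey) owned by runtime2.sys
ENTRY_RE = re.compile(
    r"^\s*Entry\s+0x(?P<index>[0-9a-fA-F]+):\s+0x(?P<addr>[0-9a-fA-F]+)\s+"
    r"\((?P<func>\w+)\)\s+owned by\s+(?P<owner>\S+)\s*$"
)

# Modules that legitimately own SSDT entries on 32-bit Windows XP.
# This set is an assumption used for triage here; tune it per profile.
EXPECTED_OWNERS = {"ntoskrnl.exe", "ntkrnlpa.exe", "win32k.sys"}

# Console lines copied from the report above; non-matching lines are skipped.
SAMPLE_OUTPUT = """\
Volatile Systems Volatility Framework 2.1_alpha
  Entry 0x0041: 0xb29d34d8 (NtDeleteValueKey) owned by runtime2.sys
  Entry 0x0047: 0xb29d300a (NtEnumerateKey) owned by runtime2.sys
  Entry 0x0049: 0xb29d31ca (NtEnumerateValueKey) owned by runtime2.sys
  Entry 0x0077: 0xb29d2f5a (NtOpenKey) owned by runtime2.sys
  Entry 0x00f7: 0xb29d338a (NtSetValueKey) owned by runtime2.sys
Dumping IDC file to C:\\Volatility 2.0\\test\\driver.b29d1000.sys.idc
"""


def parse_entries(text):
    """Turn ssdt_ex console text into a list of dicts, one per hooked entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "index": int(m.group("index"), 16),
                "address": int(m.group("addr"), 16),
                "function": m.group("func"),
                "owner": m.group("owner"),
            })
    return entries


def suspicious_owners(entries, expected=EXPECTED_OWNERS):
    """Map each owning module outside `expected` to the sorted syscalls it hooks."""
    hooks = defaultdict(list)
    for e in entries:
        if e["owner"].lower() not in expected:
            hooks[e["owner"]].append(e["function"])
    return {owner: sorted(funcs) for owner, funcs in hooks.items()}


if __name__ == "__main__":
    for owner, funcs in suspicious_owners(parse_entries(SAMPLE_OUTPUT)).items():
        print(f"{owner}: {len(funcs)} hooked entries -> {', '.join(funcs)}")
```

Grouping by owner turns a list of addresses into a per-driver picture: here a single driver owns every hooked registry-related service, which is the kind of cluster worth carrying into the driver dump that ssdt_ex writes to the -D directory.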

GoogleCodeExporter commented 9 years ago
You don't put idaq.exe in the -D directory. -D is where your output files get 
dumped. idaq.exe stays in the directory where it got installed and you update 
your PATH environment variable to point to it. See: 

http://www.computerhope.com/issues/ch000549.htm

Original comment by michael.hale@gmail.com on 27 Oct 2011 at 1:23
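The distinction in this reply is between an output directory and the search path: a PATH lookup only examines the directories listed in the PATH variable, so a copy of the executable in the -D dump folder is never seen. As an added example (not Volatility's lookup code and not the reporter's setup), the following Python performs such a lookup for the names the plugin's error message mentions and reproduces both the failing and the working arrangement in a throwaway directory tree. The directory names and the use of an empty file as a stand-in for idaq.exe are constructed for the demonstration.

```python
import os
import shutil
import tempfile

# Executable names taken from the plugin's error message in the report above.
IDA_CANDIDATES = ("idal", "idaq.exe", "idag.exe")


def find_ida(path_env, candidates=IDA_CANDIDATES):
    """Return the first candidate found in a PATH-style directory list, else None.

    Only the directories in `path_env` are examined; the -D output
    directory is not part of that list unless it is added explicitly.
    """
    for directory in path_env.split(os.pathsep):
        if not directory:
            continue
        for name in candidates:
            full = os.path.join(directory, name)
            if os.path.isfile(full):
                return full
    return None


def demo():
    """Build a constructed layout and return both lookup results.

    Layout (constructed, not the reporter's disk):
      <root>/IDA Free/idaq.exe   stand-in for the installed executable
      <root>/test/idaq.exe       the copy the reporter placed in the -D directory
    """
    root = tempfile.mkdtemp(prefix="ssdt_ex_demo_")
    try:
        install_dir = os.path.join(root, "IDA Free")
        dump_dir = os.path.join(root, "test")
        os.makedirs(install_dir)
        os.makedirs(dump_dir)
        # An empty file is enough for an isfile() check.
        open(os.path.join(install_dir, "idaq.exe"), "wb").close()
        shutil.copy(os.path.join(install_dir, "idaq.exe"), dump_dir)

        # A PATH that does not include either directory.
        base_path = os.path.join(root, "unrelated")
        return {
            # Copy sits in -D, but -D is not on PATH: lookup fails.
            "copy_in_dump_dir_found": find_ida(base_path) is not None,
            # The fix: leave idaq.exe installed and put its directory on PATH.
            "install_dir_on_path_found": find_ida(
                os.pathsep.join([base_path, install_dir])
            ) is not None,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for case, found in demo().items():
        print(f"{case}: {'found' if found else 'not found'}")
```

The same logic applies on Windows with `;` as the separator: the install directory is appended to PATH (as the linked page describes) and the executable stays where the installer put it.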

GoogleCodeExporter commented 9 years ago

Original comment by michael.hale@gmail.com on 27 Oct 2011 at 2:29