CrowdStrike / SuperMem

A python script developed to process Windows memory images based on triage type.
MIT License
259 stars, 41 forks

ERROR: Cant Find File /path/to/yara/Yarafile.txt #8

Closed Y8765 closed 1 year ago

Y8765 commented 2 years ago

Hello guys, first of all thank you for this awesome tool. Attaching a problem that occurred while using the software; I would be happy to get some help. Thank you.

user_wsl@DESKTOP-U2H1XR3:/mnt/c/Users/user/Desktop/SuperMem-main/SuperMem-main$ sudo python3 winSuperMem.py -f Triage-Memory.mem -o 1234/ -tt 3
INFO: **
INFO: File Name: /mnt/c/Users/user/Desktop/SuperMem-main/SuperMem-main/Triage-Memory.mem
INFO: Output Directory: /mnt/c/Users/user/Desktop/SuperMem-main/SuperMem-main/1234
INFO: Triage Type: ComprehensiveTriage
INFO: Command: winSuperMem.py -f Triage-Memory.mem -o 1234/ -tt 3
INFO: **
INFO: Setting up symbols for Volatility3 with windows.info.Info
INFO: Locating profile, DTB, and KDGB for Volatility2

INFO: Started Volatility3 plugin windows.pstree.PsTree
INFO: Started Volatility3 plugin windows.cmdline.CmdLine
INFO: Started Volatility3 plugin windows.callbacks.Callbacks
INFO: Started Volatility3 plugin windows.svcscan.SvcScan
INFO: Started Volatility3 plugin windows.registry.userassist.UserAssist
INFO: Finished Volatility3 plugin windows.callbacks.Callbacks in 0 seconds
INFO: Started Volatility3 plugin windows.pslist.PsList
INFO: Started Volatility3 plugin windows.envars.Envars
INFO: Started Volatility3 plugin windows.handles.Handles
INFO: Finished Volatility3 plugin windows.svcscan.SvcScan in 0 seconds
INFO: Started Volatility3 plugin windows.registry.hivelist.HiveList
INFO: Started Volatility3 plugin windows.malfind.Malfind
INFO: Finished Volatility3 plugin windows.pstree.PsTree in 0 seconds
INFO: Started Volatility3 plugin windows.ssdt.SSDT
INFO: Finished Volatility3 plugin windows.cmdline.CmdLine in 0 seconds
INFO: Started Volatility3 plugin windows.registry.hivescan.HiveScan
INFO: Finished Volatility3 plugin windows.registry.userassist.UserAssist in 0 seconds
INFO: Started Volatility3 plugin windows.modscan.ModScan
INFO: Finished Volatility3 plugin windows.registry.hivelist.HiveList in 0 seconds
INFO: Started Volatility3 plugin windows.mutantscan.MutantScan
INFO: Finished Volatility3 plugin windows.envars.Envars in 0 seconds
INFO: Started Volatility3 plugin windows.psscan.PsScan
INFO: Started Volatility3 plugin windows.modules.Modules
INFO: Finished Volatility3 plugin windows.registry.hivescan.HiveScan in 0 seconds
INFO: Started Volatility3 plugin windows.driverscan.DriverScan
INFO: Started Volatility3 plugin windows.getservicesids.GetServiceSIDs
INFO: Finished Volatility3 plugin windows.malfind.Malfind in 0 seconds
INFO: Started Volatility3 plugin windows.symlinkscan.SymlinkScan
INFO: Started Volatility3 plugin windows.dlllist.DllList
INFO: Finished Volatility3 plugin windows.ssdt.SSDT in 0 seconds
INFO: Started Volatility3 plugin windows.driverirp.DriverIrp
INFO: Finished Volatility3 plugin windows.modules.Modules in 0 seconds
INFO: Started Volatility3 plugin windows.netscan.NetScan
INFO: Finished Volatility3 plugin windows.psscan.PsScan in 0 seconds
INFO: Started Volatility3 plugin windows.filescan.FileScan
INFO: Finished Volatility3 plugin windows.driverscan.DriverScan in 0 seconds
INFO: Started Volatility3 plugin windows.poolscanner.PoolScanner
INFO: Finished Volatility3 plugin windows.netscan.NetScan in 0 seconds
INFO: Started Bulk Extractor
INFO: Finished Volatility3 plugin windows.modscan.ModScan in 0 seconds
INFO: Started Strings unicode
INFO: Finished Volatility3 plugin windows.filescan.FileScan in 0 seconds
INFO: Started Strings ascii
INFO: Finished Volatility3 plugin windows.dlllist.DllList in 0 seconds
INFO: Started Strings big endian
INFO: Finished Bulk Extractor in 0 seconds
INFO: Started Volatility2 plugin amcache
INFO: Finished Volatility3 plugin windows.driverirp.DriverIrp in 0 seconds
INFO: Started Volatility2 plugin getsids
INFO: Finished Volatility3 plugin windows.handles.Handles in 0 seconds
INFO: Started Volatility2 plugin clipboard
INFO: Finished Volatility3 plugin windows.poolscanner.PoolScanner in 0 seconds
INFO: Started Volatility2 plugin cmdscan
INFO: Finished Volatility3 plugin windows.mutantscan.MutantScan in 0 seconds
INFO: Started Volatility2 plugin consoles
INFO: Started Volatility3 plugin windows.getsids.GetSIDs
INFO: Finished Volatility3 plugin windows.symlinkscan.SymlinkScan in 0 seconds
INFO: Started Volatility2 plugin ldrmodules
INFO: Finished Volatility3 plugin windows.pslist.PsList in 0 seconds
INFO: Started Volatility2 plugin mftparser
INFO: Finished Volatility3 plugin windows.getservicesids.GetServiceSIDs in 0 seconds
INFO: Started Volatility2 plugin psxview
INFO: Finished Volatility3 plugin windows.getsids.GetSIDs in 0 seconds
INFO: Started Volatility2 plugin shellbags
INFO: Finished Volatility2 plugin cmdscan in 60 seconds
INFO: Started Volatility2 plugin shutdowntime
INFO: Finished Volatility2 plugin consoles in 64 seconds
INFO: Started Volatility2 plugin indx
INFO: Finished Volatility2 plugin indx in 8 seconds
INFO: Started Volatility2 plugin logfile
INFO: Finished Volatility2 plugin logfile in 6 seconds
INFO: Started Volatility2 plugin prefetchparser
INFO: Finished Volatility2 plugin prefetchparser in 7 seconds
INFO: Started Volatility2 plugin schtasks
INFO: Finished Volatility2 plugin schtasks in 7 seconds
INFO: Started Volatility2 plugin sessions
INFO: Finished Volatility2 plugin sessions in 9 seconds
INFO: Started Volatility2 plugin shimcachemem
INFO: Finished Volatility2 plugin shimcachemem in 6 seconds
INFO: Started Volatility2 plugin shimcache
INFO: Finished Volatility2 plugin psxview in 125 seconds
INFO: Started Volatility2 plugin sockets
INFO: Finished Volatility2 plugin shutdowntime in 75 seconds
INFO: Started Volatility2 plugin sockscan
INFO: Finished Volatility2 plugin sockets in 11 seconds
INFO: Started Volatility2 plugin threads
INFO: Finished Volatility2 plugin sockscan in 10 seconds
INFO: Started Volatility2 plugin usnjrnl
INFO: Finished Volatility2 plugin usnjrnl in 7 seconds
INFO: Started Volatility2 plugin autoruns
INFO: Finished Volatility2 plugin amcache in 156 seconds
INFO: Started Volatility2 plugin connections
INFO: Finished Volatility2 plugin getsids in 161 seconds
INFO: Started Volatility2 plugin connscan
INFO: Finished Volatility2 plugin autoruns in 9 seconds
INFO: Started Volatility2 plugin hollowfind
INFO: Finished Volatility2 plugin connections in 10 seconds
INFO: Started Volatility2 plugin malthfind
INFO: Finished Volatility2 plugin connscan in 10 seconds
INFO: Started Volatility2 plugin timeliner
INFO: Finished Volatility2 plugin hollowfind in 10 seconds
INFO: Started Volatility2 plugin apihooks
INFO: Finished Volatility2 plugin malthfind in 10 seconds
INFO: Started Volatility2 plugin messagehooks
INFO: Finished Volatility2 plugin clipboard in 177 seconds
INFO: Started EVTXTRACT
INFO: Finished Volatility2 plugin shimcache in 75 seconds
INFO: Started Dumping Registry
INFO: Finished Dumping Registry in 0 seconds
INFO: Started Dumping DLLs
INFO: Finished Dumping DLLs in 0 seconds
INFO: Started Dumping Processes
INFO: Finished Dumping Processes in 0 seconds
INFO: Started Dumping Modules
INFO: Finished Dumping Modules in 0 seconds
INFO: Finished Volatility2 plugin threads in 99 seconds
INFO: Finished Volatility2 plugin mftparser in 266 seconds
INFO: Finished EVTXTRACT in 90 seconds
INFO: Finished Volatility2 plugin ldrmodules in 320 seconds
INFO: Finished Strings ascii in 343 seconds
INFO: Finished Volatility2 plugin messagehooks in 168 seconds
INFO: Finished Strings unicode in 355 seconds
INFO: Finished Strings big endian in 362 seconds
INFO: Finished Volatility2 plugin shellbags in 502 seconds
INFO: Finished Volatility2 plugin timeliner in 445 seconds
INFO: Finished Volatility2 plugin apihooks in 610 seconds
Pre-Processing Complete: 100%|█████████████████████████████████████████████████████| 63/63 [13:06<00:00, 12.48s/Command]
Dumping Files Complete: : 0Command [00:00, ?Command/s]
INFO: Collecting Network IOCs
INFO: Running Plaso
ERROR: Cant Find File /path/to/yara/Yarafile.txt
INFO: Finished all processing in 14 minutes

salty4n6 commented 1 year ago

I ran into the same issue today. I changed the variable path to the following:

YARARULESFILE = "/opt/rules/index.yar"

I'm assuming that's the right file, since I haven't played with Yara yet, but I'm getting data in my Yara folder now. It's still running.

~Salty

jdlovato commented 1 year ago

A yara file is not included in this repo. You will need to modify the path to a yara file of your choice or use triage type 2.
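The thread ends with the point that SuperMem ships no YARA rules, so the hard-coded rules path has to be changed to a file you supply (or the YARA stage skipped with triage type 2). In the log above the missing file is only reported after roughly 14 minutes of other processing, so it is worth checking the path before launching a run. The pre-flight check below is an added example written for this page; it is not code from SuperMem or from anyone in the thread. It assumes the setting name YARARULESFILE from salty4n6's comment, keeps the placeholder path from the error message as its default, and constructs its own small rule set in a temporary directory. It only verifies that the index file and every file it includes exist (an index file of the kind salty4n6 points at typically consists of include statements, and YARA resolves a relative include against the directory of the including file); it does not compile the rules, so yara-python is not needed.

```python
"""Pre-flight check for the YARA rules file a memory triage run will need."""
import os
import re
import tempfile

# Assumed setting name, taken from salty4n6's comment; the value is the
# placeholder path from the error message and does not exist on this box.
YARARULESFILE = "/path/to/yara/Yarafile.txt"

# A YARA index file usually just pulls other files in with include lines;
# YARA resolves a relative include against the directory of the including file.
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"', re.MULTILINE)
# Heuristic rule-name match (private/global modifiers allowed); it does not
# parse YARA, it only counts what a scan would load.
RULE_RE = re.compile(
    r'^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)', re.MULTILINE)


def check_yara_rules(path, _seen=None):
    """Verify that a rules file and every file it includes are present.

    Returns {"ok": bool, "rules": [names], "missing": [absolute paths]}.
    Nothing is compiled here: the point is to fail before a long triage
    run starts, not to replace the compiler's own error reporting.
    """
    seen = _seen if _seen is not None else set()
    report = {"ok": True, "rules": [], "missing": []}
    path = os.path.abspath(path)
    if path in seen:            # include loop or duplicate include
        return report
    seen.add(path)
    if not os.path.isfile(path):
        report["ok"] = False
        report["missing"].append(path)
        return report
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    report["rules"].extend(RULE_RE.findall(text))
    base = os.path.dirname(path)
    for inc in INCLUDE_RE.findall(text):
        sub = check_yara_rules(os.path.join(base, inc), seen)
        report["rules"].extend(sub["rules"])
        report["missing"].extend(sub["missing"])
        report["ok"] = report["ok"] and sub["ok"]
    return report


def build_sample_rules(root, broken_include=False):
    """Write a constructed two-file rule set under root; return the index path.

    The rule content is made up for this example. With broken_include=True
    the index also references a file that is never written, which is the
    kind of mistake the check above is meant to catch.
    """
    os.makedirs(os.path.join(root, "malware"), exist_ok=True)
    with open(os.path.join(root, "malware", "dropper.yar"), "w") as fh:
        fh.write(
            "rule Sample_Dropper\n{\n"
            "    strings:\n        $cmd = \"cmd.exe /c\" ascii wide\n"
            "    condition:\n        $cmd\n}\n")
    index = os.path.join(root, "index.yar")
    with open(index, "w") as fh:
        fh.write('include "malware/dropper.yar"\n')
        if broken_include:
            fh.write('include "malware/not_written.yar"\n')
    return index


def demo():
    """Run the check on the issue's placeholder path and on two sample sets."""
    results = {"placeholder": check_yara_rules(YARARULESFILE)}
    with tempfile.TemporaryDirectory() as tmp:
        results["complete"] = check_yara_rules(build_sample_rules(tmp))
    with tempfile.TemporaryDirectory() as tmp:
        results["broken"] = check_yara_rules(build_sample_rules(tmp, broken_include=True))
    return results


if __name__ == "__main__":
    # Fail fast: a triage run should not start with a missing rules file.
    for name, rep in demo().items():
        state = "OK" if rep["ok"] else "MISSING " + ", ".join(rep["missing"])
        print(f"{name}: {len(rep['rules'])} rule(s); {state}")
```

Run it as-is to see the three outcomes: the placeholder path is reported missing, the complete sample set loads one rule, and the broken set loads the same rule but flags the include that points nowhere. To use it for a real run, call check_yara_rules on whatever path you set in the script and refuse to start the triage when the report is not ok.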