Fvoid / malwarecookbook

Automatically exported from code.google.com/p/malwarecookbook
GNU General Public License v3.0

malfind option error #43

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Installed latest Volatility
2. Typed 'vol.py malfind -f coreflood.vmem -dump-dir=outdir 
--yara-rules=./aa.yara'
3. Then I got 'vol.py: error: no such option: --dump-dir'

I saw the 'Malware Analyst's Cookbook', and I followed Recipe 16-6.
I wonder how I can fix it.

What version of the product are you using? On what operating system?
Latest Volatility 2.1_alpha, Win7 32-bit

Original issue reported on code.google.com by h...@nslab.kaist.ac.kr on 18 Apr 2012 at 3:26

GoogleCodeExporter commented 8 years ago
Hello. There's a different version of malfind supplied with the 2.1 alpha branch (as compared to the version in malware.py on this website). The older malfind (which is written about in the book) searched for injected code *and* allowed you to scan for yara signatures. In the newer version, malfind only finds injected code. The plugin for scanning with yara rules is yarascan.

So in your 2.1 alpha branch just do:

$ python vol.py malfind -h
$ python vol.py yarascan -h

That will show you the options allowed for both plugins. One thing I see is you used -dump-dir instead of --dump-dir.

Original comment by michael.hale@gmail.com on 18 Apr 2012 at 3:40

GoogleCodeExporter commented 8 years ago
Hi Michael,

For Volatility Framework 2.1_alpha

I tried the following:

vol.py malfind -f c:\memsmpls\zeus.vmem  -dump-dir c:\re\

Output is: vol.py: error: no such option: -u

Also tried:
vol.py malfind -f c:\memsmpls\zeus.vmem  --dump-dir c:\re\

Output is: vol.py: error: no such option: --dump-dir

What is wrong? Please help.

Thanks
Tamer

Original comment by tame...@gmail.com on 22 Apr 2012 at 7:28

GoogleCodeExporter commented 8 years ago
Hey Tamer, sorry about that. I just realized the --dump-dir option had gotten removed in the transition to the 2.1 alpha base.

See the following patch and update to r1628 to re-enable the --dump-dir option:

http://code.google.com/p/volatility/source/detail?r=1628

Thanks!

Original comment by michael.hale@gmail.com on 23 Apr 2012 at 2:47
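The two different errors above come from the same place: Volatility 2.x parses its command line with Python's optparse, which reads a single-dash word such as "-dump-dir" as a cluster of short flags. "-d" is Volatility's global --debug switch, so it is accepted, and the parser then fails on the next letter, which is why Tamer saw "no such option: -u". With two dashes the parser looks for a long option by name, and on the 2.1 alpha branch before r1628 malfind simply had no --dump-dir, hence "no such option: --dump-dir". The following stand-in parser is an added example, not code from this thread or from Volatility; it models only -d/--debug, -f/--filename and malfind's -D/--dump-dir and reproduces both messages offline.

```python
# Added example (not Volatility's code): a minimal optparse model of vol.py's
# command line that reproduces the two error messages seen in this thread.
# Assumptions, labelled: only -d/--debug, -f/--filename and -D/--dump-dir are
# modelled; nothing else about Volatility's option handling is reproduced.
import optparse


class ParseFailure(Exception):
    """Raised in place of optparse's default sys.exit() so the message can be inspected."""


class NonExitingParser(optparse.OptionParser):
    def error(self, msg):
        raise ParseFailure(msg)


def build_parser(with_dump_dir=True):
    """Build the stand-in parser.

    with_dump_dir=False models the 2.1 alpha branch before r1628, where the
    --dump-dir option had been dropped from malfind.
    """
    parser = NonExitingParser(prog="vol.py")
    # -d/--debug is a Volatility 2.x global option. It matters because optparse
    # reads a single-dash word such as "-dump-dir" as the short flags -d -u -m ...
    parser.add_option("-d", "--debug", action="store_true", default=False)
    parser.add_option("-f", "--filename", dest="filename")
    if with_dump_dir:
        parser.add_option("-D", "--dump-dir", dest="dump_dir")
    return parser


def parse(argv, with_dump_dir=True):
    """Parse argv; return ("ok", dict of parsed values) or ("error", message)."""
    parser = build_parser(with_dump_dir)
    try:
        opts, positional = parser.parse_args(list(argv))
    except ParseFailure as exc:
        return ("error", str(exc))
    return ("ok", {
        "debug": opts.debug,
        "filename": opts.filename,
        "dump_dir": getattr(opts, "dump_dir", None),
        "positional": positional,  # the plugin name ends up here
    })


if __name__ == "__main__":
    image = "c:\\memsmpls\\zeus.vmem"
    outdir = "c:\\re\\"
    # Single dash: optparse consumes -d (debug) and then trips over -u.
    print(parse(["malfind", "-f", image, "-dump-dir", outdir]))
    # Double dash on a build without the option: the other error in the thread.
    print(parse(["malfind", "-f", image, "--dump-dir", outdir], with_dump_dir=False))
    # Double dash with the option restored (r1628): parses as intended.
    print(parse(["malfind", "-f", image, "--dump-dir", outdir]))
```

The practical check is the one Michael gives: run the plugin with -h and use exactly the option spelling it prints. For yarascan in Volatility 2.x, note that --yara-rules (-Y) takes an inline rule string while --yara-file (-y) takes a path to a rules file, so confirm with `yarascan -h` which one your build expects before passing a file name.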

GoogleCodeExporter commented 8 years ago
Hi Michael,

It is working,

Thanks

Original comment by tame...@gmail.com on 24 Apr 2012 at 6:17

GoogleCodeExporter commented 8 years ago
Hey, Michael

yarascan works well.

Then I should find a malware yara rule.

Thanks a lot.

Original comment by ali...@gmail.com on 25 Apr 2012 at 10:22

GoogleCodeExporter commented 8 years ago

Original comment by michael.hale@gmail.com on 2 May 2012 at 6:13