JPCERTCC / MalConfScan

Volatility plugin for extracting configuration data of known malware

MemoryError on windows10 with Win10x64_18362 profile #7

Closed Batman781 closed 4 years ago

Batman781 commented 5 years ago

I'm getting a memory error on a Windows 10 x64 2 GB memory dump taken from ESXi 6.7, using the Win10x64_18362 profile:

Volatility Foundation Volatility Framework 2.6.1
[+] Searching memory by Yara rules.
Traceback (most recent call last):
  File "/opt/calamity/volatility/vol.py", line 192, in <module>
    main()
  File "/opt/calamity/volatility/vol.py", line 183, in main
    command.execute()
  File "/opt/calamity/volatility/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/opt/calamity/volatility/volatility/plugins/malware/malconfscan.py", line 94, in render_text
    for task, start, end, malname, memory_model, config_data in data:
  File "/opt/calamity/volatility/volatility/plugins/malware/malconfscan.py", line 84, in calculate
    for task, vad_base_addr, end, hit, memory_model, config_data in instance.calculate():
  File "/opt/calamity/volatility/volatility/plugins/malware/utils/datperscan.py", line 216, in calculate
    data = proc_addr_space.zread(vad_base_addr, end - vad_base_addr)
  File "/opt/calamity/volatility/volatility/addrspace.py", line 283, in zread
    return self._read(addr, length, True)
  File "/opt/calamity/volatility/volatility/addrspace.py", line 269, in _read
    return "".join(buff)
MemoryError
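
The traceback above fails inside zread() because the entire VAD range (end - vad_base_addr) is materialised as a single string before it is scanned. The Python below is an added illustration, not MalConfScan's or Volatility's code: a MockAddrSpace stands in for proc_addr_space, and scan_region_chunked reads the region in bounded chunks with a small overlap so a signature straddling a chunk boundary is still found. The mock, the chunked scanner and the CONSTRUCTED_MARK / SECOND sample patterns are all assumptions made for this example.

```python
"""Added example (not MalConfScan/Volatility code): scan a large VAD region
in bounded chunks instead of one zread() of the whole range.

MockAddrSpace is an assumed stand-in for a Volatility process address
space; scan_region_chunked is an assumed mitigation pattern, not the
project's actual fix. Sample pages and patterns are constructed."""

PAGE = 0x1000


class MockAddrSpace:
    """Minimal address-space stand-in: a dict of page-sized backing buffers.
    Unmapped pages read back as zero bytes, mirroring zread() semantics."""

    def __init__(self, pages):
        self.pages = pages  # {page_base: bytes of length PAGE}

    def zread(self, addr, length):
        out = bytearray()
        while length > 0:
            base = addr & ~(PAGE - 1)
            off = addr - base
            n = min(length, PAGE - off)
            page = self.pages.get(base, b"\x00" * PAGE)
            out += page[off:off + n]
            addr += n
            length -= n
        return bytes(out)


def scan_region_chunked(space, start, end, patterns, chunk_size=0x100000):
    """Return [(absolute_offset, pattern), ...] hits in [start, end) without
    ever holding the whole region. Each chunk is read with an extra
    (max pattern length - 1) bytes of overlap so a match that straddles a
    chunk boundary is found; hits are de-duplicated by absolute offset."""
    if not patterns:
        return []
    overlap = max(len(p) for p in patterns) - 1
    hits, seen = [], set()
    pos = start
    while pos < end:
        length = min(chunk_size, end - pos)
        read_len = min(length + overlap, end - pos)  # never read past end
        data = space.zread(pos, read_len)            # peak alloc ~ chunk_size + overlap
        for pat in patterns:
            idx = data.find(pat)
            while idx != -1:
                key = (pos + idx, pat)
                if key not in seen:
                    seen.add(key)
                    hits.append(key)
                idx = data.find(pat, idx + 1)
        pos += length
    return hits


def build_sample_space():
    """Constructed two-page region: one marker split across the page
    boundary at 0x11000, a second marker fully inside the second page."""
    page0 = b"\x00" * (PAGE - 4) + b"CONS"
    page1 = b"TRUCTED_MARK" + b"\x00" * 0xF4 + b"SECOND" + b"\x00" * (PAGE - 0x106)
    assert len(page0) == PAGE and len(page1) == PAGE
    return MockAddrSpace({0x10000: page0, 0x11000: page1})


def find_hits_in_sample(chunk_size=PAGE):
    """Scan the constructed region with page-sized chunks (the boundary case)
    or with one chunk covering everything; both must yield the same hits."""
    space = build_sample_space()
    patterns = [b"CONSTRUCTED_MARK", b"SECOND"]
    return scan_region_chunked(space, 0x10000, 0x12000, patterns, chunk_size)


if __name__ == "__main__":
    for off, pat in find_hits_in_sample():
        print("0x%x %s" % (off, pat.decode()))
```

With chunk_size equal to one page the first marker begins 4 bytes before the chunk boundary and is only found because of the overlap read; without it the scanner would silently miss a signature that the single huge zread() in the traceback would have matched (had it not exhausted memory first).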
shu-tom commented 5 years ago

It looks like malconfscan failed to analyze the Datper malware. Can you share the malware hash?

Batman781 commented 5 years ago

Sorry, but I've already deleted the malware and changed tools (Process Hacker).