JPCERTCC / MalConfScan

Volatility plugin for extracting configuration data of known malware

malconfscan & malstrscan runtime errors #8

Open omrirefaeli opened 5 years ago

omrirefaeli commented 5 years ago

Both plugins resulted in an error when running. I am using an Ubuntu 16.04 virtual machine, 4 GB RAM, 1 CPU.

malconfscan:

omri@ubuntu:/opt/calamity/MalConfScan$ vol.py -f ~/Desktop/otterctf.vmem --profile=Win7SP1x64 malconfscan
Volatility Foundation Volatility Framework 2.6.1
[+] Searching memory by Yara rules.
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 4, in <module>
    __import__('pkg_resources').run_script('volatility==2.6.1', 'vol.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 719, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1504, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/malconfscan.py", line 94, in render_text
    for task, start, end, malname, memory_model, config_data in data:
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/malconfscan.py", line 84, in calculate
    for task, vad_base_addr, end, hit, memory_model, config_data in instance.calculate():
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/utils/datperscan.py", line 236, in calculate
    dec = self.custom_rc4(enc, key, rc4key_seed)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/utils/datperscan.py", line 97, in custom_rc4
    for char in data:
TypeError: 'NoneType' object is not iterable


malstrscan:

omri@ubuntu:/opt/calamity/MalConfScan$ vol.py -f ~/Desktop/otterctf.vmem --profile=Win7SP1x64 malstrscan
Volatility Foundation Volatility Framework 2.6.1
[+] Searching for malicious memory space.
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 4, in <module>
    __import__('pkg_resources').run_script('volatility==2.6.1', 'vol.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 719, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1504, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/malconfscan.py", line 271, in render_text
    for task, start, end, data, protection, strings in data:
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/malconfscan.py", line 206, in calculate
    for start, end, memdata, protection in self.detect_injection_proc(proc, space):
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/plugins/malware/malconfscan.py", line 140, in detect_injection_proc
    data = address_space.zread(vad.Start, vad.End + 1)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/addrspace.py", line 283, in zread
    return self._read(addr, length, True)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.6.1-py2.7.egg/volatility/addrspace.py", line 269, in _read
    return "".join(buff)
MemoryError

Any solutions come to mind? Thanks!

ohisama commented 4 years ago

My environment is Ubuntu 18.04 LTS; Volatility was installed with apt-get.

volatility malconfscan -f laqma.vmem/laqma.vmem

Volatility Foundation Volatility Framework 2.6
[+] Searching memory by Yara rules.
Traceback (most recent call last):
  File "/usr/bin/volatility", line 192, in <module>
    main()
  File "/usr/bin/volatility", line 183, in main
    command.execute()
  File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/malconfscan.py", line 101, in render_text
    for task, start, end, malname, memory_model, config_data in data:
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/malconfscan.py", line 87, in calculate
    for task, vad_base_addr, end, hit, memory_model, config_data in instance.calculate():
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/utils/datperscan.py", line 236, in calculate
    dec = self.custom_rc4(enc, key, rc4key_seed)
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/malware/utils/datperscan.py", line 97, in custom_rc4
    for char in data:
TypeError: 'NoneType' object is not iterable
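Both malconfscan tracebacks in this thread end the same way: custom_rc4 in datperscan.py iterates over `data` and gets None, meaning the step that should have carved the encrypted DATPER config blob out of the VAD found nothing and the result was passed to the cipher unchecked. The block below is an added illustration, not MalConfScan's code: a standard RC4 stands in for the plugin's custom_rc4 (whose real key schedule is not shown on this page), and extract_enc_blob, decode_config, the marker and the 16-byte blob size are hypothetical; it shows the None check before decryption that turns this crash into a plain "no config found" result, and crashes_on_none reproduces the reported failure.

```python
from typing import Optional


def rc4(data: bytes, key: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); stand-in for the plugin's custom_rc4."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for ch in data:                            # this is the line that fails on None
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(ch ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def extract_enc_blob(vad_data: bytes, marker: bytes) -> Optional[bytes]:
    """Hypothetical carve step: the 16 bytes following a marker, or None
    when the marker is absent (the situation behind the reported crash)."""
    idx = vad_data.find(marker)
    if idx < 0:
        return None
    start = idx + len(marker)
    return vad_data[start:start + 16]


def decode_config(vad_data: bytes, key: bytes, marker: bytes) -> Optional[bytes]:
    """Carve then decrypt, skipping decryption when nothing was carved."""
    enc = extract_enc_blob(vad_data, marker)
    if enc is None:                            # guard missing in the traceback's path
        return None
    return rc4(enc, key)


def crashes_on_none(key: bytes) -> bool:
    """Reproduce the reported failure: passing None straight to the cipher
    raises TypeError ('NoneType' object is not iterable)."""
    try:
        rc4(None, key)                         # type: ignore[arg-type]
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    key, marker, plain = b"testkey", b"DATPER", b"cfg:example.test"   # constructed
    sample = b"junk" + marker + rc4(plain, key) + b"tail"              # constructed VAD
    print(decode_config(sample, key, marker), decode_config(b"empty", key, marker))
```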