Joel76 / malwarecookbook

Automatically exported from code.google.com/p/malwarecookbook
0 stars 0 forks source link

IOError: [Errno 22] Invalid argument when running malfind.py #38

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1.vol.py --plugins=/usr/local/src/volatility-2.0/volatility/plugins -f 
memory_dump.raw --profile=WinXPSP3x86 malfind -D malfind/ > malfind.out
2.
3.

What is the expected output? What do you see instead?
I get at least partial output, in that some sections are dumped, but this 
particular image generates the below error.

What version of the product are you using? On what operating system?
# uname -a
Linux aardvark 2.6.32-32-generic #62-Ubuntu SMP Wed Apr 20 21:52:38 UTC 2011 
x86_64 GNU/Linux

malware.py was installed on Nov. 18th...

Image was taken with Helix 2009 R3 live CD

Please provide any additional information below.

# vol.py --plugins=/usr/local/src/volatility-2.0/volatility/plugins -f 
memory_dump.raw --profile=WinXPSP3x86 malfind -D malfind/ > malfind.out
Volatile Systems Volatility Framework 2.0
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 135, in <module>
    main()
  File "/usr/local/bin/vol.py", line 126, in main
    command.execute()
  File "/usr/local/lib/python2.6/dist-packages/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-2.0/volatility/plugins/malware.py", line 1042, in render_text
    for (name,pid,start,end,tag,prx,fname,hits,chunk) in data:
  File "/usr/local/src/volatility-2.0/volatility/plugins/malware.py", line 992, in calculate
    for ps_ad, start, end, tag, prx, data in self.get_vads(proc):
  File "/usr/local/src/volatility-2.0/volatility/plugins/malware.py", line 909, in get_vads
    ps_ad = proc.get_process_address_space()
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/overlays/windows/windows.py", line 197, in get_process_address_space
    process_as = self.obj_vm.__class__(self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base)
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 89, in __init__
    self.as_assert(getattr(volmag, checkname).v(), "Failed valid Address Space check")
  File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 801, in v
    return self.get_best_suggestion()
  File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 827, in get_best_suggestion
    for val in self.get_suggestions():
  File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 819, in get_suggestions
    for x in self.generate_suggestions():
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/overlays/windows/windows.py", line 505, in generate_suggestions
    if (self.obj_vm.vtop(0xffdf0000)) == (self.obj_vm.vtop(0x7ffe0000)):
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 447, in vtop
    pte = self.get_pte(vaddr, pde)
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 414, in get_pte
    return self._read_long_long_phys(pte_addr)
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 459, in _read_long_long_phys
    string = self.base.read(addr, 8)
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/standard.py", line 97, in read
    self.fhandle.seek(addr)
IOError: [Errno 22] Invalid argument

Original issue reported on code.google.com by jessebow...@gmail.com on 16 Dec 2011 at 7:47

GoogleCodeExporter commented 8 years ago
Thanks for the report Jesse. It looks like your error is due to a similar 
already open issue with the Volatility core (thus I copied your message to 
http://code.google.com/p/volatility/issues/detail?id=150#c15 and CC'd you on 
the issue). 

If you're familiar with applying patches, can you check if the one supplied by 
scudette in comment 14 resolves the issue for you?

http://code.google.com/p/volatility/issues/detail?id=150#c14

Basically just copy everything between these two lines:

Index: branches/lin64-support/volatility/plugins/addrspaces/intel.py
.....
     def get_phys_addr(self, vaddr, pte):

Put them in a file named whatever.patch in the same directory as vol.py and 
then do:

$ patch -p0 < whatever.patch 

Then re-run the command. 

Thanks!

Original comment by michael.hale@gmail.com on 16 Dec 2011 at 8:14

GoogleCodeExporter commented 8 years ago
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This corrected my issue; thank you so much for the quick response!

Cheers,

Jesse

- -- 
Jesse Bowling
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7rqz8ACgkQ5E4CHL/YJ2p4zACguKlAbHi97K3Up2pcTTXOR2fX
uokAnRV4NhkmQyC/Mv/oYi9P6gqHCd4s
=vmIM
-----END PGP SIGNATURE-----

Original comment by jessebow...@gmail.com on 16 Dec 2011 at 8:34

GoogleCodeExporter commented 8 years ago
Closing this out, but issue 150 on the core branch will remain open until the 
patch is applied to the volatility framework. 
http://code.google.com/p/volatility/issues/detail?id=150 

Original comment by michael.hale@gmail.com on 16 Dec 2011 at 11:26