Closed GoogleCodeExporter closed 8 years ago
Volatility 1.3 only supports Windows XP SP2, and as such the plugins you
mentioned may not work against an XP SP3 box. Version 1.4_rc1 has basic
support for Windows XP SP3, and you can test and see if the newer version works.
You can get a copy of volatility-1.4 using subversion (see
http://code.google.com/p/volatility/source/checkout) and you'll find the code
under branch/Volatility-1.4_rc1. Please note, when running plugins against an
XPSP3 image, you'll need to tell volatility to use the XPSP3 profile by adding
"--profile=WinXPSP3".
If that solves it, please let us know, so we can mark this as fixed. If you're
still having trouble, also let us know and we can try to help you debug the
problem further...
Original comment by mike.auty@gmail.com
on 15 Nov 2010 at 11:33
Please also note that issue 6 may be relevant here.
Original comment by mike.auty@gmail.com
on 15 Nov 2010 at 11:34
Original comment by mike.auty@gmail.com
on 23 Nov 2010 at 8:32
[deleted comment]
I'm getting the following error on most commands now:
$ python volatility.py connections -f XPSP3.vmem --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
  File "volatility.py", line 126, in <module>
    main()
  File "volatility.py", line 90, in main
    config.parse_options(False)
  File "/TESTING/vol_1.4/volatility/conf.py", line 225, in parse_options
    (opts, args) = self.optparser.parse_args()
  File "/usr/lib/python2.6/optparse.py", line 1394, in parse_args
    stop = self._process_args(largs, rargs, values)
  File "/TESTING/vol_1.4/volatility/conf.py", line 84, in _process_args
    return optparse.OptionParser._process_args(self, largs, rargs, values)
  File "/usr/lib/python2.6/optparse.py", line 1438, in _process_args
    self._process_short_opts(rargs, values)
  File "/usr/lib/python2.6/optparse.py", line 1545, in _process_short_opts
    option.process(opt, value, values, self)
  File "/usr/lib/python2.6/optparse.py", line 788, in process
    self.action, self.dest, opt, value, values, parser)
  File "/usr/lib/python2.6/optparse.py", line 808, in take_action
    self.callback(self, opt, value, parser, *args, **kwargs)
  File "/TESTING/vol_1.4/volatility/plugins/fileparam.py", line 35, in set_location
    if parser.values.location == None:
AttributeError: Values instance has no attribute 'location'
I know it's probably temporary, but thought I'd post it for now in case it
helps
Original comment by jamie.l...@gmail.com
on 24 Nov 2010 at 5:10
Errr, yep, can you please ensure you remove all your .pyc files since you
updated, as that may have an effect on this...
If you hop on channel, I can talk through various things to check until we
figure out what's going wrong. 5:)
Original comment by mike.auty@gmail.com
on 24 Nov 2010 at 5:15
Hey guys, just had a second free and an XPSP3 image available, so I tested this
to give another perspective. In my case, it worked fine without
"--profile=WinXPSP3" but when I added "--profile=WinXPSP3" I got an error. This
is with rev 553 of 1.4 branch, Python 2.6 and OS X.
$ python volatility.py connections -f XPSP3.vmem
Volatile Systems Volatility Framework 1.4_rc1
Local Address Remote Address Pid
172.16.237.156:2734 65.55.249.67:80 1904
172.16.237.156:2723 63.84.59.32:80 1904
172.16.237.156:2731 65.55.197.248:80 1904
172.16.237.156:2749 72.14.204.148:80 1904
172.16.237.156:2767 65.54.81.47:80 1904
$ python volatility.py connections -f XPSP3.vmem --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Local Address Remote Address Pid
Traceback (most recent call last):
  File "volatility.py", line 126, in <module>
    main()
  File "volatility.py", line 117, in main
    command.execute()
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/plugins/connections.py", line 43, in render_text
    for conn in data:
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/win32/network.py", line 107, in determine_connections
    conn = entry.dereference()
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 531, in dereference
    name = self.obj_name)
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 240, in Object
    **kwargs)
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 675, in __init__
    raise RuntimeError("No members specified for CType")
RuntimeError: No members specified for CType
Original comment by michael.hale@gmail.com
on 29 Nov 2010 at 6:07
Yep, so this is because the plugin attempts to overlay additional fields into
the _TCPT_OBJECT, which exists in the XPSP2 manually created vtypes, but not
the XPSP3 auto-generated one. It only happens to certain images based on how
deep a table is (as to whether the _TCPT_OBJECT gets instantiated or not).
This may get fixed as part of labarum_X's work on autogenerated XPSP2, but
otherwise it'll require the _TCPT_OBJECT to be defined once by the plugin
(assuming it doesn't change across all the profiles), or it could be defined
several times based on common DLL versions, and then those could be found
first, or it could be defined by profile. It mostly depends on how/where this
symbol is defined on the system.
Original comment by mike.auty@gmail.com
on 29 Nov 2010 at 10:27
What if we do an update to the WinXPSP3 profile (in xp_sp3_x86.py) like we have
in WinXPSP2?
xp_sp3_x86_vtypes.ntoskrnl_types.update({
    '_ADDRESS_OBJECT' : [ 0x68, {
        'Next' : [ 0x0, ['pointer', ['_ADDRESS_OBJECT']]],
        'LocalIpAddress' : [ 0x0c, ['unsigned long']],
        'LocalPort' : [ 0x30, ['unsigned short']],
        'Protocol' : [ 0x32, ['unsigned short']],
        'Pid' : [ 0x148, ['unsigned long']],
        'CreateTime' : [ 0x158, ['_LARGE_INTEGER']],
    } ],
    '_TCPT_OBJECT' : [ 0x20, {
        'Next' : [ 0x0, ['pointer', ['_TCPT_OBJECT']]],
        'RemoteIpAddress' : [ 0xc, ['unsigned long']],
        'LocalIpAddress' : [ 0x10, ['unsigned long']],
        'RemotePort' : [ 0x14, ['unsigned short']],
        'LocalPort' : [ 0x16, ['unsigned short']],
        'Pid' : [ 0x18, ['unsigned long']],
    } ],
})
That seems to work:
$ ./volatility.py -f ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 connections
Volatile Systems Volatility Framework 1.4_rc1
Local Address Remote Address Pid
192.168.101.128:31337 192.168.101.1:1158 1696
192.168.101.128:1035 192.168.101.1:445 4
$ ./volatility.py -f ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 sockets
Volatile Systems Volatility Framework 1.4_rc1
Pid Port Proto Create Time
684 500 17 2008-11-26 07:38:45
512 1028 6 2008-11-26 07:38:53
4 445 6 2008-11-26 07:38:11
932 135 6 2008-11-26 07:38:20
1264 1900 17 2008-11-26 07:38:53
4 1035 6 2008-11-26 07:43:07
4 139 6 2008-11-26 07:38:28
1696 31337 6 2008-11-26 07:44:16
1064 123 17 2008-11-26 07:38:53
684 0 255 2008-11-26 07:38:45
4 137 17 2008-11-26 07:38:28
1264 1900 17 2008-11-26 07:38:53
684 4500 17 2008-11-26 07:38:45
4 138 17 2008-11-26 07:38:28
4 445 17 2008-11-26 07:38:11
1064 123 17 2008-11-26 07:38:53
Whereas before I get the crash:
$ ./volatility.py -f ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 connections
Volatile Systems Volatility Framework 1.4_rc1
Local Address Remote Address Pid
Traceback (most recent call last):
  File "./volatility.py", line 126, in <module>
    main()
  File "./volatility.py", line 117, in main
    command.execute()
  File "/volatility/Vol_1.4/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/volatility/Vol_1.4/volatility/plugins/connections.py", line 50, in render_text
    local = "{0}:{1}".format(conn.LocalIpAddress, conn.LocalPort)
  File "/volatility/Vol_1.4/volatility/obj.py", line 301, in __getattr__
    raise AttributeError("Unable to resolve attribute {0} on {1}".format(attr, self.obj_name))
AttributeError: Unable to resolve attribute LocalIpAddress on Array 82
$ ./volatility.py -f ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 sockets
Volatile Systems Volatility Framework 1.4_rc1
Pid Port Proto Create Time
WARNING : volatility.obj : Cant find object _ADDRESS_OBJECT in profile <volatility.plugins.overlays.windows.xp_sp3_x86.WinXPSP3x86 object at 0xa8a312c>
Traceback (most recent call last):
  File "./volatility.py", line 126, in <module>
    main()
  File "./volatility.py", line 117, in main
    command.execute()
  File "/volatility/Vol_1.4/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/volatility/Vol_1.4/volatility/plugins/sockets.py", line 38, in render_text
    for sock in data:
  File "/volatility/Vol_1.4/volatility/win32/network.py", line 140, in determine_sockets
    while sock.is_valid():
AttributeError: 'NoneType' object has no attribute 'is_valid'
Original comment by jamie.l...@gmail.com
on 31 Dec 2010 at 5:08
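As an added illustration of what the fix above amounts to (this is not code from the Volatility project or from anyone in the thread), the Python 3 sketch below models the profile as a plain vtypes dict in the same `[size, {field: [offset, [type]]}]` layout Jamie's snippet uses, shows how to detect up front that a profile lacks the tcpip.sys structures the `connections` and `sockets` plugins need, merges the posted `_ADDRESS_OBJECT`/`_TCPT_OBJECT` definitions in as an overlay, and then decodes a single `_TCPT_OBJECT` from a constructed byte buffer. `AUTOGEN_SP3_TYPES` is a hypothetical stand-in for the auto-generated SP3 types, the buffer is built by hand to match the first row of Jamie's `connections` output, and the byte-order assumptions (raw in-memory IP bytes, network-order ports, little-endian Pid) are mine, not something stated on the page.

```python
import struct

# Vtype descriptions in the layout Volatility 1.4 profiles use:
#   '<struct name>': [<struct size>, {'<field>': [<offset>, [<type spec>]], ...}]
# These two entries are the tcpip.sys structures Jamie posted for WinXPSP3.
NETWORK_OVERLAY = {
    '_ADDRESS_OBJECT': [0x68, {
        'Next': [0x0, ['pointer', ['_ADDRESS_OBJECT']]],
        'LocalIpAddress': [0x0c, ['unsigned long']],
        'LocalPort': [0x30, ['unsigned short']],
        'Protocol': [0x32, ['unsigned short']],
        'Pid': [0x148, ['unsigned long']],
        'CreateTime': [0x158, ['_LARGE_INTEGER']],
    }],
    '_TCPT_OBJECT': [0x20, {
        'Next': [0x0, ['pointer', ['_TCPT_OBJECT']]],
        'RemoteIpAddress': [0xc, ['unsigned long']],
        'LocalIpAddress': [0x10, ['unsigned long']],
        'RemotePort': [0x14, ['unsigned short']],
        'LocalPort': [0x16, ['unsigned short']],
        'Pid': [0x18, ['unsigned long']],
    }],
}

# Hypothetical stand-in for the auto-generated SP3 ntoskrnl_types: it carries the
# kernel's own types (one shown) but nothing from tcpip.sys, which is the gap
# behind "Cant find object _ADDRESS_OBJECT in profile" earlier in the thread.
AUTOGEN_SP3_TYPES = {
    '_LARGE_INTEGER': [0x8, {
        'LowPart': [0x0, ['unsigned long']],
        'HighPart': [0x4, ['long']],
    }],
}

REQUIRED_FOR_NETWORK_PLUGINS = ('_TCPT_OBJECT', '_ADDRESS_OBJECT')


def missing_types(vtypes, required=REQUIRED_FOR_NETWORK_PLUGINS):
    """Names the network plugins need that this profile does not define."""
    return [name for name in required if name not in vtypes]


def apply_overlay(vtypes, overlay):
    """Merge overlay structures into a copy of vtypes.

    A structure that already exists keeps its fields and gains/overrides the
    overlay's; a structure the profile lacks is added whole. Neither input is
    mutated, so a profile can be checked before and after.
    """
    merged = {name: [size, dict(fields)] for name, (size, fields) in vtypes.items()}
    for name, (size, fields) in overlay.items():
        if name in merged:
            merged[name][1].update(fields)
        else:
            merged[name] = [size, dict(fields)]
    return merged


def field_offset(vtypes, struct_name, field):
    """Offset of `field` inside `struct_name`; KeyError if the profile lacks it."""
    if struct_name not in vtypes:
        raise KeyError("Cant find object %s in profile" % struct_name)
    return vtypes[struct_name][1][field][0]


def connection_summary(vtypes, buf, base=0):
    """Decode one _TCPT_OBJECT at buf[base:] into (local, lport, remote, rport, pid).

    Assumptions (mine, not from the thread): x86 little-endian image, IPs kept
    as the raw 4 bytes in memory order, ports in network byte order as
    tcpip.sys stores them, Pid as a native unsigned long.
    """
    def off(field):
        return base + field_offset(vtypes, '_TCPT_OBJECT', field)

    def ip(field):
        return '.'.join(str(b) for b in buf[off(field):off(field) + 4])

    def port(field):
        return struct.unpack_from('>H', buf, off(field))[0]

    pid = struct.unpack_from('<L', buf, off('Pid'))[0]
    return ip('LocalIpAddress'), port('LocalPort'), ip('RemoteIpAddress'), port('RemotePort'), pid


def build_sample_tcpt_object():
    """Constructed 0x20-byte _TCPT_OBJECT matching the first row of Jamie's output."""
    buf = bytearray(0x20)
    buf[0x0c:0x10] = bytes([192, 168, 101, 1])      # RemoteIpAddress
    buf[0x10:0x14] = bytes([192, 168, 101, 128])    # LocalIpAddress
    struct.pack_into('>H', buf, 0x14, 1158)         # RemotePort
    struct.pack_into('>H', buf, 0x16, 31337)        # LocalPort
    struct.pack_into('<L', buf, 0x18, 1696)         # Pid
    return bytes(buf)


if __name__ == '__main__':
    sample = build_sample_tcpt_object()
    print('missing before overlay:', missing_types(AUTOGEN_SP3_TYPES))
    profile = apply_overlay(AUTOGEN_SP3_TYPES, NETWORK_OVERLAY)
    print('missing after overlay:', missing_types(profile))
    print('%s:%d %s:%d %d' % connection_summary(profile, sample))
```

Running `missing_types` before a plugin touches the image is the check that would have turned the two tracebacks above into a one-line "profile lacks _TCPT_OBJECT" message; the overlay step is the same idea as the `update()` call in Jamie's snippet, kept separate from the profile module so the structures can be reused across profiles as the r573 fix does.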
This issue was closed by revision r573.
Original comment by mike.auty@gmail.com
on 31 Dec 2010 at 5:34
Ok, just a quick note that this is now fixed using Jamie's fix of copying the
appropriate structures into a file and updating them into each profile's types.
I also cleaned up some of the imports in the profiles in the process.
Please note, this will only solve the problem for XPSP3, but that's what this
specific issue was about. Retrieving networking information for Vista and
above is all part of issue 6, so anyone following this should go there for
those operating systems.
As ever, feel free to reopen this issue if the fix doesn't work properly, or
you believe the problem still exists. 5:)
Original comment by mike.auty@gmail.com
on 31 Dec 2010 at 5:37
Original issue reported on code.google.com by
geraintg...@gmail.com
on 15 Nov 2010 at 8:09