When running the following hashdump command on moyix's ds_fuzz image, I get the
following error:
$ ./volatility.py -f ../ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 -y 0XE1018388 -s 0XE1482008 hashdump
Volatile Systems Volatility Framework 1.4_rc1
ERR: Couldn't find subkey Lsa of Control
Traceback (most recent call last):
  File "./volatility.py", line 126, in <module>
    main()
  File "./volatility.py", line 117, in main
    command.execute()
  File "/Vol_1.4/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/Vol_1.4/volatility/plugins/registry/lsadump.py", line 110, in render_text
    for d in data:
  File "/Vol_1.4/volatility/win32/hashdump.py", line 303, in dump_hashes
    hbootkey = get_hbootkey(samaddr, bootkey)
  File "/Vol_1.4/volatility/win32/hashdump.py", line 164, in get_hbootkey
    md5.update(F[0x70:0x80] + aqwerty + bootkey + anum)
TypeError: cannot concatenate 'str' and 'NoneType' objects
You can see from there that there is an error about the missing LSA key in SYSTEM, which
is true:
$ ./volatility.py -f ../ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 -o 0XE1018388 printkey -K 'ControlSet001\Control'
Volatile Systems Volatility Framework 1.4_rc1
Key name: Control (Stable)
Last updated: 2008-11-26 07:38:18
Subkeys:
  AGP (Stable)
  Arbiters (Stable)
  BackupRestore (Stable)
  Biosinfo (Stable)
  BootVerificationProgram (Stable)
  [snip]
  HAL (Stable)
  IDConfigDB (Stable)
  Keyboard Layout (Stable)
  MediaResources (Stable)
  Network (Stable)
  NetworkProvider (Stable)
  [snip]
The problem is that bootkey is not checked before calling get_hbootkey in
dump_hashes (or within the get_hbootkey function itself).
It might be good to check hbootkey in dump_hashes as well after calling
get_hbootkey in case the SAM keys are unreadable as well...
Original issue reported on code.google.com by jamie.l...@gmail.com on 8 Jan 2011 at 11:29
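The guard the report asks for, as an added example that is not the Volatility project's own code: a `get_hbootkey` that returns `None` instead of raising when the bootkey (or the SAM `F` value) is missing, plus the second check in the caller. The `F` layout and the two constants are reproduced from memory of the public creddump algorithm that hashdump.py is based on; treat them as assumptions. The input bytes are constructed.

```python
import hashlib
from typing import Optional, Tuple

# Constants from the public creddump algorithm (assumed; reproduced from memory).
AQWERTY = b"!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%\0"
ANUM = b"0123456789012345678901234567890123456789\0"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR, used to unwrap the key material inside 'F'."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def get_hbootkey(f_value: Optional[bytes], bootkey: Optional[bytes]) -> Optional[bytes]:
    """Derive the hashed boot key from the SAM Account key's 'F' value.

    Returns None instead of raising TypeError when the SYSTEM bootkey could
    not be read (the case in the report) or when 'F' itself is unusable.
    """
    if bootkey is None or f_value is None or len(f_value) < 0xA0:
        return None
    rc4_key = hashlib.md5(f_value[0x70:0x80] + AQWERTY + bootkey + ANUM).digest()
    return rc4(rc4_key, f_value[0x80:0xA0])


def dump_hashes(f_value: Optional[bytes], bootkey: Optional[bytes]) -> Tuple[Optional[bytes], str]:
    """Caller-side check: report why dumping stopped instead of crashing."""
    if bootkey is None:
        return None, "bootkey unavailable (SYSTEM\\...\\Control\\Lsa not readable)"
    hbootkey = get_hbootkey(f_value, bootkey)
    if hbootkey is None:
        return None, "hbootkey unavailable (SAM Account 'F' value not readable)"
    return hbootkey, "ok"


# Constructed sample input: a 0xA0-byte 'F' blob and a 16-byte bootkey.
SAMPLE_F = bytes(range(0xA0))
SAMPLE_BOOTKEY = bytes.fromhex("00112233445566778899aabbccddeeff")
```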