REMnux / salt-states

This repository maintains the SaltStack state files for the REMnux distro.
https://REMnux.org

yarascan invalid integer #190

Closed wolf0x closed 2 years ago

wolf0x commented 2 years ago

vol.py -f "./Windows 7.vmem" --profile=Win7SP1x64_23418 yarascan -Y "211.211.211.211"

vol.py: error: option -Y: invalid integer value: '211.211.211.211'

Remnux-v7-focal

PDX4N6 commented 2 years ago

The issue is not with Volatility or REMnux. It is the syntax in your command: on the REMnux version of Volatility 2.6.1 you will need to use the -U flag when passing a string as a rule and the -y flag when calling a YARA rule file. Hope this helps.

lennyzeltser commented 2 years ago

@PDX4N6, thank you for diagnosing this issue. @wolf0x, thank you for reporting it.

Yes, I completely forgot that to eliminate conflicts with other Volatility 2 plugins, I had to change the following yarascan options:

To help prevent such confusion in the future, I just added a note about it to the Volatility Framework entry on the REMnux documentation site (https://docs.remnux.org/discover-the-tools/perform+memory+forensics#volatility-framework).
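The option clash PDX4N6 and Lenny describe, modelled as an added example rather than Volatility's or REMnux's own code. Volatility 2 parses its command line with optparse, with every loaded plugin registering its options into one shared parser. The parser below assumes, as a constructed placeholder, that some other plugin already owns -Y as an integer-valued option (the thread does not name which one), and registers yarascan's options under -U/--yara-rules and -y/--yara-file as on the REMnux build. Passing -Y with an IP address then reproduces the "invalid integer value" error from the original report verbatim, while -U and --yara-rules parse cleanly.

```python
import optparse

# Added example modelling the yarascan flag clash from this thread. It is not
# Volatility's or REMnux's code. Volatility 2 really does use optparse with one
# shared parser for all plugins; "--other-count" is a constructed stand-in for
# whichever plugin owns -Y on that build (the thread does not name it).


class NonExitingParser(optparse.OptionParser):
    """optparse normally prints the error and calls sys.exit(2); raise instead
    so the caller can inspect the exact message vol.py would have printed."""

    def error(self, msg):
        raise optparse.OptParseError("%s: error: %s" % (self.get_prog_name(), msg))


def build_parser(rule_flag="-U", file_flag="-y"):
    """Shared parser: core vol.py options, a placeholder plugin that already
    claimed -Y as an integer, then yarascan's options under the REMnux layout."""
    parser = NonExitingParser(prog="vol.py")
    parser.add_option("-f", "--filename", dest="filename")
    parser.add_option("--profile", dest="profile")
    # Placeholder for the other plugin's integer-valued -Y (constructed).
    parser.add_option("-Y", "--other-count", dest="other_count", type="int")
    # yarascan on REMnux: -U for an inline rule string, -y for a rule file.
    parser.add_option(rule_flag, "--yara-rules", dest="yara_rules")
    parser.add_option(file_flag, "--yara-file", dest="yara_file")
    return parser


def run_yarascan_cli(argv):
    """Parse a vol.py command line and report either the parsed yarascan
    options or the error text optparse would have produced."""
    try:
        opts, positional = build_parser().parse_args(list(argv))
    except optparse.OptParseError as exc:
        return {"ok": False, "error": str(exc)}
    return {
        "ok": True,
        "plugin": positional[0] if positional else None,
        "yara_rules": opts.yara_rules,
        "yara_file": opts.yara_file,
    }


if __name__ == "__main__":
    # The command line from the original report, with each flag variant.
    base = ["-f", "Windows 7.vmem", "--profile=Win7SP1x64_23418", "yarascan"]
    for tail in (["-Y", "211.211.211.211"], ["-U", "211.211.211.211"],
                 ["--yara-rules", "211.211.211.211"], ["-y", "rules.yar"]):
        print(" ".join(tail), "->", run_yarascan_cli(base + tail))
```

Because -Y is bound to an integer option before yarascan's options are consulted, optparse rejects the string during type conversion; it never reaches yarascan at all, which is why the error mentions an integer rather than YARA. The same model explains why digitalsleuth's --yara-rules form works: the long option name was never part of the clash, only the short -Y.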

wolf0x commented 2 years ago

I tried U but it seems it's invalid. Do I need to update REMnux?


lennyzeltser commented 2 years ago

@wolf0x, upgrading REMnux should affect this.

Sorry, I don't know why -U isn't working :-(

digitalsleuth commented 2 years ago

@wolf0x, any chance you can provide the output of sudo remnux version and the sha256sum of the OVA file you used to build the VM? This will help narrow down any changes in versions since you downloaded and spawned the VM you're currently using.

digitalsleuth commented 2 years ago

So, I've taken a look at this and can confirm that the -U option is working. Using a sample memory dump, I first checked to see if the netscan / connscan plugins would find any network connectivity. Confirming one viable IP address, I then used the following:

vol.py -f zeus.dmp --profile=WinXPSP2x86 yarascan -U "65.54.81.89"

and

vol.py -f zeus.dmp --profile=WinXPSP2x86 yarascan --yara-rules "65.54.81.89"

Both of these had successful results (screenshot: https://user-images.githubusercontent.com/62841822/132966792-3c2465fd-8264-4a74-a229-0faea81866e8.png).

@wolf0x, if you can provide me a copy of the Win7 memdump you're using, or use one that you know contains the IP address you're searching for, then that would definitely help confirm that the plugin works on your end.

wolf0x commented 2 years ago

Sleuth,

Many thanks, it could be working. Tkx.
