TakahiroHaruyama / openioc_scan

openioc_scan Volatility Framework plugin
GNU General Public License v2.0

I ran into two issues when running the script: #3

Closed jatiki closed 8 years ago

jatiki commented 8 years ago

Thing 1:

File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/volatility/plugins/openioc_scan.py", line 1436, in extract_MFT_entries self.cur.executemany("insert or ignore into files values (?, ?, ?, ?, ?, ?)", records) sqlite3.ProgrammingError: You must not use 8-bit bytestrings unless you use a text_factory that can interpret 8-bit bytestrings (like text_factory = str). It is highly recommended that you instead just switch your application to Unicode strings.

Thing 2:

File "/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/site-packages/volatility/plugins/openioc_scan.py", line 1292, in extract_timers records.append((str(module.DllBase.v()), str(timer.obj_offset), due_time, timer.Period.v(), signaled, str(timer.Dpc.DeferredRoutine.v()))) AttributeError: 'NoneType' object has no attribute 'DllBase'

These changes fix them (albeit maybe not in the nicest way):

< records.append((str(module.DllBase.v()), str(timer.obj_offset), due_time, timer.Period.v(), signaled, str(timer.Dpc.DeferredRoutine.v())))

Quickfix for module=None

  if module is None:
          records.append(('None', str(timer.obj_offset), due_time, timer.Period.v(), signaled, str(timer.Dpc.DeferredRoutine.v())))
        else:
          records.append((str(module.DllBase.v()), str(timer.obj_offset), due_time, timer.Period.v(), signaled, str(timer.Dpc.DeferredRoutine.v())))
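Review bot: in the `module is None` branch the literal string 'None' is inserted as the module base, so a later query cannot tell a timer whose owning module could not be resolved apart from a real value; insert SQL NULL (Python `None`) instead. Since both branches build the same tuple except for the first element, the duplication can also go: compute `base = str(module.DllBase.v()) if module is not None else None` and call `records.append((base, str(timer.obj_offset), ...))` once.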

1421a1426 debug.debug(a) 1431,1432c1436,1437 < debug.debug('NTFS file info from MFT entry $FN: name={0}, ext={1}, full={2}'.format(name, ext, full))

< records.append((offset, mft_entry.RecordNumber.v(), name, ext, full, size))

                    #records.append((offset, mft_entry.RecordNumber.v(), name, ext, full, size))
                    records.append((offset, mft_entry.RecordNumber.v(), unicode(name), unicode(ext), unicode(full), unicode(size)))
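Review bot: the replacement line wraps `size` in `unicode()` as well as the string fields, which stores the size column as text instead of a number; any numeric comparison on it in SQL then becomes a lexicographic one ('9' sorts after '10'). Only `name`, `ext` and `full` need converting, and for those `unicode(x)` relies on the default codec (ASCII in Python 2) and raises UnicodeDecodeError on a non-ASCII byte string; decode with an explicit encoding, e.g. `name.decode('utf-8', 'replace')`, so a single odd filename does not abort the whole MFT extraction. Also, the `debug.debug('NTFS file info from MFT entry $FN: ...')` line removed by `1431,1432c1436,1437` is not re-added in the replacement.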

TakahiroHaruyama commented 8 years ago

Thank you so much!

jatiki commented 8 years ago

You are very welcome. Thank you for writing this excellent script. It was very useful to me. I just noticed that in my commit I accidentally removed the following line:

debug.debug('NTFS file info from MFT entry $FN: name={0}, ext={1}, full={2}'.format(name, ext, full))

Would you prefer that I correct this and send another pull request, or do you want to fix this yourself? Sorry for the inconvenience.

Regards, Tilo

----- original message ---------

Subject: Re: [openioc_scan] I ran into two issues when running the script: (#3)
Date: Thu 25 Feb 2016 11:21:51 CET
From: Takahiro Haruyama notifications@github.com
To: TakahiroHaruyama/openioc_scan openioc_scan@noreply.github.com

Thank you so much!

---- original message end ----

TakahiroHaruyama commented 8 years ago

No problem. Thanks for the correction :-)