Closed GoogleCodeExporter closed 9 years ago
Hi, I believe this is related to your distorm3 installation. If you see the
distorm3 homepage (http://code.google.com/p/distorm/) it says "August 8 2012:
The latest Python binding is broken at the moment. It will be fixed as soon as
I am back from the vacation. Sorry :("
I have a bit older distorm3 version installed and there is no problem:
$ svn checkout https://volatility.googlecode.com/svn/trunk/ volatility
$ svn info | grep Revision
Revision: 2273
$ python vol.py -f ~/Downloads/cridex.vmem -p 1640 apihooks
Volatile Systems Volatility Framework 2.2_alpha
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1640 (reader_sl.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9af000)
Function: ntdll.dll!LdrLoadDll at 0x7c9163a3
Hook address: 0x3da300
Hooking module: <unknown>
Disassembly(0):
0x7c9163a3 e9583fac83 JMP 0x3da300
0x7c9163a8 68f864917c PUSH DWORD 0x7c9164f8
0x7c9163ad e8f984ffff CALL 0x7c90e8ab
0x7c9163b2 a1c8b0977c MOV EAX, [0x7c97b0c8]
0x7c9163b7 8945e4 MOV [EBP+0xffffffe4], EAX
0x7c9163ba 8b DB 0x8b
You can check the distorm3 revision number like this:
>>> import distorm3
>>> distorm3.__revision__
'$Id: distorm.py 186 2010-05-01 14:20:41Z gdabah $'
The standalone volatility 2.1 doesn't have the problem either
(http://volatility.googlecode.com/files/volatility-2.1.standalone.exe) so it's
nothing we change in our code necessarily. I'll contact the author of distorm3
and see if he can figure out what's going on with the library.
Original comment by michael.hale@gmail.com
on 1 Sep 2012 at 3:59
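As an added illustration (not code from this thread or from Volatility itself), the check behind the "Inline/Trampoline" verdict in the apihooks listing above, written in plain Python so it does not depend on distorm3: decode the relative JMP at the start of ntdll!LdrLoadDll and flag it when the jump target lands outside the victim module's address range. The bytes and addresses come from the listing; the constant and function names are this example's own.

```python
import struct

# Constructed from the apihooks output above: the first three instructions
# at ntdll!LdrLoadDll as printed, plus the victim module range.
LDRLOADDLL_VA = 0x7C9163A3
NTDLL_RANGE = (0x7C900000, 0x7C9AF000)
PROLOGUE = bytes.fromhex("e9583fac83" "68f864917c" "e8f984ffff")


def decode_jmp(code, va):
    """Decode a relative JMP at virtual address `va`.

    Returns (length, target) for E9 rel32 (near) and EB rel8 (short) jumps,
    or None if the bytes do not start with a relative JMP. Targets wrap at
    32 bits because the guest in this report is a 32-bit Windows process.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return 5, (va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 2 and code[0] == 0xEB:
        rel = struct.unpack_from("<b", code, 1)[0]
        return 2, (va + 2 + rel) & 0xFFFFFFFF
    return None


def inline_hook_target(code, va, module_range):
    """Return the trampoline target if the prologue begins with a JMP that
    leaves the owning module, else None.

    A JMP that stays inside the module is not reported: compilers and
    hot-patch stubs legitimately emit those, so only out-of-module targets
    are treated as an inline hook.
    """
    decoded = decode_jmp(code, va)
    if decoded is None:
        return None
    _, target = decoded
    lo, hi = module_range
    if lo <= target < hi:
        return None
    return target


if __name__ == "__main__":
    t = inline_hook_target(PROLOGUE, LDRLOADDLL_VA, NTDLL_RANGE)
    print(f"ntdll!LdrLoadDll hooked -> {t:#x}" if t else "no inline hook")
```

Running it reproduces the hook address 0x3da300 that apihooks reported for this process.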
Yep definitely appears like a distorm3 issue. You'll have to downgrade from 3.3
to 3.1 until the distorm3 author fixes the python bindings. A 3.1 build is
available here:
http://distorm.googlecode.com/files/distorm-package3.1.zip
With that installed, it should fix your problems. Feel free to write me
directly (michael.hale@gmail.com) or leave an issue on the distorm3 issue
tracker if you still have issues.
Original comment by michael.hale@gmail.com
on 2 Sep 2012 at 5:16
Original issue reported on code.google.com by
evild3ad...@googlemail.com
on 1 Sep 2012 at 11:35