Closed GoogleCodeExporter closed 8 years ago
In C:\Python27\Scripts, do you have vutils.py ? Malfind depends on vutils.py.
It is available here:
http://code.google.com/p/volatility/source/browse/trunk/Volatility/vutils.py?r=256
Original comment by Bret...@gmail.com
on 25 Oct 2011 at 6:38
@baperkins2: I think you're using an old version of malfind. Please download
the latest version here:
http://code.google.com/p/malwarecookbook/source/browse/trunk/malware.py
P.S. I know you're using an old version because the new one doesn't import
vutils. The vutils.py is only in Volatility 1.3.
Original comment by michael.hale@gmail.com
on 25 Oct 2011 at 6:54
Thx for the suggestions. However, I am still getting errors. Please see below.
I am using Vol 2.0.
C:\Python27\Scripts>vol.py -f C:\Python27\RAM\ram.vmem -p 1956 malware.yara -D C:\Python27\RAM malfind
Volatile Systems Volatility Framework 2.0
*** Failed to import volatility.plugins.malfind (ImportError: No module named
forensics.symbols)
Name Pid Start End Tag Hits Protect
C:\Python27\Scripts>
Original comment by baperki...@gmail.com
on 26 Oct 2011 at 2:11
This is because you are using the wrong version of *malware.py*. The version you
are using is compatible only with the previous version of Volatility. Please
download the NEW version of malware.py from here:
http://malwarecookbook.googlecode.com/svn/trunk/malware.py
Original comment by jamie.l...@gmail.com
on 26 Oct 2011 at 2:19
I do have the correct version of malware.py installed and resident in
C:\Python27\Lib\site-packages\volatility\plugins.
Original comment by baperki...@gmail.com
on 26 Oct 2011 at 2:25
Please delete all *.pyc files then. I know that it's still picking up the OLD
malware.py because the NEW malware.py doesn't import "forensics.symbols"
Original comment by jamie.l...@gmail.com
on 26 Oct 2011 at 2:27
OK, so I deleted as suggested, still no go. I then deleted malfind.py and
malware.py. I then copied just malware.py (NEW version) into the plugins dir. I
run the command and I get no errors, however, I get no results when I am
expecting to see some.
Original comment by baperki...@gmail.com
on 26 Oct 2011 at 3:08
What is the command you are running ?
I see the following from before:
vol.py -f C:\Python27\RAM\ram.vmem -p 1956 malware.yara -D C:\Python27\RAM malfind
I think you are missing an argument:
vol.py -f C:\Python27\RAM\ram.vmem -p 1956 -y malware.yara -D "C:\Python27\RAM
malfind"
OR
vol.py -f C:\Python27\RAM\ram.vmem -p 1956 -Y malware.yara -D "C:\Python27\RAM
malfind"
Original comment by jamie.l...@gmail.com
on 26 Oct 2011 at 3:19
Just to be clear, none of the "Volatility Analyst Pack" plugins from
code.google.com/p/mhl-malware-scripts are compatible with Volatility 2.0. That
includes malfind.py, apihooks.py, etc. All of the functionality of those
plugins has been combined into the single file malware.py from
code.google.com/p/malwarecookbook (direct links above).
Based on your comment "installed and resident in
C:\Python27\Lib\site-packages\volatility\plugins" it appears to me that you're
using Volatility 2.0's "Volatility 2.0 Windows Module Installer" from
http://volatility.googlecode.com/files/volatility-2.0.win32.exe. That is
perfectly fine.
To be honest, I would delete your whole
C:\Python27\Lib\site-packages\volatility directory and re-install using the
volatility-2.0.win32.exe. Then download
http://malwarecookbook.googlecode.com/svn/trunk/malware.py and place it in
C:\Python27\Lib\site-packages\volatility\plugins\malware.py.
I just did the above process on XP and Win7 with no problems at all, so most
likely you made some small mistake by first installing the older plugins for
1.3 into the 2.0 framework and didn't clean up correctly. Or perhaps as
instructed in the previous comment, you're just not using the right command
line arguments.
I'm going to re-open this issue until you get it resolved.
Original comment by michael.hale@gmail.com
on 26 Oct 2011 at 3:25
Here is the command I have settled on.
vol.py -f C:\python27\ram\ram.vmem -p 1956 -Y malware.yara -D C:\python27\ram malfind
Original comment by baperki...@gmail.com
on 26 Oct 2011 at 3:26
Did you get the output you expected? Did you get any output at all? If not as
expected, what were you expecting and how do you know that it is incorrect
(what steps did you do to verify that it is incorrect)?
Original comment by jamie.l...@gmail.com
on 26 Oct 2011 at 3:38
I am following along with this write up (http://www.evild3ad.com/?p=1136) and
validating the tools so I can utilize the same approach as part of my IR.
I am on this part, "(6.) Let’s try the function ‘malfind’ and the open
source YARA project". However, the write up gets results showing the injected
binary and dumps it out. I, however, using the same commands etc get no results
when executing this part of the write up. Below is my command and results.
C:\Python27\Scripts>vol.py -f C:\Python27\RAM\1.vmem -p 1956 -Y malware.yara -D C:\Python27\Ram malfind
Volatile Systems Volatility Framework 2.0
Name Pid Start End Tag Hits Protect
C:\Python27\Scripts>
Original comment by baperki...@gmail.com
on 26 Oct 2011 at 4:06
FYI - I did delete all the plugins and reinstall as suggested.
Original comment by baperki...@gmail.com
on 26 Oct 2011 at 4:07
Just so we are clear: are you using the memory image that he provided in that
writeup?
Original comment by jamie.l...@gmail.com
on 26 Oct 2011 at 4:13
Yes. That is correct. All is well and I get the documented results up until #6.
Original comment by baperki...@gmail.com
on 26 Oct 2011 at 4:16
So I would suspect malware.yara at this point. Does your malware.yara file have
a rule called "browsers" in it?
Original comment by michael.hale@gmail.com
on 26 Oct 2011 at 4:22
Alright, I think I've got it figured out. I'm not sure where you got
malware.yara from, but it's missing the "browsers" rule. The bigger question is
where evild3ad got his malware.yara which did contain the "browsers" rule, since
I wrote that rule and never made it public (just shared with a few friends).
Someone must have leaked it. Anyway, since it's already out there, I added the
rule here:
http://code.google.com/p/malwarecookbook/source/detail?r=121
Now that you actually have the signatures, it should work as expected.
Original comment by michael.hale@gmail.com
on 26 Oct 2011 at 4:40
Ah, there ya go, no rule :(
OK, so what do I need to do here? Coding is not my area but I can follow logic.
Original comment by baperki...@gmail.com
on 26 Oct 2011 at 4:55
Just saw your post. I will give it a try.
Original comment by baperki...@gmail.com
on 26 Oct 2011 at 4:57
Yeah, you don't need to code anything, just use capabilities.yara from my site
instead of your malware.yara.
Original comment by michael.hale@gmail.com
on 26 Oct 2011 at 5:00
Even with the browser rule still no go. I will revisit this in a little while as
my case load is still no smaller from this A.M. Thank you for looking into
this. I will keep you updated.
Original comment by baperki...@gmail.com
on 26 Oct 2011 at 5:08
You have yara installed right? You'd probably get an import error if not, but
just asking to make sure. Everything seems to be working fine in my testing.
Original comment by michael.hale@gmail.com
on 26 Oct 2011 at 5:42
Yes I do. Here is the install file name...yara-python-1.4a.win32-py2.7.exe
Original comment by baperki...@gmail.com
on 26 Oct 2011 at 5:53
Yeah that version should be fine. I guess you can test the yara install without
the rules file. Note the lowercase y instead of Y to supply a search string on
command line:
C:\Python27\Scripts>vol.py -f C:\Python27\RAM\1.vmem -p 1956 -y "kernel32" -D C:\Python27\Ram malfind
Since "kernel32" should be pretty prevalent, you should get a ton of hits. This
will at least prove if there's a problem with your yara installation.
Original comment by michael.hale@gmail.com
on 26 Oct 2011 at 6:06
Yes, tons of hits with that string. So yara is working correctly, now it points
back to the rules in the yara file.
Original comment by baperki...@gmail.com
on 26 Oct 2011 at 6:12
That's very strange. Maybe you should strip the browsers rule into a separate
file and try -Y browsers.yara. Either that or create a rule for something you
already know exists like this:

    rule testing {
        strings:
            $a = "kernel32"
        condition:
            $a
    }

Then run -Y testing.yara. Do either of those tests give you results?
Original comment by michael.hale@gmail.com
on 26 Oct 2011 at 8:45
Now that is interesting. Neither of these scenarios using separate .yara files
give me hits. However, as previously noted in comment #24, when I pass the
search string -y "kernel32" I get hits! So something is up with the parsing of
the .yara files.
Original comment by baperki...@gmail.com
on 27 Oct 2011 at 11:36
Last thing I can think of is... you do have malware.yara in the same directory
as vol.py, right? That is, since you're using "-Y malware.yara". If the .yara
rules are somewhere else, you have to supply a full path like -Y
C:\directory\to\malware.yara.
Original comment by michael.hale@gmail.com
on 27 Oct 2011 at 1:28
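Added example, not code from this thread, from Volatility or from malware.py: a pre-flight check in Python for the two failure modes the thread arrives at, a rules file that is not where the relative path given to -Y resolves (so the plugin silently reports no hits) and a rules file that exists but does not define the rule the write-up expects ("browsers"). The file name testing.yara, the helper names and the rule-header regex are assumptions; the "testing" rule is the one posted above.

```python
import os
import re
import tempfile

# Constructed sample input: the "testing" rule posted in the thread.
SAMPLE_RULES = '''rule testing {
    strings:
        $a = "kernel32"
    condition:
        $a
}
'''

# Matches rule headers such as "rule browsers {" or "private rule x : tag {".
RULE_HEADER = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_]\w*)", re.M)

def rule_names(text):
    """Return the names of the rules defined in YARA rule text."""
    return RULE_HEADER.findall(text)

def check_rules_file(path, required, cwd=None):
    """Pre-flight check for a rules file before handing it to malfind's -Y.

    A relative path is resolved against cwd (default: the current working
    directory), which is where the plugin would look for it. Returns the
    resolved path, whether the file exists there, and which required rule
    names are not defined in it.
    """
    base = cwd or os.getcwd()
    resolved = path if os.path.isabs(path) else os.path.join(base, path)
    result = {"resolved": resolved, "exists": os.path.isfile(resolved),
              "missing": list(required)}
    if result["exists"]:
        with open(resolved) as f:
            present = set(rule_names(f.read()))
        result["missing"] = [r for r in required if r not in present]
    return result

def demo():
    """Write the sample rules to a temp dir and run the check both ways."""
    rules_dir, other_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(rules_dir, "testing.yara"), "w") as f:
        f.write(SAMPLE_RULES)
    required = ["testing", "browsers"]
    # Relative name resolved from a directory without the file: the silent
    # "no hits at all" case from the thread, not a defect in the rules.
    wrong = check_rules_file("testing.yara", required, cwd=other_dir)
    # Same file by full path: found, but the "browsers" rule is absent.
    right = check_rules_file(os.path.join(rules_dir, "testing.yara"), required)
    return {"wrong": wrong, "right": right}
```

Running the check on the real malware.yara path before invoking the plugin separates "file not found" from "rule not present", which the -y "kernel32" search alone cannot tell apart.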
Success! First I want to thank you for working through this with me. Your last
comment was exactly the issue, combined with the indication that I had with the
.yara files not being parsed. I referenced the .yara files directly and bingo,
it works. It's a Homer moment. Details, Details, Details. Thx again.
Original comment by baperki...@gmail.com
on 27 Oct 2011 at 1:52
Original comment by michael.hale@gmail.com
on 27 Oct 2011 at 2:28
Original issue reported on code.google.com by
baperki...@gmail.com
on 25 Oct 2011 at 5:25