search

ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
1 stars 0 forks source link

malfind - Struct _MMADDRESS_NODE has no member Flags #227

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. vol.py -f file.dump malfind -p 2440 --dump-dir . --profile=Win7SP1x86 

-p is the PID of Explorer, which is supposed to have the Zeus trojan injected 
into it.

The output I'm getting is;

WARNING : volatility.obj      : Deprecation warning: A plugin is making use of 
profile.add_types
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 177, in <module>
    main()
  File "/usr/local/bin/vol.py", line 168, in main
    command.execute()
  File "/usr/local/lib/python2.6/dist-packages/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/malware.py", line 1042, in render_text
    for (name,pid,start,end,tag,prx,fname,hits,chunk) in data:
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/malware.py", line 992, in calculate
    for ps_ad, start, end, tag, prx, data in self.get_vads(proc):
  File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/malware.py", line 923, in get_vads
    yield (ps_ad, start, end, vad.Tag, vad.Flags.Protection >> 24, data)
  File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 778, in __getattr__
    return self.m(attr)
  File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 763, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct _MMADDRESS_NODE has no member Flags

volatility 2.1a SVN Rev 1524, latest malwarecookbook malware.py

Cheers

James

Original issue reported on code.google.com by james.wo...@transmax.com.au on 9 Mar 2012 at 7:14

GoogleCodeExporter commented 9 years ago 
Hi James, 

The malware.py file is for Volatility 2.0 only (you're using it with 2.1 
alpha). The 2.1 release will ship with malfind (it will be in 
volatility/plugins/malware) and this problem is resolved. One of the reasons 
for bringing the malware plugins into the core is to make it easier to keep 
them in sync with changes that are occurring between releases. So for the next 
few weeks if you need to use malfind, please use it with 2.0 from 
http://code.google.com/p/volatility/downloads/list.

Original comment by michael.hale@gmail.com on 9 Mar 2012 at 2:18

GoogleCodeExporter commented 9 years ago 
Thank you! That got it! One PE dump obtained, urge to kill...fading...fading...

Cheers

James

Original comment by james.wo...@transmax.com.au on 12 Mar 2012 at 11:01

GoogleCodeExporter commented 9 years ago 
Thanks for getting back to us James, do you want us to keep this bug open 
still, or are you happy with the resolution?

Original comment by mike.auty@gmail.com on 12 Mar 2012 at 11:18

GoogleCodeExporter commented 9 years ago 
Very happy with the resolution, it wasn't really a bug after all and yes, the 
issue can be closed.

Original comment by james.wo...@transmax.com.au on 13 Mar 2012 at 10:46

GoogleCodeExporter commented 9 years ago

Original comment by michael.hale@gmail.com on 14 Mar 2012 at 1:30