monnappa22 / HollowFind

Hollowfind is a Volatility plugin to detect different types of process hollowing techniques used in the wild to bypass, confuse, deflect and divert the forensic analysis techniques. The plugin detects such attacks by finding discrepancy in the VAD and PEB, it also disassembles the address of entry point to detect any redirection attempts and also reports any suspicious memory regions which should help in detecting any injected code.

UnboundLocalError: local variable 'proc_cmd_line' referenced before assignment #1

Open jasonblanks opened 8 years ago

jasonblanks commented 8 years ago

Wondering if I am missing something, or if this is a real bug?

```
$ sudo vol.py --plugins=/data/vol/plugins --profile=Win7SP1x86 -f memdump.mem hollowfind
Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 4, in <module>
    __import__('pkg_resources').run_script('volatility==2.5', 'vol.py')
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 742, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1497, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/data/vol/plugins/hollowfind.py", line 206, in render_text
    for (hol_proc_peb_info, hol_proc_vad_info, hol_pid, hol_type, similar_procs, parent_proc_info) in data:
  File "/data/vol/plugins/hollowfind.py", line 179, in calculate
    self.update_proc_peb_info(psdata)
  File "/data/vol/plugins/hollowfind.py", line 50, in update_proc_peb_info
    self.proc_peb_info[pid].extend([str(proc_cmd_line),
UnboundLocalError: local variable 'proc_cmd_line' referenced before assignment
$
```

monnappa22 commented 8 years ago

Thank you, I would like to replicate this error and try to find out what is causing this. Could you please let me know if this memory image is publicly available? Also, do you know for which process this error is triggered?

Thanks, Monnappa

On Fri, Dec 9, 2016 at 6:14 AM, Jason Blanks notifications@github.com wrote:

Wondering if I am missing something, or if this is a real bug?


jasonblanks commented 8 years ago

Not a public image, unfortunately a work image. I've tried singling out random processes and every one I have tried produces the same error. Will try and find a public Win7SP1x86 image Monday and test. I did test a public XP image without any error.

```
$ sudo vol.py --plugins=/data/vol/plugins --profile=Win7SP1x86 -f memdump.mem pslist
Volatility Foundation Volatility Framework 2.5
Offset(V)  Name          PID  PPID Thds Hnds  Sess   Wow64 Start                          Exit
0x84dff9c0 System          4     0  129  796  23...6     0 2016-11-23 20:31:30 UTC+0000
0x873b5cc0 smss.exe      392     4    3   33  ------     0 2016-11-23 20:31:36 UTC+0000
0x873fe030 csrss.exe     468   452   11 1206       0     0 2016-11-23 20:31:39 UTC+0000
0x8786b630 wininit.exe   512   452    3  102       0     0 2016-11-23 20:31:44 UTC+0000
0x87a8c030 csrss.exe     528   504   11  103       1     0 2016-11-23 20:31:44 UTC+0000
0x87b96a90 winlogon.exe  584   504    3  103       1     0 2016-11-23 20:31:45 UTC+0000
0x87b73d28 services.exe  636   512   10  347       0     0 2016-11-23 20:31:47 UTC+0000
0x87c12a90 lsass.exe     652   512   10 1543       0     0 2016-11-23 20:31:48 UTC+0000
0x87c02820 lsm.exe       660   512   13  337       0     0 2016-11-23 20:31:48 UTC+0000
0x87cb8d28 svchost.exe   764   636   12  691       0     0 2016-11-23 20:31:54 UTC+0000
```

```
$ sudo vol.py --plugins=/data/vol/plugins --profile=Win7SP1x86 -f memdump.mem hollowfind -p 660
Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 4, in <module>
    __import__('pkg_resources').run_script('volatility==2.5', 'vol.py')
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 742, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/local/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1497, in run_script
    exec(code, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/data/vol/plugins/hollowfind.py", line 206, in render_text
    for (hol_proc_peb_info, hol_proc_vad_info, hol_pid, hol_type, similar_procs, parent_proc_info) in data:
  File "/data/vol/plugins/hollowfind.py", line 179, in calculate
    self.update_proc_peb_info(psdata)
  File "/data/vol/plugins/hollowfind.py", line 50, in update_proc_peb_info
    self.proc_peb_info[pid].extend([str(proc_cmd_line),
UnboundLocalError: local variable 'proc_cmd_line' referenced before assignment
```

pastrom commented 6 years ago

Hi,

I see this issue has been open a while. Any plans on a fix? I also got the same result in a Win10x64 image.

dineepthomas commented 6 years ago

I am having the same issue for the profiles --profile=WinXPSP3x86 and --profile=Win8SP0x64, but for --profile=Win7SP1x64 it's working absolutely fine. So I think the issue is with the usage of the Windows XP and Windows 8 profiles. I would suggest not using this for profiles other than Win7 until it gets fixed by the author.

```
$ vol.py --profile=WinXPSP3x86 -f rustock.vmem hollowfind
Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/home/dthomas/volatility/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/home/dthomas/volatility/volatility/plugins/hollowfind.py", line 206, in render_text
    for (hol_proc_peb_info, hol_proc_vad_info, hol_pid, hol_type, similar_procs, parent_proc_info) in data:
  File "/home/dthomas/volatility/volatility/plugins/hollowfind.py", line 179, in calculate
    self.update_proc_peb_info(psdata)
  File "/home/dthomas/volatility/volatility/plugins/hollowfind.py", line 50, in update_proc_peb_info
    self.proc_peb_info[pid].extend([str(proc_cmd_line),
UnboundLocalError: local variable 'proc_cmd_line' referenced before assignment
```

debugeee commented 4 years ago

This project (Code) is Long Dead! No update for almost 4 years! The malfind switch in Volatility is doing the job, no need for this plugin.

HashTables2 commented 4 years ago

@debugeee as far as I know, malfind and hollowfind do not do the same thing. Malfind looks for regions marked PAGE_EXECUTE_READWRITE while hollowfind will also search for pages marked PAGE_EXECUTE_WRITECOPY which malware can also use.

FWIW - the bug I found which was causing this was due to the fact that one of the processes ended with an ".exe" extension, but didn't have any modules associated with it. I just put a try catch around that portion of the code, not the most elegant solution.
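The failure pattern named in the traceback and in the comment above, as a constructed model added here (it is not HollowFind's own code, and the process records, field names and matching rule are assumptions): a variable bound only inside a loop over a process's PEB module list is read after the loop, so a process with an `.exe` image name but no matching module entry raises `UnboundLocalError`. The fixed variant initialises the fields and reports the missing entry as a finding instead of wrapping the block in a bare try/except.

```python
# Constructed model of the update_proc_peb_info bug (not the plugin's code).
# Each process record is sample data: image name plus the modules found in its PEB.
SAMPLE_PROCS = [
    {"pid": 636, "name": "services.exe",
     "modules": [{"path": r"C:\Windows\system32\services.exe",
                  "cmdline": r"C:\Windows\system32\services.exe"}]},
    # .exe image name but an empty PEB module list: the case reported in the thread.
    {"pid": 660, "name": "lsm.exe", "modules": []},
]


def _is_main_image(mod, proc):
    """Assumed matching rule: module file name equals the process image name."""
    return mod["path"].rsplit("\\", 1)[-1].lower() == proc["name"].lower()


def peb_info_buggy(proc):
    """Binds proc_cmd_line/proc_path only when a module matches, then reads them."""
    for mod in proc["modules"]:
        if _is_main_image(mod, proc):
            proc_cmd_line = mod["cmdline"]
            proc_path = mod["path"]
    # UnboundLocalError when the loop matched nothing (e.g. modules == []).
    return [proc["pid"], proc["name"], str(proc_cmd_line), str(proc_path)]


def peb_info_fixed(proc):
    """Same walk with defaults; an .exe with no PEB entry for its own image is flagged."""
    proc_cmd_line = proc_path = None
    for mod in proc["modules"]:
        if _is_main_image(mod, proc):
            proc_cmd_line, proc_path = mod["cmdline"], mod["path"]
    missing = proc_cmd_line is None
    if missing:
        # Keep the record (so later VAD/PEB comparison still runs) and surface the gap:
        # a PEB module list that does not describe the process's own image is itself a
        # triage lead, not something to discard silently.
        proc_cmd_line, proc_path = "<no module entry in PEB>", "<unknown>"
    return [proc["pid"], proc["name"], proc_cmd_line, proc_path, missing]


def update_proc_peb_info(procs, extractor):
    """Build the pid -> PEB-info table the way the plugin's calculate() step would."""
    return {p["pid"]: extractor(p) for p in procs}


def buggy_raises(procs):
    """True if the buggy extractor hits UnboundLocalError on these records."""
    try:
        update_proc_peb_info(procs, peb_info_buggy)
        return False
    except UnboundLocalError:
        return True
```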