monnappa22 / Psinfo

Psinfo is a Volatility plugin which collects process-related information from the VAD (Virtual Address Descriptor) and PEB (Process Environment Block) and displays the collected information and suspicious memory regions for all the processes running on the system. This plugin should allow a security analyst to get the process-related information and spot any process anomaly without having to run multiple plugins.

Vad_found referenced before assignment #1

Open morriscode opened 7 years ago

morriscode commented 7 years ago

So maybe I'm just installing it wrong or something; every plugin works but psinfo. I keep getting the following error:

sam@sam-mintandmate ~/volatility $ sudo python vol.py --profile=Win7SP1x64 -f /media/sam/storage/md1.dmp psinfo -p 6764
Volatility Foundation Volatility Framework 2.6
WARNING : volatility.debug : NoneObject as string: Pointer ProcessParameters invalid
WARNING : volatility.debug : NoneObject as string: Pointer ProcessParameters invalid
WARNING : volatility.debug : NoneObject as string: Invalid offset 0 for dereferencing Buffer as String
Traceback (most recent call last):
  File "vol.py", line 192, in
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/home/sam/volatility/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/home/sam/volatility/volatility/plugins/psinfo.py", line 171, in render_text
    for (proc_peb_info, proc_vad_info, parent_proc_info, similar_procs) in data:
  File "/home/sam/volatility/volatility/plugins/psinfo.py", line 158, in calculate
    self.update_proc_vad_info(proc_peb_info)
  File "/home/sam/volatility/volatility/plugins/psinfo.py", line 93, in update_proc_vad_info
    if vad_found == False:
UnboundLocalError: local variable 'vad_found' referenced before assignment

mesand commented 7 years ago

I have a similar problem:

WARNING : volatility.debug : NoneObject as string: Invalid offset 1115808 for dereferencing Buffer as String
Traceback (most recent call last):
  File "vol.py", line 192, in
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/media/mesand/1C7214F47214D47C/Users/m.sandor/Documents/Iskola/11.szemeszter/DigitalForensics/MemoryForensics/volatility_linux/volatility/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/media/mesand/1C7214F47214D47C/Users/m.sandor/Documents/Iskola/11.szemeszter/DigitalForensics/MemoryForensics/volatility_linux/volatility/volatility/plugins/psinfo.py", line 171, in render_text
    for (proc_peb_info, proc_vad_info, parent_proc_info, similar_procs) in data:
  File "/media/mesand/1C7214F47214D47C/Users/m.sandor/Documents/Iskola/11.szemeszter/DigitalForensics/MemoryForensics/volatility_linux/volatility/volatility/plugins/psinfo.py", line 154, in calculate
    self.update_proc_peb_info(psdata)
  File "/media/mesand/1C7214F47214D47C/Users/m.sandor/Documents/Iskola/11.szemeszter/DigitalForensics/MemoryForensics/volatility_linux/volatility/volatility/plugins/psinfo.py", line 45, in update_proc_peb_info
    self.proc_peb_info[pid].extend([str(proc_cmd_line),
UnboundLocalError: local variable 'proc_cmd_line' referenced before assignment

edit: SOLUTION. Just add the following lines to the beginning of the "update_proc_peb_info" function (line 21):

    proc_cmd_line = ""
    proc_image_baseaddr = 0
    mod_baseaddr = 0
    mod_size = 0
    mod_basename = ""
    mod_fullname = ""

Note: I have never used Python, so it may not be the proper solution, but now it works for me.
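Added example, not code from the Psinfo plugin: a small stand-alone model of the failure mesand's fix addresses. The PEB dictionaries, the NoneObject stand-in and both functions are constructed here to show why a local assigned only inside an if-branch raises UnboundLocalError when the PEB's ProcessParameters pointer is invalid, and why initialising the names first fixes it.

```python
"""Model of the UnboundLocalError in psinfo's update_proc_peb_info.

The plugin reads the command line and image base from the PEB. When the
ProcessParameters pointer is invalid (the 'NoneObject as string' warning),
the assignments inside the if-branch never run, and the later extend()
call touches a local that was never bound. This is a constructed model of
that control flow, not the plugin's own code.
"""


class NoneObject:
    """Stand-in for Volatility's NoneObject: an invalid pointer that is falsy."""

    def __bool__(self):
        return False

    __nonzero__ = __bool__  # Python 2 spelling; Volatility 2.6 runs on Python 2


def update_proc_peb_info_buggy(peb):
    """Assumed shape of the original: names bound only when the pointer is valid."""
    if peb["ProcessParameters"]:
        proc_cmd_line = peb["ProcessParameters"]["CommandLine"]
        proc_image_baseaddr = peb["ImageBaseAddress"]
    # With a NoneObject pointer the names above were never assigned -> UnboundLocalError.
    return [str(proc_cmd_line), hex(proc_image_baseaddr)]


def update_proc_peb_info_fixed(peb):
    """Same logic with the defaults mesand suggested, so every path binds the names."""
    proc_cmd_line = ""
    proc_image_baseaddr = 0
    if peb["ProcessParameters"]:
        proc_cmd_line = peb["ProcessParameters"]["CommandLine"]
        proc_image_baseaddr = peb["ImageBaseAddress"]
    return [str(proc_cmd_line), hex(proc_image_baseaddr)]


# Constructed sample PEBs (not taken from a real memory image).
VALID_PEB = {"ProcessParameters": {"CommandLine": "C:\\Windows\\explorer.exe"},
             "ImageBaseAddress": 0x400000}
INVALID_PEB = {"ProcessParameters": NoneObject(), "ImageBaseAddress": 0}


def run_both(peb):
    """Return (buggy result or exception name, fixed result) for one PEB."""
    try:
        buggy = update_proc_peb_info_buggy(peb)
    except UnboundLocalError as exc:
        buggy = type(exc).__name__
    return buggy, update_proc_peb_info_fixed(peb)
```

With the fix, a process whose PEB cannot be read is reported with empty fields instead of aborting the whole plugin run, which is the behaviour an analyst wants when triaging an image with one unreadable process.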

monnappa22 commented 7 years ago

Thanks for letting me know. It's been a while since I wrote the plugin and I haven't updated it. I will find some time to figure out what's causing the issue.

On Nov 20, 2017 19:05, "mesand" notifications@github.com wrote:

I have the same problem. The plugin is currently not in a working state


monnappa22 commented 7 years ago

Could you please let me know which Volatility profile you are getting the error for? I would like to recreate the problem if possible.


mesand commented 7 years ago

I have used Windows XP SP3. The analysed file type is vmem.


dineepthomas commented 6 years ago

I am having the same issue with the profiles --profile=WinXPSP3x86 and --profile=Win8SP0x64, but with --profile=Win7SP1x64 it works absolutely fine. So I think the issue is with the use of the Windows XP and Windows 8 profiles. I would suggest not using this with profiles other than Win7 until it gets fixed by the author.

vol.py --profile=WinXPSP3x86 -f rustock.vmem psinfo
Volatility Foundation Volatility Framework 2.6
Traceback (most recent call last):
  File "vol.py", line 192, in
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/home/dthomas/volatility/volatility/commands.py", line 147, in execute
    func(outfd, data)
  File "/home/dthomas/volatility/volatility/plugins/hollowfind.py", line 206, in render_text
    for (hol_proc_peb_info, hol_proc_vad_info, hol_pid, hol_type, similar_procs, parent_proc_info) in data:
  File "/home/dthomas/volatility/volatility/plugins/hollowfind.py", line 179, in calculate
    self.update_proc_peb_info(psdata)
  File "/home/dthomas/volatility/volatility/plugins/hollowfind.py", line 50, in update_proc_peb_info
    self.proc_peb_info[pid].extend([str(proc_cmd_line),
UnboundLocalError: local variable 'proc_cmd_line' referenced before assignment