nchen34 / malwarecookbook

Automatically exported from code.google.com/p/malwarecookbook
0 stars 0 forks source link

volatility 2.1 alpha && malware2.1_alpha.py trunk psxview command bug #41

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
C:\Users\dmk\volatility>vol.py -f ..\win7sp1x64.dmp --profile=Win7SP1x64 psxview
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.registry.lsadump (ImportError: DLL load 
failed: %1 is not a valid Win32 application.)
Offset       Name                 Pid      pslist     psscan     thrdproc   
pspcid     csr_hnds   csr_list
Traceback (most recent call last):
  File "C:\Users\dmk\volatility\vol.py", line 135, in <module>
    main()
  File "C:\Users\dmk\volatility\vol.py", line 126, in main
    command.execute()
  File "C:\Users\dmk\volatility\volatility\commands.py", line 101, in execute
    func(outfd, data)
  File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3057, in render_text
    for pid, eproc, ps_sources in data:
  File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3029, in calculate
    pspcid      = self.check_pspcid(addr_space),
  File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3003, in check_pspcid
    for h in PspCidTable.handles():
  File "C:\Users\dmk\volatility\volatility\plugins\overlays\windows\windows.py", line 432, in handles
    for h in self._make_handle_array(offset, table_levels):
  File "C:\Users\dmk\volatility\volatility\plugins\overlays\windows\windows.py", line 382, in _make_handle_array
    for h in self._make_handle_array(entry, level - 1, depth):
  File "C:\Users\dmk\volatility\volatility\plugins\overlays\windows\windows.py", line 400, in _make_handle_array
    item = self.get_item(entry, handle_value)
TypeError: get_item() takes exactly 2 arguments (3 given)

What version of the product are you using? On what operating system?
Volatility svn trunk version (latest). 

malware2.1_alpha.py

Please provide any additional information below.

in volatility i changed plugins\overlays\windows\windows.py line 400 to
item = entry.Object.dereference_as("_OBJECT_HEADER", parent = entry, 
handle_value = handle_value)
from
item = self.get_item(entry, handle_value)

This looks like solve the above issue, but i have a new:
C:\Users\dmk\volatility>vol.py -f ..\win7sp1x64.dmp --profile=Win7SP1x64 psxview
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.registry.lsadump (ImportError: DLL load 
failed: %1 is not a valid Win32 application.)
Offset       Name                 Pid      pslist     psscan     thrdproc   
pspcid     csr_hnds   csr_list
Traceback (most recent call last):
  File "C:\Users\dmk\volatility\vol.py", line 135, in <module>
    main()
  File "C:\Users\dmk\volatility\vol.py", line 126, in main
    command.execute()
  File "C:\Users\dmk\volatility\volatility\commands.py", line 101, in execute
    func(outfd, data)
  File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3057, in render_text
    for pid, eproc, ps_sources in data:
  File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3029, in calculate
    pspcid      = self.check_pspcid(addr_space),
  File "C:\Users\dmk\volatility\volatility\plugins\malware.py", line 3004, in check_pspcid
    if self.is_process_object(h, addr_space):
AttributeError: 'PsXview' object has no attribute 'is_process_object'

Original issue reported on code.google.com by moltes...@gmail.com on 12 Feb 2012 at 12:53

GoogleCodeExporter commented 9 years ago
Sorry about that, please see 
http://code.google.com/p/malwarecookbook/issues/detail?id=39

In other words, once the 2.1 API is solidified, the malware plugins will be 
revised and included in the 2.1 core package.

Original comment by michael.hale@gmail.com on 13 Feb 2012 at 2:17