qwhai / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

lsadump import error on start #207

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
Just start vol.py on windows.

What is the expected output? What do you see instead?
Volatile Systems Volatility Framework 2.1_alpha

Actual:
*** Failed to import volatility.plugins.registry.lsadump (ImportError: DLL load 
failed: %1 is not a valid Win32 application.)

What version of the product are you using? On what operating system?
Version:
C:\bin\volatility>svn info
Path: .
Working Copy Root Path: C:\bin\volatility
URL: http://volatility.googlecode.com/svn/trunk
Repository Root: http://volatility.googlecode.com/svn
Repository UUID: 8d5d6628-2090-11de-9909-f37ff7dbbc12
Revision: 1362
Node Kind: directory
Schedule: normal
Last Changed Author: michael.hale@gmail.com
Last Changed Rev: 1362
Last Changed Date: 2012-02-11 21:37:42 +0100 (Szo, 11 febr. 2012)

OS:
Windows 7 SP1 x64

Original issue reported on code.google.com by moltes...@gmail.com on 12 Feb 2012 at 12:46

GoogleCodeExporter commented 9 years ago
Hi there, I can't see any reason that lsadump should produce that kind of 
error.  Could you please delete all .pyc and .pyo files under the 
volatility/plugins directory, and try again?

Original comment by mike.auty@gmail.com on 12 Feb 2012 at 3:33

GoogleCodeExporter commented 9 years ago
C:\Users\dmk\volatility>cd volatility\plugins

C:\Users\dmk\volatility\volatility\plugins>del *.pyc

C:\Users\dmk\volatility\volatility\plugins>del *.pyo
Could Not Find C:\Users\dmk\volatility\volatility\plugins\*.pyo

C:\Users\dmk\volatility\volatility\plugins>cd ..\..

C:\Users\dmk\volatility>vol.py -f ..\win7sp1x64.dmp --profile=Win7SP1x64 -h
Volatile Systems Volatility Framework 2.1_alpha
*** Failed to import volatility.plugins.registry.lsadump (ImportError: DLL load 
failed: %1 is not a valid Win32 application.)
Usage: Volatility - A memory forensics analysis platform.

:(

Original comment by moltes...@gmail.com on 12 Feb 2012 at 4:21

GoogleCodeExporter commented 9 years ago
Sorry, I wasn't clear enough, you need to remove all the pyc files under 
volatility/plugins and all of its subdirectories (in this case, specifically 
volatility/plugins/registry).

Thinking about it further, this is probably an issue with your pycrypto 
installation.  Please ensure that you have successfully installed pycrypto for 
windows.  You should test that you can do the following without error in python:

from Crypto.Hash import MD5, MD4, HMAC
from Crypto.Cipher import ARC4, DES

Original comment by mike.auty@gmail.com on 12 Feb 2012 at 5:03

GoogleCodeExporter commented 9 years ago
Sorry, it is a user error. I installed pycrypto for x86, but this is an x64 
platform.

Python 2.7.2 (default, Jun 12 2011, 14:24:46) [MSC v.1500 64 bit (AMD64)] on 
win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import volatility.win32.lsasecrets
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "volatility\win32\lsasecrets.py", line 31, in <module>
    import volatility.win32.hashdump as hashdump
  File "volatility\win32\hashdump.py", line 31, in <module>
    from Crypto.Hash import MD5, MD4
ImportError: DLL load failed: %1 is not a valid Win32 application.

Now I need to compile pycrypto for x64...

Thanks

Original comment by moltes...@gmail.com on 12 Feb 2012 at 5:08

GoogleCodeExporter commented 9 years ago
No problem, glad we figured out what was wrong.  5:)

Original comment by mike.auty@gmail.com on 12 Feb 2012 at 5:10
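
The mismatch diagnosed in this thread (32-bit pycrypto binaries under a 64-bit Python) can be confirmed without importing anything, by reading the Machine field from an extension module's PE header and comparing it with the interpreter's pointer size. This is an added example, not part of the original issue or of Volatility; the function names are hypothetical and the sample header bytes are constructed.

```python
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF format
MACHINES = {0x014C: ("x86", 32), 0x8664: ("x64", 64)}


def pe_machine(data):
    """Return (name, bits) for a PE image (.pyd/.dll), or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    # e_lfanew at offset 0x3C points to the 'PE\0\0' signature
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 6:
        raise ValueError("not a PE file: missing PE signature")
    # Machine is the first 16-bit field after the signature
    (machine,) = struct.unpack_from("<H", data, pe_off + 4)
    return MACHINES.get(machine, ("unknown(0x%04x)" % machine, None))


def interpreter_bits():
    """Pointer size of the running Python, in bits (32 or 64)."""
    return struct.calcsize("P") * 8


def check_extension(data, py_bits=None):
    """Return (loadable, message) for an extension image vs. the interpreter."""
    py_bits = py_bits or interpreter_bits()
    name, bits = pe_machine(data)
    if bits == py_bits:
        return True, "%s module matches %d-bit Python" % (name, py_bits)
    return False, "%s module cannot load into %d-bit Python" % (name, py_bits)


def fake_pe(machine):
    """Constructed sample: the smallest header pe_machine() needs, not a real DLL."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # paths to installed .pyd files, supplied by the user
        with open(path, "rb") as fh:
            print(path, check_extension(fh.read(4096))[1])
```

Run it with the same Python that runs vol.py, passing the compiled pycrypto modules as arguments; any "cannot load" line identifies a binary built for the wrong architecture.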