rh1nox / malwarecookbook

Automatically exported from code.google.com/p/malwarecookbook
0 stars 0 forks source link

Bug in apihooks when processing rustock.b image #1

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
C:\forensics\Volatility-1.4_rc1>python volatility.py apihooks -f 
..\malware-images\rustock.vmem
Volatile Systems Volatility Framework 1.4_rc1
Name                             Type     Function 
Value
Traceback (most recent call last):
  File "volatility.py", line 126, in <module>
    main()
  File "volatility.py", line 117, in main
    command.execute()
  File "C:\forensics\Volatility-1.4_rc1\volatility\commands.py", line 101, 
in execute
    func(outfd, data)
  File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 
1939, in render_text
    for (proc, type, current_mod, mod, func, src, dst, hooker, instruction) 
in data:
  File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 
1899, in calculate
    for val in self.get_all_hooks(p, ps_ad, procs, mods, mod_addrs):
  File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 
1854, in get_all_hooks
    for val in self.get_hooks(proc, space, mods, mod_addrs, mod, name):
  File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 
1699, in get_hooks
    for exp in mod.exports():
  File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 
528, in exports
    for exp in exp_dir.get_exports():
  File "C:\forensics\Volatility-1.4_rc1\volatility\plugins\malware.py", line 
418, in get_exports
    func_rva = address_of_functions[ordinal]
  File "C:\forensics\Volatility-1.4_rc1\volatility\obj.py", line 655, in 
__getitem__
    pos * self.current.size()
TypeError: unsupported operand type(s) for *: 'NoneObject' and 'int'

Original issue reported on code.google.com by michael.hale@gmail.com on 6 Jan 2011 at 2:31

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r26.

Original comment by michael.hale@gmail.com on 6 Jan 2011 at 4:25