spender-sandbox / cuckoo-modified

Modified edition of cuckoo

Generic error - Volatility #442

Closed ghost closed 7 years ago

ghost commented 7 years ago

Running 1.3NG latest pull, Volatility 2.6. Could someone shed some light here?

2017-04-21 17:06:56,411 [modules.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label cuckoo1 to path /media/cuckoo/Storage/cuckoo/storage/analyses/7/memory.dmp
2017-04-21 17:07:02,640 [volatility.debug] WARNING: NoneObject as string: Cannot find process session
2017-04-21 17:07:02,642 [volatility.debug] WARNING: NoneObject as string: Cannot find process session
2017-04-21 17:07:02,648 [volatility.debug] WARNING: NoneObject as string: Pointer ObjectTable invalid
2017-04-21 17:07:02,653 [volatility.debug] WARNING: NoneObject as string: Pointer ObjectTable invalid
2017-04-21 17:07:02,684 [volatility.debug] WARNING: NoneObject as string: Pointer ObjectTable invalid
10.0.1.18 - - [21/Apr/2017 17:07:14] "GET /browse/page/1 HTTP/1.1" 200 168732
[x86] Gathering all referenced SSDTs from KTHREADs...
Finding appropriate address space for tables...
10.0.1.18 - - [21/Apr/2017 17:08:04] "GET /browse/page/1 HTTP/1.1" 200 168732
2017-04-21 17:08:38,314 [modules.processing.memory] ERROR: Generic error executing volatility
Traceback (most recent call last):
  File "/media/cuckoo/Storage/cuckoo/modules/processing/memory.py", line 1154, in run
    results = vol.run(manager=machine_manager, vm=task_machine)
  File "/media/cuckoo/Storage/cuckoo/modules/processing/memory.py", line 1059, in run
    results["yarascan"] = vol.yarascan()
  File "/media/cuckoo/Storage/cuckoo/modules/processing/memory.py", line 582, in yarascan
    for o, addr, hit, content in command.calculate():
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py", line 292, in calculate
    rules = self._compile_rules()
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/malware/malfind.py", line 238, in _compile_rules
    except yara.SyntaxError, why:
AttributeError: 'module' object has no attribute 'SyntaxError'

Thanks folks!!

spender-sandbox commented 7 years ago

What version of yara? That seems to be the issue.

-Brad

ghost commented 7 years ago

Yara 3.2.0..

doomedraven commented 7 years ago

try at least 3.4

ghost commented 7 years ago

OK, what about the volatility errors above?

doomedraven commented 7 years ago

That, as I remember, was happening with old yara; try the newest one first. I personally use 3.4 as I had problems with 3.5, but try it first.
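A pre-flight check for the yara-python module, added here as an example and not code from the cuckoo-modified project or from the commenters. It encodes the thread's advice (yara-python 3.4 or newer) and the attribute the traceback shows Volatility's malfind.py relying on (`yara.SyntaxError`); the `REQUIRED_ATTRS` list and the two SimpleNamespace stand-ins are constructed assumptions so the check can be exercised without yara installed.

```python
"""Pre-flight compatibility check for yara-python before running Cuckoo's
memory processing (Volatility yarascan).

Added example, not part of cuckoo-modified or Volatility. The minimum
version comes from the thread; the attribute list is an assumption drawn
from the traceback, where malfind.py references yara.SyntaxError.
"""
import re
from types import SimpleNamespace

MIN_VERSION = (3, 4, 0)  # lowest yara-python recommended in the thread
# Attributes malfind's _compile_rules needs; SyntaxError is what 3.2.0 lacked.
REQUIRED_ATTRS = ("compile", "SyntaxError")


def parse_version(text):
    """Turn '3.2.0' or '3.4' into a comparable 3-tuple of ints."""
    parts = re.findall(r"\d+", str(text))
    if not parts:
        raise ValueError("unparseable version string: %r" % (text,))
    nums = tuple(int(p) for p in parts[:3])
    return nums + (0,) * (3 - len(nums))


def check_yara_module(module, min_version=MIN_VERSION, required=REQUIRED_ATTRS):
    """Return (ok, problems) for a yara module object.

    Works on the real module (`import yara`) or on any object exposing the
    same attributes, so it can be run offline against stand-ins.
    """
    problems = []
    version = getattr(module, "__version__", None)
    if version is None:
        problems.append("module exposes no __version__")
    else:
        try:
            if parse_version(version) < min_version:
                problems.append("yara-python %s is older than required %s"
                                % (version, ".".join(map(str, min_version))))
        except ValueError as exc:
            problems.append(str(exc))
    for name in required:
        if not hasattr(module, name):
            problems.append("yara module lacks attribute %r" % (name,))
    return (not problems, problems)


def check_installed_yara():
    """Import the real yara-python if present and check it."""
    try:
        import yara
    except ImportError as exc:
        return (False, ["yara-python not importable: %s" % exc])
    return check_yara_module(yara)


# Constructed stand-ins mimicking an old and a new yara-python module.
OLD_YARA = SimpleNamespace(__version__="3.2.0", compile=lambda *a, **k: None)
NEW_YARA = SimpleNamespace(__version__="3.4.0", compile=lambda *a, **k: None,
                           SyntaxError=type("SyntaxError", (Exception,), {}))

if __name__ == "__main__":
    for label, mod in (("old stand-in", OLD_YARA), ("new stand-in", NEW_YARA)):
        ok, problems = check_yara_module(mod)
        print(label, "OK" if ok else "; ".join(problems))
    ok, problems = check_installed_yara()
    print("installed yara-python:", "OK" if ok else "; ".join(problems))
```

Run it on the Cuckoo host before launching an analysis; an old module reports both the version shortfall and the missing `SyntaxError` attribute, which is exactly the pair of conditions behind the "Generic error executing volatility" in the traceback above.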

ghost commented 7 years ago

Will do, thanks!!

ghost commented 7 years ago

Errors still persist, seems it may be the mem dump created by my samples. I'll close for now...