stephanelpaul / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

HIVESCAN NOT FOUND #125

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hello, 

I'm using Volatility 1.3-Beta 
(https://www.volatilesystems.com/volatility/1.3/Volatility-1.3_Beta.zip) on Mac 
OS X v.10.6.8. I installed Python 2.6.

When I run the command "python volatility hivescan -f 
/Users/giuseppespecchio/Desktop/Volatility/xp-laptop-2011-07-25.mem"
I receive this error message:

/Applications/forensics/Volatility-1.3_Beta/forensics/win32/crashdump.py:31: 
DeprecationWarning: the sha module is deprecated; use the hashlib module instead
  import sha
Error: Invalid module [hivescan].

    ... <<OMISSIS>> ...

    Example: volatility pslist -f /path/to/my/file

So, I have tried to find this plug-in, but I didn't find it!

$ ls -R
AUTHORS.txt MANIFEST    forensics   vmodules.py vtypes.py
CHANGELOG.txt   MANIFEST.in memory_objects  vmodules.pyc    vtypes.pyc
CREDITS.txt PKG-INFO    memory_plugins  volatility  vutils.py
LEGAL.txt   README.txt  setup.py    vsyms.py    vutils.pyc
LICENSE.txt README.win  thirdparty  vsyms.pyc

./forensics:
__init__.py commands.py object2.py  symbols.py  x86.pyc
__init__.pyc    commands.pyc    object2.pyc symbols.pyc
addrspace.py    object.py   registry.py win32
addrspace.pyc   object.pyc  registry.pyc    x86.py

./forensics/win32:
__init__.py     hiber_addrspace.py  scan.py
__init__.pyc        hiber_addrspace.pyc scan.pyc
crash_addrspace.py  info.py         scan2.py
crash_addrspace.pyc info.pyc        scan2.pyc
crashdump.py        meta_info.py        tasks.py
crashdump.pyc       meta_info.pyc       tasks.pyc
datetime.py     modules.py      vad.py
datetime.pyc        modules.pyc     vad.pyc
executable.py       network.py      xpress.py
executable.pyc      network.pyc     xpress.pyc
handles.py      registry.py
handles.pyc     registry.pyc

./memory_objects:
Windows

./memory_objects/Windows:
xp_sp2.py   xp_sp2.pyc

./memory_plugins:
example1.py example2.py example3.py
example1.pyc    example2.pyc    example3.pyc

./thirdparty:
__init__.py __init__.pyc    progressbar.py  progressbar.pyc

Can anyone help me?

Original issue reported on code.google.com by peppe...@gmail.com on 28 Jul 2011 at 8:45

GoogleCodeExporter commented 9 years ago
Please use the newer code found in the trunk of this SVN.  You can see how to 
install it here: http://code.google.com/p/volatility/wiki/FullInstallation

Original comment by jamie.l...@gmail.com on 29 Jul 2011 at 12:16

GoogleCodeExporter commented 9 years ago
Hi Jamie,
but on my Mac OS X 10.6, I have some problems with the installation of Yara 1.4 
and Yara-Python 1.4a such as the version 1.5 
(http://code.google.com/p/yara-project/downloads/detail?name=yara-1.5.tar.gz)

$ make
make  all-recursive
Making all in libyara
make  all-am
/bin/sh ./libtool --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.     -g -O2 
-MT grammar.lo -MD -MP -MF .deps/grammar.Tpo -c -o grammar.lo grammar.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -g -O2 -MT grammar.lo -MD -MP -MF 
.deps/grammar.Tpo -c grammar.c  -fno-common -DPIC -o .libs/grammar.o
In file included from ast.h:20,
                 from grammar.y:8:
yara.h:21:18: error: pcre.h: No such file or directory
In file included from ast.h:20,
                 from grammar.y:8:
yara.h:121: error: expected specifier-qualifier-list before ‘pcre’
grammar.y: In function ‘reduce_external_string_operation’:
grammar.y:1148: error: ‘REGEXP’ has no member named ‘regexp’
grammar.y:1150: error: ‘REGEXP’ has no member named ‘regexp’
grammar.y:1152: error: ‘REGEXP’ has no member named ‘extra’
grammar.y:1152: error: ‘REGEXP’ has no member named ‘regexp’
make[3]: *** [grammar.lo] Error 1
make[2]: *** [all] Error 2
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2

In fact, when I run the command python vol.py -h, I receive this message:
YARA is not installed, see http://code.google.com/p/yara-project/
Usage: Volatility - A memory forensics analysis platform.

Options:
...

Original comment by peppe...@gmail.com on 29 Jul 2011 at 9:01

GoogleCodeExporter commented 9 years ago
You have to install pcre for yara.  If you have installed pcre, it is possible 
that it might not see it for some reason.  I had this happen when I installed 
it because pcre was installed from ports.  Basically I had to change the 
includes in libyara/scan.c and libyara/yara.h from 

#include <pcre.h>

to

#include "/opt/local/include/pcre.h"

Anyway, not having yara should not affect commands other than some of the 
malware ones in spite of the fact that you see a message complaining that it is 
not there.  Try to use hivescan and see if it works.

Original comment by jamie.l...@gmail.com on 29 Jul 2011 at 9:39
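
The missing-header problem discussed above can also be handled without editing the yara sources, by telling the build where pcre lives. This is an added example, not part of the original thread or of the yara or Volatility projects; the function names are hypothetical, and it assumes the yara tarball ships a standard autoconf `configure` that honors CPPFLAGS and LDFLAGS.

```shell
#!/bin/sh
# Added example (hypothetical helper names): locate pcre.h under candidate
# install prefixes, report its version, and derive flags for ./configure.

# find_pcre_prefix PREFIX...: print the first prefix holding include/pcre.h
find_pcre_prefix() {
    for prefix in "$@"; do
        if [ -f "$prefix/include/pcre.h" ]; then
            printf '%s\n' "$prefix"
            return 0
        fi
    done
    return 1
}

# pcre_header_version FILE: print MAJOR.MINOR from the PCRE_MAJOR and
# PCRE_MINOR defines in pcre.h, so you know which pcre the build will use
pcre_header_version() {
    awk '$1 == "#define" && $2 == "PCRE_MAJOR" { major = $3 }
         $1 == "#define" && $2 == "PCRE_MINOR" { minor = $3 }
         END { if (major == "" || minor == "") exit 1
               print major "." minor }' "$1"
}

# pcre_configure_flags PREFIX...: print CPPFLAGS/LDFLAGS for ./configure,
# or fail with a message when no prefix contains the header
pcre_configure_flags() {
    found=$(find_pcre_prefix "$@") || {
        echo "pcre.h not found under: $*" >&2
        return 1
    }
    printf 'CPPFLAGS=-I%s/include LDFLAGS=-L%s/lib\n' "$found" "$found"
}

# Typical use from the yara source directory (prefixes are examples):
#   ./configure $(pcre_configure_flags /usr/local /opt/local) && make
```

Running `pcre_header_version` on the header that was found is a quick check that the build picks up the pcre you just installed rather than a stale copy under another prefix.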

GoogleCodeExporter commented 9 years ago
Since I see that hivescan works (from issue 126) I will close this one.

Original comment by jamie.l...@gmail.com on 29 Jul 2011 at 9:43

GoogleCodeExporter commented 9 years ago
OK I haven't installed the pcre library, so I've downloaded it from 
ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.02.tar.bz2

Original comment by peppe...@gmail.com on 29 Jul 2011 at 9:59