tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

apihooks #342

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Volatile Systems Volatility Framework 2.2_alpha
2. http://files.sempersecurus.org/dumps/cridex_memdump.zip
3. python vol.py --profile=WinXPSP2x86 -f /home/analyst/memory-samples/cridex.vmem -p 1640 apihooks

What is the expected output? What do you see instead?
Traceback (most recent call last):
  File "vol.py", line 185, in <module>
    main()
  File "vol.py", line 176, in main
    command.execute()
  File "/home/analyst/Volatility/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/home/analyst/Volatility/volatility/plugins/malware/apihooks.py", line 1008, in render_text
    for process, module, hook in data:
  File "/home/analyst/Volatility/volatility/plugins/malware/apihooks.py", line 983, in calculate
    process_space, dll, module_group):
  File "/home/analyst/Volatility/volatility/plugins/malware/apihooks.py", line 829, in get_hooks
    for hook in self.check_syscall(addr_space, module, module_group):
  File "/home/analyst/Volatility/volatility/plugins/malware/apihooks.py", line 474, in check_syscall
    for op in distorm3.Decompose(function_address, data, distorm3.Decode32Bits):
  File "/usr/local/lib/python2.7/dist-packages/distorm3/__init__.py", line 931, in Decompose
    return list( DecomposeGenerator(offset, code, type, features) )
  File "/usr/local/lib/python2.7/dist-packages/distorm3/__init__.py", line 892, in DecomposeGenerator
    yield Instruction(di, code[instruction_off : instruction_off + di.size], dt)
  File "/usr/local/lib/python2.7/dist-packages/distorm3/__init__.py", line 789, in __init__
    self.operands.append(self._extractOperand(di, operand))
  File "/usr/local/lib/python2.7/dist-packages/distorm3/__init__.py", line 823, in _extractOperand
    raise ValueError("Unknown operand type encountered: %d!" % operand.type)
ValueError: Unknown operand type encountered: 32!

What version of the product are you using? On what operating system?
Volatile Systems Volatility Framework 2.2_alpha
I also tried volatility-2.1.tar.gz 

Please provide any additional information below.
My setup:
http://www.evild3ad.com/1747/how-to-install-volatility-on-ubuntu-12-04-lts/

Thank you very much!

evild3ad

Original issue reported on code.google.com by evild3ad...@googlemail.com on 1 Sep 2012 at 11:35

GoogleCodeExporter commented 9 years ago
Hi, I believe this is related to your distorm3 installation. If you see the distorm3 homepage (http://code.google.com/p/distorm/) it says "August 8 2012: The latest Python binding is broken at the moment. It will be fixed as soon as I am back from the vacation. Sorry :("

I have a bit older distorm3 version installed and there is no problem:

$ svn checkout https://volatility.googlecode.com/svn/trunk/ volatility

$ svn info | grep Revision
Revision: 2273

$ python vol.py -f ~/Downloads/cridex.vmem -p 1640 apihooks
Volatile Systems Volatility Framework 2.2_alpha
************************************************************************
Hook mode: Usermode
Hook type: Inline/Trampoline
Process: 1640 (reader_sl.exe)
Victim module: ntdll.dll (0x7c900000 - 0x7c9af000)
Function: ntdll.dll!LdrLoadDll at 0x7c9163a3
Hook address: 0x3da300
Hooking module: <unknown>

Disassembly(0):
0x7c9163a3 e9583fac83       JMP 0x3da300
0x7c9163a8 68f864917c       PUSH DWORD 0x7c9164f8
0x7c9163ad e8f984ffff       CALL 0x7c90e8ab
0x7c9163b2 a1c8b0977c       MOV EAX, [0x7c97b0c8]
0x7c9163b7 8945e4           MOV [EBP+0xffffffe4], EAX
0x7c9163ba 8b               DB 0x8b

You can check the distorm3 revision number like this:

>>> import distorm3
>>> distorm3.__revision__
'$Id: distorm.py 186 2010-05-01 14:20:41Z gdabah $

The standalone volatility 2.1 doesn't have the problem either (http://volatility.googlecode.com/files/volatility-2.1.standalone.exe), so it's nothing we change in our code necessarily. I'll contact the author of distorm3 and see if he can figure out what's going on with the library.

Original comment by michael.hale@gmail.com on 1 Sep 2012 at 3:59
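To make the listing above concrete, here is an added example (not Volatility's own code) that re-derives what the Inline/Trampoline check reports: it parses the quoted disassembly, decodes the JMP/CALL rel32 displacement from the raw bytes rather than trusting the printed operand, and flags a control transfer at the function prologue whose target lies outside the victim module's address range. The listing text and the ntdll.dll range are copied from the comment above; the function names are assumptions of this example.

```python
import re
import struct

# Constructed sample: the apihooks listing quoted in the comment above.
VICTIM_MODULE = (0x7C900000, 0x7C9AF000)  # ntdll.dll range from the listing
LISTING = """\
0x7c9163a3 e9583fac83       JMP 0x3da300
0x7c9163a8 68f864917c       PUSH DWORD 0x7c9164f8
0x7c9163ad e8f984ffff       CALL 0x7c90e8ab
0x7c9163b2 a1c8b0977c       MOV EAX, [0x7c97b0c8]
0x7c9163b7 8945e4           MOV [EBP+0xffffffe4], EAX
0x7c9163ba 8b               DB 0x8b
"""

# address, raw bytes, mnemonic, optional operands
LINE_RE = re.compile(r"^(0x[0-9a-f]+)\s+([0-9a-f]+)\s+(\S+)(?:\s+(.*))?$", re.I)


def parse_listing(text):
    """Yield (address, raw_bytes, mnemonic, operands) for each listing line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (int(m.group(1), 16), bytes.fromhex(m.group(2)),
                   m.group(3).upper(), m.group(4) or "")


def rel32_target(addr, raw):
    """Target of E9 (JMP rel32) / E8 (CALL rel32): next_ip + signed disp32.
    Returns None for anything else, including a truncated trailing byte."""
    if len(raw) != 5 or raw[0] not in (0xE9, 0xE8):
        return None
    (disp,) = struct.unpack("<i", raw[1:])
    return (addr + 5 + disp) & 0xFFFFFFFF


def find_inline_hooks(text, module_range, prologue_len=1):
    """Return [(instruction_addr, target)] for JMP/CALL instructions among the
    first prologue_len instructions whose target falls outside module_range.
    A JMP out of the module at the very first instruction is the classic
    trampoline pattern the listing shows."""
    lo, hi = module_range
    hooks = []
    for idx, (addr, raw, mnem, _ops) in enumerate(parse_listing(text)):
        if idx >= prologue_len:
            break
        target = rel32_target(addr, raw)
        if mnem in ("JMP", "CALL") and target is not None and not lo <= target < hi:
            hooks.append((addr, target))
    return hooks
```

Decoding the displacement from the bytes is also a cheap cross-check on the disassembler: if the recomputed target disagrees with the printed operand, the distorm3 binding itself is suspect.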

GoogleCodeExporter commented 9 years ago
Yep, definitely appears like a distorm3 issue. You'll have to downgrade from 3.3 to 3.1 until the distorm3 author fixes the python bindings. A 3.1 build is available here:

http://distorm.googlecode.com/files/distorm-package3.1.zip

With that installed, it should fix your problems. Feel free to write me directly (michael.hale@gmail.com) or leave an issue on the distorm3 issue tracker if you still have issues.

Original comment by michael.hale@gmail.com on 2 Sep 2012 at 5:16