tomchop / volatility-autoruns

Autoruns plugin for the Volatility framework
GNU General Public License v2.0

Error for profile 19041 #30

Open swepeba opened 3 years ago

swepeba commented 3 years ago

Hi,

I get an error when running this plugin with profile 19041 (Volatility 2.6.1). Nothing more is shown when adding -v.

ERROR : volatility.debug : Unable to find registry hives.

It works for older profiles. Any ideas?

jared703 commented 3 years ago

Are you seeing any hives resident in memory via hivelist?

On Wed, May 12, 2021 at 10:49 AM Peter wrote:

> Hi,
>
> I get an error when running this plugin with profile 19041 (Volatility 2.6.1). Nothing more is shown when adding -v
>
> ERROR : volatility.debug : Unable to find registry hives.
>
> It works for older profiles. Any ideas?


swepeba commented 3 years ago

No, both hivelist and hivescan are empty... Maybe something wrong in the profile from the Volatility project, because when using Volatility3 and windows.registry.hivelist.HiveList on the same memory dump it works fine.

jared703 commented 3 years ago

Starting from the correct profile is critical. Is everything else normal (pslist, pscan, etc.)?

On Wed, May 12, 2021 at 12:57 PM Peter wrote:

> No, both hivelist and hivescan are empty... Maybe something wrong in the profile from the Volatility project, because when using Volatility3 and windows.registry.hivelist.HiveList on the same memory dump it works fine.


swepeba commented 3 years ago

Yes. All the other plugins work with the same profile. Since hivelist and hivescan do not work either I suppose it might be some problems inside the 19041 profile definition.

jared703 commented 3 years ago

It could be, especially if vol3 is detecting registry data.

On Thu, May 13, 2021 at 1:52 PM Peter wrote:

> Yes. All the other plugins work with the same profile. Since hivelist and hivescan do not work either I suppose it might be some problems inside the 19041 profile definition.
