Closed steve-rootx closed 4 years ago
After using pythonpath switch, not getting the previous error, however, PY initialization was failed.
Thanks for reporting. I tried this on a clean install system (win10) with recent MemProcFS and Python and I haven't been able to replicate the issue.
1) what operating system are you running on? Windows 10 and which release or Windows 7? 2) what exact python version are you running? What does it say when you start Python both in 1st post and 2nd post. Note that if you happen to be running a 32-bit python that may be the issue (only 64-bit is supported) I should really update the error message. But 32/64-bit does not explain your error message in 1st post.
Hello Master,
Thanks for checking 👍
1) The Windows version is 10 and as you see in the first post it is 18363 build.
2) Python version is 3.6 x64 (as suggested in the usage guide)
3) MemProcFS is the latest downloaded from GitHub repo (MemProcFS_files_and_binaries_v3.3-20200804-2).
Without using Python Path, I am getting following exception.
After using PY path: PluginManager PY initialization failed.
However, I can see the mounted file system. But thinking about Python, as PY API can not be used due to this failure.
The other help I need is to mount Linux memory. As usual, I need to pass the profile for a Linux memory, but unsure how I can specify that or how to retrieve the DTB/cr3 value for the Linux memory image.
Fortunately I got it for the Python Error. :) A silly mistake... 1) Installed Python for all user under C:\Program Files 2) Installed missing Plugin manager : pip install pluginmanager
Please need help for the Linux memory image as requested in previous post. :) Though I read that MemProcFS is supporting Windows only. But was wondering if DMA is possible through FPGA and Linux memory is accessible through PCILeech, we may read the Linux memory in the exact same way as we do for Windows using MemProcFS.
Thank you for the update; it's good to see that it's working.
About analyzing linux images; it's not really supported bar for the very most basic functionality - i.e. analyzing one single process at a given time by supplying its -cr3 / dtb value. I'm not aware about how to find this value in a good way in Linux. For testing I used a kernel module inserted in my test system.
Long story short; MemProcFS is next to useless when it comes to analyzing Linux. You'd be much better off using another tool such as Volatility for Linux.
A tool like this is a lot of work. I've been doing this on my free spare time as a hobby project for some time now. I figured I had better to focus on the OS with the larger market share and make a nice usable really awesome product for that rather than create something mediocre that works just a little on many platforms. I'm not likely to add Linux support any time soon due to lack of time.
Please let me know if you come to think about missing Windows-related analysis features and tasks though. I plan to add some kind of malware scan functionality quite soon. Also if you do find it useful I've opened up for sponsorships via Github sponsors very recently. Just $2 contributed will become $4 for me (Github matches every sponsor contribution).
I'm closing this issue since the problem seems to be resolved.
Hi,
Could you please help me to fix this issue? Looks like may be some incompatibility, however, PY version is 3.6 and latest DOCAN is installed.
Thanks