volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

yarascan.YaraScan doesn't work #101

Closed doomedraven closed 4 years ago

doomedraven commented 4 years ago

Memdump and YARA will be shared in private.

Works just fine on vol2:

vol.py -f X.dmp --profile=Win7SP1x86 yarascan -y X.yar
Volatility Foundation Volatility Framework 2.6.1
Rule: X
<removed>

python3 vol.py -vvvvvvv -f memdump.dmp yarascan.YaraScan --yara-file test.yar
Volatility 3 Framework 1.0.0-beta.1
INFO     root        : Volatility plugins path: ['/home/X/volatility3/volatility/plugins', '/home/X/volatility3/volatility/framework/plugins']
INFO     root        : Volatility symbols path: ['/home/X/volatility3/volatility/symbols', '/home/X/volatility3/volatility/framework/symbols']
Level 6  volatility.framework: Importing from the following paths: /home/X/volatility3/volatility/plugins, /home/X/volatility3/volatility/framework/plugins
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.statistics
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.certificates
DEBUG    volatility.framework: Importing module: volatility.plugins.yarascan
DEBUG    volatility.framework: Importing module: volatility.plugins.layerwriter
DEBUG    volatility.framework: Importing module: volatility.plugins.timeliner
DEBUG    volatility.framework: Importing module: volatility.plugins.configwriter
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.pstree
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.lsmod
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.lsof
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.pslist
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.bash
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.psaux
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.check_sysctl
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.proc_maps
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.netstat
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.ifconfig
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.malfind
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.check_syscall
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.check_trap_table
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.tasks
DEBUG    volatility.framework: Importing module: volatility.plugins.mac.trustedbsd
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.psscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.dlldump
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.cmdline
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.poolscanner
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.mutantscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.pstree
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.dlllist
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.driverirp
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.info
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.verinfo
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.moddump
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.symlinkscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.strings
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.handles
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.virtmap
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.pslist
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.ssdt
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.vadyarascan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.vaddump
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.procdump
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.modules
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.filescan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.malfind
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.callbacks
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.driverscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.vadinfo
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.modscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.svcscan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.userassist
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.hivelist
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.hivescan
DEBUG    volatility.framework: Importing module: volatility.plugins.windows.registry.printkey
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.check_afinfo
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.pstree
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.lsmod
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.lsof
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.proc
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.elfs
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.pslist
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.bash
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.malfind
DEBUG    volatility.framework: Importing module: volatility.plugins.linux.check_syscall
Level 6  volatility.framework: Importing from the following paths: /home/X/volatility3/volatility/framework/automagic
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.symbol_finder
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.stacker
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.pdbscan
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.construct_layers
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.symbol_cache
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.windows
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.linux
DEBUG    volatility.framework: Importing module: volatility.framework.automagic.mac
Level 7  root        : Cache directory used: /home/X/.cache/volatility3
INFO     volatility.framework.automagic: No plugin category detected
INFO     volatility.framework.automagic: Running automagic: SymbolBannerCache
INFO     volatility.framework.automagic: Running automagic: MacBannerCache
Level 6  volatility.framework.symbols.intermed: Searching for symbols in /home/X/volatility3/volatility/symbols, /home/X/volatility3/volatility/framework/symbols
INFO     volatility.framework.automagic: Running automagic: LinuxBannerCache
Level 6  volatility.framework.symbols.intermed: Searching for symbols in /home/X/volatility3/volatility/symbols, /home/X/volatility3/volatility/framework/symbols
INFO     volatility.framework.automagic.symbol_cache: Building linux caches...
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.YaraScan.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.YaraScan
INFO     volatility.framework.automagic: Running automagic: LayerStacker
Level 6  volatility.framework: Importing from the following paths: /home/X/volatility3/volatility/framework/layers
DEBUG    volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG    volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG    volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG    volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG    volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG    volatility.framework: Importing module: volatility.framework.layers.elf
DEBUG    volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG    volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG    volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG    volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG    volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG    volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WintelStacker
DEBUG    volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
Level 8  volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6  volatility.framework.symbols.intermed: Searching for symbols in /home/X/volatility3/volatility/symbols, /home/X/volatility3/volatility/framework/symbols
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input
Level 8  volatility.framework.automagic.stacker: Stacked Elf64Layer using Elf64Stacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WintelStacker
DEBUG    volatility.framework.automagic.windows: DTB was found at: 0x185000
Level 8  volatility.framework.automagic.stacker: Stacked IntelLayer using WintelStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using WindowsCrashDump32Stacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using MacintelStacker
Level 8  volatility.framework.automagic.stacker: Attempting to stack using LintelStacker
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary.memory_layer
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.YaraScan.primary.memory_layer.base_layer
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 6  volatility.framework.symbols.intermed: Searching for symbols in /home/X/volatility3/volatility/symbols, /home/X/volatility3/volatility/framework/symbols
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'Elf64Layer', 'FileLayer']
INFO     volatility.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility.framework.automagic: Running automagic: WintelHelper
INFO     volatility.framework.automagic: Running automagic: KernelPDBScanner
INFO     volatility.framework.automagic: Running automagic: SymbolFinder
INFO     volatility.framework.automagic: Running automagic: MacSymbolFinder
INFO     volatility.framework.automagic: Running automagic: LinuxSymbolFinder

Offset  Rule
Level 7  volatility.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
ikelos commented 4 years ago

Hiya, so #106 has been merged, but I'm afraid #105 still requires further review because it's a bigger change.

ikelos commented 4 years ago

Hiya, #105 has been merged, which should resolve this issue. Please feel free to reopen it if you still think this is a problem... 5:)