Closed Obad94 closed 4 years ago
This looks like an issue where the Windows symbols for Windows 8 aren't as expected. I've asked our Windows expert to give it a look... :)
@Obad94 Could you git pull and try again with the latest code?
No activity, please reopen if this is still an issue...
I ran the windows.modscan.ModScan plugin but it's giving an exception
"C:\Users\NED\Desktop\volatility3-master>python vol.py -f C:\Users\NED\Desktop\Memory_Dumps\Windows_8_Dumps\Malware\WanaCryMalicious.vmem windows.modscan.ModScan
Volatility 3 Framework 1.0.0-beta.1
Progress: 0.00 Scanning primary2 using PdbSignatureScanner
Offset Base Size Name Path
Traceback (most recent call last):
File "vol.py", line 10, in <module>
volatility.cli.main()
File "C:\Users\NED\Desktop\volatility3-master\volatility\cli\__init__.py", line 489, in main
CommandLine().run()
File "C:\Users\NED\Desktop\volatility3-master\volatility\cli\__init__.py", line 292, in run
renderers[args.renderer]().render(constructed.run())
File "C:\Users\NED\Desktop\volatility3-master\volatility\cli\text_renderer.py", line 163, in render
grid.populate(visitor, outfd)
File "C:\Users\NED\Desktop\volatility3-master\volatility\framework\renderers\__init__.py", line 196, in populate
for (level, item) in self._generator:
File "C:\Users\NED\Desktop\volatility3-master\volatility\framework\plugins\windows\modscan.py", line 50, in _generator
for mod in self.scan_modules(self.context, self.config['primary'], self.config['nt_symbols']):
File "C:\Users\NED\Desktop\volatility3-master\volatility\framework\plugins\windows\modscan.py", line 44, in scan_modules
for result in poolscanner.PoolScanner.generate_pool_scan(context, layer_name, symbol_table, constraints):
File "C:\Users\NED\Desktop\volatility3-master\volatility\framework\plugins\windows\poolscanner.py", line 375, in generate_pool_scan
if mem_object.get_object_header().get_object_type(type_map, cookie) != constraint.object_type:
File "C:\Users\NED\Desktop\volatility3-master\volatility\framework\objects\__init__.py", line 715, in __getattr__
raise AttributeError("{} has no attribute: {}.{}".format(agg_name, self.vol.type_name, attr))
AttributeError: StructType has no attribute: nt_symbols1!_LDR_DATA_TABLE_ENTRY.get_object_header"
Context
Volatility Version: Volatility 3
Operating System: Windows 10
Python Version: Python 3.7
Suspected Operating System: Windows 8
Command: windows.modscan.ModScan