Comments on Push the Red Button: Plugin Post: Robust Process Scanner
Blog author: Brendan Dolan-Gavitt (http://www.blogger.com/profile/17143824408632888880)
Comment feed last updated: 2024-03-07T06:22:55-05:00

Unknown (https://www.blogger.com/profile/00164569246675572317), 2010-08-05T10:11:27-04:00:

I just did a svn checkout on 1.3.2 and dropped in psscan3 and I get the following errors

    spaz:memory_plugins larry$ ls
    example1.py example2.py example3.py example4.py
    example1.pyc example2.pyc example3.pyc example4.pyc
    spaz:memory_plugins larry$ cp ../../Volatility-1.3_Beta/memory_plugins/psscan3.py .
    spaz:memory_plugins larry$ cd ..
    spaz:Volatility-1.3.2 larry$ python volatility psscan3
    Traceback (most recent call last):
      File "volatility", line 219, in
        main()
      File "volatility", line 215, in main
        command.execute()
      File "/Volumes/Shared/vola/Volatility-1.3.2/memory_plugins/psscan3.py", line 164, in execute
        space = FileAddressSpace(self.opts.filename)
      File "/Volumes/Shared/vola/Volatility-1.3.2/forensics/addrspace.py", line 44, in __init__
        self.fhandle = open(fname, mode)
    TypeError: coercing to Unicode: need string or buffer, NoneType found

Brendan Dolan-Gavitt (https://www.blogger.com/profile/17143824408632888880), 2010-07-09T16:08:49-04:00:

Jamie,

Great point! This is one of the things we mention in the paper. The signature used in the scanner I posted was trained on live processes. When a process exits, one of the things that gets zeroed out is the ObjectTable member, which is used in this signature. You can actually just comment out the check:

    self.add_constraint(self.check_object_table)

This doesn't introduce any false positives, but it does allow exited processes to be found. And the whole thing remains as robust as before :)

Brendan Dolan-Gavitt (https://www.blogger.com/profile/17143824408632888880), 2010-07-09T11:27:05-04:00:

Network Forensics,

Can you try using this with a clean copy of Volatility 1.3.2 (i.e., check out the source to a new directory, and then drop psscan3 in memory_plugins), and let me know if the problem persists?

Thanks,
Brendan

Jamie Butler (https://www.blogger.com/profile/14804311854971869225), 2010-07-08T19:27:44-04:00:

Great blog post. Memoryze has always used some extra, secondary sanity checks other than DISPATCHER_HEADER, but we obviously rely on that one too much.

I am curious if by adding these new checks for process discovery do you no longer identify some processes that have exited, which may violate some of the assumptions or rules because the OS has freed or zeroed out those parts of the EPROCESS?

Network Forensics (https://www.blogger.com/profile/16054348739373215959), 2010-07-08T17:15:48-04:00:

That should say 1.3.2 for the version of volatility.

Network Forensics (https://www.blogger.com/profile/16054348739373215959), 2010-07-08T17:15:10-04:00:

I am using volatility 1.2.3 and I updated to version 309 using svn. I have tried it on my windows machines as well as my ubuntu machine. I just don't know if I did not update it correctly or what.

Brendan Dolan-Gavitt (https://www.blogger.com/profile/17143824408632888880), 2010-07-07T17:49:57-04:00:

Hi,

What version of Volatility are you using? I've tested the plugin with the most recent stable version of Volatility (1.3.2), which you can get by doing:

    svn checkout http://volatility.googlecode.com/svn/tags/Volatility-1.3.2

Network Forensics (https://www.blogger.com/profile/16054348739373215959), 2010-07-07T13:03:28-04:00:

I can run pscan2 successfully against your image but I get the following error when I run psscan3:

    $ python volatility psscan3 -f /g/ds_fuzz_hidden_proc.img
    YARA is not installed, see http://code.google.com/p/yara-project/
    c:\Python26\lib\site-packages\Crypto\Hash\MD5.py:6: DeprecationWarning: the md5 module is deprecated; use hashlib instead
      from md5 import *
    PID    PPID   Time created             Time exited              Offset     PDB        Remarks
    ------ ------ ------------------------ ------------------------ ---------- ---------- ----------------
    Scanner () on Offset 0 Error: pop from empty list
    Traceback (most recent call last):
      File "volatility", line 219, in
        main()
      File "volatility", line 215, in main
        command.execute()
      File "c:\Volatility\Volatility\memory_plugins/psscan3.py", line 169, in execute
        scan_addr_space(search_space,scanners)
      File "c:\Volatility\Volatility\forensics\win32\scan2.py", line 218, in scan_addr_space
        o.process(chunk,as_offset+poffset, metadata=metadata)
      File "c:\Volatility\Volatility\forensics\win32\scan2.py", line 148, in process
        self.process_buffer(buf,self.offset,metadata)
      File "c:\Volatility\Volatility\memory_plugins/psscan3.py", line 53, in process_buffer
        match_count = self.check_addr(buf, i)
      File "c:\Volatility\Volatility\memory_plugins/psscan3.py", line 39, in check_addr
        val = func(buff,found)
      File "c:\Volatility\Volatility\memory_plugins/psscan3.py", line 99, in check_vadroot
        val = read_obj_from_buf(buf, types, field, found)
      File "c:\Volatility\Volatility\forensics\object.py", line 250, in read_obj_from_buf
        (offset, current_type) = get_obj_offset(data_types,member_list)
      File "c:\Volatility\Volatility\forensics\object.py", line 204, in get_obj_offset
        current_type = member_list.pop()
    IndexError: pop from empty list

any ideas??