jessekornblum: Fixing the 'suspicious.py' Volatility module

jessekornblum (

jessekornblum) wrote,
@ 2009-02-14 11:06:00

Entry tags:

hacking, memory analysis

Fixing the 'suspicious.py' Volatility module
Several people have asked about the following error when using the suspicious.py plugin for Volatility:

Traceback (most recent call last):
  File "volatility", line 219, in 
    main()
  File "volatility", line 201, in main
    MemoryRegistry.Init()
  File "/Users/jessek/Volatility-1.3_Beta/forensics/registry.py", line 269, in Init
    OBJECT_CLASSES = VolatilityObjectRegistry(object2.Object)
  File "/Users/jessek/Volatility-1.3_Beta/forensics/registry.py", line 244, in __init__
    raise Exception("Object %s has already been defined by %s" % (obj,self.objects[obj]))
Exception: Object _EPROCESS has already been defined by class 'example3._eprocess'="'example3._EPROCESS'">

The error is caused by a collision of the _EPROCESS object in suspicious.py and example3.py. The easiest way to solve the problem is to remove example3.py from the memory_plugins directory.

(1 comment) - (Post a new comment)

(Anonymous)
2009-02-17 03:49 pm UTC (link)

When I run the script, I get the following error...

Traceback (most recent call last):
File "volatility", line 219, in
main()
File "volatility", line 215, in main
command.execute()
File "memory_plugins/suspicious.py", line 106, in execute
command_line = eprocess.CommandLine
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 96, in __getattribute__
return object.__getattribute__(self, attr)
File "memory_plugins/suspicious.py", line 155, in getCommandLine
if mypeb.ProcessParameters is None:
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 122, in __getattribute__
base_address = self.get_member(attr).v()
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 251, in v
return self.value()
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 255, in value
return self.type.v(self)
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 340, in v
return self.value(theObject)
File "C:\Documents and Settings\User\My Documents\Volatility-1.3_Beta\forensics\object2.py", line 344, in value
theObject.vm.read(theObject.offset, self.size))
File "C:\Python25\lib\struct.py", line 87, in unpack
return o.unpack(s)
struct.error: unpack requires a string argument of length 4

Is there another file that needs to be removed? Thanks.

(Reply to this)

(1 comment) - (Post a new comment)

Username:		Create an Account Forgot your login or password? Login w/ OpenID
Password:
	Remember Me
	English • Español • Deutsch • Русский…

About

Help

Get Involved

Legal

Store

LJ Labs