jessekornblum wrote,
@ 2009-07-05 12:38:00
Entry tags: hacking, memory analysis

Volatility Call for Bugs
We are aiming to release a new version of the Volatility Framework for memory analysis at the start of August 2009. Although no software is ever perfect, we'd like to publish the best possible code. As such, we're asking everybody to please test out the current version and tell us about any bugs they find.

The code is available on the Volatility homepage on Google Code. As noted on their site, you can download the latest version using Subversion as follows:

svn checkout http://volatility.googlecode.com/svn/trunk/ volatility-read-only

You can download some sample memory images from NIST or hogfly's memory exemplar project, but please feel free to test the framework with your own memory images. Lots of testing has been done with the above images, so the best way to find new bugs is with new memory images! Remember that the framework only supports Windows XP Service Pack 2 and 3.

When you find a bug, you can post a comment here, visit the developers on IRC at #Volatility on freenode.net, or write to the developers' mailing list.

Even better than finding a bug is fixing one! By all means please take a stab at fixing whatever problems you find. The best way to submit patches is to make changes to the checked out code and generate a patch file. You can create a patch file like this:

svn diff > mypatches

Here's an example patch to let Volatility run on big-endian systems. Good hunting!
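As an added illustration of the patch workflow above (this is example code, not from the original post or the Volatility project), the script below builds a unified diff of a contributor's edits, the same form of output that `svn diff > mypatches` produces, and then shows what a maintainer does on receipt: dry-run apply it against a pristine copy of trunk so that a stale or hand-edited patch is caught before review. The tree, the `endian.py` file and the byte-order edit are all constructed for the demonstration and stand in for a hypothetical big-endian fix; the tools used are POSIX `diff` and `patch`, not Subversion.

```shell
#!/bin/sh
# Added example, not code from the original post or the Volatility project.
# Every path, file and edit below is constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for a pristine trunk checkout: one small source file whose
# struct format uses native byte order (wrong on a big-endian host
# reading an x86 memory image).
mkdir -p "$WORK/trunk/forensics"
cat > "$WORK/trunk/forensics/endian.py" <<'EOF'
import struct

def read_u32(buf, off):
    # Native byte order: decodes differently on a big-endian host
    return struct.unpack("I", buf[off:off + 4])[0]
EOF

# Contributor's working copy: same tree plus the hypothetical fix, which
# makes the little-endian layout of the image explicit.
cp -R "$WORK/trunk" "$WORK/working"
cat > "$WORK/working/forensics/endian.py" <<'EOF'
import struct

def read_u32(buf, off):
    # Explicit little-endian: x86 images decode the same on any host
    return struct.unpack("<I", buf[off:off + 4])[0]
EOF

# make_patch <pristine-tree> <working-tree> <outfile>
# Mirrors `svn diff > mypatches`: a recursive unified diff of the two trees.
# diff exits 1 when the trees differ and 2 on error; only 2 is a failure.
make_patch() {
    status=0
    (cd "$WORK" && diff -ruN "$1" "$2") > "$3" || status=$?
    [ "$status" -le 1 ]
}

# count_hunks <patchfile>: number of @@ hunk headers, a quick size check
count_hunks() {
    grep -c '^@@' "$1"
}

# patch_applies <patchfile> <tree>: dry-run apply, nothing on disk changes.
# -p1 strips the leading tree name from the diff paths, -N refuses hunks
# that look already applied, -s keeps patch quiet.
patch_applies() {
    patch -p1 -N -s --dry-run -d "$2" < "$1" >/dev/null 2>&1
}

make_patch trunk working "$WORK/mypatches"

# Maintainer side: a fresh pristine copy of trunk to test the patch against.
cp -R "$WORK/trunk" "$WORK/verify"
if patch_applies "$WORK/mypatches" "$WORK/verify"; then
    echo "patch applies cleanly ($(count_hunks "$WORK/mypatches") hunk(s))"
else
    echo "patch does not apply; ask for a refresh against current trunk"
fi

# A tree whose file has since diverged from what the patch expects: the
# dry run fails instead of leaving a half-applied working copy behind.
mkdir -p "$WORK/stale/forensics"
printf 'def read_u32(buf, off):\n    return 0\n' > "$WORK/stale/forensics/endian.py"
if patch_applies "$WORK/mypatches" "$WORK/stale"; then
    echo "unexpected: stale tree accepted the patch"
else
    echo "stale tree rejected the patch, as it should"
fi
```

The dry run is the useful habit here: a patch generated against an older checkout often still looks plausible in review, and `patch --dry-run` against a clean copy of trunk reports the failing hunks without modifying anything, so the contributor can be asked to regenerate it before any code is merged.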

(2 comments) - (Post a new comment)

Hivedump
markmorgan47
2009-07-16 02:48 pm UTC
I can get all the scripts to work except for hivedump, cachedump, and lsadump. I loaded python 2.6 with pycrypto and am using volatility 1.3 Beta. When I run hivedump I get the following error:

C:\VolMem2>python volatility hivedump -f h:\memory.img -o 0xa4cb008 -v
C:\VolMem2\forensics\win32\crashdump.py:31: DeprecationWarning: the sha modul
s deprecated; use the hashlib module instead
  import sha
C:\Python26\lib\site-packages\Crypto\Hash\MD5.py:6: DeprecationWarning: the m
module is deprecated; use hashlib instead
  from md5 import *
Dumping \Documents and Settings\mmorgan\Local Settings\Application Data\Micro
t\Windows\UsrClass.dat => e138fb60.csv
Dumping \Documents and Settings\mmorgan\NTUSER.DAT => e1393b60.csv
Traceback (most recent call last):
  File "volatility", line 219, in
    main()
  File "volatility", line 215, in main
    command.execute()
  File "memory_plugins\registry/hivedump.py", line 84, in execute
    dump_registry_hive(space, name, prof, include_vals=self.opts.values)
  File "C:\VolMem2\forensics\win32\regdump.py", line 34, in dump_registry_hiv
    (tp, data) = value_string(v)
  File "C:\VolMem2\forensics\win32\rawreg.py", line 220, in value_string
    tp, data = value_data(val)
  File "C:\VolMem2\forensics\win32\rawreg.py", line 171, in value_data
    for chunk in big_data.List:
TypeError: 'int' object is not iterable

Please let me know if I need to uninstall Python 2.6 and revert to python 2.5.

Thanks.

Mark


Re: Hivedump
jessekornblum
2009-07-16 09:31 pm UTC
Hi Mark,

The sha DeprecationWarnings you've posted about are a known issue. The other issue you're experiencing is new, but I'm not sure what's causing it.

Would you mind reposting your problem to the Volatility Users Mailing List? There are more people there who can help.

cheers
