What steps will reproduce the problem?
1. vol.py --plugins=/usr/local/src/volatility-2.0/volatility/plugins -f memory_dump.raw --profile=WinXPSP3x86 malfind -D malfind/ > malfind.out
What is the expected output? What do you see instead?
I get at least partial output, in that some sections are dumped, but this
particular image generates the below error.
What version of the product are you using? On what operating system?
# uname -a
Linux aardvark 2.6.32-32-generic #62-Ubuntu SMP Wed Apr 20 21:52:38 UTC 2011 x86_64 GNU/Linux
malware.py was installed on Nov. 18th...
Image was taken with Helix 2009 R3 live CD
Please provide any additional information below.
# vol.py --plugins=/usr/local/src/volatility-2.0/volatility/plugins -f memory_dump.raw --profile=WinXPSP3x86 malfind -D malfind/ > malfind.out
Volatile Systems Volatility Framework 2.0
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 135, in <module>
main()
File "/usr/local/bin/vol.py", line 126, in main
command.execute()
File "/usr/local/lib/python2.6/dist-packages/volatility/commands.py", line 101, in execute
func(outfd, data)
File "/usr/local/src/volatility-2.0/volatility/plugins/malware.py", line 1042, in render_text
for (name,pid,start,end,tag,prx,fname,hits,chunk) in data:
File "/usr/local/src/volatility-2.0/volatility/plugins/malware.py", line 992, in calculate
for ps_ad, start, end, tag, prx, data in self.get_vads(proc):
File "/usr/local/src/volatility-2.0/volatility/plugins/malware.py", line 909, in get_vads
ps_ad = proc.get_process_address_space()
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/overlays/windows/windows.py", line 197, in get_process_address_space
process_as = self.obj_vm.__class__(self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base)
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 89, in __init__
self.as_assert(getattr(volmag, checkname).v(), "Failed valid Address Space check")
File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 801, in v
return self.get_best_suggestion()
File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 827, in get_best_suggestion
for val in self.get_suggestions():
File "/usr/local/lib/python2.6/dist-packages/volatility/obj.py", line 819, in get_suggestions
for x in self.generate_suggestions():
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/overlays/windows/windows.py", line 505, in generate_suggestions
if (self.obj_vm.vtop(0xffdf0000)) == (self.obj_vm.vtop(0x7ffe0000)):
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 447, in vtop
pte = self.get_pte(vaddr, pde)
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 414, in get_pte
return self._read_long_long_phys(pte_addr)
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/intel.py", line 459, in _read_long_long_phys
string = self.base.read(addr, 8)
File "/usr/local/lib/python2.6/dist-packages/volatility/plugins/addrspaces/standard.py", line 97, in read
self.fhandle.seek(addr)
IOError: [Errno 22] Invalid argument
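Added example, not part of this report or of Volatility's own code: the traceback ends in standard.py seeking the raw image to a physical address computed from a page-table entry, and seek() rejects an address outside the file with EINVAL. The illustrative class below (names and layout are assumptions) bounds-checks every physical read against the image size and propagates None, so one bad PTE in one process does not abort the whole malfind run.

```python
import io
import struct


class FileAddressSpace:
    """Minimal file-backed physical address space (illustrative only).

    Every read is validated against the image size before seeking, so an
    address derived from a corrupt or stale page-table entry returns None
    instead of raising IOError(EINVAL) from fhandle.seek()."""

    def __init__(self, fhandle):
        self.fhandle = fhandle
        fhandle.seek(0, io.SEEK_END)
        self.size = fhandle.tell()

    def is_valid_address(self, addr, length=1):
        # Negative offsets and reads past end-of-image are both invalid.
        return addr >= 0 and addr + length <= self.size

    def read(self, addr, length):
        if not self.is_valid_address(addr, length):
            return None
        self.fhandle.seek(addr)
        data = self.fhandle.read(length)
        return data if len(data) == length else None

    def read_long_long_phys(self, addr):
        # 8-byte entry, little-endian, as used by the PAE paging tables.
        data = self.read(addr, 8)
        return None if data is None else struct.unpack("<Q", data)[0]


def lookup_pte_frame(space, pte_addr):
    """Mimic get_pte(): fetch a PTE at a physical address and return the
    4 KiB page-frame base, or None if the PTE is unreadable or not present."""
    pte = space.read_long_long_phys(pte_addr)
    if pte is None or not (pte & 1):  # bit 0 = present flag
        return None
    return pte & ~0xFFF


def build_sample_image():
    # Constructed 64-byte "image": a present PTE at offset 16 mapping frame
    # 0x1000, and a not-present PTE at offset 24.
    img = bytearray(64)
    img[16:24] = struct.pack("<Q", 0x1000 | 1)
    img[24:32] = struct.pack("<Q", 0x2000)
    return FileAddressSpace(io.BytesIO(bytes(img)))
```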