[Vol-users] Unexplained Errors

Brendan Dolan-Gavitt bdolangavitt at wesleyan.edu
Tue Jul 14 22:48:10 CDT 2009


On Jul 14, 2009, at 9:38 PM, Robert Miller wrote:

> Hello Everyone,
>
> I have been dumping memory on a few systems and when I go to  
> process the memory images I get different errors, some of these I  
> think I've found the answers but not sure on others.
>
> Here are the errors I have seen:
>
> procdump:
> =======
> Memory Not Accessible: Virtual Address: 0x4ad50000 File Offset:  
> 0x50000 Size: 0x1000

This is normal and the message is simply informational -- not all  
virtual addresses in memory will be accessible in a given image (some  
may be swapped out to disk). These messages are an attempt to provide  
you with an audit log so you can determine which portions of the  
executable were retrieved successfully.

> pslist:
> ====
> volatility_v1.3/forensics/win32/crashdump.py:31:  
> DeprecationWarning: the sha module is deprecated; use the hashlib  
> module instead
>  import sha
> *** Unable to load module malfind: No module named pydasm
> *** Unable to load module malfind: No module named pydasm
>
> datetime:
> ======
> /volatility_v1.3/forensics/win32/crashdump.py:31:  
> DeprecationWarning: the sha module is deprecated; use the hashlib  
> module instead
>  import sha
> *** Unable to load module malfind: No module named pydasm
> *** Unable to load module malfind: No module named pydasm
>
> I believe the DeprecationWarning is due to the version of Python,  
> which is 2.6.2

None of these messages should prevent pslist or datetime from  
running. Are you finding that this is the case?

The DeprecationWarning is caused by a stray line from testing that
was left in crashdump.py; the warning is not harmful, but if it
bothers you, you can comment that line out.

> The malfind module, not sure why I downloaded the module and have  
> not looked into it, however there should not be an issue, but there  
> is.

As described here:
http://mnin.blogspot.com/2009/01/malfind-volatility-plug-in.html

you will need pydasm to use malfind:
http://dkbza.org/pydasm.html

> Any Advice?

Hope this helps,
Brendan
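
Added example (not part of the original message, and not Volatility code): a standalone Python 3 script that reads saved procdump output in the "Memory Not Accessible" format quoted above and reports which file-offset ranges of the dumped executable were not retrieved. The function names, the sample log (only its first entry comes from the thread) and the dumped file size are assumptions made for illustration.

```python
import re

# Message format as quoted in the thread; \s* tolerates e-mail/terminal line wrapping.
ENTRY_RE = re.compile(
    r"Memory Not Accessible:\s*Virtual Address:\s*(0x[0-9a-fA-F]+)\s*"
    r"File Offset:\s*(0x[0-9a-fA-F]+)\s*Size:\s*(0x[0-9a-fA-F]+)"
)

def parse_inaccessible(log_text):
    """Return unique (virtual_address, file_offset, size) tuples, sorted by file offset."""
    flat = " ".join(log_text.split())  # undo wrapping before matching
    found = {tuple(int(g, 16) for g in m.groups()) for m in ENTRY_RE.finditer(flat)}
    return sorted(found, key=lambda rec: rec[1])

def merge_ranges(records):
    """Coalesce contiguous or overlapping file-offset ranges into (start, end) pairs."""
    merged = []
    for _va, offset, size in sorted(records, key=lambda rec: rec[1]):
        if merged and offset <= merged[-1][1]:
            merged[-1][1] = max(merged[-1][1], offset + size)
        else:
            merged.append([offset, offset + size])
    return [tuple(r) for r in merged]

def summarize(log_text, dumped_size):
    """Return (missing_ranges, missing_bytes, recovered_fraction) for the dumped file."""
    ranges = merge_ranges(parse_inaccessible(log_text))
    # Clamp to the file size so a range past the end is not counted.
    missing = sum(min(end, dumped_size) - min(start, dumped_size) for start, end in ranges)
    recovered = 1.0 - missing / dumped_size if dumped_size else 0.0
    return ranges, missing, recovered

# Constructed sample: the first entry is the one from the thread (wrapped as it
# was in the e-mail); the other two are made up for the example.
SAMPLE_LOG = """\
Memory Not Accessible: Virtual Address: 0x4ad50000 File Offset:
0x50000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ad51000 File Offset: 0x51000 Size: 0x1000
Memory Not Accessible: Virtual Address: 0x4ad58000 File Offset: 0x58000 Size: 0x1000
"""
SAMPLE_DUMP_SIZE = 0x60000  # assumed size of the dumped executable, in bytes

if __name__ == "__main__":
    ranges, missing, recovered = summarize(SAMPLE_LOG, SAMPLE_DUMP_SIZE)
    for start, end in ranges:
        print("not retrieved: file offsets 0x%x-0x%x" % (start, end - 1))
    print("%d bytes missing, %.1f%% of the file retrieved" % (missing, recovered * 100))
```

Hash or signature results for a dumped executable should be read alongside this list, since the ranges it reports were not read from the image.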

