[Vol-users] Error when using Printkey

Michael Cohen scudette at gmail.com
Tue Jan 26 17:31:35 CST 2010


Mark,
  Are you getting the same bug with the 1.4beta branch?  We have
rewritten much of the object framework. It looks like it's passing an
int rather than an object somewhere here.

Michael.

On Wed, Jan 27, 2010 at 9:19 AM, Mark Morgan <mark.morgan47 at gmail.com> wrote:
> I am trying to use printkey against a Windows XP image and keep getting an
> error when I use printkey.  I have also provided the commands I used for
> hivescan and hivelist which work great but printkey does not.  Does anyone
> have any suggestions as to why?  I initially thought it was because it was
> SP3 so I ran the same plugins against the xp-laptop-2005-06-25.img that was
> suggested to use in Brendan's guide but I get the same results.  Anyone have
> any thoughts as to why???
>
>
> Mark Morgan
> 702-942-2556
>
> morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin
> Offset (hex)
> 181006344 0xac9f008
> 181033824 0xaca5b60
> 189972488 0xb52c008
> 202671368 0xc148508
> 544586592 0x2075bb60
> 642878304 0x26518b60
> 643895304 0x26611008
> 678736920 0x2874b418
> 740933640 0x2c29c008
> 742706016 0x2c44cb60
> 789179232 0x2f09eb60
> 798029088 0x2f90f520
> 1107776776 0x42075508
> 1874516240 0x6fbad910
>
> morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xac9f008
> Address Name
> 0xe6348910 \Documents and Settings\144553\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
> 0xebe6e508 \Documents and Settings\144553\NTUSER.DAT
> 0xe8287508 \WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
> 0xe1895520 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
> 0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT
> 0xe1396008 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
> 0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT
> 0xe4f8eb60 \WINDOWS\system32\config\SAM
> 0xe77b9b60 \WINDOWS\system32\config\SECURITY
> 0xe77cd008 \WINDOWS\system32\config\SOFTWARE
> 0xe77ca418 \WINDOWS\system32\config\DEFAULT
> 0xe18b6008 [no name]
> 0xe1035b60 \WINDOWS\system32\config\SYSTEM
> 0xe102e008 [no name]
>
> morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xe1035b60
> Key name: [9252] (Stable)
> Last updated: Wed Jul 29 02:08:26 2009
> Subkeys:
> Traceback (most recent call last):
>   File "./volatility", line 219, in <module>
>     main()
>   File "./volatility", line 215, in main
>     command.execute()
>   File "memory_plugins/registry/printkey.py", line 97, in execute
>     for s in subkeys(key):
>   File "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py", line 144, in subkeys
>     s.is_valid() and s.Signature == NK_SIG]
> AttributeError: 'int' object has no attribute 'is_valid'
>
> morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin
> Image Name: /home/morgan/Memory Images/PhysicalMemory.bin
> Image Type: Service Pack 3
> VM Type: pae
> DTB: 0x33e000
> Datetime: Tue Aug 04 11:02:35 2009
>