[Vol-users] Error when using Printkey

Mark Morgan mark.morgan47 at gmail.com
Wed Jan 27 12:12:35 CST 2010


Michael, I fixed the directory structure but now I am getting a segmentation
fault.

morgan/Memory\ Images/PhysicalMemory.bin at 0xe1035b60 -f system

Parsed Plugins file.
Launching compname v.20080324
Segmentation fault

Mark


On Wed, Jan 27, 2010 at 10:01 AM, Michael Hale Ligh <michael.hale at gmail.com> wrote:

> Hey Mark,
>
> Do you have the following directory structure?
>
> $VOLHOME/volatility
> $VOLHOME/rip.pl
> $VOLHOME/vtypes.py
> $VOLHOME/rrplugins
> $VOLHOME/regwrap.py
>
> vtypes.py should be in the same directory as rip.pl but according to your
> output, rip.pl can't find vtypes.py.
>
> MHL
>
> On Wed, Jan 27, 2010 at 12:53 PM, Mark Morgan <mark.morgan47 at gmail.com> wrote:
>
>> Michael, thanks for the info.  I got past that little problem but have one
>> problem when I am processing the image using the regripper through
>> volatility.  I downloaded the latest volreg and volrip into the latest svn
>> version.  I ran the following command:
>>
>> root at morgan-laptop:/digitalforensics/Volatility-1.4_beta1# perl rip.pl -r /home/morgan/Memory\Images\PhysicalMemory.bin at 0xe1035b60 -f system
>>
>> And I get the following error:
>>
>>
>> Traceback (most recent call last):
>>   File "<string>", line 1, in <module>
>> ImportError: No module named vtypes
>> Error -- py_eval raised an exception at rip.pl line 21.
>>
>> Have I left something out or am I simply missing a step?
>>
>> Mark
>>
>>
>>
>>
>>
>> On Tue, Jan 26, 2010 at 5:03 PM, Michael Cohen <scudette at gmail.com> wrote:
>>
>>> Mark,
>>>  The following will check out all branches (including experimental):
>>>
>>> svn checkout http://volatility.googlecode.com/svn/ volatility
>>>
>>> Michael.
>>>
>>> On Wed, Jan 27, 2010 at 11:58 AM, Mark Morgan <mark.morgan47 at gmail.com> wrote:
>>> > I do not have the beta branch.  Where do you get that version?
>>> >
>>> > Mark
>>> >
>>> >
>>> > On Tue, Jan 26, 2010 at 3:31 PM, Michael Cohen <scudette at gmail.com> wrote:
>>> >>
>>> >> Mark,
>>> >>  Are you getting the same bug with the 1.4beta branch?  We have
>>> >> rewritten much of the object framework. It looks like it's passing an
>>> >> int rather than an object somewhere here.
>>> >>
>>> >> Michael.
>>> >>
>>> >> On Wed, Jan 27, 2010 at 9:19 AM, Mark Morgan <mark.morgan47 at gmail.com> wrote:
>>> >> > I am trying to use printkey against a Windows XP image and keep
>>> >> > getting an error when I use printkey.  I have also provided the
>>> >> > commands I used for hivescan and hivelist which work great but
>>> >> > printkey does not.  Does anyone have any suggestions as to why?  I
>>> >> > initially thought it was because it was SP3 so I ran the same plugins
>>> >> > against the xp-laptop-2005-06-25.img that was suggested to use in
>>> >> > Brendan's guide but I get the same results.  Anyone have any thoughts
>>> >> > as to why???
>>> >> >
>>> >> >
>>> >> > Mark Morgan
>>> >> > 702-942-2556
>>> >> >
>>> >> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin
>>> >> >
>>> >> > Offset (hex)
>>> >> > 181006344 0xac9f008
>>> >> > 181033824 0xaca5b60
>>> >> > 189972488 0xb52c008
>>> >> > 202671368 0xc148508
>>> >> > 544586592 0x2075bb60
>>> >> > 642878304 0x26518b60
>>> >> > 643895304 0x26611008
>>> >> > 678736920 0x2874b418
>>> >> > 740933640 0x2c29c008
>>> >> > 742706016 0x2c44cb60
>>> >> > 789179232 0x2f09eb60
>>> >> > 798029088 0x2f90f520
>>> >> > 1107776776 0x42075508
>>> >> > 1874516240 0x6fbad910
>>> >> >
>>> >> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xac9f008
>>> >> >
>>> >> > Address Name
>>> >> > 0xe6348910 \Documents and Settings\144553\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
>>> >> > 0xebe6e508 \Documents and Settings\144553\NTUSER.DAT
>>> >> > 0xe8287508 \WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
>>> >> > 0xe1895520 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
>>> >> > 0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT
>>> >> > 0xe1396008 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
>>> >> > 0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT
>>> >> > 0xe4f8eb60 \WINDOWS\system32\config\SAM
>>> >> > 0xe77b9b60 \WINDOWS\system32\config\SECURITY
>>> >> > 0xe77cd008 \WINDOWS\system32\config\SOFTWARE
>>> >> > 0xe77ca418 \WINDOWS\system32\config\DEFAULT
>>> >> > 0xe18b6008 [no name]
>>> >> > 0xe1035b60 \WINDOWS\system32\config\SYSTEM
>>> >> > 0xe102e008 [no name]
>>> >> >
>>> >> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xe1035b60
>>> >> >
>>> >> > Key name: [9252] (Stable)
>>> >> > Last updated: Wed Jul 29 02:08:26 2009
>>> >> > Subkeys:
>>> >> > Traceback (most recent call last):
>>> >> >   File "./volatility", line 219, in <module>
>>> >> >     main()
>>> >> >   File "./volatility", line 215, in main
>>> >> >     command.execute()
>>> >> >   File "memory_plugins/registry/printkey.py", line 97, in execute
>>> >> >     for s in subkeys(key):
>>> >> >   File "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py", line 144, in subkeys
>>> >> >     s.is_valid() and s.Signature == NK_SIG]
>>> >> > AttributeError: 'int' object has no attribute 'is_valid'
>>> >> >
>>> >> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin
>>> >> >
>>> >> > Image Name: /home/morgan/Memory Images/PhysicalMemory.bin
>>> >> > Image Type: Service Pack 3
>>> >> > VM Type: pae
>>> >> > DTB: 0x33e000
>>> >> > Datetime: Tue Aug 04 11:02:35 2009
>>> >> >
>>> >> > _______________________________________________
>>> >> > Vol-users mailing list
>>> >> > Vol-users at volatilityfoundation.org
>>> >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>> >> >
>>> >> >
>>> >
>>> >
>>>
>>
>>
>