[Vol-users] Error when using Printkey

Michael Cohen scudette at gmail.com
Wed Jan 27 21:04:49 CST 2010


Mark,
  AFAIK the regripper stuff was written for use with the vol1.3 branch. I
don't know if it works with 1.4 beta. We converted the basic functions
to vol1.4 - i.e. you can look at keys, list them etc., but I'm not sure
about the perl/python interface - I suspect that's what's causing the
segfault. I think I was toying with the notion of writing regripper in
python but I was not that motivated :-)

To make sure what is crashing, run "gdb perl", then type

  r rip.pl -r /home/morgan/Memory\Images\PhysicalMemory.bin at 0xe1035b60 -f system

to run it. When it segfaults you can type "bt" to show a backtrace or dump
core.

From memory there were serious problems with the regripper bindings
which unfortunately stemmed from basic design flaws in perl and so
probably that would never be more useful than a mere toy POC.  The
biggest problem I think was that perl has this stupid concept of a
function called in list or string context which allows it to behave
completely differently in each case. When binding a normal language to
perl code it is impossible to predict which context the perl function
expects to get called in and how to map that to a normal function
call. There might have been other problems, I'm not sure.

Hope this helps,
Michael.

On Thu, Jan 28, 2010 at 4:53 AM, Mark Morgan <mark.morgan47 at gmail.com> wrote:
> Michael thanks for the info.  I got past that little problem but have one
> problem when I am processing the image using the regripper through
> volatility.  I downloaded the latest volreg and volrip into the latest svn
> version.  I ran the following command:
>
> root at morgan-laptop:/digitalforensics/Volatility-1.4_beta1# perl rip.pl -r
> /home/morgan/Memory\Images\PhysicalMemory.bin at 0xe1035b60 -f system
>
> And I get the following error:
>
> Traceback (most recent call last):
>   File "<string>", line 1, in <module>
> ImportError: No module named vtypes
> Error -- py_eval raised an exception at rip.pl line 21.
>
> Have I left something out or am I simply missing a step?
>
> Mark
>
> On Tue, Jan 26, 2010 at 5:03 PM, Michael Cohen <scudette at gmail.com> wrote:
>>
>> Mark,
>>  The following will check out all branches (including experimental):
>>
>> svn checkout http://volatility.googlecode.com/svn/ volatility
>>
>> Michael.
>>
>> On Wed, Jan 27, 2010 at 11:58 AM, Mark Morgan <mark.morgan47 at gmail.com>
>> wrote:
>> > I do not have the beta branch.  Where do you get that version?
>> >
>> > Mark
>> >
>> >
>> > On Tue, Jan 26, 2010 at 3:31 PM, Michael Cohen <scudette at gmail.com>
>> > wrote:
>> >>
>> >> Mark,
>> >>  Are you getting the same bug with the 1.4beta branch?  We have
>> >> rewritten much of the object framework. It looks like it's passing an
>> >> int rather than an object somewhere here.
>> >>
>> >> Michael.
>> >>
>> >> On Wed, Jan 27, 2010 at 9:19 AM, Mark Morgan <mark.morgan47 at gmail.com>
>> >> wrote:
>> >> > I am trying to use printkey against a Windows XP image and keep getting
>> >> > an error when I use printkey.  I have also provided the commands I used
>> >> > for hivescan and hivelist which work great but printkey does not.  Does
>> >> > anyone have any suggestions as to why?  I initially thought it was because
>> >> > it was SP3 so I ran the same plugins against the xp-laptop-2005-06-25.img
>> >> > that was suggested to use in Brendan's guide but I get the same results.
>> >> > Anyone have any thoughts as to why???
>> >> >
>> >> >
>> >> > Mark Morgan
>> >> > 702-942-2556
>> >> >
>> >> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin
>> >> >
>> >> > Offset (hex)
>> >> > 181006344 0xac9f008
>> >> > 181033824 0xaca5b60
>> >> > 189972488 0xb52c008
>> >> > 202671368 0xc148508
>> >> > 544586592 0x2075bb60
>> >> > 642878304 0x26518b60
>> >> > 643895304 0x26611008
>> >> > 678736920 0x2874b418
>> >> > 740933640 0x2c29c008
>> >> > 742706016 0x2c44cb60
>> >> > 789179232 0x2f09eb60
>> >> > 798029088 0x2f90f520
>> >> > 1107776776 0x42075508
>> >> > 1874516240 0x6fbad910
>> >> >
>> >> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xac9f008
>> >> >
>> >> > Address Name
>> >> > 0xe6348910 \Documents and Settings\144553\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
>> >> > 0xebe6e508 \Documents and Settings\144553\NTUSER.DAT
>> >> > 0xe8287508 \WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
>> >> > 0xe1895520 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
>> >> > 0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT
>> >> > 0xe1396008 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
>> >> > 0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT
>> >> > 0xe4f8eb60 \WINDOWS\system32\config\SAM
>> >> > 0xe77b9b60 \WINDOWS\system32\config\SECURITY
>> >> > 0xe77cd008 \WINDOWS\system32\config\SOFTWARE
>> >> > 0xe77ca418 \WINDOWS\system32\config\DEFAULT
>> >> > 0xe18b6008 [no name]
>> >> > 0xe1035b60 \WINDOWS\system32\config\SYSTEM
>> >> > 0xe102e008 [no name]
>> >> >
>> >> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xe1035b60
>> >> >
>> >> > Key name: [9252] (Stable)
>> >> > Last updated: Wed Jul 29 02:08:26 2009
>> >> >
>> >> > Subkeys:
>> >> > Traceback (most recent call last):
>> >> >   File "./volatility", line 219, in <module>
>> >> >     main()
>> >> >   File "./volatility", line 215, in main
>> >> >     command.execute()
>> >> >   File "memory_plugins/registry/printkey.py", line 97, in execute
>> >> >     for s in subkeys(key):
>> >> >   File "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py", line 144, in subkeys
>> >> >     s.is_valid() and s.Signature == NK_SIG]
>> >> > AttributeError: 'int' object has no attribute 'is_valid'
>> >> >
>> >> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin
>> >> >
>> >> > Image Name: /home/morgan/Memory Images/PhysicalMemory.bin
>> >> > Image Type: Service Pack 3
>> >> > VM Type: pae
>> >> > DTB: 0x33e000
>> >> > Datetime: Tue Aug 04 11:02:35 2009
>> >> >
>> >> > _______________________________________________
>> >> > Vol-users mailing list
>> >> > Vol-users at volatilityfoundation.org
>> >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
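The printkey traceback at the bottom of the thread dies inside a list comprehension of the form `s.is_valid() and s.Signature == NK_SIG` because, as Michael diagnoses, one entry of the subkey list arrives as a raw int offset instead of a parsed cell object. The following is an added example, not Volatility's own code, that models the same failure on a constructed hive-like byte buffer and shows a walker that dereferences offsets against the image and validates bounds and signature before touching the cell. `Cell`, `subkeys_fragile`, `subkeys_checked` and the sample layout are assumptions made for the example; `NK_SIG = b"nk"` is the standard "nk" key-cell signature and is assumed to match the `NK_SIG` referenced in rawreg.py.

```python
import struct

# Registry key cell signature ("nk"); assumed to match NK_SIG in rawreg.py.
NK_SIG = b"nk"


class Cell:
    """Minimal stand-in for a parsed registry cell (hypothetical; not Volatility's object model).

    A hive cell starts with a signed 32-bit size (negative when allocated),
    followed by a two-byte signature such as b"nk" (key) or b"lf" (subkey list).
    """

    def __init__(self, image, offset):
        self.image = image
        self.offset = offset

    def is_valid(self):
        # Bounds check: the size field and the signature must lie inside the image,
        # so an offset read from a corrupt or unmapped page never indexes past the buffer.
        return 0 <= self.offset and self.offset + 6 <= len(self.image)

    @property
    def Signature(self):
        return self.image[self.offset + 4:self.offset + 6]


def subkeys_fragile(entries):
    """Same shape as the comprehension in the 1.3 traceback: every entry is assumed to be an object."""
    return [s for s in entries if s.is_valid() and s.Signature == NK_SIG]


def subkeys_checked(image, entries):
    """Dereference each subkey-list entry against the image and keep only valid 'nk' cells."""
    found = []
    for entry in entries:
        if isinstance(entry, int):
            cell = Cell(image, entry)        # a raw offset: turn it into an object first
        elif isinstance(entry, Cell):
            cell = entry
        else:
            # Anything else is a framework bug; fail loudly rather than silently dropping it.
            raise TypeError("subkey list entry is %r, expected offset or Cell" % (entry,))
        if cell.is_valid() and cell.Signature == NK_SIG:
            found.append(cell)
    return found


def build_image():
    """Constructed sample image: three 16-byte allocated cells laid out back to back."""
    def cell(sig):
        return struct.pack("<i", -16) + sig + b"\x00" * 10
    return cell(b"nk") + cell(b"lf") + cell(b"nk")


SAMPLE_IMAGE = build_image()
# Constructed subkey list: two "nk" cells, one "lf" cell, one offset beyond the end of the image.
SAMPLE_ENTRIES = [0, 16, 32, 4096]


def demo_fragile():
    """Returns the AttributeError text produced when raw ints reach the fragile walker."""
    try:
        subkeys_fragile(SAMPLE_ENTRIES)
    except AttributeError as exc:
        return str(exc)
    return None


def demo_checked():
    """Returns the offsets of the cells the checked walker accepts."""
    return [c.offset for c in subkeys_checked(SAMPLE_IMAGE, SAMPLE_ENTRIES)]


if __name__ == "__main__":
    print("fragile walker:", demo_fragile())
    print("checked walker accepts offsets:", demo_checked())
```

Running the block reproduces the exact message from the thread (`'int' object has no attribute 'is_valid'`) for the fragile walker, while the checked walker returns only the two in-bounds "nk" cells and rejects both the "lf" cell and the offset past the end of the image. The same discipline (dereference, bounds-check, then verify the signature) is what keeps a registry parser from crashing or reading garbage when a pointer recovered from a memory image is stale or paged out.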