[Vol-users] Error when using Printkey

Brendan Dolan-Gavitt bdolangavitt at wesleyan.edu
Thu Jan 28 00:22:31 CST 2010


Hi,

As far as I know VolRip does not currently work with 1.4. It was developed for 1.3, and should be working on that version. I've seen two things cause the error you saw originally:

1. Not having the volreg tarball unpacked correctly. In particular, make sure memory_objects/Windows/registry.py exists.
2. Several months ago, there was a bug in 1.3 that prevented custom object behaviors from working correctly, which could also cause the error you saw. If you happened to pull a version from SVN at that point, you could run into trouble.

Could you try the following?

1. Get the latest version of 1.3:
	svn checkout http://volatility.googlecode.com/svn/trunk/Volatility
2. Unpack VolReg into the Volatility directory
3. Unpack VolRip into the Volatility directory
4. Run the following on the xp-laptop-2005-06-25.img image (available from NIST):
	python volatility printkey -o 0xe1035b60 -f /home/moyix/mem-images/xp-laptop-2005-06-25.img

You should get a listing of the keys in the SYSTEM hive. If any of these steps fail, write back and let me know where and how, and we can go from there.

Thanks,
Brendan Dolan-Gavitt

On Jan 27, 2010, at 1:12 PM, Mark Morgan wrote:

> Michael, I fixed the directory structure but now I am getting a segmentation fault.
>
> morgan/Memory\ Images/PhysicalMemory.bin@0xe1035b60 -f system
>
> Parsed Plugins file.
> Launching compname v.20080324
> Segmentation fault
>
> Mark
>
>
> On Wed, Jan 27, 2010 at 10:01 AM, Michael Hale Ligh <michael.hale at gmail.com> wrote:
> Hey Mark,
>
> Do you have the following directory structure?
>
> $VOLHOME/volatility
> $VOLHOME/rip.pl
> $VOLHOME/vtypes.py
> $VOLHOME/rrplugins
> $VOLHOME/regwrap.py
>
> vtypes.py should be in the same directory as rip.pl but according to your output, rip.pl can't find vtypes.py.
>
> MHL
>
> On Wed, Jan 27, 2010 at 12:53 PM, Mark Morgan <mark.morgan47 at gmail.com> wrote:
> Michael, thanks for the info. I got past that little problem but have one problem when I am processing the image using the regripper through volatility. I downloaded the latest volreg and volrip into the latest svn version. I ran the following command:
>
> root@morgan-laptop:/digitalforensics/Volatility-1.4_beta1# perl rip.pl -r /home/morgan/Memory\Images\PhysicalMemory.bin@0xe1035b60 -f system
>
> And I get the following error:
>
>
> Traceback (most recent call last):
>   File "<string>", line 1, in <module>
> ImportError: No module named vtypes
> Error -- py_eval raised an exception at rip.pl line 21.
>
> Have I left something out or am I simply missing a step?
>
> Mark
>
>
>
>
>
> On Tue, Jan 26, 2010 at 5:03 PM, Michael Cohen <scudette at gmail.com> wrote:
> Mark,
>  The following will check out all branches (including experimental):
>
> svn checkout http://volatility.googlecode.com/svn/ volatility
>
> Michael.
>
> On Wed, Jan 27, 2010 at 11:58 AM, Mark Morgan <mark.morgan47 at gmail.com> wrote:
> > I do not have the beta branch.  Where do you get that version?
> >
> > Mark
> >
> >
> > On Tue, Jan 26, 2010 at 3:31 PM, Michael Cohen <scudette at gmail.com> wrote:
> >>
> >> Mark,
> >> Are you getting the same bug with the 1.4beta branch? We have rewritten much of the object framework. It looks like it's passing an int rather than an object somewhere here.
> >>
> >> Michael.
> >>
> >> On Wed, Jan 27, 2010 at 9:19 AM, Mark Morgan <mark.morgan47 at gmail.com> wrote:
> >> > I am trying to use printkey against a Windows XP image and keep getting an error when I use printkey. I have also provided the commands I used for hivescan and hivelist, which work great, but printkey does not. Does anyone have any suggestions as to why? I initially thought it was because it was SP3, so I ran the same plugins against the xp-laptop-2005-06-25.img that was suggested to use in Brendan's guide, but I get the same results. Anyone have any thoughts as to why?
> >> >
> >> >
> >> > Mark Morgan
> >> > 702-942-2556
> >> >
> >> > morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin
> >> >
> >> > Offset (hex)
> >> > 181006344 0xac9f008
> >> > 181033824 0xaca5b60
> >> > 189972488 0xb52c008
> >> > 202671368 0xc148508
> >> > 544586592 0x2075bb60
> >> > 642878304 0x26518b60
> >> > 643895304 0x26611008
> >> > 678736920 0x2874b418
> >> > 740933640 0x2c29c008
> >> > 742706016 0x2c44cb60
> >> > 789179232 0x2f09eb60
> >> > 798029088 0x2f90f520
> >> > 1107776776 0x42075508
> >> > 1874516240 0x6fbad910
> >> >
> >> >
> >> > morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xac9f008
> >> >
> >> > Address    Name
> >> > 0xe6348910 \Documents and Settings\144553\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
> >> > 0xebe6e508 \Documents and Settings\144553\NTUSER.DAT
> >> > 0xe8287508 \WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
> >> > 0xe1895520 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
> >> > 0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT
> >> > 0xe1396008 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
> >> > 0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT
> >> > 0xe4f8eb60 \WINDOWS\system32\config\SAM
> >> > 0xe77b9b60 \WINDOWS\system32\config\SECURITY
> >> > 0xe77cd008 \WINDOWS\system32\config\SOFTWARE
> >> > 0xe77ca418 \WINDOWS\system32\config\DEFAULT
> >> > 0xe18b6008 [no name]
> >> > 0xe1035b60 \WINDOWS\system32\config\SYSTEM
> >> > 0xe102e008 [no name]
> >> >
> >> >
> >> > morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xe1035b60
> >> >
> >> > Key name: [9252] (Stable)
> >> > Last updated: Wed Jul 29 02:08:26 2009
> >> >
> >> > Subkeys:
> >> >
> >> > Traceback (most recent call last):
> >> >   File "./volatility", line 219, in <module>
> >> >     main()
> >> >   File "./volatility", line 215, in main
> >> >     command.execute()
> >> >   File "memory_plugins/registry/printkey.py", line 97, in execute
> >> >     for s in subkeys(key):
> >> >   File "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py", line 144, in subkeys
> >> >     s.is_valid() and s.Signature == NK_SIG]
> >> > AttributeError: 'int' object has no attribute 'is_valid'
> >> >
> >> >
> >> > morgan@morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin
> >> >
> >> > Image Name: /home/morgan/Memory Images/PhysicalMemory.bin
> >> > Image Type: Service Pack 3
> >> > VM Type: pae
> >> > DTB: 0x33e000
> >> > Datetime: Tue Aug 04 11:02:35 2009
> >> >
> >> >
> >> > _______________________________________________
> >> > Vol-users mailing list
> >> > Vol-users at volatilityfoundation.org
> >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >> >
> >> >
> >
> >
>
>
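The walk that printkey performs once it has the hive address from hivelist (read the root nk record, follow its stable subkey list, keep only entries that are valid nk cells; that last filter is the rawreg.py line 144 expression in the traceback above) is easiest to see on a raw hive file. The following is an added example written for this page, not Volatility's, VolReg's or VolRip's code: it parses a constructed REGF hive built in the same block (the key names, the timestamp and the deliberately broken list entry are all made up), reports the root key the way printkey does, and skips a subkey-list entry that does not point at an nk cell rather than failing on it. The names RawHive, describe_key and build_sample_hive are this example's own. It works on file offsets only; the virtual-address translation Volatility applies to hives found in memory is not modelled.

```python
import struct
from datetime import datetime, timedelta, timezone

NK_SIG = b"nk"
HBIN_BASE = 0x1000          # cell offsets inside a hive are relative to the first hbin
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


class RawHive:
    """Minimal walker for a REGF hive image (file offsets, not the kernel virtual
    addresses hivelist prints; Volatility's in-memory translation is not modelled)."""

    def __init__(self, data):
        if data[:4] != b"regf":
            raise ValueError("not a REGF hive")
        self.data = data
        self.root_cell = struct.unpack_from("<I", data, 0x24)[0]

    def cell(self, off):
        """Payload of the allocated cell at hive offset off, or None."""
        abs_off = HBIN_BASE + off
        size = struct.unpack_from("<i", self.data, abs_off)[0] if abs_off + 4 <= len(self.data) else 0
        if size >= 0:                                   # free cell (or out of range)
            return None
        return self.data[abs_off + 4:abs_off - size]

    def nk(self, off):
        """Parse the nk (key node) record at off; None unless the cell is a valid nk."""
        c = self.cell(off)
        if c is None or len(c) < 0x4c or c[:2] != NK_SIG:
            return None
        name_len = struct.unpack_from("<H", c, 0x48)[0]
        return {
            "name": c[0x4c:0x4c + name_len].decode("latin-1"),
            "last_write": FILETIME_EPOCH + timedelta(microseconds=struct.unpack_from("<Q", c, 0x04)[0] // 10),
            "subkey_count": struct.unpack_from("<I", c, 0x14)[0],
            "subkey_list": struct.unpack_from("<I", c, 0x1c)[0],
        }

    def _list_entries(self, off):
        """Cell offsets in an lf/lh (offset + 4-byte hash) or li (offset only) list; ri lists of lists are left out."""
        c = self.cell(off)
        if c is None or len(c) < 4:
            return []
        sig, count = c[:2], struct.unpack_from("<H", c, 2)[0]
        stride = {b"lf": 8, b"lh": 8, b"li": 4}.get(sig)
        if stride is None:
            return []
        return [struct.unpack_from("<I", c, 4 + stride * i)[0] for i in range(count)]

    def subkeys(self, nk_off):
        """Stable subkeys of the key at nk_off, keeping only entries that really are nk cells."""
        key = self.nk(nk_off)
        if key is None or key["subkey_count"] == 0 or key["subkey_list"] == 0xFFFFFFFF:
            return []
        return [s for s in map(self.nk, self._list_entries(key["subkey_list"])) if s]


def describe_key(hive, off):
    """What printkey reports for a key: name, last-write time and subkey names."""
    key = hive.nk(off)
    if key is None:
        raise ValueError("offset 0x%x does not hold an nk record" % off)
    return {"name": key["name"],
            "last_write": key["last_write"].strftime("%a %b %d %H:%M:%S %Y"),
            "subkeys": [s["name"] for s in hive.subkeys(off)]}


# Constructed sample hive below (not taken from any real image).
def _cell(payload):
    size = (len(payload) + 4 + 7) & ~7              # 8-byte aligned; negative size = in use
    return struct.pack("<i", -size) + bytes(payload).ljust(size - 4, b"\0")


def _nk(name, subkey_count, subkey_list, filetime):
    body = bytearray(0x4c)
    body[0:2] = NK_SIG
    struct.pack_into("<Q", body, 0x04, filetime)
    for f, v in ((0x14, subkey_count), (0x1c, subkey_list), (0x20, 0xFFFFFFFF), (0x28, 0xFFFFFFFF)):
        struct.pack_into("<I", body, f, v)          # 0x20/0x28: no volatile subkeys, no values
    struct.pack_into("<H", body, 0x48, len(name))
    return bytes(body) + name.encode("latin-1")


def build_sample_hive():
    """Root key with two real subkeys plus one list entry that points at a non-nk cell."""
    ft = int((datetime(2009, 7, 29, 2, 8, 26, tzinfo=timezone.utc) - FILETIME_EPOCH).total_seconds()) * 10_000_000
    body, offs = bytearray(), {}

    def add(tag, payload):
        offs[tag] = 0x20 + len(body)                # hive offset = hbin header size + position
        body.extend(_cell(payload))

    add("cs1", _nk("ControlSet001", 0, 0xFFFFFFFF, ft))
    add("sel", _nk("Select", 0, 0xFFFFFFFF, ft))
    add("bogus", b"vk\0\0\0\0\0\0")                # deliberately not an nk record
    add("lf", b"lf" + struct.pack("<H", 3) +
        b"".join(struct.pack("<I4s", offs[k], b"hash") for k in ("cs1", "bogus", "sel")))
    add("root", _nk("$$$PROTO.HIV", 3, offs["lf"], ft))
    hbin_size = (0x20 + len(body) + 0xFFF) & ~0xFFF
    hbin = (b"hbin" + struct.pack("<II", 0, hbin_size)).ljust(0x20, b"\0") + bytes(body)
    header = bytearray(HBIN_BASE)
    header[0:4] = b"regf"
    struct.pack_into("<I", header, 0x24, offs["root"])     # root cell offset
    struct.pack_into("<I", header, 0x28, hbin_size)        # hive data size
    return bytes(header) + hbin.ljust(hbin_size, b"\0")
```

On a hive copied from disk, `describe_key(RawHive(open(path, "rb").read()), hive.root_cell)` gives the same three pieces of information printkey prints for the root; for hives carved from a memory image the offset passed with -o is a kernel virtual address that Volatility resolves through the image's address space before the same nk/subkey-list walk begins, which is why hivescan's physical offsets feed hivelist but only hivelist's addresses feed printkey.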
