[Vol-users] Error when using Printkey

Mark Morgan mark.morgan47 at gmail.com
Thu Jan 28 14:04:13 CST 2010


Brendan,

I went back and re-installed everything again to include Inline::Python and
it appears Inline did not install correctly so I got regripper working
properly now.  Thanks to everyone for responding to my request.

Mark


On Thu, Jan 28, 2010 at 9:56 AM, Mark Morgan <mark.morgan47 at gmail.com> wrote:

> Brendan I went and downloaded the Volatility1.3.2 version using svn and
> reloaded all the plugins from there to include the regripper plugins.  I can
> get the printkey to work but the rip.pl still gives me a segmentation
> fault.  I have included all the errors I have received based on the advice
> given:
>
> root at morgan-laptop:/digitalforensics/Volatility-1.3.2# perl rip.pl -r /home/morgan/Memory\ Images/xp-laptop-2005-06-25.img at 0xe1035b60 -f system
>
> Parsed Plugins file.
> Launching compname v.20080324
> Segmentation fault
>
> root at morgan-laptop:/digitalforensics/Volatility-1.3.2# gdb perl
> GNU gdb (GDB) 7.0-ubuntu
> Copyright (C) 2009 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <
> http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "i486-linux-gnu".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>...
> Reading symbols from /usr/bin/perl...(no debugging symbols found)...done.
> (gdb) r rip.pl -r /home/morgan/Memory Images/PhysicalMemory.bin at 0xe1035b60-f system
> Starting program: /usr/bin/perl rip.pl -r /home/morgan/Memory Images/PhysicalMemory.bin at 0xe1035b60 -f system
> [Thread debugging using libthread_db enabled]
>
> Parsed Plugins file.
> Launching compname v.20080324
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in compname: Error -- PyObject_CallObject(...) failed.
>
> compname complete.
> ----------------------------------------
> Launching shutdown v.20080324
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in shutdown: Error -- PyObject_CallObject(...) failed.
>
> shutdown complete.
> ----------------------------------------
> Launching shutdowncount v.20080709
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in shutdowncount: Error -- PyObject_CallObject(...) failed.
>
> shutdowncount complete.
> ----------------------------------------
> Launching timezone v.20080324
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in timezone: Error -- PyObject_CallObject(...) failed.
>
> timezone complete.
> ----------------------------------------
> Launching termserv v.20080418
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in termserv: Error -- PyObject_CallObject(...) failed.
>
> termserv complete.
> ----------------------------------------
> Launching mountdev v.20080324
> mountdev v.20080324
> Get MountedDevices key information from the System hive file.
>
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in mountdev: Error -- PyObject_CallObject(...) failed.
>
> mountdev complete.
> ----------------------------------------
> Launching network v.20080324
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in network: Error -- PyObject_CallObject(...) failed.
>
> network complete.
> ----------------------------------------
> Launching nic_mst2 v.20080324
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in nic_mst2: Error -- PyObject_CallObject(...) failed.
>
> nic_mst2 complete.
> ----------------------------------------
> Launching fw_config v.20080328
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in fw_config: Error -- PyObject_CallObject(...) failed.
>
> fw_config complete.
> ----------------------------------------
> Launching usbstor v.20080418
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in usbstor: Error -- PyObject_CallObject(...) failed.
>
> usbstor complete.
> ----------------------------------------
> Launching devclass v.20080331
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in devclass: Error -- PyObject_CallObject(...) failed.
>
> devclass complete.
> ----------------------------------------
> Launching ide v.20080418
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in ide: Error -- PyObject_CallObject(...) failed.
>
> ide complete.
> ----------------------------------------
> Launching shares v.200800420
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in shares: Error -- PyObject_CallObject(...) failed.
>
> shares complete.
> ----------------------------------------
> Launching svc v.20080610
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in svc: Error -- PyObject_CallObject(...) failed.
>
> svc complete.
> ----------------------------------------
> Launching imagedev v.20080730
> Error: Python error occurred:
>
> Traceback (most recent call last):
>   File "regwrap.py", line 49, in __init__
>     fname,hive_addr = filename.rsplit('@',1)
> ValueError: need more than 1 value to unpack
> Error in imagedev: Error -- PyObject_CallObject(...) failed.
>
> imagedev complete.
> ----------------------------------------
>
> Program exited normally.
> (gdb) bt
> No stack.
> (gdb) exit
> Undefined command: "exit".  Try "help".
> (gdb) ^CxQuit
> (gdb) quit
>
>
> I also provided a complete listing of my Volatility directory to include
> sub-directories for you.  Attached as a txt doc.
>
> Any help will be appreciated.
>
> Mark
>
>
>
>
> On Wed, Jan 27, 2010 at 10:22 PM, Brendan Dolan-Gavitt <bdolangavitt at wesleyan.edu> wrote:
>
>> Hi,
>>
>> As far as I know VolRip does not currently work with 1.4. It was developed
>> for 1.3, and should be working on that version. I've seen two things cause
>> the error you saw originally:
>>
>> 1. Not having the volreg tarball unpacked correctly. In particular, make
>> sure memory_objects/Windows/registry.py exists.
>> 2. Several months ago, there was a bug in 1.3 that prevented custom object
>> behaviors from working correctly, which could also cause the error you saw.
>> If you happened to pull a version from SVN at that point, you could run into
>> trouble.
>>
>> Could you try the following?
>>
>> 1. Get the latest version of 1.3:
>> svn checkout http://volatility.googlecode.com/svn/trunk/Volatility
>> 2. Unpack VolReg into the Volatility directory
>> 3. Unpack VolRip into the Volatility directory
>> 4. Run the following on the xp-laptop-2005-06-25.img image (available from
>> NIST):
>> python volatility printkey -o 0xe1035b60 -f
>> /home/moyix/mem-images/xp-laptop-2005-06-25.img
>>
>> You should get a listing of the keys in the SYSTEM hive. If any of these
>> steps fail, write back and let me know where and how, and we can go from
>> there.
>>
>> Thanks,
>> Brendan Dolan-Gavitt
>>
>> On Jan 27, 2010, at 1:12 PM, Mark Morgan wrote:
>>
>> Michael I fixed the directory structure but now I am getting segmentation
>> fault.
>>
>> morgan/Memory\ Images/PhysicalMemory.bin at 0xe1035b60 -f system
>>
>> Parsed Plugins file.
>> Launching compname v.20080324
>> Segmentation fault
>>
>> Mark
>>
>>
>> On Wed, Jan 27, 2010 at 10:01 AM, Michael Hale Ligh <michael.hale at gmail.com> wrote:
>>
>>> Hey Mark,
>>>
>>> Do you have the following directory structure?
>>>
>>> $VOLHOME/volatility
>>> $VOLHOME/rip.pl
>>> $VOLHOME/vtypes.py
>>> $VOLHOME/rrplugins
>>> $VOLHOME/regwrap.py
>>>
>>> vtypes.py should be in the same directory as rip.pl but according to
>>> your output, rip.pl can't find vtypes.py.
>>>
>>> MHL
>>>
>>> On Wed, Jan 27, 2010 at 12:53 PM, Mark Morgan <mark.morgan47 at gmail.com> wrote:
>>>
>>>> Michael thanks for the info.  I got past that little problem but have
>>>> one problem when I am processing the image using the regripper through
>>>> volatility.  I downloaded the latest volreg and volrip into the latest svn
>>>> version.  I ran the following command:
>>>>
>>>> root at morgan-laptop:/digitalforensics/Volatility-1.4_beta1# perl rip.pl-r /home/morgan/Memory\Images\PhysicalMemory.bin at 0xe1035b60-f system
>>>>
>>>> And I get the following error:
>>>>
>>>>
>>>> Traceback (most recent call last):
>>>>   File "<string>", line 1, in <module>
>>>> ImportError: No module named vtypes
>>>> Error -- py_eval raised an exception at rip.pl line 21.
>>>>
>>>> Have I left something out or am I simply missing a step?
>>>>
>>>> Mark
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Jan 26, 2010 at 5:03 PM, Michael Cohen <scudette at gmail.com> wrote:
>>>>
>>>>> Mark,
>>>>>  The following will check out all branches (including experimental):
>>>>>
>>>>> svn checkout http://volatility.googlecode.com/svn/ volatility
>>>>>
>>>>> Michael.
>>>>>
>>>>> On Wed, Jan 27, 2010 at 11:58 AM, Mark Morgan <mark.morgan47 at gmail.com> wrote:
>>>>> > I do not have the beta branch.  Where do you get that version?
>>>>> >
>>>>> > Mark
>>>>> >
>>>>> >
>>>>> > On Tue, Jan 26, 2010 at 3:31 PM, Michael Cohen <scudette at gmail.com> wrote:
>>>>> >>
>>>>> >> Mark,
>>>>> >>  Are you getting the same bug with the 1.4beta branch?  We have
>>>>> >> rewritten much of the object framework. It looks like its passing an
>>>>> >> int rather than an object somewhere here.
>>>>> >>
>>>>> >> Michael.
>>>>> >>
>>>>> >> On Wed, Jan 27, 2010 at 9:19 AM, Mark Morgan <mark.morgan47 at gmail.com> wrote:
>>>>> >> > I am trying to use printkey against a Windows XP image and keep
>>>>> >> > getting an error when I use printkey.  I have also provided the
>>>>> >> > commands I used for hivescan and hivelist which work great but
>>>>> >> > printkey does not.  Does anyone have any suggestions as to why?  I
>>>>> >> > initially thought it was because it was SP3 so I ran the same
>>>>> >> > plugins against the xp-laptop-2005-06-25.img that was suggested to
>>>>> >> > use in Brendan's guide but I get the same results.  Anyone have
>>>>> >> > any thoughts as to why???
>>>>> >> >
>>>>> >> >
>>>>> >> > Mark Morgan
>>>>> >> > 702-942-2556
>>>>> >> >
>>>>> >> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivescan -f /home/morgan/Memory\ Images/PhysicalMemory.bin
>>>>> >> >
>>>>> >> > Offset (hex)
>>>>> >> > 181006344 0xac9f008
>>>>> >> > 181033824 0xaca5b60
>>>>> >> > 189972488 0xb52c008
>>>>> >> > 202671368 0xc148508
>>>>> >> > 544586592 0x2075bb60
>>>>> >> > 642878304 0x26518b60
>>>>> >> > 643895304 0x26611008
>>>>> >> > 678736920 0x2874b418
>>>>> >> > 740933640 0x2c29c008
>>>>> >> > 742706016 0x2c44cb60
>>>>> >> > 789179232 0x2f09eb60
>>>>> >> > 798029088 0x2f90f520
>>>>> >> > 1107776776 0x42075508
>>>>> >> > 1874516240 0x6fbad910
>>>>> >> >
>>>>> >> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility hivelist -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xac9f008
>>>>> >> >
>>>>> >> > Address Name
>>>>> >> > 0xe6348910 \Documents and Settings\144553\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
>>>>> >> > 0xebe6e508 \Documents and Settings\144553\NTUSER.DAT
>>>>> >> > 0xe8287508 \WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
>>>>> >> > 0xe1895520 \Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
>>>>> >> > 0xe1882b60 \Documents and Settings\LocalService\NTUSER.DAT
>>>>> >> > 0xe1396008 \Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat
>>>>> >> > 0xe139ab60 \Documents and Settings\NetworkService\NTUSER.DAT
>>>>> >> > 0xe4f8eb60 \WINDOWS\system32\config\SAM
>>>>> >> > 0xe77b9b60 \WINDOWS\system32\config\SECURITY
>>>>> >> > 0xe77cd008 \WINDOWS\system32\config\SOFTWARE
>>>>> >> > 0xe77ca418 \WINDOWS\system32\config\DEFAULT
>>>>> >> > 0xe18b6008 [no name]
>>>>> >> > 0xe1035b60 \WINDOWS\system32\config\SYSTEM
>>>>> >> > 0xe102e008 [no name]
>>>>> >> >
>>>>> >> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility printkey -f /home/morgan/Memory\ Images/PhysicalMemory.bin -o 0xe1035b60
>>>>> >> >
>>>>> >> > Key name: [9252] (Stable)
>>>>> >> > Last updated: Wed Jul 29 02:08:26 2009
>>>>> >> > Subkeys:
>>>>> >> > Traceback (most recent call last):
>>>>> >> >   File "./volatility", line 219, in <module>
>>>>> >> >     main()
>>>>> >> >   File "./volatility", line 215, in main
>>>>> >> >     command.execute()
>>>>> >> >   File "memory_plugins/registry/printkey.py", line 97, in execute
>>>>> >> >     for s in subkeys(key):
>>>>> >> >   File "/digitalforensics/Volatility-1.3_Beta/forensics/win32/rawreg.py", line 144, in subkeys
>>>>> >> >     s.is_valid() and s.Signature == NK_SIG]
>>>>> >> > AttributeError: 'int' object has no attribute 'is_valid'
>>>>> >> >
>>>>> >> > morgan at morgan-laptop:/digitalforensics/Volatility-1.3_Beta$ ./volatility ident -f /home/morgan/Memory\ Images/PhysicalMemory.bin
>>>>> >> >
>>>>> >> > Image Name: /home/morgan/Memory Images/PhysicalMemory.bin
>>>>> >> > Image Type: Service Pack 3
>>>>> >> > VM Type: pae
>>>>> >> > DTB: 0x33e000
>>>>> >> > Datetime: Tue Aug 04 11:02:35 2009
>>>>> >> > _______________________________________________
>>>>> >> > Vol-users mailing list
>>>>> >> > Vol-users at volatilityfoundation.org
>>>>> >> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>>>> >> >
>>>>> >> >
>>>>> >
>>>>> >
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
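The ValueError that rip.pl reports in the quoted gdb session comes from regwrap.py splitting its `-r` argument on the last `@` into image path and hive address (the list archive renders `@` as ` at `); when the space in `Memory Images` is not escaped, the shell hands rip.pl only `/home/morgan/Memory`, which contains no `@`. The following is an added example, not VolRip's or Volatility's own code: it parses the `<image>@<hive address>` form with clear diagnostics and shows the escaped and unescaped command lines side by side; the names `parse_hive_ref`, `hive_ref_from_cmdline` and `HiveRefError` are chosen here.

```python
import re
import shlex

# Hive address must be a 0x-prefixed hex value, as in '-o 0xe1035b60' above.
HEX_ADDR = re.compile(r"^0x[0-9a-fA-F]+$")


class HiveRefError(ValueError):
    """Readable replacement for the bare 'need more than 1 value to unpack'."""


def parse_hive_ref(arg):
    """Return (image_path, hive_addr) from '<image>@<hive address>'.

    Splits on the LAST '@' (like regwrap.py's rsplit('@', 1)) so an '@'
    inside the image path does not break parsing.
    """
    if "@" not in arg:
        raise HiveRefError(
            "expected <image>@<hive address>, got %r; if the path contains "
            "spaces, escape or quote it so the shell keeps it in one argument"
            % arg)
    path, addr = arg.rsplit("@", 1)
    if not path:
        raise HiveRefError("image path before '@' is empty")
    if not HEX_ADDR.match(addr):
        raise HiveRefError("hive address %r is not a 0x-prefixed hex value" % addr)
    return path, int(addr, 16)


def hive_ref_from_cmdline(cmdline):
    """Split a command line the way a POSIX shell would (shlex) and parse
    the argument following -r; this reproduces what rip.pl receives."""
    argv = shlex.split(cmdline)
    try:
        arg = argv[argv.index("-r") + 1]
    except (ValueError, IndexError):
        raise HiveRefError("missing '-r <image>@<hive address>'")
    return parse_hive_ref(arg)


if __name__ == "__main__":
    # Constructed command lines modelled on the ones in the thread.
    escaped = r"perl rip.pl -r /home/morgan/Memory\ Images/xp-laptop-2005-06-25.img@0xe1035b60 -f system"
    unescaped = "perl rip.pl -r /home/morgan/Memory Images/PhysicalMemory.bin@0xe1035b60 -f system"
    print(hive_ref_from_cmdline(escaped))
    try:
        hive_ref_from_cmdline(unescaped)
    except HiveRefError as e:
        print("error:", e)
```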