Michael Hale Ligh
michael.hale at gmail.com
Tue Jan 28 00:22:16 CST 2014
I would recommend grabbing a 2.3.1 install, the 2.0 version is more than 3
years old now.
$ svn checkout http://volatility.googlecode.com/svn/trunk/volatility-read-only
$ cd volatility-read-only
$ python vol.py --plugins=contrib/plugins/malware -f mem.dmp zeusscan2
Give that a shot...
On Mon, Jan 27, 2014 at 1:35 PM, <shorejsi2 at mmm.com> wrote:
> I'm dealing with what appears to be a new Zeus variant and on a whim I
> tried to run zeusscan2 under a copy of Volatility 2.0 I still hang onto.
> Perhaps not surprisingly, it ends unhappily
> Volatile Systems Volatility Framework 2.0
> Traceback (most recent call last):
> File "vol.py", line 135, in <module>
> File "vol.py", line 126, in main
> File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/commands.py",
> line 101, in execute
> func(outfd, data)
> line 330, in render_text
> for p, start, url, config_key, creds_key, decoded_config,
> decoded_magic in data:
> line 221, in calculate
> data = malware.get_vad_data(ps_ad, start, end)
> line 856, in get_vad_data
> return ''.join(pages_one)
> OverflowError: join() result is too long for a Python string
> Now I strongly suspect that the new variant is just enough different that
> it messes with the parsing and results in a runaway, but I just wanted to
> make sure I'm not leaving something on the table here...
> Should this work?
> -=[ Steve ]=-
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Vol-users