[Vol-users] zeusscan2

Michael Hale Ligh michael.hale at gmail.com
Tue Jan 28 00:22:16 CST 2014


I would recommend grabbing a 2.3.1 install; the 2.0 version is more than 3
years old now.

$ svn checkout http://volatility.googlecode.com/svn/trunk/volatility-read-only
$ cd volatility-read-only
$ python vol.py --plugins=contrib/plugins/malware -f mem.dmp zeusscan2

Give that a shot...
MHL


On Mon, Jan 27, 2014 at 1:35 PM, <shorejsi2 at mmm.com> wrote:

>  I'm dealing with what appears to be a new Zeus variant and on a whim I
> tried to run zeusscan2 under a copy of Volatility 2.0 I still hang onto.
> Perhaps not surprisingly, it ends unhappily:
>
> Volatile Systems Volatility Framework 2.0
> Traceback (most recent call last):
>   File "vol.py", line 135, in <module>
>     main()
>   File "vol.py", line 126, in main
>     command.execute()
>   File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/commands.py", line 101, in execute
>     func(outfd, data)
>   File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/zeusscan2.py", line 330, in render_text
>     for p, start, url, config_key, creds_key, decoded_config, decoded_magic in data:
>   File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/zeusscan2.py", line 221, in calculate
>     data  = malware.get_vad_data(ps_ad, start, end)
>   File "/home/a05p8zz/VolInstall/volatility-2.0/volatility/plugins/malware.py", line 856, in get_vad_data
>     return ''.join(pages_one)
> OverflowError: join() result is too long for a Python string
>
>  Now I strongly suspect that the new variant is just enough different that
> it messes with the parsing and results in a runaway, but I just wanted to
> make sure I'm not leaving something on the table here...
>
>  Should this work?
>
>
>                         -=[ Steve ]=-
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
>
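The traceback above dies in get_vad_data when the pages of one VAD region are joined into a single string, which is what happens when a misparsed start/end pair describes a runaway range. As an added example (not Volatility's own code and not from either poster), this is the defensive shape of such a reader: it assumes a page-granular process address space exposing `read(addr, length)` (a constructed stand-in is included), rejects an inverted or implausibly large range before reading anything, and zero-fills unreadable pages so offsets stay stable for later pattern matching.

```python
PAGE_SIZE = 0x1000
# Assumed cap on how much of one VAD region the scanner will assemble in memory.
# An injected Zeus-style image is a few hundred KB; anything far beyond that
# points at a misparsed start/end pair rather than a real region.
MAX_REGION_BYTES = 64 * 1024 * 1024


class FakeProcessAddressSpace:
    """Constructed stand-in for a Volatility process address space (ps_ad)."""

    def __init__(self, pages):
        self.pages = pages  # {page-aligned base: bytes of length PAGE_SIZE}

    def read(self, addr, length):
        base = addr & ~(PAGE_SIZE - 1)
        if base not in self.pages:
            return None  # paged out or not mapped, as a real AS would report
        offset = addr - base
        return self.pages[base][offset:offset + length]


def get_vad_data_bounded(ps_ad, start, end, max_bytes=MAX_REGION_BYTES):
    """Collect the bytes of [start, end) page by page.

    Returns (data, skipped_pages). Unreadable pages are zero-filled so that
    offsets inside the region stay stable. A region whose bounds are inverted
    or larger than max_bytes is rejected up front instead of being joined
    into one oversized string."""
    if end <= start:
        raise ValueError("inverted VAD range: start=%#x end=%#x" % (start, end))
    size = end - start
    if size > max_bytes:
        raise ValueError("VAD range of %d bytes exceeds cap of %d" % (size, max_bytes))
    chunks = []
    skipped = 0
    for addr in range(start, end, PAGE_SIZE):
        length = min(PAGE_SIZE, end - addr)
        page = ps_ad.read(addr, length)
        if page is None:
            skipped += 1
            page = b"\x00" * length
        chunks.append(page)
    return b"".join(chunks), skipped


def demo():
    # Constructed sample: a three-page region whose middle page is unreadable.
    pages = {0x400000: b"MZ" + b"\x00" * (PAGE_SIZE - 2),
             0x402000: b"\xcc" * PAGE_SIZE}
    ps_ad = FakeProcessAddressSpace(pages)
    return get_vad_data_bounded(ps_ad, 0x400000, 0x403000)
```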