volatility-autoruns's Issues

UnicodeDecodeError due to truncated data when running autoruns

Getting a Unicode error on this image; stack trace below. Results in no output given. Can this error be caught so some output is given?

Volatility Foundation Volatility Framework 2.5

Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 5, in <module>
    pkg_resources.run_script('volatility==2.5', 'vol.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 528, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1394, in run_script
    execfile(script_filename, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 119, in execute
    data = self.calculate()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 531, in calculate
    self.tasks = self.get_tasks()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 450, in get_tasks
    parsed = self.parse_task_xml(task_xml)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 466, in parse_task_xml
    xml = xml.decode('utf-16')
  File "/usr/lib/python2.7/encodings/utf_16.py", line 16, in decode
    return codecs.utf_16_decode(input, errors, True)
UnicodeDecodeError: 'utf16' codec can't decode byte 0x00 in position 0: truncated data

Autoruns problems with Volatility 2.5

Hi Tom,

I'm having a problem with autoruns (your latest build) and a Win7SP1x86 memory image. The error I'm getting is:

Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "vol1.py", line 192, in <module>
    main()
  File "vol1.py", line 183, in main
    command.execute()
  File "/home//Desktop/vol-2.5_clean/volatility/commands.py", line 119, in execute
    data = self.calculate()
  File "/home/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 527, in calculate
    self.tasks = self.get_tasks()
  File "/home/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 446, in get_tasks
    parsed = self.parse_task_xml(task_xml)
  File "/home/Desktop/vol-2.5_clean/volatility/plugins/autoruns.py", line 462, in parse_task_xml
    xml = xml.decode('utf-16')
  File "/usr/lib/python2.7/encodings/utf_16.py", line 16, in decode
    return codecs.utf_16_decode(input, errors, True)
UnicodeDecodeError: 'utf16' codec can't decode byte 0x00 in position 0: truncated data
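
Added example, not the plugin's own code: one way to keep a scan going when a scheduled-task file read from memory is empty, odd-length or cut off, as in the two `truncated data` reports above. It is written for Python 3 (the plugin itself runs on Python 2.7); the function names, the pattern-based fallback and the sample task are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample task (not from any real image), stored as UTF-16LE + BOM.
SAMPLE = ('<?xml version="1.0" encoding="UTF-16"?>'
          '<Task version="1.2" '
          'xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
          '<Actions><Exec><Command>C:\\Windows\\System32\\example.exe</Command>'
          '<Arguments>/quiet</Arguments></Exec></Actions></Task>')
RAW = b"\xff\xfe" + SAMPLE.encode("utf-16-le")


def decode_task_xml(raw):
    """Decode a task file recovered from memory; None if nothing usable."""
    if not raw or len(raw) < 4:
        return None                      # empty read or a lone b"\x00"
    if len(raw) % 2:
        raw = raw[:-1]                   # drop the dangling half code unit
    # errors="replace" survives a surrogate pair cut at the buffer edge.
    text = raw.decode("utf-16-le", errors="replace")
    text = text.lstrip("\ufeff").rstrip("\x00")
    # The text is already decoded, so the UTF-16 declaration is dropped.
    return re.sub(r"^\s*<\?xml[^>]*\?>", "", text) or None


def parse_task_xml(raw):
    """Return command, arguments and a 'partial' flag, or None to skip."""
    text = decode_task_xml(raw)
    if text is None:
        return None
    fields = {"partial": False}
    try:
        root = ET.fromstring(text)
        for tag in ("Command", "Arguments"):
            fields[tag.lower()] = root.findtext(
                "t:Actions/t:Exec/t:" + tag, namespaces=NS)
    except ET.ParseError:
        # Document cut off mid-way: salvage complete elements by pattern.
        fields["partial"] = True
        for tag in ("Command", "Arguments"):
            m = re.search(r"<%s>([^<]*)</%s>" % (tag, tag), text)
            fields[tag.lower()] = m.group(1) if m else None
    return fields if fields.get("command") else None
```

A caller that treats a `None` result as "skip this task" still reports every other autorun entry, and the `partial` flag marks records salvaged from an incomplete file.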

'Autoruns' object has no attribute 'sdb'

Trying to run the plugin, but I get the following error:

  File ".../volatility/plugins/autoruns.py", line 654, in render_text
    if self.sdb:
AttributeError: 'Autoruns' object has no attribute 'sdb'

Error

Traceback (most recent call last):
  File "/usr/bin/vol.py", line 192, in <module>
    main()
  File "/usr/bin/vol.py", line 183, in main
    command.execute()
  File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 120, in execute
    data = self.calculate()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/community/ThomasChopitea/autoruns.py", line 519, in calculate
    self.services = self.get_services()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/community/ThomasChopitea/autoruns.py", line 309, in get_services
    service = self.parse_service_key(service)
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/community/ThomasChopitea/autoruns.py", line 287, in parse_service_key
    entry = entry.replace('\x00', '')
AttributeError: 'NoneType' object has no attribute 'replace'

autoruns.py not working

I put autoruns in the contrib/plugins directory (where I have other working plugins, such as mimikatz), but when I try to run autoruns, I get the following output:

Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
  File "/usr/share/volatility/vol.py", line 192, in <module>
    main()
  File "/usr/share/volatility/vol.py", line 174, in main
    command = cmds[module](config)
  File "/usr/share/volatility/contrib/plugins/autoruns.py", line 133, in __init__
    hivelist.HiveList.__init__(self, config, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/common.py", line 50, in __init__
    help = "Skip unallocated objects (e.g. 0xbad0b0b0)")
  File "/usr/lib/python2.7/dist-packages/volatility/conf.py", line 363, in add_option
    self.optparser.add_option("-{0}".format(short_option), "--{0}".format(option), **args)
  File "/usr/lib/python2.7/optparse.py", line 1020, in add_option
    self._check_conflict(option)
  File "/usr/lib/python2.7/optparse.py", line 995, in _check_conflict
    option)
optparse.OptionConflictError: option -W/--show-unallocated: conflicting option string(s): -W

Autoruns.py error

I just downloaded autoruns.py and installed it in the contrib/plugins folder. I specify the --plugins=/contrib/plugins option but I'm getting the error:

*** Failed to import volatility.plugins.autoruns (SyntaxError: invalid syntax (autoruns.py, line 265))

What is wrong with the syntax of that line?

    values = {str(name): str(dat) for name, dat in self.regapi.reg_yield_values(hive_name='system', key='', given_root=service_key)}

Catch NoneType within parse_service_key check

Traceback:

Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "/opt/tools/volatility/vol.py", line 192, in <module>
    main()
  File "/opt/tools/volatility/vol.py", line 183, in main
    command.execute()
  File "/opt/tools/volatility/volatility/commands.py", line 119, in execute
    data = self.calculate()
  File "/other_plugins/community/ThomasChopitea/autoruns.py", line 519, in calculate
    self.services = self.get_services()
  File "/other_plugins/community/ThomasChopitea/autoruns.py", line 309, in get_services
    service = self.parse_service_key(service)
  File "/other_plugins/community/ThomasChopitea/autoruns.py", line 287, in parse_service_key
    entry = entry.replace('\x00', '')
AttributeError: 'NoneType' object has no attribute 'replace

In this instance, entry was empty.

Unicode Encode Error: 'ascii' codec can't encode character u'\u1720'

Hey Tom,

I'm getting a Unicode error when using Autoruns (latest build from yesterday) with Vol 2.4 (I tried both python and precompiled versions). Image is a WinXPSP2x86 sample.

Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 192, in <module>
    main()
  File "/usr/local/bin/vol.py", line 183, in main
    command.execute()
  File "/home/gmucfrs/vol/volatility-2.4/volatility/commands.py", line 103, in execute
    data = self.calculate()
  File "/home/gmucfrs/vol/volatility-2.4/volatility/plugins/autoruns.py", line 521, in calculate
    self.services = self.get_services()
  File "/home/gmucfrs/vol/volatility-2.4/volatility/plugins/autoruns.py", line 311, in get_services
    service = self.parse_service_key(service)
  File "/home/gmucfrs/vol/volatility-2.4/volatility/plugins/autoruns.py", line 265, in parse_service_key
    values = {str(name): str(dat) for name, dat in self.regapi.reg_yield_values(hive_name='system', key='', given_root=service_key)}
  File "/home/gmucfrs/vol/volatility-2.4/volatility/plugins/autoruns.py", line 265, in <dictcomp>
    values = {str(name): str(dat) for name, dat in self.regapi.reg_yield_values(hive_name='system', key='', given_root=service_key)}
UnicodeEncodeError: 'ascii' codec can't encode character u'\u1720' in position 0: ordinal not in range(128)

Thanks,
Jared

UnboundLocalError: local variable 'dllname' referenced before assignment

Hello,

I ran the autoruns plugin against a Windows XP memory dump and had the following error message:

Volatility Foundation Volatility Framework 2.3.1
WARNING : volatility.obj : NoneObject as string: Value data is unreadable
Traceback (most recent call last):
  File "/usr/bin/volatility", line 184, in <module>
    main()
  File "/usr/bin/volatility", line 175, in main
    command.execute()
  File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 98, in execute
    data = self.calculate()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/autoruns.py", line 461, in calculate
    self.winlogon_registrations = self.get_winlogon_registrations()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/autoruns.py", line 207, in get_winlogon_registrations
    reg = self.parse_winlogon_registration_key(subkey)
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/autoruns.py", line 237, in parse_winlogon_registration_key
    pids = self.find_pids_for_imagepath(dllname)
UnboundLocalError: local variable 'dllname' referenced before assignment

Is the plugin supposed to work only on Volatility 2.4 and superior?

Autoruns issue

I've received this error when attempting to run the autoruns plugin for a Win7SP1x64 system...

  File "/usr/bin/vol.py", line 183, in main
    command.execute()
  File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 119, in execute
    data = self.calculate()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/autoruns.py", line 492, in calculate
    self.winlogon = self.get_winlogon()
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/autoruns.py", line 227, in get_winlogon
    valdict = self.dict_for_key(winlogon_key)
  File "/usr/lib/python2.7/dist-packages/volatility/plugins/autoruns.py", line 182, in dict_for_key
    for v in rawreg.values(key):
  File "/usr/lib/python2.7/dist-packages/volatility/win32/rawreg.py", line 128, in values
    return [ v for v in key.ValueList.List.dereference()
AttributeError: 'NoneType' object has no attribute 'ValueList'

Error for profile 19041

Hi,

I get an error when running this plugin with profile 19041 (Volatility 2.6.1).
Nothing more is shown when adding -v

ERROR : volatility.debug : Unable to find registry hives.

It works for older profiles.
Any ideas?

Autoruns is not working

Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 5, in <module>
    pkg_resources.run_script('volatility==2.5', 'vol.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 528, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1394, in run_script
    execfile(script_filename, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 120, in execute
    data = self.calculate()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 525, in calculate
    self.winlogon = self.get_winlogon()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 236, in get_winlogon
    valdict = self.dict_for_key(winlogon_key)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 191, in dict_for_key
    for v in rawreg.values(key):
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/win32/rawreg.py", line 128, in values
    return [ v for v in key.ValueList.List.dereference()
AttributeError: 'NoneType' object has no attribute 'ValueList'

TypeError when analyzing memory

Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 5, in <module>
    pkg_resources.run_script('volatility==2.5', 'vol.py')
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 528, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 1394, in run_script
    execfile(script_filename, namespace, namespace)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 119, in execute
    data = self.calculate()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 529, in calculate
    self.services = self.get_services()
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 315, in get_services
    service = self.parse_service_key(service)
  File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/plugins/autoruns.py", line 275, in parse_service_key
    startup = int(values.get("Start"))
TypeError: int() argument must be a string or a number, not 'NoneType'

autoruns.py error

  File "/usr/local/bin/vol.py", line 192, in <module>
    main()
  File "/usr/local/bin/vol.py", line 183, in main
    command.execute()

Below you'll find the error output... I've done a fresh clone and attempted to run against a variety of supported images with no luck.

  File "/usr/local/Cellar/volatility/2.6/libexec/lib/python2.7/site-packages/volatility/commands.py", line 120, in execute
    data = self.calculate()
  File "/usr/local/Cellar/volatility/2.6/libexec/lib/python2.7/site-packages/volatility/plugins/autoruns.py", line 523, in calculate
    self.winlogon = self.get_winlogon()
  File "/usr/local/Cellar/volatility/2.6/libexec/lib/python2.7/site-packages/volatility/plugins/autoruns.py", line 236, in get_winlogon
    valdict = self.dict_for_key(winlogon_key)
  File "/usr/local/Cellar/volatility/2.6/libexec/lib/python2.7/site-packages/volatility/plugins/autoruns.py", line 191, in dict_for_key
    for v in rawreg.values(key):
  File "/usr/local/Cellar/volatility/2.6/libexec/lib/python2.7/site-packages/volatility/win32/rawreg.py", line 128, in values
    return [ v for v in key.ValueList.List.dereference()
AttributeError: 'NoneType' object has no attribute 'ValueList'

crash

Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
  File "/usr/bin/volatility", line 192, in <module>
    main()
  File "/usr/bin/volatility", line 183, in main
    command.execute()
  File "/usr/lib/python2.7/dist-packages/volatility/commands.py", line 103, in execute
    data = self.calculate()
  File "/root/ch2/volatility-autoruns/autoruns.py", line 519, in calculate
    self.services = self.get_services()
  File "/root/ch2/volatility-autoruns/autoruns.py", line 309, in get_services
    service = self.parse_service_key(service)
  File "/root/ch2/volatility-autoruns/autoruns.py", line 287, in parse_service_key
    entry = entry.replace('\x00', '')
AttributeError: 'NoneType' object has no attribute 'replace'
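
Added example, not the plugin's own code: the `parse_service_key` crashes reported above (`entry.replace` on `None`, `int(values.get("Start"))` on `None`) come from registry value data that could not be read from the image. This Python 3 sketch shows one None-tolerant way to build service records so that an unreadable key is listed as skipped instead of aborting the run; the function names, record layout and sample input are constructed for illustration.

```python
# Windows service Start values (REG_DWORD under Services\<name>).
START_TYPES = {0: "Boot", 1: "System", 2: "Automatic",
               3: "Manual", 4: "Disabled"}

# Constructed input: value data is None where the memory page was unreadable.
SAMPLE = [
    ("ExampleSvc", {"Start": "2", "ImagePath": "C:\\Svc\\example.exe\x00"}),
    ("PagedOut", {"Start": None, "ImagePath": None}),
    ("NoValues", None),
]


def clean_str(value):
    """Registry strings read from memory may be None or NUL-padded."""
    if value is None:
        return None
    return str(value).replace("\x00", "").strip() or None


def to_int(value):
    """int() that yields None for unreadable or malformed data."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def parse_service_values(name, values):
    """Build one service record; missing fields stay None instead of raising."""
    start = to_int(values.get("Start"))
    return {
        "name": name,
        "start": START_TYPES.get(start, "Unknown"),
        "image_path": clean_str(values.get("ImagePath")),
    }


def collect_services(raw_services):
    """Return (records, skipped); keys without an ImagePath are not fatal."""
    records, skipped = [], []
    for name, values in raw_services:
        record = parse_service_values(name, values or {})
        if record["image_path"]:
            records.append(record)
        else:
            skipped.append(name)   # report it, keep scanning the rest
    return records, skipped
```

Returning the skipped key names alongside the records lets the analyst see which services could not be read, which matters when a missing entry might itself be the persistence mechanism.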
