VolUtility
Error in yarascan
DEBUG Yara String Scanner
DEBUG : web.views : Yara String Scanner
DEBUG Setting Config CASE to None
DEBUG : web.vol_interface : Setting Config CASE to None
DEBUG Setting Config WIDE to None
DEBUG : web.vol_interface : Setting Config WIDE to None
DEBUG Setting Config ALL to None
DEBUG : web.vol_interface : Setting Config ALL to None
DEBUG Setting Config REVERSE to 0
DEBUG : web.vol_interface : Setting Config REVERSE to 0
DEBUG Setting Config YARA_RULES to google
DEBUG : web.vol_interface : Setting Config YARA_RULES to google
DEBUG Setting Config SIZE to 256
DEBUG : web.vol_interface : Setting Config SIZE to 256
ERROR Struct VOLATILITY_MAGIC has no member KPCR
ERROR : web.views : Struct VOLATILITY_MAGIC has no member KPCR
[11/Jun/2016 00:19:53] "POST /ajaxhandler/yara-string/ HTTP/1.1" 200 28

DEBUG : web.views : Yara String Scanner
DEBUG Setting Config CASE to None
DEBUG : web.vol_interface : Setting Config CASE to None
DEBUG Setting Config WIDE to None
DEBUG : web.vol_interface : Setting Config WIDE to None
DEBUG Setting Config ALL to None
DEBUG : web.vol_interface : Setting Config ALL to None
DEBUG Setting Config REVERSE to 0
DEBUG : web.vol_interface : Setting Config REVERSE to 0
DEBUG Setting Config YARA_FILE to yararules/Ap0calypse.yar
DEBUG : web.vol_interface : Setting Config YARA_FILE to yararules/Ap0calypse.yar
DEBUG Setting Config SIZE to 256
DEBUG : web.vol_interface : Setting Config SIZE to 256
ERROR Struct VOLATILITY_MAGIC has no member KPCR
ERROR : web.views : Struct VOLATILITY_MAGIC has no member KPCR
[11/Jun/2016 00:21:52] "POST /ajaxhandler/yara-string/ HTTP/1.1" 200 28
I am using the Yara Scan Memory button on the Tools Bar.
Can you help me? Thank you so much.
Will have a look and see if I can reproduce the error.
Is this function working normally for you? I deployed two, and both have the error. Is it my image or profile that has a problem?
Which OS is your Image? Have you got the latest version of VolUtility?
You can try running volscan from the command line like normal. This would tell you if your image is OK.
It is centos65x64.
Versions Python: 2.7.6 | Volatility: 2.5 | VolUtility: 1.0-dev
I can use linux_yarascan at the command line:

root@MF-Server:/opt/tools/volatility# python vol.py --profile=LinuxCentOS65x64 -f /opt/images/centos65_2.lime linux_yarascan -Y "google"
Volatility Foundation Volatility Framework 2.5
Task: polkitd pid 1564 rule r1 addr 0x7f32180e5165
0x7f32180e5165  67 6f 6f 67 6c 65 2d 76 69 64 65 6f 2d 70 6f 69  google-video-poi
0x7f32180e5175  6e 74 65 72 00 00 00 61 75 64 69 6f 2f 78 2d 6d  nter...audio/x-m
0x7f32180e5185  34 62 00 74 65 78 74 2f 78 2d 63 72 65 64 69 74  4b.text/x-credit
0x7f32180e5195  73 00 00 74 65 78 74 2f 78 2d 6d 72 6d 6c 00 61  s..text/x-mrml.a
......................
I can't find the volscan command. :(