add "translate" function in vmi.py

Open mintancy opened this issue 6 years ago • 3 comments

An error occurred while running the psxview plugin:

    # python vol.py -l vmi://winxpsp3x86 --profile=WinXPSP2x86 psxview
    AttributeError: 'PyVmiAddressSpace' object has no attribute 'translate'

After checking the libvmi address plugin, there is no translate function in the vmi.py file. So I tried to add this code at the bottom:

    def translate(self, addr):
        # Translate a kernel virtual address to a physical address via libvmi
        return self.vmi.translate_kv2p(addr)

And I also modified the code in [malware/psxview.py](https://github.com/volatilityfoundation/volatility/pull/362/commits/ca42f0c465c9acd9cc0b70e468af23a869e547fa). Then I got the results:

    Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
    ---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
    0x065e3da0 HelpSvc.exe            1580 True   True   True     True   True  True    True
    0x06589da0 lsass.exe               556 True   True   True     True   True  True    True
    0x0658d988 svchost.exe             876 True   True   True     True   True  True    True
    0x065c0da0 svchost.exe             924 True   True   True     True   True  True    True
    0x0664c558 wpabaln.exe            1788 True   True   True     True   True  True    True
    0x0660f390 msmsgs.exe             1472 True   True   True     True   True  True    True
    0x06625c10 ctfmon.exe             1444 True   True   True     True   True  True    True
    0x064c5020 spoolsv.exe            1252 True   True   True     True   True  True    True
    0x06621768 services.exe            544 True   True   True     True   True  True    True
    0x06626da0 (?
                 ???w.exe            248 True   True   True     True   True  True    True
    0x065fe3c0 wscntfy.exe             276 True   True   True     True   True  True    True
    0x066e93d0 svchost.exe             712 True   True   True     True   True  True    True
    0x066337e8 wmiprvse.exe           1032 True   True   True     True   True  True    True
    0x06624180 svchost.exe             768 True   True   True     True   True  True    True
    0x064e2da0 svchost.exe             828 True   True   True     True   True  True    True
    0x064df9f8 alg.exe                 976 True   True   True     True   True  True    True
    0x066383c0 wuauclt.exe            1360 True   True   True     True   True  True    True
    0x065b0898 winlogon.exe            500 True   True   True     True   True  True    True
    0x064be958 explorer.exe           1300 True   True   True     True   True  True    True
    0x066234d8 logon.scr              1228 True   True   True     True   True  True    True
    0x06618928 taskmgr.exe             896 True   True   True     True   True  True    True
    0x067b7a00 System                    4 True   True   True     True   False False   False
    0x06577128 smss.exe                308 True   True   True     True   False False   False
    0x065b9020 csrss.exe               476 True   True   True     True   False True    True

Is this a correct result, or is this "translate" function right?

mintancy, May 09 '18 03:05
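One way to sanity-check psxview output like the table in this issue, as an added example that is not part of the original post or of Volatility: it parses each row and reports processes that are missing from a source without a known benign reason, plus any lines that fail to parse, such as the garbled PID 248 entry. The `EXPECTED_FALSE` rules, the skipping of rows with an ExitTime, the `triage` helper and the `hidden.exe` sample row are assumptions made for illustration.

```python
import re

# Column order of the psxview table shown in the issue.
SOURCES = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# Assumption: False cells that are normal on Windows XP. System and smss.exe
# start before csrss.exe and have no session or desktop; csrss.exe is not
# listed in its own handle table.
EXPECTED_FALSE = {
    "system": {"csrss", "session", "deskthrd"},
    "smss.exe": {"csrss", "session", "deskthrd"},
    "csrss.exe": {"csrss"},
}

# offset, name (may contain spaces), pid, seven booleans, optional ExitTime
ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(.*?)\s+(\d+)((?:\s+(?:True|False)){7})\s*(.*)$")

# Sample input: first five data lines copied from the issue, last row constructed.
SAMPLE = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x06589da0 lsass.exe               556 True   True   True     True   True  True    True
0x067b7a00 System                    4 True   True   True     True   False False   False
0x065b9020 csrss.exe               476 True   True   True     True   False True    True
0x06626da0 (?
             ???w.exe            248 True   True   True     True   True  True    True
0x01234560 hidden.exe             1337 False  True   True     True   True  True    True
"""

def triage(text):
    """Return (suspicious, unparsed) for psxview text output."""
    suspicious, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Offset", "---")):
            continue
        m = ROW.match(line)
        if not m:
            unparsed.append(line)  # e.g. a name containing raw control bytes
            continue
        _offset, name, pid, flags, exit_time = m.groups()
        if exit_time:  # assumption: exited processes may drop out of live lists
            continue
        missing = {s for s, f in zip(SOURCES, flags.split()) if f == "False"}
        unexplained = missing - EXPECTED_FALSE.get(name.lower(), set())
        if unexplained:
            suspicious.append((int(pid), name, sorted(unexplained)))
    return suspicious, unparsed
```

Unparsed lines deserve a manual look: a process name that breaks the table layout can point at a bad address translation as easily as at a tampered process structure.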