add "translate" function in vmi.py
An error occurred while running the psxview plugin:
```
# python vol.py -l vmi://winxpsp3x86 --profile=WinXPSP2x86 psxview
AttributeError: 'PyVmiAddressSpace' object has no attribute 'translate'
```
After checking the libvmi address space plugin, there is no translate function in the vmi.py file. So I tried to add this code at the bottom:
```python
def translate(self, addr):
    # map a kernel virtual address to a physical address through LibVMI
    return self.vmi.translate_kv2p(addr)
```
And I also modified the code in [malware/psxview.py](https://github.com/volatilityfoundation/volatility/pull/362/commits/ca42f0c465c9acd9cc0b70e468af23a869e547fa); then I got these results:
```
Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x065e3da0 HelpSvc.exe          1580   True   True   True     True   True  True    True
0x06589da0 lsass.exe            556    True   True   True     True   True  True    True
0x0658d988 svchost.exe          876    True   True   True     True   True  True    True
0x065c0da0 svchost.exe          924    True   True   True     True   True  True    True
0x0664c558 wpabaln.exe          1788   True   True   True     True   True  True    True
0x0660f390 msmsgs.exe           1472   True   True   True     True   True  True    True
0x06625c10 ctfmon.exe           1444   True   True   True     True   True  True    True
0x064c5020 spoolsv.exe          1252   True   True   True     True   True  True    True
0x06621768 services.exe         544    True   True   True     True   True  True    True
0x06626da0 (????w.exe           248    True   True   True     True   True  True    True
0x065fe3c0 wscntfy.exe          276    True   True   True     True   True  True    True
0x066e93d0 svchost.exe          712    True   True   True     True   True  True    True
0x066337e8 wmiprvse.exe         1032   True   True   True     True   True  True    True
0x06624180 svchost.exe          768    True   True   True     True   True  True    True
0x064e2da0 svchost.exe          828    True   True   True     True   True  True    True
0x064df9f8 alg.exe              976    True   True   True     True   True  True    True
0x066383c0 wuauclt.exe          1360   True   True   True     True   True  True    True
0x065b0898 winlogon.exe         500    True   True   True     True   True  True    True
0x064be958 explorer.exe         1300   True   True   True     True   True  True    True
0x066234d8 logon.scr            1228   True   True   True     True   True  True    True
0x06618928 taskmgr.exe          896    True   True   True     True   True  True    True
0x067b7a00 System               4      True   True   True     True   False False   False
0x06577128 smss.exe             308    True   True   True     True   False False   False
0x065b9020 csrss.exe            476    True   True   True     True   False True    True
```
Is this a correct result, or is this "translate" function right?
Hi
AttributeError: 'PyVmiAddressSpace' object has no attribute 'translate'
That is weird. I don't remember running into this issue with the Volatility address space before.
Also, I never really used it (only tested with pslist), because I prefer Rekall instead.
-> Do you have this "translate" error only with the psxview plugin?
-> Could you comment on this PR https://github.com/volatilityfoundation/volatility/pull/500 to try to bring some attention to the upstream integration?
Thanks.
Otherwise I would advise using the Rekall plugin if possible, since it's already integrated upstream, and Michael Cohen is very eager to reply and integrate new changes.
Thanks for your reply~ @Wenzel emm...
- I checked the code in the psxview plugin (volatility/plugins/malware/psxview.py) and found that there is a function call which translates the memory's virtual address into a physical address. This function is provided by the address space plugin; see volatility/plugins/addresspace/lime.py:
```python
def translate(self, addr):
    """Find the offset in the file where a memory address can be found.
    @param addr: a memory address
    """
    firstram = self.runs[0][0]
    if addr < firstram:
        addr = firstram + addr
    return addrspace.AbstractRunBasedMemory.translate(self, addr)
```
However, this "translate" function is not provided in vmi.py, so I got this error.
But the translation function in libvmi is available, so I tried to add translate_kv2p(addr) in vmi.py, which then met the requirement.
But I'm not sure whether it is perfect.
- I will comment on the Volatility PR later.
I will try the Rekall plugin later. Thank you very much~
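As an added illustration of the translate() contract that the lime.py excerpt in the thread follows (this is not code from the issue, from LibVMI, or from Volatility), the block below models a run-based address space whose translate() maps a memory address to an offset in the backing file, including the "below first RAM run" shift seen in lime.py and the gap case where an address falls in a hole between runs. The run layout, class names and addresses are constructed sample values.

```python
# Added example: a minimal run-based address space modelled on the lime.py
# translate() shown above. Not Volatility's or LibVMI's own code; the run
# layout and addresses below are constructed for illustration.

class RunBasedMemory:
    """Physical memory described as runs of (memory_start, file_offset, length)."""

    def __init__(self, runs):
        self.runs = sorted(runs)

    def translate(self, addr):
        """Return the file offset that holds memory address addr, or None when
        addr lies in a gap between runs (e.g. a device-memory hole)."""
        for mem_start, file_off, length in self.runs:
            if mem_start <= addr < mem_start + length:
                return file_off + (addr - mem_start)
        return None

    def is_valid_address(self, addr):
        return self.translate(addr) is not None


class LimeLikeMemory(RunBasedMemory):
    """Mirrors the firstram adjustment from lime.py: an address below the
    first RAM run is treated as relative to that run before lookup."""

    def translate(self, addr):
        firstram = self.runs[0][0]
        if addr < firstram:
            addr = firstram + addr
        return RunBasedMemory.translate(self, addr)


def demo():
    # Constructed layout: two RAM runs with a hole between them. Each run's
    # data sits behind a small header in the file, so file offsets are not
    # contiguous with memory addresses.
    runs = [
        (0x00001000, 0x00000020, 0x0009F000),  # low memory run
        (0x00100000, 0x0009F040, 0x0FF00000),  # high memory run after a hole
    ]
    mem = LimeLikeMemory(runs)
    return {
        "in_first_run": mem.translate(0x00002000),    # -> 0x1020
        "in_hole": mem.translate(0x000A0000),         # -> None
        "in_second_run": mem.translate(0x00200000),   # -> 0x19F040
        "below_firstram": mem.translate(0x10),        # shifted to 0x1010 -> 0x30
    }
```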