monnappa22 / hollowfind Goto Github PK

[enviroment]
win10
python2.7
volatility

[cmd]
PS D:\workspace\2013\Github\volatility-master\volatility-master> python27.exe .\vol.py -f D:\workspace\vms\windows_10_business_editions_version_1903_x64_dvd_e001dd2c.iso\windows_10_business_editions_version_1903_x64_dvd_e001dd2c.iso-6f11cc0a.vmem --profile=Win10x64_18362 hollowfind

Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
File ".\vol.py", line 192, in
main()
File ".\vol.py", line 183, in main
command.execute()
File "D:\workspace\2013\Github\volatility-master\volatility-master\volatility\commands.py", line 147, in execute
func(outfd, data)
File "D:\workspace\2013\Github\volatility-master\volatility-master\volatility\plugins\hollowfind.py", line 206, in render_text
for (hol_proc_peb_info, hol_proc_vad_info, hol_pid, hol_type, similar_procs, parent_proc_info) in data:
File "D:\workspace\2013\Github\volatility-master\volatility-master\volatility\plugins\hollowfind.py", line 179, in calculate
self.update_proc_peb_info(psdata)
File "D:\workspace\2013\Github\volatility-master\volatility-master\volatility\plugins\hollowfind.py", line 50, in update_proc_peb_info
self.proc_peb_info[pid].extend([str(proc_cmd_line),
UnboundLocalError: local variable 'proc_cmd_line' referenced before assignment

Really love this plugin. Any chances if this will be ported to Rekall? Thanks.

HollowFind plugin throws an error when ran against a memory dump.
Specifying a valid process id with the -p flag doesn't make any difference on the outputted error.

AttributeError: Struct _MMVAD_SHORT has no member ControlArea

Wondering if I am missing something, or if this is a real bug?

$ sudo vol.py --plugins=/data/vol/plugins --profile=Win7SP1x86 -f memdump.mem hollowfind
Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
File "/usr/local/bin/vol.py", line 4, in
import('pkg_resources').run_script('volatility==2.5', 'vol.py')
File "/usr/local/lib/python2.7/dist-packages/pkg_resources/init.py", line 742, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/usr/local/lib/python2.7/dist-packages/pkg_resources/init.py", line 1497, in run_script
exec(code, namespace, namespace)
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in
main()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
command.execute()
File "/usr/local/lib/python2.7/dist-packages/volatility-2.5-py2.7.egg/volatility/commands.py", line 147, in execute
func(outfd, data)
File "/data/vol/plugins/hollowfind.py", line 206, in render_text
for (hol_proc_peb_info, hol_proc_vad_info, hol_pid, hol_type, similar_procs, parent_proc_info) in data:
File "/data/vol/plugins/hollowfind.py", line 179, in calculate
self.update_proc_peb_info(psdata)
File "/data/vol/plugins/hollowfind.py", line 50, in update_proc_peb_info
self.proc_peb_info[pid].extend([str(proc_cmd_line),
UnboundLocalError: local variable 'proc_cmd_line' referenced before assignment
$

when volatility3 support version comes up?