malfind option error #43

Closed
GoogleCodeExporter opened this issue Nov 24, 2015 · 6 comments

Comments

@GoogleCodeExporter

What steps will reproduce the problem?
1. Installed latest volatility
2. Typed 'vol.py malfind -f coreflood.vmem -dump-dir=outdir --yara-rules=./aa.yara'
3. Then I got 'vol.py: error: no such option: --dump-dir'

I saw the 'Malware Analyst's Cookbook', and I followed Recipe 16-6.
I wonder how I can fix it.

What version of the product are you using? On what operating system?
latest volatility 2.1_alpha, win7 32bit

Original issue reported on code.google.com by h...@nslab.kaist.ac.kr on 18 Apr 2012 at 3:26

@GoogleCodeExporter

Hello. There's a different version of malfind supplied with the 2.1 alpha branch (as compared to the version in malware.py on this website). The older malfind (which is written about in the book) searched for injected code *and* allowed you to scan for yara signatures. In the newer version, malfind only finds injected code. The plugin for scanning with yara rules is yarascan.

So in your 2.1 alpha branch just do: 

$ python vol.py malfind -h 
$ python vol.py yarascan -h 

That will show you the options allowed for both plugins. One thing I see is you used -dump-dir instead of --dump-dir.

Original comment by michael.hale@gmail.com on 18 Apr 2012 at 3:40

@GoogleCodeExporter

Hi Michael,

For Volatility Framework 2.1_alpha

I tried the following:

vol.py malfind -f c:\memsmpls\zeus.vmem  -dump-dir c:\re\

Output is: vol.py: error: no such option: -u

Also tried:
vol.py malfind -f c:\memsmpls\zeus.vmem  --dump-dir c:\re\

Output is: vol.py: error: no such option: --dump-dir

What is wrong? Please help.

Thanks
Tamer

Original comment by tame...@gmail.com on 22 Apr 2012 at 7:28

@GoogleCodeExporter

Hey Tamer, sorry about that. I just realized the --dump-dir option had gotten removed in the transition to the 2.1 alpha base.

See the following patch and update to r1628 to re-enable the --dump-dir option:

http://code.google.com/p/volatility/source/detail?r=1628

Thanks!

Original comment by michael.hale@gmail.com on 23 Apr 2012 at 2:47
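Added illustration (not from this thread or the Volatility project) of why the two reports above produce different messages. It assumes a small stand-in for Volatility 2.1's option table built on Python's optparse, with -d/--debug as a value-less count flag and --dump-dir either registered (as after r1628) or not.

```python
import optparse


class ParseFailure(Exception):
    """Raised instead of exiting, so the error text can be inspected."""


class NonExitingParser(optparse.OptionParser):
    # optparse's default error() calls sys.exit(2); raise instead.
    def error(self, msg):
        raise ParseFailure(msg)


def build_parser(dump_dir_enabled):
    """Assumed subset of Volatility 2.1's global options (not the real table)."""
    parser = NonExitingParser(prog="vol.py")
    parser.add_option("-f", "--filename", dest="filename")
    # A value-less short flag: a single-dash '-dump-dir' is read as the
    # clustered short flags -d, -u, ... which is where '-u' comes from.
    parser.add_option("-d", "--debug", dest="debug", action="count", default=0)
    if dump_dir_enabled:
        # The plugin option the r1628 patch re-added.
        parser.add_option("--dump-dir", dest="dump_dir")
    return parser


def run(argv, dump_dir_enabled=True):
    """Return ("ok", options-dict) or ("error", message) for argv."""
    parser = build_parser(dump_dir_enabled)
    try:
        opts, _positional = parser.parse_args(list(argv))
    except ParseFailure as exc:
        return ("error", str(exc))
    return ("ok", vars(opts))


if __name__ == "__main__":
    # Constructed command lines mirroring the reports in the thread.
    cases = [
        (["malfind", "-f", "zeus.vmem", "-dump-dir", "out"], False),
        (["malfind", "-f", "zeus.vmem", "--dump-dir", "out"], False),
        (["malfind", "-f", "zeus.vmem", "--dump-dir=out"], True),
    ]
    for argv, enabled in cases:
        print(argv, "dump-dir registered:", enabled, "->", run(argv, enabled))
```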

@GoogleCodeExporter

Hi Michael,

It is working,

Thanks

Original comment by tame...@gmail.com on 24 Apr 2012 at 6:17

@GoogleCodeExporter

Hey, Michael

yarascan works well.

Then I should find a malware yara rule.

Thanks a lot.

Original comment by ali...@gmail.com on 25 Apr 2012 at 10:22

@GoogleCodeExporter

Original comment by michael.hale@gmail.com on 2 May 2012 at 6:13

  • Changed state: Done
