distorm3 v3.5.0 breaks volatility #719

Closed
nganhkhoa opened this issue Jun 4, 2020 · 3 comments

@nganhkhoa

Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.linux.malfind (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.malware.timers (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.overlays.windows.win8 (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.linux.process_stack (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.drivermodule (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.linux.check_inline_kernel (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.overlays.mac.mac (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.linux.check_syscall (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.overlays.windows.win8_kdbg (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.timeliner (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.malware.apihooks (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.multiscan (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.volshell (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.linux.linux_volshell (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.dumpcerts (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.linux.netscan (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.mac.mac_volshell (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.tcaudit (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.malware.devicetree (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.overlays.windows.win10 (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.malware.threads (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.mac.apihooks_kernel (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.malware.idt (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.linux.linux_truecrypt (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.mbrparser (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.mac.check_syscall_shadow (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.linux.linux_yarascan (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.malware.malfind (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.ssdt (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.mac.apihooks (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.overlays.linux.linux (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.malware.impscan (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.mac.malfind (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.malware.callbacks (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.mac.mac_yarascan (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)

Solution: Use distorm v3.4.4

pip uninstall distorm3
pip install distorm3==3.4.4

@kathrynmcbain

Spent hours stuck with this - thanks for the solution!

@atcuno
Contributor

atcuno commented Jul 29, 2020

Thanks for this report. I am pretty certain this is an issue with distorm3 itself and not Volatility. I did pip install distorm3 and got 3.5, and then in just the regular Python interpreter produced the following:

# python
Python 2.7.17 (default, Jul 20 2020, 15:37:01) 
[GCC 7.5.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import distorm3
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python2.7/dist-packages/distorm3/__init__.py", line 56, in <module>
    _distorm = _load_distorm()
  File "/usr/local/lib/python2.7/dist-packages/distorm3/__init__.py", line 53, in _load_distorm
    return cdll.LoadLibrary(_distorm_file)
  File "/usr/lib/python2.7/ctypes/__init__.py", line 444, in LoadLibrary
    return self._dlltype(name)
  File "/usr/lib/python2.7/ctypes/__init__.py", line 366, in __init__
    self._handle = _dlopen(self._name, mode)
OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi
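
An added example, not part of the thread and not Volatility or distorm3 code: every failure line in the report names the same shared object and the same missing symbol, which is what points at distorm3 rather than at the individual plugins. The parser below groups Volatility 2 `*** Failed to import` lines by root cause; the function names and the last sample line (`example_plugin`, `example_dep`) are constructed for illustration.

```python
import re
from collections import defaultdict

# Volatility 2 start-up lines of the form shown in this issue:
# *** Failed to import <module> (<Exception>: <detail>)
FAILED_IMPORT = re.compile(
    r"^\*\*\* Failed to import (?P<module>[\w.]+) "
    r"\((?P<exc>\w+): (?P<detail>.*)\)\s*$"
)
# Dynamic-loader detail: "<shared object>: undefined symbol: <name>"
UNDEFINED_SYMBOL = re.compile(r"^(?P<lib>.+?): undefined symbol: (?P<symbol>\S+)$")

# Sample input: three lines copied from the issue, one constructed line
# (example_plugin / example_dep) to show a second, unrelated cause.
SAMPLE_LOG = """\
Volatility Foundation Volatility Framework 2.6.1
*** Failed to import volatility.plugins.linux.malfind (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.malware.apihooks (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.ssdt (OSError: /usr/local/lib/python2.7/dist-packages/_distorm3.so: undefined symbol: operands_set_tsi)
*** Failed to import volatility.plugins.example_plugin (ImportError: No module named example_dep)
"""


def group_import_failures(log_text):
    """Return {(exception, library_or_None, symbol_or_detail): [modules]}."""
    causes = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_IMPORT.match(line.strip())
        if not m:
            continue  # banner lines and normal plugin output
        detail = m.group("detail")
        sym = UNDEFINED_SYMBOL.match(detail)
        if sym:
            key = (m.group("exc"), sym.group("lib"), sym.group("symbol"))
        else:
            key = (m.group("exc"), None, detail)
        causes[key].append(m.group("module"))
    return dict(causes)


def dominant_cause(causes):
    """Return the root cause that disabled the most plugins, or None."""
    return max(causes, key=lambda k: len(causes[k])) if causes else None


if __name__ == "__main__":
    for cause, modules in group_import_failures(SAMPLE_LOG).items():
        print(cause, "->", len(modules), "plugin(s):", ", ".join(modules))
```

A single dominant cause that is a shared object plus an undefined symbol means the affected analysis plugins (malfind, apihooks, ssdt and the rest) are absent from that run until the library is fixed, so results from that run do not include their output.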

@gdabah

gdabah commented Dec 4, 2020

@nganhkhoa Can you please check latest version 3.5.1 and let me know if it works or not?
