h2cyber / voldiff Goto Github PK

I got this error today, when VolDiff started hunting for malicious artifacts.
I am not even mediocre with Python, so I am not 100% sure what is happening, other than something with a regex does not seem to be working.

I am on Ubuntu 16.X LTS with Python 2.7

File "VolDiff.py", line 1811, in
main()
File "VolDiff.py", line 1444, in main
path = get_execpath(pid)
File "VolDiff.py", line 617, in get_execpath
if re.search(procnamep + ' pid.*' + str(pid), line, re.IGNORECASE):
File "/usr/lib/python2.7/re.py", line 146, in search
return _compile(pattern, flags).search(string)
File "/usr/lib/python2.7/re.py", line 251, in _compile
raise error, v # invalid expression

Hi I am new to voldiff, while running this error appeared.

Traceback (most recent call last):
File "C:\Users\John\Desktop\VolDiff\VolDiff.py", line 1811, in
main()
File "C:\Users\John\Desktop\VolDiff\VolDiff.py", line 983, in main
print_help()
File "C:\Users\John\Desktop\VolDiff\VolDiff.py", line 194, in print_help
sys.exit()
SystemExit

Any idea what went wrong?

VolDiff - win.zip

path_to_volatility variable must point to volatility executable or python script.
Update at line 23.

hello folks,
thxx a lot for this great tool i just discovered.
i just gave it a try on a win7 ram image profile and i got an out of range error msg.
anything i can do for solve this?Volatility plugin malfind execution in progress...
Volatility plugin procdump execution in progress...
Volatility plugin idt execution in progress...
Volatility plugin gdt execution in progress...
Volatility plugin driverirp execution in progress...
Volatility plugin deskscan execution in progress...
Volatility plugin timers execution in progress...
Volatility plugin gditimers execution in progress...
Volatility plugin ssdt execution in progress...

Hunting for malicious artifacts in memory...
Traceback (most recent call last):
File "VolDiff.py", line 1811, in
main()
File "VolDiff.py", line 1391, in main
ppids = get_all_ppids("explorer.exe|csrss.exe|wininit.exe|winlogon.exe|system")
File "VolDiff.py", line 595, in get_all_ppids
ppids.append(re.sub(' +', ' ', line).split(' ')[3])
IndexError: list index out of range
nocomp@8uR34ud3sL1c0rn35:~/tools/forensic/VolDiff$

best regards

This error came from the "Diffing output results..." step:

Traceback (most recent call last):
  File "VolDiff.py", line 1811, in <module>
    main()
  File "VolDiff.py", line 1220, in main
    if re.search(r"[a-zA-Z\.]\s+%s " % pid, line, re.IGNORECASE):
  File "/usr/lib/python2.7/re.py", line 142, in search
    return _compile(pattern, flags).search(string)
  File "/usr/lib/python2.7/re.py", line 244, in _compile
    raise error, v # invalid expression
sre_constants.error: unbalanced parenthesis

We have the following error:
...
File VolDiff.py, line 1552, in main
report_anomalies("interesting files on disk(filescan).", suspicious files)
File VolDiff.py, line 402, in report anomalies
anomaly_list_to_report = anomaly_list[0:threshold]
TypeError: 'set' object is not subscriptable