This repository was archived by the owner on May 16, 2025. It is now read-only.

Windows 8.1 x86 AttributeError: Struct __MMVAD has no member Start #268

@williballenthin

Description

I'm trying to use some of the scanning plugins against a Windows 8.1 x86 memory image; however, the source distribution of 2.5 and git master at 9ad8329 raise the following error:

λ C:\Python27\python.exe C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\vol.py -f .\memory.dmp --profile=Win81U1x86 --kdbg=0x81255690 malfind
Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\vol.py", line 192, in <module>
    main()
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\vol.py", line 183, in main
    command.execute()
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\volatility\commands.py", line 145, in execute
    func(outfd, data)
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\volatility\plugins\malware\malfind.py", line 442, in render_text
    for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\volatility\plugins\overlays\windows\windows.py", line 485, in get_vads
    if not vad.is_valid():
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\volatility\plugins\overlays\windows\vad_vtypes.py", line 39, in is_valid
    self.Start < obj.VolMagic(self.obj_vm).MaxAddress.v() and
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\volatility\obj.py", line 748, in __getattr__
    return self.m(attr)
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\volatility\obj.py", line 730, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct _MMVAD has no member Start

The pslist plugin shows the processes I'd expect to see in the image.

Here is the imageinfo:

λ C:\Python27\python.exe C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\vol.py -f .\memory.dmp --profile=Win81U1x86 imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win10x86, Win81U1x86, Win8SP1x86, Win8SP0x86 (Instantiated with Win81U1x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace32 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (C:\Users\willi\Documents\Code\volatility\memory.dmp)
                      PAE type : PAE
                           DTB : 0x38f44380L
                          KDBG : 0x81255690L
          Number of Processors : 1
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0x81280000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2015-12-14 16:05:01 UTC+0000
     Image local date and time : 2015-12-14 11:05:01 -0500

I've tried the other suggested profiles, but none of them give any better results (though Win8SP0x86 doesn't raise an exception, it also doesn't print any results).

Is this a user error, or is this a bug in Volatility?
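The traceback above shows that `Start` is resolved through `obj.py`'s `__getattr__` and `m()`, i.e. it is not a member the profile's `_MMVAD` vtype knows about, while the VAD walk in `vad_vtypes.is_valid` expects it. The following is an added example, not Volatility's code and not a statement of the root cause of this report: it models, in plain Python, how a Volatility 2 profile resolves struct members from a vtypes dictionary plus an overlay class that supplies derived members such as `Start` and `End`, and it applies the `Start < MaxAddress` sanity check from the traceback to constructed VAD entries. The vtypes fragment, the two profile names, the 4 KiB page shift, the `0x80000000` user-space ceiling and the additional `End` checks are all assumptions made for the example.

```python
# Added example (not Volatility's own code). Models how Volatility 2 resolves
# struct members from a profile's vtypes plus an overlay class, and the
# Start-based sanity check the traceback shows in vad_vtypes.is_valid.
# Member layout, offsets, page size and address ceiling are assumed.

PAGE_SHIFT = 12               # 4 KiB pages on x86 (assumed)
MAX_ADDRESS_X86 = 0x80000000  # user-space ceiling on 32-bit Windows (assumed)

# Constructed vtypes fragment in Volatility's vtypes layout:
#   { name: [size, { member: [offset, [type...]] }] }
# Note that there is no 'Start' or 'End' member here: those come from an overlay.
VTYPES = {
    "_MMVAD": [0x38, {
        "StartingVpn": [0x4, ["unsigned long"]],
        "EndingVpn":   [0x8, ["unsigned long"]],
        "VadFlags":    [0xC, ["unsigned long"]],
    }],
}


class CType(object):
    """Minimal stand-in for Volatility's generic struct object."""

    def __init__(self, obj_name, values):
        self.obj_name = obj_name
        self._members = VTYPES[obj_name][1]
        self._values = values

    def m(self, attr):
        # Mirrors the message seen in the traceback when a member is unknown.
        if attr not in self._members:
            raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
        return self._values.get(attr, 0)

    def __getattr__(self, attr):
        # Only reached when normal attribute lookup fails, like obj.py's __getattr__.
        if attr.startswith("_"):
            raise AttributeError(attr)
        return self.m(attr)


class MMVAD(CType):
    """Overlay class: adds the derived Start/End members computed from the VPNs."""

    @property
    def Start(self):
        return self.StartingVpn << PAGE_SHIFT

    @property
    def End(self):
        return ((self.EndingVpn + 1) << PAGE_SHIFT) - 1

    def is_valid(self):
        # The traceback shows 'Start < MaxAddress and ...'; the End checks are assumed.
        return (self.Start < MAX_ADDRESS_X86
                and self.End <= MAX_ADDRESS_X86
                and self.Start <= self.End)


# Constructed profile registry (assumed names): one profile registers the
# overlay class for _MMVAD, the other falls back to the generic CType.
OBJECT_CLASSES = {
    "ProfileWithVadOverlay": {"_MMVAD": MMVAD},
    "ProfileWithoutVadOverlay": {},
}


def instantiate(profile, obj_name, values):
    cls = OBJECT_CLASSES[profile].get(obj_name, CType)
    return cls(obj_name, values)


def missing_vad_members(profile):
    """Return the VAD members a VAD walk needs that this profile cannot resolve."""
    vad = instantiate(profile, "_MMVAD", {"StartingVpn": 0x400, "EndingVpn": 0x4FF})
    missing = []
    for name in ("StartingVpn", "EndingVpn", "Start", "End"):
        try:
            getattr(vad, name)
        except AttributeError:
            missing.append(name)
    return missing


def validate_vads(profile, raw_vads):
    """Apply the Start/End sanity check to (StartingVpn, EndingVpn) tuples.

    Raises AttributeError, as malfind does above, if the profile lacks the overlay.
    """
    results = []
    for start_vpn, end_vpn in raw_vads:
        vad = instantiate(profile, "_MMVAD", {"StartingVpn": start_vpn, "EndingVpn": end_vpn})
        results.append((vad.Start, vad.End, vad.is_valid()))
    return results


if __name__ == "__main__":
    for profile in OBJECT_CLASSES:
        print(profile, "missing:", missing_vad_members(profile))
    for row in validate_vads("ProfileWithVadOverlay", [(0x400, 0x4FF), (0x80000, 0x80010)]):
        print("Start=0x%x End=0x%x valid=%s" % row)
```

The practical check this models is whether the profile in use actually exposes `Start` and `End` on `_MMVAD` (`StartingVpn`/`EndingVpn` alone are not enough for the VAD walk); in the modeled "without overlay" profile the raw VPN members resolve but `Start` and `End` do not, which is the same shape of failure as the traceback.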
