add "translate" function in vmi.py

[mintancy]

An error occurred while running the psxview plugin:

# python vol.py -l vmi://winxpsp3x86 --profile=WinXPSP2x86 psxview
AttributeError: 'PyVmiAddressSpace' object has no attribute 'translate'

After checking the libvmi address plugin, there is no translate function in vmi.py file. So I tried to add these code at the bottom:

    Def translate(self, addr):
        Return self.vmi.translate_kv2p(addr)

And I also modified the code in [malware/psxview.py] (volatilityfoundation/volatility@ca42f0c)
then I got the results:

Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x065e3da0 HelpSvc.exe            1580 True   True   True     True   True  True    True     
0x06589da0 lsass.exe               556 True   True   True     True   True  True    True     
0x0658d988 svchost.exe             876 True   True   True     True   True  True    True     
0x065c0da0 svchost.exe             924 True   True   True     True   True  True    True     
0x0664c558 wpabaln.exe            1788 True   True   True     True   True  True    True     
0x0660f390 msmsgs.exe             1472 True   True   True     True   True  True    True     
0x06625c10 ctfmon.exe             1444 True   True   True     True   True  True    True     
0x064c5020 spoolsv.exe            1252 True   True   True     True   True  True    True     
0x06621768 services.exe            544 True   True   True     True   True  True    True     
0x06626da0 (?
             ???w.exe            248 True   True   True     True   True  True    True     
0x065fe3c0 wscntfy.exe             276 True   True   True     True   True  True    True     
0x066e93d0 svchost.exe             712 True   True   True     True   True  True    True     
0x066337e8 wmiprvse.exe           1032 True   True   True     True   True  True    True     
0x06624180 svchost.exe             768 True   True   True     True   True  True    True     
0x064e2da0 svchost.exe             828 True   True   True     True   True  True    True     
0x064df9f8 alg.exe                 976 True   True   True     True   True  True    True     
0x066383c0 wuauclt.exe            1360 True   True   True     True   True  True    True     
0x065b0898 winlogon.exe            500 True   True   True     True   True  True    True     
0x064be958 explorer.exe           1300 True   True   True     True   True  True    True     
0x066234d8 logon.scr              1228 True   True   True     True   True  True    True     
0x06618928 taskmgr.exe             896 True   True   True     True   True  True    True     
0x067b7a00 System                    4 True   True   True     True   False False   False    
0x06577128 smss.exe                308 True   True   True     True   False False   False    
0x065b9020 csrss.exe               476 True   True   True     True   False True    True     

Is this a correct result, or is this "translate" function right?

[Wenzel]

Hi

AttributeError: 'PyVmiAddressSpace' object has no attribute 'translate'

That is weird.
I don't remember running into this issue with the Volatility address space before.

Also, I never really used it (only tested with pslist), because I prefer Rekall instead.

-> Do you have this "translate" error only with the psxview plugin ?

-> Could you comment on this PR volatilityfoundation/volatility#500
to try to bring some attention on the upstream integration ?

Thanks.

[Wenzel]

Otherwise I would advise to use the Rekall plugin if possible, since it's already integrated upstream, and Michael Cohen is very eager to reply and integrate new changes.

[mintancy]

Thanks for your reply~@Wenzel
emm...

1. I checked the code in psxview plugin(volatility/plugins/malware/psxview.py) and found that there is a function call which translates the memory's virtual address into a physical address. This function is provided by address space plugin.
   see volatility/plugins/addresspace/lime.py

    def translate(self, addr):
        """Find the offset in the file where a memory address can be found.
        @param addr: a memory address
        """
        firstram = self.runs[0][0]

        if addr < firstram:
            addr = firstram + addr

        return addrspace.AbstractRunBasedMemory.translate(self, addr)

However, this "translate" function is not provided in vmi.py, so I met this error.
But the translation function in libvmi is availible, so I tried to add translate_kv2p(addr) in vmi.py, then fit the requirement.
But I'm not sure is it perfect.

2. I would comment on volatility later.

I would try Rekall plugin later. Thank you very much~