[Vol-users] Plugin errors in scudette-branch

Stefan Steizer vitax.set at googlemail.com
Sat Apr 28 06:27:42 CDT 2012


Hi everybody,

i have tried the scudette branch r1628 for linux memory analysis and
received some Errors. My test-systems were Ubuntu 11.10 (Kernel
3.0.0-17-generic, 64 Bit) and Debian 6.0.2.1 (Kernel 2.6.32-5-686, 32
Bit). The plugins i have tested were pslist, cpuinfo, dmesg, ifconfig and
netstat.

As i followed the instructions at the Wiki-Page the first thing i have
noticed was an NameError after the *vol pslist* command:

$ python vol.py
Welcome to volshell!
To get help, type 'help()'

In [1]: session.filename = "memory.dd"
In [2]: session.profile_file = "myprofile.zip"
In [3]: session.profile = "Linux32"
In [4]: vol pslist
------> vol(pslist)
---------------------------------------------------------------------------
NameError                                 Traceback (most recent call last)

/home/vitax/lin64-support/vol.py in <module>()
----> 1
      2
      3
      4
      5

NameError: name 'pslist' is not defined

After i changed the *In [4]: vol pslist* command into *In [4]: vol
"pslist"*the NameError disappeared and the pslist plugin worked well
on both systems.

The next plugin was cpuinfo. On both system i've got the right processor
output, but on Ubuntu i additionally received a warning/error:

In [5]: vol "cpuinfo"
------> vol("cpuinfo")
Processor    Vendor           Model

*ERROR:root:Constant per_cpu__cpu_info does not exist in profile.*
0            GenuineIntel     Intel(R) Core(TM)2 Duo CPU     P8600  @
2.40GHz
Out[5]: <volatility.plugins.linux.cpuinfo.CpuInfo object at 0x2fc5190>

The ifconfig plugin returned on both systems a ValueError.

*On Ubuntu:*

In [6]: vol "ifconfig"
------> vol("ifconfig")
lo       127.0.0.1        00:00:00:00:00:00
ERROR:root:Error: Unknown format code 's' for object of type 'int'
---------------------------------------------------------------------------
ValueError                                Traceback (most recent call last)

/home/vitax/lin64-support/vol.py in <module>()
----> 1
      2
      3
      4
      5

/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls,
fd, debug, output, **kwargs)
    194             kwargs['session'] = self
    195             result = plugin_cls(**kwargs)
--> 196             result.render(fd)
    197
    198             return result

/home/vitax/lin64-support/volatility/plugins/linux/ifconfig.py in
render(self, outfd)
     97
     98             outfd.write("{0:8s} {1:16s} {2:32s}\n".format(
---> 99                     net_dev.name, ip, mac_addr))
    100
    101

ValueError: Unknown format code 's' for object of type 'int'

*On Debian:*

In [6]: vol "ifconfig"
------> vol("ifconfig")
lo       127.0.0.1        00:00:00:00:00:00
eth0     10.0.2.15        08:00:27:f6:0e:dd
ERROR:root:Error: Unknown format code 's' for object of type 'int'
---------------------------------------------------------------------------
ValueError                                Traceback (most recent call last)

/home/vitax/lin64-support/vol.py in <module>()
----> 1
      2
      3
      4
      5

/home/vitax/lin64-support/volatility/session.pyc in vol(self, plugin_cls,
fd, debug, output, **kwargs)
    194             kwargs['session'] = self
    195             result = plugin_cls(**kwargs)
--> 196             result.render(fd)
    197
    198             return result

/home/vitax/lin64-support/volatility/plugins/linux/ifconfig.pyc in
render(self, outfd)
     97
     98             outfd.write("{0:8s} {1:16s} {2:32s}\n".format(
---> 99                     net_dev.name, ip, mac_addr))
    100
    101

ValueError: Unknown format code 's' for object of type 'int'

After that i tried the netstat plugin. I received on both systems an
AttributeError:

*On Ubuntu:*
*
*
In [7]: vol "netstat"
------> vol("netstat")
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)

/home/vitax/lin64-support/vol.py in <module>()
----> 1
      2
      3
      4
      5

/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls,
fd, debug, output, **kwargs)
    178         """
    179         if isinstance(plugin_cls, basestring):
--> 180             plugin_cls = getattr(self.plugins, plugin_cls)
    181
    182         if output is not None:

/home/vitax/lin64-support/volatility/session.py in __getattr__(self, attr)
     79             return self.plugins[attr]
     80         except KeyError:
---> 81             raise AttributeError(attr)
     82
     83

AttributeError: netstat

*On Debian:*
*
*
In [7]: vol "netstat"
------> vol("netstat")
ERROR: An unexpected error occurred while tokenizing input
The following traceback may be corrupted or invalid
The error message is: ('EOF in multi-line statement', (40, 0))

---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)

/home/vitax/lin64-support/vol.py in <module>()
----> 1
      2
      3
      4
      5

/home/vitax/lin64-support/volatility/session.pyc in vol(self, plugin_cls,
fd, debug, output, **kwargs)
    178         """
    179         if isinstance(plugin_cls, basestring):
--> 180             plugin_cls = getattr(self.plugins, plugin_cls)
    181
    182         if output is not None:

/home/vitax/lin64-support/volatility/session.pyc in __getattr__(self, attr)
     79             return self.plugins[attr]
     80         except KeyError:
---> 81             raise AttributeError(attr)
     82
     83

AttributeError: netstat

In the end i tried the dmesg plugin. On Debian it worked well, but on
Ubuntu i got this error:

In [8]: vol "dmesg"
------> vol("dmesg")
ERROR:root:Error: 'ascii' codec can't decode byte 0xc2 in position 74140:
ordinal not in range(128)
---------------------------------------------------------------------------
UnicodeDecodeError                        Traceback (most recent call last)

/home/vitax/lin64-support/vol.py in <module>()
----> 1
      2
      3
      4
      5

/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls,
fd, debug, output, **kwargs)
    194             kwargs['session'] = self
    195             result = plugin_cls(**kwargs)
--> 196             result.render(fd)
    197
    198             return result

/home/vitax/lin64-support/volatility/plugins/linux/dmesg.py in render(self,
outfd)
     44
     45     def render(self, outfd):
---> 46         outfd.write(self.get_dmesg())
     47
     48

/home/vitax/lin64-support/volatility/session.py in write(self, data)
    111     def write(self, data):
    112         # Encode the data according to the output encoding.

--> 113         data = data.encode(self.encoding)
    114         try:
    115             self.pager.write(data)

UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 74140:
ordinal not in range(128)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20120428/eed8cb76/attachment.html


More information about the Vol-users mailing list