[Vol-users] Plugin errors in scudette-branch

Michael Cohen scudette at gmail.com
Sun Apr 29 13:49:25 CDT 2012


Hi Stefan,

Thanks for helping to test the linux support. I am currently traveling
and will not be able to fix these issues for another week. I will try
to help here, but suggest you open an issue with these bug reports. At
the moment the linux plugins have not all been converted to the new
framework which supports multiple operating systems, so many do not
work completely yet.

On 28 April 2012 13:27, Stefan Steizer <vitax.set at googlemail.com> wrote:
> $ python vol.py
> Welcome to volshell!
> To get help, type 'help()'
>
> In [1]: session.filename = "memory.dd"
> In [2]: session.profile_file = "myprofile.zip"
> In [3]: session.profile = "Linux32"
> In [4]: vol pslist

You must realise that this is an interactive python shell, so a global
name of pslist is not already defined. You can either use "pslist" as
a string, or better use plugins.pslist. The plugins global provides
access to all plugins which are able to run within the current session
(i.e. the ones that support the current profile etc). As usual with
ipython you can type tab twice to see the command completion. For
example plugins.[tab][tab] will offer all the currently available
plugins for the current profile.

> ERROR:root:Constant per_cpu__cpu_info does not exist in profile.
> 0            GenuineIntel     Intel(R) Core(TM)2 Duo CPU     P8600  @
> 2.40GHz
> Out[5]: <volatility.plugins.linux.cpuinfo.CpuInfo object at 0x2fc5190>

It is possible that this constant was renamed with later kernel versions.

> The ifconfig plugin returned on both systems a ValueError.
>
> On Ubuntu:
>
> In [6]: vol "ifconfig"
> ------> vol("ifconfig")
> lo       127.0.0.1        00:00:00:00:00:00
> ERROR:root:Error: Unknown format code 's' for object of type 'int'
> /home/vitax/lin64-support/volatility/plugins/linux/ifconfig.py in
> render(self, outfd)
>      97
>      98             outfd.write("{0:8s} {1:16s} {2:32s}\n".format(
> ---> 99                     net_dev.name, ip, mac_addr))

This looks to me like the ip address (which is normally an address
object) should not be an integer - try replacing line 98 with

ip = "0.0.0.0"


> After that I tried the netstat plugin. I received on both systems an

As you can see from this tracking page
https://sites.google.com/site/volatilityng/todo

The netstat module is not yet converted to the new framework. I guess
we need to improve the error message here though - as "no such
plugin" or something. If you used the plugins global as mentioned
above you would see that it does not have a netstat plugin.

> In the end I tried the dmesg plugin. On Debian it worked well, but on Ubuntu
> I got this error:

I wonder if this is due to the dmesg data actually being utf8 encoded
unicode data. Can you try replacing:

http://code.google.com/p/volatility/source/browse/branches/scudette/volatility/plugins/linux/dmesg.py#43
        return log_buf_addr.dereference_as("String", length=log_buf_len)

with
        return log_buf_addr.dereference_as("UnicodeString", length=log_buf_len)

Thanks,
Michael.
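
The ifconfig failure discussed in the message above, reproduced as an added example (not part of the original message and not Volatility's code). It shows why the `{1:16s}` format code rejects an integer and one way to normalise the value before rendering. The helper names and the byte-order handling are assumptions: an integer is treated as a raw `__be32` read from the image as a little-endian 32-bit value.

```python
import socket
import struct

# Format string taken from the traceback quoted in the message.
ROW_FORMAT = "{0:8s} {1:16s} {2:32s}\n"


def ip_to_text(ip):
    """Return printable IPv4 text for a value read from a memory image.

    Assumption: an int is a raw __be32 that was read as a little-endian
    uint32, so re-packing it little-endian restores network byte order.
    """
    if ip is None:
        return "0.0.0.0"  # placeholder for an interface with no address
    if isinstance(ip, int):
        if not 0 <= ip <= 0xFFFFFFFF:
            raise ValueError("not a 32-bit IPv4 value: %r" % (ip,))
        return socket.inet_ntoa(struct.pack("<I", ip))
    return str(ip)  # address objects and plain strings


def render_row(name, ip, mac_addr):
    """Hardened rendering: every field is text before it reaches format()."""
    return ROW_FORMAT.format(str(name), ip_to_text(ip), str(mac_addr))


def naive_row(name, ip, mac_addr):
    """Rendering as in the traceback: fails when ip is an int."""
    return ROW_FORMAT.format(name, ip, mac_addr)


if __name__ == "__main__":
    # Constructed sample rows: (name, ip as read from the image, mac).
    samples = [
        ("lo", 0x0100007F, "00:00:00:00:00:00"),
        ("eth0", None, "aa:bb:cc:dd:ee:ff"),
    ]
    for row in samples:
        print(render_row(*row), end="")
    try:
        naive_row("eth0", 0, "aa:bb:cc:dd:ee:ff")
    except ValueError as exc:
        print("naive rendering failed:", exc)
```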

