[Vol-users] Volatility-Linux TypeError

Patrick Burkard pbuml at gmx.de
Fri Jan 27 15:53:37 CST 2012


Hello,

> Can you please repeat this with the latest linux branch
> (linux64-support) or scudettes branch? The current system takes a
> profile generated from dwarf files (in a zip). See instructions in
> tools/linux/README.txt

Thank you for the information about the newer versions in the scudette
and lin64-support branches. I tried those two, but unfortunately
without success. But step by step: I created a new profile for the
analysis target with the steps mentioned in the readme. This seems to
work with a warning at the end of the process that you can see at [1].

When I try to use this profile with the scudette version I still get the
known TypeError with some more warnings and information [2].

The lin64 version produces another error message, which I posted at [3].

I use volatility on a Debian Squeeze 64-Bit version:
$ uname -a
Linux Ragana 2.6.32-5-amd64 #1 SMP Mon Jan 16 16:22:28 UTC 2012 x86_64 GNU/Linux

Hopefully this information is helpful for you and we can find the
reason for my problems. Please ask if you need more information.

Greetings
Patrick


[1]
/mnt/host/tools/linux/pmem.c: In function ‘pmem_read_partial’:
/mnt/host/tools/linux/pmem.c:142: warning: comparison of distinct pointer types lacks a cast
  Building modules, stage 2.
  MODPOST 2 modules
make[4]: Warning: File `/mnt/host/tools/linux/module.mod.c' has modification time 0,095 s in the future
  CC      /mnt/host/tools/linux/module.mod.o
  LD [M]  /mnt/host/tools/linux/module.ko
  CC      /mnt/host/tools/linux/pmem.mod.o
  LD [M]  /mnt/host/tools/linux/pmem.ko
make[4]: Warnung: Mit der Uhr stimmt etwas nicht. Die Bearbeitung könnte unvollständig sein.

[2]
Volatile Systems Volatility Framework 2.1_alpha
WARNING : volatility.obj      : comm has no offset in object task_struct. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : name has no offset in object net_device. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : s_id has no offset in object super_block. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : sun_path has no offset in object sockaddr_un. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : x86_model_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : x86_vendor_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : name has no offset in object module. Check that vtypes has a concrete definition for it.
INFO    : volatility.plugins.overlays.linux.linux32: Found dwarf file module.dwarf
INFO    : volatility.plugins.overlays.linux.linux32: Found dwarf file boot/System.map-2.6.32-5-686
Loaded profile Linux32
Offset   Name                 Pid             Uid
Traceback (most recent call last):
  File "./vol.py", line 202, in <module>
    main()
  File "./vol.py", line 192, in main
    command_obj.execute()
  File "/home/dark-eye/Sources/volatility_scudette/volatility/commands.py", line 166, in execute
    func(outfd, data)
  File "/home/dark-eye/Sources/volatility_scudette/volatility/plugins/linux/linux_task_list_ps.py", line 61, in render_text
    for task in data:
  File "/home/dark-eye/Sources/volatility_scudette/volatility/plugins/linux/linux_task_list_ps.py", line 51, in calculate
    for task in linux_common.walk_list_head("task_struct", "tasks", init_task.tasks, self.addr_space):
  File "/home/dark-eye/Sources/volatility_scudette/volatility/plugins/linux/linux_common.py", line 121, in walk_list_head
    yield obj.Object(struct_name, offset = list_ptr - offset, vm = addr_space)
TypeError: unsupported operand type(s) for -: 'instancemethod' and 'int'

[3]
Volatile Systems Volatility Framework 2.1_alpha
WARNING : volatility.obj      : comm has no offset in object task_struct. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : name has no offset in object net_device. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : s_id has no offset in object super_block. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : sun_path has no offset in object sockaddr_un. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : x86_model_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : x86_vendor_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : name has no offset in object module. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : comm has no offset in object task_struct. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : name has no offset in object net_device. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : s_id has no offset in object super_block. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : sun_path has no offset in object sockaddr_un. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : x86_model_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : x86_vendor_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it.
WARNING : volatility.obj      : name has no offset in object module. Check that vtypes has a concrete definition for it.
Offset   Name                 Pid             Uid
Traceback (most recent call last):
  File "./vol.py", line 171, in <module>
    main()
  File "./vol.py", line 161, in main
    command.execute()
  File "/home/dark-eye/Sources/volatility_linux64/volatility/commands.py", line 135, in execute
    func(outfd, data)
  File "/home/dark-eye/Sources/volatility_linux64/volatility/plugins/linux/linux_task_list_ps.py", line 62, in render_text
    for task in data:
  File "/home/dark-eye/Sources/volatility_linux64/volatility/plugins/linux/linux_task_list_ps.py", line 41, in calculate
    init_task_addr = self.smap["init_task"]
TypeError: 'NoneType' object is unsubscriptable
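
The `list_ptr - offset` step in the traceback at [2] is the usual way to walk a kernel `list_head` chain: subtract the member's offset from the list pointer to reach the enclosing struct. As an added example (not part of the original post and not Volatility's own code), this simplified Python 3 model of that walk verifies that the profile supplies concrete offsets and that pointers stay inside the image before doing the arithmetic. The vtypes layout, struct offsets, function names and memory image are all constructed for illustration.

```python
import struct

class ProfileError(Exception):
    """The profile or image cannot supply what the list walk needs."""

def member_offset(vtypes, struct_name, member):
    # vtypes layout modelled here: {struct: [size, {member: [offset, [type]]}]}
    entry = vtypes[struct_name][1].get(member)
    if entry is None or not isinstance(entry[0], int):
        raise ProfileError("%s.%s has no concrete offset" % (struct_name, member))
    return entry[0]

def walk_list_head(mem, vtypes, struct_name, member, head_addr, limit=4096):
    """Yield the base address of every struct on a circular list_head chain."""
    offset = member_offset(vtypes, struct_name, member)  # validated before any math
    seen, ptr = set(), head_addr
    while ptr not in seen and len(seen) < limit:
        if ptr < offset or ptr + 4 > len(mem):
            raise ProfileError("list pointer 0x%x is outside the image" % ptr)
        seen.add(ptr)
        yield ptr - offset                            # list_head -> enclosing struct
        (ptr,) = struct.unpack_from("<I", mem, ptr)   # list_head.next, 32-bit LE

def list_tasks(mem, vtypes, init_task_addr):
    """Return (pid, comm) for every task reachable from init_task.tasks."""
    pid_off = member_offset(vtypes, "task_struct", "pid")
    comm_off = member_offset(vtypes, "task_struct", "comm")
    head = init_task_addr + member_offset(vtypes, "task_struct", "tasks")
    rows = []
    for base in walk_list_head(mem, vtypes, "task_struct", "tasks", head):
        (pid,) = struct.unpack_from("<I", mem, base + pid_off)
        comm = mem[base + comm_off:base + comm_off + 16].split(b"\0")[0].decode()
        rows.append((pid, comm))
    return rows

# Constructed sample: three fake 32-bit task structs, not a real kernel layout.
GOOD = {"task_struct": [0x40, {"pid": [0x08, ["int"]],
                               "tasks": [0x10, ["list_head"]],
                               "comm": [0x20, ["String"]]}]}
BROKEN = {"task_struct": [0x40, dict(GOOD["task_struct"][1], comm=[None, ["String"]])]}

def build_sample_memory():
    mem = bytearray(0x400)
    tasks = [(0x100, 0, b"swapper"), (0x200, 1, b"init"), (0x300, 2, b"kthreadd")]
    for i, (addr, pid, comm) in enumerate(tasks):
        nxt, prv = tasks[(i + 1) % 3][0] + 0x10, tasks[i - 1][0] + 0x10
        struct.pack_into("<I", mem, addr + 0x08, pid)
        struct.pack_into("<II", mem, addr + 0x10, nxt, prv)   # list_head next, prev
        mem[addr + 0x20:addr + 0x20 + len(comm)] = comm
    return bytes(mem)
```

With `GOOD` the walk returns the three constructed tasks; with `BROKEN`, where `comm` has no offset, it stops with a `ProfileError` naming the member instead of failing later inside pointer arithmetic.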

