[Vol-users] Volatility-Linux TypeError

Andrew Case atcuno at gmail.com
Fri Jan 27 18:42:16 CST 2012


Can we see your command line invocation? It seems to be using the 32-bit
profile.

Sent from my Droid --
On Jan 26, 2012 7:34 PM, "Patrick Burkard" <pbuml at gmx.de> wrote:

> Hello,
>
> In the last few weeks I've tried to analyze Linux memory dumps with the
> volatility-linux version (Revision 1313 from svn).
>
> My goal is to show that it is possible to discover hidden processes,
> kernel modules etc. (for example from a rootkit) from a memory dump, by
> comparing the output from the memory dump analysis with the native
> execution of the system commands.
>
> I created a profile for the current stable Debian version.
> Trying to use this profile leads to the following TypeError:
>
> python volatility.py --profile=LinuxDebian26325 -f ~/Desktop/LF32.ram linux_task_list_ps
> Volatile Systems Volatility Framework 1.4_rc1
> Name                 Pid             Uid
> Traceback (most recent call last):
>   File "volatility.py", line 129, in <module>
>     main()
>   File "volatility.py", line 120, in main
>     command.execute()
>   File "/home/dark-eye/Sources/volatility_linux/volatility/commands.py", line 101, in execute
>     func(outfd, data)
>   File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_task_list_ps.py", line 59, in render_text
>     for task in data:
>   File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_task_list_ps.py", line 50, in calculate
>     for task in linux_common.walk_list_head("task_struct", "tasks", init_task.tasks, self.addr_space):
>   File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_common.py", line 110, in walk_list_head
>     yield obj.Object(struct_name, offset = list_ptr - offset, vm = addr_space)
> TypeError: unsupported operand type(s) for -: 'instancemethod' and 'int'
>
> I would really appreciate to debug or help to debug this issue. Sadly I
> can't find a way to evaluate the correctness of the kernel-profile. Is
> this a known problem from volatility-linux or could it be the result of
> a failure I've made while creating the Debian profile?
>
> Thanks for every hint!
> Greetings
> Patrick
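Added example, not part of the original thread and not Volatility code: a stand-alone sketch of the list_head walk seen in the traceback (struct base = list pointer minus the member offset) over a constructed memory image, followed by the comparison against live `ps` output that the quoted message describes as its goal. The 32-bit struct layout, the offsets, all function names and the sample data are assumptions made for illustration; real offsets come from the kernel profile.

```python
import struct

# Hypothetical 32-bit little-endian task_struct layout (constructed for this
# example; in a real analysis these offsets come from the kernel profile).
PID_OFF, TASKS_OFF, COMM_OFF, TASK_SIZE = 0, 8, 16, 32


def build_image(tasks):
    """Build a constructed memory image holding a circular task list."""
    image = bytearray(TASK_SIZE * len(tasks))
    for i, (pid, comm) in enumerate(tasks):
        base = i * TASK_SIZE
        nxt = ((i + 1) % len(tasks)) * TASK_SIZE + TASKS_OFF
        prv = ((i - 1) % len(tasks)) * TASK_SIZE + TASKS_OFF
        struct.pack_into("<I", image, base + PID_OFF, pid)
        struct.pack_into("<II", image, base + TASKS_OFF, nxt, prv)
        struct.pack_into("16s", image, base + COMM_OFF, comm.encode())
    return bytes(image)


def walk_tasks(image, head_ptr):
    """Yield (pid, comm) for every task linked after the list head."""
    seen = set()
    ptr = struct.unpack_from("<I", image, head_ptr)[0]   # head.next
    while ptr != head_ptr:
        if ptr in seen:
            raise ValueError("list loops back to %#x" % ptr)
        seen.add(ptr)
        base = ptr - TASKS_OFF   # member address -> start of enclosing struct
        if base < 0 or base + TASK_SIZE > len(image):
            raise ValueError("list pointer outside image: %#x" % ptr)
        pid = struct.unpack_from("<I", image, base + PID_OFF)[0]
        comm = struct.unpack_from("16s", image, base + COMM_OFF)[0]
        yield pid, comm.rstrip(b"\0").decode()
        ptr = struct.unpack_from("<I", image, ptr)[0]    # tasks.next


def hidden_from_ps(image, head_ptr, ps_pids):
    """Return tasks found in memory whose PID the live `ps` did not list."""
    return [(pid, comm) for pid, comm in walk_tasks(image, head_ptr)
            if pid not in ps_pids]


# Constructed sample: four tasks in memory, `ps` on the live system showed
# only three of them. The list head is the first task (pid 0).
IMAGE = build_image([(0, "swapper"), (1, "init"), (742, "sshd"), (1337, "hidden")])
print(hidden_from_ps(IMAGE, TASKS_OFF, ps_pids={0, 1, 742}))
```

The bounds and loop checks make a wrong offset (for example, a 32-bit layout applied to a 64-bit image) fail with a clear message instead of producing silently wrong task entries.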