[Vol-users] Volatility-Linux TypeError

Michael Cohen scudette at gmail.com
Sun Jan 29 18:05:05 CST 2012


Patrick,
   The backtrace you got was because the init_task was not found or
had an invalid address. Can you please check that there is such a
symbol in your System.map? For example:

~/projects/volatility(scudette_playground)$ unzip -p system.zip
boot/System.map-3.0.0-12-server | grep init_task
ffffffff810de840 T ftrace_graph_init_task
ffffffff811065c0 T perf_event_init_task
ffffffff81a69cb0 r __ksymtab_init_task
ffffffff81a7e998 r __kcrctab_init_task
ffffffff81a87790 r __kstrtab_init_task
ffffffff81c0b020 D init_task
ffffffff81eed8a0 b ext4_lazyinit_task

This address (e.g. ffffffff81c0b020) needs to be valid in the kernel
AS. If it appears valid, then maybe we can not parse the kernel AS
properly. I don't think task_structs can be paged in Linux, so there is
something really wrong if it's not there.

Michael.

On 28 January 2012 05:16, Patrick Burkard <pbuml at gmx.de> wrote:
> Am Sat, 28 Jan 2012 00:39:45 +0100
> schrieb Michael Cohen <scudette at gmail.com>:
>
>> On 27 January 2012 22:53, Patrick Burkard <pbuml at gmx.de> wrote:
>> Hi Patrick,
>>
>> > "/home/dark-eye/Sources/volatility_linux64/volatility/plugins/linux/linux_task_list_ps.py",
>> > line 41, in calculate init_task_addr = self.smap["init_task"]
>> > TypeError: 'NoneType' object is unsubscriptable
>>
>> This warning means that you do not have a system map loaded - is this
>> in the zip file? Also from the messages above it seems to load Linux32
>> profile - are you sure your image is from a 32 bit system or a 64 bit
>> system?
>
> Alright ... here we go. This is the content of the profile zip:
>
> dark-eye at Ragana:~/Sources/volatility_linux64$ zipinfo -l
> -rw-r--r--  3.0 unx  1293706 tx   338478 defN 12-Jan-11 18:24
> boot/System.map-2.6.32-5-686
> -rw-r--r--  3.0 unx  1364923 tx   130532 defN 12-Jan-27 22:35
> module.dwarf 3 files, 3952335 bytes uncompressed, 778032 bytes
> compressed:  80.3%
>
> The image is captured from a VirtualBox VM:
> GNU/Linuxdark-eye at LOSTFor32:~$ uname -a
> Linux LOSTFor32 2.6.32-5-686 #1 SMP Wed Jan 11 12:29:30 UTC 2012 i686
> GNU/Linux
>
> And the command I use to start volatility. Maybe there is something that
> I've done wrong:
> python vol.py --profile Linux32 --profile_file debian_squeeze.zip
> -f /home/dark-eye/Desktop/LF32.ram pslist
>
> Thank you again for your time and help
> Greetings
> Patrick
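The check Michael describes (does the profile zip contain a boot/System.map, does it carry an exact init_task symbol, and does its address width agree with the --profile chosen) as an added example; this is not code from the thread or from Volatility, and the System.map lines and the Linux32/Linux64 naming are constructed assumptions for the demo:

```python
import io
import zipfile

# Constructed sample: a small System.map fragment in the layout the thread
# shows (address, type, symbol), with the near-miss symbols that a loose
# grep for "init_task" would also match.
SAMPLE_SYSTEM_MAP = """\
c1000000 T startup_32
c13d7a40 T ftrace_graph_init_task
c1408f20 r __ksymtab_init_task
c15a3020 D init_task
c1700000 b ext4_lazyinit_task
"""


def build_profile_zip(system_map_text, include_map=True):
    """Build an in-memory profile zip like debian_squeeze.zip in the thread.
    include_map=False mimics a zip with no boot/System.map at all, which is
    what leaves the map object as None and causes the TypeError."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if include_map:
            zf.writestr("boot/System.map-2.6.32-5-686", system_map_text)
        zf.writestr("module.dwarf", "")  # placeholder, contents not needed here
    return buf.getvalue()


def load_system_map(zip_bytes):
    """Return {symbol: address} from the first boot/System.map-* member,
    or None when the zip has no such member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if n.startswith("boot/System.map")]
        if not names:
            return None
        smap = {}
        for line in zf.read(names[0]).decode().splitlines():
            parts = line.split()
            if len(parts) == 3:
                addr, _kind, sym = parts
                smap[sym] = int(addr, 16)
        return smap


def check_init_task(zip_bytes, profile):
    """Diagnose the init_task lookup: missing map, missing exact symbol,
    or a 32/64-bit mismatch between the map's addresses and the profile."""
    smap = load_system_map(zip_bytes)
    if smap is None:
        return "no System.map in profile zip"
    if "init_task" not in smap:  # exact name, not ftrace_graph_init_task etc.
        return "init_task symbol missing from System.map"
    addr = smap["init_task"]
    bits = 64 if addr > 0xFFFFFFFF else 32  # 16 hex digits => 64-bit kernel
    if not profile.endswith(str(bits)):
        return "profile %s does not match %d-bit System.map" % (profile, bits)
    return "init_task at 0x%x, profile %s consistent" % (addr, profile)
```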
