[Vol-users] Problem using bitmaps in overlays

Michael Hale Ligh michael.hale at gmail.com
Thu Jun 20 09:04:25 CDT 2013


Hey Carl,

I copied this into our bug tracker
(https://code.google.com/p/volatility/issues/detail?id=431). Don't expect an
immediate fix, but just wanted you to know it will get addressed...

MHL


On Fri, Apr 19, 2013 at 10:07 AM, Michael Hale Ligh <michael.hale at gmail.com> wrote:

> Hey Carl,
>
> Another way to try would be:
>
> profile.merge_overlay({
>    'XXX' : [ None, ['array', 4, ['Flags', dict(target = 'unsigned long', bitmap = { 'A': 0, 'B': 1, 'C': 2 })]]],
> })
>
> In that case, Struct.XXX[0] should be the first element in the array which
> is a Flags type. However, I ran into similar errors as you did, and I'm not
> entirely sure my approach would produce the structure you need even if it
> did work. This shows the error that I see:
>
> >>> flags = obj.Object("Array", targetType = "Flags", offset = address, vm = addrspace, count = 2)
> Traceback (most recent call last):
>   File "<console>", line 1, in <module>
>   File "/Users/mike/Desktop/volatility/volatility/obj.py", line 173, in Object
>     result = vm.profile.types[theType](offset = offset, vm = vm, name = name, **kwargs)
>   File "/Users/mike/Desktop/volatility/volatility/obj.py", line 582, in __init__
>     if self.current.size() == 0:
>   File "/Users/mike/Desktop/volatility/volatility/obj.py", line 435, in size
>     return struct.calcsize(self.format_string)
> TypeError: Struct() argument 1 must be string, not Array
>
> So just posting this here for documentation. Any other devs know why this
> doesn't work or how to get around it?
>
> MHL
>
>
> On Wed, Apr 17, 2013 at 5:54 PM, Carl Pulley <c.pulley at acme-labs.org.uk> wrote:
>
>> Hi all,
>>   I'm currently attempting to code up a bitmap (within an overlay) that
>> consists of an array of 4 ulongs.
>>
>> With (say) a single ulong, the following works great:
>>
>>   profile.merge_overlay({
>>     'XXX': [ None, ['Flags', {'target': 'unsigned long', 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]]
>>   })
>>
>> However, the obvious generalisation to 4 ulongs:
>>
>>   profile.merge_overlay({
>>     'XXX': [ None, ['Flags', {'target': ['array', 4, ['unsigned long']], 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]]
>>   })
>>
>> fails. Looking at the source, the profile.merge_overlay calls:
>>
>>   obj.Object(['array', 4, ['unsigned long']], offset=0, ..)
>>
>> and this function in turn raises an exception (i.e. TypeError: unhashable
>> type: 'list') when it calls:
>>
>>   vm.profile.has_type(['array', 4, ['unsigned long']])
>>
>> Attempts at using obj.Array instead also flounder.
>>
>> Does anyone have any hints or tips as to how best to deal with bitmaps
>> that are arrays of bytes, ulongs or similar? Is it a case of having to
>> extend the obj.Flags class so that such things can be handled?
>>
>> Many thanks,
>>
>>   Carl.
>>
>
>
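An added example, not part of the original thread and not Volatility code: a stand-alone decoder for a flag bitmap that spans an array of 4 unsigned longs, working on raw bytes already read from the memory image rather than through `obj.Flags`. It assumes 4-byte little-endian words and that bit n lives in word n // 32 at position n % 32; `decode_flags`, `BITMAP` and `SAMPLE` are hypothetical names.

```python
import struct

WORD_BITS = 32  # assumption: each 'unsigned long' in the array is 4 bytes


def decode_flags(raw, bitmap, words=4, endian="<"):
    """Return the names of the set flags, ordered by bit index.

    raw    -- bytes covering the whole array (words * 4 bytes)
    bitmap -- {name: bit index}, same shape as the overlay's 'bitmap' dict
    Bit n is taken from word n // 32, bit n % 32 (assumed layout).
    """
    size = words * WORD_BITS // 8
    if len(raw) < size:
        raise ValueError("need %d bytes, got %d" % (size, len(raw)))
    values = struct.unpack("%s%dI" % (endian, words), raw[:size])

    names = []
    for name, bit in sorted(bitmap.items(), key=lambda kv: kv[1]):
        if not 0 <= bit < words * WORD_BITS:
            raise ValueError("bit %d for %r is outside the bitmap" % (bit, name))
        word, shift = divmod(bit, WORD_BITS)
        if (values[word] >> shift) & 1:
            names.append(name)
    return names


# Constructed sample: the thread's A/B/C flags plus two made-up flags
# (D, E) that sit beyond the first word, to exercise the array case.
BITMAP = {"A": 0, "B": 1, "C": 2, "D": 33, "E": 127}
SAMPLE = struct.pack("<4I", 0b101, 0b10, 0, 0x80000000)

if __name__ == "__main__":
    print(", ".join(decode_flags(SAMPLE, BITMAP)))
```
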