[Vol-users] problems with centos

Andrew Case atcuno at gmail.com
Sun Mar 24 10:53:35 CDT 2013


Hello,

It seems you have identified some issues while the rest of the output is
explainable.

1) linux_check_afinfo
Being empty means that nothing is hooked (this is good)

2) linux_check_creds, linux_pidhashtable, linux_psxview
These are missing support for your kernel version. Can you please paste the
output of uname -a on your machine along with the specific version of
centos that you are using?

3) linux_check_evt_arm & linux_check_syscall_arm
These only support ARM-based computers (e.g. Android) and I assume your
memory sample is from an Intel-based computer. We will soon have a patch
that allows plugins to check what architecture they are being run against,
and then these plugins will report that they are ARM only instead of raising
exceptions.

4) linux_check_tty
This seems like a bug we will have to fix.


Thank you for your report and please get us the kernel & centos version so
we can attempt to fix some of them.

Thanks,
Andrew (@attrc)

On Fri, Mar 22, 2013 at 12:36 PM, <bellissimopython at email.it> wrote:

> Hi,
> I am trying to analyze a memory dump from a Centos server but I have got
> some problems.
>
> ------ Plugin  linux_check_afinfo ------
> ---------------------------------
> Volatile Systems Volatility Framework 2.3_alpha
> Symbol Name                                Member                         Address
> ------------------------------------------ ------------------------------ ----------
>
>
> ------ Plugin  linux_check_creds ------
> ---------------------------------
> Volatile Systems Volatility Framework 2.3_alpha
> PIDs
> --------
> ERROR   : volatility.plugins.linux.check_creds: This command is not
> supported in this profile.
>
>
> ------ Plugin  linux_check_evt_arm ------
> ---------------------------------
> Volatile Systems Volatility Framework 2.3_alpha
> Check                          PASS/FAIL Info
> ------------------------------ --------- ------------------------------
> SWI Offset Instruction         FAIL      -
>
>
> ------ Plugin  linux_check_syscall_arm ------
> ---------------------------------
> Volatile Systems Volatility Framework 2.3_alpha
>      Index Address    Symbol
> ---------- ---------- ------------------------------
> Traceback (most recent call last):
>   File "vol.py", line 186, in <module>
>     main()
>   File "vol.py", line 177, in main
>     command.execute()
>   File "/root/vltlt/volatility-read-only/volatility/plugins/linux/common.py", line 55, in execute
>     commands.Command.execute(self, *args, **kwargs)
>   File "/root/vltlt/volatility-read-only/volatility/commands.py", line 111, in execute
>     func(outfd, data)
>   File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 88, in render_text
>     for (i, call_addr, hooked) in data:
>   File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 66, in calculate
>     num_syscalls = self._get_syscall_table_size()
>   File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 38, in _get_syscall_table_size
>     opcode = obj.Object("unsigned int", offset = vector_swi_addr, vm = self.addr_space)
>   File "/root/vltlt/volatility-read-only/volatility/obj.py", line 169, in Object
>     offset = int(offset)
> TypeError: int() argument must be a string or a number, not 'NoneType'
>
>
> ------ Plugin  linux_check_tty ------
> ---------------------------------
> Volatile Systems Volatility Framework 2.3_alpha
> Name             Address    Symbol
> ---------------- ---------- ------------------------------
> Traceback (most recent call last):
>   File "vol.py", line 186, in <module>
>     main()
>   File "vol.py", line 177, in main
>     command.execute()
>   File "/root/vltlt/volatility-read-only/volatility/plugins/linux/common.py", line 55, in execute
>     commands.Command.execute(self, *args, **kwargs)
>   File "/root/vltlt/volatility-read-only/volatility/commands.py", line 111, in execute
>     func(outfd, data)
>   File "/root/vltlt/volatility-read-only/volatility/plugins/linux/tty_check.py", line 59, in render_text
>     for name, call_addr in data:
>   File "/root/vltlt/volatility-read-only/volatility/plugins/linux/tty_check.py", line 52, in calculate
>     recv_buf = tty_dev.ldisc.ops.receive_buf
>   File "/root/vltlt/volatility-read-only/volatility/obj.py", line 735, in __getattr__
>     return self.m(attr)
>   File "/root/vltlt/volatility-read-only/volatility/obj.py", line 717, in m
>     raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
> AttributeError: Struct ldisc has no member ops
>
>
>
> ------ Plugin  linux_pidhashtable ------
> ---------------------------------
> Volatile Systems Volatility Framework 2.3_alpha
> ERROR   : volatility.plugins.linux.pidhashtable: calculate_v2: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have supprot added.
> Offset     Name                 Pid             Uid             Gid    DTB        Start Time
> ---------- -------------------- --------------- --------------- ------ ---------- ----------
>
>
> ------ Plugin  linux_psxview ------
> ---------------------------------
> Volatile Systems Volatility Framework 2.3_alpha
> ERROR   : volatility.plugins.linux.pidhashtable: calculate_v2: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have supprot added.
> Offset(V)  Name                    PID pslist pid_hash kmem_cache
> ---------- -------------------- ------ ------ -------- ----------
>
>
> The other plugins work fine.
>
> Bye.
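The triage Andrew walks through above (an empty table is a clean result, "not supported in this profile" means missing kernel-version support, the _arm plugins do not apply to an Intel sample, and a traceback is a plugin bug) can be applied mechanically to a batch run. This is an added example, not code from the post or from Volatility; it assumes the plain-text "------ Plugin  <name> ------" layout shown in the quoted output, and the sample input is constructed from that output.

```python
"""Triage a batch Volatility 2.x Linux run (added example, not from the post or the project)."""
import re
SECTION_RE = re.compile(r"^------ Plugin\s+(\S+) ------$")
BANNER_RE = re.compile(r"^(-{3,}(\s+-{3,})*|Volatile Systems Volatility Framework.*)$")

# Constructed sample modelled on the output quoted above (wrapped lines rejoined).
SAMPLE_OUTPUT = """\
------ Plugin  linux_check_afinfo ------
Volatile Systems Volatility Framework 2.3_alpha
Symbol Name                                Member                         Address
------------------------------------------ ------------------------------ ----------
------ Plugin  linux_check_creds ------
Volatile Systems Volatility Framework 2.3_alpha
ERROR   : volatility.plugins.linux.check_creds: This command is not supported in this profile.
------ Plugin  linux_check_evt_arm ------
Volatile Systems Volatility Framework 2.3_alpha
Check                          PASS/FAIL Info
------------------------------ --------- ------------------------------
SWI Offset Instruction         FAIL      -
------ Plugin  linux_check_tty ------
Volatile Systems Volatility Framework 2.3_alpha
Name             Address    Symbol
---------------- ---------- ------------------------------
Traceback (most recent call last):
AttributeError: Struct ldisc has no member ops
"""

def split_sections(text):
    # Returns {plugin_name: [lines]} for every '------ Plugin  name ------' section.
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections

def classify(name, lines, sample_arch="x86"):
    # sample_arch is the architecture of the memory image the plugins were run against.
    body = "\n".join(lines)
    if name.endswith("_arm") and sample_arch != "arm":
        return "arm_only_plugin"      # wrong architecture: FAIL rows or crashes are noise
    if "Traceback (most recent call last)" in body:
        return "exception"            # plugin bug, or a struct member this profile lacks
    if "not supported in this profile" in body or "currently unsupported" in body:
        return "unsupported_profile"  # needs kernel-version support; not a finding
    rows = [l for l in lines if l.strip() and not BANNER_RE.match(l.strip())]
    return "findings" if len(rows) > 1 else "empty_clean"  # only the column header remains

def triage(text, sample_arch="x86"):
    return {n: classify(n, ls, sample_arch) for n, ls in split_sections(text).items()}
```

Run `triage(SAMPLE_OUTPUT)` to get one label per plugin; pass `sample_arch="arm"` for an Android image so the _arm plugins are evaluated on their merits.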