[Vol-users] AttributeError: 'linux_mount' object has no attribute 'parse_mnt' error when trying to list tmpfs in Linux/Windows using Volatility 2.4

Srinivasan J srinidpdk at gmail.com
Tue Oct 14 04:08:09 CDT 2014


Hello Andrew,

Thank you for the fix (commit
b6a7ae43a977041de9ff13b4ebaa605bb3829a34). I was able to list the
Linux tmpfs filesystems in the RAM dump, but I'm not able to recover
the contents. The tmpfs was mounted on a CentOS 7 x86_64 VM (ESXi
server) and used the 3.10.0-123 kernel.

The RAM dump was generated using:
insmod /root/source/LiME-master/src/lime-3.10.0-123.el7.x86_64.ko
"path=/var/crash/ramtmpfs.lime format=lime"

[srini at localhost volatility]$
[srini at localhost volatility]$ python
/home/srini/source/volatility/volatility/vol.py
--plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f
/mnt/data/home/srini/ovf/ramtmpfs.lime linux_tmpfs -L
Volatility Foundation Volatility Framework 2.4
1 -> /run
2 -> /sys/fs/cgroup
3 -> /dev/shm
4 -> /mnt/ramdisk

[srini at localhost volatility]$ python
/home/srini/source/volatility/volatility/vol.py
--plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f
/mnt/data/home/srini/ovf/ramtmpfs.lime linux_tmpfs -S 4 -D decode
Volatility Foundation Volatility Framework 2.4

Traceback (most recent call last):
  File "/home/srini/source/volatility/volatility/vol.py", line 192, in <module>
    main()
  File "/home/srini/source/volatility/volatility/vol.py", line 183, in main
    command.execute()
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/common.py",
line 62, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/srini/source/volatility/volatility/volatility/commands.py",
line 127, in execute
    func(outfd, data)
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/tmpfs.py",
line 155, in render_text
    for (i, path) in data:
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/tmpfs.py",
line 141, in calculate
    self.walk_sb(root_dentry)
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/tmpfs.py",
line 101, in walk_sb
    self.process_directory(root_dentry, parent = cur_dir)
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/tmpfs.py",
line 83, in process_directory
    for page in
linux_find_file.linux_find_file(self._config).get_file_contents(inode):
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/find_file.py",
line 236, in get_file_contents
    data = self.get_page_contents(inode, idx)
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/find_file.py",
line 207, in get_page_contents
    page_addr = self.find_get_page(inode, idx)
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/find_file.py",
line 198, in find_get_page
    page = self.radix_tree_lookup_slot(inode.i_mapping.page_tree, offset)
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/find_file.py",
line 175, in radix_tree_lookup_slot
    height = node.height
  File "/home/srini/source/volatility/volatility/volatility/obj.py",
line 747, in __getattr__
    return self.m(attr)
  File "/home/srini/source/volatility/volatility/volatility/obj.py",
line 729, in m
    raise AttributeError("Struct {0} has no member
{1}".format(self.obj_name, attr))
AttributeError: Struct radix_tree_node has no member height

On Tue, Oct 14, 2014 at 1:37 AM, Andrew Case <atcuno at gmail.com> wrote:
> Hello,
>
>
> This has been fixed. Please git pull and it should work. Let me know if
> you still have issues and thanks for the bug report.
>
> Thanks,
> Andrew (@attrc)
>
> On 10/13/2014 01:51 AM, Srinivasan J wrote:
>> Hi,
>>    I am trying to recover tmpfs from a RAM lime dump using volatility
>> 2.4 in Linux/Windows, but I hit the  "AttributeError: 'linux_mount'
>> object has no attribute 'parse_mnt'". Is this a known issue?
>>
>> Thanks,
>> Srini
>>
>>
>> [srini at localhost volatility-2.4]$ python
>> /home/srini/vola/setup/volatility-2.4/vol.py
>> --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f
>> /mnt/data/home/srini/ovf/ramtmpfs.lime linux_tmpfs -L
>> Volatility Foundation Volatility Framework 2.4
>> Traceback (most recent call last):
>> File "/home/srini/vola/setup/volatility-2.4/vol.py", line 192, in <module>
>> main()
>> File "/home/srini/vola/setup/volatility-2.4/vol.py", line 183, in main
>> command.execute()
>> File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/common.py",
>> line 62, in execute
>> commands.Command.execute(self, *args, **kwargs)
>> File "/home/srini/vola/setup/volatility-2.4/volatility/commands.py",
>> line 127, in execute
>> func(outfd, data)
>> File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py",
>> line 157, in render_text
>> for (i, path) in data:
>> File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py",
>> line 148, in calculate
>> tmpfs_sbs = self.get_tmpfs_sbs()
>> File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py",
>> line 120, in get_tmpfs_sbs
>> for (sb, _dev_name, path, fstype, _rr, _mnt_string) in
>> linux_mount.linux_mount(self._config).parse_mnt(mnts):
>> AttributeError: 'linux_mount' object has no attribute 'parse_mnt'
>>
>>
>> C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.s
>> tandalone>
>>
>> C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.s
>> tandalone>volatility-2.4.standalone.exe --plugins=profile --profile=Linuxcentos7
>> x64 -f D:\volat\ramtmpfs.lime linux_tmpfs -L
>> Volatility Foundation Volatility Framework 2.4
>> Traceback (most recent call last):
>> File "<string>", line 192, in <module>
>> File "<string>", line 183, in main
>> File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.c
>> ommon", line 62, in execute
>> File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.commands", line
>> 127, in execute
>> File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.t
>> mpfs", line 157, in render_text
>> File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.t
>> mpfs", line 148, in calculate
>> File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.t
>> mpfs", line 120, in get_tmpfs_sbs
>> AttributeError: 'linux_mount' object has no attribute 'parse_mnt'
>>
>> C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.s
>> tandalone>volatility-2.4.standalone.exe --plugins=profile --profile=Linuxcentos7
>> x64 -f D:\volat\ramtmpfs.lime linux_cpuinfo
>> Volatility Foundation Volatility Framework 2.4
>> Processor Vendor Model
>> ------------ ---------------- -----
>> 0 GenuineIntel Intel(R) Xeon(R) CPU E5-2609 v2 @ 2.50GHz
>>
>> C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.s
>> tandalone>
>>
>>
>> [srini at localhost volatility-2.4]$ python
>> /home/srini/vola/setup/volatility-2.4/vol.py
>> --plugins=/mnt/data/home/srini/ovf --profile=Linuxcent
>> os7x64 --info | more
>> Volatility Foundation Volatility Framework 2.4
>>
>>
>> Profiles
>> --------
>> Linuxcentos7x64 - A Profile for Linux centos7 x64
>> VistaSP0x64 - A Profile for Windows Vista SP0 x64
>> VistaSP0x86 - A Profile for Windows Vista SP0 x86
>> VistaSP1x64 - A Profile for Windows Vista SP1 x64
>> VistaSP1x86 - A Profile for Windows Vista SP1 x86
>> VistaSP2x64 - A Profile for Windows Vista SP2 x64
>> VistaSP2x86 - A Profile for Windows Vista SP2 x86
>>
>>
>> [srini at localhost volatility-2.4]$ python
>> /home/srini/vola/setup/volatility-2.4/vol.py
>> --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f
>> /mnt/data/home/srini/ovf/ramtmpfs.lime linux_cpuinfo
>> Volatility Foundation Volatility Framework 2.4
>> Processor Vendor Model
>> ------------ ---------------- -----
>> 0 GenuineIntel Intel(R) Xeon(R) CPU E5-2609 v2 @ 2.50GHz
>>
>> [srini at localhost volatility-2.4]$ python
>> /home/srini/vola/setup/volatility-2.4/vol.py
>> --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f
>> /mnt/data/home/srini/ovf/ramtmpfs.lime linux_mount
>> Volatility Foundation Volatility Framework 2.4
>> hugetlbfs /dev/hugepages hugetlbfs rw,relatime
>>
>> devtmpfs /dev devtmpfs rw,nosuid
>>
>> tmpfs /dev/shm tmpfs rw,nosuid,nodev
>>
>> devpts /dev/pts devpts rw,relatime,nosuid,noexec
>>
>> cgroup /sys/fs/cgroup/memory cgroup rw,relatime,nosuid,nodev,noexec
>>
>> tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec
>>
>> proc /proc proc rw,relatime,nosuid,nodev,noexec
>>
>> /dev/mapper/centos-root / xfs rw,relatime
>>
>> tmpfs /run tmpfs rw,nosuid,nodev
>>
>> sysfs /sys sysfs rw,relatime,nosuid,nodev,noexec
>>
>> sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime
>>
>> mqueue /dev/mqueue mqueue rw,relatime
>>
>> debugfs /sys/kernel/debug debugfs rw,relatime
>>
>> selinuxfs /sys/fs/selinux selinuxfs rw,relatime
>>
>> securityfs /sys/kernel/security securityfs rw,relatime,nosuid,nodev,noexec
>>
>> cgroup /sys/fs/cgroup/systemd cgroup rw,relatime,nosuid,nodev,noexec
>>
>> pstore /sys/fs/pstore pstore rw,relatime,nosuid,nodev,noexec
>>
>> cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,nosuid,nodev,noexec
>>
>> sunrpc /proc/fs/nfsd nfsd rw,relatime
>>
>> tmpfs /mnt/ramdisk tmpfs rw,relatime
>> cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,relatime,nosuid,nodev,noexec
>>
>> configfs /sys/kernel/config configfs rw,relatime
>>
>> cgroup /sys/fs/cgroup/devices cgroup rw,relatime,nosuid,nodev,noexec
>>
>> systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime
>>
>> cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,nosuid,nodev,noexec
>>
>> cgroup /sys/fs/cgroup/net_cls cgroup rw,relatime,nosuid,nodev,noexec
>>
>> cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,nosuid,nodev,noexec
>>
>> /dev/sda1 /boot xfs rw,relatime
>>
>> cgroup /sys/fs/cgroup/perf_event cgroup rw,relatime,nosuid,nodev,noexec
>>
>> cgroup /sys/fs/cgroup/hugetlb cgroup rw,relatime,nosuid,nodev,noexec
>>
>>
>> [srini at localhost volatility-2.4]$ python
>> /home/srini/vola/setup/volatility-2.4/vol.py
>> --plugins=/mnt/data/home/srini/ovf --profile=Linuxcent
>> os7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_bash
>> Volatility Foundation Volatility Framework 2.4
>> Pid Name Command Time Command
>> -------- -------------------- ------------------------------ -------
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 ./configure
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 yum provides tcpsic
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls -ltrh
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 mv lmbench3 lmbench3-3.10
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 cd linux/
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 yum intall isic
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 yum provides dwarfdump
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 cd 3.10.0-123.el7.x86_64/
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 uname -a
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 yum install isic
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 cd linux/
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 make
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 ifconfig
>> 15151 bash 2014-10-12 01:35:58 UTC+0000 cd lmbench3-3.10