[Vol-users] mac_psxview command problem on Yosemite

Justin q. Case jcase at moagency.com
Wed May 13 12:29:20 CDT 2015


Hey everyone, I recently built a 10.10.3 Yosemite profile for a 10.10.3 image I have. When I try to run mac_psxview on the image, I’m getting a bunch of errors as shown below. Any ideas?

bash-3.2# python /usr/local/bin/vol.py -f /users/msquire/desktop/share/macloginELF.dump --profile MacYosemite10_10_3_64bitx64 mac_psxview
Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 5, in <module>
    pkg_resources.run_script('volatility==2.4', 'vol.py')
  File "/Library/Python/2.7/site-packages/pkg_resources/__init__.py", line 729, in run_script
    self.require(requires)[0].run_script(script_name, ns)
  File "/Library/Python/2.7/site-packages/pkg_resources/__init__.py", line 1642, in run_script
    exec(code, namespace, namespace)
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/EGG-INFO/scripts/vol.py", line 192, in <module>
    main()
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/EGG-INFO/scripts/vol.py", line 183, in main
    command.execute()
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/plugins/mac/common.py", line 46, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/commands.py", line 99, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/plugins/overlays/mac/mac.py", line 1098, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 858, in __init__
    self.reset()
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/plugins/overlays/mac/mac.py", line 1117, in reset
    self.load_modifications()
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 940, in load_modifications
    mod.modification(self)
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/plugins/overlays/mac/mac.py", line 1367, in modification
    profile.merge_overlay(mac_overlay)
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 1031, in merge_overlay
    self.vtypes[k] = self._apply_overlay(self.vtypes[k], v)
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 1081, in _apply_overlay
    result.append(self._apply_overlay(type_member[i], overlay[i]))
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 1068, in _apply_overlay
    result[k] = self._apply_overlay(type_member[k], v)
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 1081, in _apply_overlay
    result.append(self._apply_overlay(type_member[i], overlay[i]))
  File "/Library/Python/2.7/site-packages/volatility-2.4-py2.7.egg/volatility/obj.py", line 1072, in _apply_overlay
    if len(overlay) != len(type_member):
TypeError: object of type 'int' has no len()

Using OSXPmem to acquire the images, tried with RAW, ELF (as above), and MACHO types.

This has been killing me, any help would be greatly appreciated!


Thank you!



