Hi Mike,
Thanks for the patch. That's a great idea to invent a special
exception for AS's - we could define a way to attach the reasons for
failing each plugin to a single AS object - then we can report why we
failed in detail. Each AS plugin might have special reasons to fail
and we can keep track of why each one failed in this way.
Also I took the liberty of updating the older dialect of:
if modules.has_key(argv[1]):
to the more modern pythonic dialect of:
module = argv[1]
if module in modules:
which is slightly more readable.
Michael.
On Sat, Sep 26, 2009 at 10:11 AM, Mike Auty <mike.auty(a)gmail.com> wrote:
Hiya guys,
Here's the first of a few patches. This one should improve the error
checking during the utils.load_as function call. Now if the base
address space can't be instantiated, it raises its own form of
exception allowing the main program to catch it and report back
gracefully what went wrong.
Without this, just running volatility followed by a plugin name would
fail as the filename address space assumed a filename option would
always be present...
Mike 5:)
diff --git a/Volatility/forensics/utils.py b/Volatility/forensics/utils.py
index 69eccd2..0ff3151 100644
--- a/Volatility/forensics/utils.py
+++ b/Volatility/forensics/utils.py
@@ -19,7 +19,12 @@ def load_as(opts):
## selecting us means we are done:
if not found:
break
+
+ if base_as is None:
+ raise AddrSpaceError("No suitable address space maaping found")
return base_as
-
+class AddrSpaceError(Exception):
+ """Address Space Exception, so we can catch and deal with it in the
main program"""
+ pass
\ No newline at end of file
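Review bot: The message on the added `raise` line is misspelled ("maaping"), and since it is the text a caller would log or display it is worth fixing now: `raise AddrSpaceError("No suitable address space mapping found")`. The new class is also appended without a blank-line separation from `load_as` and the file now ends without a trailing newline; two blank lines before `class AddrSpaceError(Exception):` and a final newline would match the usual layout. `load_as` starts outside this hunk, so how `base_as` is initialised cannot be checked from here.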
diff --git a/Volatility/memory_objects/Windows/xp_sp2.py
b/Volatility/memory_objects/Windows/xp_sp2.py
index 7cd97e0..2a8887e 100644
--- a/Volatility/memory_objects/Windows/xp_sp2.py
+++ b/Volatility/memory_objects/Windows/xp_sp2.py
@@ -25,7 +25,7 @@
#pylint: disable-msg=C0111
-from forensics.object2 import CType, NewObject, NativeType, Curry
+from forensics.object2 import CType, NewObject, NoneObject, NativeType, Curry
from vtypes import xpsp2types as types
from forensics.win32.datetime import windows_to_unix_time
import vmodules
diff --git a/Volatility/memory_plugins/address_spaces/standard.py
b/Volatility/memory_plugins/address_spaces/standard.py
index 2712e09..1d4844e 100644
--- a/Volatility/memory_plugins/address_spaces/standard.py
+++ b/Volatility/memory_plugins/address_spaces/standard.py
@@ -23,6 +23,7 @@ class FileAddressSpace(addrspace.BaseAddressSpace):
def __init__(self, base, opts):
addrspace.BaseAddressSpace.__init__(self, base, opts)
assert(base == None)
+ assert(opts['filename'] is not None)
self.name = opts['filename']
self.fname = self.name
self.mode = opts.get('mode','rb')
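Review bot: The added `assert(opts['filename'] is not None)` does not cover an absent key: if `opts` is a plain dict, `opts['filename']` raises KeyError before the assertion is evaluated, and whether the loader handles that is not visible here. Asserts are also stripped when Python runs with `-O`, so this should not be the only validation of a user-supplied option. If the loader relies on AssertionError to reject an address space (the neighbouring `assert(base == None)` suggests so, but the loader is outside this hunk), `assert opts.get('filename') is not None, "No filename specified"` keeps that convention and covers the missing key, while an explicit `raise` would survive `-O`. `__init__` continues past the end of the hunk.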
diff --git a/Volatility/vmodules.py b/Volatility/vmodules.py
index 46737d1..ec642f8 100644
--- a/Volatility/vmodules.py
+++ b/Volatility/vmodules.py
@@ -37,7 +37,6 @@ from forensics.addrspace import FileAddressSpace
from forensics.win32.hiber_addrspace import WindowsHiberFileSpace32
from forensics.win32.crash_addrspace import WindowsCrashDumpSpace32
from forensics.object import read_unicode_string, read_obj
-from forensics.win32.datetime import local_time, windows_to_unix_time
from forensics.win32.tasks import module_base, module_path, module_size,
create_addr_space, process_addr_space, process_command_line, process_dtb,
process_find_pid
from forensics.win32.tasks import process_imagename, process_ldrs, process_list,
process_peb, process_pid, process_handle_table, process_create_time, process_handle_count
from forensics.win32.tasks import process_inherited_from, process_num_active_threads,
process_vadroot
diff --git a/Volatility/volatility.py b/Volatility/volatility.py
index a377749..4e04aeb 100644
--- a/Volatility/volatility.py
+++ b/Volatility/volatility.py
@@ -35,6 +35,7 @@
import sys
import os
import forensics.registry as MemoryRegistry
+import forensics.utils
from vmodules import *
@@ -201,12 +202,15 @@ def main(argv=sys.argv):
print "Error: Invalid module [%s]." % (argv[1])
usage(argv[0])
- if modules.has_key(argv[1]):
- modules[argv[1]].execute(argv[1], argv[2:])
- elif MemoryRegistry.PLUGIN_COMMANDS.commands.has_key(argv[1]):
- command = MemoryRegistry.PLUGIN_COMMANDS[argv[1]](argv[2:])
- command.execute()
-
+ try:
+ if modules.has_key(argv[1]):
+ modules[argv[1]].execute(argv[1], argv[2:])
+ elif MemoryRegistry.PLUGIN_COMMANDS.commands.has_key(argv[1]):
+ command = MemoryRegistry.PLUGIN_COMMANDS[argv[1]](argv[2:])
+ command.execute()
+ except forensics.utils.AddrSpaceError:
+ print "Error: No suitable address space found, please check your
options."
+ usage(argv[0])
if __name__ == "__main__":
main()
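Review bot: The new `except forensics.utils.AddrSpaceError:` handler discards the exception's own message and prints a fixed string, so any reason supplied at the raise site never reaches the user. Binding the exception and printing it, `except forensics.utils.AddrSpaceError, e:` followed by `print "Error: %s" % e`, keeps the two in step. The `try` also wraps the whole plugin run, so an AddrSpaceError raised later during execution would be reported as an options problem. Nothing visible in the hunk sets a non-zero exit status on this path, which matters when the tool is driven from a script, unless `usage()` itself exits. `main` starts outside the hunk.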