Hiya guys,
Here's the first of a few patches. This one should improve the error
checking during the utils.load_as function call. Now if the base
address space can't be instantiated, it raises its own form of
exception allowing the main program to catch it and report back
gracefully what went wrong.
Without this, just running volatility followed by a plugin name would
fail as the filename address space assumed a filename option would
always be present...
Mike 5:)
diff --git a/Volatility/forensics/utils.py b/Volatility/forensics/utils.py
index 69eccd2..0ff3151 100644
--- a/Volatility/forensics/utils.py
+++ b/Volatility/forensics/utils.py
@@ -19,7 +19,12 @@ def load_as(opts):
## selecting us means we are done:
if not found:
break
+
+ if base_as is None:
+ raise AddrSpaceError("No suitable address space maaping found")
return base_as
-
+class AddrSpaceError(Exception):
+ """Address Space Exception, so we can catch and deal with it in the
main program"""
+ pass
\ No newline at end of file
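Review bot: The message in the new `raise` is misspelled ("maaping"), and it is the only text that describes the failure to whoever catches the exception. It should read `raise AddrSpaceError("No suitable address space mapping found")`. The file also now ends without a trailing newline after the `pass` in `AddrSpaceError`, so one should be added. The body of load_as starts outside this hunk, so how `base_as` is initialised before the `is None` check cannot be confirmed from here.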
diff --git a/Volatility/memory_objects/Windows/xp_sp2.py
b/Volatility/memory_objects/Windows/xp_sp2.py
index 7cd97e0..2a8887e 100644
--- a/Volatility/memory_objects/Windows/xp_sp2.py
+++ b/Volatility/memory_objects/Windows/xp_sp2.py
@@ -25,7 +25,7 @@
#pylint: disable-msg=C0111
-from forensics.object2 import CType, NewObject, NativeType, Curry
+from forensics.object2 import CType, NewObject, NoneObject, NativeType, Curry
from vtypes import xpsp2types as types
from forensics.win32.datetime import windows_to_unix_time
import vmodules
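Review bot: `NoneObject` is added to the `from forensics.object2 import ...` line, but nothing else in this patch touches xp_sp2.py, so no use of it is visible. If the file already references `NoneObject`, this fixes a latent NameError and the description should say so. Otherwise it is an unused import unrelated to the address-space error handling and belongs in a separate patch.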
diff --git a/Volatility/memory_plugins/address_spaces/standard.py
b/Volatility/memory_plugins/address_spaces/standard.py
index 2712e09..1d4844e 100644
--- a/Volatility/memory_plugins/address_spaces/standard.py
+++ b/Volatility/memory_plugins/address_spaces/standard.py
@@ -23,6 +23,7 @@ class FileAddressSpace(addrspace.BaseAddressSpace):
def __init__(self, base, opts):
addrspace.BaseAddressSpace.__init__(self, base, opts)
assert(base == None)
+ assert(opts['filename'] is not None)
self.name = opts['filename']
self.fname = self.name
self.mode = opts.get('mode','rb')
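Review bot: The added `assert(opts['filename'] is not None)` does not cover the case the description mentions, because when the 'filename' key is absent the subscript raises KeyError before the assert is evaluated. Whether the loader treats KeyError the same as AssertionError when probing address spaces is not visible here. If it relies on AssertionError, `assert opts.get('filename') is not None, "filename option not set"` handles both the missing key and the None value. Asserts are also stripped under `python -O`, so an explicit `if` with a `raise` would be the more robust check for validating the image path. `__init__` continues past the end of this hunk.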
diff --git a/Volatility/vmodules.py b/Volatility/vmodules.py
index 46737d1..ec642f8 100644
--- a/Volatility/vmodules.py
+++ b/Volatility/vmodules.py
@@ -37,7 +37,6 @@ from forensics.addrspace import FileAddressSpace
from forensics.win32.hiber_addrspace import WindowsHiberFileSpace32
from forensics.win32.crash_addrspace import WindowsCrashDumpSpace32
from forensics.object import read_unicode_string, read_obj
-from forensics.win32.datetime import local_time, windows_to_unix_time
from forensics.win32.tasks import module_base, module_path, module_size,
create_addr_space, process_addr_space, process_command_line, process_dtb,
process_find_pid
from forensics.win32.tasks import process_imagename, process_ldrs, process_list,
process_peb, process_pid, process_handle_table, process_create_time, process_handle_count
from forensics.win32.tasks import process_inherited_from, process_num_active_threads,
process_vadroot
diff --git a/Volatility/volatility.py b/Volatility/volatility.py
index a377749..4e04aeb 100644
--- a/Volatility/volatility.py
+++ b/Volatility/volatility.py
@@ -35,6 +35,7 @@
import sys
import os
import forensics.registry as MemoryRegistry
+import forensics.utils
from vmodules import *
@@ -201,12 +202,15 @@ def main(argv=sys.argv):
print "Error: Invalid module [%s]." % (argv[1])
usage(argv[0])
- if modules.has_key(argv[1]):
- modules[argv[1]].execute(argv[1], argv[2:])
- elif MemoryRegistry.PLUGIN_COMMANDS.commands.has_key(argv[1]):
- command = MemoryRegistry.PLUGIN_COMMANDS[argv[1]](argv[2:])
- command.execute()
-
+ try:
+ if modules.has_key(argv[1]):
+ modules[argv[1]].execute(argv[1], argv[2:])
+ elif MemoryRegistry.PLUGIN_COMMANDS.commands.has_key(argv[1]):
+ command = MemoryRegistry.PLUGIN_COMMANDS[argv[1]](argv[2:])
+ command.execute()
+ except forensics.utils.AddrSpaceError:
+ print "Error: No suitable address space found, please check your
options."
+ usage(argv[0])
if __name__ == "__main__":
main()
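Review bot: The new `except forensics.utils.AddrSpaceError:` handler discards the exception's own message and prints a fixed string to stdout, so the text raised in load_as never reaches the user. Unless usage() exits with a non-zero status (not visible here), the process also reports success to any script driving it, which matters for batch analysis of memory images. Consider `except forensics.utils.AddrSpaceError, e:` with `sys.stderr.write("Error: %s\n" % e)` and an explicit `sys.exit(1)` after the usage text. main() begins outside this hunk.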