Hello,
I was just running Volatility on a couple of Linux boxes and received quite
different results. I have tested this on two other boxes to verify the
results and it seems to be a dual core issue.
Here is the expected output on a single core system:
$ cat /proc/version
Linux version 2.6.22.9-91.fc7
$ python -V
Python 2.5
$ Volatility-1.1.1/volatility pslist -f image.vmem
Name Pid PPid Thds Hnds Time
System 4 0 44 182 Thu Jan 01 00:00:00 1970
smss.exe 336 4 3 21 Mon Oct 29 19:23:16 2007
csrss.exe 392 336 9 287 Mon Oct 29 19:23:18 2007
winlogon.exe 416 336 24 453 Mon Oct 29 19:23:19 2007
services.exe 460 416 19 371 Mon Oct 29 19:23:20 2007
lsass.exe 472 416 26 319 Mon Oct 29 19:23:20 2007
svchost.exe 640 460 10 210 Mon Oct 29 19:23:21 2007
svchost.exe 684 460 79 1023 Mon Oct 29 19:23:21 2007
svchost.exe 780 460 4 67 Mon Oct 29 19:23:22 2007
svchost.exe 812 460 12 141 Mon Oct 29 19:23:23 2007
userinit.exe 1000 416 2 32 Mon Oct 29 19:23:25 2007
explorer.exe 1020 1000 12 231 Mon Oct 29 19:23:25 2007
spoolsv.exe 1048 460 6 37 Mon Oct 29 19:23:25 2007
msmsgs.exe 1468 1020 5 124 Mon Oct 29 19:23:33 2007
rundll32.exe 1524 1020 1 72 Mon Oct 29 19:23:37 2007
And here is the output from a dual core system:
$ cat /proc/version
Linux version 2.6.9-55.0.12.ELsmp
$ python -V
Python 2.3.4
$ Volatility-1.1.1/volatility pslist -f image.vmem
/home/jlevy/forensic/Volatility-1.1.1/forensics/x86.py:101: FutureWarning:
x<<y losing bits or changing sign will return a long in Python 2.4 and up
return (pgd_entry & ((ptrs_per_pgd-1) << 22)) | (vaddr &
~((ptrs_per_pgd-1) << 22))
Name Pid PPid Thds Hnds Time
System 4 0 44 182 Thu Jan 01 00:00:00 1970
/home/jlevy/forensic/Volatility-1.1.1/forensics/win32/datetime.py:58:
FutureWarning: x<<y losing bits or changing sign will return a long in
Python 2.4 and up
return (high_time << 32) | low_time
smss.exe 336 4 3 21 Thu Jan 01 00:00:00 1970
csrss.exe 392 336 9 287 Thu Jan 01 00:00:00 1970
winlogon.exe 416 336 24 453 Thu Jan 01 00:00:00 1970
services.exe 460 416 19 371 Thu Jan 01 00:00:00 1970
lsass.exe 472 416 26 319 Thu Jan 01 00:00:00 1970
svchost.exe 640 460 10 210 Thu Jan 01 00:00:00 1970
svchost.exe 684 460 79 1023 Thu Jan 01 00:00:00 1970
svchost.exe 780 460 4 67 Thu Jan 01 00:00:00 1970
svchost.exe 812 460 12 141 Thu Jan 01 00:00:00 1970
userinit.exe 1000 416 2 32 Thu Jan 01 00:00:00 1970
explorer.exe 1020 1000 12 231 Thu Jan 01 00:00:00 1970
spoolsv.exe 1048 460 6 37 Thu Jan 01 00:00:00 1970
msmsgs.exe 1468 1020 5 124 Thu Jan 01 00:00:00 1970
rundll32.exe 1524 1020 1 72 Thu Jan 01 00:00:00 1970
$ Volatility-1.1.1/volatility vaddump -f image.vmem
/home/jlevy/forensic/Volatility-1.1.1/forensics/x86.py:101: FutureWarning:
x<<y losing bits or changing sign will return a long in Python 2.4 and up
return (pgd_entry & ((ptrs_per_pgd-1) << 22)) | (vaddr &
~((ptrs_per_pgd-1) << 22))
The above errors on the dual system have been observed on a dual core laptop
running Ubuntu as well... I was wondering if others have seen this, and if
there is a workaround yet?
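
Added example, not part of the original post and not Volatility's own code: it applies the behaviour named in the FutureWarning (a plain-int `<<` that stays one machine word wide) to the `(high_time << 32) | low_time` expression quoted above, and compares the result with an unbounded shift. Assumptions: a 32-bit word, a FILETIME-to-Unix conversion that clamps negative results to 0, a constructed sample timestamp, and all helper names, which are hypothetical.

```python
import calendar
import time

EPOCH_DELTA = 11644473600    # seconds from 1601-01-01 to 1970-01-01
TICKS_PER_SEC = 10_000_000   # a FILETIME counts 100 ns ticks

def lshift_word(value, count, word_bits=32):
    """Emulate a pre-2.4 plain-int `<<`: the result stays one signed
    machine word wide (word_bits=32 is an assumption)."""
    if count >= word_bits:
        return 0                          # every bit leaves the word
    result = (value << count) & ((1 << word_bits) - 1)
    if result >= 1 << (word_bits - 1):
        result -= 1 << word_bits          # reinterpret as signed
    return result

def combine(high_time, low_time, shift=lambda v, c: v << c):
    # Same expression as the datetime.py line quoted in the warning.
    return shift(high_time, 32) | low_time

def filetime_to_unix(filetime):
    # Assumption: negative results are clamped to the Unix epoch.
    return max(filetime // TICKS_PER_SEC - EPOCH_DELTA, 0)

def render(unix_time):
    return time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(unix_time))

def demo():
    # Constructed sample: a FILETIME for 2007-10-29 19:23:16 UTC,
    # split into the two 32-bit halves stored in memory.
    unix = calendar.timegm((2007, 10, 29, 19, 23, 16, 0, 0, 0))
    filetime = (unix + EPOCH_DELTA) * TICKS_PER_SEC
    high, low = filetime >> 32, filetime & 0xFFFFFFFF
    unbounded = render(filetime_to_unix(combine(high, low)))
    word_sized = render(filetime_to_unix(combine(high, low, lshift_word)))
    return unbounded, word_sized

def pgd_mask(ptrs_per_pgd=1024):
    # The x86.py shift from the other warning: the sign changes, but the
    # low 32 bits of the mask are intact.
    return lshift_word(ptrs_per_pgd - 1, 22)

if __name__ == "__main__":
    good, bad = demo()
    print("unbounded shift :", good)
    print("word-sized shift:", bad)
    print("pgd mask        : %d (0x%08X)" % (pgd_mask(), pgd_mask() & 0xFFFFFFFF))
```

With the word-sized shift the high half is lost, so only the low 32 bits (under 430 seconds' worth of ticks) reach the conversion and every timestamp renders as the epoch, while the `<< 22` mask keeps its bits and only changes sign.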