Hello,
in the last few weeks I've tried to analyze Linux memory dumps with the
volatility-linux version (revision 1313 from svn).
My goal is to show that it is possible to discover hidden processes,
kernel modules etc. (for example from a rootkit) from a memory dump, by
comparing the output of the memory dump analysis with the native
execution of the system commands.
I created a profile for the current stable Debian version.
Trying to use this profile leads to the following TypeError:
python volatility.py --profile=LinuxDebian26325 -f ~/Desktop/LF32.ram linux_task_list_ps
Volatile Systems Volatility Framework 1.4_rc1
Name Pid Uid
Traceback (most recent call last):
  File "volatility.py", line 129, in <module>
    main()
  File "volatility.py", line 120, in main
    command.execute()
  File "/home/dark-eye/Sources/volatility_linux/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_task_list_ps.py", line 59, in render_text
    for task in data:
  File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_task_list_ps.py", line 50, in calculate
    for task in linux_common.walk_list_head("task_struct", "tasks", init_task.tasks, self.addr_space):
  File "/home/dark-eye/Sources/volatility_linux/volatility/plugins/linux_common.py", line 110, in walk_list_head
    yield obj.Object(struct_name, offset = list_ptr - offset, vm = addr_space)
TypeError: unsupported operand type(s) for -: 'instancemethod' and 'int'
I would really appreciate help debugging this issue, or help to debug it
myself. Sadly I can't find a way to evaluate the correctness of the
kernel profile. Is this a known problem with volatility-linux, or could
it be the result of a mistake I've made while creating the Debian profile?
Thanks for every hint!
Greetings
Patrick
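The traceback above fails inside walk_list_head, where the struct base is recovered from a list_head pointer by subtracting the member offset (the kernel's container_of() idiom), and the subtraction blows up because the offset is a bound method instead of an int. The following is an added, self-contained illustration of that walk and of the cross-view comparison Patrick describes (memory-dump task list versus the live ps output). It is not code from the Volatility project or from Patrick: the 32-bit "task_struct" layout, the offsets, the addresses and the process list are all constructed for this example and have nothing to do with real kernel offsets or a real profile.

```python
import struct

# Constructed, minimal "task_struct" layout (assumption for this example only):
#   0x00  pid        (u32)
#   0x04  comm       (16 bytes, NUL padded)
#   0x14  tasks.next (u32 pointer)   <- struct list_head tasks begins here
#   0x18  tasks.prev (u32 pointer)
TASK_SIZE = 0x1C
PID_OFF = 0x00
COMM_OFF = 0x04
TASKS_OFF = 0x14  # offsetof(struct task_struct, tasks); must be an int

# Constructed process table. pid 0 plays the role of init_task (the list head).
PROCS = [(0, "swapper"), (1, "init"), (123, "sshd"), (666, "hidden")]
# Constructed "native ps" output from a machine whose ps has been made to
# drop pid 666, i.e. the situation a cross-view comparison is meant to expose.
LIVE_PS_PIDS = [0, 1, 123]


def build_image(procs, base=0x1000):
    """Build a little-endian 32-bit memory image with procs linked in a circular tasks list."""
    n = len(procs)
    image = bytearray(base + n * TASK_SIZE)
    addrs = [base + i * TASK_SIZE for i in range(n)]
    for i, (pid, comm) in enumerate(procs):
        a = addrs[i]
        struct.pack_into("<I", image, a + PID_OFF, pid)
        image[a + COMM_OFF:a + COMM_OFF + 16] = comm.encode().ljust(16, b"\0")
        nxt = addrs[(i + 1) % n] + TASKS_OFF  # pointer to the next node's list_head
        prv = addrs[(i - 1) % n] + TASKS_OFF  # pointer to the previous node's list_head
        struct.pack_into("<II", image, a + TASKS_OFF, nxt, prv)
    return bytes(image), addrs[0]


def walk_list_head(image, head_addr, member_offset):
    """Return the base addresses of the structs embedding each list_head reached from head.

    Mirrors container_of(): struct base = address of list_head node - offsetof(member).
    The type check reproduces, with a clearer message, the failure mode in the traceback:
    an offset that is not an int cannot be subtracted from a pointer.
    """
    if not isinstance(member_offset, int):
        raise TypeError("member offset must be an int, got %s" % type(member_offset).__name__)
    bases, seen = [], set()
    ptr = struct.unpack_from("<I", image, head_addr)[0]  # head.next
    # Stop when the list wraps back to the head, or on a cycle that never returns there.
    while ptr != head_addr and ptr not in seen:
        seen.add(ptr)
        bases.append(ptr - member_offset)
        ptr = struct.unpack_from("<I", image, ptr)[0]  # node.next
    return bases


def read_task(image, addr):
    """Decode (pid, comm) from a task_struct at addr using the constructed layout."""
    pid = struct.unpack_from("<I", image, addr + PID_OFF)[0]
    comm = image[addr + COMM_OFF:addr + COMM_OFF + 16].split(b"\0", 1)[0].decode()
    return pid, comm


def task_list(image, init_task_addr):
    """Equivalent of a task-list plugin: init_task itself plus every task linked from its list head."""
    tasks = [read_task(image, init_task_addr)]
    for base in walk_list_head(image, init_task_addr + TASKS_OFF, TASKS_OFF):
        tasks.append(read_task(image, base))
    return tasks


def cross_view(dump_tasks, live_ps_pids):
    """Compare pids found in the image with pids reported by the live system.

    Returns (only_in_dump, only_in_live). A pid the image knows about but the
    live ps does not is the classic sign of a process being hidden from userland.
    """
    dump = {pid for pid, _ in dump_tasks}
    live = set(live_ps_pids)
    return sorted(dump - live), sorted(live - dump)


def demo():
    image, init_task = build_image(PROCS)
    return cross_view(task_list(image, init_task), LIVE_PS_PIDS)


if __name__ == "__main__":
    only_dump, only_live = demo()
    print("pids in memory image but not in live ps:", only_dump)
    print("pids in live ps but not in memory image:", only_live)
```

The point of the type check in walk_list_head is that the member offset must come out of the profile as a plain integer; if it is a method or some other object, the subtraction fails in exactly the way the traceback shows, which is why a wrong or incomplete profile (rather than the dump itself) is a plausible cause to rule out first.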
In case you may have missed it, Volatility 2.0 has been nominated for the
ISSA Journal's Toolsmith Tool of the Year. If you believe in open source
forensics tools and want to show your support for the Volatility team,
please take a few moments to cast your vote! Feel free to tell all your
friends and family to vote as well! You have until January 31 to vote from
all your machines!
http://holisticinfosec.blogspot.com/2011/12/choose-2011-toolsmith-tool-of-y…
If you need extra motivation, you may want to check out the 64-bit Beta
support recently merged into trunk! Bug reports welcome! Enjoy!
Thanks,
The Volatility Project (TVP)