Hi all,
I'm trying to access the data that's exposed by the messagehooks plugin,
specifically:
volatility.plugins.gui.messagehooks.MessageHooks().calculate()
I want to be able to work with the window_stations and atom_tables that are
yielded by the method.
I tried making a new instance of the class and manually calling:
    mh = messagehooks.MessageHooks(atoms.Atoms, sessions.SessionsMixin)
    for x in mh.calculate():
        print x
However, when run, I get an attribute error:
  File "plugin.py", line 81, in calculate()
    for x in mh.calculate():
  File ".../messagehooks.py", line 68, in calculate
    in atoms.Atoms(self._config).calculate())
  File ".../messagehooks.py", line 6, in <genexpr>
    atom_tables = dict((atom_table, winsta)
  File ".../atoms.py", line 153, in calculate
    for wndsta in windowstations.WndScan(self._config).calculate():
  File ".../common.py", line 45, in __init__
    config.add_option("VIRTUAL", short_option = "V", default = False,
AttributeError: type object 'Atoms' has no attribute 'add_option'
Is there a better/correct way of getting at the data normally yielded by a
plugin's calculate method?
Thank you,
Adam
On 04.05.2016 17:46, Torres, Geoff (Cyber Security) wrote:
> When you say "Running lqs2mem on the original suspend to disk image does not work", do you mean that you're getting an error? Or that it's creating an image that doesn't work in volatility?
>
> I've run lqs2mem literally on hundreds of QEMU images with no problems.
>
> Can you post the output of your run?
>
> If I recall correctly, Juerg had to pad a certain section of memory in order to get the structures to line up. It's possible that later versions of QEMU/KVM changed so that padding isn't necessary any more.
Running lqs2mem on the original image returns "Invalid section type: 7"
- Thomas