Hello,
It seems you have identified some issues while the rest of the output is
explainable.
1) linux_check_afinfo
Being empty means that nothing is hooked (this is good)
2) linux_check_creds, linux_pidhashtable, linux_psxview
These are missing support for your kernel version. Can you please paste the
output of uname -a on your machine along with the specific version of
CentOS that you are using?
3) linux_check_evt_arm & linux_check_syscall_arm
These only support ARM-based computers (e.g. Android) and I assume your
memory sample is from an Intel-based computer. We will soon have a patch
that allows plugins to check what architecture they are being run against
and then these plugins will report they are ARM only instead of having
exceptions.
4) linux_check_tty
This seems like a bug we will have to fix.
Thank you for your report and please get us the kernel & CentOS version so
we can attempt to fix some of them.
Thanks,
Andrew (@attrc)
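An added illustration (not part of this thread and not the Volatility project's own code) of the two failure modes Andrew describes in points 3 and 4: an ARM-only plugin that resolves a symbol absent from an x86 profile and passes the resulting None into int(), and a plugin that dereferences a struct member the analysed kernel version does not have. The Profile class, its read_uint method and the plugin functions are hypothetical stand-ins for the framework's profile, obj.Object and plugin calculate() methods; the profiles and memory values are constructed.

```python
# Constructed stand-in, not Volatility's own code: models why an ARM-only
# plugin crashes on an x86 profile and how a guard reports it instead.
# Profile, read_uint and the plugin functions are hypothetical.


class Profile:
    """Minimal profile: architecture metadata, symbol table, struct layouts,
    and a tiny fake memory image (all constructed for this example)."""

    def __init__(self, arch, symbols, struct_members, memory):
        self.metadata = {"arch": arch}
        self._symbols = symbols                # symbol name -> virtual address
        self._struct_members = struct_members  # struct name -> set of member names
        self._memory = memory                  # virtual address -> 32-bit value

    def get_symbol(self, name):
        # A symbol the profile does not know yields None, the value that
        # later reaches int(offset) in the posted traceback
        return self._symbols.get(name)

    def has_member(self, struct_name, member):
        return member in self._struct_members.get(struct_name, set())

    def read_uint(self, offset):
        # Stand-in for obj.Object("unsigned int", offset=..., vm=...): the
        # framework converts the offset with int(), so None raises TypeError
        return self._memory[int(offset)]


def syscall_table_size_unguarded(profile):
    """Shape of the failing call chain: no architecture or symbol check."""
    vector_swi_addr = profile.get_symbol("vector_swi")  # None on x86 profiles
    return profile.read_uint(vector_swi_addr)


def syscall_table_size_guarded(profile):
    """Returns (status, value): status is "ok" or the reason the check
    cannot run on this profile, so the plugin reports instead of raising."""
    arch = profile.metadata.get("arch", "unknown").lower()
    if arch != "arm":
        return ("unsupported: plugin is ARM only, profile arch is " + arch, None)
    vector_swi_addr = profile.get_symbol("vector_swi")
    if vector_swi_addr is None:
        return ("unsupported: symbol vector_swi missing from profile", None)
    return ("ok", profile.read_uint(vector_swi_addr))


def tty_receive_buf_guarded(profile):
    """Same idea for the linux_check_tty failure: confirm the struct layout
    of this kernel version has ldisc.ops before dereferencing it."""
    if not profile.has_member("ldisc", "ops"):
        return ("unsupported: struct ldisc has no member ops in this profile", None)
    return ("ok", "ldisc.ops.receive_buf")


def raises_type_error(profile):
    """True if the unguarded path crashes the way the posted traceback shows."""
    try:
        syscall_table_size_unguarded(profile)
    except TypeError:
        return True
    return False


# Constructed profiles: an Intel sample like the reporter's, and an ARM one.
X86_PROFILE = Profile("x86", {"sys_call_table": 0xC0400000},
                      {"ldisc": {"receive_buf"}}, {})
ARM_PROFILE = Profile("arm", {"vector_swi": 0xC0008000},
                      {"ldisc": {"ops"}}, {0xC0008000: 0xE28F8000})

if __name__ == "__main__":
    print(raises_type_error(X86_PROFILE))            # unguarded path crashes on x86
    print(syscall_table_size_guarded(X86_PROFILE))   # reported as ARM only
    print(syscall_table_size_guarded(ARM_PROFILE))   # status "ok" with the opcode word
    print(tty_receive_buf_guarded(X86_PROFILE))      # reported as missing ldisc.ops
```

The point of the guarded versions is the (status, value) return: a plugin that cannot run on a profile still produces a row the user can read, rather than a Python traceback that looks like a framework bug.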
On Fri, Mar 22, 2013 at 12:36 PM, <bellissimopython(a)email.it> wrote:
Hi,
I am trying to analyze a memory dump from a Centos server but I have got
some problems.
------ Plugin linux_check_afinfo ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Symbol Name                                Member                         Address
------------------------------------------ ------------------------------ ----------
------ Plugin linux_check_creds ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
PIDs
--------
ERROR : volatility.plugins.linux.check_creds: This command is not supported in this profile.
------ Plugin linux_check_evt_arm ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Check PASS/FAIL Info
------------------------------ --------- ------------------------------
SWI Offset Instruction FAIL -
------ Plugin linux_check_syscall_arm ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Index Address Symbol
---------- ---------- ------------------------------
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/common.py", line 55, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/vltlt/volatility-read-only/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 88, in render_text
    for (i, call_addr, hooked) in data:
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 66, in calculate
    num_syscalls = self._get_syscall_table_size()
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/check_syscall_arm.py", line 38, in _get_syscall_table_size
    opcode = obj.Object("unsigned int", offset = vector_swi_addr, vm = self.addr_space)
  File "/root/vltlt/volatility-read-only/volatility/obj.py", line 169, in Object
    offset = int(offset)
TypeError: int() argument must be a string or a number, not 'NoneType'
------ Plugin linux_check_tty ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
Name Address Symbol
---------------- ---------- ------------------------------
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/common.py", line 55, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/vltlt/volatility-read-only/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/tty_check.py", line 59, in render_text
    for name, call_addr in data:
  File "/root/vltlt/volatility-read-only/volatility/plugins/linux/tty_check.py", line 52, in calculate
    recv_buf = tty_dev.ldisc.ops.receive_buf
  File "/root/vltlt/volatility-read-only/volatility/obj.py", line 735, in __getattr__
    return self.m(attr)
  File "/root/vltlt/volatility-read-only/volatility/obj.py", line 717, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct ldisc has no member ops
------ Plugin linux_pidhashtable ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
ERROR : volatility.plugins.linux.pidhashtable: calculate_v2: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have supprot added.
Offset     Name                 Pid             Uid             Gid    DTB        Start Time
---------- -------------------- --------------- --------------- ------ ---------- ----------
------ Plugin linux_psxview ------
---------------------------------
Volatile Systems Volatility Framework 2.3_alpha
ERROR : volatility.plugins.linux.pidhashtable: calculate_v2: This profile is currently unsupported by this plugin. Please file a bug report on our issue tracker to have supprot added.
Offset(V) Name PID pslist pid_hash kmem_cache
---------- -------------------- ------ ------ -------- ----------
The other plugins work fine.
Bye.
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users