Hi everybody,
I tried the scudette branch r1628 for Linux memory analysis and received some errors. My test systems were Ubuntu 11.10 (Kernel 3.0.0-17-generic, 64 Bit) and Debian 6.0.2.1 (Kernel 2.6.32-5-686, 32 Bit). The plugins I tested were pslist, cpuinfo, dmesg, ifconfig and netstat.
As I followed the instructions on the wiki page, the first thing I noticed was a NameError after the vol pslist command:
$ python vol.py
Welcome to volshell!
To get help, type 'help()'
In [1]: session.filename = "memory.dd"
In [2]: session.profile_file = "myprofile.zip"
In [3]: session.profile = "Linux32"
In [4]: vol pslist
------> vol(pslist)
---------------------------------------------------------------------------
NameError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
NameError: name 'pslist' is not defined
After I changed the In [4]: vol pslist command to In [4]: vol "pslist", the NameError disappeared and the pslist plugin worked well on both systems.
The next plugin was cpuinfo. On both systems I got the right processor output, but on Ubuntu I additionally received a warning/error:
In [5]: vol "cpuinfo"
------> vol("cpuinfo")
Processor Vendor Model
ERROR:root:Constant per_cpu__cpu_info does not exist in profile.
0 GenuineIntel Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz
Out[5]: <volatility.plugins.linux.cpuinfo.CpuInfo object at 0x2fc5190>
The ifconfig plugin returned a ValueError on both systems.
On Ubuntu:
In [6]: vol "ifconfig"
------> vol("ifconfig")
lo 127.0.0.1 00:00:00:00:00:00
ERROR:root:Error: Unknown format code 's' for object of type 'int'
---------------------------------------------------------------------------
ValueError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls, fd, debug, output, **kwargs)
194 kwargs['session'] = self
195 result = plugin_cls(**kwargs)
--> 196 result.render(fd)
197
198 return result
/home/vitax/lin64-support/volatility/plugins/linux/ifconfig.py in render(self, outfd)
97
98 outfd.write("{0:8s} {1:16s} {2:32s}\n".format(
100
101
ValueError: Unknown format code 's' for object of type 'int'
On Debian:
In [6]: vol "ifconfig"
------> vol("ifconfig")
lo 127.0.0.1 00:00:00:00:00:00
eth0 10.0.2.15 08:00:27:f6:0e:dd
ERROR:root:Error: Unknown format code 's' for object of type 'int'
---------------------------------------------------------------------------
ValueError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.pyc in vol(self, plugin_cls, fd, debug, output, **kwargs)
194 kwargs['session'] = self
195 result = plugin_cls(**kwargs)
--> 196 result.render(fd)
197
198 return result
/home/vitax/lin64-support/volatility/plugins/linux/ifconfig.pyc in render(self, outfd)
97
98 outfd.write("{0:8s} {1:16s} {2:32s}\n".format(
100
101
ValueError: Unknown format code 's' for object of type 'int'
After that I tried the netstat plugin. I received an AttributeError on both systems:
On Ubuntu:
In [7]: vol "netstat"
------> vol("netstat")
---------------------------------------------------------------------------
AttributeError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls, fd, debug, output, **kwargs)
178 """
179 if isinstance(plugin_cls, basestring):
--> 180 plugin_cls = getattr(self.plugins, plugin_cls)
181
182 if output is not None:
/home/vitax/lin64-support/volatility/session.py in __getattr__(self, attr)
79 return self.plugins[attr]
80 except KeyError:
---> 81 raise AttributeError(attr)
82
83
AttributeError: netstat
On Debian:
In [7]: vol "netstat"
------> vol("netstat")
ERROR: An unexpected error occurred while tokenizing input
The following traceback may be corrupted or invalid
The error message is: ('EOF in multi-line statement', (40, 0))
---------------------------------------------------------------------------
AttributeError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.pyc in vol(self, plugin_cls, fd, debug, output, **kwargs)
178 """
179 if isinstance(plugin_cls, basestring):
--> 180 plugin_cls = getattr(self.plugins, plugin_cls)
181
182 if output is not None:
/home/vitax/lin64-support/volatility/session.pyc in __getattr__(self, attr)
79 return self.plugins[attr]
80 except KeyError:
---> 81 raise AttributeError(attr)
82
83
AttributeError: netstat
In the end I tried the dmesg plugin. On Debian it worked well, but on Ubuntu I got this error:
In [8]: vol "dmesg"
------> vol("dmesg")
ERROR:root:Error: 'ascii' codec can't decode byte 0xc2 in position 74140: ordinal not in range(128)
---------------------------------------------------------------------------
UnicodeDecodeError Traceback (most recent call last)
/home/vitax/lin64-support/vol.py in <module>()
----> 1
2
3
4
5
/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls, fd, debug, output, **kwargs)
194 kwargs['session'] = self
195 result = plugin_cls(**kwargs)
--> 196 result.render(fd)
197
198 return result
/home/vitax/lin64-support/volatility/plugins/linux/dmesg.py in render(self, outfd)
44
45 def render(self, outfd):
---> 46 outfd.write(self.get_dmesg())
47
48
/home/vitax/lin64-support/volatility/session.py in write(self, data)
111 def write(self, data):
112 # Encode the data according to the output encoding.
--> 113 data = data.encode(self.encoding)
114 try:
115 self.pager.write(data)
UnicodeDecodeError: 'ascii' codec can't decode byte 0xc2 in position 74140: ordinal not in range(128)
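
Added example, not part of the original post and not Volatility code: a Python 3 sketch of the two rendering failures in the tracebacks above (an `s` format code applied to an int, and raw bytes containing 0xc2 hitting the ASCII codec) next to a guarded renderer. It assumes an interface field arrives as an int; the helper names and sample values are constructed for illustration.

```python
# Added example, not Volatility code. Values below are constructed samples.
ROW_FORMAT = "{0:8s} {1:16s} {2:32s}"  # format string visible in the ifconfig traceback


def to_text(value, encoding="utf-8"):
    """Coerce a value recovered from a memory image to text without raising."""
    if isinstance(value, bytes):
        # Raw kernel buffers: undecodable bytes become U+FFFD instead of an exception.
        return value.decode(encoding, errors="replace")
    if value is None:
        return "-"
    return str(value)  # ints and other objects that reject the 's' format code


def render_row(*fields):
    """Format one table row after coercing every field to text."""
    return ROW_FORMAT.format(*(to_text(f) for f in fields)).rstrip()


def naive_row_error(*fields):
    """Return the error the unguarded format call raises, or None if it succeeds."""
    try:
        ROW_FORMAT.format(*fields)
    except ValueError as exc:
        return str(exc)
    return None


def encode_for_output(data, out_encoding="ascii"):
    """Decode bytes explicitly, then encode for the terminal with replacement."""
    return to_text(data).encode(out_encoding, errors="replace")


# Constructed samples: an interface whose address field is an int (assumed cause),
# and a kernel log line containing the UTF-8 degree sign (0xc2 0xb0).
SAMPLE_ROWS = [("lo", "127.0.0.1", "00:00:00:00:00:00"), ("eth1", 0, None)]
SAMPLE_DMESG = b"[    1.234567] thermal: 45\xc2\xb0C\n"

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(naive_row_error(*row), "|", render_row(*row))
    print(encode_for_output(SAMPLE_DMESG))
```

In Python 2, calling `.encode()` on a byte string first decodes it implicitly as ASCII, which is why the dmesg traceback reports a decode error from an encode call.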