Hello Andrew,
Thank you for the fix (commit
b6a7ae43a977041de9ff13b4ebaa605bb3829a34). I was able to list the
Linux tmpfs filesystems in the RAM dump. But I'm not able to recover
the contents. The tmpfs was mounted on a CentOS 7 x86_64 VM (ESXi
server) and used the 3.10.0-123 kernel.
The RAM dump was generated using:
insmod /root/source/LiME-master/src/lime-3.10.0-123.el7.x86_64.ko "path=/var/crash/ramtmpfs.lime format=lime"
[srini@localhost volatility]$
[srini@localhost volatility]$ python /home/srini/source/volatility/volatility/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_tmpfs -L
Volatility Foundation Volatility Framework 2.4
1 -> /run
2 -> /sys/fs/cgroup
3 -> /dev/shm
4 -> /mnt/ramdisk
[srini@localhost volatility]$ python /home/srini/source/volatility/volatility/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_tmpfs -S 4 -D decode
Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
  File "/home/srini/source/volatility/volatility/vol.py", line 192, in <module>
    main()
  File "/home/srini/source/volatility/volatility/vol.py", line 183, in main
    command.execute()
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/common.py", line 62, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/srini/source/volatility/volatility/volatility/commands.py", line 127, in execute
    func(outfd, data)
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/tmpfs.py", line 155, in render_text
    for (i, path) in data:
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/tmpfs.py", line 141, in calculate
    self.walk_sb(root_dentry)
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/tmpfs.py", line 101, in walk_sb
    self.process_directory(root_dentry, parent = cur_dir)
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/tmpfs.py", line 83, in process_directory
    for page in linux_find_file.linux_find_file(self._config).get_file_contents(inode):
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/find_file.py", line 236, in get_file_contents
    data = self.get_page_contents(inode, idx)
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/find_file.py", line 207, in get_page_contents
    page_addr = self.find_get_page(inode, idx)
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/find_file.py", line 198, in find_get_page
    page = self.radix_tree_lookup_slot(inode.i_mapping.page_tree, offset)
  File "/home/srini/source/volatility/volatility/volatility/plugins/linux/find_file.py", line 175, in radix_tree_lookup_slot
    height = node.height
  File "/home/srini/source/volatility/volatility/volatility/obj.py", line 747, in __getattr__
    return self.m(attr)
  File "/home/srini/source/volatility/volatility/volatility/obj.py", line 729, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct radix_tree_node has no member height
On Tue, Oct 14, 2014 at 1:37 AM, Andrew Case <atcuno(a)gmail.com> wrote:
Hello,
This has been fixed. Please git pull and it should work. Let me know if
you still have issues and thanks for the bug report.
Thanks,
Andrew (@attrc)
On 10/13/2014 01:51 AM, Srinivasan J wrote:
> Hi,
> I am trying to recover tmpfs from a RAM lime dump using volatility
> 2.4 in Linux/Windows, but I hit the "AttributeError: 'linux_mount'
> object has no attribute 'parse_mnt'". Is this a known issue?
>
> Thanks,
> Srini
>
>
> [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_tmpfs -L
> Volatility Foundation Volatility Framework 2.4
> Traceback (most recent call last):
>   File "/home/srini/vola/setup/volatility-2.4/vol.py", line 192, in <module>
>     main()
>   File "/home/srini/vola/setup/volatility-2.4/vol.py", line 183, in main
>     command.execute()
>   File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/common.py", line 62, in execute
>     commands.Command.execute(self, *args, **kwargs)
>   File "/home/srini/vola/setup/volatility-2.4/volatility/commands.py", line 127, in execute
>     func(outfd, data)
>   File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py", line 157, in render_text
>     for (i, path) in data:
>   File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py", line 148, in calculate
>     tmpfs_sbs = self.get_tmpfs_sbs()
>   File "/home/srini/vola/setup/volatility-2.4/volatility/plugins/linux/tmpfs.py", line 120, in get_tmpfs_sbs
>     for (sb, _dev_name, path, fstype, _rr, _mnt_string) in linux_mount.linux_mount(self._config).parse_mnt(mnts):
> AttributeError: 'linux_mount' object has no attribute 'parse_mnt'
>
>
> C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>
>
> C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>volatility-2.4.standalone.exe --plugins=profile --profile=Linuxcentos7x64 -f D:\volat\ramtmpfs.lime linux_tmpfs -L
> Volatility Foundation Volatility Framework 2.4
> Traceback (most recent call last):
>   File "<string>", line 192, in <module>
>   File "<string>", line 183, in main
>   File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.common", line 62, in execute
>   File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.commands", line 127, in execute
>   File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.tmpfs", line 157, in render_text
>   File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.tmpfs", line 148, in calculate
>   File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.tmpfs", line 120, in get_tmpfs_sbs
> AttributeError: 'linux_mount' object has no attribute 'parse_mnt'
>
> C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>volatility-2.4.standalone.exe --plugins=profile --profile=Linuxcentos7x64 -f D:\volat\ramtmpfs.lime linux_cpuinfo
> Volatility Foundation Volatility Framework 2.4
> Processor    Vendor           Model
> ------------ ---------------- -----
> 0            GenuineIntel     Intel(R) Xeon(R) CPU E5-2609 v2 @ 2.50GHz
>
> C:\Users\sjayarajan\Downloads\volatility_2.4.win.standalone\volatility_2.4.win.standalone>
>
>
> [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 --info | more
> Volatility Foundation Volatility Framework 2.4
>
>
> Profiles
> --------
> Linuxcentos7x64 - A Profile for Linux centos7 x64
> VistaSP0x64 - A Profile for Windows Vista SP0 x64
> VistaSP0x86 - A Profile for Windows Vista SP0 x86
> VistaSP1x64 - A Profile for Windows Vista SP1 x64
> VistaSP1x86 - A Profile for Windows Vista SP1 x86
> VistaSP2x64 - A Profile for Windows Vista SP2 x64
> VistaSP2x86 - A Profile for Windows Vista SP2 x86
>
>
> [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_cpuinfo
> Volatility Foundation Volatility Framework 2.4
> Processor    Vendor           Model
> ------------ ---------------- -----
> 0            GenuineIntel     Intel(R) Xeon(R) CPU E5-2609 v2 @ 2.50GHz
>
> [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_mount
> Volatility Foundation Volatility Framework 2.4
> hugetlbfs /dev/hugepages hugetlbfs rw,relatime
>
> devtmpfs /dev devtmpfs rw,nosuid
>
> tmpfs /dev/shm tmpfs rw,nosuid,nodev
>
> devpts /dev/pts devpts rw,relatime,nosuid,noexec
>
> cgroup /sys/fs/cgroup/memory cgroup rw,relatime,nosuid,nodev,noexec
>
> tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec
>
> proc /proc proc rw,relatime,nosuid,nodev,noexec
>
> /dev/mapper/centos-root / xfs rw,relatime
>
> tmpfs /run tmpfs rw,nosuid,nodev
>
> sysfs /sys sysfs rw,relatime,nosuid,nodev,noexec
>
> sunrpc /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime
>
> mqueue /dev/mqueue mqueue rw,relatime
>
> debugfs /sys/kernel/debug debugfs rw,relatime
>
> selinuxfs /sys/fs/selinux selinuxfs rw,relatime
>
> securityfs /sys/kernel/security securityfs rw,relatime,nosuid,nodev,noexec
>
> cgroup /sys/fs/cgroup/systemd cgroup rw,relatime,nosuid,nodev,noexec
>
> pstore /sys/fs/pstore pstore rw,relatime,nosuid,nodev,noexec
>
> cgroup /sys/fs/cgroup/cpuset cgroup rw,relatime,nosuid,nodev,noexec
>
> sunrpc /proc/fs/nfsd nfsd rw,relatime
>
> tmpfs /mnt/ramdisk tmpfs rw,relatime
> cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,relatime,nosuid,nodev,noexec
>
> configfs /sys/kernel/config configfs rw,relatime
>
> cgroup /sys/fs/cgroup/devices cgroup rw,relatime,nosuid,nodev,noexec
>
> systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime
>
> cgroup /sys/fs/cgroup/freezer cgroup rw,relatime,nosuid,nodev,noexec
>
> cgroup /sys/fs/cgroup/net_cls cgroup rw,relatime,nosuid,nodev,noexec
>
> cgroup /sys/fs/cgroup/blkio cgroup rw,relatime,nosuid,nodev,noexec
>
> /dev/sda1 /boot xfs rw,relatime
>
> cgroup /sys/fs/cgroup/perf_event cgroup rw,relatime,nosuid,nodev,noexec
>
> cgroup /sys/fs/cgroup/hugetlb cgroup rw,relatime,nosuid,nodev,noexec
>
>
> [srini@localhost volatility-2.4]$ python /home/srini/vola/setup/volatility-2.4/vol.py --plugins=/mnt/data/home/srini/ovf --profile=Linuxcentos7x64 -f /mnt/data/home/srini/ovf/ramtmpfs.lime linux_bash
> Volatility Foundation Volatility Framework 2.4
> Pid Name Command Time Command
> -------- -------------------- ------------------------------ -------
> 15151 bash 2014-10-12 01:35:58 UTC+0000 ./configure
> 15151 bash 2014-10-12 01:35:58 UTC+0000 yum provides tcpsic
> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls -ltrh
> 15151 bash 2014-10-12 01:35:58 UTC+0000 mv lmbench3 lmbench3-3.10
> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
> 15151 bash 2014-10-12 01:35:58 UTC+0000 cd linux/
> 15151 bash 2014-10-12 01:35:58 UTC+0000 yum intall isic
> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
> 15151 bash 2014-10-12 01:35:58 UTC+0000 yum provides dwarfdump
> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
> 15151 bash 2014-10-12 01:35:58 UTC+0000 cd 3.10.0-123.el7.x86_64/
> 15151 bash 2014-10-12 01:35:58 UTC+0000 uname -a
> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
> 15151 bash 2014-10-12 01:35:58 UTC+0000 yum install isic
> 15151 bash 2014-10-12 01:35:58 UTC+0000 cd linux/
> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
> 15151 bash 2014-10-12 01:35:58 UTC+0000 ls
> 15151 bash 2014-10-12 01:35:58 UTC+0000 make
> 15151 bash 2014-10-12 01:35:58 UTC+0000 ifconfig
> 15151 bash 2014-10-12 01:35:58 UTC+0000 cd lmbench3-3.10
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>