10:06 p.m.
Greetings,
I rebuilt the 10.7.5 profiles. The 32 bit one causes that odd error. The 64 bit one
works.
I'm doing this all on a 10.8.x (64 bit) system. Perhaps that is the problem?
-David
bash-3.2# !py
python vol.py --info | grep -i mac
Volatile Systems Volatility Framework 2.3_alpha
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
Mac10_6_8-32bitx86 - A Profile for Mac 10.6.8-32bit x86
Mac10_7_5_64bitx64 - A Profile for Mac 10.7.5.64bit x64
linux_slabinfo - Mimics /proc/slabinfo on a running machine
mac_arp - Prints the arp table
mac_check_syscalls - Checks to see if system call table ent
On Feb 24, 2013, at 8:45 PM, David Kovar <dkovar(a)gmail.com> wrote:
Greetings,
That worked:
bash-3.2# python vol.py --info | grep -i Mac
Volatile Systems Volatility Framework 2.3_alpha
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
Mac10_6_8-32bitx86 - A Profile for Mac 10.6.8-32bit x86
linux_slabinfo - Mimics /proc/slabinfo on a running machine
And when I left the old zip files in place, the odd error was present.
My first zip file did work with whatever version of volatility I had before I did the
update. Recreating it probably doesn't make sense. I'll go build a new set.
Thanks very much for the help!
-David
On Feb 24, 2013, at 6:40 PM, Michael Hale Ligh <michael.hale(a)gmail.com> wrote:
I've never seen that error before either.
Try removing all 3 of your zip files from the volatility/plugins/overlays/mac directory
and replace them with the one that is attached.
Then run "vol.py --info | grep Mac" again (I intentionally left off the -i
because profiles will start with Mac and plugins will start with mac, and our first
objective is to make sure the profile is detected).
If you see a Mac 10.6.8 profile after doing this, then there's an issue with how you
created your 3 profiles. If you still see an error, and no Mac 10.6.8 profile, then the
problem is probably related to an environmental / host OS factor, which we can try to
determine if it comes to that.
MHL
On Sun, Feb 24, 2013 at 4:38 PM, David Kovar <dkovar(a)gmail.com> wrote:
Greetings,
Darned '-i'.
Alas, the profiles still aren't showing up.... Interesting, and new to me, Failed
message there.
-David
bash-3.2# !push
pushd volatility/plugins/overlays/mac
/usr/local/src/volatility/volatility/plugins/overlays/mac /usr/local/src/volatility
bash-3.2# pwd
/usr/local/src/volatility/volatility/plugins/overlays/mac
bash-3.2# ls -l
total 2520
drwxr-xr-x 8 root wheel 272 Feb 24 15:19 .svn
-rw-r--r-- 1 root wheel 217337 Feb 24 15:20 10.7.5.32bit.zip
-rw-r--r-- 1 root wheel 494428 Feb 24 15:20 10.7.5.64bit.zip
-rw-r--r-- 1 root wheel 494428 Feb 24 15:20 10.8.2.64bit.zip
-rw-r--r-- 1 root wheel 0 Feb 24 15:19 __init__.py
-rw-r--r-- 1 root wheel 156 Feb 24 15:20 __init__.pyc
-rw-r--r-- 1 root wheel 34737 Feb 24 15:19 mac.py
-rw-r--r-- 1 root wheel 34533 Feb 24 15:20 mac.pyc
bash-3.2# popd
/usr/local/src/volatility
bash-3.2# !py
python vol.py --info | grep -i Mac
Volatile Systems Volatility Framework 2.3_alpha
*** Failed to import volatility.plugins.overlays.mac.mac (TypeError: 'NoneType'
object is not iterable)
MachOAddressSpace - Address space for mach-o files to support atc-ny memory reader
linux_slabinfo - Mimics /proc/slabinfo on a running machine
mac_arp - Prints the arp table
mac_check_syscalls - Checks to see if system call table entries are hooked
mac_check_sysctl - Checks for unknown sysctl handlers
mac_check_trap_table - Checks to see if system call table entries are hooked
mac_dmesg - Prints the kernel debug buffer
mac_dump_maps - Dumps memory ranges of processes
mac_find_aslr_shift - Find the ASLR shift value for 10.8+ images
mac_get_processors - No docs
mac_ifconfig - Lists network interface information for all devices
mac_ip_filters - Reports any hooked IP filters
mac_list_sessions - Enumerates sessions
mac_list_zones - Prints active zones
mac_ls_logins - Lists login contexts
mac_lsmod - Lists loaded kernel modules
mac_lsof - Lists per-process opened files
mac_machine_info - Prints machine information about the sample
mac_mount - Prints mounted device information
mac_netstat - Lists active per-process network connections
mac_notifiers - Detects rootkits that add hooks into I/O Kit (e.g. LogKext)
mac_pgrp_hash_table - Walks the process group hash table
mac_pid_hash_table - Walks the pid hash table
mac_print_boot_cmdline - Prints kernel boot arguments
mac_proc_maps - Gets memory maps of processes
mac_psaux - Prints processes with arguments in userland (**argv)
mac_pslist - List Running Processes
mac_pstree - Show parent/child relationship of processes
mac_psxview - Find hidden processes with various process listings
mac_route - Prints the routing table
mac_runq - No docs
mac_task_zone - Prints active zones
mac_tasks - List Active Tasks
mac_trustedbsd - Lists malicious trustedbsd policies
mac_version - Prints the Mac version
mac_vfs_events - Lists Mac VFS Events
mac_volshell - Shell in the memory image
-David
On Feb 24, 2013, at 3:29 PM, Jamie Levy <jamie.levy(a)gmail.com> wrote:
The plugins are lower cased:
On Sun, Feb 24, 2013 at 4:26 PM, David Kovar <dkovar(a)gmail.com> wrote:
<10.6.8-32bit.zip> Greetings,
Thank you for your help, particularly on a Sunday!
I'm still running into issues with this for some reason. I checked out a new
copy, copied my profiles in, and then:
Sun Feb 24 15:21:49 CST 2013
bash-3.2# python vol.py --info | grep Mac
Volatile Systems Volatility Framework 2.3_alpha
MachOAddressSpace - Address space for mach-o files to support atc-ny
memory reader
mac_version - Prints the Mac version
mac_vfs_events - Lists Mac VFS Events
bash-3.2# ls -l volatility/plugins/overlays/mac
total 2520
drwxr-xr-x 8 root wheel 272 Feb 24 15:19 .svn
-rw-r--r-- 1 root wheel 217337 Feb 24 15:20 10.7.5.32bit.zip
-rw-r--r-- 1 root wheel 494428 Feb 24 15:20 10.7.5.64bit.zip
-rw-r--r-- 1 root wheel 494428 Feb 24 15:20 10.8.2.64bit.zip
-rw-r--r-- 1 root wheel 0 Feb 24 15:19 __init__.py
-rw-r--r-- 1 root wheel 156 Feb 24 15:20 __init__.pyc
-rw-r--r-- 1 root wheel 34737 Feb 24 15:19 mac.py
-rw-r--r-- 1 root wheel 34533 Feb 24 15:20 mac.pyc
-David
On Feb 24, 2013, at 3:10 PM, Michael Hale Ligh <michael.hale(a)gmail.com>
wrote:
David,
It is not intentional for volatility.plugins.overlays.mac to be missing from
setup.py (it was probably missed when merging the old mac branch into
trunk). However, unless you plan on using volatility as a library (i.e.
importing it from other Python scripts), you don't need setup.py at all.
$ svn checkout https://volatility.googlecode.com/svn/trunk/ volatility
$ cd volatility
$ cp <PATH TO YOUR PROFILE>/Mac10.6.zip volatility/plugins/overlays/mac
$ python vol.py --info | grep Mac
Before the 2.3 release, setup.py will be fixed in case you do plan on
installing volatility as a library. Also, pre-built Mac profiles for all
common OS X kernels will be available at that time, so you won't need to
build your own.
MHL
On Sun, Feb 24, 2013 at 2:42 PM, David Kovar <dkovar(a)gmail.com> wrote:
>
> Greetings,
>
> I was adding OS X support to my copy of Volatility per the instructions on
> https://code.google.com/p/volatility/wiki/MacMemoryForensics. It went well
> but I thought I'd pull the most recent version while I was at it.
>
> Mac support went away when I did so. setup.py is now missing:
>
> "volatility.plugins.overlays.mac",
>
> Even when I add that back, vol.py --info doesn't show the OS X profiles.
>
> Is this intentional? Is there a different version that I should be using?
>
> Thanks!
>
> -David
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92