Hey Carl, 

I copied this into our bug tracker (https://code.google.com/p/volatility/issues/detail?id=431). Don't expect an immediate fix, but just wanted you to know it will get addressed...

MHL


On Fri, Apr 19, 2013 at 10:07 AM, Michael Hale Ligh <michael.hale@gmail.com> wrote:
Hey Carl, 

Another way to try would be:

profile.merge_overlay({
   'XXX' : [ None, ['array', 4, ['Flags', dict(target = 'unsigned long', bitmap = { 'A': 0, 'B': 1, 'C': 2 })]]],
})

In that case, Struct.XXX[0] should be the first element in the array which is a Flags type. However, I ran into similar errors as you did, and I'm not entirely sure my approach would produce the structure you need even if it did work. This shows the error that I see:

>>> flags = obj.Object("Array", targetType = "Flags", offset = address, vm = addrspace, count = 2)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/Users/mike/Desktop/volatility/volatility/obj.py", line 173, in Object
    result = vm.profile.types[theType](offset = offset, vm = vm, name = name, **kwargs)
  File "/Users/mike/Desktop/volatility/volatility/obj.py", line 582, in __init__
    if self.current.size() == 0:
  File "/Users/mike/Desktop/volatility/volatility/obj.py", line 435, in size
    return struct.calcsize(self.format_string)
TypeError: Struct() argument 1 must be string, not Array

So just posting this here for documentation. Any other devs know why this doesn't work or how to get around it? 

MHL


On Wed, Apr 17, 2013 at 5:54 PM, Carl Pulley <c.pulley@acme-labs.org.uk> wrote:
Hi all,
  I'm currently attempting to code up a bitmap (within an overlay) that consists of an array of 4 ulongs.

With (say) a single ulong, the following works great:

  profile.merge_overlay({
    'XXX': [ None, ['Flags', {'target': 'unsigned long', 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]]
  })

However, the obvious generalisation to 4 ulongs:

  profile.merge_overlay({
    'XXX': [ None, ['Flags', {'target': ['array', 4, ['unsigned long']], 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]]
  })

fails. Looking at the source, the profile.merge_overlay calls:

  obj.Object(['array', 4, ['unsigned long']], offset=0, ..)

and this function in turn raises an exception (i.e. TypeError: unhashable type: 'list') when it calls:

  vm.profile.has_type(['array', 4, ['unsigned long']])

Attempts at using obj.Array instead also flounder.

Does anyone have any hints or tips as to how best to deal with bitmaps that are arrays of bytes, ulongs or similar? Is it a case of having to extend the obj.Flags class so that such things can be handled?

Many thanks,

  Carl.

_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
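
One way to decode a flag bitmap that spans an array of 4 ulongs from raw bytes, without going through the overlay's Flags type. This is an added example, not Volatility code and not code from anyone in this thread. It assumes 32-bit little-endian words and that bit n of the bitmap lives in word n // 32; the function names, the extra flags 'D' and 'E', and the sample buffer are constructed for illustration.

```python
import struct

WORD_BITS = 32  # assumption: 'unsigned long' is a 4-byte little-endian word


def read_words(buf, offset, count):
    """Unpack `count` 32-bit words from `buf` at `offset`, with bounds checking."""
    end = offset + count * (WORD_BITS // 8)
    if offset < 0 or end > len(buf):
        raise ValueError("flag array runs past the end of the buffer")
    return struct.unpack_from("<%dI" % count, buf, offset)


def decode_flags(words, bitmap):
    """Return the names in `bitmap` whose bit is set, ordered by bit position.

    Bit positions index the whole array: bit n is bit (n % 32) of word (n // 32).
    """
    names = []
    for name, bit in sorted(bitmap.items(), key=lambda kv: kv[1]):
        index, shift = divmod(bit, WORD_BITS)
        if index >= len(words):
            raise ValueError("bit %d (%s) is outside a %d-word array"
                             % (bit, name, len(words)))
        if (words[index] >> shift) & 1:
            names.append(name)
    return names


# Constructed sample: 8 bytes of padding, then 4 words with bits 0, 2, 33, 127 set.
BITMAP = {'A': 0, 'B': 1, 'C': 2, 'D': 33, 'E': 127}
SAMPLE = b"\xff" * 8 + struct.pack("<4I", 0x5, 0x2, 0x0, 0x80000000)


def demo():
    return decode_flags(read_words(SAMPLE, 8, 4), BITMAP)


if __name__ == "__main__":
    print(demo())
```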