Hi,

I'm trying to analyze Linux memory dumps with scudette's branch r2040, but it doesn't seem to work.

Is there something I'm doing wrong?


Ubuntu 11.04 64bit (acquired with lime, padded format)

H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.

IPython 0.13 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "N:\Lime\Ubuntu-11.04-64-bit\u64.padded"
In [2]: session.profile_file = "N:\Lime\Ubuntu-11.04-64-bit\myprofile.zip"
In [3]: session.profile = profiles.Linux64
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
WARNING:root:comm has no offset in object task_struct. Check that vtypes has a concrete definition for it.
WARNING:root:name has no offset in object net_device. Check that vtypes has a concrete definition for it.
WARNING:root:s_id has no offset in object super_block. Check that vtypes has a concrete definition for it.
WARNING:root:sun_path has no offset in object sockaddr_un. Check that vtypes has a concrete definition for it.
WARNING:root:x86_model_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it.
WARNING:root:x86_vendor_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it.
WARNING:root:name has no offset in object module. Check that vtypes has a concrete definition for it.
Offset   Name                 Pid             Uid
ERROR:root:Error: Type task_struct has no member tasks
---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
<ipython-input-4-a5edbfb3c155> in <module>()
----> 1 vol(plugins.pslist)

H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs)
    217             result = plugin_cls(*args, **kwargs)
    218             try:
--> 219                 result.render(ui_renderer)
    220             except KeyboardInterrupt:
    221                 self.report_progress("Aborted!\r\n", force=True)

H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd)
     49             "Offset", "Name", "Pid", "Uid"))
     50
---> 51         for task in self.pslist():
     52             outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format(
     53                 task.obj_offset, task.comm, str(task.pid), str(task.uid)))

H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self)
     42
     43         # walk the ->tasks list, note that this will *not* display "swapper"
---> 44         for task in init_task.tasks:
     45             yield task
     46

H:\Volatility\Scudette\volatility\obj.pyc in __getattr__(self, attr)
    921         if attr not in self.members:
    922             raise AttributeError("Type {0} has no member {1}".format(
--> 923                     self.obj_name, attr))
    924
    925         return self.m(attr)

AttributeError: Type task_struct has no member tasks


Ubuntu 11.04 64bit (acquired with lime, raw format)

H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.

IPython 0.13 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "N:\\Lime\\Ubuntu-11.04-64-bit\\u64.raw"
In [2]: session.profile_file = "N:\\Lime\\Ubuntu-11.04-64-bit\\myprofile.zip"
In [3]: session.profile = profiles.Linux64
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
WARNING:root:comm has no offset in object task_struct. Check that vtypes has a concrete definition for it.
WARNING:root:name has no offset in object net_device. Check that vtypes has a concrete definition for it.
WARNING:root:s_id has no offset in object super_block. Check that vtypes has a concrete definition for it.
WARNING:root:sun_path has no offset in object sockaddr_un. Check that vtypes has a concrete definition for it.
WARNING:root:x86_model_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it.
WARNING:root:x86_vendor_id has no offset in object cpuinfo_x86. Check that vtypes has a concrete definition for it.
WARNING:root:name has no offset in object module. Check that vtypes has a concrete definition for it.
Offset   Name                 Pid             Uid
Out[4]: <volatility.plugins.linux.pslist.LinuxPsList at 0x2e50930>



Fedora 15 32bit (acquired with lime, raw format)

H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.

IPython 0.13 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "N:\\Lime\\Fedora-15-32bit\\f32.raw"
In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip"
In [3]: session.profile = profiles.Linux32
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
ERROR:root:Fatal Error: invalid literal for int() with base 10: 'Attribute'
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.

In [5]: session.kernel_address_space = "standard"
In [6]: vol plugins.pslist
------> vol(plugins.pslist)
Offset   Name                 Pid             Uid
ERROR:root:Error: 'init_task'
---------------------------------------------------------------------------
KeyError                                  Traceback (most recent call last)
<ipython-input-6-a5edbfb3c155> in <module>()
----> 1 vol(plugins.pslist)

H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs)
    217             result = plugin_cls(*args, **kwargs)
    218             try:
--> 219                 result.render(ui_renderer)
    220             except KeyboardInterrupt:
    221                 self.report_progress("Aborted!\r\n", force=True)

H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd)
     49             "Offset", "Name", "Pid", "Uid"))
     50
---> 51         for task in self.pslist():
     52             outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format(
     53                 task.obj_offset, task.comm, str(task.pid), str(task.uid)))

H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self)
     35     def pslist(self):
     36         """A generator of task_struct objects for all running tasks."""
---> 37         init_task_addr = self.profile.constants["init_task"]
     38
     39         init_task = self.profile.Object(theType="task_struct",

KeyError: 'init_task'


Fedora 15 32bit (virtual box snapshot)

H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.

IPython 0.13 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "V:\\VM\\Fedora Core 15 32-bit\\Snapshots\\2012-07-17T14-50-40-994836400Z.sav"
In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip"
In [3]: session.profile = profiles.Linux32
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
ERROR:root:Fatal Error: invalid literal for int() with base 10: 'Attribute'
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.

In [5]: session.kernel_address_space = "vboxelf"
In [6]: vol plugins.pslist
------> vol(plugins.pslist)
Offset   Name                 Pid             Uid
ERROR:root:Error: 'init_task'
---------------------------------------------------------------------------
KeyError                                  Traceback (most recent call last)
<ipython-input-7-a5edbfb3c155> in <module>()
----> 1 vol(plugins.pslist)

H:\Volatility\Scudette\volatility\session.pyc in vol(self, plugin_cls, *args, **kwargs)
    217             result = plugin_cls(*args, **kwargs)
    218             try:
--> 219                 result.render(ui_renderer)
    220             except KeyboardInterrupt:
    221                 self.report_progress("Aborted!\r\n", force=True)

H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in render(self, outfd)
     49             "Offset", "Name", "Pid", "Uid"))
     50
---> 51         for task in self.pslist():
     52             outfd.write("0x{0:08x} {1:20s} {2:15s} {3:15s}\n".format(
     53                 task.obj_offset, task.comm, str(task.pid), str(task.uid)))

H:\Volatility\Scudette\volatility\plugins\linux\pslist.pyc in pslist(self)
     35     def pslist(self):
     36         """A generator of task_struct objects for all running tasks."""
---> 37         init_task_addr = self.profile.constants["init_task"]
     38
     39         init_task = self.profile.Object(theType="task_struct",

KeyError: 'init_task'


The analysis works with Windows XP SP3

H:\Volatility\Scudette>h:\Python27\python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.

IPython 0.13 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "W:\XP SP3\XP SP3-Snapshot7.vmem"
In [2]: session.profile = profiles.WinXPSP3x86
In [3]: vol plugins.pslist
------> vol(plugins.pslist)
Offset (V) Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x867c49c8 System                    4      0     54      216 ------  False -                    -
0x8656b020 smss.exe                556      4      3       17 ------  False 2008-11-19 19:30:19  -
[...]
Out[3]: <volatility.plugins.windows.taskmods.WinPsList at 0x21668f0>


Thanks in advance for your help!

Sebastien
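Added example, not part of Sebastien's post and not code from the scudette branch: the tracebacks above fail at two well-defined preconditions of the Linux pslist plugin, the `init_task` symbol being absent from the profile's constants (`KeyError: 'init_task'`) and `task_struct` lacking a concrete offset for `tasks` or `comm` (the "has no offset" warnings and the `AttributeError`). The script below checks exactly those preconditions against the two inputs a Linux profile is built from, a System.map-style symbol listing and a legacy Volatility vtypes dict. The formats are the classic Volatility 2 ones; the symbol addresses, struct sizes and member offsets in the sample data are constructed for the example and carry no meaning for the dumps discussed here. It does not diagnose why the poster's profile was missing these entries.

```python
"""Check a Linux profile for what the pslist plugin in this thread needs:
the 'init_task' symbol and concrete offsets for task_struct members.

Input formats are the classic Volatility 2 ones: a System.map text
('address type name' per line) and a vtypes dict of the form
{struct: [size, {member: [offset, [type, ...]]}]}.  All sample data
below is constructed for this example."""

import re

# Members the pslist plugin dereferences in the tracebacks above.
REQUIRED_MEMBERS = {"task_struct": ["tasks", "comm", "pid"]}
# Symbols looked up in profile.constants by the same plugin.
REQUIRED_SYMBOLS = ["init_task"]

SYMBOL_LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)$")


def parse_system_map(text):
    """Return {symbol: address} from System.map-style lines.
    Malformed lines are skipped instead of aborting the whole check."""
    symbols = {}
    for line in text.splitlines():
        m = SYMBOL_LINE.match(line.strip())
        if m:
            symbols[m.group(3)] = int(m.group(1), 16)
    return symbols


def missing_symbols(symbols, required=REQUIRED_SYMBOLS):
    """Names from `required` that the symbol table does not define."""
    return [name for name in required if name not in symbols]


def missing_members(vtypes, required=REQUIRED_MEMBERS):
    """Return {struct: [members]} for members that are absent from the
    vtypes or lack an integer offset.  Both conditions map onto the
    failures seen above: 'has no member' and 'has no offset'."""
    missing = {}
    for struct, members in required.items():
        entry = vtypes.get(struct)
        if entry is None:
            missing[struct] = list(members)
            continue
        _size, fields = entry
        bad = []
        for member in members:
            field = fields.get(member)
            if field is None or not isinstance(field[0], int):
                bad.append(member)
        if bad:
            missing[struct] = bad
    return missing


def check_profile(system_map_text, vtypes):
    """Run both checks; an empty dict means the profile carries the
    symbols and layout that pslist needs."""
    problems = {}
    syms = missing_symbols(parse_system_map(system_map_text))
    if syms:
        problems["symbols"] = syms
    members = missing_members(vtypes)
    if members:
        problems["members"] = members
    return problems


# Constructed sample data: one usable profile and one with both defects.
GOOD_MAP = """\
ffffffff81a0d020 D init_task
ffffffff81a0f000 D init_mm
"""
BROKEN_MAP = """\
ffffffff81a0f000 D init_mm
"""
GOOD_VTYPES = {
    "task_struct": [1632, {
        "tasks": [424, ["list_head"]],
        "comm": [808, ["String", {"length": 16}]],
        "pid": [576, ["int"]],
    }],
}
# 'tasks' is absent and 'comm' has no concrete offset.
BROKEN_VTYPES = {
    "task_struct": [1632, {
        "comm": [None, ["String", {"length": 16}]],
        "pid": [576, ["int"]],
    }],
}

if __name__ == "__main__":
    print("good profile:  ", check_profile(GOOD_MAP, GOOD_VTYPES))
    print("broken profile:", check_profile(BROKEN_MAP, BROKEN_VTYPES))
```

Running a profile's own System.map and vtypes through `check_profile` before loading it into the shell separates "the profile is incomplete" from "the address space or image format is wrong", which the session output above does not distinguish on its own.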