Patrick,
The backtrace you got was because the init_task was not found or
had an invalid address. Can you please check that there is such a
symbol on your System.map. For example:
~/projects/volatility(scudette_playground)$ unzip -p system.zip boot/System.map-3.0.0-12-server | grep init_task
ffffffff810de840 T ftrace_graph_init_task
ffffffff811065c0 T perf_event_init_task
ffffffff81a69cb0 r __ksymtab_init_task
ffffffff81a7e998 r __kcrctab_init_task
ffffffff81a87790 r __kstrtab_init_task
ffffffff81c0b020 D init_task
ffffffff81eed8a0 b ext4_lazyinit_task
This address (e.g. ffffffff81c0b020) needs to be valid in the kernel
AS. If it appears valid, then maybe we cannot parse the kernel AS
properly. I don't think task_structs can be paged in Linux so there is
something really wrong if it's not there.
Michael.
On 28 January 2012 05:16, Patrick Burkard <pbuml(a)gmx.de> wrote:
On Sat, 28 Jan 2012 00:39:45 +0100, Michael Cohen <scudette(a)gmail.com> wrote:
On 27 January 2012 22:53, Patrick Burkard <pbuml(a)gmx.de> wrote:
Hi Patrick,
"/home/dark-eye/Sources/volatility_linux64/volatility/plugins/linux/linux_task_list_ps.py", line 41, in calculate
    init_task_addr = self.smap["init_task"]
TypeError: 'NoneType' object is unsubscriptable
This warning means that you do not have a system map loaded - is this
in the zip file? Also from the messages above it seems to load Linux32
profile - are you sure your image is from a 32 bit system or a 64 bit
system?
Alright ... here we go. This is the content of the profile zip:
dark-eye@Ragana:~/Sources/volatility_linux64$ zipinfo -l
-rw-r--r-- 3.0 unx 1293706 tx 338478 defN 12-Jan-11 18:24 boot/System.map-2.6.32-5-686
-rw-r--r-- 3.0 unx 1364923 tx 130532 defN 12-Jan-27 22:35 module.dwarf
3 files, 3952335 bytes uncompressed, 778032 bytes compressed: 80.3%
The image is captured from a VirtualBox VM:
dark-eye@LOSTFor32:~$ uname -a
Linux LOSTFor32 2.6.32-5-686 #1 SMP Wed Jan 11 12:29:30 UTC 2012 i686 GNU/Linux
And the command I use to start volatility. Maybe there is something that
I've done wrong:
python vol.py --profile Linux32 --profile_file debian_squeeze.zip -f /home/dark-eye/Desktop/LF32.ram pslist
Thank you again for your time and help
Greetings
Patrick
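
Added example, not part of the original thread and not Volatility's own code: a pre-flight check that a profile zip contains a System.map and an exact init_task entry, the two conditions discussed above. The function names, the sample zip contents and the address-width heuristic for 32/64 bit are assumptions made for this illustration.

```python
import io
import re
import zipfile

# System.map line: "<hex address> <type letter> <symbol name>"
SYMBOL_LINE = re.compile(r"^([0-9a-fA-F]+)\s+(\S)\s+(\S+)\s*$")

def lookup_symbol(map_text, symbol="init_task"):
    """Exact-name lookup, so ftrace_graph_init_task etc. do not match."""
    for line in map_text.splitlines():
        m = SYMBOL_LINE.match(line)
        if m and m.group(3) == symbol:
            addr_hex = m.group(1)
            # Heuristic (assumption): 64-bit maps print 16 hex digits, 32-bit 8.
            bits = 64 if len(addr_hex) > 8 else 32
            return {"address": int(addr_hex, 16), "type": m.group(2), "bits": bits}
    return None

def check_profile(source, symbol="init_task"):
    """source: path or file-like object of a profile zip."""
    with zipfile.ZipFile(source) as zf:
        maps = [n for n in zf.namelist()
                if n.rsplit("/", 1)[-1].startswith("System.map")]
        if not maps:
            # No map in the zip: the case behind the NoneType error above.
            return {"system_map": None, "symbol": None}
        text = zf.read(maps[0]).decode("ascii", "replace")
    return {"system_map": maps[0], "symbol": lookup_symbol(text, symbol)}

def make_zip(members):
    """Build an in-memory zip from {name: text} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    buf.seek(0)
    return buf

# Constructed sample: symbol lines copied from the grep output in the thread.
SAMPLE_MAP = """\
ffffffff810de840 T ftrace_graph_init_task
ffffffff81a69cb0 r __ksymtab_init_task
ffffffff81c0b020 D init_task
ffffffff81eed8a0 b ext4_lazyinit_task
"""

if __name__ == "__main__":
    good = make_zip({"boot/System.map-3.0.0-12-server": SAMPLE_MAP,
                     "module.dwarf": "placeholder"})
    print(check_profile(good))
    print(check_profile(make_zip({"module.dwarf": "placeholder"})))
```

A result with bits of 64 alongside a Linux32 profile (or the reverse) points at the profile mismatch raised in the thread.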