Dik1s / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

lsof command needs patch on OS X #474

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Run lsof command on an image of OS X 10.9.1

What is the expected output? What do you see instead?

I expect lsof output.
I see a python stacktrace instead.

What version of the product are you using? On what operating system?

I am using the latest SVN version on OS X 10.9.1
Memory image dumped by OSXPMem.

Please provide any additional information below.

The following ugly patch fixes the issue (100 bytes is arbitrary, can't figure 
out how to get size):

$ svn diff lsof.py
Index: lsof.py
===================================================================
--- lsof.py (revision 114)
+++ lsof.py (working copy)
@@ -434,6 +434,8 @@

        # NOTE: this may be trouble for the 255 UTF-16 filename characters HFS+ allows
        name_addr = Struct.mem.read(name_ptr, 255)
+       if name_addr == None:
+           return struct.unpack('100s', Struct.mem.read(name_ptr, 
100))[0].split('\x00', 1)[0].strip('\x00')
        name = struct.unpack('255s', name_addr)[0]
        return name.split('\x00', 1)[0].strip('\x00')

Original issue reported on code.google.com by cristian...@gmail.com on 3 Feb 2014 at 9:04

GoogleCodeExporter commented 8 years ago

Original comment by michael.hale@gmail.com on 3 Feb 2014 at 10:03

GoogleCodeExporter commented 8 years ago
Hi Cristian, 

Could you please paste us the python stacktrace you see when using the lsof 
command on your 10.9.1 image? 

Andrew, please work with Cristian to get a patch applied to the code base. 

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 5:58

GoogleCodeExporter commented 8 years ago
Hi Michael, Andrew

I am no longer on 10.9.1 (I've upgraded to 10.9.2) but the problem appears on 
10.9.2 too.
Stacktrace follows:

$ sudo python vol.py -i /tmp/memory.dump -o lsof
WARNING Fileproc.getfglob was passed the invalid address deadbeefdeadbeef.
WARNING Vm_map.gettxt was passed the invalid address deadbeefdeadbeef.
[lots of these]
WARNING Vm_map.gettxt was passed the invalid address deadbeefdeadbeef.
Traceback (most recent call last):
  File "vol.py", line 291, in <module>
    main()
  File "vol.py", line 227, in main
    filelist = m_volafox.lsof(pid, vflag)
  File "/Users/diciu/Downloads/volafox-read-only/volafox/volafox.py", line 235, in lsof
    printfilelist(getfilelist(self.x86_mem_pae, self.arch, self.os_version, proc_head, pid, vflag))
  File "/Users/diciu/Downloads/volafox-read-only/volafox/plugins/lsof.py", line 1172, in getfilelist
    fullfilelisting += getfilelistbyproc(proc)
  File "/Users/diciu/Downloads/volafox-read-only/volafox/plugins/lsof.py", line 1098, in getfilelistbyproc
    txt_ptrs = proc.gettxt()
  File "/Users/diciu/Downloads/volafox-read-only/volafox/plugins/lsof.py", line 1073, in gettxt
    txt_ptrs = task.gettxt()
  File "/Users/diciu/Downloads/volafox-read-only/volafox/plugins/lsof.py", line 907, in gettxt
    return vm_map.gettxt()
  File "/Users/diciu/Downloads/volafox-read-only/volafox/plugins/lsof.py", line 870, in gettxt
    txt_ptrs = vm_map_entry.gettxt()
  File "/Users/diciu/Downloads/volafox-read-only/volafox/plugins/lsof.py", line 838, in gettxt
    return vm_object.gettxt()
  File "/Users/diciu/Downloads/volafox-read-only/volafox/plugins/lsof.py", line 800, in gettxt
    return shadow.gettxt()
  File "/Users/diciu/Downloads/volafox-read-only/volafox/plugins/lsof.py", line 805, in gettxt
    return [ pager.gettxt() ]       # NOTE: this may return [ None ] without error
  File "/Users/diciu/Downloads/volafox-read-only/volafox/plugins/lsof.py", line 744, in gettxt
    if vnode.gettype() == -1 or vnode.getname() == None:
  File "/Users/diciu/Downloads/volafox-read-only/volafox/plugins/lsof.py", line 437, in getname
    name = struct.unpack('255s', name_addr)[0]
struct.error: unpack requires a string argument of length 255

I am using the trunk code:

$ svn info
Path: .
Working Copy Root Path: /Users/diciu/Downloads/volafox-read-only
URL: http://volafox.googlecode.com/svn/trunk
Repository Root: http://volafox.googlecode.com/svn
Repository UUID: 139794e7-419e-a2c0-6f24-3fc8368cdcb9
Revision: 114
Node Kind: directory
Schedule: normal
Last Changed Author: rapfer@gmail.com
Last Changed Rev: 114
Last Changed Date: 2014-02-03 16:54:44 +0200 (Mon, 03 Feb 2014)

$ svn stat
?       overlays/13C64x64.overlay
?       volafox/plugins/lsof.py.patch

Original comment by cristian...@gmail.com on 8 Mar 2014 at 6:06

GoogleCodeExporter commented 8 years ago
Hey Cristian,

You have filed a bug in volafox, but this is actually the Volatility project. 
You may want to re-file the bug with them (https://code.google.com/p/volafox) 
so that they can get it fixed.

Also, Volatility does have support through 10.9 currently in trunk, and a small 
patch to fix lsof and netstat for 10.9.1 will be part of Volatility 2.4. If you 
want to try Volatility against 10.9.1 please let me know and I can send you the 
patches.

Original comment by atc...@gmail.com on 9 Mar 2014 at 10:47

GoogleCodeExporter commented 8 years ago
Hey guys, I'm going to close this issue since its not a valid problem in 
Volatility. Cristian, please do open a new ticket if you find bugs in 
Volatility or you can contact Andrew personally or via the Vol-Users mailing 
list for questions related to 10.9.1. 

Original comment by michael.hale@gmail.com on 10 Mar 2014 at 3:21