ECToo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

problems using bitmaps in overlays #431

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
This was an issue raised on vol-users so I'm copying it here to make sure we 
don't forget about it. A copy of the original message is below, but see the URL 
for replies.  

http://lists.volatilesystems.com/pipermail/vol-users/2013-April/000893.html

""" I'm currently attempting to code up a bitmap (within an overlay) that 
consists of an array of 4 ulongs.

With (say) a single ulong, the following works great:

  profile.merge_overlay({
    'XXX': [ None, ['Flags', {'target': 'unsigned long', 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]]
  })

However, the obvious generalisation to 4 ulongs:

  profile.merge_overlay({
    'XXX': [ None, ['Flags', {'target': ['array', 4, ['unsigned long']], 'bitmap': { 'A': 0, 'B': 1, 'C': 2 }}]]
  })

fails. Looking at the source, the profile.merge_overlay calls:

  obj.Object(['array', 4, ['unsigned long']], offset=0, ..)

and this function in turn raises an exception (i.e. TypeError: unhashable type: 
'list') when it calls:

  vm.profile.has_type(['array', 4, ['unsigned long']])

Attempts at using obj.Array instead also flounder.

Does anyone have any hints or tips as to how best to deal with bitmaps that are 
arrays of bytes, ulongs or similar? Is it a case of having to extend the 
obj.Flags class so that such things can be handled?"""

Original issue reported on code.google.com by michael.hale@gmail.com on 20 Jun 2013 at 2:03
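
The failure quoted above and a manual decode of a four-word bitmap, as an added example that is not part of the original issue or of Volatility's code. `KNOWN_TYPES`, the stand-in `has_type`, `decode_array_bitmap`, the flags `D` and `E` and the sample bytes are hypothetical or constructed; it assumes `has_type` is a dict membership test and that `unsigned long` is 32-bit little-endian (pass `"<Q"` for 64-bit).

```python
import struct

# Constructed stand-in for a profile's type table, keyed by type-name strings.
# Assumption: has_type is a membership test of this kind.
KNOWN_TYPES = {"unsigned long": 4, "unsigned char": 1}

def has_type(type_name):
    """Membership test on a dict; a list argument cannot be hashed."""
    return type_name in KNOWN_TYPES

def lookup_fails_for_list_target():
    """Reproduce the reported TypeError using the array-style target."""
    try:
        has_type(["array", 4, ["unsigned long"]])
    except TypeError as exc:
        return str(exc)
    return None

def decode_array_bitmap(raw, bitmap, count=4, word_fmt="<I"):
    """Return the names of the flags set in `count` consecutive words.

    `bitmap` maps name -> global bit index: bit n lives in word n // bits
    at position n % bits. `word_fmt` is the struct format of one word.
    """
    size = struct.calcsize(word_fmt)
    bits = size * 8
    if len(raw) < count * size:
        raise ValueError("short read: need %d bytes, got %d"
                         % (count * size, len(raw)))
    words = [struct.unpack_from(word_fmt, raw, i * size)[0]
             for i in range(count)]
    flags = []
    for name, bit in sorted(bitmap.items(), key=lambda kv: kv[1]):
        if not 0 <= bit < count * bits:
            raise ValueError("bit %d for %r is outside the array" % (bit, name))
        if (words[bit // bits] >> (bit % bits)) & 1:
            flags.append(name)
    return flags

# Constructed sample: words 0x5, 0x0, 0x1, 0x80000000 set bits 0, 2, 64, 127.
SAMPLE = struct.pack("<4I", 0x5, 0x0, 0x1, 0x80000000)
BITMAP = {"A": 0, "B": 1, "C": 2, "D": 64, "E": 127}

if __name__ == "__main__":
    print(lookup_fails_for_list_target())
    print(decode_array_bitmap(SAMPLE, BITMAP))
```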

GoogleCodeExporter commented 9 years ago

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 9:22

GoogleCodeExporter commented 9 years ago

Original comment by mike.auty@gmail.com on 18 Feb 2015 at 6:55