ECToo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Exception in linux_netstat on a missing inet_sock.inet_dport attribute (patch attached) #434

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Ubuntu 13.04 64 bit memory image
2. Run linux_netstat
3. Error:

Traceback (most recent call last):
  File "volatility-svn/vol.py", line 186, in <module>
    main()
  File "volatility-svn/vol.py", line 177, in main
    command.execute()
  File "/home/dutchy/volatility-svn/volatility/plugins/linux/common.py", line 58, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/dutchy/volatility-svn/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/home/dutchy/volatility-svn/volatility/plugins/linux/netstat.py", line 91, in render_text
    (dport, sport) = self.format_port(inet_sock)
  File "/home/dutchy/volatility-svn/volatility/plugins/linux/netstat.py", line 128, in format_port
    dport = socket.htons(inet_sock.inet_dport)
  File "/home/dutchy/volatility-svn/volatility/obj.py", line 740, in __getattr__
    return self.m(attr)
  File "/home/dutchy/volatility-svn/volatility/obj.py", line 722, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct inet_sock has no member inet_dport

What version of the product are you using? On what operating system?
SVN revision 3453

Please provide any additional information below.

Fix was fairly simple, I followed the path for the #define as noted in 
https://github.com/torvalds/linux/blob/master/include/net/inet_sock.h

The fix also has some minor refactoring to make sure it does not give an error 
in the future.

I am not sure why it failed in the first place, perhaps Ubuntu removed those 
#defines.

Original issue reported on code.google.com by edwin.sm...@gmail.com on 15 Jul 2013 at 2:41

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 16 Jul 2013 at 12:29

GoogleCodeExporter commented 9 years ago
I felt like I needed to find out the cause :)

I checked my local inet_sock.h - inet_dport is in there, it's pretty much the 
same as in the kernel source on github. I also checked my profile (the 
dwarfdump) and found out that inet_dport is not in there. Why this is the case, 
I don't know yet.

If preferred I can attach my profile, but I should think it's the same for all 
13.04 profiles.

Original comment by edwin.sm...@gmail.com on 16 Jul 2013 at 7:53

GoogleCodeExporter commented 9 years ago
Hey Edwin, thanks for the patch. I made a slight variation that moves these 
APIs into object classes so they're more easily accessible from any plugin 
without having to inherit from linux_netstat. I haven't tested it yet though - 
do you mind making sure I didn't break anything in the process? 

Original comment by michael.hale@gmail.com on 16 Jul 2013 at 2:10

Attachments:

GoogleCodeExporter commented 9 years ago
I'm getting the following error (I'll see if I can find the cause):

Traceback (most recent call last):
  File "volatility-svn/vol.py", line 186, in <module>
    main()
  File "volatility-svn/vol.py", line 177, in main
    command.execute()
  File "/home/dutchy/volatility-svn/volatility/plugins/linux/common.py", line 58, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/dutchy/volatility-svn/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/home/dutchy/volatility-svn/volatility/plugins/linux/netstat.py", line 62, in render_text
    state = inet_sock.state if inet_sock.protocol == "TCP" else ""
  File "/home/dutchy/volatility-svn/volatility/obj.py", line 740, in __getattr__
    return self.m(attr)
  File "/home/dutchy/volatility-svn/volatility/obj.py", line 722, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct inet_sock has no member state

Original comment by edwin.sm...@gmail.com on 16 Jul 2013 at 2:22

GoogleCodeExporter commented 9 years ago
(Nope, I'm at a loss)

Original comment by edwin.sm...@gmail.com on 16 Jul 2013 at 3:05

GoogleCodeExporter commented 9 years ago
My bad, try this one

$ diff linux_netstat2.patch linux_netstat3.patch 
36c36
< +        state = inet_sock.sk.__sk_common.skc_state #pylint: disable-msg=W0212
---
> +        state = self.sk.__sk_common.skc_state #pylint: disable-msg=W0212

Original comment by michael.hale@gmail.com on 17 Jul 2013 at 5:08

Attachments:

GoogleCodeExporter commented 9 years ago
Errrr, src and dst were backwards...

$ diff linux_netstat2.patch linux_netstat4.patch 
36c36
< +        state = inet_sock.sk.__sk_common.skc_state #pylint: disable-msg=W0212
---
> +        state = self.sk.__sk_common.skc_state #pylint: disable-msg=W0212
40c40
< +    def dst_port(self):
---
> +    def src_port(self):
49c49
< +    def src_port(self):
---
> +    def dst_port(self):

Original comment by michael.hale@gmail.com on 17 Jul 2013 at 5:13

Attachments:

GoogleCodeExporter commented 9 years ago
It works!

Original comment by edwin.sm...@gmail.com on 17 Jul 2013 at 7:15

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r3456.

Original comment by michael.hale@gmail.com on 17 Jul 2013 at 2:30