ECToo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

pstree.py Fails on Win7 x86 Memory Image #458

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Running Volatility 2.3 official
2. Run pstree plugin against Windows 7 x86 memory image
3. Does not fail on all memory images
   Can talk privately with developer about the memory image in question

What is the expected output? What do you see instead?
-------
I expect process list output in tree format.
Instead, traceback:
  Volatility Foundation Volatility Framework 2.3
  Traceback (most recent call last):
    File "vol.py", line 184, in <module>
      main()
    File "vol.py", line 175, in main
      command.execute()
    File "/home/cms/Volatility/volatility/commands.py", line 113, in execute
      func(outfd, data)
    File "/home/cms/Volatility/volatility/plugins/pstree.py", line 102, in render_text
      draw_branch(0, root)
    File "/home/cms/Volatility/volatility/plugins/pstree.py", line 96, in draw_branch
      del data[int(task.UniqueProcessId)]
  KeyError: 4

What version of the product are you using? On what operating system?
-------
Volatility 2.3 official from source on openSUSE 12.3 x64 system.

Please provide any additional information below.
-------
Contact me privately if you have questions about the memory image or need 
additional tests run.

Original issue reported on code.google.com by cshana...@gmail.com on 30 Oct 2013 at 2:45

GoogleCodeExporter commented 9 years ago
That looks a little strange.  The only way I can think that that might come 
about is if you had a) a process with two parents, or b) a process that was its 
own parent.  Would you be able to provide the output of pslist on the same 
image please?

Original comment by mike.auty@gmail.com on 9 Nov 2013 at 2:49
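An added illustration of case (b) from the comment above, not part of the original thread and not Volatility's code: a toy walk that deletes each process as it draws it raises a KeyError on a constructed listing where PID 0 is its own parent, while a walk that tracks visited PIDs renders the tree and reports the anomaly. The names `naive_tree` and `safe_tree`, the sample PIDs, and the idea that the failure arises this way are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample: pid -> parent pid. Entry 0 is its own parent (case b);
# 348 has a parent (340) that is absent from the listing.
SAMPLE = {0: 0, 4: 0, 260: 4, 348: 340, 400: 348}

def naive_tree(procs, root):
    """Toy model (an assumption, not Volatility's code): delete each
    process as it is drawn while an outer loop still holds a snapshot."""
    data, out = dict(procs), []
    def draw(pad, parent):
        for pid, ppid in list(data.items()):
            if ppid == parent:
                out.append((pad, pid))
                del data[pid]  # KeyError if a deeper call already drew pid
                draw(pad + 1, pid)
    draw(0, root)
    return out

def safe_tree(procs):
    """Cycle-tolerant walk: returns (rows, anomalies)."""
    children = defaultdict(list)
    for pid, ppid in procs.items():
        children[ppid].append(pid)
    rows, seen = [], set()
    anomalies = [pid for pid, ppid in procs.items() if pid == ppid]
    def draw(pad, pid):
        if pid in seen:  # already drawn: self-parent or cycle
            return
        seen.add(pid)
        rows.append((pad, pid))
        for child in sorted(children[pid]):
            draw(pad + 1, child)
    # Roots: parent missing from the listing, or process is its own parent.
    for pid in sorted(procs):
        if procs[pid] not in procs or procs[pid] == pid:
            draw(0, pid)
    # Anything still unseen sits on a parent cycle with no entry point.
    for pid in sorted(procs):
        if pid not in seen:
            anomalies.append(pid)
            draw(0, pid)
    return rows, anomalies
```

The anomaly list is worth keeping in the output rather than silently skipping, since a self-parented or cyclic entry is exactly what an analyst would want to compare against pslist.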

GoogleCodeExporter commented 9 years ago
Seeing the same thing with v2.3.1:

C:\Users\hehe\Desktop>python volatility\vol.py -f <redacted>.img --profile=Win7SP0x64 pstree
Volatility Foundation Volatility Framework 2.3.1
Traceback (most recent call last):
  File "c:\tools\volatility\vol.py", line 184, in <module>
    main()
  File "c:\tools\volatility\vol.py", line 175, in main
    command.execute()
  File "c:\tools\volatility\volatility\commands.py", line 122, in execute
    func(outfd, data)
  File "c:\tools\volatility\volatility\plugins\pstree.py", line 102, in render_text
    draw_branch(0, root)
  File "c:\tools\volatility\volatility\plugins\pstree.py", line 96, in draw_branch
    del data[int(task.UniqueProcessId)]
KeyError: 4

I've attached the output of pslist as you requested above (some redactions).

Original comment by hiddenil...@gmail.com on 10 Dec 2013 at 11:28

GoogleCodeExporter commented 9 years ago
A patch to 2.4 has been applied and the two reporting users have been contacted 
for confirmation. 

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 9:00