ECToo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

imageinfo TypeError #465

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Took memory image from a win7SP1x64 with 4 GB RAM using win64dd
2. Invoked volatility with: python vol.py imageinfo -f /win7_image.vmem
3. Get Error: TypeError: hex() argument can't be converted to hex

This issue seems to be very similar to 438
see: 
http://code.google.com/p/volatility/issues/detail?can=2&q=438&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&id=438

What is the expected output? What do you see instead?

Volatility error message

nutzer@malwar-Analyser:~/volatility-read-only$ python vol.py imageinfo -f /home/user/Images/win7_image.vmem
Volatility Foundation Volatility Framework 2.3.1
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64 (Instantiated with Win7SP0x64)
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/nutzer/volatility-2.3.1/Images/Aegypten/mem_aegypten.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf8000320e0a0L
          Number of Processors : 4
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff8000320fd00L
Traceback (most recent call last):
  File "vol.py", line 184, in <module>
    main()
  File "vol.py", line 175, in main
    command.execute()
  File "/home/nutzer/volatility-read-only/volatility/commands.py", line 122, in execute
    func(outfd, data)
  File "/home/nutzer/volatility-read-only/volatility/plugins/imageinfo.py", line 36, in render_text
    for k, v in data:
  File "/home/nutzer/volatility-read-only/volatility/plugins/imageinfo.py", line 101, in calculate
    yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), hex(kpcr.obj_offset))
TypeError: hex() argument can't be converted to hex

What version of the product are you using? On what operating system?

I use volatility trunk, last updated this morning, on Ubuntu 12.04.3

Please provide any additional information below.

Windows System Information says it's a: Intel Core i5-2540 CPU @ 2,6GHz 2,6GHz
Number of CPU: 4
Windows Version Windows 7 SP1
RAM: 4 GB

Original issue reported on code.google.com by Florian....@gmail.com on 25 Nov 2013 at 12:16

GoogleCodeExporter commented 9 years ago
Can you modify imageinfo as described in comment 3 (http://code.google.com/p/volatility/issues/detail?id=438#c3) and paste the output?

Original comment by jamie.l...@gmail.com on 25 Nov 2013 at 3:00

GoogleCodeExporter commented 9 years ago
Here is the output after modifying my source as suggested:
Volatility Foundation Volatility Framework 2.3.1
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/home/nutzer/volatility-2.3.1/Images/Aegypten/mem_aegypten.vmem)
                      PAE type : No PAE
                           DTB : 0x187000L
                          KDBG : 0xf8000320e0a0L
<class 'volatility.obj.Pointer'> 18446735277669023360
<class 'volatility.obj.Pointer'> 18446735827382718848
<class 'volatility.obj.Pointer'> 18446735827430429056
<class 'volatility.obj.Pointer'> 18446735827430896000
<class 'volatility.obj.Pointer'> 0
          Number of Processors : 4
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff8000320fd00L
Traceback (most recent call last):
  File "vol.py", line 184, in <module>
    main()
  File "vol.py", line 175, in main
    command.execute()
  File "/home/nutzer/volatility-read-only/volatility/commands.py", line 122, in execute
    func(outfd, data)
  File "/home/nutzer/volatility-read-only/volatility/plugins/imageinfo.py", line 36, in render_text
    for k, v in data:
  File "/home/nutzer/volatility-read-only/volatility/plugins/imageinfo.py", line 101, in calculate
    yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), hex(kpcr.obj_offset))
TypeError: hex() argument can't be converted to hex

Original comment by Florian....@gmail.com on 25 Nov 2013 at 3:27

GoogleCodeExporter commented 9 years ago
hrmmm we might have to just catch the exception then if this is still having 
errors...  

Original comment by jamie.l...@gmail.com on 25 Nov 2013 at 3:30
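
Added example, not part of the thread and not the patch that was later applied: a sketch of the "catch the exception" approach, where one offset that `hex()` cannot convert no longer aborts the remaining rows of the report. `FakeKPCR`, `UnreadableOffset` and `format_offset` are hypothetical stand-ins, and the sample offsets other than the CPU 0 value from the report are constructed.

```python
# Added illustration; stand-in classes, not Volatility's own code.

class UnreadableOffset(object):
    """Hypothetical stand-in for a value hex() cannot convert
    (it defines no __index__), like the object in the traceback."""
    def __repr__(self):
        return "<unreadable>"


class FakeKPCR(object):
    """Hypothetical stand-in for a KPCR object: CPU number plus offset."""
    def __init__(self, cpu, obj_offset):
        self.cpu = cpu
        self.obj_offset = obj_offset


def format_offset(value):
    """Return hex(value), or a marker string if it is not convertible."""
    try:
        return hex(value)
    except TypeError:
        return "unavailable ({0!r})".format(value)


def calculate(kpcrs):
    """Yield (label, value) rows, one per KPCR, without letting one
    bad offset stop the rows that follow it."""
    for kpcr in kpcrs:
        yield ("KPCR for CPU {0}".format(kpcr.cpu),
               format_offset(kpcr.obj_offset))


def render_text(rows):
    """Right-align labels in the style of the imageinfo output."""
    return ["{0:>30} : {1}".format(k, v) for k, v in rows]


# Constructed sample: CPU 0 uses the offset shown in the report,
# CPU 1 has an unconvertible offset, CPU 2 is a made-up valid value.
SAMPLE = [
    FakeKPCR(0, 0xfffff8000320fd00),
    FakeKPCR(1, UnreadableOffset()),
    FakeKPCR(2, 0xfffff880009e5000),
]

if __name__ == "__main__":
    print("\n".join(render_text(calculate(SAMPLE))))
```
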

GoogleCodeExporter commented 9 years ago
Tell me if I can help you with more information or if I should try something else.

Original comment by Florian....@gmail.com on 25 Nov 2013 at 3:42

GoogleCodeExporter commented 9 years ago
Hi,
I am experiencing the same issue, in similar conditions (win7 64 bits dump).

Original comment by 0...@phocean.net on 10 Dec 2013 at 7:37

GoogleCodeExporter commented 9 years ago
Patch applied and follow up emails sent -- the issue will be reopened if 
necessary. 

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 5:07

GoogleCodeExporter commented 9 years ago
Noob here, how do I get the patch? I'm running into this same issue with v2.3.1 
from Ubuntu 14.04.

Original comment by lordf...@gmail.com on 29 Jul 2014 at 10:16