ECToo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Volatility Profile Creation Error for Mac OS x 10.9.2 x64 #494

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I have a problem when I try to create a vtypes file for Mac OS X 10.9.2. I
converted the dwarfdump file successfully to the converted form. But when I tried to
create the vtypes file from the converted file, I got the error messages which are shown
below.

sh-3.2# python ../../../../tools/mac/convert.py converted.10.9.2.64bit.dwarfdump > 10.9.2.64bit.vtypes

Traceback (most recent call last):
  File "../../../../tools/mac/convert.py", line 659, in <module>
    main()
  File "../../../../tools/mac/convert.py", line 656, in main
    parse_dwarf()     
  File "../../../../tools/mac/convert.py", line 390, in parse_dwarf
    parser.feed_line(line)
  File "../../../../tools/mac/convert.py", line 125, in feed_line
    self.process_statement(**parsed)
  File "../../../../tools/mac/convert.py", line 263, in process_statement
    off = int(data['AT_data_member_location'])
KeyError: 'AT_data_member_location'

Original issue reported on code.google.com by halilozt...@gmail.com on 11 Apr 2014 at 11:04

GoogleCodeExporter commented 9 years ago
Quick and ugly patch, seems to be working though (the script doesn't crash 
anymore and I can use the memory profile with volatility) ;).

51c51,54
<             resolved = self.id_to_name[memb[1:]]
---
>       try:    
>                 resolved = self.id_to_name[memb[1:]]
>             except:
>                 resolved = 0
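
Review bot: The bare `except:` around `self.id_to_name[memb[1:]]` swallows every exception, not only a missing key, and `resolved = 0` then puts an integer where the lookup would have produced a name, so an unresolved ID passes silently into the output. Catch `KeyError` only, and log the unresolved ID or skip the member so that the gap stays visible. As posted, the `try:` line is indented differently from the `except:` it pairs with, which Python will reject; the indentation needs to match the surrounding file.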
263,264c266,269
<             off = int(data['AT_data_member_location'])
< 
---
>             try: 
>       off = int(data['AT_data_member_location'])
>       except:
>       off = 0 
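
Review bot: Defaulting to `off = 0` when `AT_data_member_location` is absent writes every such member at offset 0, so the generated vtypes can carry guessed structure layouts with no sign that they were guessed; in a memory-forensics profile that can be harder to notice than the original crash. Narrow the handler to `except KeyError:` and either skip the member or emit a warning that names it, and check which kind of DWARF entry lacks the attribute before settling on a default. As posted, `off = ...`, `except:` and `off = 0` share one indentation level that differs from `try:`, so the hunk will not parse until the indentation is fixed.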

Tested on OS X 10.9.1

Original comment by Yggdrasi...@gmail.com on 18 Apr 2014 at 8:03

GoogleCodeExporter commented 9 years ago

Original comment by michael.hale@gmail.com on 19 Apr 2014 at 3:17

GoogleCodeExporter commented 9 years ago
I have the same problem, please help.
I tried to follow the instructions from this page:
https://code.google.com/p/volatility/wiki/MacMemoryForensics
My Mac OS version is Mac OS X 10.9.2 64-bit.

Traceback (most recent call last):
  File "../volatility-trunk/tools/mac/convert.py", line 659, in <module>
    main()
  File "../volatility-trunk/tools/mac/convert.py", line 656, in main
    parse_dwarf()     
  File "../volatility-trunk/tools/mac/convert.py", line 390, in parse_dwarf
    parser.feed_line(line)
  File "../volatility-trunk/tools/mac/convert.py", line 125, in feed_line
    self.process_statement(**parsed)
  File "../volatility-trunk/tools/mac/convert.py", line 263, in process_statement
    off = int(data['AT_data_member_location'])
KeyError: 'AT_data_member_location'

Thank you

Original comment by dineshku...@gmail.com on 12 May 2014 at 9:20

GoogleCodeExporter commented 9 years ago
Can you please try this profile and see if it works correctly? 

https://www.dropbox.com/s/2he3xe8inf9ygky/10.9.2.zip

Original comment by atc...@gmail.com on 27 May 2014 at 6:03

GoogleCodeExporter commented 9 years ago
Hi guys, did the 10.9.2.zip profile Andrew posted work for you? If not, feel 
free to reopen but we'll close the issue since there haven't been any replies 
since the end of May. 

Original comment by michael.hale@gmail.com on 19 Jun 2014 at 11:45