Leor3961 / volatility

Automatically exported from code.google.com/p/volatility

issue in cache handling code causes pslist to break #4

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Ran on a Windows 7 64-bit host with Python 2.7; win7vss.vmem is a 32-bit Windows 7 image.

C:\Users\admin\Desktop\vol>C:\Python27\python.exe volatility.py  pslist --profile=Win7SP0x86  -f win7vss.vmem
Volatile Systems Volatility Framework 1.4_rc1
Name                 Pid    PPid   Thds   Hnds   Time
System                    4      0     90    516 2010-07-06 22:28:46
smss.exe                252      4      2     29 2010-07-06 22:28:46
csrss.exe               348    340     10    441 2010-07-06 22:28:53
wininit.exe             384    340      3     73 2010-07-06 22:28:53
csrss.exe               396    376      8    187 2010-07-06 22:28:53
winlogon.exe            424    376      5    129 2010-07-06 22:28:54
services.exe            492    384     12    216 2010-07-06 22:28:54
lsass.exe               500    384      7    559 2010-07-06 22:28:54
lsm.exe                 508    384     10    142 2010-07-06 22:28:54
svchost.exe             616    492     10    348 2010-07-06 22:28:55
svchost.exe             680    492      8    264 2010-07-06 22:28:56
svchost.exe             728    492     21    425 2010-07-06 22:28:56
svchost.exe             848    492     20    413 2010-07-06 22:28:56
svchost.exe             876    492     44   1333 2010-07-06 22:28:56
svchost.exe            1056    492     16    589 2010-07-06 22:29:31
svchost.exe            1140    492     17    375 2010-07-06 22:29:51
spoolsv.exe            1312    492     13    315 2010-07-06 22:31:06
svchost.exe            1344    492     20    315 2010-07-06 22:31:07
VMwareService.         1488    492      8    200 2010-07-06 22:31:11
dllhost.exe            1944    492     16    187 2010-07-06 22:31:21
msdtc.exe               284    492     15    152 2010-07-06 22:31:24
svchost.exe            1920    492      8    115 2010-07-06 22:33:17
svchost.exe             840    492     15    381 2010-07-06 22:33:18
SearchIndexer.         1464    492     18    624 2010-07-06 22:33:20
TrustedInstall          188    492      8    245 2010-07-06 22:35:08
WmiPrvSE.exe           1768    616      5    112 2010-07-06 22:35:16
SearchFilterHo         1724   1464      6     82 2010-07-06 22:37:36
taskhost.exe           1156    492     10    155 2010-07-06 22:37:54
dwm.exe                 956    848      4     71 2010-07-06 22:38:07
explorer.exe           1880   1720     31    647 2010-07-06 22:38:07
wuauclt.exe            1896    876      6     96 2010-07-06 22:38:14
VMwareTray.exe         2144   1880      5     67 2010-07-06 22:38:29
VMwareUser.exe         2156   1880      9    205 2010-07-06 22:38:30
audiodg.exe            2312    728      5    153 2010-07-06 22:38:44
rundll32.exe           2484    492      1      5 2010-07-06 22:39:08
sdclt.exe              2504    492      1      4 2010-07-06 22:39:09
schtasks.exe           2512    492      2     60 2010-07-06 22:39:09
taskhost.exe           2520    492     11    224 2010-07-06 22:39:10
conhost.exe            2568    348      2     33 2010-07-06 22:39:11
wsqmcons.exe           2576    492      1      3 2010-07-06 22:39:11
SearchProtocol         2680   1464      8    231 2010-07-06 22:39:27
VMwareResoluti         3064   1488      1     23 2010-07-06 22:40:27
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "C:\Users\admin\Desktop\vol\volatility\commands.py", line 96, in execute
    func(outfd, data)
  File "C:\Users\admin\Desktop\vol\plugins\internal\taskmods.py", line 146, in render_text
    for task in data:
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 404, in generate
    self.dump(path, payload)
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 409, in dump
    self.node.dump()
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 259, in dump
    self.storage.dump(self.stem, self)
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 357, in dump
    filename = self.filename(url)
  File "C:\Users\admin\Desktop\vol\volatility\cache.py", line 338, in filename
    raise RuntimeError("Storing non relative URLs is not supported now ({0})".format(url))
RuntimeError: Storing non relative URLs is not supported now (file:///C:/Users/admin/Desktop/vol/win7vss.vmem/tests/pslist)

Original issue reported on code.google.com by atc...@gmail.com on 17 Aug 2010 at 11:36

GoogleCodeExporter commented 8 years ago
I'm going to close this as a duplicate, I think. The old issue still stands; we just identified that it was the cache.

Original comment by mike.auty@gmail.com on 17 Aug 2010 at 11:37