TimsterMon / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

obj.py issues with Linux file-related plugins #365

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Several Linux plugins exit with an error in obj.py.  In my testing, the 
following modules are affected:

linux_find_file
linux_lsof
linux_mount
linux_mount_cache
linux_proc_maps
linux_tmpfs

Tested against volatility 2.2 and 2.3_alpha (linux_lsof appears to work under 
volatility 2.2) running on CentOS 6.3 x86 (kernel 2.6.32-279.14.1.el6.i686).  
Memory image and profile available from 
http://deer-run.com/~hal/mem-forensics.tgz

Here is the output from linux_lsof with stack trace:

[root@localhost mem-forensics]# vol.py --plugins=. 
--profile=LinuxCentOS-2_6_32-279_14_1x86 -f centos.lime linux_lsof
Volatile Systems Volatility Framework 2.3_alpha
Pid      FD       Path
-------- -------- ----
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 186, in <module>
    main()
  File "/usr/local/bin/vol.py", line 177, in main
    command.execute()
  File "/usr/local/src/volatility-20121208/volatility/plugins/linux/common.py", line 57, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/usr/local/src/volatility-20121208/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/usr/local/src/volatility-20121208/volatility/plugins/linux/lsof.py", line 53, in render_text
    self.table_row(outfd, task.pid, fd, linux_common.get_path(task, filp))
  File "/usr/local/src/volatility-20121208/volatility/plugins/linux/common.py", line 315, in get_path
    return do_get_path(rdentry, rmnt, dentry, vfsmnt)
  File "/usr/local/src/volatility-20121208/volatility/plugins/linux/common.py", line 281, in do_get_path
    if dentry == vfsmnt.mnt_root or dentry == dentry.d_parent:
  File "/usr/local/src/volatility-20121208/volatility/obj.py", line 536, in __getattr__
    return getattr(result, attr)
  File "/usr/local/src/volatility-20121208/volatility/obj.py", line 746, in __getattr__
    return self.m(attr)
  File "/usr/local/src/volatility-20121208/volatility/obj.py", line 728, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct mnt_parent has no member mnt_root

Original issue reported on code.google.com by h...@deer-run.com on 8 Dec 2012 at 8:12

GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 10 Dec 2012 at 2:13

GoogleCodeExporter commented 9 years ago
Hey Hal,

So these errors happened because you generated the profile with 2.2. Until 2.3 
is officially released, I would recommend sticking with trunk for the Linux 
support. I have attached a profile for your kernel built with 2.3, and all the 
plugins that you listed work with it.

I will be closing this bug as fixed. If something is still broken, just comment 
here or file a new bug.

Original comment by atc...@gmail.com on 10 Dec 2012 at 6:29

Attachments: