TimsterMon / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

bug in mac_trustedbsd #422

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Run the mac_trustedbsd command against any OS X memory sample

What is the expected output? What do you see instead?
It should list nothing or malicious trustedbsd policies if present.
Instead:

Check                                    Name                 Pointer           
---------------------------------------- -------------------- ------------------
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/Users/what/tools/volatility-test2/volatility/plugins/mac/common.py", line 43, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/Users/what/tools/volatility-test2/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/Users/what/tools/volatility-test2/volatility/plugins/mac/trustedbsd.py", line 73, in render_text
    for (good, check, name, ptr) in data:
  File "/Users/what/tools/volatility-test2/volatility/plugins/mac/trustedbsd.py", line 67, in calculate
    good = common.is_known_address(ptr, kernel_symbol_addresses, kmods, 0) 
TypeError: is_known_address() takes exactly 3 arguments (4 given)

What version of the product are you using? On what operating system?
r3420 on MacMountainLion_10_8_3_AMDx64

Please provide any additional information below.
Code in https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/mac/trustedbsd.py#67 needs to be:

  good = common.is_known_address(ptr, kernel_symbol_addresses, kmods)

instead of:

  good = common.is_known_address(ptr, kernel_symbol_addresses, kmods, 0) 

This is where the 'problem' was introduced:

https://code.google.com/p/volatility/source/diff?spec=svn3420&r=3311&format=side&path=/trunk/volatility/plugins/mac/common.py&old_path=/trunk/volatility/plugins/mac/common.py&old=3174

Original issue reported on code.google.com by cemgur...@gmail.com on 20 May 2013 at 8:00
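The check behind the failing line 67 is what makes mac_trustedbsd useful: each policy's hook pointer is "good" only if it resolves to a kernel symbol or lies inside a loaded kernel module, and anything else is listed as a potentially malicious policy. The block below is an added illustration, not Volatility's own code: `is_known_address`, `Kmod`, `check_policies` and `suspicious` are simplified stand-ins with the three-argument call shape from the corrected line, and the symbol addresses, kmod range and policy hooks are constructed sample values.

```python
# Added illustration of the known-address check behind mac_trustedbsd.
# Not Volatility's code: is_known_address is a simplified stand-in that
# takes the three arguments used by the corrected call in the report.
from typing import Dict, List, NamedTuple, Tuple


class Kmod(NamedTuple):
    name: str
    address: int  # load address of the kernel extension
    size: int     # size of its mapped range in bytes


def is_known_address(ptr: int, kernel_symbol_addresses: List[int],
                     kmods: List[Kmod]) -> bool:
    """True if ptr is a kernel symbol or falls inside a loaded kmod."""
    if ptr in set(kernel_symbol_addresses):
        return True
    return any(k.address <= ptr < k.address + k.size for k in kmods)


def check_policies(policies: Dict[str, Dict[str, int]],
                   kernel_symbol_addresses: List[int],
                   kmods: List[Kmod]) -> List[Tuple[bool, str, str, int]]:
    """Walk every hook of every policy and emit (good, check, name, ptr)
    rows, the tuple shape the plugin's render_text iterates over."""
    rows = []
    for name, hooks in policies.items():
        for check, ptr in hooks.items():
            good = is_known_address(ptr, kernel_symbol_addresses, kmods)
            rows.append((good, check, name, ptr))
    return rows


def suspicious(rows: List[Tuple[bool, str, str, int]]):
    """Rows whose hook pointer is not a known address: the entries a
    defender would want surfaced as potentially malicious policies."""
    return [r for r in rows if not r[0]]


# Constructed sample data (hypothetical, not from a real memory image).
KERNEL_SYMBOLS = [0xFFFFFF8000A1B000, 0xFFFFFF8000A1B2C0]
KMODS = [Kmod("com.example.sandbox", 0xFFFFFF7F80C00000, 0x20000)]
POLICIES = {
    "Sandbox": {"mpo_proc_check_fork": 0xFFFFFF7F80C01234},     # inside kmod
    "Quarantine": {"mpo_vnode_check_exec": 0xFFFFFF8000A1B2C0},  # a symbol
    "Unknown": {"mpo_proc_check_fork": 0xFFFFFF7F9A000000},     # nowhere known
}

if __name__ == "__main__":
    for good, check, name, ptr in check_policies(POLICIES, KERNEL_SYMBOLS, KMODS):
        print(f"{'OK' if good else 'UNKNOWN':8}{check:24}{name:12}{ptr:#018x}")
```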

GoogleCodeExporter commented 9 years ago
Sorry about the duplicate entry, I guess I hit the submit button twice...

Original comment by cemgur...@gmail.com on 20 May 2013 at 8:09

GoogleCodeExporter commented 9 years ago
No problem, I'll mark this one as invalid.

Original comment by mike.auty@gmail.com on 20 May 2013 at 8:25