cakeboss893 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

hivelist attribute error w/incorrect profile 'FileAddressSpace' object has no attribute 'vtop' #98

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
It's a Windows 7 image where I forgot to put the profile:

$ python vol.py -f win7vss.vmem hivelist
Volatile Systems Volatility Framework 1.4_rc1
Virtual     Physical    Name
Traceback (most recent call last):
  File "vol.py", line 130, in <module>
    main()
  File "vol.py", line 121, in main
    command.execute()
  File "Volatility-1.4_rc1/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "Volatility-1.4_rc1/volatility/plugins/registry/hivelist.py", line 63, in render_text
    outfd.write("{0:#010x}  {1:#010x}  {2}\n".format(hive.obj_offset, hive.obj_vm.vtop(hive.obj_offset), name))
AttributeError: 'FileAddressSpace' object has no attribute 'vtop'

Maybe we can just use a try/except to handle it:

Index: volatility/plugins/registry/hivelist.py
===================================================================
--- volatility/plugins/registry/hivelist.py (revision 917)
+++ volatility/plugins/registry/hivelist.py (working copy)
@@ -60,7 +60,10 @@
                 except AttributeError:
                     name = "[no name]"
                 # Spec of 10 rather than 8 width, since the # puts 0x at the start, which is included in the width
-                outfd.write("{0:#010x}  {1:#010x}  
{2}\n".format(hive.obj_offset, hive.obj_vm.vtop(hive.obj_offset), name))
+                try:
+                    outfd.write("{0:#010x}  {1:#010x}  
{2}\n".format(hive.obj_offset, hive.obj_vm.vtop(hive.obj_offset), name))
+                except AttributeError:
+                    pass
                 hive_offsets.append(hive.obj_offset)

     @cache.CacheDecorator("tests/hivelist")
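Review bot: the try/except around outfd.write silently drops the whole row (virtual offset, physical offset and name) whenever vtop is missing, so a run with an absent or wrong profile yields an empty listing with no hint of why, while hive.obj_offset is still appended to hive_offsets afterwards; the except clause also catches any AttributeError raised inside the format call, not only the missing vtop. Better to test once before the loop, e.g. `if not hasattr(hive.obj_vm, 'vtop'):`, and fail with a message saying the plugin needs a paged (virtual) address space and a correct profile, or to enforce that when the address space is loaded rather than per row.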

Original issue reported on code.google.com by jamie.l...@gmail.com on 30 Mar 2011 at 10:45

GoogleCodeExporter commented 8 years ago

Original comment by jamie.l...@gmail.com on 30 Mar 2011 at 10:47

GoogleCodeExporter commented 8 years ago
So actually, this is a fairly hot topic.  We're just trying to figure out whether plugins should check that they've got a paged address space, if that's what they're expecting.  I think probably they should, but then that'll be an awful lot of extra code for a hopefully rare occurrence.  I don't think try/excepts everywhere would work out, perhaps we should add a requirement to utils.load_as that means it'll fail if it can't return a suitably paged AS?

Original comment by mike.auty@gmail.com on 30 Mar 2011 at 10:54

GoogleCodeExporter commented 8 years ago
ahhhh, right...  OK, I'll just let that get sorted out then as I see the 
discussion taking place now :-)

Original comment by jamie.l...@gmail.com on 30 Mar 2011 at 10:59

GoogleCodeExporter commented 8 years ago
Ok, here's a patch that adds the ability to specify "astype = 'virtual'" during 
a utils.load_as call, and it should error if it can't turn the physical AS into 
an appropriate virtual AS.

This should be generic enough to work with any other unusual architectures 
besides IA32 (x64, ARM, etc), since it defines a Virtual AS as something that 
provides a vtop function.

I've removed the storage of astype amongst the Intel ASes, since it wasn't standard (only Intel spaces used it), and the Intel spaces can't ever be anything but virtual.  I've also gone through and changed many of those args/kwargs statements.

So let me know if this is an appropriate patch, and then we can apply it.  5:)

Original comment by mike.auty@gmail.com on 12 Apr 2011 at 7:53

GoogleCodeExporter commented 8 years ago
CCing people for review of the patch.

Original comment by mike.auty@gmail.com on 12 Apr 2011 at 7:55

GoogleCodeExporter commented 8 years ago
Hmmm, let's try that with a patch that doesn't cause an infinite loop...

Original comment by mike.auty@gmail.com on 12 Apr 2011 at 8:04

Attachments:

GoogleCodeExporter commented 8 years ago
Ok, that's just been committed.  Now we just need a list of the plugins and 
tick off which ones explicitly require a virtual address space...

Original comment by mike.auty@gmail.com on 13 Apr 2011 at 6:12

GoogleCodeExporter commented 8 years ago
After some discussion with ikelos, I think having astype=virtual be the default is the way to go. Here's a rundown of what will need changing for either default:

                    Change if       Change if
Name                astype=either?  astype=virtual?
./bioskbd.py        No              No
./connections.py    Yes             No
./connscan2.py      No              No
./crashinfo.py      No              No
./dlldump.py        Yes             No
./filescan.py       Yes             No
./hibinfo.py        No              No
./imagecopy.py      No              No
./imageinfo.py      No              Yes
./kdbgscan.py       No              Yes
./kpcrscan.py       No              Yes
./malware.py        Yes             No
./moddump.py        Yes             No
./modscan2.py       Yes             No
./modules.py        Yes             No
./netscan.py        Yes             No
./patcher.py        No              No
./psscan.py         No              No
./pstree.py         Yes             No
hivelist.py         Yes             No
hivescan.py         No              No
lsadump.py          Yes             No
printkey.py         Yes             No
./sockets.py        Yes             No
./sockscan.py       No              No
./ssdt.py           Yes             No
./strings.py        Yes             No
./taskmods.py       Yes             No
./volshell.py       Yes             No

Original comment by moo...@gmail.com on 13 Apr 2011 at 6:56

GoogleCodeExporter commented 8 years ago
Ok, here's a first draft.  People seem against flags, although I think there's 
going to be a good scope for errors surrounding using plain strings.  There's 
no capitalization checking, so everything must be lower case, and the currently 
explicitly defined values are virtual, physical and any.  You can use a type 
outside of that, but the results are fairly open ended.  As usual, please post 
any comments here, or it'll get committed relatively soon...

Original comment by mike.auty@gmail.com on 13 Apr 2011 at 7:36

Attachments:
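The load_as(astype=...) behaviour described in the two comments above (a virtual space is one that provides vtop, and the accepted lower-case types are virtual, physical and any), modelled in an added Python example that is not Volatility's own code. The class names, the toy page table and the sample memory are constructed for illustration, and unlike the real patch this version rejects unknown astype values outright instead of leaving the result open-ended; it also shows a hivelist-style plugin demanding a virtual space once, up front, rather than catching AttributeError per row as the first patch in this thread did.

```python
"""Added example, not Volatility's own code: a toy address-space stack with a
load_as() that honours the 'astype' requirement discussed in this thread.
All class and function names here are assumptions for illustration."""


class PhysicalFileSpace:
    """Stands in for a raw memory file: it can read() but has no vtop()."""

    def __init__(self, data):
        self.data = data

    def read(self, offset, length):
        return self.data[offset:offset + length]


class PagedSpace:
    """Stands in for a paged (virtual) space layered on a physical one.
    The constructed page table maps virtual page numbers to physical ones."""

    PAGE = 0x1000

    def __init__(self, base, page_table):
        self.base = base
        self.page_table = page_table

    def vtop(self, vaddr):
        """Virtual-to-physical translation; None when the page is unmapped."""
        pfn = self.page_table.get(vaddr // self.PAGE)
        if pfn is None:
            return None
        return pfn * self.PAGE + (vaddr % self.PAGE)

    def read(self, vaddr, length):
        paddr = self.vtop(vaddr)
        return None if paddr is None else self.base.read(paddr, length)


class AddressSpaceError(Exception):
    """Raised when the requested kind of address space cannot be built."""


def is_virtual(space):
    """The thread's definition: a virtual space is one that provides vtop()."""
    return callable(getattr(space, "vtop", None))


def load_as(physical_data, profile=None, astype="virtual"):
    """Build the space stack. With no profile (the original report's mistake)
    only the physical file space can be produced, so astype='virtual' fails
    here with a clear error instead of an AttributeError deep in a plugin.
    Unknown or non-lowercase astype values are rejected outright (stricter
    than the thread describes; an assumption of this example)."""
    if astype not in ("virtual", "physical", "any"):
        raise ValueError("astype must be 'virtual', 'physical' or 'any' (lower case)")
    base = PhysicalFileSpace(physical_data)
    if astype == "physical":
        return base
    space = PagedSpace(base, profile["page_table"]) if profile else base
    if astype == "virtual" and not is_virtual(space):
        raise AddressSpaceError(
            "a virtual address space is required but only a physical one "
            "could be built; check that a correct profile was given")
    return space


def hivelist_rows(space, hives):
    """hivelist-style output: (virtual, physical, name) per hive. The check
    happens once, up front, so a wrong profile produces one clear error
    rather than rows silently vanishing from the listing."""
    if not is_virtual(space):
        raise AddressSpaceError("hivelist requires a virtual address space")
    return [(off, space.vtop(off), name) for off, name in hives]


# Constructed sample: 64 KiB of zeros with a marker in physical page 3,
# and a page table mapping virtual page 0x8000 onto that physical page.
SAMPLE_MEMORY = bytearray(0x10000)
SAMPLE_MEMORY[0x3000:0x3004] = b"regf"
SAMPLE_PROFILE = {"page_table": {0x8000: 3}}
SAMPLE_HIVES = [(0x8000000, "\\REGISTRY\\MACHINE\\SYSTEM")]


def demo():
    """Returns the rows produced when a correct profile is supplied."""
    space = load_as(bytes(SAMPLE_MEMORY), SAMPLE_PROFILE, astype="virtual")
    return hivelist_rows(space, SAMPLE_HIVES)


if __name__ == "__main__":
    for virt, phys, name in demo():
        print("{0:#010x}  {1:#010x}  {2}".format(virt, phys, name))
    try:
        load_as(bytes(SAMPLE_MEMORY), profile=None, astype="virtual")
    except AddressSpaceError as exc:
        print("without a profile:", exc)
```

Running the block prints one hive row with its translated physical offset, then the single clear error that replaces the traceback from the original report when no profile is given.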

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r957.

Original comment by mike.auty@gmail.com on 21 Apr 2011 at 8:18

GoogleCodeExporter commented 8 years ago
Ok, no complaints against the patch, so it's been applied.  Please report any 
problems here as soon as possible, and I'll get them fixed up...  5:)

Original comment by mike.auty@gmail.com on 21 Apr 2011 at 8:18