search

kkchauhan / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

support raw and raw-padded mac memory dumps from atc-ny #387

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
So using MacMemoryReader with the default Mach-O format, everything works. 
Using MacMemoryReader with -p (raw) we error out with: 

$ python vol.py --profile=Mac10_6_8-32bitx86 -f 
~/Downloads/MacMemoryReader/ram_dump.raw mac_pslist -d 
Volatile Systems Volatility Framework 2.3_alpha
.....
DEBUG   : volatility.plugins.overlays.mac.mac: Requested symbol _BootPML4 not 
found in module kernel

Using MacMemoryReader with -P (raw but padded) we go in an infinite loop:

$ python vol.py --profile=Mac10_6_8-32bitx86 -f 
~/Downloads/MacMemoryReader/ram_dump.padded.raw mac_pslist
Volatile Systems Volatility Framework 2.3_alpha
Offset     Name                 Pid      Uid      Gid      PGID     DTB        
Start Time
---------- -------------------- -------- -------- -------- -------- ---------- 
----------
0x0ec602a0 image                30424    0        0        30416    0x62339000 
Mon, 25 Feb 2013 22:38:51
0x0f8f32a0 mdworker             30422    89       89       30422    0x24...000 
Mon, 25 Feb 2013 22:38:50
0x0fea1000 taskgated            30417    -        -        -55...11 ---------- 
Mon, 25 Feb 2013 22:38:50
0x0ec607e0 airportd             30427    -        -        -55...11 ---------- 
Mon, 25 Feb 2013 22:39:59
0x0fea1000 taskgated            30417    -        -        -55...11 ---------- 
Mon, 25 Feb 2013 22:38:50
0x0ec607e0 airportd             30427    -        -        -55...11 ---------- 
Mon, 25 Feb 2013 22:39:59
0x0fea1000 taskgated            30417    -        -        -55...11 ---------- 
Mon, 25 Feb 2013 22:38:50
0x0ec607e0 airportd             30427    -        -        -55...11 ---------- 
Mon, 25 Feb 2013 22:39:59
......<same processes forever>

Original issue reported on code.google.com by michael.hale@gmail.com on 26 Feb 2013 at 3:53

GoogleCodeExporter commented 8 years ago 
I'm going to close this because the issue is not with the format of the memory 
dumps per se, its a plugin-specific error, most of which has already been fixed 
in the recent mac related commits. Anything remaining will be submitted as 
separate bugs.

Original comment by michael.hale@gmail.com on 31 Mar 2013 at 9:11