search

ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
1 stars 0 forks source link

vadinfo unicode error #295

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
I just let vadinfo run across all the processes and it blew up with this 
backtrace:

Traceback (most recent call last):
  File "vol.py", line 185, in <module>
    main()
  File "vol.py", line 176, in main
    command.execute()
  File "\volatility\commands.py", line 111, in execute
    func(outfd, data)
  File "\volatility\plugins\vadinfo.py", line 100, in render_text
    self.write_vad_control(outfd, vad)
  File "\volatility\plugins\vadinfo.py", line 160, in write_vad_control
    outfd.write("FileObject @{0:08x}, Name: {1}\n".format(file_object.obj_offset, file_object.FileName))
UnicodeEncodeError: 'ascii' codec can't encode characters in position 0-71: 
ordinal not in range(128)

----

I traced back and it was trying to analyze the nEnhancerService process. I can 
patch vadinfo to print the raw unicode buffer if it matters, but I figured the 
error was enough

Original issue reported on code.google.com by atc...@gmail.com on 9 Jul 2012 at 10:51

GoogleCodeExporter commented 9 years ago 
Try this patch:

- outfd.write("FileObject @{0:08x}, Name: {1}\n".format(file_object.obj_offset, 
file_object.FileName))
+ outfd.write("FileObject @{0:08x}, Name: {1}\n".format(file_object.obj_offset, 
str(file_object.FileName or '')))

Original comment by michael.hale@gmail.com on 9 Jul 2012 at 11:14

GoogleCodeExporter commented 9 years ago 
I just hit another one myself using hasdump. Going to log it here to make sure 
we fix both cases. 

$ /usr/bin/python2.6 vol.py -f 
~/Desktop/memory/Win2003SP1x86/Win2K3SP1x86-Snapshot1.vmem 
--profile=Win2003SP1x86 hivelist
Volatile Systems Volatility Framework 2.1_rc1
Virtual    Physical   Name
---------- ---------- ----
0xe1013008 0x17b3e008 [no name]
0xe101c008 0x17b46008 \Device\HarddiskVolume1\WINDOWS\system32\config\system
0xe129c008 0x178c8008 [no name]
0xe1522750 0x16521750 \Device\HarddiskVolume1\WINDOWS\system32\config\SECURITY
0xe1535438 0x15a7c438 \Device\HarddiskVolume1\WINDOWS\system32\config\SAM
0xe1526a80 0x164a7a80 \Device\HarddiskVolume1\WINDOWS\system32\config\software
0xe15203a0 0x164af3a0 \Device\HarddiskVolume1\WINDOWS\system32\config\default
0xe197f310 0x136ea310 \Device\HarddiskVolume1\Documents and 
Settings\NetworkService\NTUSER.DAT
0xe198aa80 0x13604a80 \Device\HarddiskVolume1\Documents and 
Settings\NetworkService\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat
0xe19ae718 0x13448718 \Device\HarddiskVolume1\Documents and 
Settings\LocalService\NTUSER.DAT
0xe19be008 0x1336a008 \Device\HarddiskVolume1\Documents and 
Settings\LocalService\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat
0xe1ac7a80 0x048c3a80 \Device\HarddiskVolume1\Documents and 
Settings\Administrator\NTUSER.DAT
0xe1a12458 0x02bba458 \Device\HarddiskVolume1\Documents and 
Settings\Administrator\Local Settings\Application 
Data\Microsoft\Windows\UsrClass.dat
Traceback (most recent call last):
  File "vol.py", line 185, in <module>
    main()
  File "vol.py", line 176, in main
    command.execute()
  File "/Users/Michael/volatility_is_valid_profile/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/Users/Michael/volatility_is_valid_profile/volatility/plugins/registry/hivelist.py", line 67, in render_text
    self.table_row(outfd, hive.obj_offset, hive.obj_vm.vtop(hive.obj_offset), name)
  File "/Users/Michael/volatility_is_valid_profile/volatility/commands.py", line 201, in table_row
    result = self._elide(("{0:" + spec.to_string() + "}").format(args[index]), spec.minwidth)
UnicodeEncodeError: 'ascii' codec can't encode character u'\ufffd' in position 
0: ordinal not in range(128)

Original comment by michael.hale@gmail.com on 10 Jul 2012 at 2:23

GoogleCodeExporter commented 9 years ago 
This issue was closed by revision r2011.

Original comment by michael.hale@gmail.com on 10 Jul 2012 at 3:20