search

ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
1 stars 0 forks source link

linux_tmpfs -L produces KeyError: 'mnt_hash' #372

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Boot Lubuntu 12.10 64bit Live then mount a HD partition via pcmanfm
2. Dump memory to the mounted drive partition
3. Audit *.lime with linux_tmpfs -L

What is the expected output?
Should be a numeric list of tmpfs files.

What do you see instead?

python vol.py --profile=Linuxlubuntu1210amd64x64 -f 
/media/lubuntu/xxxxxxxx-bfc6-4bd0-983f-xxxxxxxxxxxx/user/Work/lubuntu1210-012413
-21-52.lime linux_tmpfs -L
Volatile Systems Volatility Framework 2.2
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/home/lubuntu/Downloads/volatility-2.2/volatility/plugins/linux/common.py", line 57, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/lubuntu/Downloads/volatility-2.2/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/home/lubuntu/Downloads/volatility-2.2/volatility/plugins/linux/tmpfs.py", line 177, in render_text
    for (i, path) in data:
  File "/home/lubuntu/Downloads/volatility-2.2/volatility/plugins/linux/tmpfs.py", line 165, in calculate
    tmpfs_sbs = self.get_tmpfs_sbs()
  File "/home/lubuntu/Downloads/volatility-2.2/volatility/plugins/linux/tmpfs.py", line 129, in get_tmpfs_sbs
    for (sb, _dev_name, path, fstype, _rr, _mnt_string) in linux_mount.linux_mount(self._config).parse_mnt(mnts):
  File "/home/lubuntu/Downloads/volatility-2.2/volatility/plugins/linux/mount.py", line 61, in parse_mnt
    for (mnt, ns) in data:
  File "/home/lubuntu/Downloads/volatility-2.2/volatility/plugins/linux/mount.py", line 53, in calculate
    for mnt in outerlist.list_of_type(mnttype, "mnt_hash"):
  File "/home/lubuntu/Downloads/volatility-2.2/volatility/plugins/overlays/linux/linux.py", line 445, in list_of_type
    offset = self.obj_vm.profile.get_obj_offset(obj_type, member)
  File "/home/lubuntu/Downloads/volatility-2.2/volatility/obj.py", line 1010, in get_obj_offset
    offset, _cls = tmp.members[member]
KeyError: 'mnt_hash'

What version of the product are you using? On what operating system?
Volatility-2.2 > Dump from and reviewed on Lubuntu 12.10 64bit LiveDVD
$ uname -a
Linux lubuntu 3.5.0-17-generic #28-Ubuntu SMP Tue Oct 9 19:31:23 UTC 2012 
x86_64 x86_64 x86_64 GNU/Linux

Please provide any additional information below.

Original issue reported on code.google.com by peekn...@gmail.com on 25 Jan 2013 at 4:51

GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 25 Jan 2013 at 12:46

GoogleCodeExporter commented 9 years ago 
Similar issues occur with other plugins, affected plugins are: linux_tmpfs -L; 
linux_mount; linux_lsof; linux_proc_maps -p (on a non-hidden process). Each 
error message may be different than the one listed for linux_tmpfs -L.

Original comment by peekn...@gmail.com on 25 Jan 2013 at 6:10

GoogleCodeExporter commented 9 years ago 
Hello,

Can you please download svn trunk and try? This issue should be fixed in it 
since about a month ago (we had a similar report then). All of those plugins 
are breaking because they are inheriting same function, so they should all be 
fixed at once.

Original comment by atc...@gmail.com on 29 Jan 2013 at 1:10

GoogleCodeExporter commented 9 years ago

Original comment by michael.hale@gmail.com on 1 Feb 2013 at 4:11