mj-5 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

issue with plugin timers and vmware snapshot #492

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
# history |grep VOLATI
   32  export VOLATILITY_PROFILE=Win2003SP2x86
   33  export VOLATILITY_LOCATION=file:///root/win2k3-srv-av-vsus-Snapshot48.vmsn
   81  history |grep VOLATI

# vol  timers
Volatility Foundation Volatility Framework 2.3.1
Offset(V)  DueTime                  Period(ms) Signaled   Routine    Module
---------- ------------------------ ---------- ---------- ---------- ------
Traceback (most recent call last):
  File "vol.py", line 184, in <module>
    main()
  File "vol.py", line 175, in main
    command.execute()
  File "/usr/share/volatility/volatility/commands.py", line 122, in execute
    func(outfd, data)
  File "/usr/share/volatility/volatility/plugins/malware/timers.py", line 187, in render_text
    for timer, module in data:
  File "/usr/share/volatility/volatility/plugins/malware/timers.py", line 145, in calculate
    count = 512)
  File "/usr/share/volatility/volatility/obj.py", line 171, in Object
    offset = int(offset)
TypeError: int() argument must be a string or a number, not 'NoneType'

What version of the product are you using? On what operating system?
vol 2.3.1 on linux. Windows2003 server as analyzed OS

Please provide any additional information below.
The memory captured come from vmware snapshot.

Original issue reported on code.google.com by mediome...@gmail.com on 29 Mar 2014 at 4:46

GoogleCodeExporter commented 8 years ago
Hello, 

Thanks for reporting. It looks like the timer table list head cannot be found. 
Could you please extract the NT kernel module and zip/attach it here? It would 
be a command like this:

$ mkdir OUTPUT 
$ vol moddump -r ntos -D OUTPUT 

Alternately, you can mail the file to me via email at michael @ 
memoryanalysis.net and we can get you a fix after looking into it. 

Original comment by michael.hale@gmail.com on 30 Mar 2014 at 8:34

GoogleCodeExporter commented 8 years ago
ok, kernel attached.

Original comment by mediome...@gmail.com on 30 Mar 2014 at 4:53

Attachments:

GoogleCodeExporter commented 8 years ago
Thanks, I see what the issue is...the reference to KiTimerTableListHead symbol 
is at a negative offset from the start of the function that we use to typically 
find the symbol, but the plugin only looks forward. I can have a fix in a day 
or two. 

Original comment by michael.hale@gmail.com on 31 Mar 2014 at 4:38

GoogleCodeExporter commented 8 years ago
following up via email

Original comment by michael.hale@gmail.com on 18 Jul 2014 at 7:50