mkarimim / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

linux_check_fop issue #486

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1.
2.
3.

# ./vol.py  --profile=Linuxfedora19x86 -f /home/fedora_7marzo14.lime 
linux_check_fop
Volatility Foundation Volatility Framework 2.3.1
Symbol Name                                Member                            
Address
------------------------------------------ ------------------------------ 
----------
WARNING : volatility.obj      : Cant find object proc_dir_entry in profile 
<volatility.plugins.overlays.linux.linux.Linuxfedora19x86 object at 0xbe06d4c>?
Traceback (most recent call last):
  File "./vol.py", line 184, in <module>
    main()
  File "./vol.py", line 175, in main
    command.execute()
  File "/root/volatility-2.3.1/volatility/plugins/linux/common.py", line 62, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/root/volatility-2.3.1/volatility/commands.py", line 122, in execute
    func(outfd, data)
  File "/root/volatility-2.3.1/volatility/plugins/linux/check_fops.py", line 143, in render_text
    for (what, member, address) in data:
  File "/root/volatility-2.3.1/volatility/plugins/linux/check_fops.py", line 134, in calculate
    for (name, member, address) in func(f_op_members, modules):
  File "/root/volatility-2.3.1/volatility/plugins/linux/check_fops.py", line 107, in check_proc_root_fops
    for (hooked_member, hook_address) in self.verify_ops(proc_root.proc_fops, f_op_members, modules):
AttributeError: 'NoneType' object has no attribute 'proc_fops'

What is the expected output? What do you see instead?

What version of the product are you using? On what operating system?
2.3.1

Please provide any additional information below.
Fedora19 on laptop dell vostro. I have tried the same on a livecd withe the 
same output.
Debug attacched.

Original issue reported on code.google.com by mediome...@gmail.com on 11 Mar 2014 at 9:22

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by michael.hale@gmail.com on 11 Mar 2014 at 2:43

GoogleCodeExporter commented 8 years ago
Hello,

Can you please copy/paste the output of uname -a on the machine being analyzed? 
The plugin is breaking because the structure proc_dir_entry is not within the 
profile, but I am unable to find any kernels (through 3.13) that do not have 
this structure defined.

Original comment by atc...@gmail.com on 11 Mar 2014 at 4:38

GoogleCodeExporter commented 8 years ago

# zip volatility/plugins/overlays/linux/fedora19.zip tools/linux/module.dwarf 
/boot/System.map-3.13.5-101.fc19.i686 

[root@localhost volatility-2.3.1]# uname -a
Linux localhost.localdomain 3.13.5-101.fc19.i686 #1 SMP Tue Feb 25 21:46:59 UTC 
2014 i686 i686 i386 GNU/Linux

Original comment by mediome...@gmail.com on 11 Mar 2014 at 5:20

GoogleCodeExporter commented 8 years ago
[root@localhost volatility-2.3.1]# grep proc_dir_entry 
/boot/System.map-3.13.5-101.fc19.i686
[root@localhost volatility-2.3.1]# 

Original comment by mediome...@gmail.com on 11 Mar 2014 at 5:32

GoogleCodeExporter commented 8 years ago
Hello,

I have the same issue and get the same stacktrace with the following version:
$ uname -a
Linux tux 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:08:14 UTC 2014 i686 
i686 i686 GNU/Linux

Original comment by alnajin...@gmail.com on 28 Jun 2014 at 5:49

GoogleCodeExporter commented 8 years ago
I have fixed this in the 2.4 release of Volatility. Attached is a working 
profile for the kernel version. Please let me know if you experience any issues 
with it.

Original comment by atc...@gmail.com on 10 Jul 2014 at 9:42

Attachments: