qwhai / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

TypeError in volshell when printing member offsets #172

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
As a result of our overlays w/ lambdas, sometimes volshell encounters a 
TypeError when trying to print structure member offsets:

In [7]: dt("_CONTROL_AREA", 0x81df20a0)
[CType _CONTROL_AREA] @ 0x81DF20A0
0x0   : Segment                        0
0x4   : DereferenceList                2178883748
0xc   : NumberOfSectionReferences      2214592513
0x10  : NumberOfPfnReferences          168296452
0x14  : NumberOfMappedViews            1818517846
0x18  : NumberOfSystemCacheViews       2178965016
0x1c  : NumberOfUserReferences         2178840712
0x20  : u                              2178883776
0x24  : FilePointer                    524250
0x28  : WaitingForDeletion             524250
0x2c  : ModifiedWriteCount             1
0x2e  : FlushInProgressCount           33928
0x30  : WritableUserReferences         2178883744
0x34  : QuadwordPad                    0
---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)

/Users/M/volatility_issues/volatility/plugins/volshell.pyc in <module>()
----> 1 
      2 
      3 
      4 
      5 

/Users/M/volatility_issues/volatility/plugins/volshell.pyc in dt(objct, address)
    292                     if isinstance(val, list):
    293                         val = [ str(v) for v in val ]
--> 294                     print "{0:6}: {1:30} {2}".format(hex(o), m, val)
    295             else:
    296                 print "ERROR: first argument not an object or known type"

TypeError: hex() argument can't be converted to hex

In this case, the hex() function is failing because it's trying to change a 
'function' type:

<type 'int'> Segment
<type 'int'> DereferenceList
<type 'int'> NumberOfSectionReferences
<type 'int'> NumberOfPfnReferences
<type 'int'> NumberOfMappedViews
<type 'int'> NumberOfSystemCacheViews
<type 'int'> NumberOfUserReferences
<type 'int'> u
<type 'int'> FilePointer
<type 'int'> WaitingForDeletion
<type 'int'> ModifiedWriteCount
<type 'int'> FlushInProgressCount
<type 'int'> WritableUserReferences
<type 'int'> QuadwordPad
<type 'function'> Flags <--------------- this one

Here is a patch for this problem:

Index: volatility/plugins/volshell.py
===================================================================
--- volatility/plugins/volshell.py  (revision 1156)
+++ volatility/plugins/volshell.py  (working copy)
@@ -285,7 +285,7 @@
                 for o, m, t in sorted(membs):
                     print "{0:6}: {1:30} {2}".format(hex(o), m, t)
             elif isinstance(objct, obj.BaseObject):
-                membs = [ (o, m) for m, (o, _c) in objct.members.items() ]
+                membs = [ (o, m) for m, (o, _c) in objct.members.items() if 
isinstance(o, int)]
                 print repr(objct)
                 for o, m in sorted(membs):
                     val = getattr(objct, m)

Original issue reported on code.google.com by michael.hale@gmail.com on 14 Dec 2011 at 4:12

GoogleCodeExporter commented 9 years ago
While we're at it, here's another version of the patch that also adds the 
ability to pass an address space to dt() - as is already possible for dd(), 
db(), and dis(). 

This is especially helpful for investigating false positives from the scanner 
commands. For example if you run connscan and get back the physical address of 
an alleged connection structure but it looks like an FP, you can then go into 
volshell and use dt(space=your_physical_space) and get a dump of the members. 

Original comment by michael.hale@gmail.com on 14 Dec 2011 at 4:23

Attachments:

GoogleCodeExporter commented 9 years ago
+1 on the dt() change as it's already in the linux 64 branch.

Re the function in there. In this case it's actually a curried function (i.e. 
calling it would return an actual offset) but we don't seem to really call it 
(we ignore the entire field). I think we should be calling it with the object 
so we can print the correct offset:

if callable(o):   # Python builtin; this is the "iscallable" check referred to below
    o = o(objct)

Original comment by scude...@gmail.com on 14 Dec 2011 at 5:01
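The following is an added example, not Volatility's own code, that models the member loop in volshell's dt() to show the three behaviours discussed in this thread: the original loop that passes a lambda-backed offset to hex() and raises TypeError, the first patch that filters on isinstance(o, int) and silently loses the member, and the suggested fix that calls the curried offset with the object so the member prints at its real offset. It is written for Python 3; FakeObject, resolve_offset and the sample layout (a few _CONTROL_AREA-like members plus a Flags member whose offset is a lambda) are constructed for this example.

```python
# Added example, not Volatility's own code: a small model of the member loop
# in volshell's dt(), showing why hex() blows up on a lambda-backed offset,
# what the first patch (filtering on isinstance(o, int)) loses, and how
# resolving the curried offset with the object prints the real layout.
# FakeObject, resolve_offset and SAMPLE are constructed for this example.


class FakeObject:
    """Stand-in for obj.BaseObject.

    members maps name -> (offset, ctype) as in the real objects; an offset
    is either an int or a callable that takes the object and returns the
    int offset (the curried form the overlay lambdas produce)."""

    def __init__(self, members, values):
        self.members = members
        self._values = values

    def __getattr__(self, name):
        # Mimic member access (objct.Segment etc.) from a plain dict.
        values = self.__dict__.get("_values", {})
        if name in values:
            return values[name]
        raise AttributeError(name)


def dt_naive(objct):
    """Pre-patch behaviour: hex() the raw offset, whatever type it is."""
    return ["{0:6}: {1:30} {2}".format(hex(o), m, getattr(objct, m))
            for m, (o, _c) in objct.members.items()]


def dt_filtered(objct):
    """First patch: silently skip members whose offset is not an int."""
    membs = [(o, m) for m, (o, _c) in objct.members.items()
             if isinstance(o, int)]
    return [(o, m, getattr(objct, m)) for o, m in sorted(membs)]


def resolve_offset(offset, objct):
    """Turn a curried offset into an int by calling it with the object."""
    if callable(offset):
        offset = offset(objct)
    if not isinstance(offset, int):
        raise TypeError("member offset is not an int: %r" % (offset,))
    return offset


def dt_resolved(objct):
    """Suggested fix: resolve callable offsets, then sort and print."""
    membs = [(resolve_offset(o, objct), m)
             for m, (o, _c) in objct.members.items()]
    return [(o, m, getattr(objct, m)) for o, m in sorted(membs)]


def format_rows(rows):
    """Render rows the way dt() prints them."""
    return ["{0:6}: {1:30} {2}".format(hex(o), m, v) for o, m, v in rows]


# Constructed sample loosely modelled on the _CONTROL_AREA dump above:
# fixed offsets for a few members and a lambda offset for Flags that
# points at the union member u (offset 0x20).
SAMPLE = FakeObject(
    members={
        "Segment": (0x0, "pointer"),
        "u": (0x20, "union"),
        "QuadwordPad": (0x34, "unsigned long"),
        "Flags": (lambda x: x.members["u"][0], "bitfield"),
    },
    values={"Segment": 0, "u": 2178883776, "QuadwordPad": 0, "Flags": 5},
)

if __name__ == "__main__":
    try:
        dt_naive(SAMPLE)
    except TypeError as e:
        print("naive dt() fails:", e)
    print("filtered members:", [m for _, m, _ in dt_filtered(SAMPLE)])
    for line in format_rows(dt_resolved(SAMPLE)):
        print(line)
```

Running it shows the naive loop failing on the Flags member, the filtered version listing only Segment, u and QuadwordPad, and the resolved version printing Flags at 0x20 alongside u, which is the output the second patch in this thread aims for.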

GoogleCodeExporter commented 9 years ago
Great, thanks Scudette. Here's a new patch with the iscallable check. Look good?

Original comment by michael.hale@gmail.com on 14 Dec 2011 at 5:57

Attachments:

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1157.

Original comment by michael.hale@gmail.com on 14 Dec 2011 at 9:30