search

shree007 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

procexedump AttributeError with profile #30

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago 
Hey guys, 

I've been seeing this problem:

$ python volatility.py procexedump -f d0.vmem -p 1504 --dump-dir=out
Volatile Systems Volatility Framework 1.4_rc1
************************************************************************
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 98, in execute
    func(outfd, data)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/internal/procdump.py", line 54, in render_text
    if task.Peb.ImageBaseAddress == None or task_space == None or task_space.vtop(task.Peb.ImageBaseAddress) == None:
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/addrspace.py", line 84, in __eq__
    return  self.profile == other.profile and \
AttributeError: 'NoneType' object has no attribute 'profile'

It seems to happen anytime you test an address space with None like this:

ps_ad = p.get_process_address_space()
if ps_ad == None: # this will cause the issue

Original issue reported on code.google.com by michael.hale@gmail.com on 9 Sep 2010 at 2:24

GoogleCodeExporter commented 8 years ago 
The code at line 84 in addrspace.py (the __eq__ function):

 def __eq__(self, other):
        return  self.profile == other.profile and \
            self.__class__ == other.__class__ and self.base == other.base

just assumes that 'other' is an address space without checking

Original comment by atc...@gmail.com on 9 Sep 2010 at 3:52

GoogleCodeExporter commented 8 years ago 
This issue was closed by revision r425.

Original comment by mike.auty@gmail.com on 9 Sep 2010 at 10:27

GoogleCodeExporter commented 8 years ago 
Thanks, this should now be fixed in r425, by shuffling around the checks so 
that __class__ is checked first, None's class and the address spaces shouldn't 
match, so it'll short circuit out of the tests early.  Give me a shout if the 
problem doesn't disappear...

Original comment by mike.auty@gmail.com on 9 Sep 2010 at 10:28