tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Plugin errors in scudette-branch #252

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Last month I sent a message ("Plugin errors in scudette-branch") to the 
volatility mailing list. I received the errors, as described in the message, 
using the scudette-branch r1628. Yesterday I tried the revision 1688 on an 
Ubuntu 11.10 (Kernel 3.0.0-17-generic, 64 Bit), Debian 6.0.2.1 (Kernel 
2.6.32-5-686, 32 Bit). I also tried to analyse the memory images from the 
previous two systems on an Ubuntu 12.04 LTS. Some issues still appear.

I now use, as suggested in the mailing list, the plugins.pslist command 
inside the ipython shell. This works well on all of my three testing 
distributions. But when I use "pslist" as a string, it works on Ubuntu 11.10 
and Debian 6.0.2.1, but on Ubuntu 12.10 I get the following message:

~/lin64-support$ python vol.py 
Python 2.7.3 (default, Apr 20 2012, 22:39:59) 
Type "copyright", "credits" or "license" for more information.

IPython 0.12.1 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

Welcome to volshell! 
To get help, type 'help()'

In [1]: session.filename = "memory.dd"

In [2]: session.profile_file = "ubuntu1204.zip"

In [3]: session.profile = "Linux64"

In [4]: vol "pslist"
  File "<ipython-input-4-c3119ce028aa>", line 1
    vol "pslist"
               ^
SyntaxError: invalid syntax

The ifconfig plugin doesn't show a ValueError on Ubuntu 11.10 any more:

In [6]: vol "ifconfig"
------> vol("ifconfig")
lo       127.0.0.1        00:00:00:00:00:00               
eth0     10.0.2.15        08:00:27:22:d8:0e               
Out[6]: <volatility.plugins.linux.ifconfig.Ifconfig object at 0x2c9b0d0>

On Debian 6.0.2.1 I still get this output:

In [6]: vol "ifconfig"
------> vol("ifconfig")
lo       127.0.0.1        00:00:00:00:00:00               
eth0     10.0.2.15        08:00:27:e9:15:4a               
ERROR:root:Error: Unknown format code 's' for object of type 'int'
---------------------------------------------------------------------------
ValueError                                Traceback (most recent call last)

/home/vitax/lin64-support/vol.py in <module>()
----> 1 
      2 
      3 
      4 
      5 

/home/vitax/lin64-support/volatility/session.py in vol(self, plugin_cls, fd, 
debug, output, **kwargs)
    194             kwargs['session'] = self
    195             result = plugin_cls(**kwargs)
--> 196             result.render(fd)
    197 
    198             return result

/home/vitax/lin64-support/volatility/plugins/linux/ifconfig.py in render(self, 
outfd)
     97 
     98             outfd.write("{0:8s} {1:16s} {2:32s}\n".format(
---> 99                     net_dev.name, ip, mac_addr))
    100 
    101 

ValueError: Unknown format code 's' for object of type 'int'

The netstat plugin still shows the AttributeError, but as I saw in the todo 
list, it isn't implemented yet.

The dmesg plugin doesn't show the UnicodeDecodeError on an Ubuntu 11.10 memory 
image any more.

Original issue reported on code.google.com by vitax....@googlemail.com on 11 May 2012 at 1:45

GoogleCodeExporter commented 9 years ago

Original comment by mike.auty@gmail.com on 11 May 2012 at 11:38

GoogleCodeExporter commented 9 years ago
Thanks for testing this.

Newer versions of ubuntu seem to use ipython 0.12, while I was mostly using 
ipython 0.11 for development. I have corrected the problems with our ipython 
use so now we can use 0.12 as well.

Unfortunately 0.12 changes some of the default behaviours. In ipython 0.11 you 
could type:

vol "plugin_name"

and it would implicitly convert it to a function call (in python syntax)

vol("plugin_name")

But it seems in 0.12 it no longer does that. I have corrected the documentation 
to use the full function call syntax. I actually liked the previous behavior so 
it's unfortunate that it has been changed by ipython. 

Regarding the ifconfig problem, please try to change line
http://code.google.com/p/volatility/source/browse/branches/scudette/volatility/plugins/linux/ifconfig.py#89

from ip = 0 to ip = "0.0.0.0"

Original comment by scude...@gmail.com on 13 May 2012 at 7:22
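
Added example, not part of the original thread and not Volatility's own code: it reproduces the ValueError from the traceback using the format string quoted there, and shows why a string default avoids it. The device list, the function names and the assumption that the failing row was an interface with no IPv4 address are constructed for illustration.

```python
# Added illustration; every name here is hypothetical, not Volatility's API.
import io

ROW = "{0:8s} {1:16s} {2:32s}\n"  # format string quoted in the traceback

# Constructed sample: (device name, IPv4 address or None, MAC address).
DEVICES = [
    ("lo", "127.0.0.1", "00:00:00:00:00:00"),
    ("eth0", "10.0.2.15", "08:00:27:e9:15:4a"),
    ("pan0", None, "00:00:00:00:00:00"),  # assumed: interface with no address
]


def render(devices, outfd, default_ip):
    """Write one row per device, using default_ip when no address is set."""
    for name, ip, mac in devices:
        if ip is None:
            ip = default_ip
        # The 's' format code only accepts str; an int default raises here.
        outfd.write(ROW.format(name, ip, mac))


def render_safe(devices, outfd, default_ip="0.0.0.0"):
    """Coerce every field to str so one odd value cannot abort the listing."""
    for name, ip, mac in devices:
        fields = (name, default_ip if ip is None else ip, mac)
        outfd.write(ROW.format(*(str(f) for f in fields)))


def rows_before_failure(default_ip):
    """Return (rows written, error text or None) for a given default."""
    out = io.StringIO()
    err = None
    try:
        render(DEVICES, out, default_ip)
    except ValueError as exc:
        err = str(exc)
    return out.getvalue().count("\n"), err
```

With the integer default the first two rows are written and the third raises, which matches the partial output followed by the traceback in the report above.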

GoogleCodeExporter commented 9 years ago
@vitax.set are you satisfied / have this working now? Can we close out the 
issue? 

Original comment by michael.hale@gmail.com on 13 Jun 2012 at 2:45

GoogleCodeExporter commented 9 years ago
Haven't heard back from @vitax.set, so assuming this is all good and closing 
the issue. 

Original comment by michael.hale@gmail.com on 9 Aug 2012 at 2:34