tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Problem with dwarfparser on Windows #312

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hi,

It seems there's a problem running dwarfparser.py on Windows. I can't generate 
the json file on Windows; however, I have no problem if I try to make it on 
Ubuntu.

On Windows, I have:

C:\Users\VM-Seven\Desktop>python scudette/volatility/plugins/overlays/linux/dwarfparser.py module_dwarf.ko > module.json
Traceback (most recent call last):
  File "scudette/volatility/plugins/overlays/linux/dwarfparser.py", line 319, in <module>
    parser = DWARFParser(open(sys.argv[1]))
  File "scudette/volatility/plugins/overlays/linux/dwarfparser.py", line 276, in __init__
    self._dwarfinfo = self.elffile.get_dwarf_info()
  File "C:\Python27\lib\site-packages\elftools\elf\elffile.py", line 135, in get_dwarf_info
    relocate_dwarf_sections)
  File "C:\Python27\lib\site-packages\elftools\elf\elffile.py", line 294, in _read_dwarf_section
    section_stream, reloc_section)
  File "C:\Python27\lib\site-packages\elftools\elf\relocation.py", line 124, in apply_section_relocations
    self._do_apply_relocation(stream, reloc, symtab)
  File "C:\Python27\lib\site-packages\elftools\elf\relocation.py", line 172, in _do_apply_relocation
    stream_pos=reloc['r_offset'])
  File "C:\Python27\lib\site-packages\elftools\common\utils.py", line 34, in struct_parse
    raise ELFParseError(e.message)
elftools.common.exceptions.ELFParseError: expected 4, found 0

The profile seems to be ok because pslist works:

C:\Users\VM-Seven\Desktop\Scudette>python vol.py
Python 2.7.2 (default, Jun 24 2011, 12:21:10) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.

IPython 0.13 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "E:\Lime\Ubuntu-11.04-64-bit\u64.padded"
In [2]: session.profile_file = "E:\Lime\Ubuntu-11.04-64-bit\myprofile.zip"
In [3]: session.profile = profiles.Linux64
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
Offset   Name                 Pid             Uid
0x88020f4c8000 init                 1               0
0x88020f4c96e0 kthreadd             2               0
0x88020f4cadc0 ksoftirqd/0          3               0
[...]

My configuration is:

- Windows Seven 64bit
- ActivePython 2.7.2.5 32bit
- pyelftools-0.20 (http://pypi.python.org/pypi/pyelftools/#downloads)
- Scudettes branch r2075

Thanks for your help!

Sebastien

Original issue reported on code.google.com by sebastie...@gmail.com on 24 Jul 2012 at 3:11

GoogleCodeExporter commented 9 years ago
Hmm I think the problem is that the file is not opened in binary mode. Can you 
try to replace the line:

  File "scudette/volatility/plugins/overlays/linux/dwarfparser.py", line 319, in <module>
    parser = DWARFParser(open(sys.argv[1]))

with

  File "scudette/volatility/plugins/overlays/linux/dwarfparser.py", line 319, in <module>
    parser = DWARFParser(open(sys.argv[1], "rb"))

Original comment by scude...@gmail.com on 24 Jul 2012 at 3:44
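
An added example (not part of the original thread, and not Volatility or pyelftools code) showing why a missing "rb" can produce a short read like the one in the traceback, plus a guard a parser can apply to its input stream. The helper names and the sample bytes are hypothetical, and `crt_text_mode_read` is a simplified model, assumed here, of Windows text-mode reads (input ends at the first Ctrl-Z byte and CRLF collapses to LF).

```python
import io
import struct

# Constructed sample, not a real kernel module: an ELF-like header that
# contains CRLF and a Ctrl-Z byte, followed by a 32-bit word at offset 16.
SAMPLE = b"\x7fELF\x02\x01\x01\x00" + b"\r\n\x1a" + b"\x00" * 5 + struct.pack("<I", 0xDEADBEEF)
OFFSET = 16

def crt_text_mode_read(raw):
    """Simplified model (assumption) of what a Windows text-mode read returns."""
    eof = raw.find(b"\x1a")              # Ctrl-Z is treated as end of file
    if eof != -1:
        raw = raw[:eof]
    return raw.replace(b"\r\n", b"\n")   # CRLF collapses to LF

def read_u32_at(stream, offset):
    """Read a little-endian 32-bit word at a fixed offset; fail on a short read."""
    stream.seek(offset)
    data = stream.read(4)
    if len(data) != 4:
        raise ValueError("expected 4, found %d" % len(data))
    return struct.unpack("<I", data)[0]

def require_binary(stream):
    """Refuse a stream that was not opened in binary mode before parsing it."""
    if isinstance(stream, io.TextIOBase) or "b" not in getattr(stream, "mode", "b"):
        raise TypeError("parser input must be opened with mode 'rb'")
    return stream

def demo():
    """Return (value read from binary data, error seen on text-mode data)."""
    good = read_u32_at(require_binary(io.BytesIO(SAMPLE)), OFFSET)
    try:
        read_u32_at(io.BytesIO(crt_text_mode_read(SAMPLE)), OFFSET)
        bad = None
    except ValueError as exc:
        bad = str(exc)
    return good, bad

if __name__ == "__main__":
    print(demo())
```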

GoogleCodeExporter commented 9 years ago
You are right ;)

The problem is that the file is not opened in binary mode.

Thank you!

Original comment by sebastie...@gmail.com on 24 Jul 2012 at 4:01

GoogleCodeExporter commented 9 years ago

Original comment by mike.auty@gmail.com on 29 Jul 2012 at 9:51

GoogleCodeExporter commented 9 years ago
Fixed by r2114

Original comment by scude...@gmail.com on 30 Jul 2012 at 4:25