tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Fedora 15 dwarfparser problem (DW_AT_data_member_location) #313

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hey guys,

I can't analyze a Fedora 15 (32- and 64-bit) memory dump.

I'm not a Python programmer, but the problem seems to be related to
self.attributes['DW_AT_data_member_location'].value (dwarfparser.py line 173,
r1797, scudette's branch). In Ubuntu this value is a list and in Fedora it's an
integer...

H:\Volatility\Scudette>python.exe vol.py
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.

IPython 0.13 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: session.filename = "N:\\Lime\\Fedora-15-32bit\\f32.padded"
In [2]: session.profile_file = "N:\\Lime\\Fedora-15-32bit\\myprofile.zip"
In [3]: session.profile = profiles.Linux32
In [4]: vol plugins.pslist
------> vol(plugins.pslist)
ERROR:root:Fatal Error: 'int' object is not iterable
ERROR:root:Failed running plugin pslist: kernel_address_space not specified.

If I try to make a json file, I get a similar error:

seb@ubuntu-64:~/Desktop$ python scudette/volatility/plugins/overlays/linux/dwarfparser.py module_dwarf.ko > module.json
Traceback (most recent call last):
  File "scudette/volatility/plugins/overlays/linux/dwarfparser.py", line 319, in <module>
    parser = DWARFParser(open(sys.argv[1], "rb"))
  File "scudette/volatility/plugins/overlays/linux/dwarfparser.py", line 280, in __init__
    self.compile()
  File "scudette/volatility/plugins/overlays/linux/dwarfparser.py", line 298, in compile
    t = self.types[die.offset] = DIEFactory(die, self.types, parents)
  File "scudette/volatility/plugins/overlays/linux/dwarfparser.py", line 263, in DIEFactory
    return DIE_LOOKUP[die.tag](die, types, parents)
  File "scudette/volatility/plugins/overlays/linux/dwarfparser.py", line 174, in __init__
    die.cu.structs)
  File "scudette/volatility/plugins/overlays/linux/dwarfparser.py", line 157, in describe_DWARF_expr
    dwarf_expr_dumper.process_expr(expr)
  File "/usr/local/lib/python2.7/dist-packages/pyelftools-0.20-py2.7.egg/elftools/dwarf/dwarf_expr.py", line 119, in process_expr
    self.stream = BytesIO(bytelist2string(expr))
  File "/usr/local/lib/python2.7/dist-packages/pyelftools-0.20-py2.7.egg/elftools/common/utils.py", line 19, in bytelist2string
    return b''.join(int2byte(b) for b in bytelist)
TypeError: 'int' object is not iterable

Debug output from volatility:

H:\Volatility\Scudette>h:\Python27\python.exe vol.py --debug
Python 2.7.3 (default, Apr 10 2012, 23:31:26) [MSC v.1500 32 bit (Intel)]
Type "copyright", "credits" or "license" for more information.

IPython 0.13 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

Welcome to the volatility interactive shell!
To get help, type 'vhelp()'
In [1]: run -i N:\Lime\Fedora-15-64bit\memAnalysis.py
ERROR:root:Fatal Error: 'int' object is not iterable
> h:\python27\lib\site-packages\elftools\common\utils.py(19)bytelist2string()
-> return b''.join(int2byte(b) for b in bytelist)
(Pdb) where
  h:\volatility\scudette\volatility\plugins\core.py(182)GuessAddressSpace()
-> astype=astype, profile=self.profile, **kwargs)
  h:\volatility\scudette\volatility\plugins\addrspaces\amd64.py(55)__init__()
-> super(AMD64PagedMemory, self).__init__(**kwargs)
  h:\volatility\scudette\volatility\plugins\addrspaces\intel.py(92)__init__()
-> for dtb in find_dtb.dtb_hits():
  h:\volatility\scudette\volatility\plugins\linux\common.py(67)dtb_hits()
-> PAGE_OFFSET = (self.profile.get_constant("_text") -
  h:\volatility\scudette\volatility\obj.py(1319)get_constant()
-> if not self._ready: self.compile()
  h:\volatility\scudette\volatility\plugins\overlays\linux\linux.py(243)compile()
-> self.parse_profile_file(self.profile_file)
  h:\volatility\scudette\volatility\plugins\overlays\linux\linux.py(287)parse_profile_file()
-> vtypes = self.load_vtypes(profile_file)
  h:\volatility\scudette\volatility\plugins\overlays\linux\linux.py(263)load_vtypes()
-> parser = dwarfparser.DWARFParser(module)
  h:\volatility\scudette\volatility\plugins\overlays\linux\dwarfparser.py(280)__init__()
-> self.compile()
  h:\volatility\scudette\volatility\plugins\overlays\linux\dwarfparser.py(298)compile()
-> t = self.types[die.offset] = DIEFactory(die, self.types, parents)
  h:\volatility\scudette\volatility\plugins\overlays\linux\dwarfparser.py(263)DIEFactory()
-> return DIE_LOOKUP[die.tag](die, types, parents)
  h:\volatility\scudette\volatility\plugins\overlays\linux\dwarfparser.py(174)__init__()
-> die.cu.structs)
  h:\volatility\scudette\volatility\plugins\overlays\linux\dwarfparser.py(157)describe_DWARF_expr()
-> dwarf_expr_dumper.process_expr(expr)
  h:\python27\lib\site-packages\elftools\dwarf\dwarf_expr.py(119)process_expr()
-> self.stream = BytesIO(bytelist2string(expr))
> h:\python27\lib\site-packages\elftools\common\utils.py(19)bytelist2string()
-> return b''.join(int2byte(b) for b in bytelist)
(Pdb) p bytelist
0
(Pdb) whatis bytelist
<type 'int'>

The function describe_DWARF_expr(expr, structs) (line 143) seems to receive a
valid DWARFStructs:

structs: <elftools.dwarf.structs.DWARFStructs object at 0x02156B70>
DWARFStructs.little_endian: True
DWARFStructs.dwarf_format: 32
DWARFStructs.address_size: 8
expr: 0

Thanks!

Sebastien

Original issue reported on code.google.com by sebastie...@gmail.com on 24 Jul 2012 at 9:09
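The report above boils down to one DWARF detail: DW_AT_data_member_location may be encoded either as a location expression (a block of bytes, normally DW_OP_plus_uconst followed by a ULEB128 offset) or, as DWARF 4 permits and the Fedora modules here evidently use, as a plain constant. A parser that unconditionally hands the value to an expression evaluator blows up on the constant form with exactly the "'int' object is not iterable" seen in the traceback. The following is an added example, not Volatility's dwarfparser.py and not the r2114 fix; it resolves the attribute in either form. It assumes pyelftools' convention that constant-class forms (DW_FORM_data1/2/4/8, DW_FORM_udata) arrive as a Python int and DW_FORM_block*/DW_FORM_exprloc forms arrive as a list of byte values; the sample member lists at the bottom are constructed, not taken from a real kernel module.

```python
# Added example: resolve DW_AT_data_member_location in either DWARF form.
# Not Volatility's dwarfparser.py and not the r2114 fix.
#
# Assumption (modelled on pyelftools): a constant-class form is delivered
# as a Python int, a block/exprloc form as a list of byte values.

from typing import Dict, Iterable, List, Tuple, Union

DW_OP_plus_uconst = 0x23  # DWARF opcode: add a ULEB128 constant to the stack top

AttrValue = Union[int, bytes, bytearray, List[int]]


def decode_uleb128(data: bytes, pos: int = 0) -> Tuple[int, int]:
    """Decode one unsigned LEB128 value starting at data[pos].

    Returns (value, position just after the last byte consumed).
    """
    result = 0
    shift = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated ULEB128")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if byte & 0x80 == 0:
            return result, pos


def encode_uleb128(value: int) -> bytes:
    """Inverse of decode_uleb128; used here to build sample expressions."""
    if value < 0:
        raise ValueError("ULEB128 cannot encode negative values")
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def member_offset(value: AttrValue) -> int:
    """Byte offset of a struct member from its DW_AT_data_member_location.

    int         -> constant form: the integer is the offset itself.
    list/bytes  -> location expression: must be DW_OP_plus_uconst <ULEB128>,
                   the expression GCC emits for ordinary data members.
    Anything else is rejected rather than silently mis-parsed.
    """
    if isinstance(value, bool):
        raise TypeError("bool is not a valid attribute value")
    if isinstance(value, int):
        if value < 0:
            raise ValueError("negative member offset")
        return value
    if isinstance(value, (bytes, bytearray, list)):
        expr = bytes(value)
        if not expr:
            raise ValueError("empty location expression")
        if expr[0] != DW_OP_plus_uconst:
            raise ValueError("unsupported DWARF opcode 0x%02x" % expr[0])
        offset, end = decode_uleb128(expr, 1)
        if end != len(expr):
            raise ValueError("trailing bytes after DW_OP_plus_uconst")
        return offset
    raise TypeError("unexpected attribute value type %s" % type(value).__name__)


def struct_layout(members: Iterable[Tuple[str, AttrValue]]) -> Dict[str, int]:
    """Map member names to byte offsets for one structure's DW_TAG_member children."""
    return {name: member_offset(loc) for name, loc in members}


if __name__ == "__main__":
    # Constructed samples: the same struct as an older toolchain would describe
    # it (expression form) and as a DWARF 4 toolchain would (constant form).
    old_style = [("a", [0x23, 0x00]), ("b", [0x23, 0x08]), ("c", [0x23, 0x80, 0x01])]
    new_style = [("a", 0), ("b", 8), ("c", 128)]
    print(struct_layout(old_style))
    print(struct_layout(new_style))
```

The point of the type branch is that the constant form is already the answer; only the block form needs decoding, and a block whose first byte is not DW_OP_plus_uconst is an error worth surfacing rather than something to treat as an offset of 0.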

GoogleCodeExporter commented 9 years ago
Hi Sebastien,
  Can you please attach your compiled module_dwarf.ko?

Original comment by scude...@gmail.com on 26 Jul 2012 at 6:51

GoogleCodeExporter commented 9 years ago

Original comment by mike.auty@gmail.com on 29 Jul 2012 at 9:52

GoogleCodeExporter commented 9 years ago
Thanks for providing the file. Please check r2114 to confirm it fixes the issue.

Original comment by scude...@gmail.com on 30 Jul 2012 at 4:25

GoogleCodeExporter commented 9 years ago
Thank you, r2114 fixes the issue.

Original comment by sebastie...@gmail.com on 30 Jul 2012 at 8:10

GoogleCodeExporter commented 9 years ago
Thanks guys, sounds like this can be closed out. 

Original comment by michael.hale@gmail.com on 9 Aug 2012 at 4:47