tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Improper check for the presence of distorm3 module inside linux_check_syscall plugin #352

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. On a system without the distorm3 module run the linux_check_syscall plugin

What is the expected output? What do you see instead?

dimitris@BlackBox:~/Volatility/volatility-read-only$ python vol.py -f /home/dimitris/MemDumps/plague.lime --profile=LinuxDebianLinux2632x86 linux_check_syscall
Volatile Systems Volatility Framework 2.2
Table Name      Index Address    Symbol                        
---------- ---------- ---------- ------------------------------
WARNING : volatility.plugins.linux.check_syscall: distorm not installed. The best method to calculate the system call table size will not be used.
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/home/dimitris/Volatility/volatility-read-only/volatility/plugins/linux/common.py", line 57, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/dimitris/Volatility/volatility-read-only/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/home/dimitris/Volatility/volatility-read-only/volatility/plugins/linux/check_syscall.py", line 167, in render_text
    for (table_name, i, call_addr, hooked) in data:
  File "/home/dimitris/Volatility/volatility-read-only/volatility/plugins/linux/check_syscall.py", line 138, in calculate
    sys_call_info = self._get_table_info("sys_call_table")
  File "/home/dimitris/Volatility/volatility-read-only/volatility/plugins/linux/check_syscall.py", line 106, in _get_table_info
    table_size = self._get_table_info_distorm()
  File "/home/dimitris/Volatility/volatility-read-only/volatility/plugins/linux/check_syscall.py", line 80, in _get_table_info_distorm
    mode = distorm3.Decode32Bits
NameError: global name 'distorm3' is not defined

What version of the product are you using? On what operating system?

- I am using the trunk version of Volatility.
- dimitris@BlackBox:~$ uname -a
Linux BlackBox 2.6.32-5-amd64 #1 SMP Sun Sep 23 10:07:46 UTC 2012 x86_64 GNU/Linux
- dimitris@BlackBox:~$ python -V
Python 2.6.6

Please provide any additional information below.

In volatility/plugins/linux/check_syscall.py, although there is a check for the presence of distorm3 in the beginning (has_distorm), it is not used properly throughout the module, and as a result the application crashes while trying to access distorm3 methods inside the _get_table_info_distorm() method, on a system where distorm3 is not installed.

Original issue reported on code.google.com by dkaragasidis on 11 Oct 2012 at 9:25
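The defect described in this report is a general one: an optional-dependency guard (`has_distorm`) is set at import time but not consulted at the point where the optional module is actually used, so on a host without the module the plugin dies with a NameError instead of taking the documented fallback. The example below is added here to illustrate that pattern; it is not Volatility's own code, and everything in it is hypothetical: the "distorm method" is assumed to look for a `cmp eax, imm` in a syscall entry stub and take the immediate as the table length, the fallback is assumed to count consecutive table slots holding a pointer into a kernel-text range, and the table bytes, stub bytes and address range are constructed for the example. The buggy function reproduces the failure mode from the traceback above; the hardened function checks the guard where the module is used and the dispatcher falls back cleanly.

```python
"""Added example (not Volatility's own code): the optional-dependency guard
from issue #352, shown in its defective shape and then fixed.

Hypothetical assumptions, constructed for this example only:
  * the distorm-based method decodes a syscall entry stub and takes the
    immediate of the first `CMP EAX, imm` as the table length;
  * the fallback counts consecutive table slots that point into a
    pretend kernel-text range.
"""
import struct

try:
    import distorm3          # optional third-party disassembler
    has_distorm = True
except ImportError:
    has_distorm = False      # the name `distorm3` stays unbound on purpose

# Constructed sample data (not taken from any real memory image).
KTEXT_LO, KTEXT_HI = 0xC1000000, 0xC1400000   # pretend kernel text range
SAMPLE_TABLE = struct.pack(                     # 5 entries, then a zero slot
    "<6I", 0xC1001000, 0xC1001080, 0xC1001100, 0xC1001180, 0xC1001200, 0)
# Constructed 32-bit stub: cmp eax, 5 ; jae +2 ; nop ; nop
SAMPLE_STUB = b"\x83\xf8\x05\x73\x02\x90\x90"


def _cmp_immediate_via_distorm(stub):
    """Decode `stub` with distorm3 and return the imm of `CMP EAX, imm`.

    distorm3.Decode yields (offset, size, text, hexdump) tuples; the text
    uses upper-case mnemonics and hex immediates such as "CMP EAX, 0x5".
    """
    mode = distorm3.Decode32Bits
    for _off, _size, text, _hexdump in distorm3.Decode(0, stub, mode):
        if text.startswith("CMP EAX, "):
            imm = text.split(", ", 1)[1].strip()
            return int(imm, 16) if imm.lower().startswith("0x") else int(imm)
    return None


def table_size_buggy(stub):
    """Mirrors the reported defect: the module is used without consulting
    has_distorm, so without distorm3 this raises NameError (no fallback)."""
    return _cmp_immediate_via_distorm(stub)


def table_size_distorm(stub):
    """Hardened form: the guard is checked where the optional module is used,
    and the failure is an explicit, catchable error instead of a NameError."""
    if not has_distorm:
        raise RuntimeError("distorm3 is not installed; use the fallback method")
    return _cmp_immediate_via_distorm(stub)


def table_size_fallback(table):
    """Count consecutive slots whose value points into the kernel-text range.

    Hypothetical heuristic: stops at the first slot that is not a text pointer.
    """
    count = 0
    for (ptr,) in struct.iter_unpack("<I", table):
        if not (KTEXT_LO <= ptr < KTEXT_HI):
            break
        count += 1
    return count


def table_size(table, stub, use_distorm=None):
    """Dispatch the way the plugin should: prefer the distorm method when the
    module is present, otherwise (or if it finds nothing) use the fallback."""
    if use_distorm is None:
        use_distorm = has_distorm
    if use_distorm:
        size = table_size_distorm(stub)
        if size is not None:
            return size
    return table_size_fallback(table)


if __name__ == "__main__":
    print("distorm3 available:", has_distorm)
    print("table size (auto):", table_size(SAMPLE_TABLE, SAMPLE_STUB))
    print("table size (fallback only):",
          table_size(SAMPLE_TABLE, SAMPLE_STUB, use_distorm=False))
```

Run it on a host without distorm3 and `table_size()` reports 5 via the fallback, while calling `table_size_buggy()` directly reproduces the NameError from the traceback; the point of `table_size_distorm()` is that the guard lives next to the use of the module, so a missing dependency degrades to the slower method rather than a crash.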

GoogleCodeExporter commented 9 years ago
Thanks for the report! Just assigning this to andrew. 

Original comment by michael.hale@gmail.com on 11 Oct 2012 at 10:11

GoogleCodeExporter commented 9 years ago
Fixed in http://code.google.com/p/volatility/source/detail?r=2708

thanks for reporting!

Original comment by atc...@gmail.com on 15 Oct 2012 at 5:17