GoogleCodeExporter closed this issue 9 years ago
4. Audit *.lime with linux_tmpfs -L should read-> 4. Audit *.lime with
linux_proc_maps
Original comment by peekn...@gmail.com
on 26 Jan 2013 at 12:40
Original comment by jamie.l...@gmail.com
on 28 Jan 2013 at 1:29
Hello,
Can you please download svn trunk and try? This issue should be fixed in it
since about a month ago (we had a similar report then). All of those plugins
are breaking because they are inheriting the same function, so they should all be
fixed at once.
Original comment by atc...@gmail.com
on 29 Jan 2013 at 1:10
I downloaded the svn trunk and still have issues with 3 out of 4 of the
plugins. linux_proc_maps is working while the rest are displaying the KeyError.
$ python vol.py -f /home/lubuntu/Work/lubuntu1210-3-5-0-22.lime --profile=LinuxLubuntu1210-3-5-0-22-genericx64 linux_tmpfs -L
Volatile Systems Volatility Framework 2.3_alpha
Traceback (most recent call last):
File "vol.py", line 186, in <module>
main()
File "vol.py", line 177, in main
command.execute()
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/common.py", line 57, in execute
commands.Command.execute(self, *args, **kwargs)
File "/home/lubuntu/volatility-read-only/volatility/commands.py", line 111, in execute
func(outfd, data)
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/tmpfs.py", line 177, in render_text
for (i, path) in data:
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/tmpfs.py", line 165, in calculate
tmpfs_sbs = self.get_tmpfs_sbs()
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/tmpfs.py", line 129, in get_tmpfs_sbs
for (sb, _dev_name, path, fstype, _rr, _mnt_string) in linux_mount.linux_mount(self._config).parse_mnt(mnts):
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/mount.py", line 61, in parse_mnt
for (mnt, ns) in data:
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/mount.py", line 53, in calculate
for mnt in outerlist.list_of_type(mnttype, "mnt_hash"):
File "/home/lubuntu/volatility-read-only/volatility/plugins/overlays/linux/linux.py", line 449, in list_of_type
offset = self.obj_vm.profile.get_obj_offset(obj_type, member)
File "/home/lubuntu/volatility-read-only/volatility/obj.py", line 1010, in get_obj_offset
offset, _cls = tmp.members[member]
KeyError: 'mnt_hash'
$ python vol.py -f /home/lubuntu/Work/lubuntu1210-3-5-0-22.lime --profile=LinuxLubuntu1210-3-5-0-22-genericx64 linux_lsof
Volatile Systems Volatility Framework 2.3_alpha
Pid FD Path
-------- -------- ----
Traceback (most recent call last):
File "vol.py", line 186, in <module>
main()
File "vol.py", line 177, in main
command.execute()
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/common.py", line 57, in execute
commands.Command.execute(self, *args, **kwargs)
File "/home/lubuntu/volatility-read-only/volatility/commands.py", line 111, in execute
func(outfd, data)
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/lsof.py", line 53, in render_text
self.table_row(outfd, task.pid, fd, linux_common.get_path(task, filp))
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/common.py", line 315, in get_path
return do_get_path(rdentry, rmnt, dentry, vfsmnt)
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/common.py", line 282, in do_get_path
if vfsmnt.mnt_parent == vfsmnt.v():
File "/home/lubuntu/volatility-read-only/volatility/obj.py", line 536, in __getattr__
return getattr(result, attr)
File "/home/lubuntu/volatility-read-only/volatility/obj.py", line 746, in __getattr__
return self.m(attr)
File "/home/lubuntu/volatility-read-only/volatility/obj.py", line 728, in m
raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct mnt has no member mnt_parent
$ python vol.py -f /home/lubuntu/Work/lubuntu1210-3-5-0-22.lime --profile=LinuxLubuntu1210-3-5-0-22-genericx64 linux_mount
Volatile Systems Volatility Framework 2.3_alpha
Traceback (most recent call last):
File "vol.py", line 186, in <module>
main()
File "vol.py", line 177, in main
command.execute()
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/common.py", line 57, in execute
commands.Command.execute(self, *args, **kwargs)
File "/home/lubuntu/volatility-read-only/volatility/commands.py", line 111, in execute
func(outfd, data)
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/mount.py", line 91, in render_text
for (_sb, dev_name, path, fstype, rr, mnt_string) in data:
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/mount.py", line 61, in parse_mnt
for (mnt, ns) in data:
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/mount.py", line 53, in calculate
for mnt in outerlist.list_of_type(mnttype, "mnt_hash"):
File "/home/lubuntu/volatility-read-only/volatility/plugins/overlays/linux/linux.py", line 449, in list_of_type
offset = self.obj_vm.profile.get_obj_offset(obj_type, member)
File "/home/lubuntu/volatility-read-only/volatility/obj.py", line 1010, in get_obj_offset
offset, _cls = tmp.members[member]
KeyError: 'mnt_hash'
$ python vol.py -f /home/lubuntu/Work/lubuntu1210-3-5-0-22.lime --profile=LinuxLubuntu1210-3-5-0-22-genericx64 linux_proc_maps -p 1
Volatile Systems Volatility Framework 2.3_alpha
Start End Flags Pgoff Major Minor Inode File Path
------------------ ------------------ ------ ------ ------ ------ ---------- --------------------------------------------------------------------------------
0x00007fa19ca5b000 0x00007fa19ca67000 r-x 0 252 0 8129996 /lib/x86_64-linux-gnu/libnss_files-2.15.so
0x00007fa19ca67000 0x00007fa19cc66000 --- 49152 252 0 8129996 /lib/x86_64-linux-gnu/libnss_files-2.15.so
0x00007fa19cc66000 0x00007fa19cc67000 r-- 45056 252 0 8129996 /lib/x86_64-linux-gnu/libnss_files-2.15.so
0x00007fa19cc67000 0x00007fa19cc68000 rw- 49152 252 0 8129996 /lib/x86_64-linux-gnu/libnss_files-2.15.so
Original comment by peekn...@gmail.com
on 31 Jan 2013 at 7:18
Original comment by michael.hale@gmail.com
on 1 Feb 2013 at 4:11
Issue 372 has been merged into this issue.
Original comment by michael.hale@gmail.com
on 1 Feb 2013 at 4:11
I'm including a similar issue from another plugin, linux_find_file.
$ python vol.py -f /home/user/Work/lubuntu1210-3-5-0-22.lime --profile=LinuxLubuntu1210-3-5-0-22-genericx64 linux_find_file -F "/var/run/utmp"
Volatile Systems Volatility Framework 2.3_alpha
Traceback (most recent call last):
File "vol.py", line 186, in <module>
main()
File "vol.py", line 177, in main
command.execute()
File "/home/user/volatility-read-only/volatility/plugins/linux/common.py", line 57, in execute
commands.Command.execute(self, *args, **kwargs)
File "/home/user/volatility-read-only/volatility/commands.py", line 111, in execute
func(outfd, data)
File "/home/user/volatility-read-only/volatility/plugins/linux/find_file.py", line 137, in render_text
for dentry in data:
File "/home/user/volatility-read-only/volatility/plugins/linux/find_file.py", line 115, in calculate
wanted_dentry = self.walk_sbs(find_file)
File "/home/user/volatility-read-only/volatility/plugins/linux/find_file.py", line 85, in walk_sbs
sbs = self.get_sbs()
File "/home/user/volatility-read-only/volatility/plugins/linux/find_file.py", line 78, in get_sbs
for (sb, _dev_name, path, fstype, _rr, _mnt_string) in linux_mount.linux_mount(self._config).parse_mnt(mnts):
File "/home/user/volatility-read-only/volatility/plugins/linux/mount.py", line 61, in parse_mnt
for (mnt, ns) in data:
File "/home/user/volatility-read-only/volatility/plugins/linux/mount.py", line 53, in calculate
for mnt in outerlist.list_of_type(mnttype, "mnt_hash"):
File "/home/user/volatility-read-only/volatility/plugins/overlays/linux/linux.py", line 449, in list_of_type
offset = self.obj_vm.profile.get_obj_offset(obj_type, member)
File "/home/user/volatility-read-only/volatility/obj.py", line 1010, in get_obj_offset
offset, _cls = tmp.members[member]
KeyError: 'mnt_hash'
Original comment by peekn...@gmail.com
on 4 Feb 2013 at 2:23
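The observation earlier in the thread, that the failing plugins break in one shared function, can be checked by reducing each traceback to the innermost frames it has in common with the others. The Python below is an added example, not code from the Volatility project or from any commenter; its input is constructed from the tracebacks above (command lines shortened, frames trimmed), and `parse_runs` and `shared_root` are hypothetical helper names.

```python
import re
from collections import defaultdict
# Constructed sample: three runs from the thread, shortened to plugin-level frames.
SAMPLE = '''
$ python vol.py linux_tmpfs -L
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/tmpfs.py", line 129, in get_tmpfs_sbs
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/mount.py", line 61, in parse_mnt
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/mount.py", line 53, in calculate
KeyError: 'mnt_hash'
$ python vol.py linux_find_file -F "/var/run/utmp"
File "/home/user/volatility-read-only/volatility/plugins/linux/find_file.py", line 78, in get_sbs
File "/home/user/volatility-read-only/volatility/plugins/linux/mount.py", line 61, in parse_mnt
File "/home/user/volatility-read-only/volatility/plugins/linux/mount.py", line 53, in calculate
KeyError: 'mnt_hash'
$ python vol.py linux_lsof
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/lsof.py", line 53, in render_text
File "/home/lubuntu/volatility-read-only/volatility/plugins/linux/common.py", line 282, in do_get_path
AttributeError: Struct mnt has no member mnt_parent
'''
FRAME = re.compile(r'File "([^"]+)", line (\d+), in (\S+)')

def parse_runs(text):
    """Return {plugin: [frames, exception]} with per-user checkout prefixes stripped."""
    runs, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = FRAME.match(line)
        if line.startswith("$"):
            cur = runs.setdefault(re.search(r"\blinux_\w+", line).group(0), [[], None])
        elif m and cur is not None:
            path = m.group(1).rsplit("/volatility/", 1)[-1]
            cur[0].append((path, int(m.group(2)), m.group(3)))
        elif cur is not None and re.match(r"\w+Error\b", line):
            cur[1] = line
    return runs

def shared_root(runs):
    """Group runs by exception; return {exception: (plugins, common innermost frames)}."""
    groups = defaultdict(list)
    for plugin, (frames, exc) in runs.items():
        groups[exc].append((plugin, frames[::-1]))  # innermost frame first
    out = {}
    for exc, members in groups.items():
        common = []
        for level in zip(*(stack for _, stack in members)):
            if len(set(level)) != 1:
                break
            common.append(level[0])
        out[exc] = (sorted(p for p, _ in members), common[::-1])
    return out
```

On this sample the two `KeyError: 'mnt_hash'` runs converge on `parse_mnt` and `calculate` in `plugins/linux/mount.py`, while `linux_lsof` fails on a separate path with a different missing member.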
Hello,
Can you please svn update and then rebuild the profile for your machine? The
plugins should then work with the new profile. I will leave the issue open
until you report it as fixed.
Original comment by atc...@gmail.com
on 29 Mar 2013 at 9:34
Hi peeknmod, it's been a few days so we're going to assume this is working
properly at this time. If you find otherwise, please do re-open or create a new
ticket and we'll get back to you ASAP.
Thanks!
Original comment by michael.hale@gmail.com
on 2 Apr 2013 at 2:41
Original issue reported on code.google.com by
peekn...@gmail.com
on 26 Jan 2013 at 12:37