search

tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 1 forks source link

MFTParser crash due to Windows overlay issue #424

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Run the mftparser plugin on a specific memory image.

$ python vol.py -f memory.img --profile=Win7SP1x64 mftparser

What is the expected output? What do you see instead?

The program crashes with the following error:
Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/Users/jessek/Documents/volatility/trunk/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/Users/jessek/Documents/volatility/trunk/volatility/plugins/mftparser.py", line 675, in render_text
    outfd.write("{0}\n".format(str(i)))
  File "/Users/jessek/Documents/volatility/trunk/volatility/plugins/mftparser.py", line 223, in __str__
    str(self.FileAccessedTime),
  File "/Users/jessek/Documents/volatility/trunk/volatility/plugins/overlays/windows/windows.py", line 290, in __str__
    return "{0}".format(self)
  File "/Users/jessek/Documents/volatility/trunk/volatility/plugins/overlays/windows/windows.py", line 304, in __format__
    dt = self.as_datetime()
  File "/Users/jessek/Documents/volatility/trunk/volatility/plugins/overlays/windows/windows.py", line 294, in as_datetime
    dt = datetime.datetime.utcfromtimestamp(self.v())
  File "/Users/jessek/Documents/volatility/trunk/volatility/plugins/overlays/windows/windows.py", line 284, in v
    return self.windows_to_unix_time(value)
  File "/Users/jessek/Documents/volatility/trunk/volatility/plugins/overlays/windows/windows.py", line 271, in windows_to_unix_time
    unix_time = windows_time / 10000000
TypeError: unsupported operand type(s) for /: 'NoneObject' and 'int'

What version of the product are you using? On what operating system?

Trunk code, revision 3424.

Please provide any additional information below.

The problem appears to be that the windows time is being instantiated with 
None, which is not caught by the sanity check. The attached patch fixes the 
issue.

Original issue reported on code.google.com by jessekornblum on 24 May 2013 at 3:07

Attachments:

GoogleCodeExporter commented 9 years ago 
This issue was closed by revision r3425.

Original comment by jamie.l...@gmail.com on 24 May 2013 at 8:57