search

volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0
7.21k stars 1.27k forks source link

ValueError: invalid literal for int() with base 16: '128 (-128)' #866

Open BoBppy opened 10 months ago

BoBppy commented 10 months ago

os:Ubuntu20.04

uname -a :

Linux ubuntu 5.4.0-26-lowlatency #30-Ubuntu SMP PREEMPT Mon Apr 20 17:51:18 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

also tried in 5.4.0-165 lowlatency or generic

Error message:

python vol.py -f ubuntu.lime --profile=LinuxUbuntux64 linux_arp
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/home/bob/volatility/volatility/plugins/linux/common.py", line 67, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/bob/volatility/volatility/commands.py", line 116, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/home/bob/volatility/volatility/plugins/overlays/linux/linux.py", line 218, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/home/bob/volatility/volatility/obj.py", line 862, in __init__
    self.reset()
  File "/home/bob/volatility/volatility/plugins/overlays/linux/linux.py", line 232, in reset
    self.load_vtypes()
  File "/home/bob/volatility/volatility/plugins/overlays/linux/linux.py", line 269, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/home/bob/volatility/volatility/dwarf.py", line 73, in __init__
    self.feed_line(line)
  File "/home/bob/volatility/volatility/dwarf.py", line 164, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/home/bob/volatility/volatility/dwarf.py", line 201, in process_statement
    self.vtypes[name] = [ int(data['DW_AT_byte_size'], self.base), {} ]
ValueError: invalid literal for int() with base 16: '128 (-128)'

i have pulled #852 and #854 ,but ineffective.

Abyss-W4tcher commented 10 months ago

Hello, recent gcc and dwarfdump versions output symbols in a format not implemented by Volatility2. You can try to patch it yourself. Check valid "DW_AT_byte_size" format from another dump/profile and edit volatility/volatility/dwarf.py#L201 to match the ones from your profile.

Ultimately, you should try using Volatility3, as it won't have any problem with this kernel version :) .

Regards

t0toto commented 7 months ago

So how should I edit volatility/volatility/dwarf.py?

mischw commented 3 months ago

So how should I edit volatility/volatility/dwarf.py?

I think at the bottom of the README there is a patch by him: https://github.com/Abyss-W4tcher/volatility2-profiles?tab=readme-ov-file#volatility-patches

Abyss-W4tcher commented 2 months ago

So how should I edit volatility/volatility/dwarf.py?

I think at the bottom of the README there is a patch by him: Abyss-W4tcher/volatility2-profiles#volatility-patches

Hi, this patch applies to another issue, but it might help to implement the one needed in your case 👍