Running Volatility over a LiME dump of ARM64 kali/Debian raises the following error:
python2 vol.py -f C:\Users\22826\Desktop\out.lime --profile=LinuxKali_6_6_9-amd64_profilex64 linux_bash
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
File "vol.py", line 192, in
main()
File "vol.py", line 183, in main
command.execute()
File "E:\取证\工具\volatility2\volatility\plugins\linux\common.py", line 67, in execute
commands.Command.execute(self, *args, *kwargs)
File "E:\取证\工具\volatility2\volatility\commands.py", line 116, in execute
if not self.is_valid_profile(profs[self._config.PROFILE]()):
File "E:\取证\工具\volatility2\volatility\plugins\overlays\linux\linux.py", line 218, in init
obj.Profile.init(self, args, kwargs)
File "E:\取证\工具\volatility2\volatility\obj.py", line 862, in init
self.reset()
File "E:\取证\工具\volatility2\volatility\plugins\overlays\linux\linux.py", line 232, in reset
self.load_vtypes()
File "E:\取证\工具\volatility2\volatility\plugins\overlays\linux\linux.py", line 269, in load_vtypes
vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
File "E:\取证\工具\volatility2\volatility\dwarf.py", line 74, in init
self.feed_line(line)
File "E:\取证\工具\volatility2\volatility\dwarf.py", line 165, in feed_line
self.process_statement(parsed) # pylint: disable-msg=W0142
File "E:\取证\工具\volatility2\volatility\dwarf.py", line 239, in process_statement
self.id_to_name[statement_id] = [self.base_type_name(data)]
File "E:\取证\工具\volatility2\volatility\dwarf.py", line 128, in base_type_name
return self.tp2vol[data['DW_AT_name'].strip('"')]
KeyError: '__int128'
Running Volatility over a LiME dump of ARM64 kali/Debian raises the following error:
The method referred to #478 can be easily solved.
Adding that type in volatility/dwarf.py