Hello @indigo-pc - I'm quite sure that is related to this dwarf2json issue - https://github.com/volatilityfoundation/dwarf2json/issues/49
I'm not sure there is a full fix for it yet unfortunately.
Hey all!
I encountered the same issue:
root@f2cf2fc13a15:/opt/vol/volatility3# ./volshell.py -f /io/dumps/bpfvol3-archlinux-6.6.7-arch1-1_1703148059.dump -l
Volshell (Volatility 3 Framework) 2.5.2
Readline imported successfully
Stacking attempts finished
Call help() to see available functions
Volshell mode : Linux
Current Layer : layer_name
Current Symbol Table : symbol_table_name1
Current Kernel Name : kernel
(layer_name) >>> dt(ps()[0])
symbol_table_name1!task_struct (11584 bytes)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/opt/vol/volatility3/volatility3/cli/volshell/linux.py", line 70, in display_type
    return super().display_type(object, offset)
  File "/opt/vol/volatility3/volatility3/cli/volshell/generic.py", line 387, in display_type
    self._display_value(getattr(volobject, member)),
  File "/opt/vol/volatility3/volatility3/framework/objects/__init__.py", line 955, in __getattr__
    member = template(context=self._context, object_info=object_info)
  File "/opt/vol/volatility3/volatility3/framework/objects/templates.py", line 96, in __call__
    return self.vol.object_class(
  File "/opt/vol/volatility3/volatility3/framework/objects/__init__.py", line 521, in __new__
    return int.__new__(cls, ((value & ((1 << end_bit) - 1)) >> start_bit)) # type: ignore
ValueError: negative shift count
I've uploaded some files that could be helpful for debugging on your side (or the dwarf2json devs): https://uni-bonn.sciebo.de/s/zUVwXoctEaEg48u
Thanks a lot!
This issue is stale because it has been open for 200 days with no activity.
This issue was closed because it has been inactive for 60 days since being marked as stale.
Describe the bug
Attempting to display_type for ps() layer returns ValueError: negative shift count.

Context
Volatility Version: Volshell (Volatility 3 Framework) 2.5.2
Operating System: MacOS 13.6
Python Version: 3.8.18
Suspected Operating System: Alpine Linux 3.17.3 (v5.15.105-virt kernel)
Command: dt( ps()[0] )

To Reproduce
Steps to reproduce the behavior:
$ python volshell.py -f /Users/indigo/Projects/alpine-mem-dump/alpine-memory-dump-padded.lime -l
>>> dt( ps()[0] )

Expected behavior
Expected a table of memory offsets, symbols and types to print to the terminal for the given layer.

Example output
(layer_name) >>> dt( ps()[0] )
symbol_table_name1!task_struct (11072 bytes)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/Users/indigo/Projects/volatility3/volatility3/cli/volshell/linux.py", line 70, in display_type
    return super().display_type(object, offset)
  File "/Users/indigo/Projects/volatility3/volatility3/cli/volshell/generic.py", line 387, in display_type
    self._display_value(getattr(volobject, member)),
  File "/Users/indigo/Projects/volatility3/volatility3/framework/objects/__init__.py", line 964, in __getattr__
    member = template(context=self._context, object_info=object_info)
  File "/Users/indigo/Projects/volatility3/volatility3/framework/objects/templates.py", line 96, in __call__
    return self.vol.object_class(
  File "/Users/indigo/Projects/volatility3/volatility3/framework/objects/__init__.py", line 525, in __new__
    return int.__new__(cls, ((value & ((1 << end_bit) - 1)) >> start_bit)) # type: ignore
ValueError: negative shift count

Additional information
When testing an Ubuntu 16 memory dump, I see the expected behavior I describe above. I can fix the issue for the Alpine memory image by revising this module: /Users/indigo/Projects/volatility3/volatility3/framework/objects/__init__.py
To include the indicated lines:
But I suspect this is a hacky workaround. Perhaps worthy of further scrutiny.
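
Added example, not part of the original thread and not Volatility or dwarf2json code: a pre-flight audit that walks an ISF symbol table and reports every bitfield member for which the shift expression in the tracebacks above would raise, so the offending fields can be named before a dump is analysed. It goes slightly beyond the thread by also flagging bit ranges that overrun their storage type. Assumptions: bitfield members carry "bit_position" and "bit_length", start_bit and end_bit map to bit_position and bit_position + bit_length, and the sample table and its names are constructed.

```python
# Added example: audit ISF bitfield members against the shift expression in the traceback.
# Assumed ISF layout: a bitfield member's "type" holds "bit_position" and "bit_length".
# SAMPLE_ISF is constructed for illustration; struct and field names are hypothetical.
SAMPLE_ISF = {
    "base_types": {"unsigned int": {"kind": "int", "size": 4, "signed": False, "endian": "little"}},
    "user_types": {"example_struct": {"kind": "struct", "size": 4, "fields": {
        "flag_ok": {"offset": 0, "type": {"kind": "bitfield", "bit_position": 0,
                    "bit_length": 1, "type": {"kind": "base", "name": "unsigned int"}}},
        "flag_negative": {"offset": 0, "type": {"kind": "bitfield", "bit_position": -8,
                          "bit_length": 1, "type": {"kind": "base", "name": "unsigned int"}}},
        "flag_overrun": {"offset": 0, "type": {"kind": "bitfield", "bit_position": 30,
                         "bit_length": 4, "type": {"kind": "base", "name": "unsigned int"}}},
    }}},
}


def extract_bits(value, start_bit, end_bit):
    """Same expression as the failing line in the traceback."""
    return (value & ((1 << end_bit) - 1)) >> start_bit


def audit_bitfields(isf):
    """Return (struct, field, start_bit, end_bit, reason) for every suspect bitfield."""
    findings = []
    base_types = isf.get("base_types", {})
    for struct_name, struct in isf.get("user_types", {}).items():
        for field_name, field in struct.get("fields", {}).items():
            ftype = field.get("type", {})
            if ftype.get("kind") != "bitfield":
                continue
            start = ftype["bit_position"]
            end = start + ftype["bit_length"]  # assumed mapping to start_bit / end_bit
            storage = base_types.get(ftype.get("type", {}).get("name"), {})
            try:
                extract_bits(0, start, end)  # raises ValueError on a negative shift
                reason = None
            except ValueError as exc:
                reason = str(exc)
            if reason is None and end > 8 * storage.get("size", end):
                reason = "bit range exceeds storage type"
            if reason:
                findings.append((struct_name, field_name, start, end, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_bitfields(SAMPLE_ISF):
        print("%s.%s bits [%d, %d): %s" % finding)
```

To audit a real symbol table, pass the dictionary obtained from loading the ISF JSON file to audit_bitfields() instead of SAMPLE_ISF.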