linux_pslist with Fedora 21 => AttributeError: 'long' object has no attribute 'tv_sec' #161

Closed
masdif opened this issue Jan 14, 2015 · 6 comments

masdif commented Jan 14, 2015

Error while using linux_pslist with a Fedora 21 profile:

D:\vol>volatility-2.4.standalone.exe --plugins=. -f fedora.lime --profile LinuxFedora_21_3_17_8-300_fc21_x86_64x64 linux_pslist
Volatility Foundation Volatility Framework 2.4
Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
Traceback (most recent call last):
  File "<string>", line 192, in <module>
  File "<string>", line 183, in main
  File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.common", line 62, in execute
  File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.commands", line 127, in execute
  File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.linux.pslist", line 93, in render_text
  File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.plugins.overlays.linux.linux", line 1545, in get_task_start_time
  File "C:\volatility\build\pyinstaller\out00-PYZ.pyz\volatility.obj", line 254, in __getattr__
AttributeError: 'long' object has no attribute 'tv_sec'

Fedora memory dump and Volatility profile can be provided via download link.

Additionally, here is the output with the debug option. I think this should not end in a Python debugger prompt, should it?

D:\vol>volatility-2.4.standalone.exe --plugins=. -f fedora.lime --profile LinuxFedora_21_3_17_8-300_fc21_x86_64x64 -d linux_pslist
Volatility Foundation Volatility Framework 2.4
DEBUG   : volatility.debug    : Fedora_21_3.17.8-300.fc21.x86_64: Found dwarf file System.map-3.17.8-300.fc21.x86_64 with 691 symbols
DEBUG   : volatility.debug    : Fedora_21_3.17.8-300.fc21.x86_64: Found system file System.map-3.17.8-300.fc21.x86_64 with 1 symbols
DEBUG   : volatility.debug    : Applying modification from BashHashTypes
DEBUG   : volatility.debug    : Applying modification from BashTypes
DEBUG   : volatility.debug    : Applying modification from BasicObjectClasses
DEBUG   : volatility.debug    : Applying modification from ELF32Modification
DEBUG   : volatility.debug    : Applying modification from ELF64Modification
DEBUG   : volatility.debug    : Applying modification from ELFModification
DEBUG   : volatility.debug    : Applying modification from HPAKVTypes
DEBUG   : volatility.debug    : Applying modification from LimeTypes
DEBUG   : volatility.debug    : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.debug    : Applying modification from MachoModification
DEBUG   : volatility.debug    : Applying modification from MachoTypes
DEBUG   : volatility.debug    : Applying modification from MbrObjectTypes
DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
DEBUG   : volatility.debug    : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.debug    : Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.debug    : Applying modification from LinuxMountOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxObjectClasses
DEBUG   : volatility.debug    : Applying modification from LinuxOverlay
DEBUG   : volatility.debug    : Fedora_21_3.17.8-300.fc21.x86_64: Found dwarf file System.map-3.17.8-300.fc21.x86_64 with 691 symbols
DEBUG   : volatility.debug    : Fedora_21_3.17.8-300.fc21.x86_64: Found system file System.map-3.17.8-300.fc21.x86_64 with 1 symbols
DEBUG   : volatility.debug    : Applying modification from BashHashTypes
DEBUG   : volatility.debug    : Applying modification from BashTypes
DEBUG   : volatility.debug    : Applying modification from BasicObjectClasses
DEBUG   : volatility.debug    : Applying modification from ELF32Modification
DEBUG   : volatility.debug    : Applying modification from ELF64Modification
DEBUG   : volatility.debug    : Applying modification from ELFModification
DEBUG   : volatility.debug    : Applying modification from HPAKVTypes
DEBUG   : volatility.debug    : Applying modification from LimeTypes
DEBUG   : volatility.debug    : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.debug    : Applying modification from MachoModification
DEBUG   : volatility.debug    : Applying modification from MachoTypes
DEBUG   : volatility.debug    : Applying modification from MbrObjectTypes
DEBUG   : volatility.debug    : Applying modification from VMwareVTypesModification
DEBUG   : volatility.debug    : Applying modification from VirtualBoxModification
DEBUG   : volatility.debug    : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.debug    : Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.debug    : Applying modification from LinuxMountOverlay
DEBUG   : volatility.debug    : Applying modification from LinuxObjectClasses
DEBUG   : volatility.debug    : Applying modification from LinuxOverlay
Offset             Name                 Pid             Uid             Gid    DTB                Start Time
------------------ -------------------- --------------- --------------- ------ ------------------ ----------
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x0634B870>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x0634B8B0>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0634BAB0>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x0634BE30>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x0634BE10>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG   : volatility.debug    : Succeeded instantiating <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x0634BF30>
DEBUG   : volatility.debug    : Voting round
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.debug    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>
> c:\volatility\build\pyinstaller\out00-pyz.pyz\volatility.obj(254)__getattr__()
(Pdb)
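
The `AttributeError` above means the profile resolved `task_struct.start_time` to a plain integer, while `get_task_start_time` expects a structure with `tv_sec` and `tv_nsec` members. The following added example (not Volatility code and not part of the original thread) shows the failure and a reader that accepts both layouts; the names `Timespec`, `start_time_to_ns` and `task_start_datetime` are hypothetical, the sample values are constructed, and treating the integer as nanoseconds since boot is an assumption the thread does not state.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

NSEC_PER_SEC = 10 ** 9

# Stand-in for a parsed "struct timespec" member (constructed for this example).
Timespec = namedtuple("Timespec", ["tv_sec", "tv_nsec"])


def naive_start_secs(start_time):
    """Same access pattern as the failing line in the traceback.

    Works only when start_time is a struct-like object; an integer member
    raises AttributeError (reported as 'long' under Python 2, 'int' under
    Python 3).
    """
    return start_time.tv_sec + start_time.tv_nsec / NSEC_PER_SEC


def start_time_to_ns(start_time):
    """Return the task start offset since boot in nanoseconds.

    Accepts either layout:
      * a struct with tv_sec / tv_nsec members, or
      * a bare integer, ASSUMED here to be a nanosecond count.
    """
    if hasattr(start_time, "tv_sec") and hasattr(start_time, "tv_nsec"):
        nsec = int(start_time.tv_nsec)
        if not 0 <= nsec < NSEC_PER_SEC:
            # A smeared or mis-typed read usually shows up here first.
            raise ValueError("tv_nsec out of range: %d" % nsec)
        return int(start_time.tv_sec) * NSEC_PER_SEC + nsec

    ns = int(start_time)
    if ns < 0:
        raise ValueError("negative start offset: %d" % ns)
    return ns


def task_start_datetime(start_time, boot_epoch_secs):
    """Convert a since-boot start offset to an absolute UTC timestamp.

    boot_epoch_secs is the boot time as Unix seconds; the caller must
    recover it from the image by other means.
    """
    ns = start_time_to_ns(start_time)
    boot = datetime.fromtimestamp(boot_epoch_secs, tz=timezone.utc)
    return boot + timedelta(microseconds=ns // 1000)


if __name__ == "__main__":
    BOOT = 1421193600                      # constructed: 2015-01-14 00:00:00 UTC
    as_struct = Timespec(12, 500000000)    # constructed: struct layout
    as_integer = 12500000000               # constructed: integer layout

    try:
        naive_start_secs(as_integer)
    except AttributeError as exc:
        print("naive accessor failed:", exc)

    print(task_start_datetime(as_struct, BOOT))
    print(task_start_datetime(as_integer, BOOT))
```

In a timeline built from a memory image, a wrong unit assumption shifts every process start time, so the integer branch should be checked against a process whose start time is known from another source.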

atcuno commented Jan 20, 2015

Hello,

Could you try the latest version of Volatility from git and see if you still have an issue? If so, can you paste the backtrace again so I can track it down better?


masdif commented Jan 21, 2015

$ python vol.py -f ~/vol/fedora.lime --profile LinuxFedora_21_3_17_8-300_fc21_x86_64x64 linux_pslist
Volatility Foundation Volatility Framework 2.4
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/home/foo/github/volatility/volatility/plugins/linux/common.py", line 63, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/foo/github/volatility/volatility/commands.py", line 140, in execute
    func(outfd, data)
  File "/home/foo/github/volatility/volatility/commands.py", line 275, in render_text
    config = self._config), data)
  File "/home/foo/github/volatility/volatility/commands.py", line 269, in _render
    renderer.render(outfd, output)
  File "/home/foo/github/volatility/volatility/renderers/text.py", line 115, in render
    grid_depth = grid.visit(None, lambda x, y: max(y, grid.path_depth(x)), 0)
  File "/home/foo/github/volatility/volatility/renderers/__init__.py", line 242, in visit
    self.populate()
  File "/home/foo/github/volatility/volatility/renderers/__init__.py", line 149, in populate
    for (level, item) in self._generator:
  File "/home/foo/github/volatility/volatility/plugins/linux/pslist.py", line 97, in generator
    str(task.get_task_start_time())])
  File "/home/foo/github/volatility/volatility/plugins/overlays/linux/linux.py", line 1924, in get_task_start_time
    start_secs = start_time.tv_sec + (start_time.tv_nsec / linux_common.nsecs_per / 100)
  File "/home/foo/github/volatility/volatility/obj.py", line 254, in __getattr__
    return getattr(proxied, attr)
AttributeError: 'long' object has no attribute 'tv_sec'
$ python vol.py -f ~/vol/fedora.lime --profile LinuxFedora_21_3_17_8-300_fc21_x86_64x64 linux_pslist -d
Volatility Foundation Volatility Framework 2.4
DEBUG   : volatility.plugins.overlays.linux.linux: Fedora_21_3.17.8-300.fc21.x86_64: Found dwarf file System.map-3.17.8-300.fc21.x86_64 with 691 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: Fedora_21_3.17.8-300.fc21.x86_64: Found system file System.map-3.17.8-300.fc21.x86_64 with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashHashTypes
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF32Modification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from ELFModification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.obj      : Applying modification from MachoModification
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.plugins.overlays.linux.linux: Fedora_21_3.17.8-300.fc21.x86_64: Found dwarf file System.map-3.17.8-300.fc21.x86_64 with 691 symbols
DEBUG   : volatility.plugins.overlays.linux.linux: Fedora_21_3.17.8-300.fc21.x86_64: Found system file System.map-3.17.8-300.fc21.x86_64 with 1 symbols
DEBUG   : volatility.obj      : Applying modification from BashHashTypes
DEBUG   : volatility.obj      : Applying modification from BashTypes
DEBUG   : volatility.obj      : Applying modification from BasicObjectClasses
DEBUG   : volatility.obj      : Applying modification from ELF32Modification
DEBUG   : volatility.obj      : Applying modification from ELF64Modification
DEBUG   : volatility.obj      : Applying modification from ELFModification
DEBUG   : volatility.obj      : Applying modification from HPAKVTypes
DEBUG   : volatility.obj      : Applying modification from LimeTypes
DEBUG   : volatility.obj      : Applying modification from LinuxTruecryptModification
DEBUG   : volatility.obj      : Applying modification from MachoModification
DEBUG   : volatility.obj      : Applying modification from MachoTypes
DEBUG   : volatility.obj      : Applying modification from MbrObjectTypes
DEBUG   : volatility.obj      : Applying modification from VMwareVTypesModification
DEBUG   : volatility.obj      : Applying modification from VirtualBoxModification
DEBUG   : volatility.obj      : Applying modification from LinuxIntelOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxKmemCacheOverlay
DEBUG   : volatility.plugins.overlays.linux.linux: Requested symbol cache_chain not found in module kernel

DEBUG   : volatility.obj      : Applying modification from LinuxMountOverlay
DEBUG   : volatility.obj      : Applying modification from LinuxObjectClasses
DEBUG   : volatility.obj      : Applying modification from LinuxOverlay
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x5c0ac50>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x8380ad0>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x8153410>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x81538d0>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.lime.LimeAddressSpace object at 0x81536d0>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.amd64.AMD64PagedMemory object at 0x8153890>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'> 
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'> 
> /home/foo/github/volatility/volatility/obj.py(254)__getattr__()
-> return getattr(proxied, attr)
(Pdb) 

@atcuno atcuno assigned atcuno and unassigned atcuno Mar 3, 2015
atcuno (Contributor) commented Mar 3, 2015

Hello, I believe I fixed this with 485d2c4

Please re-open the bug if you still experience an issue. Thank you for reporting this!

@atcuno atcuno closed this as completed Mar 3, 2015
masdif (Contributor, Author) commented Mar 8, 2015

I'm afraid that did not solve it.

Your

if type(start_time) == long:

won't become true. Instead if I check for

if type(start_time) == volatility.obj.NativeType:

(because that's what type(start_time) says) then the Fedora dump takes this way. But this is still not the solution as the next error comes from

def get_time_vars(self):

because

timekeeper_addr = self.obj_vm.profile.get_symbol("timekeeper")

does not find the symbol. That is because there actually is no such symbol in my Fedora's System.map.
Example Fedora:

<snip>
ffffffff81f53650 b timekeeping_suspend_time
ffffffff81f53660 b pvclock_gtod_chain
ffffffff81f53680 b tk_fast_mono
ffffffff81f53700 b shadow_timekeeper
ffffffff81f537c0 b timekeeper_lock
ffffffff81f53800 b tk_core
ffffffff81f538c8 B tick_nsec
ffffffff81f538d0 b ntp_tick_adj
<snip>

Example Ubuntu:

<snip>
ffffffff81eff4a0 b timekeeping_suspend_time
ffffffff81eff4b0 b pvclock_gtod_chain
ffffffff81eff4c0 b shadow_timekeeper
ffffffff81eff568 b timekeeper_seq
ffffffff81eff56c b timekeeper_lock
ffffffff81eff580 b timekeeper
ffffffff81eff628 B tick_nsec
ffffffff81eff630 b ntp_tick_adj
<snip>

I tried some shots in the dark (like trying symbol tk_core instead of timekeeper) but did not really succeed in any way.
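
The two failure points described in the comment above, reproduced as an added example (not Volatility code and not part of the original comment). `Proxy` is a hypothetical stand-in for a wrapper that forwards attribute access the way the traceback's `__getattr__` line does, written for Python 3 where `int` takes the place of `long`; the map text is taken from the excerpts quoted above.

```python
# Added example, not Volatility code. Proxy is a hypothetical stand-in for a
# wrapper that forwards attribute access to the value it holds.
class Proxy(object):
    def __init__(self, value):
        self.value = value

    def __getattr__(self, attr):
        # Reached only for names the wrapper itself does not define.
        return getattr(self.value, attr)

def is_plain_integer(obj):
    """Exact-type test, like `type(start_time) == long` (int on Python 3)."""
    return type(obj) == int

def has_timespec_fields(obj):
    """Duck-typed test; gives the right answer through a forwarding wrapper."""
    return hasattr(obj, "tv_sec")

def parse_system_map(text):
    """Return {symbol: (address, type_char)}; malformed lines are skipped."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # e.g. the <snip> markers
        try:
            symbols[parts[2]] = (int(parts[0], 16), parts[1])
        except ValueError:
            continue
    return symbols

def present(symbols, candidates):
    """Candidate symbols found in the map, in the order given."""
    return [(name, symbols[name][0]) for name in candidates if name in symbols]

# Timekeeping lines from the two System.map excerpts quoted above.
FEDORA = """<snip>
ffffffff81f53680 b tk_fast_mono
ffffffff81f53700 b shadow_timekeeper
ffffffff81f537c0 b timekeeper_lock
ffffffff81f53800 b tk_core
<snip>"""
UBUNTU = """<snip>
ffffffff81eff4c0 b shadow_timekeeper
ffffffff81eff568 b timekeeper_seq
ffffffff81eff56c b timekeeper_lock
ffffffff81eff580 b timekeeper
<snip>"""
if __name__ == "__main__":
    print(present(parse_system_map(FEDORA), ["timekeeper", "tk_core"]))
```

Running the same `present` check against a profile's full System.map before analysis shows up front whether a plugin's hard-coded symbol name exists for that kernel.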

phbnf commented May 28, 2015

It seems to work for me using tk_fast_mono, have you tried it?

@bucky2090

This bug has not been fixed. I get the exact same error and the same debug dump.
Using Volatility 2.4 (http://downloads.volatilityfoundation.org/releases/2.4/volatility-2.4.zip)
OS = Ubuntu 14.04.3 Server 32-bit (Running in VBox VM)
uname -a = Linux ubuntu-14 3.13.0-24-generic #46-Ubuntu SMP Thu Apr 10 19:08:14 UTC i686 i686 i686 GNU/Linux
Memdump taken with LiME (Compiled kernel module on same host)
Other linux_ work just fine

Can provide the profile and memory dump if needed.

Bucky2090
