Volatility Profile Creation Error for Mac OS x 10.9.2 x64

Question

Volatility Profile Creation Error for Mac OS x 10.9.2 x64

Closed this issue 9 years ago · 6 comments

GoogleCodeExporter commented 9 years ago

I have a problem when I tried to create vtypes file for Mac OS X 10.9.2. I 
converted dwarfdump file successfully to converted form. But when I tried to 
create vtypes file from the converted file I got error messages which shown 
below.

sh-3.2# python ../../../../tools/mac/convert.py 
converted.10.9.2.64bit.dwarfdump > 10.9.2.64bit.vtypes

Traceback (most recent call last):
  File "../../../../tools/mac/convert.py", line 659, in <module>
    main()
  File "../../../../tools/mac/convert.py", line 656, in main
    parse_dwarf()     
  File "../../../../tools/mac/convert.py", line 390, in parse_dwarf
    parser.feed_line(line)
  File "../../../../tools/mac/convert.py", line 125, in feed_line
    self.process_statement(**parsed)
  File "../../../../tools/mac/convert.py", line 263, in process_statement
    off = int(data['AT_data_member_location'])
KeyError: 'AT_data_member_location'

Original issue reported on code.google.com by halilozt...@gmail.com on 11 Apr 2014 at 11:04

Answer 1 · 2015-11-16T22:51:25.000Z

[deleted comment]

Answer 2 · 2015-11-16T22:51:25.000Z

Quick and ugly patch, seems to be working though (the script doesn't crash 
anymore and I can use the memory profile with volatility) ;).

51c51,54
<             resolved = self.id_to_name[memb[1:]]
---
>       try:    
>                 resolved = self.id_to_name[memb[1:]]
>             except:
>                 resolved = 0
263,264c266,269
<             off = int(data['AT_data_member_location'])
< 
---
>             try: 
>       off = int(data['AT_data_member_location'])
>       except:
>       off = 0 

Tested on OS X 10.9.1

Original comment by Yggdrasi...@gmail.com on 18 Apr 2014 at 8:03

Answer 3 · 2015-11-16T22:51:25.000Z

Original comment by michael.hale@gmail.com on 19 Apr 2014 at 3:17

Answer 4 · 2015-11-16T22:51:25.000Z

I have the same problem please help .. 
I tried follow the instruction from this page 
https://code.google.com/p/volatility/wiki/MacMemoryForensics
My mac OS version is mac OS X 10.9.2 64bits 



Traceback (most recent call last):
  File "../volatility-trunk/tools/mac/convert.py", line 659, in <module>
    main()
  File "../volatility-trunk/tools/mac/convert.py", line 656, in main
    parse_dwarf()     
  File "../volatility-trunk/tools/mac/convert.py", line 390, in parse_dwarf
    parser.feed_line(line)
  File "../volatility-trunk/tools/mac/convert.py", line 125, in feed_line
    self.process_statement(**parsed)
  File "../volatility-trunk/tools/mac/convert.py", line 263, in process_statement
    off = int(data['AT_data_member_location'])
KeyError: 'AT_data_member_location'

thank you

Original comment by dineshku...@gmail.com on 12 May 2014 at 9:20

Answer 5 · 2015-11-16T22:51:25.000Z

Can you please try this profile and see if it works correctly? 

https://www.dropbox.com/s/2he3xe8inf9ygky/10.9.2.zip

Original comment by atc...@gmail.com on 27 May 2014 at 6:03

Answer 6 · 2015-11-16T22:51:26.000Z

Hi guys, did the 10.9.2.zip profile Andrew posted work for you? If not, feel 
free to reopen but we'll close the issue since there haven't been any replies 
since the end of May.

Original comment by michael.hale@gmail.com on 19 Jun 2014 at 11:45

Changed state: Done