linux_pstree:ERROR : volatility.debug : int() argument must be a string or a number, not 'CType' #290

Closed
warcraft23 opened this issue Mar 16, 2016 · 2 comments

Comments

@warcraft23

Hi,
I have found a bug (maybe it is) in the plugin linux_pstree. It will lead to an exception 'int() argument must be a string or a number, not CType'.

OS Version: Ubuntu 14.04 server
Kernel: 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Volatility version: 2.5 downloaded from github 23 Feb 2016
Affected Plugin: Linux_pstree

What the error looks like:

python vol.py -f Ubuntu1404.lime --profile=LinuxUbuntu1404x64 linux_pstree --output=html --output-file=pstree.html
Outputting to: pstree1.html
ERROR   : volatility.debug    : int() argument must be a string or a number, not 'CType'

Then I tried to debug Volatility and found the exception is raised from the code below in volatility/plugins/linux/pstree.py

def generator(self, data):
    self.procs = OrderedDict()
    for task in data:
        self.recurse_task(task, 0, 0, self.procs)

    for offset, name, level, pid, ppid, uid, euid, gid in self.procs.values():
        if offset:
            # print euid.obj_offset
            yield (0, [Address(offset),
                       str(name),
                       str(level),
                       int(pid),
                       int(ppid),
                       int(uid),
                       int(gid),
                       int(euid)])  # here is the place where the exception is raised

In the variable watcher we can see euid is an instance of CType (I do not know what CType is). And inside it we can see the real value of euid. It equals the value of euid.obj_offset.

When I try to change the code above into the code like this:

-----
int(euid)]) 
++++
int(euid.obj_offset)]
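
Review bot: the replacement line `int(euid.obj_offset)]` drops the closing parenthesis of the `yield(` call that the removed line `int(euid)])` carried, so applied literally it will not parse; keep the `)`. The change also touches only `euid`, while `uid` and `gid` pass through the same `int()` conversion a few lines earlier in `generator`, so if they are produced the same way they need the same handling. Reading an offset attribute at the call site works around the conversion instead of making `int(euid)` itself succeed.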

Then everything goes well. But I think that is not a perfect way to solve it.

I don't know why~

@warcraft23
Author

I find that CType is the custom class created by Volatility. It has a method called v(self). The method returns the obj_offset value. Maybe we can do it like that. But why does int(euid) fail?

@atcuno
Contributor

atcuno commented May 9, 2016

Hello,

Thanks for reporting the bug. This was an issue as the overlays for uid/gid/euid were returning ctypes instead of forcing it to int. I updated the code with the following patch:

079658e

Please let me know if you have any other issues.

@atcuno atcuno closed this as completed May 9, 2016
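
A simplified model of the failure discussed in this issue, added here as an illustration and not taken from Volatility or from the patch: a struct-typed wrapper defines no integer conversion, so `int()` raises, and in this model its offset is where the object sits in the image rather than what it holds. `StructView`, `force_int`, `render_row`, the `val` member name and the sample bytes are all assumptions constructed for the example.

```python
import struct

# Constructed sample "memory image": 16 bytes of padding, then a one-member
# struct holding euid = 1000 as a little-endian 32-bit value at offset 16.
IMAGE = b"\x00" * 16 + struct.pack("<I", 1000) + b"\x00" * 12


class StructView(object):
    """Hypothetical stand-in for a struct-typed object read from an image.

    It knows where the struct lives (obj_offset) and how to read its members,
    but it defines no __int__, so int(view) raises TypeError.
    """

    def __init__(self, image, obj_offset, members):
        self.image = image
        self.obj_offset = obj_offset
        self.members = members  # member name -> (relative offset, struct format)

    def member(self, name):
        rel, fmt = self.members[name]
        return struct.unpack_from(fmt, self.image, self.obj_offset + rel)[0]


def force_int(value, member="val"):
    """Return a plain int for either a native number or a StructView."""
    if isinstance(value, StructView):
        # Read the stored value; the offset only says where the struct is.
        return int(value.member(member))
    return int(value)


def render_row(pid, euid):
    """Build an output row for a renderer that expects plain integers."""
    return [int(pid), force_int(euid)]


# Constructed example object: a wrapper around the struct at offset 16.
EUID = StructView(IMAGE, 16, {"val": (0, "<I")})

if __name__ == "__main__":
    try:
        int(EUID)
    except TypeError as exc:
        print("int(view) fails:", exc)
    print("offset:", EUID.obj_offset, "value:", force_int(EUID))
    print(render_row(1234, EUID))
```

Normalizing at the point where the value is produced keeps every consumer's `int()` call working, and keeps an offset from being reported as a user ID in analysis output.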