Fixed a bug in Mounted unicode handling (Bug0097) and some small bug …

…fixes to volatility. darcs-hash:20090202193500-f1522-5300ee876e86bbef1406436fdb5bb92cb238874a.gz
anarchivist · Feb 2, 2009 · 8a217e2 · 8a217e2
1 parent 00b591b
commit 8a217e2
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 21 deletions.
diff --git a/src/plugins/DiskForensics/FileSystems/Mounted.py b/src/plugins/DiskForensics/FileSystems/Mounted.py
@@ -152,7 +152,8 @@ def load(self, mount_point, iosource_name, scanners=None, directory = None):
         ## the filesystem first, we also need to be running as root or
         ## we may not be able to stat all the files :-(
         def insert_into_table(mode ,root ,name):
-            rel_root = FlagFramework.normpath(mount_point + "/" + root[len(path):] + "/")
+            rel_root = FlagFramework.normpath(DB.expand("%s/%s/" ,
+                                                        (mount_point, root[len(path):])))
             try:
                 s=os.lstat(os.path.join(root,name))
             except OSError:

diff --git a/src/plugins/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/object2.py b/src/plugins/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/object2.py
@@ -192,6 +192,10 @@ def __init__(self, theType, offset, vm, parent=None, profile=None, name=None):
         self.name = name
         self.theType = theType
 
+    def __nonzero__(self):
+        if self.v(): return True
+        return False
+
     def __add__(self, other):
         return other + self.v()
 
@@ -342,7 +346,6 @@ class Pointer(NativeType):
     def __init__(self, theType, offset, vm, parent=None, profile=None, target=None, name=None):
         NativeType.__init__(self, theType, offset = offset, vm=vm, name=name,
                             parent=parent, profile=profile)
-
         self.target = target
         self.format_string = "=L"
 
@@ -362,6 +365,10 @@ def dereference(self):
     def cdecl(self):
         return "Pointer %s" % self.v()
 
+    def __nonzero__(self):
+        if self.dereference(): return True
+        return False
+
     def __repr__(self):
         return "<pointer to [%s ]>" % (self.v())
 

diff --git a/src/plugins/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/win32/tasks.py b/src/plugins/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/win32/tasks.py
@@ -44,24 +44,23 @@ def pslist(addr_space, profile):
 
     ## Try to dereference the KdVersionBlock as a 64 bit struct
     DebuggerDataList = kpcr.KdVersionBlock.dereference_as("_DBGKD_GET_VERSION64").DebuggerDataList
-    if DebuggerDataList.is_valid():
-        PsActiveProcessHead = DebuggerDataList.dereference_as("_KDDEBUGGER_DATA64"
-                                                              ).PsActiveProcessHead \
-                           or DebuggerDataList.dereference_as("_KDDEBUGGER_DATA32"
-                                                              ).PsActiveProcessHead
-    else:
-        PsActiveProcessHead = kpcr.KdVersionBlock.dereference_as("_KDDEBUGGER_DATA32"
-                                                                 ).PsActiveProcessHead
-
-
-    if not PsActiveProcessHead:
-        raise RuntimeError("Unable to find PsActiveProcessHead - is this image supported?")
+    PsActiveProcessHead = DebuggerDataList.dereference_as("_KDDEBUGGER_DATA64"
+                                                          ).PsActiveProcessHead \
+                     or DebuggerDataList.dereference_as("_KDDEBUGGER_DATA32"
+                                                        ).PsActiveProcessHead \
+                     or kpcr.KdVersionBlock.dereference_as("_KDDEBUGGER_DATA32"
+                                                           ).PsActiveProcessHead
+
+    if PsActiveProcessHead:
+        print type(PsActiveProcessHead)
     ## Try to iterate over the process list in PsActiveProcessHead
     ## (its really a pointer to a _LIST_ENTRY)
-    for l in PsActiveProcessHead.dereference_as("_LIST_ENTRY").list_of_type(
-        "_EPROCESS", "ActiveProcessLinks"):
-        yield l
-
+        for l in PsActiveProcessHead.dereference_as("_LIST_ENTRY").list_of_type(
+            "_EPROCESS", "ActiveProcessLinks"):
+            yield l
+    else:
+        raise RuntimeError("Unable to find PsActiveProcessHead - is this image supported?")
+
 def process_list(addr_space, types, symbol_table=None):
     """
     Get the virtual addresses of all Windows processes

diff --git a/...gins/MemoryForensics/Volatility-1.3_Linux_rc.1/memory_plugins/address_spaces/hibernate.py b/...gins/MemoryForensics/Volatility-1.3_Linux_rc.1/memory_plugins/address_spaces/hibernate.py
@@ -45,7 +45,7 @@ def __init__(self, baseAddressSpace, opts):
 	self.PageIndex = 0
         self.AddressList = []
         self.LookupCache = {}
-        self.PageCache = Store(20)
+        self.PageCache = Store(50)
         self.MemRangeCnt = 0
         self.offset = 0
         # Extract header information

diff --git a/src/pyflag/HTMLUI.py b/src/pyflag/HTMLUI.py
@@ -189,7 +189,7 @@ def opt_to_str(self,opts={}, **options):
 
         for k,v in options.items():
             if v:
-                result.append("%s=%r"% (k,quote_quotes(v.__str__())))
+                result.append(DB.expand("%s=%r", (k,quote_quotes(unicode(v)))))
 
         return ' '.join(result)
 
@@ -1204,7 +1204,7 @@ def end_form(self,value='Submit',name='__submit__',**opts):
         ## Do not propagate __ parameters:
         for k,v in self.form_parms:
             if not k.startswith("__"):
-                base += "<input type=hidden name='%s' value=\"%s\">\n" % (k,cgi.escape(v.__str__(), True))
+                base += DB.expand("<input type=hidden name='%s' value=\"%s\">\n", (k,unicode(cgi.escape(v, True))))
 
         base += self.submit(value,name, target=self.form_target, **opts)