Velocidex / velociraptor

Digging Deeper....

Home Page: https://docs.velociraptor.app/

KeyError: '__int128' even after appending in dwarf.py

hd3291 opened this issue

Hi, I am still getting the following error even after appending '__int128': 'long long', in the dwarf.json

ERROR :

└─# python2 vol.py -f /memory.dmp --profile=Linuxrhelx64 linux_netstat
Volatility Foundation Volatility Framework 2.6.1
Traceback (most recent call last):
  File "vol.py", line 192, in <module>
    main()
  File "vol.py", line 183, in main
    command.execute()
  File "/home/kali/volatility/volatility/plugins/linux/common.py", line 67, in execute
    commands.Command.execute(self, *args, **kwargs)
  File "/home/kali/volatility/volatility/commands.py", line 116, in execute
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
  File "/home/kali/volatility/volatility/plugins/overlays/linux/linux.py", line 218, in __init__
    obj.Profile.__init__(self, *args, **kwargs)
  File "/home/kali/volatility/volatility/obj.py", line 862, in __init__
    self.reset()
  File "/home/kali/volatility/volatility/plugins/overlays/linux/linux.py", line 232, in reset
    self.load_vtypes()
  File "/home/kali/volatility/volatility/plugins/overlays/linux/linux.py", line 269, in load_vtypes
    vtypesvar = dwarf.DWARFParser(dwarfdata).finalize()
  File "/home/kali/volatility/volatility/dwarf.py", line 74, in __init__
    self.feed_line(line)
  File "/home/kali/volatility/volatility/dwarf.py", line 165, in feed_line
    self.process_statement(**parsed) #pylint: disable-msg=W0142
  File "/home/kali/volatility/volatility/dwarf.py", line 239, in process_statement
    self.id_to_name[statement_id] = [self.base_type_name(data)]
  File "/home/kali/volatility/volatility/dwarf.py", line 128, in base_type_name
    return self.tp2vol[data['DW_AT_name'].strip('"')]
KeyError: '__int128'

Dwarf.py :
tp2vol = {
    '_Bool': 'unsigned char',
    'char': 'char',
    'float': 'float',
    'double': 'double',
    'long double': 'double',
    'int': 'int',
    'long int': 'long',
    'long long int': 'long long',
    'long long unsigned int': 'unsigned long long',
    'long unsigned int': 'unsigned long',
    'short int': 'short',
    'short unsigned int': 'unsigned short',
    'signed char': 'signed char',
    'unsigned char': 'unsigned char',
    'unsigned int': 'unsigned int',
    'sizetype' : 'unsigned long',
    'ssizetype' : 'long',
    '__int128 unsigned': 'unsigned long long',
    '__int128 ': 'long long',
}
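An added check, not part of the original issue or of Volatility's code: the lookup in the traceback strips only double quotes from DW_AT_name, while the table as pasted above shows the new key as '__int128 ' with a trailing space, so the two strings do not match. `TP2VOL` is a constructed excerpt of the pasted table, `SAMPLE_DW_AT_NAMES` is constructed sample input, and `audit` and `repaired` are hypothetical helper names.

```python
# Constructed excerpt of the tp2vol table from the issue, keys copied as pasted.
TP2VOL = {
    'long long int': 'long long',
    'long long unsigned int': 'unsigned long long',
    '__int128 unsigned': 'unsigned long long',
    '__int128 ': 'long long',  # trailing space, exactly as pasted
}

# Constructed sample of quoted DW_AT_name values (assumed dump format).
SAMPLE_DW_AT_NAMES = ['"long long int"', '"__int128 unsigned"', '"__int128"']


def base_type_name(tp2vol, dw_at_name):
    """Same lookup as the traceback line: strip double quotes only, then index."""
    return tp2vol[dw_at_name.strip('"')]


def audit(tp2vol, dw_at_names):
    """Return (padded keys, names with no exact key, name -> near-miss key)."""
    padded = sorted(k for k in tp2vol if k != k.strip())
    normalized = {k.strip(): k for k in tp2vol}
    missing, near = [], {}
    for raw in dw_at_names:
        name = raw.strip('"')
        if name not in tp2vol:
            missing.append(name)
            if name in normalized:
                # A key exists that differs only by surrounding whitespace.
                near[name] = normalized[name]
    return padded, missing, near


def repaired(tp2vol):
    """Copy of the table with surrounding whitespace trimmed from every key."""
    return {k.strip(): v for k, v in tp2vol.items()}


if __name__ == '__main__':
    padded, missing, near = audit(TP2VOL, SAMPLE_DW_AT_NAMES)
    print('padded keys: %r' % padded)
    print('unmapped names: %r' % missing)
    print('near misses: %r' % near)
    print('after repair: %s' % base_type_name(repaired(TP2VOL), '"__int128"'))
```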

This is not a Velociraptor issue.