volatilityfoundation
ValueError: negative shift count for volshell.py dt( ps()[0] )
Describe the bug Attempting to display_type for ps() layer returns ValueError: negative shift count.
Context Volatility Version: Volshell (Volatility 3 Framework) 2.5.2 Operating System: MacOS 13.6 Python Version: 3.8.18 Suspected Operating System: Alpine Linux 3.17.3 (v5.15.105-virt kernel) Command: dt( ps()[0] )
To Reproduce Steps to reproduce the behavior:
- Create a type=padded memory image on the target machine
- On the MacOS host, navigate to volatility3 directory
$ python volshell.py -f /Users/indigo/Projects/alpine-mem-dump/alpine-memory-dump-padded.lime -l- In the resulting interactive shell, run
>>> dt( ps()[0] )
Expected behavior Expected a table of memory offsets, symbols and types to print to the terminal for the given layer.
Example output
(layer_name) >>> dt( ps()[0] )
symbol_table_name1!task_struct (11072 bytes)
Traceback (most recent call last):
File "
Additional information When testing an ubuntu 16 memory dump, I see the expected behavior I describe above. I can fix the issue for the Alpine memory image by revising this module: /Users/indigo/Projects/volatility3/volatility3/framework/objects/init.py
To include the indicated lines:
def __new__(
cls,
context: interfaces.context.ContextInterface,
type_name: str,
object_info: interfaces.objects.ObjectInformation,
base_type: interfaces.objects.Template,
start_bit: int = 0,
end_bit: int = 0,
**kwargs,
) -> "BitField":
value = base_type(context=context, object_info=object_info)
if start_bit < 0: # ADD THIS
start_bit = 0 # ADD THIS
if end_bit < 0: # ADD THIS
end_bit = 0 # ADD THIS
return int.__new__(cls, ((value & ((1 << end_bit) - 1)) >> start_bit)) # type: ignore
But I suspect this is a hacky workaround. Perhaps worthy of further scrutiny.
Hello @indigo-pc - I'm quite sure that is related to this dwarf2json issue - https://github.com/volatilityfoundation/dwarf2json/issues/49
I'm not sure there is a full fix for it yet unfortunately.
Hey all!
I encountered the same issue:
root@f2cf2fc13a15:/opt/vol/volatility3# ./volshell.py -f /io/dumps/bpfvol3-archlinux-6.6.7-arch1-1_1703148059.dump -l
Volshell (Volatility 3 Framework) 2.5.2
Readline imported successfully Stacking attempts finished
Call help() to see available functions
Volshell mode : Linux
Current Layer : layer_name
Current Symbol Table : symbol_table_name1
Current Kernel Name : kernel
(layer_name) >>> dt(ps()[0])
symbol_table_name1!task_struct (11584 bytes)
Traceback (most recent call last):
File "<console>", line 1, in <module>
File "/opt/vol/volatility3/volatility3/cli/volshell/linux.py", line 70, in display_type
return super().display_type(object, offset)
File "/opt/vol/volatility3/volatility3/cli/volshell/generic.py", line 387, in display_type
self._display_value(getattr(volobject, member)),
File "/opt/vol/volatility3/volatility3/framework/objects/__init__.py", line 955, in __getattr__
member = template(context=self._context, object_info=object_info)
File "/opt/vol/volatility3/volatility3/framework/objects/templates.py", line 96, in __call__
return self.vol.object_class(
File "/opt/vol/volatility3/volatility3/framework/objects/__init__.py", line 521, in __new__
return int.__new__(cls, ((value & ((1 << end_bit) - 1)) >> start_bit)) # type: ignore
ValueError: negative shift count
I've uploaded some files that could be helpful for debugging on your side (or the dwarf2json devs): https://uni-bonn.sciebo.de/s/zUVwXoctEaEg48u
Thanks a lot!
