Ayyanarklncit / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Some files that have OBJECT_HEADER.Flags == 0x66 are missed by filescan #441

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Run filescan plugin on an image
2.
3.

What is the expected output? What do you see instead?
Some files are missed

What version of the product are you using? On what operating system?
2.2 on Ubuntu Linux. I am able to reproduce on the updated svn code as well.

Please provide any additional information below.
File scan (and other scanners) assume that the object body (FILE_OBJECT) is the 
last member of the allocation and that there is no "gap" between the end of the 
object and end of allocation. While this is true in most cases, it ins't in 
cases when an object is created by the kernel (OBJECT_HEADER.Flag & 0x2) with 
pool type NonPagedPoolCacheAligned. Accordingly, filescan misses such objects. 
PFA, a fixed version of filescan that should address this problem. 
The fix has been tested on volatility 2.2 and the latest version on svn.
While it is possible that the bug is present in other scanners as well, we have 
only tested it on filescan.

Original issue reported on code.google.com by prakar...@gmail.com on 26 Aug 2013 at 3:27

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 30 Aug 2013 at 2:37

GoogleCodeExporter commented 9 years ago
Code to support this should be available in the 2.4 beta branch, which we'll 
supply to prakar177 for testing purposes. If this issue needs to be reopened, 
we will do so. 

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 5:21