GoogleCodeExporter
commented
8 years ago i meant "--profile=WinXPSP3" still get the same results though.Original comment by jamie.l...@gmail.com on 29 Aug 2010 at 5:24
Closed GoogleCodeExporter closed 8 years ago
GoogleCodeExporter
commented
8 years ago i meant "--profile=WinXPSP3" still get the same results though.Original comment by jamie.l...@gmail.com on 29 Aug 2010 at 5:24
GoogleCodeExporter
commented
8 years ago I did a small test on an XPSP2 image, and sure enough they didn't turn up the
same results.
Looking at the code paths involved, 1.3.2 uses a single function, unrolled, to
look through the various tables of tables. Those that aren't an end-node got
an array size of 0x400, those that were of only 0x200. In the 1.4 code, a
recursive function was used, and each stage was only given an array of 0x200.
I increased the size of arrays with a table_level > 0, and turned up some
additional results, but *not* those missing from the 1.3.2 output. I then
tried using 0x400 for all of the arrays, and again got a few more results, but
the 1.3.2 output still had some that weren't in the 1.4 output.
So really I need to call in someone who knows how these ObjectTables work, and
see if they can figure out what's missing and why. I'll continue having a poke
around and see if I can pull back those remaining entries, but it's really
unclear as to what's going on (and why it doesn't happen all the time).
For those that want it, here's the quick change to 1.4 to get additional
results.Original comment by mike.auty@gmail.com on 2 Sep 2010 at 4:43
Attachments:
GoogleCodeExporter
commented
8 years ago I tried the same fix on my own earlier, but it crashes on the XP SP3 image
above:
$ ./volatility.py files -f ~/Work/volatility/xpsp3.vmem
Volatile Systems Volatility Framework 1.4_rc1
Pid: 4
File \pagefile.sys
File \WINDOWS\system32\config\default
File \System Volume
Information\_restore{57726F20-9F0F-4D22-B53C-B6F197BAA74A}\RP72\change.log
File \Topology
Traceback (most recent call last):
File "./volatility.py", line 138, in <module>
main()
File "./volatility.py", line 129, in main
command.execute()
File "/Users/gleeda/Work/TESTING/vol_1.4/volatility/commands.py", line 96, in execute
func(outfd, data)
File "/Users/gleeda/Work/TESTING/vol_1.4/plugins/internal/taskmods.py", line 123, in render_text
for h in handles:
File "/Users/gleeda/Work/TESTING/vol_1.4/plugins/internal/taskmods.py", line 139, in handle_list
for h in task.handles():
File "/Users/gleeda/Work/TESTING/vol_1.4/plugins/overlays/Windows/xp_sp2.py", line 261, in handles
for h in self._make_handle_array(offset, table_levels):
File "/Users/gleeda/Work/TESTING/vol_1.4/plugins/overlays/Windows/xp_sp2.py", line 228, in _make_handle_array
for h in self._make_handle_array(offset, level - 1):
File "/Users/gleeda/Work/TESTING/vol_1.4/plugins/overlays/Windows/xp_sp2.py", line 237, in _make_handle_array
if item.Type.Name:
File "/Users/gleeda/Work/TESTING/vol_1.4/volatility/obj.py", line 771, in __getattribute__
return self.m(attr)
File "/Users/gleeda/Work/TESTING/vol_1.4/volatility/obj.py", line 756, in m
parent = self, name = attr)
File "/Users/gleeda/Work/TESTING/vol_1.4/volatility/obj.py", line 554, in __init__
parent = parent, profile = profile)
File "/Users/gleeda/Work/TESTING/vol_1.4/volatility/obj.py", line 490, in __init__
BaseObject.__init__(self, theType, offset, vm, parent = parent, name = name)
File "/Users/gleeda/Work/TESTING/vol_1.4/volatility/obj.py", line 298, in __init__
raise InvalidOffsetError("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name))
volatility.obj.InvalidOffsetError: Invalid Address 0x80800000, instantiating
TypeOriginal comment by jamie.l...@gmail.com on 2 Sep 2010 at 5:13
GoogleCodeExporter
commented
8 years ago Hmmmm, I've updated the summary to give a better idea of the problem. The
patch evidently still doesn't do the same thing that 1.3.2 does, so it'll need
a bit more looking into. Thanks for the additional information, hopefully
we'll get this sorted soon... 5:)Original comment by mike.auty@gmail.com on 2 Sep 2010 at 5:18
GoogleCodeExporter
commented
8 years ago just to clarify: you get the same crash with or without "--profile=WinXPSP3"
someone asked me about that ;-)
Also with SP2 I get too many repeated files. For example, when running
against the sample_nist0625_xpsp2.mem sample the following output is repeated
50 times for pid 4:
File \Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
File \Documents and Settings\LocalService\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
File \Documents and Settings\Sarah\NTUSER.DAT
File \Documents and Settings\Sarah\ntuser.dat.LOG
File \Documents and Settings\Sarah\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat
File \Documents and Settings\Sarah\Local Settings\Application
Data\Microsoft\Windows\UsrClass.dat.LOG
File \Topology
File \
File \WINDOWS\system32\MsDtc\Trace\dtctrace.log
File \255
File \113
Original comment by jamie.l...@gmail.com on 2 Sep 2010 at 6:27
GoogleCodeExporter
commented
8 years ago Ok, well, I figured out the difference between the two versions, now we just
have to figure out which one's right...
In volatility-1.3.2, the table arrays (rather than the ones that hold objects)
are traversed from 0 to 0x400 in steps of 4 (ADDR_SIZE), whilst the end arrays
(the ones that hold objects) are traversed from 0 to 0x200 in steps of 8
(obj_size of _HANDLE_TABLE_ENTRY).
In volatility-1.4, the table arrays and the table entries are traversed from 0
to 0x200 in steps of 8 (_HANDLE_TABLE_ENTRY size). Volatility-1.4 also stop
traversing a table at the first bad offset (which may not have any impact on
the matter, but does differ from how 1.3 works).
What this is means is that either 1.4 was skipping over half the entries, or
1.3 was finding additional (incorrect) entries, and returning them. The
question is which. Anyone know enough about this to hazard an answer? I'm
happy to produce a patch either way, but at the moment I don't know the exact
rules for how these tables are supposed to work. The XP_SP3 generated type for
HANDLE_TABLE_ENTRY also doesn't really give any clues as to what goes where.Original comment by mike.auty@gmail.com on 2 Sep 2010 at 7:35
GoogleCodeExporter
commented
8 years ago Ok, here's a patch in case 1.3 turns out to be the right solution (although, we
do still need someone to verify this for us). Please test it and let me know
if it gives the same output as 1.3.2 at least.
It seems a little odd, because the _HANDLE_TABLE_ENTRY's Object (which is a
Pointer to Void in both sp2 and sp3) won't actually point to a valid
_OBJECT_HEADER, unless it's anded with 0x00000007. So all in all, it might
just as well be treated as an unsigned int/long. It's therefore entirely
unclear what the point of a _HANDLE_TABLE_ENTRY is?
In that patch, it might also be worth using entry.Value rather than
entry.Object, but only Object is defined for SP2 (in SP3, Value and several
other members are defined). This relates to the need for XPSP2 to be
autogenerated, so we get all the random little members that weren't entered by
hand.
Anyway, for now, this bug is still waiting on someone to say authoritatively
exactly how the ObjectTables work.Original comment by mike.auty@gmail.com on 2 Sep 2010 at 9:04
Attachments:
GoogleCodeExporter
commented
8 years ago This seems to have fixed the problem. I've tested on different images SP3 and
SP2 and don't see this problem now :-)Original comment by jamie.l...@gmail.com on 2 Sep 2010 at 9:30
GoogleCodeExporter
commented
8 years ago I'm reasonably confident that Volatility 1.3.2's is correct. At one point we
had the numbers wrong (we were going off of Schreiber's description, which was
valid for Win2k and not XP), but there should be a changelog entry for the rev
where we fixed that. When I put in that fix I also created a test program that
created a large number of uniquely named mutexes, and verified that handles
found them all.Original comment by moo...@gmail.com on 3 Sep 2010 at 7:05
GoogleCodeExporter
commented
8 years ago Ok, cool, it might be worth running the test program again, if you've still got
it somewhere?
Since we seem to now have parity with the 1.3.2 version I'm going to mark this
as Fixed. Feel free to reopen it if anyone spots something that doesn't look
right/is missing... 5:)Original comment by mike.auty@gmail.com on 3 Sep 2010 at 10:25
Original issue reported on code.google.com by
jamie.l...@gmail.comon 29 Aug 2010 at 5:17