ECToo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

OverflowError in FileAddressSpace #453

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
The following backtrace was raised when analyzing a win8 32-bit memory dump. In 
particular, the get_available_pages() function in the intel address space not 
only found a page directory entry that pointed back to its own page but the 
value has its most significant bit set (turning it into a very large number). 

Here is the backtrace:

Traceback (most recent call last):
  File "vol.py", line 186, in <module>
    main()
  File "vol.py", line 177, in main
    command.execute()
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/commands.py", line 87, in execute
    data = self.calculate()
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/cache.py", line 577, in wrapper
    return f(s, *args, **kwargs)
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/pstree.py", line 110, in calculate
    for task in tasks.pslist(addr_space)
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/pstree.py", line 109, in <genexpr>
    (int(task.UniqueProcessId), task) 
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/win32/tasks.py", line 72, in pslist
    for p in get_kdbg(addr_space).processes():
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/win32/tasks.py", line 48, in get_kdbg
    kdbgo = obj.VolMagic(addr_space).KDBG.v()
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/obj.py", line 779, in v
    return self.get_best_suggestion()
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/obj.py", line 805, in get_best_suggestion
    for val in self.get_suggestions():
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/obj.py", line 797, in get_suggestions
    for x in self.generate_suggestions():
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/overlays/windows/windows.py", line 754, in generate_suggestions
    for val in scanner.scan(self.obj_vm):
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/kdbgscan.py", line 84, in scan
    for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/scan.py", line 95, in scan
    for (range_start, range_size) in sorted(address_space.get_available_addresses()):
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/addrspaces/paged.py", line 116, in get_available_addresses
    for (offset, size) in self.get_available_pages():
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/addrspaces/intel.py", line 284, in get_available_pages
    pte_entry = self._read_long_long_phys(pte_curr)
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/addrspaces/intel.py", line 252, in _read_long_long_phys
    string = self.base.read(addr, 8)
  File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/addrspaces/standard.py", line 98, in read
    self.fhandle.seek(addr)
OverflowError: Python int too large to convert to C long

The AS gets a pgd_curr value of 0x189018 and uses read_long_long_phys to get 8 
bytes:

 0189018: 6390 1800 0000 0080 63e8 4e1f 0000 0000  c.......c.N.....

Those 8 bytes are 0x8000000000189000 as an integer. 

You can reproduce the error with any memory dump:

$ python vol.py -f XPSP3-8c391840.vmem volshell
Volatile Systems Volatility Framework 2.3_beta
Current context: process System, pid=4, ppid=0 DTB=0x319000
Welcome to volshell! Current memory image is:
To get help, type 'hh()'
>>> self.addrspace.base.read(0xffffffffffffffffff, 1)
Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/Users/michaelligh/Desktop/volatility23/volatility/plugins/addrspaces/standard.py", line 98, in read
    self.fhandle.seek(addr)
OverflowError: Python int too large to convert to C long

Original issue reported on code.google.com by michael.hale@gmail.com on 9 Oct 2013 at 12:44
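An added illustration, not Volatility's code and not part of the report above, of the two checks the report implies: mask a PAE directory entry down to its page-frame bits (dropping the flag bits and the NX bit at bit 63) before using it as a physical address, and bound file reads so that an address outside the image returns None instead of reaching seek() and raising OverflowError. The 8 bytes decoded here are the ones quoted above (little-endian, the low byte 0x63 holds the flag bits), placed into a small constructed in-memory image at offset 0x189018; the class and function names are hypothetical.

```python
import io
import struct

# Constructed sample: the 8 bytes quoted in the report, as found at physical 0x189018.
SAMPLE_ENTRY_BYTES = bytes.fromhex("6390180000000080")
SAMPLE_ENTRY_OFFSET = 0x189018
SAMPLE_PGD_PAGE = SAMPLE_ENTRY_OFFSET & ~0xFFF   # page holding the directory: 0x189000

PAE_PRESENT = 1 << 0
PAE_RW = 1 << 1
PAE_NX = 1 << 63
# PAE/x64 entries keep the physical frame address in bits 12..51 (M <= 52).
PAE_ADDR_MASK = ((1 << 52) - 1) & ~0xFFF


def decode_pae_entry(raw):
    """Split one 64-bit PAE entry into its flags and the page base it points to."""
    (entry,) = struct.unpack("<Q", raw)
    return {
        "raw": entry,
        "present": bool(entry & PAE_PRESENT),
        "writable": bool(entry & PAE_RW),
        "nx": bool(entry & PAE_NX),
        "page_base": entry & PAE_ADDR_MASK,
    }


def next_table_address(raw, current_table_page):
    """Physical page an entry points to, or None if it is not present or points
    back at the table it lives in (the self-referencing case in the report)."""
    e = decode_pae_entry(raw)
    if not e["present"]:
        return None
    if e["page_base"] == current_table_page:
        return None
    return e["page_base"]


class BoundedFileAddressSpace:
    """Minimal file-backed reader (hypothetical, stands in for FileAddressSpace)
    that validates an offset against the image size before seeking."""

    def __init__(self, fobj):
        self.fhandle = fobj
        self.fhandle.seek(0, io.SEEK_END)
        self.fsize = self.fhandle.tell()

    def is_valid_address(self, addr):
        return isinstance(addr, int) and 0 <= addr < self.fsize

    def read(self, addr, length):
        # Out-of-range or oversized addresses never reach seek(), so no OverflowError.
        if length < 0 or not self.is_valid_address(addr):
            return None
        self.fhandle.seek(addr)
        return self.fhandle.read(length)


def build_sample_image():
    """Constructed image: zeros except for the quoted entry at 0x189018."""
    buf = bytearray(SAMPLE_PGD_PAGE + 0x1000)
    buf[SAMPLE_ENTRY_OFFSET:SAMPLE_ENTRY_OFFSET + 8] = SAMPLE_ENTRY_BYTES
    return BoundedFileAddressSpace(io.BytesIO(bytes(buf)))


def walk_entry(space, entry_phys):
    """Read one entry from the image and return (decoded entry, next page or None)."""
    raw = space.read(entry_phys, 8)
    if raw is None or len(raw) != 8:
        return None, None
    return decode_pae_entry(raw), next_table_address(raw, entry_phys & ~0xFFF)


if __name__ == "__main__":
    space = build_sample_image()
    entry, nxt = walk_entry(space, SAMPLE_ENTRY_OFFSET)
    print("entry=0x%x base=0x%x nx=%s next=%s" % (entry["raw"], entry["page_base"], entry["nx"], nxt))
    print("unmasked read:", space.read(entry["raw"] & ~0xFFF, 8))
```

Using the raw entry as an address (0x8000000000189000 after clearing the flag bits) is rejected by the bounds check, and the masked base 0x189000 is recognised as the directory's own page, so the walker stops instead of looping or overflowing.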

GoogleCodeExporter commented 9 years ago
This is now handled properly in the 2.4 beta branch, so I'm closing this issue. 

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 4:29