Leor3961 / volatility

Automatically exported from code.google.com/p/volatility

TypeError getting process address space #39

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hey guys, 

I've been looking into a TypeError issue and wanted to share what I've found, 
though it's not a complete fix (nor do I know the exact problem). I placed two 
memory dumps at http://www.mnin.org/Archive.zip. You should be able to 
reproduce the problem like this:

$ python volatility.py dlllist -f dreamon.bin -p 2596
************************************************************************
cmd.exe pid:   2596
Unable to read PEB for task.

OK, no problem there, except that the PEB is unreadable, but then try one of the 
Vad commands:

$ python volatility.py vadinfo -f dreamon.bin -p 2596
************************************************************************
Pid:   2596
Traceback (most recent call last):
  File "volatility.py", line 129, in <module>
    main()
  File "volatility.py", line 120, in main
    command.execute()
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/vadinfo.py", line 46, in render_text
    for vad in task.VadRoot.traverse():
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 592, in __getattribute__
    result = self.dereference()
  File "/Users/user/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 568, in dereference
    name = self.name)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/windows/xp_sp2_x86.py", line 330, in __new__
    vm = eprocess.get_process_address_space()
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/overlays/windows/xp_sp2_x86.py", line 240, in get_process_address_space
    process_as = self.vm.__class__(self.vm.base, dtb = directory_table_base)
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/intel.py", line 92, in __init__
    self.as_assert(self.is_valid_kernelAS(), "Not a valid Kernel Address Space")
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/intel.py", line 128, in is_valid_kernelAS
    for (offset, _length) in self.get_available_addresses():
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/standard.py", line 163, in get_available_addresses
    for (offset, size) in self.get_available_pages():
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/intel.py", line 342, in get_available_pages
    if self.entry_present(pte_value):
  File "/Users/user/Desktop/Volatility-1.4_rc1/plugins/addrspaces/intel.py", line 163, in entry_present
    return (entry & 1) == 1
TypeError: unsupported operand type(s) for &: 'NoneType' and 'int'

In xp_sp2_x86.py, you can catch the exception by changing:

try:
    process_as = self.vm.__class__(self.vm.base, dtb = directory_table_base)
-    except AssertionError, _e:
+    except (TypeError, AssertionError), _e:
    return obj.NoneObject("Unable to get process AS")
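Review bot: catching TypeError next to AssertionError at the `self.vm.__class__(...)` call masks the real defect rather than fixing it. The traceback shows the `None` originates in `intel.py` `get_available_pages`, where `pte_value` is already `None` before `entry_present` evaluates `entry & 1`, so with this change an unreadable PTE is reported as "Unable to get process AS" and the process is silently skipped, indistinguishable from a genuinely bad DTB. Prefer guarding the value where it is read (treat a `None` `pte_value` as not present in `get_available_pages`, or check it at the top of `entry_present`) and keep this `except` limited to `AssertionError`; if the broad catch must stay for now, at least include the text of `_e` in the `NoneObject` reason so the underlying condition remains visible to the user.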

However, that's a temporary fix only. In the other memory sample, the process 
in question is pid 3120:

$ python volatility.py dlllist -f conficker.bin -p 3120
************************************************************************
cmd.exe pid:   3120
Unable to read PEB for task.

$ python volatility.py vadinfo -f conficker.bin -p 2596
[same stack trace as above]

Original issue reported on code.google.com by michael.hale@gmail.com on 15 Oct 2010 at 4:10

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r499.

Original comment by mike.auty@gmail.com on 15 Oct 2010 at 12:42

GoogleCodeExporter commented 8 years ago
Ok, so I've done a slightly better fix by checking entry before trying the 
return.  However, this only fixes this particular instance of the problem; it 
may well be worth putting additional functions into NoneObject so that they can 
be &ed with a value and always return a NoneObject.  __and__ didn't seem to do 
it, but the other option is to add in better error checking in the addrspaces.  
It might be worth doing both.  What's your view on this scudette?

Original comment by mike.auty@gmail.com on 15 Oct 2010 at 12:56
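The two remedies discussed in this thread, a guard on the entry before it is used and a `NoneObject` that absorbs bitwise operations, side by side as an added illustration. This is not Volatility's code and comes from neither commenter: the class and function names `NoneObject` and `entry_present` mirror the thread, but their bodies, the `available_pages` walker and the sample PTE list are constructed here to show how each approach behaves when a page-table entry could not be read from the dump.

```python
# Added illustration, not Volatility's own code. Names mirror the issue
# thread; bodies and sample data are constructed for this example.

class NoneObject(object):
    """Stand-in for the placeholder Volatility hands back for unreadable data.

    The thread proposes letting it be "&ed" with a value and still yield a
    NoneObject, so expressions such as (entry & 1) == 1 evaluate to False
    instead of raising TypeError.
    """

    def __init__(self, reason):
        self.reason = reason

    def __bool__(self):
        # A NoneObject is always falsy, like None.
        return False

    __nonzero__ = __bool__  # Python 2 spelling of the truthiness hook

    def __and__(self, other):
        # NoneObject & x -> the same NoneObject (error propagates, not raises)
        return self

    # x & NoneObject -> int.__and__ returns NotImplemented, so Python tries
    # the reflected operator; without this, 1 & NoneObject(...) still raises.
    __rand__ = __and__


def entry_present_naive(entry):
    """The original one-liner from intel.py; raises TypeError on a plain None."""
    return (entry & 1) == 1


def entry_present_guarded(entry):
    """Remedy 1 from the thread: check the entry before touching it.

    A None or NoneObject PTE means the page holding it was not captured in
    the dump, which for page-walking purposes is the same as 'not present'.
    """
    if entry is None or isinstance(entry, NoneObject):
        return False
    return (entry & 1) == 1


# Constructed sample: a tiny page-table fragment. Index 1 is a plain None (the
# raw read failed, as in the reported traceback); index 3 is a NoneObject (the
# read failed but was wrapped, the behaviour remedy 2 aims for).
SAMPLE_PTES = [0x00401063, None, 0x00402000, NoneObject("PTE page unreadable")]


def available_pages(ptes, entry_present):
    """Return the indices of present entries, using the supplied predicate.

    Mirrors the loop shape in the traceback (get_available_pages calling
    entry_present for each pte_value) without any real address-space logic.
    """
    present = []
    for index, pte in enumerate(ptes):
        if entry_present(pte):
            present.append(index)
    return present


if __name__ == "__main__":
    print("guarded:", available_pages(SAMPLE_PTES, entry_present_guarded))
    try:
        available_pages(SAMPLE_PTES, entry_present_naive)
    except TypeError as e:
        print("naive raised:", e)
```

Running the block shows the guarded predicate walking the whole sample and reporting only index 0 as present (0x00402000 has bit 0 clear), while the naive predicate raises the same `unsupported operand type(s) for &` error as the traceback once it reaches the plain `None`. With a `NoneObject` in place of that `None`, the naive predicate survives too, which is the point of the `__and__`/`__rand__` approach; doing both, as the last comment suggests, covers raw reads that still return `None` as well as values that were already wrapped.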