Leor3961 / volatility

Automatically exported from code.google.com/p/volatility

Need to check if val.Type in VALUE_TYPES #56

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
When running against keys that have values that are not found in VALUE_TYPES 
you get the following error:

$ ./volatility.py -f ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 
printkey -o 0xE1482008 -K 'SAM\Domains\Account\Users\Names\guest'
Volatile Systems Volatility Framework 1.4_rc1
Key name: Guest
(Stable)
Last updated: 2008-09-19 16:16:32 

Subkeys:

Values:
Traceback (most recent call last):
  File "./volatility.py", line 126, in <module>
    main()
  File "./volatility.py", line 117, in main
    command.execute()
  File "/TESTING/vol_1.4/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/TESTING/vol_1.4/volatility/plugins/registry/printkey.py", line 105, in render_text
    tp, dat = rawreg.value_data(v)
  File "/TESTING/vol_1.4/volatility/win32/rawreg.py", line 144, in value_data
    valtype = VALUE_TYPES[val.Type.v()]
KeyError: 501 

$ ./volatility.py -f ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 
printkey -o 0xE1482008 -K 'SAM\Domains\Account\Users\Names\moyix'
Volatile Systems Volatility Framework 1.4_rc1
Key name: moyix
(Stable)
Last updated: 2008-09-19 20:29:49 

Subkeys:

Values:
Traceback (most recent call last):
  File "./volatility.py", line 126, in <module>
    main()
  File "./volatility.py", line 117, in main
    command.execute()
  File "/TESTING/vol_1.4/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/TESTING/vol_1.4/volatility/plugins/registry/printkey.py", line 105, in render_text
    tp, dat = rawreg.value_data(v)
  File "/TESTING/vol_1.4/volatility/win32/rawreg.py", line 144, in value_data
    valtype = VALUE_TYPES[val.Type.v()]
KeyError: 1003

Perhaps you should modify value_data like this:

    try:
        valtype = VALUE_TYPES[val.Type.v()]
    except KeyError:
        # Type field holds a value not in the table: name it instead of crashing
        valtype = "REG_UNKNOWN_%X" % val.Type.v()

Output after fix:

$ ./volatility.py -f ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 
printkey -o 0xE1482008 -K 'SAM\Domains\Account\Users\Names\moyix'
Volatile Systems Volatility Framework 1.4_rc1
Key name: moyix
(Stable)
Last updated: 2008-09-19 20:29:49 

Subkeys:

Values:
REG_UNKNOWN_3EB            :  (Stable)

Original issue reported on code.google.com by jamie.l...@gmail.com on 6 Jan 2011 at 2:49

GoogleCodeExporter commented 8 years ago
Hmmm, those values are very odd, since 501 for the guest is the default 
Relative ID for that user, and 1003 would be the RID for the third or fourth 
user added to the system.  That suggests that val's been filled with the wrong 
thing (not a type, but actual data), so I'm going to try and replicate this and 
then see if I can get to the bottom of it...

Original comment by mike.auty@gmail.com on 6 Jan 2011 at 9:46

GoogleCodeExporter commented 8 years ago
Ok, so according to [1] 

"However, note that in some instances, Windows and third-party software does 
not honor this convention and instead uses the data type field in the VK record 
for other purposes. (One example is in the Windows SAM hive, where this field 
is used to store user IDs.)"

I'm not sure how best to detect these.  The key.DataLength is 0x80000000, which 
[2] thinks indicates that the value is actually stored in the type, so I'm 
going to code up a patch around that theory.  If anyone has any better 
suggestions, let me know...  5:)

[1] http://www.sentinelchicken.com/data/TheWindowsNTRegistryFileFormat.pdf
[2] http://www.beginningtoseethelight.org/ntsecurity/index.php#3E59AFD2F6CCC6E8

Original comment by mike.auty@gmail.com on 6 Jan 2011 at 11:09
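The VK record shape discussed in the comment above, as an added illustration that is not Volatility's code: a small parser over constructed VK cells that applies the REG_UNKNOWN_%X fallback from the report and flags the zero-length inline-data case (DataLength high bit set) in which the Type field carries a user RID rather than a registry type. The VALUE_TYPES subset, make_vk builder and rid_in_type field are assumptions of this example.

```python
import struct

# Subset of the registry value types Volatility's rawreg.VALUE_TYPES maps
# (constructed for this example; the real table is longer).
VALUE_TYPES = {
    0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
    4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD",
}

# VK (value key) record header that follows the 4-byte cell size:
# signature, name length, data length, data offset, type, flags, spare.
VK_HEADER = struct.Struct("<2sHIIIHH")
INLINE_DATA = 0x80000000   # DataLength high bit: data is stored inline, not at DataOffset

def value_type_name(vtype):
    """Same idea as the fix suggested in the report: never raise on an unknown type."""
    try:
        return VALUE_TYPES[vtype]
    except KeyError:
        return "REG_UNKNOWN_%X" % vtype

def make_vk(name, datalen, dataoff, vtype):
    """Build a constructed VK cell (negative cell size marks an allocated cell)."""
    body = VK_HEADER.pack(b"vk", len(name), datalen, dataoff, vtype, 0, 0) + name.encode()
    return struct.pack("<i", -(4 + len(body))) + body

def parse_vk(cell):
    """Decode one VK cell into a dict; tolerant of Type values outside VALUE_TYPES."""
    sig, namelen, datalen, dataoff, vtype, flags, _ = VK_HEADER.unpack_from(cell, 4)
    if sig != b"vk":
        raise ValueError("not a vk record")
    start = 4 + VK_HEADER.size
    name = cell[start:start + namelen].decode("latin-1")
    inline = bool(datalen & INLINE_DATA)
    length = datalen & ~INLINE_DATA
    rec = {"name": name, "type": value_type_name(vtype), "inline": inline, "length": length}
    if inline and length == 0:
        # Zero-length inline data is the shape seen under SAM\...\Users\Names, where
        # the Type field is reused to hold the account's RID (hypothetical field name).
        rec["rid_in_type"] = vtype
    return rec

if __name__ == "__main__":
    # Constructed cells: a SAM-style RID-in-type record and an ordinary inline DWORD.
    for cell in (make_vk("", 0x80000000, 0, 501), make_vk("Flags", 0x80000004, 0x2A, 4)):
        print(parse_vk(cell))
```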

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r584.

Original comment by mike.auty@gmail.com on 6 Jan 2011 at 11:20