Nicebear / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Exception passing NoneObject UnicodeString to re.search #196

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I got the following error with dlldump:

$ python vol.py -f VistaSP0x64-9fe7abd5.vmem --profile=VistaSP2x64 -D out/ -p 
536 dlldump -r kernel32 -i 
Volatile Systems Volatility Framework 2.1_alpha
Dumping kernel32.dll, Process: wininit.exe, Base: 77150000 output: 
module.536.c0812c0.77150000.dll
Traceback (most recent call last):
  File "vol.py", line 135, in <module>
    main()
  File "vol.py", line 126, in main
    command.execute()
  File "/Users/Michael/volatility_iat/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/Users/Michael/volatility_iat/volatility/plugins/dlldump.py", line 94, in render_text
    for proc, ps_ad, mod_base, mod_name in data:
  File "/Users/Michael/volatility_iat/volatility/cache.py", line 534, in generate
    for x in g:
  File "/Users/Michael/volatility_iat/volatility/plugins/dlldump.py", line 84, in calculate
    if not mod_re.search(str(mod.FullDllName)) and not mod_re.search(str(mod.BaseDllName)):
TypeError: __str__ returned non-string (type NoneObject)

It successfully dumped the DLL I wanted, but encountered an exception shortly 
thereafter. According to dlllist for the process, there are a few paths that 
can't be resolved:

0x7fefc9c0000   0x007000     C:\Windows\System32\wshtcpip.dll
0x7fefcea0000   0x007000     C:\Windows\System32\wship6.dll
0x7fefd0e0000   0x137000     C:\Windows\system32\CRYPT32.dll
0x7fefd290000   0x019000     C:\Windows\system32\MSASN1.dll
0x7fefcec0000   0x009000     -
0x7fefcb50000   0x054000     -
0x7fefd5a0000   0x0a3000     -
0x77420000   0x009000     -

Those UNICODE_STRING are probably paged and returning NoneObject, which is then 
passed to re.search. So if we plan to return NoneObject for unprintable unicode 
strings, we should check them before passing to re.search. 

Original issue reported on code.google.com by michael.hale@gmail.com on 30 Jan 2012 at 1:19

GoogleCodeExporter commented 8 years ago
I think the problem is that NoneObject.__str__ must return a string
(not another NoneObject). Which string is the question - it might
return some kind of reason (so if you do print on the NoneObject you
get a reason). Alternatively we might return an empty string so it
wont match.

Another option is to check the object before passing to re.search.

Which do you think?
Michael.

Original comment by scude...@gmail.com on 30 Jan 2012 at 2:38

GoogleCodeExporter commented 8 years ago
Someone just reported this issue to me today.  I'm guessing this is also 
related to issue 186.  here's the output they sent:

$ python vol.py -f RAM.img imageinfo
Volatile Systems Volatility Framework 2.1_alpha
Determining profile based on KDBG search...

         Suggested Profile(s) : WinXPSP3x86, WinXPSP2x86 (Instantiated with WinXPSP2x86)
                    AS Layer1 : JKIA32PagedMemoryPae (Kernel AS) 
                    AS Layer2 : FileAddressSpace (/home/<user>/ITSM/RAM.img)
                     PAE type : PAE 
                          DTB : 0xa48000
                         KDBG : 0x8054d2e0
                         KPCR : 0xffdff000
            KUSER_SHARED_DATA : 0xffdf0000
          Image date and time : 1970-01-01 00:00:00
    Image local date and time : 1970-01-01 00:00:00
Traceback (most recent call last):
 File "vol.py", line 135, in <module>
   main()
 File "vol.py", line 126, in main
   command.execute()
 File "/home/<user>/volatility/volatility/commands.py", line 101, in execute
   func(outfd, data)
 File "/home/<user>/volatility/volatility/plugins/imageinfo.py", line 37, in render_text
   for k, v in data:
 File "/home/<user>/volatility/volatility/cache.py", line 534, in generate
   for x in g:
 File "/home/<user>/volatility/volatility/plugins/imageinfo.py", line 112, in calculate
   for csdversion, numprocessors in self.find_task_items(addr_space):
 File "/home/<user>/volatility/volatility/plugins/imageinfo.py", line 149, in find_task_items
   csdvers[str(task.Peb.CSDVersion)] = csdvers.get(str(task.Peb.CSDVersion), 0) + 1 
TypeError: __str__ returned non-string (type NoneObject)

Original comment by jamie.l...@gmail.com on 1 Feb 2012 at 11:00

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r1363.

Original comment by mike.auty@gmail.com on 12 Feb 2012 at 10:01

GoogleCodeExporter commented 8 years ago
NoneObject.__str__ has returned a string since October 2nd (r1100).  This is 
because UNICODE_STRING doesn't verify that it returns a string from __str__.  
Please check that this resolves the issue, and reopen if there are any 
problems...

Original comment by mike.auty@gmail.com on 12 Feb 2012 at 10:04

GoogleCodeExporter commented 8 years ago
All good from my perspective (the command in comment #1 no longer crashes). 
Gleeda you may want to get the user who reported commet #2 to double check

Original comment by michael.hale@gmail.com on 13 Feb 2012 at 3:47