Nicebear / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Using volatility 2.3 beta (revision 3460) with imageinfo plugin on memory dump collected with winpmem results in TypeError #438

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Took memory dump of 64-bit Win 7 VM (VirtualBox) using "winpmem-1.3.1.exe myvm.mem"
2. Invoked volatility with "$ vol.py -f myvm.mem imageinfo"
3. Received "TypeError: hex() argument can't be converted to hex" at end of run.

What is the expected output? What do you see instead? I get the expected 
output, but also receive a TypeError

What version of the product are you using? On what operating system?
volatility 2.3_beta (revision 3460 and also tried revision 3420) on Ubuntu 12 
LTS.

Please provide any additional information below.

Aside from this error, things appear to work correctly.

$ vol.py -f myvm.mem imageinfo
Volatile Systems Volatility Framework 2.3_beta
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (myvm.mem)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a4a0a0
          Number of Processors : 32
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a4bd00L
                KPCR for CPU 1 : 0xfffff880009e5000L
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 186, in <module>
    main()
  File "/usr/local/bin/vol.py", line 177, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/imageinfo.py", line 34, in render_text
    for k, v in data:
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/imageinfo.py", line 99, in calculate
    yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), hex(kpcr.obj_offset))
TypeError: hex() argument can't be converted to hex

Original issue reported on code.google.com by jessebow...@gmail.com on 5 Aug 2013 at 8:15

GoogleCodeExporter commented 8 years ago
Jesse, 

Do you happen to know if the system truly has 32 processors? (Note "Number of 
Processors : 32")

If not, I can see how that would cause the error you're seeing - as we'd try to 
read outside the bounds of an array. If 32 processors is accurate, can you 
re-acquire with winpmem, with another live tool, or via the virtualbox 
debugvm/dumpguestcore method (http://wiki.yobi.be/wiki/RAM_analysis) and see if 
you get the same error?

Thanks!

Original comment by michael.hale@gmail.com on 6 Aug 2013 at 4:34

GoogleCodeExporter commented 8 years ago
Nope, only two processors!

Tried reading a direct debugvm ELF file, same essential error:

$ vol.py -f test.elf imageinfo
Volatile Systems Volatility Framework 2.3_beta
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (test.elf)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a4a0a0
          Number of Processors : 32
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a4bd00L
                KPCR for CPU 1 : 0xfffff880009e5000L
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 186, in <module>
    main()
  File "/usr/local/bin/vol.py", line 177, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/imageinfo.py", line 34, in render_text
    for k, v in data:
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/imageinfo.py", line 99, in calculate
    yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), hex(kpcr.obj_offset))
TypeError: hex() argument can't be converted to hex

Reacquiring with winpmem gave the same results.

Attempting to carve out the memory section based on the directions in your link 
appear to be out of date (or the source of some of the issue?). My output from 
objdump is:

$ objdump -h test.elf|egrep -w "(Idx|load1)"
Idx Name          Size      VMA               LMA               File off  Algn
  1 load1         80000000  0000000000000000  0000000000000000  00000bec  2**0

bec = 3052 / 32 = 95.375 ...Which doesn't seem like a likely offset!

Anything else I can do to test this?

Cheers!

Original comment by jessebow...@gmail.com on 6 Aug 2013 at 7:04

GoogleCodeExporter commented 8 years ago
Hi Jesse, 

Thanks for the info. Actually there is one more thing you can do, if its not 
too much trouble. Can you add a debug statement in the file 
volatility/plugins/overlays/windows/kdbg_vtypes.py immediately after line 105:

https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/overlays/windows/kdbg_vtypes.py#105

So it should appear like this:

105 for p in cpu_array:
106     print type(p), p

And then paste the output of imageinfo again? It doesn't appear like an 
acquisition error at this point if the ELF gave you the same problem. 

Thanks!

Original comment by michael.hale@gmail.com on 6 Aug 2013 at 7:24

GoogleCodeExporter commented 8 years ago
$ vol.py -f test.elf imageinfo
Volatile Systems Volatility Framework 2.3_beta
Determining profile based on KDBG search...

          Suggested Profile(s) : Win2008R2SP0x64, Win7SP1x64, Win7SP0x64, Win2008R2SP1x64
                     AS Layer1 : AMD64PagedMemory (Kernel AS)
                     AS Layer2 : VirtualBoxCoreDumpElf64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/bowling/test.elf)
                      PAE type : PAE
                           DTB : 0x187000L
                          KDBG : 0xf80002a4a0a0
<class 'volatility.obj.Pointer'> 18446735277660880512
<class 'volatility.obj.Pointer'> 18446735827382718848
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
<class 'volatility.obj.Pointer'> 0
          Number of Processors : 32
     Image Type (Service Pack) : 1
                KPCR for CPU 0 : 0xfffff80002a4bd00L
                KPCR for CPU 1 : 0xfffff880009e5000L
Traceback (most recent call last):
  File "/usr/local/bin/vol.py", line 186, in <module>
    main()
  File "/usr/local/bin/vol.py", line 177, in main
    command.execute()
  File "/usr/local/lib/python2.7/dist-packages/volatility/commands.py", line 111, in execute
    func(outfd, data)
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/imageinfo.py", line 34, in render_text
    for k, v in data:
  File "/usr/local/lib/python2.7/dist-packages/volatility/plugins/imageinfo.py", line 99, in calculate
    yield ('KPCR for CPU {0}'.format(kpcr.ProcessorBlock.Number), hex(kpcr.obj_offset))
TypeError: hex() argument can't be converted to hex

Original comment by jessebow...@gmail.com on 6 Aug 2013 at 7:32

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r3461.

Original comment by michael.hale@gmail.com on 6 Aug 2013 at 8:07
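The debug output above shows the shape of the problem: the KDBG's KiProcessorBlock array has 32 fixed slots, only the first two hold pointers, and the remaining null slots were being dereferenced and passed to hex(). The following is an added, stand-alone Python illustration (not code from the Volatility project or from this thread) of parsing such an array and reporting only the populated CPUs. It assumes the array holds 64-bit _KPRCB pointers and that on x64 the Prcb lives at offset 0x180 inside _KPCR (which is why the printed pointer values differ from the reported KPCR addresses by 0x180); the sample array bytes are constructed, not taken from a real dump.

```python
import struct

# Constructed sample, not taken from a real dump: a 32-slot KiProcessorBlock
# array of 64-bit _KPRCB pointers, shaped like the debug output in the thread.
# Slots 0 and 1 point at the two CPUs' PRCBs; the remaining 30 slots are null.
KPCR_SLOTS = 32
PRCB_OFFSET_IN_KPCR = 0x180   # assumed x64 _KPCR.Prcb offset: KPCR = PRCB - 0x180
SAMPLE_PRCBS = [0xfffff80002a4bd00 + PRCB_OFFSET_IN_KPCR,
                0xfffff880009e5000 + PRCB_OFFSET_IN_KPCR]
CPU_ARRAY_BYTES = struct.pack(
    "<%dQ" % KPCR_SLOTS,
    *(SAMPLE_PRCBS + [0] * (KPCR_SLOTS - len(SAMPLE_PRCBS))))

def parse_cpu_array(raw, slots=KPCR_SLOTS):
    """Unpack the fixed-size little-endian pointer array into a list of ints."""
    return list(struct.unpack("<%dQ" % slots, raw[:slots * 8]))

def is_kernel_pointer(p):
    """A populated slot must be a canonical high-half (kernel) x64 address."""
    return p >= 0xFFFF800000000000

def live_kpcrs(raw):
    """Yield (cpu_number, kpcr_address) for populated slots only.
    Null slots are skipped instead of dereferenced, which is the failure
    mode seen in the thread; a populated slot holding a user-mode value is
    treated as corruption rather than silently accepted."""
    for cpu, prcb in enumerate(parse_cpu_array(raw)):
        if prcb == 0:
            continue
        if not is_kernel_pointer(prcb):
            raise ValueError("slot %d holds non-kernel value 0x%x" % (cpu, prcb))
        yield cpu, prcb - PRCB_OFFSET_IN_KPCR

def processor_count(raw):
    """Count populated slots rather than the array's fixed capacity."""
    return sum(1 for _ in live_kpcrs(raw))

def render(raw):
    """Produce imageinfo-style lines for the populated CPUs."""
    lines = ["Number of Processors : %d" % processor_count(raw)]
    for cpu, kpcr in live_kpcrs(raw):
        lines.append("KPCR for CPU %d : 0x%x" % (cpu, kpcr))
    return lines

if __name__ == "__main__":
    print("\n".join(render(CPU_ARRAY_BYTES)))
```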