Stan1989 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

impscan can memory leak with --pid option #400

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. vol.py -f Bob.vmem impscan --pid=1752

What is the expected output? What do you see instead?
In order for this command to generate output, it will consume 10-11GB of memory.

What version of the product are you using? On what operating system?
Volatility r3284

Please provide any additional information below.
Looking at the impscan plugin code, it appears that this issue is related to 
the use of Decompose within call_scan. This function appears to generate a 
large in-memory list before allowing the plugin code to iterate over its 
results.

The solution appears to be to use DecomposeGenerator instead.

Original issue reported on code.google.com by carl.pulley on 3 Apr 2013 at 9:37

GoogleCodeExporter commented 9 years ago
Performing a quick grep for Decompose throws up some other code that might also 
benefit from the use of DecomposeGenerator:

  -apihooks.ApiHooks.checks_ucpcall
  -ssdt.find_tables

Both of these bits of code use Decompose with data being set using a size 
pulled from an in-memory data structure. Thus, with untrusted data, a similar 
memory leak could occur?

All other uses of Decompose appear to operate over fixed size data lists.

Original comment by carl.pulley on 3 Apr 2013 at 10:35

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r3292.

Original comment by michael.hale@gmail.com on 3 Apr 2013 at 4:25