The following traceback was produced when analyzing a win8 32-bit memory dump. In
particular, the get_available_pages() function in the intel address space not
only found a page directory entry that pointed back to its own page, but the
entry's value also had its most significant bit set (turning it into a very large
number that the file-backed base address space then fails to seek to).
Here is the backtrace:
Traceback (most recent call last):
File "vol.py", line 186, in <module>
main()
File "vol.py", line 177, in main
command.execute()
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/commands.py", line 87, in execute
data = self.calculate()
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/cache.py", line 577, in wrapper
return f(s, *args, **kwargs)
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/pstree.py", line 110, in calculate
for task in tasks.pslist(addr_space)
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/pstree.py", line 109, in <genexpr>
(int(task.UniqueProcessId), task)
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/win32/tasks.py", line 72, in pslist
for p in get_kdbg(addr_space).processes():
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/win32/tasks.py", line 48, in get_kdbg
kdbgo = obj.VolMagic(addr_space).KDBG.v()
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/obj.py", line 779, in v
return self.get_best_suggestion()
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/obj.py", line 805, in get_best_suggestion
for val in self.get_suggestions():
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/obj.py", line 797, in get_suggestions
for x in self.generate_suggestions():
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/overlays/windows/windows.py", line 754, in generate_suggestions
for val in scanner.scan(self.obj_vm):
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/kdbgscan.py", line 84, in scan
for offset in scan.BaseScanner.scan(self, address_space, offset, maxlen):
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/scan.py", line 95, in scan
for (range_start, range_size) in sorted(address_space.get_available_addresses()):
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/addrspaces/paged.py", line 116, in get_available_addresses
for (offset, size) in self.get_available_pages():
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/addrspaces/intel.py", line 284, in get_available_pages
pte_entry = self._read_long_long_phys(pte_curr)
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/addrspaces/intel.py", line 252, in _read_long_long_phys
string = self.base.read(addr, 8)
File "/Users/michaelligh/Desktop/GitHub/volatility_omfw/volatility/plugins/addrspaces/standard.py", line 98, in read
self.fhandle.seek(addr)
OverflowError: Python int too large to convert to C long
The AS gets a pgd_curr value of 0x189018 and uses _read_long_long_phys to read 8
bytes at that offset:
0189018: 6390 1800 0000 0080 63e8 4e1f 0000 0000 c.......c.N.....
Decoded as a little-endian integer (with the low 12 flag bits cleared), those 8 bytes are 0x8000000000189000.
You can reproduce the error with any memory dump:
$ python vol.py -f XPSP3-8c391840.vmem volshell
Volatile Systems Volatility Framework 2.3_beta
Current context: process System, pid=4, ppid=0 DTB=0x319000
Welcome to volshell! Current memory image is:
To get help, type 'hh()'
>>> self.addrspace.base.read(0xffffffffffffffffff, 1)
Traceback (most recent call last):
File "<console>", line 1, in <module>
File "/Users/michaelligh/Desktop/volatility23/volatility/plugins/addrspaces/standard.py", line 98, in read
self.fhandle.seek(addr)
OverflowError: Python int too large to convert to C long
Original issue reported on code.google.com by michael.hale@gmail.com on 9 Oct 2013 at 12:44