f-block / volatility-plugins


ptenum.py fails if object has no attribute 'has_member' #3

Closed notonlybytes closed 1 year ago

notonlybytes commented 1 year ago

Hi f-block,

thanks for your volatility plugins contribution! During some tests, the following error code has been issued by ptenum.py:

$ ./vol.py -vvv -f win_10.0.0.19044_mem.bin windows.ptemalfind

Traceback (most recent call last):
  File "/home/devel/Devel/volatility3/./vol.py", line 10, in <module>
    volatility3.cli.main()
  File "/home/devel/Devel/volatility3/volatility3/cli/__init__.py", line 797, in main
    CommandLine().run()
  File "/home/devel/Devel/volatility3/volatility3/cli/__init__.py", line 445, in run
    renderers[args.renderer]().render(constructed.run())
  File "/home/devel/Devel/volatility3/volatility3/cli/text_renderer.py", line 193, in render
    grid.populate(visitor, outfd)
  File "/home/devel/Devel/volatility3/volatility3/framework/renderers/__init__.py", line 241, in populate
    for level, item in self._generator:
  File "/home/devel/Devel/volatility3/volatility3/plugins/windows/ptemalfind.py", line 519, in _generator
    for ptenum, proc_result in self.get_ptemalfind_data(procs, self.context, self.config, self._progress_callback):
  File "/home/devel/Devel/volatility3/volatility3/plugins/windows/ptemalfind.py", line 446, in get_ptemalfind_data
    vad_contains_imagefile = ptenum.vad_contains_image_file(vad)
  File "/home/devel/Devel/volatility3/volatility3/plugins/windows/ptenum.py", line 903, in vad_contains_image_file
    return cls._get_vad_type(vad) == 2
  File "/home/devel/Devel/volatility3/volatility3/plugins/windows/ptenum.py", line 881, in _get_vad_type
    if vad.has_member("u1") and vad.u1.has_member("VadFlags1") and vad.u1.VadFlags1.has_member("VadType"):
AttributeError: 'int' object has no attribute 'has_member'

maybe it helps you to further improve the plugins.

regards notonlybytes

f-block commented 1 year ago

Hi,

thanks for the bug report. I'm currently working on a major release, but this commit should fix your issue. Please let me know if it works for you.

Cheers, Frank

notonlybytes commented 1 year ago

Hi Frank,

thanks for your quick fix! Upcoming major release sounds interesting ...

Unfortunately your quick fix only solved it partly. Here is the new error code:

./vol.py -vvv -f win_10.0.0.19044_mem.bin windows.ptemalfind

DEBUG    volatility3.cli: Traceback (most recent call last):
  File "/home/devel/Devel/volatility3/volatility3/cli/__init__.py", line 445, in run
    renderers[args.renderer]().render(constructed.run())
  File "/home/devel/Devel/volatility3/volatility3/cli/text_renderer.py", line 193, in render
    grid.populate(visitor, outfd)
  File "/home/devel/Devel/volatility3/volatility3/framework/renderers/__init__.py", line 241, in populate
    for level, item in self._generator:
  File "/home/devel/Devel/volatility3/volatility3/plugins/windows/ptemalfind.py", line 523, in _generator
    for ptenum, proc_result in self.get_ptemalfind_data(procs, self.context, self.config, self._progress_callback):
  File "/home/devel/Devel/volatility3/volatility3/plugins/windows/ptemalfind.py", line 474, in get_ptemalfind_data
    if pte_run.is_empty:
  File "/usr/lib/python3.10/functools.py", line 981, in __get__
    val = self.func(instance)
  File "/home/devel/Devel/volatility3/volatility3/plugins/windows/ptenum.py", line 470, in is_empty
    return self.read() == self._ptenum_handle._ALL_ZERO_PAGE
  File "/home/devel/Devel/volatility3/volatility3/plugins/windows/ptenum.py", line 576, in read
    return self._data_layer.read(offset, length, **kwargs)
  File "/home/devel/Devel/volatility3/volatility3/framework/layers/physical.py", line 161, in read
    raise exceptions.InvalidAddressException(
volatility3.framework.exceptions.InvalidAddressException: Offset outside of the buffer boundaries

Volatility was unable to read a requested page:
0xc0c00619000 in layer memory_layer (Offset outside of the buffer boundaries)

maybe that helps you again.

cheers notonlybytes
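Both tracebacks in this thread come from the same class of problem: a helper assumes its input is a well-formed object (a VAD struct exposing has_member(), a page that lies inside the dump) and has no branch for the case where it is not. The following is an added example, not code from the volatility-plugins project or from f-block's fix; it sketches defensive versions of the two call sites (vad_contains_image_file and the is_empty page check) against constructed stand-ins for the Volatility struct and layer objects, so it runs without a memory image. Struct, Layer and InvalidAddressException here are minimal stand-ins, not the real volatility3 classes.

```python
# Added example (not part of the volatility-plugins project): defensive versions
# of the two call sites that raised in this issue, run against constructed stubs.

class InvalidAddressException(Exception):
    """Stand-in for volatility3.framework.exceptions.InvalidAddressException."""


class Struct:
    """Minimal stand-in for a Volatility struct object exposing has_member()."""
    def __init__(self, **members):
        self._members = members

    def has_member(self, name):
        return name in self._members

    def __getattr__(self, name):
        members = self.__dict__.get("_members", {})
        if name in members:
            return members[name]
        raise AttributeError(name)


class Layer:
    """Stand-in for a physical layer: reads past the buffer end raise, as in the report."""
    def __init__(self, data):
        self._data = data

    def read(self, offset, length):
        if offset < 0 or offset + length > len(self._data):
            raise InvalidAddressException("Offset outside of the buffer boundaries")
        return self._data[offset:offset + length]


def vad_type(vad):
    """Walk vad.u1.VadFlags1.VadType, returning None when any link in the chain is
    missing or when `vad` is not a struct at all (the 'int' case in the first traceback)."""
    obj = vad
    for name in ("u1", "VadFlags1", "VadType"):
        if not hasattr(obj, "has_member") or not obj.has_member(name):
            return None
        obj = getattr(obj, name)
    return obj


def vad_contains_image_file(vad):
    """Same test as the plugin (VadType == 2), but False instead of an AttributeError."""
    return vad_type(vad) == 2


def page_is_empty(layer, offset, page_size=0x1000):
    """True/False for a readable page; None when the page lies outside the dump
    (truncated dump, second traceback) so the caller can skip it instead of aborting."""
    try:
        return layer.read(offset, page_size) == b"\x00" * page_size
    except InvalidAddressException:
        return None
```

A caller that treats None from page_is_empty as "unknown, skip" keeps iterating the remaining processes the way the .vmem run did, instead of dying on the first unreadable page.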

f-block commented 1 year ago

Hi,

is it possible to send me this memory dump? If so, I could create an upload link where you can upload the (ideally compressed) dump.

notonlybytes commented 1 year ago

Hi,

thanks for your offer. In the meantime I've tried another approach and used the .vmem "memory dump" (from the same system), as opposed to a live memory dump created with dumpit.exe as in the first approach. With .vmem it worked as expected. ptemalfind was able to iterate through all processes.

Extract of it:

6828    e30b76f9454a5f  0x400000    0xdc3fff    PAGE_EXECUTE_READWRITE  Private Memory  Disabled    
Meta Info:
    2500 non empty page(s) (starting at 0x400000) with a total size of 0x9c4000 bytes in this VAD were executable (and for mapped image files also modified).

4d 5a 90 00 03 00 00 00 MZ......
04 00 00 00 ff ff 00 00 ........
b8 00 00 00 00 00 00 00 ........
40 00 00 00 00 00 00 00 @.......
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 00 00 00 00 ........
00 00 00 00 b8 00 00 00 ........    
0x400000:   dec ebp
0x400001:   pop edx
0x400002:   nop 
0x400003:   add byte ptr [ebx], al
0x400005:   add byte ptr [eax], al
0x400007:   add byte ptr [eax + eax], al
0x40000a:   add byte ptr [eax], al  

Thanks again for your nice plugin and support!

cheers notonlybytes