gh0stisic / volatility

Automatically exported from code.google.com/p/volatility

two small bugs in printkey.py render_text #69

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
1) If the key value is corrupt we get the following crash:

$ ./volatility.py -f ds_fuzz_hidden_proc.img --profile=WinXPSP3x86 printkey -K 'ControlSet001\Services\Rdbss' -o 0xe1018388
Volatile Systems Volatility Framework 1.4_rc1
Key name: Rdbss
(Stable)
Last updated: 2008-11-26 07:37:49 

Subkeys:
  Enum(Volatile)

Values:
REG_DWORD Type       : 2 (Stable)
REG_DWORD Start      : 1 (Stable)
REG_DWORD ErrorControl : 1 (Stable)
REG_DWORD Tag        : 4 (Stable)
REG_EXPAND_SZ ImagePath  : system32\DRIVERS\rdbss.sys (Stable)
Traceback (most recent call last):
  File "./volatility.py", line 126, in <module>
    main()
  File "./volatility.py", line 117, in main
    command.execute()
  File "/vol_1.4/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/vol_1.4/volatility/plugins/registry/printkey.py", line 108, in render_text
    outfd.write("{0:9} {1:10} : {2} {3}\n".format(tp, v.Name, dat, "(Volatile)" if vol(v) else "(Stable)"))
UnicodeEncodeError: 'ascii' codec can't encode character u'\uc100' in position 0: ordinal not in range(128)

You could get around it like so:

try:
    outfd.write("{0:9} {1:10} : {2} {3}\n".format(tp, v.Name, dat, "(Volatile)" if vol(v) else "(Stable)"))
except UnicodeEncodeError:
    dat = repr(dat[:255].encode("utf8", "xmlcharrefreplace"))
    outfd.write("{0:9} {1:10} : {2} {3}\n".format(tp, v.Name, dat, "(Volatile)" if vol(v) else "(Stable)"))

output:

$ ./volatility.py -f ds_fuzz_hidden_proc.img --profile=WinXPSP3x86 printkey -K 'ControlSet001\Services\Rdbss' -o 0xe1018388
Volatile Systems Volatility Framework 1.4_rc1
Key name: Rdbss
(Stable)
Last updated: 2008-11-26 07:37:49 

Subkeys:
  Enum(Volatile)

Values:
REG_DWORD Type       : 2 (Stable)
REG_DWORD Start      : 1 (Stable)
REG_DWORD ErrorControl : 1 (Stable)
REG_DWORD Tag        : 4 (Stable)
REG_EXPAND_SZ ImagePath  : system32\DRIVERS\rdbss.sys (Stable)
REG_SZ    DisplayName : 
'\xec\x84\x80\x0c\xe9\xbc\x88\xee\x85\xb7\xeb\xb5\x90\xee\x84\x94' (Stable)
REG_SZ    Group      : .DLL (Stable)
REG_SZ    Description : Rdbss (Stable)

2) If a subkey Name is None we get the following:

$ ./volatility.py -f win7.dd --profile=Win7SP0x86 printkey -K 'Classes' -o 0x8bb328d8
Volatile Systems Volatility Framework 1.4_rc1
Key name: Classes
(Stable)
Last updated: 2010-06-16 18:27:54 

Subkeys:
  *(Stable)
  .3g2(Stable)
  .3gp2(Stable)
  .3gpp(Stable)
  .ADT(Stable)
[really long list removed]
  MagicUSBCableProgID(Stable)
  MAPI/IPM.Appointment(Stable)
  MAPI/IPM.StickyNote(Stable)
  McxMdeOutputProfile.OutputProfileMgr.1(Stable)
  Media Type(Stable)
  MediaCenter.WTVFile(Stable)
Traceback (most recent call last):
  File "./volatility.py", line 126, in <module>
    main()
  File "./volatility.py", line 117, in main
    command.execute()
  File "/vol_1.4/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/vol_1.4/volatility/plugins/registry/printkey.py", line 101, in render_text
    outfd.write("  " + s.Name + ("(Volatile)\n" if vol(s) else "(Stable)\n"))
TypeError: cannot concatenate 'str' and 'NoneObject' objects

Just need to make sure it's not None:

for s in rawreg.subkeys(key):
    if s.Name:
        outfd.write("  " + s.Name + ("(Volatile)\n" if vol(s) else "(Stable)\n"))

Original issue reported on code.google.com by jamie.l...@gmail.com on 3 Feb 2011 at 5:30

GoogleCodeExporter commented 9 years ago
OK, thanks.  I believe I've fixed both of those in r655.  The s.Name check went 
in as is, but rather than catching a unicode decode error, I've handled the 
possible outputs explicitly (since dat could be a list of unicode strings 
[REG_MULTI_SZ] or just a unicode string [REG_SZ, et al]).  I've also gone with 
.encode("ascii", "backslashreplace") since we seem to have used that in a few 
other places.

I don't think it should be up to the registry-returning function to prematurely 
convert to ASCII (particularly when we decide to move to Python 3, which does 
most things internally as unicode), although it would be much easier to add it 
in there.

Anyway, let me know if that's ok/works/a terrible idea/better than sliced 
bread, and then we can figure out what status to give this...  5:)

Original comment by mike.auty@gmail.com on 3 Feb 2011 at 8:42
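As an added illustration of the approach described in the report and in the reply above (this is example code written for this page, not Volatility's printkey.py and not the r655 change itself), the Python 3 sketch below handles each data shape explicitly (None, int, str, list of str for REG_MULTI_SZ), escapes text with .encode("ascii", "backslashreplace") so a corrupt value from a damaged or fuzzed hive is printed rather than crashing the output stream, and skips subkeys whose Name is None. FakeKey, FakeValue, safe_text, format_data, render_key and the sample Rdbss values are constructed stand-ins for Volatility's key/value objects and rawreg iterators.

```python
import io


# Constructed stand-ins for the objects printkey's render_text walks via
# rawreg.subkeys()/rawreg.values(). In a damaged or fuzzed hive any field
# may be missing (None) or garbage, so the renderer must not trust them.
class FakeKey:
    def __init__(self, name, volatile=False):
        self.Name = name
        self.volatile = volatile


class FakeValue:
    def __init__(self, name, vtype, data, volatile=False):
        self.Name = name
        self.Type = vtype
        self.Data = data
        self.volatile = volatile


def safe_text(s):
    """Render s as ASCII only. Characters outside ASCII become \\uXXXX escapes
    (the 'backslashreplace' handler), so corrupt data stays visible in the
    report instead of raising UnicodeEncodeError on an ASCII stream."""
    return s.encode("ascii", "backslashreplace").decode("ascii")


def format_data(dat):
    """Handle each data shape explicitly rather than catching the encode
    error after the fact: None (unreadable), list of str (REG_MULTI_SZ),
    str (REG_SZ, REG_EXPAND_SZ, ...), anything else (REG_DWORD ints etc.)."""
    if dat is None:
        return "<unreadable>"
    if isinstance(dat, list):
        return "[" + ", ".join(repr(safe_text(x)) for x in dat) + "]"
    if isinstance(dat, str):
        return safe_text(dat)
    return str(dat)


def state(obj):
    return "(Volatile)" if obj.volatile else "(Stable)"


def render_key(outfd, key, subkeys, values):
    """Write the key in the same layout printkey uses, tolerating bad input."""
    outfd.write("Key name: {0}\n".format(safe_text(key.Name or "<unnamed>")))
    outfd.write("\nSubkeys:\n")
    for s in subkeys:
        if not s.Name:  # None / NoneObject / empty: skip instead of concatenating
            continue
        outfd.write("  " + safe_text(s.Name) + state(s) + "\n")
    outfd.write("\nValues:\n")
    for v in values:
        name = safe_text(v.Name) if v.Name else "<unnamed>"
        outfd.write("{0:9} {1:10} : {2} {3}\n".format(
            v.Type, name, format_data(v.Data), state(v)))


def render_to_string(key, subkeys, values):
    buf = io.StringIO()
    render_key(buf, key, subkeys, values)
    return buf.getvalue()


# Constructed sample modelled on the Rdbss service key from the report: one
# volatile subkey, one subkey with no name, and a DisplayName whose data is
# corrupt non-ASCII text (U+C100 is the character from the traceback).
SAMPLE_KEY = FakeKey("Rdbss")
SAMPLE_SUBKEYS = [FakeKey("Enum", volatile=True), FakeKey(None)]
SAMPLE_VALUES = [
    FakeValue("Type", "REG_DWORD", 2),
    FakeValue("ImagePath", "REG_EXPAND_SZ", "system32\\DRIVERS\\rdbss.sys"),
    FakeValue("DisplayName", "REG_SZ", "\uc100\u9f08"),
    FakeValue("DependOnService", "REG_MULTI_SZ", ["Alerter", "", ""]),
    FakeValue("Description", "REG_SZ", None),
]

if __name__ == "__main__":
    print(render_to_string(SAMPLE_KEY, SAMPLE_SUBKEYS, SAMPLE_VALUES))
```

Running the block prints the sample key with the corrupt DisplayName shown as \uc100\u9f08, the nameless subkey dropped, and the REG_MULTI_SZ value shown as a list, all as pure ASCII regardless of the encoding of the terminal or file the output is written to.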

GoogleCodeExporter commented 9 years ago
Right... I guess that makes sense.  About REG_MULTI_SZ, I wonder if we should 
print those out item by item, because as is, it prints like:

REG_MULTI_SZ HTTPFilter : [u'HTTPFilter', u'', u''] (Stable)
REG_MULTI_SZ LocalService : [u'Alerter', u'WebClient', u'LmHosts', u'RemoteRegistry', u'upnphost', u'SSDPSRV', u'', u''] (Stable)

Or is that clear enough...?  I'm not sure..

Original comment by jamie.l...@gmail.com on 3 Feb 2011 at 8:49

GoogleCodeExporter commented 9 years ago
OK, never mind... I have the correct update now, looks good :-)

Original comment by jamie.l...@gmail.com on 3 Feb 2011 at 9:01

GoogleCodeExporter commented 9 years ago
Yep, sorry, that was my bad.  r656 actually fixes it for Volatility_1.4rc1.  
However, either way I'm now going to class it as... FIXED!  5:)

Original comment by mike.auty@gmail.com on 3 Feb 2011 at 9:12