Hey guys,
lsadump works for most of my memory samples, but in one (nothing special about
the one, it's just an XPSP3), I get this error:

    $ python volatility.py -f xpsp3.bin lsadump -y 0xe1035b60 -s 0xe14c6758
    Volatile Systems Volatility Framework 1.4_rc1
    WARNING : volatility.win32.rawreg: Couldn't find subkey Lsa of Control
    Traceback (most recent call last):
      File "volatility.py", line 126, in <module>
        main()
      File "volatility.py", line 117, in main
        command.execute()
      File "/Users/M/Desktop/Volatility-1.4_rc1_r648/volatility/commands.py", line 77, in execute
        data = self.calculate()
      File "/Users/M/Desktop/Volatility-1.4_rc1_r648/volatility/plugins/registry/lsadump.py", line 80, in calculate
        secrets = lsasecrets.get_memory_secrets(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
      File "/Users/M/Desktop/Volatility-1.4_rc1_r648/volatility/win32/lsasecrets.py", line 144, in get_memory_secrets
        return get_secrets(sysaddr, secaddr)
      File "/Users/M/Desktop/Volatility-1.4_rc1_r648/volatility/win32/lsasecrets.py", line 112, in get_secrets
        lsakey = get_lsa_key(secaddr, bootkey)
      File "/Users/M/Desktop/Volatility-1.4_rc1_r648/volatility/win32/lsasecrets.py", line 54, in get_lsa_key
        md5.update(bootkey)
    TypeError: update() argument 1 must be string or read-only buffer, not None

So I guess in lsasecrets.py instead of this:

    bootkey = hashdump.get_bootkey(sysaddr)
    lsakey = get_lsa_key(secaddr, bootkey)

We should put a check:

    bootkey = hashdump.get_bootkey(sysaddr)
    if not bootkey:
        return None
    lsakey = get_lsa_key(secaddr, bootkey)

Original issue reported on code.google.com by michael.hale@gmail.com on 9 Feb 2011 at 3:08
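
Added example, not part of the original report and not Volatility's own code: a self-contained reproduction of the failure chain in the traceback (missing `Lsa` subkey, boot key of `None`, `md5.update(None)`) next to the guarded form. It goes a step beyond the report by showing where the `None` comes from, using the standard boot key derivation from the four `Lsa` subkey class names. The dict-based hive, the fixed `ControlSet001`, the plain-hex class values and every function name other than `get_bootkey` are assumptions made for illustration.

```python
import hashlib

# Constructed stand-in for a SYSTEM hive: nested dicts, each Lsa subkey's class
# name held as a hex string under "class". This is not the rawreg API.
LSA_SUBKEYS = ["JD", "Skew1", "GBG", "Data"]
PERM = [0x8, 0x5, 0x4, 0x2, 0xB, 0x9, 0xD, 0x3,
        0x0, 0x6, 0x1, 0xC, 0xE, 0xA, 0xF, 0x7]  # boot key byte permutation

def open_key(root, path):
    """Walk path from root; return None as soon as a subkey is missing."""
    node = root
    for name in path:
        node = node.get(name)
        if node is None:
            return None
    return node

def get_bootkey(hive):
    """Return the 16-byte boot key, or None if the Lsa data is unavailable."""
    lsa = open_key(hive, ["ControlSet001", "Control", "Lsa"])  # fixed set: assumption
    if lsa is None or any(n not in lsa for n in LSA_SUBKEYS):
        return None
    scrambled = b"".join(bytes.fromhex(lsa[n]["class"]) for n in LSA_SUBKEYS)
    if len(scrambled) != 16:
        return None
    return bytes(scrambled[i] for i in PERM)

def md5_of_bootkey(bootkey):
    """Hypothetical stand-in for the first step of get_lsa_key in the traceback."""
    md5 = hashlib.md5()
    md5.update(bootkey)  # TypeError when bootkey is None
    return md5.digest()

def get_secrets_unguarded(hive):
    return md5_of_bootkey(get_bootkey(hive))

def get_secrets_guarded(hive):
    bootkey = get_bootkey(hive)
    if not bootkey:  # the check proposed in the report
        return None
    return md5_of_bootkey(bootkey)

# Constructed sample hives: one complete, one with the Lsa subkey absent.
GOOD = {"ControlSet001": {"Control": {"Lsa": {
    "JD": {"class": "00010203"}, "Skew1": {"class": "04050607"},
    "GBG": {"class": "08090a0b"}, "Data": {"class": "0c0d0e0f"}}}}}
MISSING_LSA = {"ControlSet001": {"Control": {}}}
```

With the guard in place the `None` moves up one level, so whatever consumes the result (the plugin's calculate and render path in the traceback) has to treat `None` as "no secrets recovered" rather than iterate over it.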