ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Crashdumps no longer work in 1.4 #107

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
It looks like processing of crashdumps is somehow broken in 1.4. Under 1.3.2, 
everything works as expected (pslist et al. work).

Here's debug output for trying to do pslist on an XP SP3 image:

moyix@amnesia:~/src/Volatility-1.4_rc1$ ./vol.py pslist -d -f ~/crashdumps/cassandra/xpsp3_test.dmp --profile=WinXPSP3x86
Volatile Systems Volatility Framework 1.4_rc1
DEBUG   : volatility.cache    : Loading from /home/moyix/.cache/volatility/xpsp3_test.dmp.cache/.pickle
DEBUG   : volatility.cache    : Loading from /home/moyix/.cache/volatility/xpsp3_test.dmp.cache/tests.pickle
DEBUG   : volatility.cache    : Loading from /home/moyix/.cache/volatility/xpsp3_test.dmp.cache/tests/pslist.pickle
DEBUG   : volatility.cache    : Loading from /home/moyix/.cache/volatility/xpsp3_test.dmp.cache/tests/pslist/pid%3DNone.pickle
DEBUG   : volatility.cache    : Loading from /home/moyix/.cache/volatility/xpsp3_test.dmp.cache/tests/pslist/pid%3DNone/offset%3DNone.pickle
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x46e7210>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32 object at 0x46e7290>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.intel.JKIA32PagedMemory object at 0x4aba910>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
 Offset(V)  Name                 PID    PPID   Thds   Hnds   Time 
---------- -------------------- ------ ------ ------ ------ ------------------- 
Could not list tasks, please verify the --profile option and whether this image is valid

The image in question is here:
http://amnesia.gtisc.gatech.edu/~moyix/crashdumps/cassandra/xpsp3_test.dmp.bz2

I have verified that it works with Windbg (dmpchk output here: 
http://pastebin.com/bTUmN4gC )

Original issue reported on code.google.com by moo...@gmail.com on 14 Apr 2011 at 6:33

GoogleCodeExporter commented 9 years ago
Well the dmpchk seems to suggest that Pae's enabled, but the debug output says 
it was selected for normal PagedMemory, rather than PagedMemoryPae.  So my 
guess is this may not relate to crashdump at all, but to the ValidAS checks...

Unfortunately the image is a bit big for me to get at home, so could you please 
run it again with -d -d -d (3 d's) which should identify which of the AS checks 
fail and therefore which succeed.  Once we know that we might get a better idea 
at what's going on...

Original comment by mike.auty@gmail.com on 14 Apr 2011 at 7:30

GoogleCodeExporter commented 9 years ago
sorry... wrong code base.  repost of -d -d -d:

$ python vol.py -f xpsp3_test.dmp --profile=WinXPSP3x86 pslist --no-cache --dtb=0xb280020
Volatile Systems Volatility Framework 1.4_rc1
 Offset(V)  Name                 PID    PPID   Thds   Hnds   Time 
---------- -------------------- ------ ------ ------ ------ ------------------- 
Could not list tasks, please verify the --profile option and whether this image is valid
bash-3.2$ python vol.py -f ~/Work/memory_images/xpsp3_test.dmp --profile=WinXPSP3x86 pslist --no-cache -d -d -d
Volatile Systems Volatility Framework 1.4_rc1
DEBUG   : volatility.cache    : Disabling Caching
DEBUG   : volatility.cache    : Disabling Caching
DEBUG   : volatility.cache    : Disabling Caching
DEBUG   : volatility.cache    : Disabling Caching
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemory: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemoryPae: No base Address Space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Module disabled
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Module disabled
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.standard.FileAddressSpace object at 0x102a9d0d0>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.obj      : None object instantiated: Invalid hibernation header
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No xpress signature found
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32 object at 0x102a9d090>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 0x00000000, instantiating _IMAGE_HIBER_HEADER
DEBUG1  : volatility.obj      : None object instantiated: Invalid hibernation header
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No xpress signature found
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG2  : volatility.plugins.overlays.windows.windows: Failed to pass the Moyix Valid IA32 AS test
DEBUG2  : volatility.plugins.overlays.windows.windows: Failed to pass the labarum_x Valid IA32 AS test
DEBUG   : volatility.utils    : Succeeded instantiating <volatility.plugins.addrspaces.intel.JKIA32PagedMemory object at 0x102be3790>
DEBUG   : volatility.utils    : Voting round
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
DEBUG1  : volatility.obj      : None object instantiated: Invalid hibernation header
DEBUG1  : volatility.utils    : Failed instantiating WindowsHiberFileSpace32: No xpress signature found
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
DEBUG1  : volatility.utils    : Failed instantiating WindowsCrashDumpSpace32: Header signature invalid
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemory: Can not stack over another paging address space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating JKIA32PagedMemoryPae: Can not stack over another paging address space
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemoryPae: Module disabled
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.legacyintel.IA32PagedMemory'>
DEBUG1  : volatility.utils    : Failed instantiating IA32PagedMemory: Module disabled
DEBUG   : volatility.utils    : Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
DEBUG1  : volatility.utils    : Failed instantiating FileAddressSpace: Must be first Address Space
 Offset(V)  Name                 PID    PPID   Thds   Hnds   Time 
---------- -------------------- ------ ------ ------ ------ ------------------- 
DEBUG1  : volatility.obj      : None object instantiated: No suggestions available
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 0x-0000001, instantiating _KDDEBUGGER_DATA64
DEBUG1  : volatility.obj      : None object instantiated: No suggestions available
DEBUG1  : volatility.obj      : None object instantiated: Invalid Address 0x-0000001, instantiating _KPCR
DEBUG1  : volatility.obj      : None object instantiated: KDDEBUGGER structure not found using either KDBG signature or KPCR pointer
Could not list tasks, please verify the --profile option and whether this image is valid

Original comment by jamie.l...@gmail.com on 14 Apr 2011 at 7:52

GoogleCodeExporter commented 9 years ago
Ok, so just to update people on this, it turns out most of the problem seems to 
occur because of the ValidAS checking.  The plain old simple check allows the 
IA32PagedMemory AS to be accepted for the image, when in fact the image requires 
IA32PagedMemoryPae.  Both the moyix and labarum_x checks do not allow the image 
through, so disabling the final plain old simple check solves the problem.

This leads to the question of whether the moyix and labarum_x checks will catch 
everything correctly?  Can we rely on just them?

Original comment by mike.auty@gmail.com on 14 Apr 2011 at 9:23
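The "moyix" ValidAS test named in the comment above is a structural one: the virtual address at which Windows maps its own page directory must translate back to that directory's physical page, and the address differs between non-PAE (0xc0300000) and PAE (0xc0600000). The following is an added illustration, not Volatility's code, of why that test separates the two paging modes where a looser check would not: it is a simplified re-creation of the test over two constructed page-table layouts; the physical offsets, the dtb value and the function names are assumptions of this example.

```python
import struct
# Added example: simplified re-creation of the "moyix" self-map test, not Volatility's
# own code. Both memory layouts below are constructed; a real dtb comes from the image.
def entry(mem, base, index, size):
    """Read one paging-structure entry: 4 bytes (non-PAE) or 8 bytes (PAE)."""
    return struct.unpack_from("<I" if size == 4 else "<Q", mem, base + index * size)[0]

def vtop_nonpae(mem, dtb, vaddr):
    """Classic 32-bit two-level walk (4 KiB pages only; large pages omitted)."""
    pde = entry(mem, dtb, vaddr >> 22, 4)
    if not pde & 1:
        return None
    pte = entry(mem, pde & ~0xfff, (vaddr >> 12) & 0x3ff, 4)
    return (pte & ~0xfff) | (vaddr & 0xfff) if pte & 1 else None

def vtop_pae(mem, dtb, vaddr):
    """PAE three-level walk: 4 PDPTEs, then 512 PDEs and 512 PTEs of 8 bytes."""
    pdpte = entry(mem, dtb, vaddr >> 30, 8)
    if not pdpte & 1:
        return None
    pde = entry(mem, pdpte & 0xffffff000, (vaddr >> 21) & 0x1ff, 8)
    if not pde & 1:
        return None
    pte = entry(mem, pde & 0xffffff000, (vaddr >> 12) & 0x1ff, 8)
    return (pte & 0xffffff000) | (vaddr & 0xfff) if pte & 1 else None

def moyix_check(mem, dtb, pae):
    """The address where Windows maps its own page directory (0xc0300000 non-PAE,
    0xc0600000 PAE) must translate back to that directory's physical page."""
    if pae:
        return vtop_pae(mem, dtb, 0xc0600000) == entry(mem, dtb, 0, 8) & 0xffffff000
    return vtop_nonpae(mem, dtb, 0xc0300000) == dtb

def classify(mem, dtb):
    """Name the paging address space the structural test accepts, or None."""
    if moyix_check(mem, dtb, pae=True):
        return "IA32PagedMemoryPae"
    return "IA32PagedMemory" if moyix_check(mem, dtb, pae=False) else None

def build_pae_image(dtb=0x1000):
    """Constructed PAE memory: PDPT at dtb, PDs at 0x2000..0x5000, self-map PT at 0x6000."""
    mem = bytearray(0x8000)
    pds = [0x2000 + i * 0x1000 for i in range(4)]
    for i, pd in enumerate(pds):
        struct.pack_into("<Q", mem, dtb + i * 8, pd | 1)     # PDPTE i -> PD i
        struct.pack_into("<Q", mem, 0x6000 + i * 8, pd | 3)  # PTE i   -> PD i
    struct.pack_into("<Q", mem, pds[3] + 3 * 8, 0x6000 | 3)  # PD3[3]  -> that PT
    return mem, dtb

def build_nonpae_image(dtb=0x1000):
    """Constructed non-PAE memory: PD at dtb whose entry 0x300 points back at itself."""
    mem = bytearray(0x8000)
    struct.pack_into("<I", mem, dtb + 0x300 * 4, dtb | 3)
    return mem, dtb
```

Run against the PAE layout, the non-PAE variant of the test fails (the 4-byte PDE read at index 0x300 lands on zeroes) while the PAE variant passes, which is the distinction a plain fallback check would have thrown away.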

GoogleCodeExporter commented 9 years ago

Original comment by mike.auty@gmail.com on 21 Apr 2011 at 8:19

GoogleCodeExporter commented 9 years ago
So, this has been fixed in r1000 (!) by removing the third check, and no ill 
effects have been seen on all the available crashdumps (or any normal images 
either).

Original comment by mike.auty@gmail.com on 21 Jun 2011 at 7:22