tthtlc / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

mftparser hangs without output #478

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Use the mftparser plugin on an image sample, with or without options.

What is the expected output? What do you see instead?
Any output after two and a half hours on a 16 GB RAM dump from a Domain Controller.

What version of the product are you using? On what operating system?
Volatility r3586
Ftk imager lite v3.1.1
Kali Linux Analysis VM 1.0.6 with all current updates

Please provide any additional information below.
Currently, the other tested plugins (~20) work as expected on this image, such as
shellbags and timeliner, which both completed in less than 30 minutes (if you
want any output from those other plugins, please let me know).
See snips of the full debug output in the screenshots.
In volpic2 it just goes on forever like that, with address spaces that don't
even exist.
Let me know if you want me to take a new image, or the update level of the
system in question. I reported this because I believe it should at least crash out
(maybe I'm just not waiting long enough).

Thanks!
Wyatt Roersma 

Original issue reported on code.google.com by wyattroe...@gmail.com on 11 Feb 2014 at 9:48

GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 12 Feb 2014 at 9:52

GoogleCodeExporter commented 9 years ago
Hey Wyatt,

Did you get any valid output before it started to hang?  Is there any way you
can share the sample?

Original comment by jamie.l...@gmail.com on 12 Feb 2014 at 9:55

GoogleCodeExporter commented 9 years ago
I actually now have two samples with similar results; the other we let hang for
about 8 hours. I believe that if you're willing to sign an NDA, I can get the client to
let you take a look at it yourself.

I had no output on the first image after two and a half hours.

Original comment by wyattroe...@gmail.com on 13 Feb 2014 at 11:08

GoogleCodeExporter commented 9 years ago
Gleeda, perhaps you can create Wyatt a debug version of the plugin? Seems like 
the code is caught in a loop somewhere, because even if there aren't any MFT 
records in the memory dump, it should finish with 0 results way before 2.5 or 8 
hours is up. 

Wyatt, I assume you still have access to the memory dumps and would be willing 
to run some debug commands?

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 4:21

GoogleCodeExporter commented 9 years ago
I had asked Wyatt to try the newer version of mftparser, but haven't heard back 
if it worked or not.  I'm making up a debug version anyway for someone else and 
will send it along.  

We can close this here in the meantime.

Original comment by jamie.l...@gmail.com on 7 Mar 2014 at 4:23
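The two maintainer comments above speculate that the scan is "caught in a loop somewhere" and propose a debug build of the plugin. The thread never identifies the actual cause, and the following is not Volatility's mftparser code or its fix; it is an added, self-contained example of the two guards a carving loop of this kind should carry so that a problem shows up as a diagnostic instead of hours of silence: a scan position that is forced to advance even when a signature hit is a false positive (a bogus header whose size field is 0 must never set the stride), and periodic progress output plus an optional wall-clock budget. The MFT entry header layout is the standard NTFS one; the record sizes accepted, the sample buffer and the sanity thresholds are this example's own assumptions.

```python
import re
import struct
import sys
import time

# Fixed part of the NTFS MFT entry header (little-endian):
#   4s magic ('FILE', or 'BAAD' for a multi-sector-transfer-damaged entry)
#   H  update-sequence-array offset   H  update-sequence-array count
#   Q  $LogFile sequence number       H  sequence number
#   H  hard-link count                H  offset of first attribute
#   H  flags (0x1 in use, 0x2 dir)    I  bytes in use    I  bytes allocated
MFT_HEADER = struct.Struct("<4sHHQHHHHII")
MFT_MAGICS = (b"FILE", b"BAAD")
# Assumption for this example: only the record sizes real volumes use.
VALID_RECORD_SIZES = (1024, 4096)


def make_record(magic=b"FILE", seq=1, links=1, flags=0x1, in_use=0x1B8,
                allocated=1024):
    """Constructed MFT entry: plausible header, zero-filled body."""
    hdr = MFT_HEADER.pack(magic, 0x30, 3, 0, seq, links, 0x38, flags,
                          in_use, allocated)
    return hdr + b"\x00" * (allocated - len(hdr))


def make_sample_dump():
    """Constructed test buffer (not a real memory image): junk, a good
    record, a 'FILE' false positive claiming 0 allocated bytes, a BAAD
    record, more junk."""
    junk = b"\xaa" * 300
    bogus = MFT_HEADER.pack(b"FILE", 0, 0, 0, 0, 0, 0, 0, 0, 0) + b"\x00" * 64
    return b"".join([junk, make_record(), junk, bogus, junk,
                     make_record(magic=b"BAAD", seq=7, flags=0x3), junk])


def parse_header(buf, off):
    """Return a header dict if a sane MFT entry header starts at off, else None."""
    if off + MFT_HEADER.size > len(buf):
        return None
    (magic, _usa_off, _usa_cnt, _lsn, seq, links, attrs_off, flags,
     in_use, allocated) = MFT_HEADER.unpack_from(buf, off)
    # A hit that fails these checks is a false-positive signature match; its
    # size fields must never be trusted to drive the scan stride.
    if magic not in MFT_MAGICS:
        return None
    if allocated not in VALID_RECORD_SIZES:
        return None
    if not (MFT_HEADER.size <= attrs_off < allocated) or in_use > allocated:
        return None
    return {"offset": off, "magic": magic.decode(), "sequence": seq,
            "links": links, "flags": flags, "bytes_in_use": in_use,
            "bytes_allocated": allocated}


def scan_mft_records(buf, time_budget=None, progress_every=1000, log=sys.stderr):
    """Carve MFT entry headers from buf with two anti-hang guards:
    the offset advances on every iteration (minimum stride = magic length),
    and the loop reports progress and honours an optional wall-clock budget."""
    pattern = re.compile(rb"FILE|BAAD")
    records, hits, off = [], 0, 0
    start = time.monotonic()
    while True:
        m = pattern.search(buf, off)
        if m is None:
            break
        hits += 1
        hdr = parse_header(buf, m.start())
        if hdr is None:
            stride = len(m.group(0))          # false positive: step past magic
        else:
            records.append(hdr)
            stride = hdr["bytes_allocated"]   # real entry: skip its body
        assert stride >= 4, "scan position must always move forward"
        off = m.start() + stride
        if progress_every and hits % progress_every == 0:
            print(f"[mft-scan] {hits} hits, {len(records)} records, "
                  f"offset {off:#x}", file=log)
        if time_budget is not None and time.monotonic() - start > time_budget:
            print(f"[mft-scan] time budget exceeded at offset {off:#x}",
                  file=log)
            break
    return records


if __name__ == "__main__":
    for rec in scan_mft_records(make_sample_dump(), time_budget=5.0):
        print(rec)
```

Run stand-alone, the script carves the two constructed entries and rejects the false positive; on a real dump the progress lines on stderr are what distinguish "slow but moving" from "stuck at one offset", which is the information the report above could not provide.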