volatilityfoundation / volatility

An advanced memory forensics framework
http://volatilityfoundation.org/
GNU General Public License v2.0

need more than 2 values to unpack #610

Closed Waterman178 closed 5 years ago

Waterman178 commented 5 years ago

```
[43] pyrebox(464)> %vol drivermodule -a 0xfffff80003c5b1fc
Module       Driver       Alt. Name    Service Key
VolShell: Error while executing volatility command need more than 2 values to unpack
```

What is the problem?

Waterman178 commented 5 years ago

After viewing the source code (drivermodule.py), I found the cause of the problem. The "data" contains only two parameters: found_module, found_driver. Finally, the array is accessed out of bounds. There is another problem. You must first enter `%vol drivermodule` and then enter `%vol drivermodule -a 0xfffff80003c6a1fc`, otherwise it will prompt "no such option: -a". I don't know where the problem is, but at least it doesn't affect the use. After I fixed the source code, I have to start it again. Otherwise, it doesn't work. Is there a command to load it directly?

```python
        if self._config.ADDR:
            find_address = self._config.ADDR
            found_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(find_address))
            if found_module:
                found_module = found_module.BaseDllName or found_module.FullDllName
            else:
                found_module = "UNKNOWN"

            for driver in drivers:
                if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
                    header = driver.get_object_header()
                    found_driver = header.NameInfo.Name

            # Only two values are yielded here, but the grid below declares four columns.
            yield (found_module, found_driver)

    def unified_output(self, data):
        return TreeGrid([("Module", str),
                         ("Driver", str),
                         ("Alt. Name", str),
                         ("Service Key", str)],
                        self.generator(data))
```

```
[1] pyrebox> %vol drivermodule
Module         Driver       Alt. Name            Service Key
ACPI.sys       ACPI         ACPI                 \Driver\ACPI
Wdf01000.sys   Wdf01000     Wdf01000             \Driver\Wdf01000
UNKNOWN        RAW                               \FileSystem\RAW
hal.dll        ACPI_HAL     \Driver\ACPI_HAL     \Driver\ACPI_HAL
ntoskrnl.exe   WMIxWDM      \Driver\WMIxWDM      \Driver\WMIxWDM
amd_xata.sys   amd_xata     amd_xata             \Driver\amd_xata
msisadrv.sys   msisadrv     msisadrv             \Driver\msisadrv
pci.sys        pci          pci                  \Driver\pci
vdrvroot.sys   vdrvroot     vdrvroot             \Driver\vdrvroot
partmgr.sys    partmgr      partmgr              \Driver\partmgr
volmgr.sys     volmgr       volmgr               \Driver\volmgr
compbatt.sys   Compbatt     Compbatt             \Driver\Compbatt
mountmgr.sys   mountmgr     mountmgr             \Driver\mountmgr
volmgrx.sys    volmgrx      volmgrx              \Driver\volmgrx
intelide.sys   intelide     intelide             \Driver\intelide
ntoskrnl.exe   PnpManager   \Driver\PnpManager   \Driver\PnpManager
nvraid.sys     nvraid       nvraid               \Driver\nvraid
atapi.sys      atapi        atapi                \Driver\atapi
fltmgr.sys     FltMgr       FltMgr               \FileSystem\FltMgr
fileinfo.sys   FileInfo     FileInfo             \FileSystem\FileInfo
amdxata.sys    amdxata      amdxata              \Driver\amdxata
Ntfs.sys       Ntfs         Ntfs                 \FileSystem\Ntfs
CLFS.SYS       CLFS         CLFS                 \Driver\CLFS
ksecdd.sys     KSecDD       KSecDD               \Driver\KSecDD
cng.sys        CNG          CNG                  \Driver\CNG
ndis.sys       NDIS         NDIS                 \Driver\NDIS
pcw.sys        pcw          pcw                  \Driver\pcw
Fs_Rec.sys     Fs_Rec       Fs_Rec               \FileSystem\Fs_Rec
tcpip.sys      Tcpip        Tcpip                \Driver\Tcpip
ksecpkg.sys    KSecPkg      KSecPkg              \Driver\KSecPkg

[2] pyrebox> %vol drivermodule -a 0xfffff80003c6a1fc
Module         Driver       Alt. Name            Service Key
ntoskrnl.exe   UNKNOWN      UNKNOWN              UNKNOWN
```
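
The column-count mismatch reported above, as an added stand-alone illustration rather than Volatility's or the reporter's code: a constructed address lookup over made-up module and driver ranges, where the buggy generator yields two values for a grid that declares four columns, and the corrected one yields one value per column, defaulting to UNKNOWN. The `build_grid` function stands in for TreeGrid consumption and checks row width before unpacking, so the failure surfaces as a clear error rather than a bare "values to unpack" message.

```python
from collections import namedtuple

# Same four columns the plugin's unified_output() declares.
COLUMNS = [("Module", str), ("Driver", str), ("Alt. Name", str), ("Service Key", str)]
UNKNOWN = "UNKNOWN"

# Constructed sample data (hypothetical values, not taken from a real image).
Driver = namedtuple("Driver", "start size name alt_name service_key")
DRIVERS = [
    Driver(0xfffff80003c00000, 0x100000, "WMIxWDM", r"\Driver\WMIxWDM", r"\Driver\WMIxWDM"),
    Driver(0xfffff88000e00000, 0x040000, "ACPI", "ACPI", r"\Driver\ACPI"),
]
# (DllBase, SizeOfImage, BaseDllName), also constructed.
MODULES = [(0xfffff80003c00000, 0x5e7000, "ntoskrnl.exe"),
           (0xfffff88000e00000, 0x057000, "ACPI.sys")]

def find_module(addr):
    """Return the name of the loaded module whose range contains addr, else UNKNOWN."""
    for base, size, name in MODULES:
        if base <= addr < base + size:
            return name
    return UNKNOWN

def buggy_rows(addr):
    """Mirrors the reported code path: only two of the four declared columns are yielded."""
    found_driver = UNKNOWN
    for d in DRIVERS:
        if d.start <= addr < d.start + d.size:
            found_driver = d.name
    yield (find_module(addr), found_driver)

def fixed_rows(addr):
    """Always yields one value per declared column; unmatched fields default to UNKNOWN."""
    found = (UNKNOWN, UNKNOWN, UNKNOWN)
    for d in DRIVERS:
        if d.start <= addr < d.start + d.size:
            found = (d.name, d.alt_name, d.service_key)
    yield (find_module(addr),) + found

def build_grid(rows):
    """Stand-in for TreeGrid consumption: validate width, then unpack into named columns."""
    out = []
    for row in rows:
        if len(row) != len(COLUMNS):
            raise ValueError("row has %d values, grid declares %d columns"
                             % (len(row), len(COLUMNS)))
        module, driver, alt_name, service_key = row
        out.append({"Module": module, "Driver": driver,
                    "Alt. Name": alt_name, "Service Key": service_key})
    return out
```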

iMHLv2 commented 5 years ago

Sorry, but we're unfamiliar with pyrebox - it's a framework built on top of volatility. I would seek help from the pyrebox developers.

Waterman178 commented 5 years ago

> Sorry, but we're unfamiliar with pyrebox - it's a framework built on top of volatility. I would seek help from the pyrebox developers.

No, there is a bug with your source code. Please read carefully what I wrote.

iMHLv2 commented 5 years ago

@Waterman178 it's possible there was a bug in that plugin in the past, but you're referencing code that's over 2 years old. The most recent version of the plugin is here:

https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/drivermodule.py

What version of Volatility are you working with?