volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Volatility3 linux.Bash plugin not working #1032

Closed 4n6-fl closed 10 months ago

4n6-fl commented 11 months ago

Describe the bug
When trying to run the linux.bash.Bash command I am not getting results at all, only the following output:

Volatility 3 Framework 2.5.0 Progress: 100.00 Stacking attempts finished
PID Process CommandTime Command WARNING volatility3.framework.symbols.linux.extensions: The mte 0x90e0c679d81e has all ready been seen, no further results will be produced for this node. WARNING volatility3.framework.symbols.linux.extensions: The mte 0x90e0ef6abc1e has all ready been seen, no further results will be produced for this node. WARNING volatility3.framework.symbols.linux.extensions: The mte 0x90e0ef5a4b1e has all ready been seen, no further results will be produced for this node.

Context
All other plugins are working great.
Volatility Version: Volatility 3 Framework 2.5.0
Operating System: Linux
Python Version: Python 3.11.5
Suspected Operating System: Linux
Command: python3 vol.py -f /mnt/test.lime linux.bash

To Reproduce
Steps to reproduce the behavior:

  1. Use command 'python3 vol.py -f /mnt/test.lime linux.bash'
  2. See error

Expected behavior
Expect to see the history of bash commands.

Example output

Volatility 3 Framework 2.5.0 INFO volatility3.cli: Volatility plugins path: ['/home/nfsuper/volatility/volatility3/plugins', '/home/nfsuper/volatility/volatility3/framework/plugins'] INFO volatility3.cli: Volatility symbols path: ['/home/nfsuper/volatility/volatility3/symbols', '/home/nfsuper/volatility/volatility3/framework/symbols'] DEBUG volatility3.framework: Traceback (most recent call last): File "/home/nfsuper/volatility/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import File "", line 1027, in _find_and_load File "", line 1006, in _find_and_load_unlocked File "", line 688, in _load_unlocked File "", line 883, in exec_module File "", line 241, in _call_with_frames_removed File "/home/nfsuper/volatility/volatility3/framework/plugins/windows/hashdump.py", line 10, in from Crypto.Cipher import AES, ARC4, DES ModuleNotFoundError: No module named 'Crypto'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.hashdump based on file: /home/nfsuper/volatility/volatility3/framework/plugins/windows/hashdump.py DEBUG volatility3.framework: Traceback (most recent call last): File "/home/nfsuper/volatility/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import File "", line 1027, in _find_and_load File "", line 1006, in _find_and_load_unlocked File "", line 688, in _load_unlocked File "", line 883, in exec_module File "", line 241, in _call_with_frames_removed File "/home/nfsuper/volatility/volatility3/framework/plugins/windows/skeleton_key_check.py", line 18, in import pefile ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.skeleton_key_check based on file: /home/nfsuper/volatility/volatility3/framework/plugins/windows/skeleton_key_check.py INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/nfsuper/volatility/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import File "", line 1027, in _find_and_load File "", line 1006, in _find_and_load_unlocked File "", line 688, in _load_unlocked File "", line 883, in exec_module File "", line 241, in _call_with_frames_removed File "/home/nfsuper/volatility/volatility3/framework/plugins/windows/netstat.py", line 15, in from volatility3.plugins.windows import netscan, modules, info, verinfo File "/home/nfsuper/volatility/volatility3/framework/plugins/windows/netscan.py", line 17, in from volatility3.plugins.windows import info, poolscanner, verinfo File "/home/nfsuper/volatility/volatility3/framework/plugins/windows/verinfo.py", line 21, in import pefile ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.netstat based on file: /home/nfsuper/volatility/volatility3/framework/plugins/windows/netstat.py DEBUG volatility3.framework: Traceback (most recent call last): File "/home/nfsuper/volatility/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import File "", line 1027, in _find_and_load File "", line 1006, in _find_and_load_unlocked File "", line 688, in _load_unlocked File "", line 883, in exec_module File "", line 241, in _call_with_frames_removed File "/home/nfsuper/volatility/volatility3/framework/plugins/windows/cachedump.py", line 8, in from Crypto.Cipher import ARC4, AES ModuleNotFoundError: No module named 'Crypto'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.cachedump based on file: /home/nfsuper/volatility/volatility3/framework/plugins/windows/cachedump.py INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/nfsuper/volatility/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import File "", line 1027, in _find_and_load File "", line 1006, in _find_and_load_unlocked File "", line 688, in _load_unlocked File "", line 883, in exec_module File "", line 241, in _call_with_frames_removed File "/home/nfsuper/volatility/volatility3/framework/plugins/windows/netscan.py", line 17, in from volatility3.plugins.windows import info, poolscanner, verinfo File "/home/nfsuper/volatility/volatility3/framework/plugins/windows/verinfo.py", line 21, in import pefile ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.netscan based on file: /home/nfsuper/volatility/volatility3/framework/plugins/windows/netscan.py DEBUG volatility3.framework: Traceback (most recent call last): File "/home/nfsuper/volatility/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import File "", line 1027, in _find_and_load File "", line 1006, in _find_and_load_unlocked File "", line 688, in _load_unlocked File "", line 883, in exec_module File "", line 241, in _call_with_frames_removed File "/home/nfsuper/volatility/volatility3/framework/plugins/windows/lsadump.py", line 8, in from Crypto.Cipher import ARC4, DES, AES ModuleNotFoundError: No module named 'Crypto'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.lsadump based on file: /home/nfsuper/volatility/volatility3/framework/plugins/windows/lsadump.py INFO volatility3.plugins.windows.verinfo: Python pefile module not found, plugin (and dependent plugins) not available DEBUG volatility3.framework: Traceback (most recent call last): File "/home/nfsuper/volatility/volatility3/framework/init.py", line 185, in import_file importlib.import_module(module) File "/usr/lib/python3.10/importlib/init.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) File "", line 1050, in _gcd_import File "", line 1027, in _find_and_load File "", line 1006, in _find_and_load_unlocked File "", line 688, in _load_unlocked File "", line 883, in exec_module File "", line 241, in _call_with_frames_removed File "/home/nfsuper/volatility/volatility3/framework/plugins/windows/verinfo.py", line 21, in import pefile ModuleNotFoundError: No module named 'pefile'

DEBUG volatility3.framework: Failed to import module volatility3.plugins.windows.verinfo based on file: /home/nfsuper/volatility/volatility3/framework/plugins/windows/verinfo.py INFO volatility3.cli: The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.netscan, volatility3.plugins.windows.netstat, volatility3.plugins.windows.skeleton_key_check, volatility3.plugins.windows.verinfo INFO volatility3.framework.automagic: Detected a linux category plugin INFO volatility3.framework.automagic: Running automagic: ConstructionMagic Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on 
requirement: plugins.Bash.kernel.symbol_table_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic INFO volatility3.framework.automagic: Running automagic: LayerStacker Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name DEBUG volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 6.2.0-1013-aws (buildd@bos03-amd64-006) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #13~22.04.1-Ubuntu SMP Fri Sep 8 17:29:56 UTC 2023 (Ubuntu 6.2.0-1013.13~22.04.1-aws 6.2.16)\n\x00': file:///home/nfsuper/volatility/volatility3/framework/symbols/linux/linux-image-6.2.0-1013-aws.json and file:///home/nfsuper/volatility/volatility3/symbols/linux-image-6.2.0-1013-aws.json DEBUG volatility3.framework.automagic.linux: Identified banner: b'Linux version 6.2.0-1013-aws (buildd@bos03-amd64-006) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #13~22.04.1-Ubuntu SMP Fri Sep 8 17:29:56 UTC 2023 (Ubuntu 6.2.0-1013.13~22.04.1-aws 6.2.16)\n\x00' DEBUG volatility3.framework.symbols: Unresolved reference: 
LintelStacker1!assoc_array_ptr DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!netns_ipvs DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mtd_info DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_pkg_stats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_rcv_lists_stats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!can_dev_rcv_lists DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_route DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sctp_mib DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats_rsn DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_stats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!garp_port DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mpls_dev DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!mrp_port DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!tipc_bearer DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!udp_tunnel_nic DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!pcpu_dstats DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!phylink DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_conn DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cached_keys DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_cqm_config DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!sfp DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!libipw_device DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!smc_hashinfo DEBUG volatility3.framework.symbols: Unresolved reference: 
LintelStacker1!dsa_8021q_context DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!uapi_definition DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!hw_stats_device_data DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!rdma_restrack_root DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!cfg80211_internal_bss DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ib_port DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ib_gid_table DEBUG volatility3.framework.symbols: Unresolved reference: LintelStacker1!ib_pkey_cache DEBUG volatility3.framework.automagic.linux: Linux ASLR shift values determined: physical 94400000 virtual 2b800000 DEBUG volatility3.framework.automagic.linux: DTB was found at: 0x97610000 Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Bash.kernel.layer_name.memory_layer Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: 
plugins.Bash.kernel.layer_name.memory_layer.base_layer Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel.symbol_table_name Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash.kernel Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Bash DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'LimeLayer', 'FileLayer'] INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: LinuxSymbolFinder Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Bash.kernel.symbol_table_name DEBUG volatility3.framework.automagic.symbol_cache: Duplicate entry for identifier b'Linux version 6.2.0-1013-aws (buildd@bos03-amd64-006) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #13~22.04.1-Ubuntu SMP Fri Sep 8 17:29:56 UTC 2023 (Ubuntu 6.2.0-1013.13~22.04.1-aws 6.2.16)\n\x00': file:///home/nfsuper/volatility/volatility3/framework/symbols/linux/linux-image-6.2.0-1013-aws.json and file:///home/nfsuper/volatility/volatility3/symbols/linux-image-6.2.0-1013-aws.json DEBUG volatility3.framework.automagic.symbol_finder: Identified banner: b'Linux version 6.2.0-1013-aws (buildd@bos03-amd64-006) (x86_64-linux-gnu-gcc-11 (Ubuntu 11.4.0-1ubuntu1~22.04) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #13~22.04.1-Ubuntu SMP Fri Sep 8 17:29:56 UTC 2023 (Ubuntu 6.2.0-1013.13~22.04.1-aws 6.2.16)\n\x00' DEBUG volatility3.framework.automagic.symbol_finder: Using symbol library: file:///home/nfsuper/volatility/volatility3/framework/symbols/linux/linux-image-6.2.0-1013-aws.json INFO volatility3.framework.automagic: Running automagic: KernelModule

PID Process CommandTime Command DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!assoc_array_ptr DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!netns_ipvs DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mtd_info DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_pkg_stats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_rcv_lists_stats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!can_dev_rcv_lists DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_route DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sctp_mib DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats_rsn DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_stats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!garp_port DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mpls_dev DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!mrp_port DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!tipc_bearer DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!udp_tunnel_nic DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!pcpu_dstats DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!phylink DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_conn DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cached_keys DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_cqm_config DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!sfp DEBUG volatility3.framework.symbols: Unresolved reference: 
symbol_table_name1!libipw_device DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!smc_hashinfo DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!dsa_8021q_context DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!uapi_definition DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!hw_stats_device_data DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!rdma_restrack_root DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!cfg80211_internal_bss DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ib_port DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ib_gid_table DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!ib_pkey_cache DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!maple_enode DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!maple_pnode INFO volatility3.framework.symbols.linux.extensions: adding vma: 55c06c490000 55c06c4f9000 | 55c06c4f9000 55c06c490000 WARNING volatility3.framework.symbols.linux.extensions: The mte 0x90e0c679d81e has all ready been seen, no further results will be produced for this node. DEBUG volatility3.framework.interfaces.layers: Scan Failure: Sections have no size, nothing to scan INFO volatility3.framework.symbols.linux.extensions: adding vma: 55c06c490000 55c06c4f9000 | 55c06c4f9000 55c06c490000 WARNING volatility3.framework.symbols.linux.extensions: The mte 0x90e0ef6abc1e has all ready been seen, no further results will be produced for this node. 
DEBUG volatility3.framework.interfaces.layers: Scan Failure: Sections have no size, nothing to scan INFO volatility3.framework.symbols.linux.extensions: adding vma: 55bd31270000 55bd314aa000 | 55bd314aa000 55bd31270000 WARNING volatility3.framework.symbols.linux.extensions: The mte 0x90e0ef5a4b1e has all ready been seen, no further results will be produced for this node. DEBUG volatility3.framework.interfaces.layers: Scan Failure: Sections have no size, nothing to scan

eve-mem commented 11 months ago

Hello! Thanks for this bug report - it may be an issue with the parsing of the maple tree that was added in this PR https://github.com/volatilityfoundation/volatility3/pull/928

Since then I have thought of some ways to improve the parsing, but you're the first person to raise an issue. Thank you very much for doing so!

You're seeing the error from here: https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/symbols/linux/extensions/__init__.py#L320

Unfortunately I think it'll be difficult to debug without seeing the memory image. Is it something you're able to share?

4n6-fl commented 11 months ago

Thanks for your reply! Unfortunately it is not an image I am able to share. Is there any other way we can try to debug it?

eve-mem commented 11 months ago

If I made a volshell script or a rough plugin that took the memory dump and made a redacted copy with only the minimum parts needed in it for debugging, would you be happy to share that?

You'd be able to run strings etc to see that all the private parts are gone, and inspect it in a hex editor etc. It would also compress extremely well as it'll mostly be empty.

That way I'd be able to debug it using volatility. No doubt I'd forget to include something, so there would probably be a little back and forth too.
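The redacted-copy idea above, as an added example that is not eve-mem's script or part of volatility3: it zero-fills a raw image except for caller-supplied (offset, length) ranges, then checks the result before it is shared. The ranges are assumed to come from a volshell session (the pages backing the structures under investigation); here a small image and the ranges are constructed inline.

```python
"""Redact a raw memory image down to chosen byte ranges and verify the copy.

Added example (not volatility3 code).  In practice `keep` would be produced
from a volshell session; the image and ranges below are constructed.
"""
from __future__ import annotations

from typing import Iterable, List, Tuple

Range = Tuple[int, int]  # (offset, length) within the raw image


def normalize_ranges(ranges: Iterable[Range], image_size: int) -> List[Range]:
    """Clip ranges to the image, drop empty ones, sort and merge overlaps."""
    clipped = []
    for off, length in ranges:
        start, end = max(0, off), min(image_size, off + length)
        if end > start:
            clipped.append((start, end))
    clipped.sort()
    merged: List[Tuple[int, int]] = []
    for start, end in clipped:
        if merged and start <= merged[-1][1]:          # overlaps/abuts previous
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return [(s, e - s) for s, e in merged]


def redact_image(image: bytes, keep: Iterable[Range]) -> bytes:
    """Return a same-size copy of `image` that contains only the `keep` ranges.

    Everything else is zero, so offsets stay valid for the analysis tool and
    the file compresses extremely well.
    """
    out = bytearray(len(image))
    for off, length in normalize_ranges(keep, len(image)):
        out[off:off + length] = image[off:off + length]
    return bytes(out)


def verify_redaction(original: bytes, redacted: bytes, keep: Iterable[Range]) -> bool:
    """Same size, kept ranges identical to the original, all other bytes zero."""
    if len(original) != len(redacted):
        return False
    pos = 0
    for off, length in normalize_ranges(keep, len(original)):
        if any(redacted[pos:off]):                     # gap must be all zeros
            return False
        if redacted[off:off + length] != original[off:off + length]:
            return False
        pos = off + length
    return not any(redacted[pos:])


def find_leaks(redacted: bytes, secrets: Iterable[bytes]) -> List[bytes]:
    """Return any sensitive byte strings still present (what `strings` would show)."""
    return [s for s in secrets if s and s in redacted]


if __name__ == "__main__":
    # Constructed 4 KiB "image": a secret we must drop and a region we need.
    image = bytearray(4096)
    image[0x100:0x110] = b"SECRET-PASSWORD!"
    image[0x800:0x810] = b"bash-history-vma"
    keep = [(0x800, 0x10)]
    copy = redact_image(bytes(image), keep)
    print("verified:", verify_redaction(bytes(image), copy, keep))
    print("leaks:", find_leaks(copy, [b"SECRET-PASSWORD!"]))
```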

4n6-fl commented 11 months ago

Yes, I am open to that option; you can share a volshell script or a rough plugin and I will share the output with you.

eve-mem commented 11 months ago

Okay, I'll see if I'm able to find the time to do that. Might take me a while... :S

4n6-fl commented 11 months ago

Thanks! Any chance it would be easier to ask in the Slack community? Maybe someone else came across this error?

eve-mem commented 11 months ago

It never hurts to ask!

4n6-fl commented 11 months ago

All right, so I might give it a chance and ask there also.

4n6-fl commented 11 months ago

OK, updating: @eve-mem helped me with the following fix: https://github.com/eve-mem/volatility3/commit/8b20d5fe506e4d829586946a05535e2dd4c95012 and it solved the issue! Thanks

eve-mem commented 11 months ago

Hey @4n6-fl, this hasn't actually fixed the core problem, it's just sidestepped it. I would still very much like to see what's going on with the maple trees to fix the problem correctly.

4n6-fl commented 11 months ago

No problem, I will continue it with you.

ikelos commented 10 months ago

Reopening this because there's more to fix and it looks like the fix has been found thanks to @eve-mem ... 5;)