volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Windows.ldrmodules issue #1158

Closed henrique-paiva-uece closed 4 months ago

henrique-paiva-uece commented 4 months ago

Describe the bug

I'm starting to use volatility and I'm facing a problem with windows.ldrmodules. I performed a fresh installation of Windows 10 on Virtual Box and got the memory dump from it with DumpIt and Magnet RAM Capture. So, I installed volatility3 on a WSL Ubuntu 24.04 to analyze it. But when I execute the following command, I get an error.

Context

Volatility Version: 3
Operating System: Ubuntu 24.04
Python Version: 3
Suspected Operating System: Windows 10 64 bits
Command: python3 volatility3/vol.py -f dump4.raw -vvv windows.ldrmodules

Output

INFO volatility3.cli: Volatility plugins path: ['/home/volatility3/volatility3/plugins', '/home/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/volatility3/volatility3/symbols', '/home/volatility3/volatility3/framework/symbols']
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1aa000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1aa000
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.LdrModules.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.LdrModules
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 4831838207
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.LdrModules.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf80346600000
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/D9424FC4861E47C10FAD1B35DEC6DCC8-1
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_STORAGE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_TIMER
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_AWEINFO
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_MI_ZERO_THREAD_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_MI_SLAB_ALLOCATOR_ENTRY
Volatility 3 Framework 2.7.1

Pid Process Base InLoad InInit InMem MappedPath

4 System 0x77740000 False False False \Windows\SysWOW64\ntdll.dll
4 System 0x7fffd4390000 False False False \Windows\System32\vertdll.dll
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT
DEBUG volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_LDRP_LOAD_CONTEXT
4 System 0x7fffd43d0000 False False False \Windows\System32\ntdll.dll
328 smss.exe 0x7fffd43d0000 True True True \Windows\System32\ntdll.dll
328 smss.exe 0x7ff744750000 True False True \Windows\System32\smss.exe
428 csrss.exe 0x254f9180000 False False False \Windows\System32\pt-BR\winsrv.dll.mui
428 csrss.exe 0x254f9170000 False False False \Windows\System32\pt-BR\csrss.exe.mui
428 csrss.exe 0x7ff6c24d0000 True False True \Windows\System32\csrss.exe
428 csrss.exe 0x7fffd1f50000 True True True \Windows\System32\KernelBase.dll
428 csrss.exe 0x7fffd1a90000 True True True \Windows\System32\csrsrv.dll
428 csrss.exe 0x7fffd1a50000 True True True \Windows\System32\winsrv.dll
428 csrss.exe 0x7fffd1a10000 True True True \Windows\System32\sxssrv.dll
428 csrss.exe 0x7fffd17e0000 True True True \Windows\System32\sxs.dll
428 csrss.exe 0x7fffd1a20000 True True True \Windows\System32\winsrvext.dll
428 csrss.exe 0x7fffd1a70000 True True True \Windows\System32\basesrv.dll
428 csrss.exe 0x7fffd1e00000 True True True \Windows\System32\ucrtbase.dll
428 csrss.exe 0x7fffd1b60000 True True True \Windows\System32\msvcp_win.dll
428 csrss.exe 0x7fffd1f00000 True True True \Windows\System32\cfgmgr32.dll
428 csrss.exe 0x7fffd3500000 True True True \Windows\System32\kernel32.dll
428 csrss.exe 0x7fffd27e0000 True True True \Windows\System32\gdi32.dll
428 csrss.exe 0x7fffd2280000 True True True \Windows\System32\gdi32full.dll
...
6896 SgrmBroker.exe 0x7fffd1b60000 False False False \Windows\System32\msvcp_win.dll
6896 SgrmBroker.exe 0x7fffd1910000 False False False \Windows\System32\sspicli.dll
6896 SgrmBroker.exe 0x7fffd18f0000 False False False \Windows\System32\umpdc.dll
6896 SgrmBroker.exe 0x7fffd1990000 False False False \Windows\System32\powrprof.dll
6896 SgrmBroker.exe 0x7fffd1e00000 False False False \Windows\System32\ucrtbase.dll
6896 SgrmBroker.exe 0x7fffd1c70000 False False False \Windows\System32\bcrypt.dll
6896 SgrmBroker.exe 0x7fffd3500000 False False False \Windows\System32\kernel32.dll
6896 SgrmBroker.exe 0x7fffd2ae0000 False False False \Windows\System32\msvcrt.dll
6896 SgrmBroker.exe 0x7fffd26b0000 False False False \Windows\System32\imagehlp.dll
6896 SgrmBroker.exe 0x7fffd23a0000 False False False \Windows\System32\bcryptprimitives.dll
6896 SgrmBroker.exe 0x7fffd2b90000 False False False \Windows\System32\rpcrt4.dll
6896 SgrmBroker.exe 0x7fffd43d0000 False False False \Windows\System32\ntdll.dll
6896 SgrmBroker.exe 0x7fffd3e00000 False False False \Windows\System32\sechost.dll
DEBUG volatility3.cli: Traceback (most recent call last):
  File "/home/volatility3/volatility3/cli/__init__.py", line 469, in run
    renderer.render(grid)
  File "/home/volatility3/volatility3/cli/text_renderer.py", line 198, in render
    grid.populate(visitor, outfd)
  File "/home/volatility3/volatility3/framework/renderers/__init__.py", line 245, in populate
    for level, item in self._generator:
  File "/home/volatility3/volatility3/framework/plugins/windows/ldrmodules.py", line 72, in _generator
    if dos_header.e_magic != 0x5A4D:
       ^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/objects/__init__.py", line 963, in __getattr__
    member = template(context=self._context, object_info=object_info)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/objects/templates.py", line 96, in __call__
    return self.vol.object_class(
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/objects/__init__.py", line 168, in __new__
    value = cls._unmarshall(context, data_format, object_info)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/objects/__init__.py", line 202, in _unmarshall
    data = context.layers.read(
           ^^^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/interfaces/layers.py", line 638, in read
    return self[layer].read(offset, length, pad)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/layers/linear.py", line 45, in read
    for offset, _, mapped_offset, mapped_length, layer in self.mapping(
  File "/home/volatility3/volatility3/framework/layers/intel.py", line 295, in mapping
    for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(
  File "/home/volatility3/volatility3/framework/layers/intel.py", line 351, in _mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
                                          ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/layers/intel.py", line 503, in _translate
    return self._translate_swap(self, offset, self._bits_per_register // 2)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/layers/intel.py", line 450, in _translate_swap
    return super()._translate(offset)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/layers/intel.py", line 155, in _translate
    entry, position = self._translate_entry(offset)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/layers/intel.py", line 221, in _translate_entry
    table = self._get_valid_table(base_address)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/layers/intel.py", line 256, in _get_valid_table
    table = self._context.layers.read(
            ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/interfaces/layers.py", line 638, in read
    return self[layer].read(offset, length, pad)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/volatility3/volatility3/framework/layers/physical.py", line 161, in read
    raise exceptions.InvalidAddressException(
volatility3.framework.exceptions.InvalidAddressException: Offset outside of the buffer boundaries
Volatility was unable to read a requested page: 0x1f05001a0000 in layer memory_layer (Offset outside of the buffer boundaries)
* The base memory file being incomplete (try re-acquiring if possible)
* Memory smear during acquisition (try re-acquiring if possible)
* An intentionally invalid page lookup (operating system protection)
* A bug in the plugin/volatility3 (re-run with -vvv and file a bug)

eve-mem commented 4 months ago

This looks to me to be likely to be smear related. Can look to update the plugin to handle it.

Do other plugins like pslist etc work okay?

henrique-paiva-uece commented 4 months ago

Hi, the other plugins that I tried are working fine.

How can I update this plugin?

eve-mem commented 4 months ago

If you wanted to work on this: if you look in the plugin where it's reading values out, we'd need to have some of those reads in a try/except block, and if a read fails, replace the value with an Unavailable value instead.

eve-mem commented 4 months ago

Here's a somewhat similar example for a Linux plugin:

https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3%2Fframework%2Fplugins%2Flinux%2Fiomem.py#L65-L73
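As an added illustration of the try/except pattern eve-mem describes above and in the linked iomem.py example (this is not volatility3's own code, nor the ldrmodules plugin): a toy process layer raises InvalidAddressException, the exception class in the traceback, when an image base lies on a page missing from the capture, and the guarded row generator substitutes an Unreadable marker where the unguarded one aborts the whole run. The layer, page contents, module list and the UnreadableValue stand-in are all constructed here; the real plugin reads through volatility3's object model and uses volatility3.framework.renderers.UnreadableValue.

```python
import struct

PAGE = 0x1000
DOS_MAGIC = 0x5A4D  # 'MZ': the e_magic check at ldrmodules.py line 72 in the traceback


class InvalidAddressException(Exception):
    """Stand-in for volatility3.framework.exceptions.InvalidAddressException."""


class UnreadableValue:
    """Stand-in for volatility3's renderers.UnreadableValue (rendered as '-')."""
    def __eq__(self, other):
        return isinstance(other, UnreadableValue)


class ToyProcessLayer:
    """Toy process address space: only pages present in the capture are readable."""
    def __init__(self, pages):
        self._pages = pages  # page-aligned virtual address -> PAGE bytes

    def read(self, offset, length):
        page = self._pages.get(offset & ~(PAGE - 1))
        if page is None:  # smear, truncated dump, or a page the OS never backed
            raise InvalidAddressException(f"Offset outside of the buffer boundaries: {offset:#x}")
        start = offset & (PAGE - 1)
        return page[start:start + length]

    def e_magic(self, base):
        return struct.unpack("<H", self.read(base, 2))[0]  # DOS header e_magic


def rows_unguarded(layer, modules):
    """Before: one unreadable image base aborts the whole plugin run."""
    return [(pid, name, base, layer.e_magic(base) == DOS_MAGIC) for pid, name, base in modules]


def rows_guarded(layer, modules):
    """After: the failing read becomes an UnreadableValue cell and the scan continues."""
    rows = []
    for pid, name, base in modules:
        try:
            is_pe = layer.e_magic(base) == DOS_MAGIC
        except InvalidAddressException:
            is_pe = UnreadableValue()
        rows.append((pid, name, base, is_pe))
    return rows


# Constructed sample: two captured pages, plus the base 0x1f05001a0000 that the
# issue's error message names as the page Volatility could not read.
SAMPLE_LAYER = ToyProcessLayer({0x7fffd43d0000: b"MZ" + bytes(PAGE - 2),
                                0x7ff744750000: bytes(PAGE)})
SAMPLE_MODULES = [(328, "smss.exe", 0x7fffd43d0000),
                  (328, "smss.exe", 0x1f05001a0000),
                  (328, "smss.exe", 0x7ff744750000)]
```

Calling rows_unguarded(SAMPLE_LAYER, SAMPLE_MODULES) raises at the second module, while rows_guarded returns all three rows with the middle InMem-style cell marked unreadable.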

eve-mem commented 4 months ago

Hello @henrique-paiva-uece

Could you give the changes here a try: https://github.com/volatilityfoundation/volatility3/pull/1160

They should fix this issue for you.

henrique-paiva-uece commented 4 months ago

Hello @eve-mem,

It works great! Thanks so much.

eve-mem commented 4 months ago

Great, glad to hear it.