volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

windows.vadyarascan broken #1200

Closed heck-gd closed 3 months ago

heck-gd commented 4 months ago

Describe the bug
Thanks for improving VAD scanning, it's much appreciated! However, there's a small problem in the new code.

Context
Volatility Version: Latest develop
Operating System: Ubuntu 22.04
Python Version: 3.10
Suspected Operating System: Windows 10
Command: vol.py -f dumptoscan.elf windows.vadyarascan --yara-file rules.yar

To Reproduce
Run the command above and get no results even if the strings are present.

Additional information
The problem seems to be that in this loop, the second tuple member is in fact the size and not the end address.

Printing start and end yields the following for me:

0x7ff5fdfb0000 0x2001000
0x400000 0x57000
0x80000 0xc9000
0x30000 0x1d000
0x10000 0x1000
0x20000 0x1000
0x60000 0x2000
0x50000 0x4000
0x70000 0x10000

heck-gd commented 4 months ago

Also, relating to the same feature - if I fix the bug locally, Volatility runs out of memory scanning a 4 GB memory dump.

Changing the sanity_check size to 2 GB works around that problem. Not sure if that's too restrictive for some use cases.
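The two points raised in this thread, treating a VAD's second tuple member as an end address when it is a size, and the memory blow-up from reading an unbounded region, can be shown side by side in a small self-contained script. This is an added illustration, not code from the issue or from Volatility; the VAD list, memory contents and all function names (`read_memory`, `scan_vads_buggy`, `scan_vads_fixed`, `chunk_range`) are constructed for the example, and the pattern search is a plain byte search standing in for a YARA match.

```python
"""Worked illustration of (start, size) vs (start, end) confusion in VAD scanning,
plus a bounded-read cap. Example code, not Volatility's own; the VAD list, memory
contents and function names are constructed."""
from typing import Dict, Iterator, List, Tuple

MARKER = b"suspicious-string"

# Constructed stand-in for a process address space: each VAD's bytes keyed by its base.
# The (start, size) pairs mirror the shape of the values in the report, shrunk so the
# example runs quickly.
SAMPLE_VADS: List[Tuple[int, int]] = [(0x400000, 0x1000), (0x7FF5FDFB0000, 0x2000)]
SAMPLE_MEMORY: Dict[int, bytes] = {
    0x400000: (b"\x90" * 0x800 + MARKER).ljust(0x1000, b"\x00"),
    0x7FF5FDFB0000: b"\x00" * 0x2000,
}


def read_memory(start: int, end: int) -> bytes:
    """Return the bytes in [start, end) if they lie inside one known VAD, else b''.
    Mimics a layer read that yields nothing for an unmapped or inverted range."""
    if end <= start:
        return b""
    for base, data in SAMPLE_MEMORY.items():
        if base <= start and end <= base + len(data):
            return data[start - base:end - base]
    return b""


def scan_vads_buggy(vads: List[Tuple[int, int]], needle: bytes) -> List[int]:
    """The mistake from the report: the second member is used as an end address,
    so every range is inverted (end < start) and nothing is ever scanned."""
    hits = []
    for start, end in vads:  # 'end' here is really the region size
        if needle in read_memory(start, end):
            hits.append(start)
    return hits


def vad_to_range(start: int, size: int) -> Tuple[int, int]:
    """Convert a (start, size) pair into an exclusive [start, end) range."""
    return start, start + size


def chunk_range(start: int, end: int, max_chunk: int) -> Iterator[Tuple[int, int]]:
    """Split [start, end) into pieces no larger than max_chunk so a single huge VAD
    can never force a multi-gigabyte read. Caveat: a pattern that straddles a chunk
    boundary is not seen by this simple splitter."""
    for chunk_start in range(start, end, max_chunk):
        yield chunk_start, min(chunk_start + max_chunk, end)


def scan_vads_fixed(vads: List[Tuple[int, int]], needle: bytes,
                    max_chunk: int = 0x1000) -> List[int]:
    """Correct interpretation: derive the end from start + size and read in bounded
    chunks. Returns the absolute offsets at which needle was found."""
    hits = []
    for start, size in vads:
        region_start, region_end = vad_to_range(start, size)
        for c_start, c_end in chunk_range(region_start, region_end, max_chunk):
            data = read_memory(c_start, c_end)
            pos = data.find(needle)
            while pos != -1:
                hits.append(c_start + pos)
                pos = data.find(needle, pos + 1)
    return hits


if __name__ == "__main__":
    print("buggy:", [hex(h) for h in scan_vads_buggy(SAMPLE_VADS, MARKER)])
    print("fixed:", [hex(h) for h in scan_vads_fixed(SAMPLE_VADS, MARKER)])
```

Running the script shows the buggy loop finding nothing, exactly the symptom in the report, while the corrected loop locates the marker at 0x400800. The `max_chunk` argument plays the role of the sanity-check cap mentioned in the second comment: it bounds how much of one region is held in memory at a time, at the cost of missing a match that spans two chunks unless the scanner overlaps them.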