volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Backtrace in Windows automagic #1218

Closed atcuno closed 1 month ago

atcuno commented 3 months ago

I triggered this backtrace when mass running plugins across samples:

```text
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
DEBUG    volatility3.framework.interfaces.layers: Scan Failure: unpack requires a buffer of 8 bytes
DETAIL 3 volatility3.framework.interfaces.layers: Traceback (most recent call last):
  File "/home/fs/vol3api/volatility3/volatility3/framework/interfaces/layers.py", line 258, in scan
    yield from scan_chunk(value)
  File "/home/fs/vol3api/volatility3/volatility3/framework/interfaces/layers.py", line 373, in _scan_chunk
    return list(scanner(data, chunk_end - len(data)))
  File "/home/fs/vol3api/volatility3/volatility3/framework/automagic/windows.py", line 188, in __call__
    result = test(data, data_offset, page_offset)
  File "/home/fs/vol3api/volatility3/volatility3/framework/automagic/windows.py", line 140, in __call__
    dtb = super().__call__(data, data_offset, page_offset)
  File "/home/fs/vol3api/volatility3/volatility3/framework/automagic/windows.py", line 70, in __call__
    (ptr,) = struct.unpack(self.ptr_struct, ptr_data)
struct.error: unpack requires a buffer of 8 bytes
```

I can dig in if needed, but I haven't dealt with the automagic for Windows before, so thought someone else would be able to fix it properly quicker.

ikelos commented 3 months ago

Ok, so this is quite strange. The relevant lines are:

```python
for ref in range(0, self.page_size, self.ptr_size):
    ptr_data = page[ref : ref + self.ptr_size]
    (ptr,) = struct.unpack(self.ptr_struct, ptr_data)
```

Which can basically only go wrong if page_size isn't a multiple of ptr_size and I don't know that we ever have a page_size that isn't 4096 (I guess for really large pages)? Do you have the image that caused this, and can you either share it or look for basic info about it (page size, intel layer type, 32, pae, 64, that kind of thing)?

ikelos commented 3 months ago

(For what it's worth, ptr_size is set in the __init__ as self.ptr_size = struct.calcsize(ptr_struct) so a mismatch between those two would be nigh on impossible...)

ikelos commented 3 months ago

Either that or your image is truncated, and this was looking at the last page? Also seems a bit questionable, but possible?
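The truncated-image case raised above, reproduced as an added example (not Volatility's code): `scan_page_naive` mirrors the quoted loop and fails on a short final page exactly as in the traceback, while `scan_page_safe` stops at the real end of the data. The self-referential check, the x64 frame mask and the sample page are assumptions constructed for the demonstration.

```python
import struct
from typing import List, Optional

PAGE_SIZE = 4096
PTR_STRUCT = "<Q"                        # 64-bit little-endian page-table entry
PTR_SIZE = struct.calcsize(PTR_STRUCT)   # 8, derived the same way as in __init__


def scan_page_naive(page: bytes) -> List[int]:
    """Unpack every pointer slot of a page; raises struct.error if the page is short."""
    ptrs = []
    for ref in range(0, PAGE_SIZE, PTR_SIZE):
        ptr_data = page[ref : ref + PTR_SIZE]          # slicing silently shortens at EOF
        (ptr,) = struct.unpack(PTR_STRUCT, ptr_data)   # fails when len(ptr_data) < 8
        ptrs.append(ptr)
    return ptrs


def scan_page_safe(page: bytes) -> List[int]:
    """Same walk, but bounded by the bytes actually present, so a truncated
    last page yields a partial result instead of aborting the scan."""
    avail = min(len(page), PAGE_SIZE)
    usable = avail - (avail % PTR_SIZE)                # whole entries only
    return [struct.unpack_from(PTR_STRUCT, page, ref)[0]
            for ref in range(0, usable, PTR_SIZE)]


def self_referential_entries(page: bytes, page_offset: int) -> List[int]:
    """Indices of entries whose frame address is this page's own physical offset.
    Simplified stand-in for the self-referential pointer check (assumed mask)."""
    frame_mask = 0x000FFFFFFFFFF000                    # bits 12..51 on x64 (assumed)
    return [i for i, p in enumerate(scan_page_safe(page))
            if (p & frame_mask) == page_offset]


def naive_fails(page: bytes) -> Optional[str]:
    """Return the struct.error message the naive loop produces, or None."""
    try:
        scan_page_naive(page)
    except struct.error as exc:
        return str(exc)
    return None


# Constructed sample: a page at physical 0x1AB000 whose entry 0x1ED points at itself,
# plus a copy that is 3 bytes short, as the last page of a truncated image would be.
PAGE_OFFSET = 0x1AB000
_buf = bytearray(PAGE_SIZE)
struct.pack_into(PTR_STRUCT, _buf, 0x1ED * PTR_SIZE, PAGE_OFFSET | 0x63)  # present|rw|a|d
FULL_PAGE = bytes(_buf)
TRUNCATED_PAGE = FULL_PAGE[: PAGE_SIZE - 3]
```

On the truncated page the naive loop dies with "unpack requires a buffer of 8 bytes" while the bounded variant still scans 511 entries and finds the self-reference.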

ikelos commented 1 month ago

If you're going to mark a ticket as completed, please provide a short description for the resolution, even if it's just "no longer relevant" or similar? Otherwise it leaves people who come across the ticket scratching their head as to what changed...

atcuno commented 1 month ago

Weird, I thought I did. Basically this was a Linux sample in our pool of Windows samples that triggered weird code paths in the scanning. Fixing it will be addressed in another ticket soon related to bugs we are finding in mass testing.