Open atcuno opened 2 months ago
If you can get a PR in place for what you're after we can get those tweaked.
@atcuno for the overlapping regions - can I check this is what you're looking for.
In this faked output there is an overlap with the starts and ends of these two entries. For the 0xff94a1d0 it overlaps with 0x8220e848 because the end of the first one is 0x332fff, which is larger than the start of the 0x320000 - an overlap of 0x12fff. If so, do you think it's enough to check if children overlap with their parents - or is it necessary to traverse everything and then check for overlaps?
$ python3 vol.py -r pretty -f win-xp-laptop-2005-06-25.img windows.vadwalk --pid 4012
Volatility 3 Framework 2.10.0
Formatting...0.00 PDB scanning finished
| PID | Process | Offset | Parent | Left | Right | Start | End | Tag
<snip>
* | 4012 | dd.exe | 0xff94a1d0 | 0x81f35458 | 0x8220e848 | 0xffaa0a90 | 0x320000 | 0x332fff | Vad
* | 4012 | dd.exe | 0x8220e848 | 0xff94a1d0 | 0x0 | 0x0 | 0x320000 | 0x32ffff | VadS
<snip>
For point two I've made that tiny change here: https://github.com/volatilityfoundation/volatility3/pull/1270
1) traverse should print a debug message if overlapping regions are found: https://github.com/volatilityfoundation/volatility3/blob/d56cd83510e64f9f875ff1dad11d8c8cbf5995f5/volatility3/framework/symbols/windows/extensions/__init__.py#L76
2) This message needs to be toned down to debug instead of warning:
https://github.com/volatilityfoundation/volatility3/blob/develop/volatility3/framework/plugins/windows/vadyarascan.py#L71
This warning makes the vad yarascan plugin unusable on many samples (including ones we had for Black Hat and DFRWS) as it prints 1000s of times across processes.