volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

hivescan/hivelist issues #186

Closed superponible closed 4 years ago

superponible commented 4 years ago

Describe the bug

There are a few issues with hivelist and hivescan.

  1. hivelist only walks the list forward now

There was a change I tracked back to this commit https://github.com/volatilityfoundation/volatility3/commit/2cad54ea6bc7a6a016f1624671a1e000a0743e85 that prevented the list walking from raising an exception, so the walk backward is no longer performed.

  2. there are cases where walking the list forward and backward can still miss hives

Sometimes invalid addresses (paged, compressed) are encountered when walking the list. If this happens only once in the list, then walking backward from CmpHiveListHead is sufficient. However, if multiple links are broken, it can leave the middle of the list unreachable. E.g., if the list has 10 items, and the 3rd and 7th links are invalid when walking the list, the middle items can't be reached by walking forward or backward. In this case, reverting to scanning may be necessary to find the remaining hives.

  3. Looks like some changes to the pool scanner have broken hivescan

  4. hivescan doesn't work on Win8.1 and Win10 x64 because it doesn't handle big pool pages.
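The two-break case in item 2 above, as an added simulation that is not volatility3's code and not part of the issue: a circular doubly-linked list hanging off a list head, with the 3rd and 7th entries on unreadable pages. A forward walk stops at entry 3, a backward walk from the head stops at entry 7, and entries 4 to 6 are reachable from neither side; a signature scan that ignores the links still finds them. Every address, the `HIVE` tag, the `ListEntry` layout and the helper names (`build_image`, `walk`, `hivelist`, `hivescan`, `unreachable_by_walk`) are constructed for the example; in the kernel the head is CmpHiveListHead and the real scanner keys on the _CMHIVE pool allocation.

```python
"""Simulated hive list walk vs. scan (added example, not volatility3 code).

Models the situation in the issue: a circular doubly-linked list anchored at a
list head (CmpHiveListHead in the kernel), where some entries sit on pages that
cannot be read (paged out or compressed). A forward walk stops at the first bad
pointer, a backward walk stops at the first bad pointer in that direction, and
anything between two bad entries is unreachable from either side. A signature
scan that ignores the links still finds those entries.

Every address, the HIVE tag and the image layout below are constructed.
"""
from typing import Dict, List, NamedTuple, Set


class ListEntry(NamedTuple):
    signature: bytes  # constructed object tag, stands in for the _CMHIVE pool tag
    flink: int        # address of next entry
    blink: int        # address of previous entry


HEAD = 0x1000         # stands in for CmpHiveListHead (constructed address)
HIVE_SIG = b"HIVE"    # constructed marker, not the real kernel signature
ENTRY_BASE = 0x2000
ENTRY_STRIDE = 0x100


def entry_addr(i: int, n: int) -> int:
    """Address of the i-th hive entry (1-based); index 0 and n+1 wrap to HEAD."""
    return HEAD if i in (0, n + 1) else ENTRY_BASE + i * ENTRY_STRIDE


def build_image(n: int, unreadable: Set[int]) -> Dict[int, ListEntry]:
    """Constructed memory image: address -> entry.

    Entries whose 1-based index is in `unreadable` are omitted from the
    image, so a pointer to them models an invalid (paged/compressed) address.
    A non-hive object is added as noise that the scanner must ignore.
    """
    image: Dict[int, ListEntry] = {}
    for i in range(1, n + 1):
        if i in unreadable:
            continue
        image[entry_addr(i, n)] = ListEntry(
            HIVE_SIG, entry_addr(i + 1, n), entry_addr(i - 1, n)
        )
    image[HEAD] = ListEntry(b"", entry_addr(1, n), entry_addr(n, n))
    image[0x9000] = ListEntry(b"NOPE", 0, 0)  # noise object, not a hive
    return image


def walk(image: Dict[int, ListEntry], link: str) -> List[int]:
    """Follow `link` ('flink' or 'blink') from HEAD until the list wraps back
    to HEAD or a pointer lands on an unreadable page, whichever comes first."""
    found: List[int] = []
    ptr = getattr(image[HEAD], link)
    while ptr != HEAD:
        entry = image.get(ptr)
        if entry is None:     # invalid address: this direction is exhausted
            break
        found.append(ptr)
        ptr = getattr(entry, link)
    return found


def hivelist(image: Dict[int, ListEntry]) -> Set[int]:
    """What a forward plus backward list walk can reach."""
    return set(walk(image, "flink")) | set(walk(image, "blink"))


def hivescan(image: Dict[int, ListEntry]) -> Set[int]:
    """Signature scan: ignores the links and keys on the object tag, so it
    also finds entries that sit between two broken links."""
    return {addr for addr, entry in image.items() if entry.signature == HIVE_SIG}


def unreachable_by_walk(n: int, unreadable: Set[int]) -> Set[int]:
    """Indices of readable hives that the list walk misses but the scan finds."""
    image = build_image(n, unreadable)
    missed = hivescan(image) - hivelist(image)
    return {i for i in range(1, n + 1) if entry_addr(i, n) in missed}


if __name__ == "__main__":
    # One bad entry: the backward walk from the head covers everything the
    # forward walk could not, so nothing readable is missed.
    print("single break, missed by walk:", unreachable_by_walk(10, {3}))
    # Two bad entries (3rd and 7th, as in the issue): entries 4-6 are cut off
    # from both directions and only the scan recovers them.
    print("two breaks, missed by walk:  ", unreachable_by_walk(10, {3, 7}))
```

Running it shows the single-break case losing nothing and the two-break case losing entries 4, 5 and 6 to the walk, which is exactly why the issue asks for a scan fallback rather than relying on the list in either direction.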

superponible commented 4 years ago

Started this branch with initial attempts at fixing 1, 2, and 3: https://github.com/volatilityfoundation/volatility3/tree/hivelist_hivescan_fixes

@ikelos I haven't gone over the pool scan changes in detail, but it looked like the type check was based on the _POOL_HEADER which _CMHIVE doesn't have, so that's why I just had it skip, not sure if there's a better fix.

ikelos commented 4 years ago

Cool, looks good. Is it ready to be turned into a pull request or are you still working on it? It all looks great, my spidey sense is tingling about the is_valid call, but I think I just had an issue with people relying on them too much/them not being implemented everywhere in vol2. I don't think I've got a legitimate reason for not liking it (and the code inside it seems right)... 5:)

Yeah, if the pool header doesn't exist, then skipping the test should be fine...

What needs to happen for big pool page support? Is it involved or just a little extra code to get going? Happy to take a look at it when I get some cycles if it's not a major overhaul? 5:)

ikelos commented 4 years ago

Pull request #213 fixed this, so closing it out now. Please feel free to reopen if you think the problem still exists... 5:)