volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Return partial results if the user requests it #369

Closed AsafEitani closed 8 months ago

AsafEitani commented 3 years ago

Describe the bug

Running dlllist results in an error:

python C:\Users\user\volatility3\vol.py -vvv -r json -f dump.dd windows.dlllist
Volatility 3 Framework 1.2.1-beta.1
INFO     root        : Volatility plugins path: ['C:\\Users\\user\\volatility3\\volatility\\plugins', 'C:\\Users\\user\\volatility3\\volatility\\framework\\plugins']
INFO     root        : Volatility symbols path: ['C:\\Users\\user\\volatility3\\volatility\\symbols', 'C:\\Users\\user\\volatility3\\volatility\\framework\\symbols']
DEBUG    volatility.framework: No module named 'Crypto'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.cachedump based on file: windows\cachedump
DEBUG    volatility.framework: No module named 'Crypto'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.hashdump based on file: windows\hashdump
DEBUG    volatility.framework: No module named 'Crypto'
DEBUG    volatility.framework: Failed to import module volatility.plugins.windows.lsadump based on file: windows\lsadump
INFO     root        : The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.cachedump, volatility.plugins.windows.hashdump, volatility.plugins.windows.lsadump
INFO     volatility.framework.automagic: Detected a windows category plugin
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.DllList.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.DllList.nt_symbols
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.DllList.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.DllList.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.DllList.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.DllList
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.DllList.nt_symbols
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.DllList.nt_symbols
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.DllList.nt_symbols
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.DllList
INFO     volatility.framework.automagic: Running automagic: LayerStacker
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.DllList.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.DllList.nt_symbols
DEBUG    volatility.framework.automagic.windows: DTB was found at: 0x1aa000
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.DllList.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.DllList.primary
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.DllList.nt_symbols
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.DllList.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.DllList.primary.memory_layer
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.DllList.nt_symbols
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.DllList.nt_symbols
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.DllList.nt_symbols
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.DllList
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO     volatility.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility.framework.automagic: Running automagic: WintelHelper
INFO     volatility.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.DllList.nt_symbols
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.DllList.nt_symbols
Level 9  volatility.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.DllList.nt_symbols
DEBUG    volatility.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility.framework.symbols.windows.pdb: Using symbol library: ntkrnlmp.pdb\D9AA3BF08C8A487FA12ED4A362EF4F17-1
DEBUG    volatility.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf800f4079000

DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_EPROCESS_QUOTA_BLOCK
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_PAGEFAULT_HISTORY
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_ACCESS_STATE
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_CPU_RATE_CONTROL
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_JOB_NOTIFICATION_INFORMATION
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_ACTIVATION_CONTEXT_DATA
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_FLS_CALLBACK_INFO
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_ASSEMBLY_STORAGE_MAP
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_SCSI_REQUEST_BLOCK
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_ACTIVATION_CONTEXT
DEBUG    volatility.framework.symbols: Unresolved reference: nt_symbols1!_LDRP_DLL_SNAP_CONTEXT

DEBUG    root        : Traceback (most recent call last):
  File "C:\Users\user\volatility3\volatility\cli\__init__.py", line 312, in run
    renderers[args.renderer]().render(constructed.run())
  File "C:\Users\user\volatility3\volatility\cli\text_renderer.py", line 352, in render
    grid.populate(visitor, final_output)
  File "C:\Users\user\volatility3\volatility\framework\renderers\__init__.py", line 212, in populate
    for (level, item) in self._generator:
  File "C:\Users\user\volatility3\volatility\framework\plugins\windows\dlllist.py", line 133, in _generator
    errors = 'replace'), format_hints.Hex(entry.DllBase),
  File "C:\Users\user\volatility3\volatility\framework\objects\__init__.py", line 721, in __getattr__
    member = template(context = self._context, object_info = object_info)
  File "C:\Users\user\volatility3\volatility\framework\objects\templates.py", line 72, in __call__
    return self.vol.object_class(context = context, object_info = object_info, **arguments)
  File "C:\Users\user\volatility3\volatility\framework\objects\__init__.py", line 120, in __new__
    value = cls._unmarshall(context, data_format, object_info)
  File "C:\Users\user\volatility3\volatility\framework\objects\__init__.py", line 307, in _unmarshall
    data = context.layers.read(object_info.layer_name, object_info.offset, length)
  File "C:\Users\user\volatility3\volatility\framework\interfaces\layers.py", line 542, in read
    return self[layer].read(offset, length, pad)
  File "C:\Users\user\volatility3\volatility\framework\layers\linear.py", line 38, in read
    for (offset, _, mapped_offset, mapped_length, layer) in self.mapping(offset, length, ignore_errors = pad):
  File "C:\Users\user\volatility3\volatility\framework\layers\intel.py", line 197, in mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
  File "C:\Users\user\volatility3\volatility\framework\layers\intel.py", line 317, in _translate
    return self._translate_swap(self, offset, self._bits_per_register // 2)
  File "C:\Users\user\volatility3\volatility\framework\layers\intel.py", line 275, in _translate_swap
    return super()._translate(offset)
  File "C:\Users\user\volatility3\volatility\framework\layers\intel.py", line 99, in _translate
    entry, position = self._translate_entry(offset)
  File "C:\Users\user\volatility3\volatility\framework\layers\intel.py", line 125, in _translate_entry
    "Page Fault at entry " + hex(entry) + " in table " + name)
volatility.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x0 in table page directory

Volatility was unable to read a requested page:
Page error 0x30 in layer primary2_Process18704_1 (Page Fault at entry 0x0 in table page directory)

        * Memory smear during acquisition (try re-acquiring if possible)
        * An intentionally invalid page lookup (operating system protection)
        * A bug in the plugin/volatility (re-run with -vvv and file a bug)

Every other plugin runs without page fault errors...

Context

Volatility Version: 1.2.1-beta.1
Operating System: Windows 10
Python Version: 3.6.9
Suspected Operating System: Windows 8.1
Command: python C:\Users\user\volatility3\vol.py -vvv -r json -f dump.dd windows.dlllist

To Reproduce

Steps to reproduce the behavior:

  1. Use command dlllist
  2. See error

Expected behavior

DllList should return a partial result if not all pages are reachable.

ikelos commented 3 years ago

The problem we have with returning partial results is that we need to let the user know that they were partial results, which means the UI needs to know what's gone wrong, and that's done by throwing the exceptions that we throw. There was some work on supporting continued output after an error, but that needs to be enabled per-renderer and at the moment defaults to clearly displaying the error (and terminating). I've done some work on adding the ability to provide options to renderers, but I don't want to rush that through without the proper thought, so this issue will probably stay open for a little bit I'm afraid...
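The trade-off described in the comment above (keep emitting rows after a page fault, yet still tell the user the output is incomplete) can be illustrated with the partial-result pattern below. This is an added example and not Volatility's own code: the layer, the loader entries and the `PagedInvalidAddressException`/`UnreadableValue` classes are simplified stand-ins constructed for the demonstration (Volatility 3's real `renderers` module does ship an `UnreadableValue` placeholder, but the framework itself is not imported here, so the example runs offline). The sample memory layout, including the layer name taken from the traceback above, is constructed data.

```python
"""Partial-result pattern for a paged-memory walker (added example).

Models the failure in the traceback above: a page fault while reading a
field of one loader entry from a process layer. Instead of letting the
exception abort the whole plugin, the generator substitutes a placeholder
for the unreadable field, keeps walking, and counts incomplete rows so the
renderer can tell the user the result is partial.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple

PAGE_SIZE = 0x1000


class PagedInvalidAddressException(Exception):
    """Hypothetical stand-in for the framework's page-fault exception."""

    def __init__(self, layer_name: str, invalid_address: int) -> None:
        super().__init__(f"Page error {invalid_address:#x} in layer {layer_name}")
        self.layer_name = layer_name
        self.invalid_address = invalid_address


class UnreadableValue:
    """Placeholder emitted instead of a field whose page could not be read."""

    def __repr__(self) -> str:
        return "<unreadable>"

    def __eq__(self, other: object) -> bool:
        return isinstance(other, UnreadableValue)


@dataclass
class FakeProcessLayer:
    """Constructed virtual layer: only the page-aligned addresses in `pages` exist."""

    name: str
    pages: Dict[int, bytes]

    def read(self, offset: int, length: int) -> bytes:
        page = offset & ~(PAGE_SIZE - 1)
        # Reads that touch an unmapped page (or run off the end of one) fault.
        if page not in self.pages or (offset - page) + length > PAGE_SIZE:
            raise PagedInvalidAddressException(self.name, offset)
        start = offset - page
        return self.pages[page][start:start + length]


@dataclass
class LdrEntry:
    """Minimal loader-list entry: virtual addresses of its DllBase and name."""

    dllbase_addr: int
    name_addr: int
    name_len: int


def read_u64(layer: FakeProcessLayer, addr: int) -> int:
    return int.from_bytes(layer.read(addr, 8), "little")


def dlllist_generator(layer: FakeProcessLayer,
                      entries: List[LdrEntry]) -> Iterator[Tuple[int, Tuple]]:
    """Yield (level, row) like a TreeGrid generator, one row per entry.

    Each field is read under its own try/except so a fault in one field
    never drops the others; the last column flags rows with substitutions."""
    for idx, entry in enumerate(entries):
        partial = False
        try:
            base = read_u64(layer, entry.dllbase_addr)
        except PagedInvalidAddressException:
            base = UnreadableValue()
            partial = True
        try:
            raw = layer.read(entry.name_addr, entry.name_len)
            name = raw.decode("utf-16le", errors="replace")
        except PagedInvalidAddressException:
            name = UnreadableValue()
            partial = True
        yield (0, (idx, base, name, partial))


def run(layer: FakeProcessLayer, entries: List[LdrEntry]):
    """Collect all rows and count how many are incomplete (for the UI)."""
    rows = list(dlllist_generator(layer, entries))
    incomplete = sum(1 for _, row in rows if row[3])
    return rows, incomplete


def build_sample():
    """Constructed layout: two mapped pages, one entry fully on a missing page."""
    page_a = bytearray(PAGE_SIZE)
    page_a[0:8] = (0x7FF812340000).to_bytes(8, "little")   # DllBase of entry 0
    name_a = "ntdll.dll".encode("utf-16le")
    page_a[0x10:0x10 + len(name_a)] = name_a               # name of entry 0
    page_b = bytearray(PAGE_SIZE)
    page_b[0:8] = (0x7FF811000000).to_bytes(8, "little")   # DllBase of entry 2
    layer = FakeProcessLayer("primary2_Process18704_1",
                             {0x7FF000: bytes(page_a), 0x7FD000: bytes(page_b)})
    entries = [
        LdrEntry(0x7FF000, 0x7FF010, len(name_a)),  # fully readable
        LdrEntry(0x7FE000, 0x7FE010, 20),           # whole page unmapped
        LdrEntry(0x7FD000, 0x7FC010, 20),           # base readable, name page missing
    ]
    return layer, entries


if __name__ == "__main__":
    lay, ents = build_sample()
    result, bad = run(lay, ents)
    for _, r in result:
        print(r)
    print(f"{bad} of {len(result)} rows incomplete")
```

The per-field `try/except` is the part that changes behaviour relative to the traceback above, where a single unreadable `DllBase` propagates out of `_generator` and terminates the run. Returning the count of incomplete rows alongside the rows is one way to satisfy the requirement raised in the comment: the caller still learns that the output is partial, without the plugin having to raise.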

github-actions[bot] commented 10 months ago

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] commented 8 months ago

This issue was closed because it has been inactive for 60 days since being marked as stale.