Closed rmohr closed 2 years ago
Hmmm, interesting. Are you comfortable carrying out git bisections? If not, would you be able to share the memory image you're having trouble with (or a similar one that exhibits the issue)? It looks like the scanner for the module list is no longer finding the list when it used to, but I don't think that code has changed significantly, so it would be good to track down what the exact change that causes the issue is...
Hiya, this might also have been a very recent issue related to scanning for Windows 64 self-referential entries in the DTB. I found that a PAE image I had was throwing up possible self-referential pointers in the region we now scan (which has increased recently, as Windows 10 no longer uses a fixed pointer but one that moves within a range which we now scan). I've tried to combat these false positives because in my example every entry in the page was marked as valid (which is highly unlikely for a non-PAE DTB).
As such, it would be extremely helpful if you could test the following two things:
If both are yes, then it looks like we've got a solution. If the first one is no, or the first is yes and the second no, then I'll probably still need the image to figure out what's going wrong... 5:S
- Does the develop branch now (after having reverted the recent changes) work with your troublesome image?
Current develop branch does not work.
- If so, does the branch for #511 also work as expected?
Does not work either.
I think I can share the image. Asking now.
Ok, thanks. I think at this point we'll need the image to make much further progress...
Sorry for the delay. I have issues uploading the dump as a zip file.
Hi guys, I may have stumbled on the same issue. The image that produces that hang on the PdbSignatureScanner is a Microsoft Developer Environment virtual machine. https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
Hmmm, @k0l0ss thanks for the link, but that seems to be to virtual machines rather than a memory image. Since they're from a public source, would you be willing to get a memory image that exhibits the problem and share it with us? It's really tricky to diagnose these problems without a sample that we know exhibits the issue...
@k0l0ss Any progress on this? Does the issue still happen with the latest version?
I'm going to mark this as closed, given there's been no response in three months. Feel free to reopen this, or file a new ticket if it's still an issue with 2.0.0.
I ran into the same issue as described here, develop won't process the sample at all, but switching to v1.0.1 handles it fine. I can't share the sample publicly (possibly privately), but am happy to help debug.
Volatility Version: b187dd9
Operating System: Linux
Python Version: Python 3.11.9
Suspected Operating System: Windows Server 2019
Command: python3 vol.py -vvvvvvv -f ../sample.dmp windows.info
$ git checkout develop
$ python3 vol.py -vvvvvvv -f ../sample.dmp windows.info
Volatility 3 Framework 2.7.1
INFO volatility3.cli: Volatility plugins path: ['/home/kali/volatility3/volatility3/plugins', '/home/kali/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/home/kali/volatility3/volatility3/symbols', '/home/kali/volatility3/volatility3/framework/symbols']
DETAIL 4 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/plugins, /home/kali/volatility3/volatility3/framework/plugins
DETAIL 4 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/automagic
DETAIL 3 volatility3.cli: Cache directory used: /home/kali/.cache/volatility3
INFO volatility3.framework.automagic: Detected a windows category plugin
DETAIL 4 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 4 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 4 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 4 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /home/kali/volatility3/volatility3/symbols, /home/kali/volatility3/volatility3/framework/symbols
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 4 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 3 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler, OfflineHandler, S3FileSystemHandler, GSFileSystemHandler, LeechCoreHandler
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
DETAIL 4 volatility3.framework.layers.elf: Exception: Bad magic 0x45474150 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using XenCoreDumpStacker
DETAIL 4 volatility3.framework.layers.xen: Exception: Bad magic 0x45474150 at file offset 0x0
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using AVMLStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
DETAIL 4 volatility3.framework.layers.crash: Exception reading crashdump: Invalid dump 0x34365544 at file offset 0x0
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /home/kali/volatility3/volatility3/symbols, /home/kali/volatility3/volatility3/framework/symbols
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
DETAIL 4 volatility3.framework.symbols.intermed: Searching for symbols in /home/kali/volatility3/volatility3/symbols, /home/kali/volatility3/volatility3/framework/symbols
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
DETAIL 3 volatility3.framework.automagic.stacker: Exception during stacking: range object index out of range
DETAIL 4 volatility3.framework.automagic.stacker: Traceback (most recent call last):
File "/home/kali/volatility3/volatility3/framework/automagic/stacker.py", line 216, in stack_layer
new_layer = stacker.stack(context, initial_layer, progress_callback)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/volatility3/volatility3/framework/layers/crash.py", line 270, in stack
return layer(context, new_name, new_name)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/kali/volatility3/volatility3/framework/layers/crash.py", line 87, in __init__
super().__init__(context, config_path, name)
File "/home/kali/volatility3/volatility3/framework/layers/segmented.py", line 38, in __init__
self._load_segments()
File "/home/kali/volatility3/volatility3/framework/layers/crash.py", line 161, in _load_segments
if (buffer_char[bit_addr >> 3] >> (bit_addr & 0x7)) & 1:
~~~~~~~~~~~^^^^^^^^^^^^^^^
File "/home/kali/volatility3/volatility3/framework/objects/__init__.py", line 781, in __getitem__
series = range(self.vol.count)[i]
~~~~~~~~~~~~~~~~~~~~~^^^
IndexError: range object index out of range
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
DETAIL 2 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: Older windows fixed location self-referential pointers
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: TypeError - Layer is not the required Architecture: FileLayer
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 1782252039
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
INFO volatility3.framework.automagic.pdbscan: No suitable kernels found during pdbscan
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
Unsatisfied requirement plugins.Info.kernel.layer_name:
Unsatisfied requirement plugins.Info.kernel.symbol_table_name:
A translation layer requirement was not fulfilled. Please verify that:
A file was provided to create this layer (by -f, --single-location or by config)
The file exists and is readable
The file is a valid memory image and was acquired cleanly
A symbol table requirement was not fulfilled. Please verify that:
The associated translation layer requirement was fulfilled
You have the correct symbol file for the requirement
The symbol file is under the correct directory or zip file
The symbol file is named appropriately or contains the correct banner
Unable to validate the plugin requirements: ['plugins.Info.kernel.layer_name', 'plugins.Info.kernel.symbol_table_name']
$ git checkout v1.0.1
$ python3 vol.py -vvvvvvv -f ../sample.dmp windows.info
Volatility 3 Framework 1.0.1
INFO root : Volatility plugins path: ['/home/kali/volatility3/volatility3/plugins', '/home/kali/volatility3/volatility3/framework/plugins']
INFO root : Volatility symbols path: ['/home/kali/volatility3/volatility3/symbols', '/home/kali/volatility3/volatility3/framework/symbols']
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/plugins, /home/kali/volatility3/volatility3/framework/plugins
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/automagic
Level 7 root : Cache directory used: /home/kali/.cache/volatility3
INFO volatility3.framework.automagic: Detected a windows category plugin
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.primary
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.nt_symbols
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO volatility3.framework.automagic: Running automagic: LayerStacker
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 7 volatility3.framework.layers.resources: Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, JarHandler
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Bad magic 0x45474150 at file offset 0x0
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsCrashDumpStacker
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /home/kali/volatility3/volatility3/symbols, /home/kali/volatility3/volatility3/framework/symbols
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
Level 8 volatility3.framework.automagic.stacker: Stacked WindowsCrashDump64Layer using WindowsCrashDumpStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using WindowsIntelStacker
DEBUG volatility3.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1aa000
Level 8 volatility3.framework.automagic.stacker: Stacked IntelLayer using WindowsIntelStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using QemuStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using LimeStacker
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using Elf64Stacker
Level 6 volatility3.framework.layers.elf: Exception: Offset 0x0 does not exist within the base layer
Level 8 volatility3.framework.automagic.stacker: Attempting to stack using VmwareStacker
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary.memory_layer
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.primary.memory_layer.base_layer
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /home/kali/volatility3/volatility3/symbols, /home/kali/volatility3/volatility3/framework/symbols
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 6 volatility3.framework: Importing from the following paths: /home/kali/volatility3/volatility3/framework/layers
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.nt_symbols
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 9 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'WindowsCrashDump64Layer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: WintelHelper
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
Level 9 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.nt_symbols
DEBUG volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /home/kali/volatility3/volatility3/symbols, /home/kali/volatility3/volatility3/framework/symbols
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/EF9A48AFA50FF07C616585BB01919536-1
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf8060f019000
Progress: 100.00 PDB scanning finished
Variable Value
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /home/kali/volatility3/volatility3/symbols, /home/kali/volatility3/volatility3/framework/symbols
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
Kernel Base 0xf8060f019000
DTB 0x1aa000
Symbols file:///home/kali/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/EF9A48AFA50FF07C616585BB01919536-1.json.xz
Is64Bit True
IsPAE False
primary 0 WindowsIntel32e
memory_layer 1 WindowsCrashDump64Layer
base_layer 2 FileLayer
KdDebuggerDataBlock 0xf8060f416a80
NTBuildLab 17763.1.amd64fre.rs5_release.180
CSDVersion 0
KdVersionBlock 0xf8060f419f10
Major/Minor 15.17763
MachineType 34404
KeNumberProcessors 2
SystemTime 2023-10-04 17:33:02
NtSystemRoot C:\Windows
NtProductType NtProductServer
NtMajorVersion 10
NtMinorVersion 0
Level 6 volatility3.framework.symbols.intermed: Searching for symbols in /home/kali/volatility3/volatility3/symbols, /home/kali/volatility3/volatility3/framework/symbols
INFO volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG volatility3.schemas: All validations will report success, even with malformed input
PE MajorOperatingSystemVersion 10
PE MinorOperatingSystemVersion 0
PE Machine 34404
PE TimeDateStamp Sun Nov 10 07:20:39 2075
Hello @uhnomoli,
Looking at https://github.com/volatilityfoundation/volatility3/compare/v1.0.1...v2.7.0#diff-e65b7c43947a5261240d8f8e1c6021dfb092b85e28e9a73661cc7469a7a9bfa8, we can see that the failing bit is located in the WindowsCrashDump32Layer stacking:
The v1.0.1 wasn't using a buffer array, and there might be a need for an additional sanitize check now. I would be interested in acquiring the memory sample to help you debug, and try to fix the issue.
That'd be great, thanks. Let me know how you'd like me to send it to you. The archive is 280MB in size.
You can contact me on the Volatility Slack: https://github.com/volatilityfoundation/volatility3?tab=readme-ov-file#bugs-and-support and give me a share link there (Wormhole for example) 👍.
Here are my observations
I noticed a difference in the summary_header.BitmapSize value, which generates extra iterations, resulting in an OOB buffer_char read (reading a bit value past the end of the bitmap):
v1.0.1:
summary_header.BitmapSize -> 435085
v2.7.0:
summary_header.BitmapSize -> 435184
The buffer_char error can be silently ignored with a try except (+ continue), and allow stacking:
However, I think there is another issue. Following commit https://github.com/volatilityfoundation/volatility3/commit/f5e5fd00609e20950df80801ae17f25b44103631, these changes from the v1.0.1 crash structs were made:
I couldn't verify this information, from multiple sources and even Volatility2:
Switching "Pages" and "BitmapSize" accordingly to the documentation fixes the OOB but raises:
DEBUG volatility3.framework.automagic.windows: Max pointer for hit with test DtbSelfRef64bit not met: 0x6a3efa00 > 0x6a39ffff
With a bit of debugging, I noticed that the maximum layer size was directly impacted by the lower BitmapSize, which correlates with a previous obscure patch that seemed to fix the issue (but with concerns by @ikelos) : https://github.com/volatilityfoundation/volatility3/pull/452#:~:text=I%27m%20still%20a%20little%20confused.
Eventually, we have a snake-biting-its-tail problem, and I'm still investigating...
The windbg command .dumpdebug proved the documentation I found wrong, so no changes are needed in the json symbols files:
This makes sense, as the bitmap size will always be equal or greater than the number of allocated pages.
Feel free to try the PR @uhnomoli !
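To make the failure mode discussed above concrete, here is an added example that is not volatility3 code: it models a summary-dump header carrying BitmapSize (bits in the bitmap, i.e. physical pages covered) and Pages (set bits, i.e. pages stored in the file), walks the bitmap into segments with the bounds check that the IndexError in the traceback calls for, checks the invariant Pages <= BitmapSize that the `.dumpdebug` observation relies on, and derives the layer's maximum address that gates the `DtbSelfRef64bit` hit. All names, the header values, the bitmap and the data offset are constructed for illustration; only the DTB value 0x1aa000 and the rejected pointer 0x6a3efa00 are taken from the log lines in this thread.

```python
"""Walking a Windows crash-dump page bitmap with a bounds check.

Added example, not volatility3 code. Names, header values and the bitmap
are constructed; the DTB and rejected pointer values come from the thread.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

PAGE_SHIFT = 12
Segment = Tuple[int, int, int]  # (physical offset, file offset, length)


@dataclass(frozen=True)
class SummaryHeader:
    bitmap_size: int  # number of bits, i.e. physical pages the bitmap covers
    pages: int        # number of set bits, i.e. pages stored in the file


def build_bitmap(present: Iterable[int], bitmap_size: int) -> bytes:
    """Construct a bitmap with the given page numbers set (sample data only)."""
    buf = bytearray((bitmap_size + 7) // 8)
    for page in present:
        buf[page >> 3] |= 1 << (page & 7)
    return bytes(buf)


def count_present(bitmap: bytes, bitmap_size: int) -> int:
    """Count set bits among the first bitmap_size bits that the buffer holds."""
    limit = min(bitmap_size, len(bitmap) * 8)
    return sum((bitmap[b >> 3] >> (b & 7)) & 1 for b in range(limit))


def sanity_check(header: SummaryHeader, bitmap: bytes) -> List[str]:
    """Return the inconsistencies between header and bitmap (empty if none).

    A bitmap always covers at least as many pages as it marks present, and
    the buffer read from the file must hold BitmapSize bits, otherwise a
    blind walk indexes past its end.
    """
    problems = []
    if header.pages > header.bitmap_size:
        problems.append("Pages exceeds BitmapSize")
    if len(bitmap) * 8 < header.bitmap_size:
        problems.append("bitmap buffer holds fewer bits than BitmapSize")
    elif count_present(bitmap, header.bitmap_size) != header.pages:
        problems.append("set bits do not match Pages")
    return problems


def unsafe_walk(header: SummaryHeader, bitmap: bytes) -> int:
    """The failing pattern: trust BitmapSize and index the buffer blindly."""
    present = 0
    for bit_addr in range(header.bitmap_size):
        present += (bitmap[bit_addr >> 3] >> (bit_addr & 7)) & 1  # IndexError if short
    return present


def load_segments(header: SummaryHeader, bitmap: bytes, data_offset: int) -> List[Segment]:
    """Turn runs of present pages into (physical, file, length) segments.

    The walk is clamped to the bits actually in the buffer, so a header that
    overstates BitmapSize cannot push the index out of range.
    """
    limit = min(header.bitmap_size, len(bitmap) * 8)
    segments: List[Segment] = []
    file_offset = data_offset
    run_start, run_len = None, 0
    for bit_addr in range(limit):
        if (bitmap[bit_addr >> 3] >> (bit_addr & 7)) & 1:
            if run_start is None:
                run_start, run_len = bit_addr, 0
            run_len += 1
        elif run_start is not None:
            segments.append((run_start << PAGE_SHIFT, file_offset, run_len << PAGE_SHIFT))
            file_offset += run_len << PAGE_SHIFT
            run_start = None
    if run_start is not None:
        segments.append((run_start << PAGE_SHIFT, file_offset, run_len << PAGE_SHIFT))
    return segments


def maximum_address(header: SummaryHeader) -> int:
    """Highest physical address the dump describes: BitmapSize pages."""
    return (header.bitmap_size << PAGE_SHIFT) - 1


def dtb_candidate_in_range(header: SummaryHeader, candidate: int) -> bool:
    """A DTB hit beyond the layer's maximum address cannot be a real page
    table; this mirrors the 'Max pointer for hit ... not met' rejection."""
    return 0 <= candidate <= maximum_address(header)


# Constructed sample: 1024 physical pages (4 MiB), 14 of them present,
# page data starting at file offset 0x2000.
SAMPLE_PRESENT = [0, 1, 2, 5] + list(range(100, 110))
SAMPLE_HEADER = SummaryHeader(bitmap_size=1024, pages=len(SAMPLE_PRESENT))
SAMPLE_BITMAP = build_bitmap(SAMPLE_PRESENT, SAMPLE_HEADER.bitmap_size)
DATA_OFFSET = 0x2000
# Constructed header that overstates the bitmap by 99 bits, as in the thread.
OVERSIZED_HEADER = SummaryHeader(bitmap_size=1024 + 99, pages=len(SAMPLE_PRESENT))

if __name__ == "__main__":
    print("sample header problems:", sanity_check(SAMPLE_HEADER, SAMPLE_BITMAP))
    for seg in load_segments(SAMPLE_HEADER, SAMPLE_BITMAP, DATA_OFFSET):
        print("phys=0x%x file=0x%x len=0x%x" % seg)
    print("oversized header problems:", sanity_check(OVERSIZED_HEADER, SAMPLE_BITMAP))
```

With the oversized header, `unsafe_walk` raises the same IndexError seen in the traceback, while `load_segments` returns the same three segments as with the consistent header and `sanity_check` names the mismatch, which is the difference between silently swallowing the exception and detecting a header that does not agree with the file.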
Everything seems to be working great, thanks!
Describe the bug: A clear and concise description of what the bug is.
Context
Volatility Version: 4cb71366c787a079b8a6c31324630e1d1cf25862
Operating System: Linux
Python Version: Python 3.6.8
Suspected Operating System: Windows 10
Command: python3 vol.py -vvv -f windows10.memory.dump windows.info
To Reproduce: Steps to reproduce the behavior:
Expected behavior: This works perfectly on v1.0.1.
Screenshots: If applicable, add screenshots to help explain your problem.
Additional information: Add any other information about the problem here.