zxca112 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

ssdt plugin caching is broken #22

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
How I triggered the bug:

ran the ssdt plugin once against my XP SP3 image and it worked. I then 
immediately re-ran the command, and got this error:

Volatile Systems Volatility Framework 1.4_rc1
SSDT[0] at 804e26a8 with 284 entries
Traceback (most recent call last):
  File "volatility.py", line 138, in <module>
    main()
  File "volatility.py", line 129, in main
    command.execute()
  File "/home/x/vol/volatility/commands.py", line 96, in execute
    func(outfd, data)
  File "/home/x/vol/plugins/ssdt.py", line 1105, in render_text
    syscall_mod = find_module(mods, mod_addrs, syscall_addr)
  File "/home/x/vol/plugins/ssdt.py", line 1028, in find_module
    mod = modlist[mod_addrs[pos]]
IndexError: cannot fit 'long' into an index-sized integer

I confirmed that it is indeed a cache problem by running the command multiple 
times in a row with --no-cache: it never errored and reported the right 
results each time.

Original issue reported on code.google.com by atc...@gmail.com on 26 Aug 2010 at 3:05

GoogleCodeExporter commented 9 years ago
Also, I further figured out it was the cache because if I deleted ssdt.pickle 
between runs it ran fine.

Original comment by atc...@gmail.com on 26 Aug 2010 at 3:06

GoogleCodeExporter commented 9 years ago
Ok, I'll look into this problem when I get some spare time.  Could you please 
try the ssdt caching against an XPSP2 image and see if the problem is present 
there as well?

Original comment by mike.auty@gmail.com on 27 Aug 2010 at 9:16

GoogleCodeExporter commented 9 years ago
So it turned out that when the cache was called, flatten_generators() was used 
to convert the generators into lists. The way it determined if something needed 
to be flattened was to call iter(item).

Dicts, however, also have an iterator, so it was flattening the dict into a list 
(of the dict keys). When trying to use the cache it then tried to index it as a 
list, but the keys were longs. We would have got an index error in any case.

I just committed to experimental - Mike can you merge to rc1 please.

Original comment by scude...@gmail.com on 27 Aug 2010 at 12:04

GoogleCodeExporter commented 9 years ago
Ok, thanks for the fix scudette!  5:)

It's now checked in to rc1 with some tweaks, so that the contents (and keys) of 
the dicts are also flattened.  I also changed the type calls to isinstance 
calls, so that dict-descended objects will be flattened correctly (just in case 
people ever decide to pass those through).

Original comment by mike.auty@gmail.com on 27 Aug 2010 at 2:31
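The iter()-based flattening scudette describes and the isinstance-based flattening Mike checked in, reconstructed side by side as an added Python example (not the plugin's or the framework's own code; the module names, addresses and function names are constructed stand-ins, and the lookup only mirrors the shape of the traceback):

```python
import bisect
import types

# Constructed stand-ins for the two plugin results that go through the cache:
# a dict mapping module base address -> name, and a generator of those bases.
# Addresses and names are made-up sample values, not taken from a real image.
MODS = {0x804d7000: "ntoskrnl.exe", 0x806ec000: "hal.dll"}


def module_base_addrs():
    yield from sorted(MODS)


def flatten_buggy(item):
    """Flattening as the issue describes it: whatever iter() accepts becomes a
    list, so a dict silently collapses to a list of its keys."""
    try:
        return list(iter(item))
    except TypeError:
        return item  # ints and other non-iterables are stored as-is


def flatten_fixed(item):
    """Type-based flattening as in the fix: only generators and lists become
    lists; dict-descended objects stay dicts, with keys and values flattened."""
    if isinstance(item, dict):
        return {flatten_fixed(k): flatten_fixed(v) for k, v in item.items()}
    if isinstance(item, (types.GeneratorType, list)):
        return [flatten_fixed(x) for x in item]
    return item


def find_module(modlist, mod_addrs, addr):
    """Mirror of the lookup in the traceback: pick the module whose base
    precedes addr, then index modlist by that base address."""
    pos = bisect.bisect_right(mod_addrs, addr) - 1
    return modlist[mod_addrs[pos]]


def cached_lookup(flatten, addr):
    """Round-trip both results through the flattener (what the cache does) and
    look addr up the way the second run of the plugin would."""
    mod_addrs = flatten(module_base_addrs())  # generator -> list: fine either way
    mods = flatten(MODS)                       # dict: buggy version -> list of keys
    return find_module(mods, mod_addrs, addr)


def reproduces_issue(flatten, addr=0x804e26a8):  # SSDT address from the report
    """True when the cached data can no longer be indexed as the plugin expects."""
    try:
        cached_lookup(flatten, addr)
        return False
    except IndexError:
        return True
```

With flatten_buggy the lookup raises IndexError on the second (cached) run, matching the traceback; with flatten_fixed the dict survives the round trip and the lookup succeeds.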