Handles unable to process sample Volatility 2 reports correctly. UnionType error? #1146
Closed by #1145
Oh sorry, I saw them filed at the same time and thought they were related. The lower exception says the SAR table couldn't be decoded so I think it might be one for you or @iMHLv2?
@atcuno - I think the UnionType error is a red herring, it's just symptomatic of how the logic in this part of the handles plugin works. This part is handling the pre-Windows 7 case, which will raise that Union error because volatility3/volatility3/framework/plugins/windows/handles.py Lines 89 to 97 in 1b3ba6a

The real issue as @ikelos saw is the SAR table error which is being thrown on purpose as Having a quick look at volatility3/volatility3/framework/plugins/windows/handles.py Lines 146 to 148 in 1b3ba6a

The error you have though shows that capstone is there, so I think it'll be something more complex? (and therefore above my pay grade...! 😅) There are only a few routes for volatility3/volatility3/framework/plugins/windows/handles.py Lines 108 to 118 in 1b3ba6a
@atcuno Are you able to uncomment this handy debug line in the handles plugin, and share the results on your sample that doesn't work?

Here is the output on my sample that works:

```
272709641434864 5 mov qword ptr [rsp + 8], rbx
272709641434869 5 mov qword ptr [rsp + 0x10], rdi
272709641434874 5 mov rax, qword ptr [rsp + 0x30]
272709641434879 3 mov rdi, r9
272709641434882 3 mov rbx, r8
272709641434885 3 mov r11, rcx
272709641434888 3 add dword ptr [rax], 0x28
272709641434891 3 mov r10d, dword ptr [rax]
272709641434894 4 cmp r10d, 0x28
272709641434898 2 jae 0xf807294df71f
272709641434900 6 mov r9d, 0xc0000095
272709641434906 5 jmp 0xf807294df7c6
272709641434911 5 cmp dword ptr [rsp + 0x28], r10d
272709641434916 2 jae 0xf807294df731
272709641434918 6 mov r9d, 0xc0000004
272709641434924 5 jmp 0xf807294df7c6
272709641434929 3 mov rax, qword ptr [rcx]
272709641434932 3 xor r9d, r9d
272709641434935 3 mov r8, qword ptr [r8]
272709641434938 4 sar r8, 0x10
```

For your sample not to work there either needs to be no sar instruction in the capstone output, or the read on line 164 fails. If you get nothing printed out it'll mean the read failed, and that capstone output will let us work out why it's not ending up with a sar. I've tested my sample using capstone 4.0.2, and then I updated to the latest 5.0.1 and they were both fine. I was wondering if perhaps a capstone update made a difference in the output of the disassembly.

Version info on my sample if it ends up being important:

```
Symbols <snip>/ntkrnlmp.pdb/D7ABE9B23BAD553213DE9BB10F1677B8-1.json.xz
Major/Minor 15.19041
MachineType 34404
```

If you wanted to dig into it in volshell, I think you could call
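To make the two failure modes described in the comment above concrete, here is an added example (not code from the volatility3 project) that parses debug output in the same `<address> <size> <mnemonic> <operands>` format quoted in this thread, extracts the shift from the first `sar`, and distinguishes "nothing printed" (the read failed) from "printed, but no sar". The `SAMPLE_DISASM` lines are excerpted from the working output above; the function names are my own.

```python
import re
from typing import Optional

# Constructed sample: the tail of the working disassembly quoted in the issue.
SAMPLE_DISASM = """\
272709641434929 3 mov rax, qword ptr [rcx]
272709641434932 3 xor r9d, r9d
272709641434935 3 mov r8, qword ptr [r8]
272709641434938 4 sar r8, 0x10
"""

# One debug line: decimal address, instruction size, mnemonic, operand string.
LINE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s*(.*)$")


def find_sar_value(disasm_text: str) -> Optional[int]:
    """Return the immediate of the first `sar` instruction, or None if absent."""
    for line in disasm_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a debug line
        _addr, _size, mnemonic, operands = m.groups()
        if mnemonic != "sar":
            continue
        # operands look like "r8, 0x10"; the shift amount is the second one
        parts = [p.strip() for p in operands.split(",")]
        if len(parts) != 2:
            continue
        return int(parts[1], 0)  # base 0 accepts both "0x10" and "16"
    return None


def diagnose(disasm_text: str) -> str:
    """Classify the outcome the way the thread reasons about it."""
    if not disasm_text.strip():
        return "read-failed"   # nothing printed: the read of the function bytes failed
    value = find_sar_value(disasm_text)
    if value is None:
        return "no-sar"        # capstone produced output, but no sar instruction
    return f"sar={value}"
```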
Hello @ikelos - I think this one still needs to stay open. Maybe auto closed by me referencing this issue in the PR? (sorry!) Don't think we've yet worked out why @atcuno's sample doesn't work. The extra debugging from #1147 might help diagnose it - but I think we still need to look into it. At the moment I'm suspecting that the read fails due to the memory being paged out - but we need to see what is actually happening. If it is the memory being paged out, there is an option to make the handles plugin more resilient by trying to guess this shift value - but really we just need to know what is actually going on first.

Ok, sorry it looks like it was linked to the PR (so when the PR gets merged it automatically gets closed).
Describe the bug
Running windows.handles on a memory sample that Volatility 2 supports fully causes a strange backtrace in Vol3:
Context
Volatility Version: latest develop
Python Version: 3.8