
InvalidAddressException raised by windows.statistics on elf64 memory dump #102

Closed
koromodako opened this issue Oct 23, 2019 · 7 comments
Labels
pending-PR This bug has a pending PR waiting for acceptance

@koromodako

First of all, do not hesitate to rename this issue. It's always hard to find something precise enough without being too long.

windows.statistics plugin is raising InvalidAddressException when analyzing a memory dump (elf64 format). This issue might be related to #97.

INFO     volatility.framework.automagic: Detected a windows category plugin
INFO     volatility.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9  volatility.framework.automagic.construct_layers: Failed on requirement: plugins.Statistics
INFO     volatility.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility.framework.automagic: Running automagic: LayerStacker
DEBUG    volatility.framework: Importing module: volatility.framework.layers.lime
DEBUG    volatility.framework: Importing module: volatility.framework.layers.linear
DEBUG    volatility.framework: Importing module: volatility.framework.layers.resources
DEBUG    volatility.framework: Importing module: volatility.framework.layers.crash
DEBUG    volatility.framework: Importing module: volatility.framework.layers.registry
DEBUG    volatility.framework: Importing module: volatility.framework.layers.elf
DEBUG    volatility.framework: Importing module: volatility.framework.layers.intel
DEBUG    volatility.framework: Importing module: volatility.framework.layers.msf
DEBUG    volatility.framework: Importing module: volatility.framework.layers.segmented
DEBUG    volatility.framework: Importing module: volatility.framework.layers.vmware
DEBUG    volatility.framework: Importing module: volatility.framework.layers.physical
DEBUG    volatility.framework: Importing module: volatility.framework.layers.scanners.multiregexp
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
DEBUG    volatility.framework.automagic.windows: Self-referential pointer not in well-known location, moving to recent windows heuristic
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input
DEBUG    volatility.framework.automagic.windows: DTB was found at: 0x187000
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary.memory_layer
Level 9  volatility.framework.configuration.requirements: IndexError - No configuration provided: plugins.Statistics.primary.memory_layer.base_layer
INFO     volatility.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility.schemas: All validations will report success, even with malformed input
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DEBUG    volatility.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'Elf64Layer', 'FileLayer']
INFO     volatility.framework.automagic: Running automagic: WintelHelper
INFO     volatility.framework.automagic: Running automagic: KernelPDBScanner

Valid pages (all)	Valid pages (large)	Swapped Pages (all)	Swapped Pages (large)	Invalid Pages (all)	Invalid Pages (large)
Traceback (most recent call last):
  File "/home/user/vol3", line 11, in <module>
    load_entry_point('volatility', 'console_scripts', 'vol')()
  File "/home/user/volatility3/volatility/cli/__init__.py", line 442, in main
    CommandLine().run()
  File "/home/user/volatility3/volatility/cli/__init__.py", line 269, in run
    renderers[args.renderer]().render(constructed.run())
  File "/home/user/volatility3/volatility/cli/text_renderer.py", line 159, in render
    grid.populate(visitor, outfd)
  File "/home/user/volatility3/volatility/framework/renderers/__init__.py", line 196, in populate
    for (level, item) in self._generator:
  File "/home/user/volatility3/volatility/plugins/windows/statistics.py", line 33, in _generator
    _, _, page_size, layer_name = list(layer.mapping(page_addr, 0x2000))[0]
  File "/home/user/volatility3/volatility/framework/layers/intel.py", line 198, in mapping
    raise exceptions.InvalidAddressException(layer_name = layer_name, invalid_address = chunk_offset)
volatility.framework.exceptions.InvalidAddressException
@ikelos
Member

ikelos commented Oct 23, 2019

Statistics is one of our less supported plugins (it lives in volatility/plugins rather than volatility/framework/plugins because it's not seen as a core plugin, more as an example for developers to look at to write their own plugins).

Regardless, it really shouldn't be throwing InvalidAddressExceptions, I don't believe, so I'll look into it. It's liable to be a low priority issue I'm afraid though...

@ikelos
Member

ikelos commented Oct 24, 2019

Hiya, hopefully I've resolved this, and the statistics plugin now counts the number of unexpected invalid pages (meaning invalid addresses that weren't page faults, ie attempts to read data from the file that couldn't be read).

Please let me know whether this works or not, so I know whether to keep it open or close it off... 5:)
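The page accounting ikelos describes, as an added example that is not volatility3's own code: a constructed stand-in layer and a page walk that tells ordinary page faults apart from mapped pages whose data the dump cannot supply (the case that produced the traceback above). FakeIntelLayer, page_statistics and the sample layout are assumptions; the two exception names mirror volatility3's framework.exceptions, and it is assumed that the paged variant subclasses the base one.

```python
# Added example, not volatility3's own code: a constructed model of the page
# accounting. Assumption: Paged* subclasses InvalidAddressException as in vol3.
PAGE = 0x1000
MEMORY_LAYER = "memory_layer"

class InvalidAddressException(Exception):
    """Address could not be read at all (e.g. data absent from the ELF dump)."""

class PagedInvalidAddressException(InvalidAddressException):
    """Page-table walk failed: page not present (an ordinary page fault)."""

class FakeIntelLayer:
    """Constructed stand-in for an IntelLayer stacked on an Elf64Layer.
    pages: {vaddr: (size, physical offset, layer)}; backed: offsets in the dump."""
    def __init__(self, pages, backed, maximum_address):
        self.pages, self.backed = pages, backed
        self.minimum_address, self.maximum_address = 0, maximum_address

    def mapping(self, offset, length):
        """Yield (offset, mapped offset, size, layer) like IntelLayer.mapping."""
        if offset not in self.pages:           # not in the page tables: page fault
            raise PagedInvalidAddressException(hex(offset))
        size, phys, layer = self.pages[offset]
        if layer == MEMORY_LAYER and phys not in self.backed:
            raise InvalidAddressException(hex(phys))  # mapped, but no data in the dump
        yield offset, phys, size, layer

def page_statistics(layer):
    """Walk the layer page by page: valid, swapped, invalid (fault) or unexpected."""
    stats = {"valid": 0, "swapped": 0, "invalid": 0, "unexpected": 0, "large": 0}
    page_addr = layer.minimum_address
    while page_addr < layer.maximum_address:
        page_size = PAGE
        try:
            _, _, page_size, layer_name = next(layer.mapping(page_addr, PAGE))
            kind = "swapped" if layer_name != MEMORY_LAYER else "valid"
            stats["large"] += int(page_size > PAGE)
        except PagedInvalidAddressException:  # subclass first; catching the base
            kind = "invalid"                  # first would hide page faults
        except InvalidAddressException:       # the case that used to crash
            kind = "unexpected"
        stats[kind] += 1
        page_addr += page_size
    return stats

# Constructed layout: valid pages at 0x0/0x1000, swapped at 0x2000, a page fault
# at 0x3000, a mapped-but-absent page at 0x4000 and a 2 MiB page at 0x5000.
SAMPLE_LAYER = FakeIntelLayer(
    pages={0x0: (PAGE, 0x187000, MEMORY_LAYER), 0x1000: (PAGE, 0x188000, MEMORY_LAYER),
           0x2000: (PAGE, 0x500, "swap_layer1"), 0x4000: (PAGE, 0x999000, MEMORY_LAYER),
           0x5000: (0x200000, 0x200000, MEMORY_LAYER)},
    backed={0x187000, 0x188000, 0x200000}, maximum_address=0x205000)
```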

@koromodako
Author

Sorry for the delay, I still encounter an issue with this one but as you said, this plugin is far less useful than the others so the priority of this issue is much lower for now I think.
I'll try again later. Can you confirm that you attempted to fix this issue on the elf64-support branch?

@ikelos
Member

ikelos commented Oct 31, 2019

Ah, sadly not. This was fixed in master, and the elf branch hasn't been merged yet. It's due for merge on the 3rd if that helps...

@koromodako
Author

Ok, I'll try again once the PR has been merged. I'll notify you when it's done.

@ikelos ikelos added the pending-PR This bug has a pending PR waiting for acceptance label Oct 31, 2019
@doomedraven
Contributor

@ikelos also can be closed as merged, no?

@ikelos
Member

ikelos commented Nov 3, 2019

Yep, thanks for the reminder! 5:) Feel free to reopen if anyone feels this hasn't been fixed...

@ikelos ikelos closed this as completed Nov 3, 2019