Attached please find a patch to prevent the framework from crashing when
attempting to read an Object's value from memory that cannot be accessed
(e.g. marked invalid, paged out, etc). The patch prevents the code from
crashing but adds the condition that the methods to read values (.v and
.value) may return None.
In my work I've encountered memory images where a unicode string in the
ProcessParameters (i.e. Eprocess -> Peb -> ProcessParameters ->
CommandLine) has been marked "in transition". Volatility 1.3 Beta does
not read data from any page marked Invalid and read requests for those
data are returned with None. The methods to read object values do not
error check the read method's return value and always attempt to unpack
the returned value. Attempting to unpack a None value results in an
unhandled exception.
Developers should be advised that the .v and .value methods can now
legally return None and should error check the return values of those
functions before attempting to use them.
The plugin that generated these exceptions, a check for generally suspicious
processes and TrueCrypt in particular, will be posted shortly to the
Vol-users mailing list.
cheers,
--
Jesse
jessek(a)speakeasy.net
--- Volatility-1.3_Beta/forensics/object2.py 2008-06-23 14:43:11.000000000 -0400
+++ Volatility-1.3_Beta2/forensics/object2.py 2008-06-23 14:43:12.000000000 -0400
@@ -313,10 +313,16 @@
VType.__init__(self, profile, 0, False, True)
def v(self, theObject):
+ ## Shortcut to value method
return self.value(theObject)
def value(self, theObject):
- (val, ) = struct.unpack("=L", theObject.vm.read(theObject.offset, 4))
+ ## @return Returns the value of the object if available,
+ ## otherwise None.
+ tmp = theObject.vm.read(theObject.offset, 4)
+ if tmp is None:
+ return None
+ (val, ) = struct.unpack("<L", tmp)
return val
def cdecl(self):
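Review bot: the guard only covers `vm.read()` returning None; if the address space can hand back fewer than 4 bytes (a read that runs off the end of a mapping), `struct.unpack("<L", tmp)` will still raise `struct.error`, so consider `if tmp is None or len(tmp) != 4: return None`. Separately, switching the format string from "=L" to "<L" changes byte order from the host's native order to explicit little-endian; that is a behaviour change on big-endian hosts which the description above (which only talks about None handling) should mention.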
@@ -337,11 +343,16 @@
self.readChar = readChar
def v(self, theObject):
+ ## Shortcut to value method
return self.value(theObject)
def value(self, theObject):
- (val, ) = struct.unpack('='+self.readChar, \
- theObject.vm.read(theObject.offset, self.size))
+ ## @return Returns the value of the object if available,
+ ## otherwise None.
+ tmp = theObject.vm.read(theObject.offset, self.size)
+ if tmp is None:
+ return None
+ (val, ) = struct.unpack('<'+self.readChar, tmp)
return val
def cdecl(self):
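Review bot: this hunk repeats the guard from the hunk above with `self.size` in place of 4, so the same short-read gap applies (`len(tmp) != self.size`), and the two could share one helper rather than duplicating the check. The `## @return` comment is placed inside the method body rather than as a docstring, so it will not show up through `help()` or other introspection; a docstring would also make the new "may return None" contract visible to plugin authors.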
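To show what the new contract means for plugin code, here is an added example (not Volatility code, and not from the patch author): a constructed address space whose read() returns None for invalid pages, the pre-patch and patched unpack paths side by side, and a walker for the EPROCESS -> PEB -> ProcessParameters -> CommandLine chain that checks every hop for None. The class, function names and field offsets are all assumptions for illustration.

```python
import struct

PAGE_SIZE = 0x1000
EPROCESS = 0x1000
# Constructed field offsets for the hops EPROCESS.Peb, PEB.ProcessParameters, CommandLine.Buffer
HOPS = (0x1B0, 0x10, 0x44)

class FakeAddressSpace:
    """Constructed stand-in for a Volatility address space (not the project's own
    class): read() returns None for any page listed as invalid / in transition."""
    def __init__(self, memory, invalid_pages=()):
        self.memory = memory                  # offset -> packed bytes
        self.invalid_pages = set(invalid_pages)

    def read(self, offset, length):
        if offset // PAGE_SIZE in self.invalid_pages:
            return None                       # unreadable page, as in 1.3 Beta
        return self.memory.get(offset, b"\x00" * length)[:length]

def read_ulong_unguarded(vm, offset):
    """Pre-patch behaviour: unpack whatever read() handed back (TypeError on None)."""
    (val,) = struct.unpack("<L", vm.read(offset, 4))
    return val

def read_ulong(vm, offset):
    """Patched behaviour plus a short-read check: propagate None instead of raising."""
    buf = vm.read(offset, 4)
    if buf is None or len(buf) != 4:
        return None
    (val,) = struct.unpack("<L", buf)
    return val

def command_line_buffer(vm, eprocess, hops=HOPS):
    """Walk the pointer chain, stopping with None at the first unreadable hop."""
    addr = eprocess
    for field in hops:
        addr = read_ulong(vm, addr + field)
        if addr is None:
            return None                       # caller must handle this, per the patch
    return addr

def build_vm(invalid_pages=()):
    """Constructed memory image: each pointer field holds the next address."""
    mem = {
        EPROCESS + 0x1B0: struct.pack("<L", 0x7FFD3000),
        0x7FFD3000 + 0x10: struct.pack("<L", 0x20000),
        0x20000 + 0x44: struct.pack("<L", 0x20100),
    }
    return FakeAddressSpace(mem, invalid_pages)
```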
Hi everybody,
This is My First Python(tm), so please be kind! Attached you should
find a patch to cache the PDE values during IA32 address translation.
The resulting speed-up is modest but noteworthy.
I've only enabled caching for non-PAE systems, but it should be easy
enough to copy over to PAE systems as well. What do you think? As a
bonus, this code also includes some endian-neutrality-changes (if
there is such a word) to make the code work better on my Mac.
Hopefully it won't screw up anything else.
Please let me know what you think!
cheers,
--
Jesse
research(a)jessekornblum.com
What is the old object model? Can you give an example of how things have changed?
Will the scripts in vmodules be changing as well, or are they already using the
new model?
--
Jesse
jessek(a)speakeasy.net
On Fri Oct 3 18:07 , AAron Walters sent:
>
>
>Jun,
>
>I don't know about a trap, but it is something. By the way, you may want
>to check out the examples in the memory_plugins directory. These plugins
>all use the new object model which everything will be transitioning to in
>the near future.
>
>Thanks,
>
>AW
>
>On Sat, 4 Oct 2008, Jun Koi wrote:
>
>> On Fri, Oct 3, 2008 at 10:36 PM, AAron Walters <awalters(a)4tphi.net> wrote:
>>>
>>> Jun,
>>>
>>> The types variable is instantiated from vtypes.py. This is the part of the
>>> Profile used to describe the operating system's data types.
>>
>> What a trap!
>>
>> Thanks,
>> J
>>
>>
>>
>>
>>> On Fri, 3 Oct 2008, Jun Koi wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to read the code, and found this in vmodules.py:
>>>>
>>>> def get_connections(cmdname, argv):
>>>>     """
>>>>     Function prints a list of open connections
>>>>     """
>>>>     op = get_standard_parser(cmdname)
>>>>     opts, args = op.parse_args(argv)
>>>>
>>>>     star_line = '*'*72
>>>>
>>>>     (addr_space, symtab, types) = load_and_identify_image(op, opts) # <-- Here
>>>>
>>>>     connections = tcb_connections(addr_space, types, symtab)
>>>>     ....
>>>>
>>>> I don't understand what the "types" variable above means. Even tracking
>>>> back through the source, I don't see how it is produced.
>>>>
>>>> Could anybody explain a bit, so I can continue to dig? (Sorry that my
>>>> Python skill is still very modest.)
>>>>
>>>> Thanks,
>>>> J
>>>> _______________________________________________
>>>> Vol-dev mailing list
>>>> Vol-dev(a)volatilityfoundation.org
>>>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
Hi,
I am trying to read the code, and found this in vmodules.py:
def get_connections(cmdname, argv):
    """
    Function prints a list of open connections
    """
    op = get_standard_parser(cmdname)
    opts, args = op.parse_args(argv)

    star_line = '*'*72

    (addr_space, symtab, types) = load_and_identify_image(op, opts) # <-- Here

    connections = tcb_connections(addr_space, types, symtab)
    ....
I don't understand what the "types" variable above means. Even tracking
back through the source, I don't see how it is produced.
Could anybody explain a bit, so I can continue to dig? (Sorry that my
Python skill is still very modest.)
Thanks,
J