Agreed, thanks! This has bitten me in volshell -- printing out a
whole structure sometimes breaks in the middle because one of the
entries is an invalid pointer...
-Brendan
On Oct 17, 2008, at 8:49 AM, Jesse Kornblum wrote:
 Attached please find a patch to prevent the framework from crashing when attempting to read an Object's value from memory that cannot be accessed (e.g. marked invalid, paged out, etc). The patch prevents the code from crashing but adds the condition that the methods to read values (.v and .value) may return None.
 In my work I've encountered memory images where a unicode string in the ProcessParameters (i.e. Eprocess -> Peb -> ProcessParameters -> CommandLine) has been marked "in transition". Volatility 1.3 Beta does not read data from any page marked Invalid and read requests for those data are returned with None. The methods to read object values do not error check the read method's return value and always attempt to unpack the returned value. Attempting to unpack a None value results in an unhandled exception.
 Developers should be advised that the .v and .value methods can now legally return None and should error check the return values of those functions before attempting to use them.
 The plugin that generated these exceptions, a check for generally suspicious processes and TrueCrypt in particular, will be posted shortly to the Vol-users mailing list.
 cheers,
 --
 Jesse
 jessek(a)speakeasy.net
 --- Volatility-1.3_Beta/forensics/object2.py   2008-06-23
 14:43:11.000000000 -0400
 +++ Volatility-1.3_Beta2/forensics/object2.py  2008-06-23
 14:43:12.000000000 -0400
 @@ -313,10 +313,16 @@
        VType.__init__(self, profile, 0, False, True)
      def v(self, theObject):
 +        ## Shortcut to value method
          return self.value(theObject)
      def value(self, theObject):
 -        (val, ) = struct.unpack("=L", theObject.vm.read
 (theObject.offset, 4))
 +        ## @return Returns the value of the object if available,
 +        ## otherwise None.
 +        tmp = theObject.vm.read(theObject.offset, 4)
 +        if tmp is None:
 +            return None
 +        (val, ) = struct.unpack("<L", tmp)
          return val
      def cdecl(self):
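Review bot: the new `if tmp is None` guard in value() does not cover a short read; if `theObject.vm.read(theObject.offset, 4)` ever returns fewer than 4 bytes (a read that ends at the edge of a mapped region), `struct.unpack("<L", tmp)` raises struct.error, which is the same class of crash this patch sets out to remove. Suggest `if tmp is None or len(tmp) < 4: return None`. Separately, the format string changes from "=L" (native byte order, standard size) to "<L" (explicit little-endian); that is the right choice for x86 Windows images, but it is a behaviour change on big-endian analysis hosts that is unrelated to the None handling and should be called out in the patch description.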
 @@ -337,11 +343,16 @@
          self.readChar = readChar
      def v(self, theObject):
 +        ## Shortcut to value method
          return self.value(theObject)
      def value(self, theObject):
 -        (val, ) = struct.unpack('='+self.readChar, \
 -          theObject.vm.read(theObject.offset, self.size))
 +        ## @return Returns the value of the object if available,
 +        ## otherwise None.
 +        tmp = theObject.vm.read(theObject.offset, self.size)
 +        if tmp is None:
 +            return None
 +        (val, ) = struct.unpack('<'+self.readChar, tmp)
          return val
      def cdecl(self):
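Review bot: same short-read gap as in the first hunk: `tmp = theObject.vm.read(theObject.offset, self.size)` is only checked against None, so a buffer shorter than self.size still reaches `struct.unpack('<'+self.readChar, tmp)` and raises. Suggest `if tmp is None or len(tmp) < self.size: return None`. On style, the `## @return ... otherwise None` comment sits inside the method body; since callers are now expected to handle None, it belongs in the method's docstring so it appears in help() and generated documentation, and the `## Shortcut to value method` comment in v() adds nothing beyond what the one-line body already says.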
 _______________________________________________
 Vol-dev mailing list
 Vol-dev(a)volatilityfoundation.org
 http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
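The failure mode described in the quoted message, as an added example that is not part of this thread or of the Volatility code base: a toy address space whose read() returns None for any range touching an unavailable page (the 1.3 Beta behaviour Jesse describes), the pre-patch unpack path that crashes on that None, and a checked reader in the shape of the patched value() that also guards the short-read case the None check alone misses. It is written for Python 3; the class and function names (ToyAddressSpace, read_value, read_value_unchecked, walk_fields) and the sample pages are constructed for this example and are not Volatility's own.

```python
"""Defensive object-value reads over a memory image whose pages may be
unavailable. Stand-in for an address space's read() and for the
patched/unpatched value() logic; names and sample data are assumed."""
import struct

PAGE_SIZE = 0x1000


class ToyAddressSpace:
    """Minimal address space: dict of page_base -> bytes. Pages that are
    absent from the dict stand for pages that are paged out, marked
    invalid or in transition; read() returns None for any range that
    touches one, mirroring the behaviour described in the thread."""

    def __init__(self, pages):
        self.pages = pages

    def read(self, offset, length):
        out = bytearray()
        pos, end = offset, offset + length
        while pos < end:
            base = pos & ~(PAGE_SIZE - 1)
            page = self.pages.get(base)
            if page is None:
                return None            # unavailable page: whole read fails
            start = pos - base
            take = min(end - pos, PAGE_SIZE - start)
            out += page[start:start + take]   # may be short if page is truncated
            pos += take
        return bytes(out)


def read_value(vm, offset, read_char, size):
    """Shape of the patched value(): return None instead of raising when
    the backing page cannot be read. Additionally treats a short read
    as unavailable, which a bare `is None` check does not."""
    tmp = vm.read(offset, size)
    if tmp is None or len(tmp) < size:
        return None
    (val,) = struct.unpack("<" + read_char, tmp[:size])
    return val


def read_value_unchecked(vm, offset, read_char, size):
    """Pre-patch shape: unpack whatever read() returned. Raises TypeError
    on None and struct.error on a short buffer."""
    (val,) = struct.unpack("<" + read_char, vm.read(offset, size))
    return val


def build_sample_space():
    """Constructed image: page 0x1000 present, page 0x2000 absent, and a
    truncated page at 0x3000 (only 2 bytes, as at the end of a dump)."""
    page = bytearray(PAGE_SIZE)
    page[0x10:0x14] = (0xDEADBEEF).to_bytes(4, "little")
    page[0xFFE:0x1000] = b"\x34\x12"   # 4-byte value straddling into 0x2000
    return ToyAddressSpace({0x1000: bytes(page), 0x3000: b"\x01\x02"})


def walk_fields(vm, fields):
    """Read a list of (name, offset, read_char, size) fields the way a
    volshell structure dump would, recording None for unreadable
    entries instead of aborting the whole dump."""
    return {name: read_value(vm, off, rc, size)
            for name, off, rc, size in fields}


if __name__ == "__main__":
    vm = build_sample_space()
    print(walk_fields(vm, [("Pid", 0x1010, "L", 4),
                           ("Peb", 0x2000, "L", 4),
                           ("Tail", 0x3000, "L", 4)]))
```

The three unreadable cases (page absent, value straddling into an absent page, page truncated) all come back as None from read_value, so a caller that checks for None, as the patch description asks, gets a complete structure dump with gaps rather than an exception part way through.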