Page error in layer when dumping Windows 10 hashes #1162
Comments
This was a commit made by @gcmoreira, hopefully he can diagnose what's now happening here. I've reverted it for now, pending review to see what problem it was causing. It might be it was too restrictive, or there may be more off-by-one issues in the codebase. Thanks for providing the memory image that caused the problems, that should help a lot in discovering the issue...
Hm that's weird, now I'm even more curious why the test cases didn't fail. @ikelos Any idea?

@ikelos and @arepi-nemui

>>> 1 > 5 > 10
False
>>> 1 > 100 > 10
False
>>> 1 > -1 > 10
False

And this is what we want to detect to raise the exception:

>>> not (1 <= 5 <= 10)
False
>>> not (1 <= 100 <= 10)
True
>>> not (1 <= -1 <= 10)
True

So, I think here there is a bug somewhere else that was never detected because of that funny if. Setting a breakpoint in that line I got this:

>> hex(self.minimum_address), hex(offset), hex(self.maximum_address)
('0x0', '0xffffc60795389024', '0xffffffffffff')

So, @ikelos the fix I proposed was actually correct. The problem is that

>> not (self.minimum_address <= self.decanonicalize(offset) <= self.maximum_address)
False

Unfortunately, it seems that _translate_entry is called with both canonical and not canonical addresses. It looks like this will work for all cases, but it needs to be tested properly.

>> not (self.minimum_address <= offset <= self.canonicalize(self.maximum_address))
False

I will need more time to figure out how to properly fix this. Feel free to continue investigating this if you'd like.
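An added illustration of the chained-comparison bug and the canonical/non-canonical bounds check discussed in the comment above (example code, not volatility3's own): the 48-bit x86-64 address model, the canonicalize/decanonicalize helpers and the Layer class are assumptions, with the min/max/offset values taken from the breakpoint output.

```python
"""Address-range check for a 48-bit (x86-64) virtual memory layer.

Added illustration of the bug discussed in the thread; this is NOT
volatility3's code. The 48-bit width, the canonicalize/decanonicalize
helpers and the Layer class are assumptions made for the example.
"""

VA_BITS = 48
LOW_MASK = (1 << VA_BITS) - 1                  # 0x0000ffffffffffff
HIGH_MASK = 0xFFFFFFFFFFFFFFFF & ~LOW_MASK     # 0xffff000000000000


def canonicalize(addr: int) -> int:
    """Sign-extend bit 47 into bits 48..63 (canonical x86-64 form)."""
    low = addr & LOW_MASK
    return low | HIGH_MASK if low & (1 << (VA_BITS - 1)) else low


def decanonicalize(addr: int) -> int:
    """Drop any sign-extension bits, keeping the low 48 bits."""
    return addr & LOW_MASK


class Layer:
    minimum_address = 0x0
    maximum_address = LOW_MASK  # 0xffffffffffff, as in the breakpoint output

    def out_of_range_buggy(self, offset: int) -> bool:
        # Chained comparison: "min > offset > max" can only be True when
        # min > max, so for a sane layer this check never fires.
        return self.minimum_address > offset > self.maximum_address

    def out_of_range_masked(self, offset: int) -> bool:
        # Proposed fix: compare the decanonicalized offset. Correct for
        # canonical input, but masking also silently "repairs" malformed
        # 64-bit values whose upper 16 bits are neither all-0 nor all-1.
        return not (self.minimum_address <= decanonicalize(offset) <= self.maximum_address)

    def out_of_range_strict(self, offset: int) -> bool:
        # Accept both the 48-bit and the canonical form, but only when the
        # upper bits are consistent with the low 48 bits; then range-check
        # the 48-bit value against the layer bounds.
        low = decanonicalize(offset)
        if offset not in (low, canonicalize(low)):
            return True
        return not (self.minimum_address <= low <= self.maximum_address)
```

The buggy check never fires even for obviously invalid offsets, while the masked check accepts a malformed address such as 0x0001c60795389024 after masking; the strict variant rejects both kinds of bad input.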
Describe the bug
After commit e5a5b89, volatility is no longer able to run various modules on a memory dump from a Windows 10 system, such as windows.hashdump.Hashdump and windows.info.Info.
Context
Volatility Version: Commit e5a5b89 and later
Operating System: Linux
Python Version: 3.12.3
Suspected Operating System: Windows 10
Command:
python vol.py -f memory.dmp -vvv windows.hashdump.Hashdump
To Reproduce
Steps to reproduce the behavior:
Example output
Additional information
memory.dmp: https://www.mediafire.com/file/c0v7xmu0f6kq2lr/memory.dmp.gz/file