Handle bug round 2 #1573

Open
atcuno opened this issue Jan 24, 2025 · 0 comments · May be fixed by #1598

atcuno commented Jan 24, 2025

I triggered the backtrace at the bottom of the ticket on latest develop.

I know a bunch of stuff was fixed here, so this looks like something that maybe wasn't reachable before due to the other bugs. This code is so complicated I don't want to break it, but it looks like maybe individual elements of the array being bad (pointers?) could trigger it. If that's the case, just make sure we continue past the bad ones in the fix.

Sample: Win2016x64_14393.lime.raw

25-01-23 22:14:24 volatility3.cli DEBUG    Traceback (most recent call last):
  File "/home/analyst/hashtest/volatility3/cli/__init__.py", line 502, in run
    renderer.render(grid)
  File "/home/analyst/hashtest/volatility3/cli/text_renderer.py", line 232, in render
    grid.populate(visitor, outfd)
  File "/home/analyst/hashtest/volatility3/framework/renderers/__init__.py", line 240, in populate
    for level, item in self._generator:
  File "/home/analyst/hashtest/volatility3/framework/plugins/windows/handles.py", line 321, in _generator
    for entry in self.handles(object_table):
  File "/home/analyst/hashtest/volatility3/framework/plugins/windows/handles.py", line 292, in handles
    yield from self._make_handle_array(TableCode, table_levels)
  File "/home/analyst/hashtest/volatility3/framework/plugins/windows/handles.py", line 256, in _make_handle_array
    yield from self._make_handle_array(entry, level - 1, depth)
  File "/home/analyst/hashtest/volatility3/framework/plugins/windows/handles.py", line 246, in _make_handle_array
    for entry in table:
  File "/usr/local/lib/python3.8/_collections_abc.py", line 874, in __iter__
    v = self[i]
  File "/home/analyst/hashtest/volatility3/framework/objects/__init__.py", line 794, in __getitem__
    result += [self.vol.subtype(context=self._context, object_info=object_info)]
  File "/home/analyst/hashtest/volatility3/framework/objects/templates.py", line 96, in __call__
    return self.vol.object_class(
  File "/home/analyst/hashtest/volatility3/framework/objects/__init__.py", line 168, in __new__
    value = cls._unmarshall(context, data_format, object_info)
  File "/home/analyst/hashtest/volatility3/framework/objects/__init__.py", line 408, in _unmarshall
    data = context.layers.read(object_info.layer_name, object_info.offset, length)
  File "/home/analyst/hashtest/volatility3/framework/interfaces/layers.py", line 635, in read
    return self[layer].read(offset, length, pad)
  File "/home/analyst/hashtest/volatility3/framework/layers/linear.py", line 45, in read
    for offset, _, mapped_offset, mapped_length, layer in self.mapping(
  File "/home/analyst/hashtest/volatility3/framework/layers/intel.py", line 302, in mapping
    for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(
  File "/home/analyst/hashtest/volatility3/framework/layers/intel.py", line 358, in _mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
  File "/home/analyst/hashtest/volatility3/framework/layers/intel.py", line 510, in _translate
    return self._translate_swap(self, offset, self._bits_per_register // 2)
  File "/home/analyst/hashtest/volatility3/framework/layers/intel.py", line 457, in _translate_swap
    return super()._translate(offset)
  File "/home/analyst/hashtest/volatility3/framework/layers/intel.py", line 166, in _translate
    raise exceptions.PagedInvalidAddressException(
volatility3.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x153e5400000000 in page entry
dgmcdona added a commit that referenced this issue Jan 31, 2025
An `InvalidAddressException` can occur inside of `__iter__` when
iterating over the handle table (the exact exception occurs when
creating the subtype in `objects.Array.__getitem__`). This changes the
handle code to do a manual iteration over the sequence using the array
length and indexes, catching the exception, logging the index, and
continuing.

In the test sample that prompted this change, the exception occurred on
the access of the very last item in the array.

closes #1573
dgmcdona added a commit that referenced this issue Jan 31, 2025
An `InvalidAddressException` can occur inside of `__iter__` when
iterating over the handle table (the exact exception occurs when
creating the subtype in `objects.Array.__getitem__`). This changes the
handle code to do a manual iteration over the sequence using the array
length and indexes, catch the exception, log the index, and continue.

In the test sample that prompted this change, the exception occurred on
the access of the very last item in the array.

closes #1573
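
The iteration change described in the commit messages above, as an added example that is not the project's code: a constructed `LazyArray` stands in for the framework's array type, and `InvalidAddressException`, `naive_entries` and `tolerant_entries` are hypothetical names used only here. It goes slightly beyond the reported sample by placing an unreadable element in the middle of the array as well as at the end.

```python
import logging
from collections.abc import Sequence

log = logging.getLogger("handles_example")


class InvalidAddressException(Exception):
    """Constructed stand-in for the framework's invalid-address exception."""


class LazyArray(Sequence):
    """Constructed model: each element is read from a 'layer' only on access."""

    def __init__(self, layer, base, count, stride=8):
        self._layer, self._base = layer, base
        self._count, self._stride = count, stride

    def __len__(self):
        return self._count

    def __getitem__(self, index):
        if not 0 <= index < self._count:
            raise IndexError(index)
        offset = self._base + index * self._stride
        if offset not in self._layer:  # models an unmapped / paged-out address
            raise InvalidAddressException(f"unmapped offset {offset:#x}")
        return self._layer[offset]


def naive_entries(table):
    """Plain iteration: Sequence.__iter__ calls table[i], so the first
    unreadable element raises and every later entry is lost."""
    return [entry for entry in table]


def tolerant_entries(table):
    """Iterate by index, log the unreadable index, continue past it."""
    for index in range(len(table)):
        try:
            entry = table[index]
        except InvalidAddressException as exc:
            log.debug("Skipping handle table entry %d: %s", index, exc)
            continue
        yield index, entry


# Constructed sample: 6 slots at 0x1000; slots 2 and 5 (the last) are unmapped.
LAYER = {0x1000 + i * 8: f"handle_{i}" for i in range(6) if i not in (2, 5)}
TABLE = LazyArray(LAYER, 0x1000, 6)
```

Yielding the index with each entry keeps the output traceable to its slot even when earlier slots were skipped.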