kernel_virtual_offset is accessed without verification it has been found #1600
Comments
ikelos
changed the title
ikelos
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, I was trying to put partial configuration file (removing: kernel_virtual_offset), and got an error, to my understanding, the program should know to fill in the missing values. (I also tried removing both kvo and kernel_offset and got the same results).
Here is the traceback:
./vol.py -c config1.json windows.pslist
Volatility 3 Framework 2.19.0
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
Traceback (most recent call last):
File "/home/asafm/volatility3/volatility3/framework/interfaces/configuration.py", line 163, in getitem
return self._data[key]
~~~~~~~~~~^^^^^
KeyError: 'kernel_virtual_offset'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/asafm/volatility3/./vol.py", line 11, in
volatility3.cli.main()
File "/home/asafm/volatility3/volatility3/cli/init.py", line 924, in main
CommandLine().run()
File "/home/asafm/volatility3/volatility3/cli/init.py", line 512, in run
renderer.render(grid)
File "/home/asafm/volatility3/volatility3/cli/text_renderer.py", line 232, in render
grid.populate(visitor, outfd)
File "/home/asafm/volatility3/volatility3/framework/renderers/init.py", line 240, in populate
for level, item in self._generator:
File "/home/asafm/volatility3/volatility3/framework/plugins/windows/pslist.py", line 270, in _generator
for proc in self.list_processes(
File "/home/asafm/volatility3/volatility3/framework/plugins/windows/pslist.py", line 229, in list_processes
kvo = context.layers[layer_name].config["kernel_virtual_offset"]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/asafm/volatility3/volatility3/framework/interfaces/configuration.py", line 165, in getitem
raise KeyError(key)
KeyError: 'kernel_virtual_offset'
And here is the partial configuration file:
{
"dump": false,
"kernel.class": "volatility3.framework.contexts.Module",
"kernel.layer_name.class": "volatility3.framework.layers.intel.WindowsIntel32e",
"kernel.layer_name.memory_layer.class": "volatility3.framework.layers.physical.FileLayer",
"kernel.layer_name.memory_layer.location": "file:///home/asafm/Downloads/dumps/memdump1.mem",
"kernel.layer_name.page_map_offset": 1744896,
"kernel.layer_name.swap_layers": true,
"kernel.layer_name.swap_layers.number_of_elements": 0,
"kernel.offset": 272693902114816,
"kernel.symbol_table_name.class": "volatility3.framework.symbols.windows.WindowsKernelIntermedSymbols",
"kernel.symbol_table_name.isf_url": "file:///home/asafm/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/8B11040A5928757B11390AC78F6B6925-1.json.xz",
"kernel.symbol_table_name.symbol_mask": 0,
"physical": false,
"pid": []
}
The text was updated successfully, but these errors were encountered: