[Vol-dev] [patch] Prevent crash when reading object values

AAron Walters awalters at 4tphi.net
Fri Oct 17 08:37:28 CDT 2008


Jesse,

You may also want to look into the usage of the is_valid() method of the 
Object class. A developer can use this method to check if a pointer is 
valid so they will not generate an exception.  This technique is used in 
example3.py.

Thanks again,

AW

On Fri, 17 Oct 2008, AAron Walters wrote:

>
>
> Jesse,
>
> Thanks for the patch! I will get it checked in.  I noticed you also made the 
> change for the byte-order.  I've been working on a way to handle that in a 
> generic way so we can handle big-endian images as well.  I look forward to 
> seeing your upcoming plugin.
>
> Thanks,
>
> AW
>
> On Fri, 17 Oct 2008, Jesse Kornblum wrote:
>
>> Attached please find a patch to prevent the framework from crashing when
>> attempting to read an Object's value from memory that cannot be accessed
>> (e.g. marked invalid, paged out, etc). The patch prevents the code from
>> crashing but adds the condition that the methods to read values (.v and
>> .value) may return None.
>> 
>> In my work I've encountered memory images where a unicode string in the
>> ProcessParameters (i.e. Eprocess -> Peb -> ProcessParameters ->
>> CommandLine) has been marked "in transition". Volatility 1.3 Beta does
>> not read data from any page marked Invalid and read requests for those
>> data are returned with None. The methods to read object values do not
>> error check the read method's return value and always attempt to unpack
>> the returned value. Attempting to unpack a None value results in an
>> unhandled exception.
>> 
>> Developers should be advised that the .v and .value methods can now
>> legally return None and should error check the return values of those
>> functions before attempting to use them.
>> 
>> The plugin that generated these exceptions, a check for generally
>> suspicious processes and TrueCrypt in particular, will be posted shortly
>> to the Vol-users mailing list.
>> 
>> cheers,
>> 
>> -- 
>> Jesse
>> jessek at speakeasy.net
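To illustrate the failure mode and the two checks discussed in this thread (a None returned by a read from an invalid page being passed straight to unpack, versus checking the read result and the pointer's validity first), here is a constructed Python model. It is an added example, not Volatility's code or Jesse's patch: `ToyAddressSpace`, `read_ulong`, `read_unicode_string` and the string header layout are all assumptions made for the illustration.

```python
import struct

PAGE = 0x1000

class ToyAddressSpace:
    # Constructed stand-in, not Volatility's class: pages missing from `pages`
    # act like pages marked Invalid / in transition, so read() returns None.
    def __init__(self, pages):
        self.pages = pages  # {page_base: bytes}
    def is_valid_address(self, addr):  # analogue of the is_valid() check
        return (addr & ~(PAGE - 1)) in self.pages
    def read(self, addr, length):
        base = addr & ~(PAGE - 1)
        if base not in self.pages:
            return None
        return self.pages[base][addr - base:addr - base + length]

def read_ulong_unchecked(space, addr):
    # Pre-patch behaviour: unpacking a None read raises TypeError.
    return struct.unpack("<L", space.read(addr, 4))[0]

def read_ulong(space, addr):
    # Patched behaviour: an unreadable page yields None; callers must check.
    data = space.read(addr, 4)
    if data is None or len(data) < 4:
        return None
    return struct.unpack("<L", data)[0]

def read_unicode_string(space, addr):
    # {Length, MaximumLength, Buffer} header (constructed little-endian
    # layout); follow Buffer only if its page is valid.
    hdr = space.read(addr, 8)
    if hdr is None or len(hdr) < 8:
        return None
    length, _maxlen, buf = struct.unpack("<HHL", hdr)
    if not space.is_valid_address(buf):
        return None  # e.g. a CommandLine buffer marked in transition
    data = space.read(buf, length)
    if data is None or len(data) < length:
        return None
    return data.decode("utf-16-le")

# Constructed image: page 0x1000 holds two string headers; the second
# one's Buffer points into page 0x3000, which is not present.
_page = bytearray(PAGE)
_page[0x10:0x18] = struct.pack("<HHL", 14, 16, 0x2000)
_page[0x20:0x28] = struct.pack("<HHL", 14, 16, 0x3000)
_buf = bytearray(PAGE)
_buf[0:14] = "cmd.exe".encode("utf-16-le")
SPACE = ToyAddressSpace({0x1000: bytes(_page), 0x2000: bytes(_buf)})
```

With this image, `read_unicode_string(SPACE, 0x1010)` returns "cmd.exe", `read_unicode_string(SPACE, 0x1020)` returns None instead of raising, and `read_ulong_unchecked(SPACE, 0x3000)` reproduces the crash.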