Giter Site home page Giter Site logo

Comments (4)

gleeda avatar gleeda commented on June 4, 2024

also get the same backtrace on malfind (not surprising)

from volatility.

gleeda avatar gleeda commented on June 4, 2024

As I'm looking at the code where it breaks, I'm puzzled about why we are adding the obj_offset for the current VAD node within the for loop.... it seems like it should be added beforehand, so that all children will have it in the visited set... for some reason this doesn't make sense to me. if you apply the patch below, we are able to get the rest of the VAD nodes for the process that was causing the crash:

diff --git a/volatility/plugins/overlays/windows/vad_vtypes.py b/volatility/plugins/overlays/windows/vad_vtypes.py
index e685c6e..889f95b 100644
--- a/volatility/plugins/overlays/windows/vad_vtypes.py
+++ b/volatility/plugins/overlays/windows/vad_vtypes.py
@@ -64,12 +64,13 @@ class VadTraverser(obj.CType):
         elif depth and str(self.Tag) != "":
             return

+        visited.add(self.obj_offset)
         for c in self.LeftChild.traverse(visited = visited, depth = depth + 1):
-            visited.add(self.obj_offset)
+            #visited.add(self.obj_offset)
             yield c

         for c in self.RightChild.traverse(visited = visited, depth = depth + 1):
-            visited.add(self.obj_offset)
+            #visited.add(self.obj_offset)
             yield c

 class VadFlags(obj.CType):

i'm going to see if this change effects other working samples.

from volatility.

gleeda avatar gleeda commented on June 4, 2024

committed to c11111e

I didn't see any changes between a handful of samples

from volatility.

gleeda avatar gleeda commented on June 4, 2024

in case you want to verify, you can do:

$ python vol.py -f SampleRepository/crash/VistaSP2x86/VistaSP2x86.dmp --profile=VistaSP2x86 vadinfo -p 3620

from volatility.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.