Comments (4)
also get the same backtrace on malfind (not surprising)
from volatility.
As I'm looking at the code where it breaks, I'm puzzled about why we are adding the obj_offset for the current VAD node within the for loop.... it seems like it should be added beforehand, so that all children will have it in the visited set... for some reason this doesn't make sense to me. if you apply the patch below, we are able to get the rest of the VAD nodes for the process that was causing the crash:
diff --git a/volatility/plugins/overlays/windows/vad_vtypes.py b/volatility/plugins/overlays/windows/vad_vtypes.py
index e685c6e..889f95b 100644
--- a/volatility/plugins/overlays/windows/vad_vtypes.py
+++ b/volatility/plugins/overlays/windows/vad_vtypes.py
@@ -64,12 +64,13 @@ class VadTraverser(obj.CType):
elif depth and str(self.Tag) != "":
return
+ visited.add(self.obj_offset)
for c in self.LeftChild.traverse(visited = visited, depth = depth + 1):
- visited.add(self.obj_offset)
+ #visited.add(self.obj_offset)
yield c
for c in self.RightChild.traverse(visited = visited, depth = depth + 1):
- visited.add(self.obj_offset)
+ #visited.add(self.obj_offset)
yield c
class VadFlags(obj.CType):
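Review bot: the two commented-out `#visited.add(self.obj_offset)` lines left in the loop bodies should be deleted rather than kept as comments, since the `visited.add(self.obj_offset)` now placed above the loops makes them dead code. The relocation itself is the right fix for the crash in the hunk: in the original placement the node's offset was only recorded after a child had yielded, so a node whose subtree points back at it (or whose children yield nothing) never entered `visited` and could be traversed again.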
I'm going to see if this change affects other working samples.
from volatility.
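The ordering question raised above, shown on a small model of the traversal. This is an added example and not Volatility's VadTraverser code: the Node class, the KNOWN_TAGS set, the MAX_DEPTH cap and the constructed trees are all assumptions standing in for obj_offset, Tag, tag_map and the real VAD nodes. The `add_before` flag switches between the original placement of `visited.add` (inside the child loop, after a child has yielded) and the patched placement (before descending).

```python
"""
Model of the VAD traversal's visited-set handling.
Constructed illustration, not Volatility code: Node mirrors obj_offset /
Tag / LeftChild / RightChild; KNOWN_TAGS stands in for tag_map.
"""
from dataclasses import dataclass
from typing import Iterator, List, Optional, Set

KNOWN_TAGS = {"Vad ", "VadS", "Vadl", "Vadm"}  # assumed; the real tag_map differs
MAX_DEPTH = 100                                 # assumed guard against runaway recursion


@dataclass
class Node:
    offset: int
    tag: str
    left: Optional["Node"] = None
    right: Optional["Node"] = None


def _visit(node: Optional[Node], visited: Set[int], depth: int,
           add_before: bool) -> Iterator[int]:
    """Yield node offsets in left-then-right order, mirroring the hunk's structure."""
    if node is None or node.offset in visited:
        return
    if depth > MAX_DEPTH:
        return
    if node.tag in KNOWN_TAGS:
        yield node.offset
    elif depth and node.tag != "":
        return  # unknown, non-empty tag below the root: stop, as the original does
    if add_before:
        visited.add(node.offset)          # patched placement: mark before descending
    for child in (node.left, node.right):
        for item in _visit(child, visited, depth + 1, add_before):
            if not add_before:
                visited.add(node.offset)  # original placement: only once a child yields
            yield item


def traverse_original(root: Node) -> List[int]:
    return list(_visit(root, set(), 0, add_before=False))


def traverse_fixed(root: Node) -> List[int]:
    return list(_visit(root, set(), 0, add_before=True))


def build_cyclic_tree() -> Node:
    """Constructed corrupt tree: a pass-through node whose child points back at the root."""
    a = Node(0x100, "Vad ")
    b = Node(0x200, "")        # empty tag: yields nothing itself but still descends
    a.left = b
    b.left = a                 # back-pointer to the root -> cycle
    a.right = Node(0x300, "VadS")
    return a


def build_healthy_tree() -> Node:
    """Constructed well-formed tree: both placements should agree here."""
    a = Node(0x100, "Vad ")
    a.left = Node(0x200, "VadS", left=Node(0x400, "Vad "))
    a.right = Node(0x300, "VadS")
    return a


if __name__ == "__main__":
    print("cyclic, original:", [hex(o) for o in traverse_original(build_cyclic_tree())])
    print("cyclic, fixed:   ", [hex(o) for o in traverse_fixed(build_cyclic_tree())])
    print("healthy, both:   ", traverse_original(build_healthy_tree()) ==
          traverse_fixed(build_healthy_tree()))
```

On the cyclic tree the original placement reports the root and the right leaf twice, because the root is re-entered before its offset is recorded and leaves are never recorded at all; the patched placement visits each node once. On the healthy tree both placements produce the same list, which matches the observation that the change made no difference on working samples.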
committed to c11111e
I didn't see any changes between a handful of samples
in case you want to verify, you can do:
$ python vol.py -f SampleRepository/crash/VistaSP2x86/VistaSP2x86.dmp --profile=VistaSP2x86 vadinfo -p 3620