Description
Describe the bug
Hi!
I'm using a memory image for an exercise I give to students. It used to work fine last year, using vol2 or vol3. This year, vol3's windows.info gives wrong information about Major/Minor and Kernel Base. It will also output a page error: Page error 0xf8073eefc404 in layer layer_name (Page Fault at entry 0x0 in page entry).
I was able to blame PR #1567, which introduced the bug. I was not able to pinpoint any further, as I am not familiar enough with volatility's code. All I know is that checking out before c7dc608 (PR merged) works, and any commit after that one will give wrong results/error.
Context
Volatility Version: 2.19.0 onwards
Operating System: Linux
Python Version: 3.10
Suspected Operating System: Windows
Command: windows.info
To Reproduce
Steps to reproduce the behavior:
Working:
git clone https://github.com/volatilityfoundation/volatility3.git && cd volatility3
git checkout 4cb386858ebe7c62f05b16c9f869fdf762084121
python3 -m venv venv && . venv/bin/activate
pip install -e ".[dev]"
python3 vol.py -f /home/user/Downloads/memory.raw windows.info gives
Volatility 3 Framework 2.18.0
Progress: 100.00 PDB scanning finished
Variable Value
Kernel Base 0xf8073e408000
DTB 0x1ad000
Symbols file:///tmp/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/CA8E2F01B822EDE6357898BFBF862997-1.json.xz
Is64Bit True
IsPAE False
layer_name 0 WindowsIntel32e
memory_layer 1 FileLayer
KdVersionBlock 0xf8073f017368
Major/Minor 15.19041
MachineType 34404
KeNumberProcessors 4
SystemTime 2023-09-12 03:28:53+00:00
NtSystemRoot C:\Windows
NtProductType NtProductWinNt
NtMajorVersion 10
NtMinorVersion 0
PE MajorOperatingSystemVersion 10
PE MinorOperatingSystemVersion 0
PE Machine 34404
PE TimeDateStamp Wed Jan 4 04:27:11 1995
Whereas:
git clone https://github.com/volatilityfoundation/volatility3.git && cd volatility3
git checkout c7dc608b784a347332db6fc33c6ded0d015dff5e
python3 -m venv venv && . venv/bin/activate
pip install -e ".[dev]"
python3 vol.py -vvv -f /home/user/Downloads/memory.raw windows.info gives
Volatility 3 Framework 2.18.1
INFO volatility3.cli: Volatility plugins path: ['/tmp/volatility3/volatility3/plugins', '/tmp/volatility3/volatility3/framework/plugins']
INFO volatility3.cli: Volatility symbols path: ['/tmp/volatility3/volatility3/symbols', '/tmp/volatility3/volatility3/framework/symbols']
DEBUG volatility3.plugins.yarascan: Using yara-python module
INFO volatility3.framework.automagic: Detected a windows category plugin
INFO volatility3.framework.automagic: Running automagic: ConstructionMagic
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
INFO volatility3.framework.automagic: Running automagic: SymbolCacheMagic
INFO volatility3.framework.automagic: Running automagic: LayerStacker
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ad000
DEBUG volatility3.framework.automagic.windows: DTB was found at: 0x1ad000
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name
DETAIL 1 volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.Info.kernel.layer_name.memory_layer
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info.kernel
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.Info
DEBUG volatility3.framework.automagic.stacker: physical_layer maximum_address: 2147483647
DEBUG volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'FileLayer']
INFO volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO volatility3.framework.automagic: Running automagic: KernelPDBScanner
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DETAIL 1 volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.Info.kernel.symbol_table_name
DEBUG volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf8073e200000
DEBUG volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/CA8E2F01B822EDE6357898BFBF862997-1
INFO volatility3.framework.automagic: Running automagic: SymbolFinder
INFO volatility3.framework.automagic: Running automagic: KernelModule
Variable Value
Kernel Base 0xf8073e200000
DTB 0x1ad000
Symbols file:///tmp/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/CA8E2F01B822EDE6357898BFBF862997-1.json.xz
Is64Bit True
IsPAE False
layer_name 0 WindowsIntel32e
memory_layer 1 FileLayer
KdVersionBlock 0xf8073ee0f368
Major/Minor 3912.6331
MachineType 18441
DEBUG volatility3.cli: Traceback (most recent call last):
File "/tmp/volatility3/volatility3/cli/__init__.py", line 502, in run
renderer.render(grid)
File "/tmp/volatility3/volatility3/cli/text_renderer.py", line 232, in render
grid.populate(visitor, outfd)
File "/tmp/volatility3/volatility3/framework/renderers/__init__.py", line 240, in populate
for level, item in self._generator:
File "/tmp/volatility3/volatility3/framework/plugins/windows/info.py", line 231, in _generator
cpu_count = ntkrnlmp.object(
^^^^^^^^^^^^^^^^
File "/tmp/volatility3/volatility3/framework/contexts/__init__.py", line 264, in object
return self._context.object(
^^^^^^^^^^^^^^^^^^^^^
File "/tmp/volatility3/volatility3/framework/contexts/__init__.py", line 128, in object
return object_template(
^^^^^^^^^^^^^^^^
File "/tmp/volatility3/volatility3/framework/objects/templates.py", line 96, in __call__
return self.vol.object_class(
^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/volatility3/volatility3/framework/objects/__init__.py", line 168, in __new__
value = cls._unmarshall(context, data_format, object_info)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/volatility3/volatility3/framework/objects/__init__.py", line 202, in _unmarshall
data = context.layers.read(
^^^^^^^^^^^^^^^^^^^^
File "/tmp/volatility3/volatility3/framework/interfaces/layers.py", line 635, in read
return self[layer].read(offset, length, pad)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/volatility3/volatility3/framework/layers/linear.py", line 45, in read
for offset, _, mapped_offset, mapped_length, layer in self.mapping(
File "/tmp/volatility3/volatility3/framework/layers/intel.py", line 302, in mapping
for offset, size, mapped_offset, mapped_size, map_layer in self._mapping(
File "/tmp/volatility3/volatility3/framework/layers/intel.py", line 358, in _mapping
chunk_offset, page_size, layer_name = self._translate(offset)
^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/volatility3/volatility3/framework/layers/intel.py", line 510, in _translate
return self._translate_swap(self, offset, self._bits_per_register // 2)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/volatility3/volatility3/framework/layers/intel.py", line 457, in _translate_swap
return super()._translate(offset)
^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/volatility3/volatility3/framework/layers/intel.py", line 166, in _translate
raise exceptions.PagedInvalidAddressException(
volatility3.framework.exceptions.PagedInvalidAddressException: Page Fault at entry 0x0 in page entry
Volatility was unable to read a requested page:
Page error 0xf8073eefc404 in layer layer_name (Page Fault at entry 0x0 in page entry)
* Memory smear during acquisition (try re-acquiring if possible)
* An intentionally invalid page lookup (operating system protection)
* A bug in the plugin/volatility3 (re-run with -vvv and file a bug)
No further results will be produced
Expected behavior
windows.info should work and give accurate Major/Minor and Kernel Base
Example output
See above
Additional information
I can provide the dump used by email, if necessary.
Thanks a lot :)
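As an added example (not code from the issue or from the volatility3 project), a POSIX shell check that classifies a windows.info run against the working values quoted above and can drive git bisect between the two commits named in the report. The script name check_info.sh, the IMAGE variable and the assumption that the good commit is an ancestor of the bad one are mine.

```shell
#!/bin/sh
# Added example, not code from the issue or from volatility3: classify one
# windows.info run as good or bad against the working output quoted above,
# and expose that check as a `git bisect run` step between the two commits
# named in the report. Assumes it is run from a volatility3 checkout with
# IMAGE set to the same memory image path as in the issue.

GOOD_KERNEL_BASE="0xf8073e408000"   # Kernel Base from the working run
GOOD_MAJOR_MINOR="15.19041"         # Major/Minor from the working run
IMAGE="${IMAGE:-/home/user/Downloads/memory.raw}"

# classify_info_output TEXT: prints a verdict; returns 0 (good) or 1 (bad).
classify_info_output() {
    # The page fault while reading kernel data is the failure signature above.
    if printf '%s\n' "$1" | grep -qE 'Page error|PagedInvalidAddressException'; then
        echo "bad: page fault while reading kernel structures"; return 1
    fi
    base=$(printf '%s\n' "$1" | awk '/^Kernel Base/ {print $3; exit}')
    mm=$(printf '%s\n' "$1" | awk '/^Major\/Minor/ {print $2; exit}')
    if [ "$base" != "$GOOD_KERNEL_BASE" ] || [ "$mm" != "$GOOD_MAJOR_MINOR" ]; then
        echo "bad: Kernel Base=$base Major/Minor=$mm"; return 1
    fi
    echo "good: Kernel Base=$base Major/Minor=$mm"; return 0
}

# bisect_step: exit status for `git bisect run` (0 good, 1 bad, 125 skip).
# From the checkout:
#   git bisect start c7dc608b784a347332db6fc33c6ded0d015dff5e 4cb386858ebe7c62f05b16c9f869fdf762084121
#   git bisect run sh check_info.sh --bisect
bisect_step() {
    pip install -q -e ".[dev]" >/dev/null 2>&1 || return 125
    out=$(python3 vol.py -f "$IMAGE" windows.info 2>&1) || true
    classify_info_output "$out"
}

# Constructed excerpts of the two outputs quoted in the issue, for a dry run.
WORKING_EXCERPT="Kernel Base 0xf8073e408000
Major/Minor 15.19041"
BROKEN_EXCERPT="Kernel Base 0xf8073e200000
Major/Minor 3912.6331
Page error 0xf8073eefc404 in layer layer_name (Page Fault at entry 0x0 in page entry)"

# self_check: returns 0 only if the classifier separates the two excerpts.
self_check() {
    classify_info_output "$WORKING_EXCERPT" >/dev/null || return 1
    if classify_info_output "$BROKEN_EXCERPT" >/dev/null; then return 1; fi
    return 0
}
case "${1:-}" in --bisect) bisect_step; exit $? ;; esac
```

Running `sh check_info.sh` with no arguments only defines the functions; `--bisect` runs one bisect step against the real image.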