Windows 8.1 x86 AttributeError: Struct __MMVAD has no member Start #268

Closed
williballenthin opened this issue Dec 14, 2015 · 5 comments
@williballenthin

I'm trying to use some of the scanning plugins against a Windows 8.1 x86 memory image; however, the source distribution of 2.5 and git master at 9ad8329 raise the following error:

λ C:\Python27\python.exe C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\vol.py -f .\memory.dmp --profile=Win81U1x86 --kdbg=0x81255690 malfind
Volatility Foundation Volatility Framework 2.5
Traceback (most recent call last):
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\vol.py", line 192, in <module>
    main()
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\vol.py", line 183, in main
    command.execute()
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\volatility\commands.py", line 145, in execute
    func(outfd, data)
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\volatility\plugins\malware\malfind.py", line 442, in render_text
    for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\volatility\plugins\overlays\windows\windows.py", line 485, in get_vads
    if not vad.is_valid():
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\volatility\plugins\overlays\windows\vad_vtypes.py", line 39, in is_valid
    self.Start < obj.VolMagic(self.obj_vm).MaxAddress.v() and
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\volatility\obj.py", line 748, in __getattr__
    return self.m(attr)
  File "C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\volatility\obj.py", line 730, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct _MMVAD has no member Start

The pslist plugin shows the processes I'd expect to see in the image.

Here is the imageinfo:

λ C:\Python27\python.exe C:\Users\willi\Downloads\volatility-2.5\volatility-2.5\vol.py -f .\memory.dmp --profile=Win81U1x86 imageinfo
Volatility Foundation Volatility Framework 2.5
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win10x86, Win81U1x86, Win8SP1x86, Win8SP0x86 (Instantiated with Win81U1x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace32 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (C:\Users\willi\Documents\Code\volatility\memory.dmp)
                      PAE type : PAE
                           DTB : 0x38f44380L
                          KDBG : 0x81255690L
          Number of Processors : 1
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0x81280000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2015-12-14 16:05:01 UTC+0000
     Image local date and time : 2015-12-14 11:05:01 -0500

I've tried the other suggested profiles, but none of them give any better results (though, Win8SP0x86 doesn't raise an exception, but also doesn't print any results).

Is this a user error, or is this a bug in Volatility?

@iMHLv2
Contributor

iMHLv2 commented Dec 14, 2015

Thanks for reporting...definitely not a user error kind of thing. Let me look into it and I'll post back.

@iMHLv2
Contributor

iMHLv2 commented Dec 16, 2015

Alright, can you try reverting the changes made to lines 445 and 449 in 7ff07bd (not the whole patch, just those lines). In other words, go back to using just StartingVpn and EndingVpn, not the combination of StartingVpnHigh and EndingVpnHigh. It appears those "High" members were added at some point and we apparently haven't figured out exactly when.

Also, if you happen to have access to the ntoskrnl.exe file on disk for that sample, can you look up the build number? It should be 6.3.9600.X and if X is greater than 17031 then you have Update 1 installed. Let me know the value of X for your system if possible - that will help narrow down exactly when this change occurred.

@williballenthin
Author

After reverting those changes, malfind produced results that looked good! vadinfo also gives results that seem reasonable.

ntoskrnl.exe has version 6.3.9600.17415.

@gleeda gleeda added the Win8 label Feb 16, 2016
@Nordwald

Hi there,

I want to confirm: the problem still persists; the patch proposed by iMHLv2 works for me.

My ntoskrnl.exe has version 6.3.9600.17415 as well. Please consider reverting 7ff07bd or shifting it to another profile.

@iMHLv2
Contributor

iMHLv2 commented Sep 28, 2016

This should all be good now...the StartingVpnHigh and EndingVpnHigh members were introduced starting in Windows 8 but only for 64-bit versions of the OS. 32-bit versions of Win8 and Win10 do not have StartingVpnHigh and EndingVpnHigh. Thanks!

@iMHLv2 iMHLv2 closed this as completed Sep 28, 2016
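The profile split that resolved this issue, as an added illustration (this is not Volatility's own code): the VAD's Start/End addresses are derived from StartingVpn/EndingVpn, and the StartingVpnHigh/EndingVpnHigh bytes are consulted only on 64-bit Win8+ profiles. The VAD nodes are constructed dicts standing in for Volatility objects, and the field widths (32-bit Vpn, 8-bit VpnHigh, 4 KiB pages) are assumptions about the x64 layout, not values taken from the page.

```python
# Added example, not Volatility code. Models how a VAD's address range is
# derived from the _MMVAD Vpn fields, with the 32-bit/64-bit split from this
# issue: only 64-bit Win8+ profiles have the *VpnHigh members.

PAGE_SHIFT = 12  # assumption: 4 KiB pages, so VPN << 12 is a virtual address


def vad_vpn_range(vad, is_64bit):
    """Return (start_vpn, end_vpn). The *VpnHigh bytes (assumed 8-bit) extend
    the 32-bit Vpn fields on 64-bit Win8+ only; a 32-bit profile such as the
    reporter's Win81U1x86 has no such members, and reading them there is the
    AttributeError from the report."""
    start_vpn = vad["StartingVpn"]
    end_vpn = vad["EndingVpn"]
    if is_64bit:
        start_vpn |= vad["StartingVpnHigh"] << 32
        end_vpn |= vad["EndingVpnHigh"] << 32
    return start_vpn, end_vpn


def vad_bounds(vad, is_64bit):
    """Start is the first byte of the region; End is the last byte (inclusive)."""
    start_vpn, end_vpn = vad_vpn_range(vad, is_64bit)
    start = start_vpn << PAGE_SHIFT
    end = ((end_vpn + 1) << PAGE_SHIFT) - 1
    return start, end


def vad_is_valid(vad, is_64bit, max_address):
    """Sanity check in the spirit of is_valid() from the traceback: the range
    must lie below the profile's MaxAddress and must not be inverted."""
    start, end = vad_bounds(vad, is_64bit)
    return start < max_address and end > start


# Constructed sample nodes (not taken from a real image).
X86_VAD = {"StartingVpn": 0x00400, "EndingVpn": 0x00412}  # no *High members
X64_VAD = {"StartingVpn": 0x7FF00000, "EndingVpn": 0x7FF00010,
           "StartingVpnHigh": 0x7F, "EndingVpnHigh": 0x7F}
BAD_VAD = {"StartingVpn": 0x00500, "EndingVpn": 0x00400}  # inverted range

if __name__ == "__main__":
    print("x86:", [hex(v) for v in vad_bounds(X86_VAD, False)])
    print("x64:", [hex(v) for v in vad_bounds(X64_VAD, True)])
    print("bad:", vad_is_valid(BAD_VAD, False, 0xFFFFFFFF))
```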