c-aff4
Multiple map problems
Using winpmem v3.3.rc1, we created a memory image of an Arch Linux VM.
The idx file references a non-existent stream (suspect the idx file has been truncated or not fully written correctly). The idx file has multiple duplicate entries. The map references the non-existent stream.
The map idx looked as follows:
0 => aff4://52470487-b665-46e6-97de-071325d32dbd/PhysicalMemory/data
1 => aff4://52470487-b665-46e6-97de-071325d32dbd/PhysicalMemory/data
2 => aff4://52470487-b665-46e6-97de-071325
[0x00000000:0x00001000] => SPARSE
[0x00001000:0x0009e000] => stream 1 [0x00000000:0x0009e000]
[0x0009f000:0x00061000] => SPARSE
[0x00100000:0x00300000] => stream 1 [0x0009e000:0x00300000]
[0x00400000:0x00001000] => stream 2 [0x00000000:0x00001000]
[0x00401000:0x00bfe000] => stream 1 [0x0039e000:0x00bfe000]
[0x00fff000:0x00001000] => SPARSE
[0x01000000:0x00001000] => stream 2 [0x00000000:0x00001000]
[0x01001000:0x003ff000] => stream 1 [0x00f9c000:0x003ff000]
[0x01400000:0x00001000] => stream 2 [0x00001000:0x00001000]
[0x01401000:0x3ebef000] => stream 1 [0x0139b000:0x3ebef000]
information.yaml:
Imager: WinPmem 3.3rc1
Registers:
  CR3: 114032640
NtBuildNumber: 2600
KernBase: 2152558592
NtBuildNumberAddr: 2153066728
Runs:
  - start: 4096
    length: 647168
  - start: 1048576
    length: 15724544
  - start: 16777216
    length: 1056899072
Linpmem uses a different implementation of WriteMapObject_ than Winpmem because Winpmem needs to be able to handle failed reads (for VSM support). We need to update it to the new refactored code base. Thanks for reporting.
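The three symptoms reported above (duplicate idx entries, a cut-off idx target, and map ranges that point at it) can be checked mechanically before an image is trusted for analysis. The following is an added example, not code from the issue or from c-aff4: it assumes the textual dump format shown in the report rather than reading the AFF4 container, and `check_map_dump`, the finding names and the prefix-based truncation heuristic are all hypothetical.

```python
import re

IDX_RE = re.compile(r"^(\d+) => (\S+)$")
MAP_RE = re.compile(r"^\[0x([0-9a-f]+):0x([0-9a-f]+)\] => "
                    r"(?:SPARSE|stream (\d+) \[0x[0-9a-f]+:0x[0-9a-f]+\])$")

# The idx entries quoted in the issue, plus four of its map ranges.
SAMPLE = """\
0 => aff4://52470487-b665-46e6-97de-071325d32dbd/PhysicalMemory/data
1 => aff4://52470487-b665-46e6-97de-071325d32dbd/PhysicalMemory/data
2 => aff4://52470487-b665-46e6-97de-071325
[0x00000000:0x00001000] => SPARSE
[0x00001000:0x0009e000] => stream 1 [0x00000000:0x0009e000]
[0x00400000:0x00001000] => stream 2 [0x00000000:0x00001000]
[0x01000000:0x00001000] => stream 2 [0x00000000:0x00001000]
"""

def check_map_dump(text):
    """Return (kind, detail) findings for a textual idx/map dump."""
    idx, refs, findings = {}, [], []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := IDX_RE.match(line):
            idx[int(m[1])] = m[2]
        elif m := MAP_RE.match(line):
            if m[3] is not None:  # SPARSE ranges reference no stream
                refs.append((int(m[1], 16), int(m[3])))
        else:
            findings.append(("unparsed", line))
    first_seen = {}
    for i, urn in sorted(idx.items()):
        if urn in first_seen:
            findings.append(("duplicate-target", f"idx {i} repeats idx {first_seen[urn]}"))
        first_seen.setdefault(urn, i)
    # Heuristic (assumption): a target that is a strict prefix of another
    # target was cut short while the idx was being written.
    cut = {i for i, u in idx.items()
           if any(o != u and o.startswith(u) for o in idx.values())}
    findings += [("truncated-target", f"idx {i}: {idx[i]}") for i in sorted(cut)]
    for offset, stream in refs:
        if stream not in idx:
            findings.append(("missing-idx", f"range 0x{offset:08x} -> stream {stream}"))
        elif stream in cut:
            findings.append(("bad-stream-ref", f"range 0x{offset:08x} -> stream {stream}"))
    return findings

if __name__ == "__main__":
    for kind, detail in check_map_dump(SAMPLE):
        print(f"{kind}: {detail}")
```

Any finding means the affected ranges cannot be resolved to image data, so analysis results covering those physical addresses should be treated as incomplete.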