
Problem with read_unicode_str_va function

Open 0xarash opened this issue 4 years ago • 5 comments

Hello,

I'm trying to read a UNICODE_STRING from a structure but haven't had any luck. Here is the info I have about the problem:

I tested on different structures; I could extract the string and the length manually with vmi.read_va and some other functions.

I checked read_unicode_str_va: the returned value.encoding and value.length seem correct, but value.contents does not. The extracted buffer has just one character of the string.

The host is CentOS 7 and the Python version is 3.6.8.

Here is the error message I receive:

UnicodeDecodeError: 'utf-16-le' codec can't decode byte 0x50 in position 0: truncated data

Here is the code snippet I'm using for testing.

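with pause(vmi):
    # Resolve the PsProcessType kernel symbol and read the pointer it holds
    process_type_va = vmi.translate_ksym2v('PsProcessType')
    process_type = vmi.read_addr_va(process_type_va, 0)
    # Offset of the Name field (a UNICODE_STRING) inside _OBJECT_TYPE
    name_off = vmi.get_kernel_struct_offset('_OBJECT_TYPE', 'Name')
    # Read the UNICODE_STRING at that address (pid 0 = kernel address space)
    name = vmi.read_unicode_str_va(process_type + name_off, 0)
    print(name)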

Any idea how to deal with this problem?

0xarash, Sep 15 '20 13:09
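
An offline illustration of the symptom reported above, added here and not part of the original post or of the libvmi project: it decodes a `_UNICODE_STRING` by hand (the manual route the post mentions) and shows that a one-byte contents buffer produces the same `truncated data` error. The memory map, the addresses and the `read_va` stand-in are constructed, and a 64-bit guest layout is assumed.

```python
import struct

# Constructed sample: fake guest memory with a 64-bit _UNICODE_STRING at
# STRUCT_VA whose Buffer points to "Process" (UTF-16-LE) at BUF_VA.
STRUCT_VA, BUF_VA = 0x1000, 0x2000
TEXT = "Process".encode("utf-16-le")
MEMORY = {
    STRUCT_VA: struct.pack("<HH4xQ", len(TEXT), len(TEXT) + 2, BUF_VA),
    BUF_VA: TEXT + b"\x00\x00",
}


def read_va(va, size):
    """Hypothetical stand-in for a raw guest-memory read over MEMORY."""
    for base, blob in MEMORY.items():
        if base <= va and va + size <= base + len(blob):
            return blob[va - base:va - base + size]
    raise ValueError(f"unmapped read of {size} bytes at {va:#x}")


def read_unicode_string(read, va):
    """Decode an x64 _UNICODE_STRING: Length, MaximumLength, pad, Buffer."""
    length, max_length, buffer_va = struct.unpack("<HH4xQ", read(va, 16))
    # Length counts bytes (not characters) and excludes any terminator.
    if length % 2 or length > max_length:
        raise ValueError("inconsistent _UNICODE_STRING header")
    if length == 0:
        return ""
    raw = read(buffer_va, length)
    if len(raw) != length:
        raise ValueError("short read of string buffer")
    return raw.decode("utf-16-le")


def decode_error(contents):
    """Return the UnicodeDecodeError text for contents, or None if it decodes."""
    try:
        contents.decode("utf-16-le")
        return None
    except UnicodeDecodeError as exc:
        return str(exc)


if __name__ == "__main__":
    print(read_unicode_string(read_va, STRUCT_VA))  # full string
    print(decode_error(TEXT[:1]))                   # one-byte contents
```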