volatility 3 linux.bash plugin error
Hi, I'm trying to run Volatility 3 plugins on a RHEL 7 server using a custom profile I've created. I get results for most plugins, but some of the plugins crash and output only the titles with blank content. The main plugins with the issue are: linux.bash.Bash, linux.keyboard_notifiers.keyboard_notifiers, linux.check_creds.check_creds, linux.check_afinfo.check_afinfo.
I've created the custom profile for kernel 3.10.0-1160.53.1.el7.x86_64 on a new server image. I did it according to the https://forensenellanebbia.blogspot.com/2021/02/building-profile-for-volatility-2-and-3.html guide. Basically, after I installed the kernel debug RPMs (suited for the exact kernel version according to uname -a) from the Red Hat website, I created the custom profile using dwarf2json with the System.map and vmlinux files. When I'm running the Volatility plugins on this server's memory dump (the server I took the System.map and vmlinux for the custom profile from) I'm getting the full output from all plugins. BUT, when I'm running Volatility on other servers' memory dumps (servers with the same kernel version according to uname -a and banners) some plugins fail. For example, for the linux.bash plugin it returns an error, InvalidAddressException. The exact error, when running Volatility with -vvv, is: .../framework/layers/segmented.py, line 85, in find_segment raise exceptions.InvalidAddressException (volatility3.framework.exceptions.InvalidAddress: Invalid Address at dba6000) volatility was unable to read a requested page: 0xdba600 in layer memory_layer (Invalid Address at dba6000)
I put the profile file I've created on the correct path under framework/symbols/linux, and isfinfo is showing the custom profile. According to the banners plugin, all the memory dumps are the same version as the custom profile.
I acquired all servers’ memory dumps using avml.
Unfortunately the network is offline and I cant upload the relevant files.
Any advice? PLEASE HELP :)
Context
dwarf2json version: 0.9.0
AVML version: 0.13.0
Volatility version: 3.2.11
Operating System: RHEL 7 - 3.10.0-1160.53.1.el7.x86_64
Python version: 3.9
Command: python3.9 vol.py -f <memory.dmp> linux.bash.Bash
It sounds like you've made the symbols correctly. Safe to assume that pslist etc works on all samples? Including the one where bash fails?
It may simply be an issue with smear, where the RAM is changing while avml is collecting. Are you able to share any of the memory samples? It might be possible to make the bash plugin more capable of handling these errors.
It's always worth trying the most recent version of the develop branch for vol too, git cloning the repo and trying that.
Sorry, but I can't share the memory samples. Is there anything I can test by myself? Yes, the pslist plugin works on all memory dumps.
Understandable.
Could you share the full log, I'd like to see exactly where the bash plugin is failing.
We need the full backtrace with -vvvvvvvv set to diagnose
To me it looks like the is_valid check for the hist_entry extension checks for InvalidAddressException and would return false.
The address isn't a high one so I'm guessing that it's past get_process_memory_sections and it's an error trying to read within the heap of a bash process.
My assumption is it'll be happening here: https://github.com/volatilityfoundation/volatility3/blob/63f7cbd44716d66cac84f67987ef355885fe0cc8/volatility3/framework/plugins/linux/bash.py#L124-L128
Given it sounds like no results at all are being generated I think it's probably get_time_as_integer.
The full logs will really help!
@Anonymous218798721 if you wanted to give this branch a try it might fix your problem - https://github.com/eve-mem/volatility3/tree/linux_bash_issue_1782 - but only if my assumptions are right.
I would really love to see the full log with the current bash plugin as is to really understand.
Here's the diff if that's easier:
diff --git a/volatility3/framework/plugins/linux/bash.py b/volatility3/framework/plugins/linux/bash.py
index 18d9f3bf..56fad6da 100644
--- a/volatility3/framework/plugins/linux/bash.py
+++ b/volatility3/framework/plugins/linux/bash.py
@@ -8,7 +8,7 @@ import datetime
import struct
from typing import List
-from volatility3.framework import constants, renderers, symbols, interfaces
+from volatility3.framework import constants, renderers, symbols, interfaces, exceptions
from volatility3.framework.configuration import requirements
from volatility3.framework.interfaces import plugins
from volatility3.framework.layers import scanners
@@ -22,7 +22,7 @@ class Bash(plugins.PluginInterface, timeliner.TimeLinerInterface):
"""Recovers bash command history from memory."""
_required_framework_version = (2, 0, 0)
- _version = (1, 0, 2)
+ _version = (1, 0, 3)
@classmethod
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
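Review bot: `(1, 0, 2)` to `(1, 0, 3)` is a patch-level bump, but the third hunk of this diff changes the order in which rows are yielded by removing the time sort, which consumers such as the timeliner can observe; if the sort is not restored, a minor version bump would signal that behaviour change better.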
@@ -121,10 +121,26 @@ class Bash(plugins.PluginInterface, timeliner.TimeLinerInterface):
if hist.is_valid():
history_entries.append(hist)
- for hist in sorted(history_entries, key=lambda x: x.get_time_as_integer()):
+ # TODO: Ensure list of history_entries is sorted by time before merging
+ for hist in history_entries:
+ try:
+ pid = task.pid
+ except exceptions.InvalidAddressException:
+ pid = renderers.NotAvailableValue()
+
+ try:
+ time_object = hist.get_time_object()
+ except exceptions.InvalidAddressException:
+ time_object = renderers.NotAvailableValue()
+
+ try:
+ command = hist.get_command()
+ except exceptions.InvalidAddressException:
+ command = renderers.NotAvailableValue()
+
yield (
0,
- (task.pid, task_name, hist.get_time_object(), hist.get_command()),
+ (pid, task_name, time_object, command),
)
def run(self):
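Review bot: dropping `sorted(history_entries, key=lambda x: x.get_time_as_integer())` in favour of `for hist in history_entries:` removes the chronological ordering of the output (the added TODO admits this) in order to dodge an InvalidAddressException raised inside the sort key; the ordering can be kept by sorting with a key that catches the exception and returns 0 for unreadable timestamps, leaving the loop as it was. The `try: pid = task.pid` block also sits inside the per-entry loop although `task.pid` does not depend on `hist`, so it should be read once before the loop. Finally, the traceback posted further down in this thread fails at `task_name = utility.array_to_string(task.comm)` (bash.py line 66), which is above this hunk, so these guards would not reach that failure.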
The error is:
DEBUG volatility.cli: Traceback (most recent call last):
  File /Volatility3-2.11.0/volatility3/cli/__init__.py, line 502, in run
    renderer.render(grid)
  File /Volatility3-2.11.0/volatility3/cli/text_renderer.py, line 230, in render
    grid.populate(visitor, outfd)
  File /Volatility3-2.11.0/volatility3/framework/renderers/__init__.py, line 245, in populate
    for level, item in self.generator:
  File /Volatility3-2.11.0/volatility3/framework/plugins/linux/bash.py, line 66, in _generator
    task_name = utility.array_to_string(task.comm)
  File /Volatility3-2.11.0/volatility3/framework/objects/utility.py, line 41, in array_to_string
    return array.cast("string", max_length=count, errors=errors)
  File /Volatility3-2.11.0/volatility3/framework/interfaces/objects.py, line 89, in cast
    return object_template(context=self.context, info=object_info)
  File /Volatility3-2.11.0/volatility3/framework/objects/templates.py, line 96, in __call__
    return self.vol.object_class)
  File /Volatility3-2.11.0/volatility3/framework/objects/__init__.py, line 352, in __new__
    cls.unmarshall)
  File /Volatility3-2.11.0/volatility3/framework/objects/__init__.py, line 202, in unmarshall
    data=context.layers.read)
  File /Volatility3-2.11.0/volatility3/framework/interfaces/layers.py, line 638, in read
    return self[layer].read(offset, length, pad)
  File /Volatility3-2.11.0/volatility3/framework/layers/linear.py, line 45, in read
    for offset, _, mapped_offset, mapped_length, layer in self.mapping)
  File /Volatility3-2.11.0/volatility3/framework/layers/intel.py, line 351, in _mapping
    chunk_offset, page_size, layer_name = self._translate(offset)
  File /Volatility3-2.11.0/volatility3/framework/layers/intel.py, line 155, in _translate
    entry, position = self._translate_entry(offset)
  File /Volatility3-2.11.0/volatility3/framework/layers/intel.py, line 223, in _translate_entry
    table = self._get_valid_table(base_address)
  File /Volatility3-2.11.0/volatility3/framework/layers/intel.py, line 258, in _get_valid_table
    table = self._context.layers.read
  File /Volatility3-2.11.0/volatility3/framework/interfaces/layers.py, line 638, in read
    return self[layer].read(offset, length, pad)
  File /Volatility3-2.11.0/volatility3/framework/layers/linear.py, line 45, in read
    for offset, _, mapped_offset, mapped_length, layer in self.mapping)
  File /Volatility3-2.11.0/volatility3/framework/layers/segmented.py, line 178, in mapping
    for offset, length, mapped_offset, size, mapped_length, layer in super().mapping)
  File /Volatility3-2.11.0/volatility3/framework/layers/segmented.py, line 101, in mapping
    logic_offset, mapped_offset, size, mapped_size = self._find_segment)
  File /Volatility3-2.11.0/volatility3/framework/layers/segmented.py, line 83, in _find_segment
    raise exceptions.InvalidAddressException)
volatility3.framework.exceptions.InvalidAddressException: invalid address at 23ffff000
If the rest of the output (the beginning) of running the plugin with -vvvvv will help, please note which part, because it's a lot to copy :)
Hello,
Please update to the develop branch where this bug is fixed. Then the issue should go away.
A great example of why the logs are so helpful. Hope that fixes your problem @Anonymous218798721
Hi, so I tried the changes in the bash plugin and it still throws the same InvalidAddressError. I noticed that the bash plugin is based on pslist, and saw that when I'm running the linux.pslist plugin with -vvv I also get InvalidAddressError. When I ran pslist alone, without -vvv, I didn't see this error or any other error. In the pslist output, there is no bash in the processes, suggesting it's not the full output of the plugin, because of the error.
The error from running volatility linux.pslist plugin with -vvvv starts with:
DEBUG volatility.cli: Traceback (most recent call last):
  File /Volatility3-2.11.0/volatility3/cli/__init__.py, line 502, in run
    renderer.render(grid)
  File /Volatility3-2.11.0/volatility3/cli/text_renderer.py, line 230, in render
    grid.populate(visitor, outfd)
  File /Volatility3-2.11.0/volatility3/framework/renderers/__init__.py, line 245, in populate
    for level, item in self.generator:
  File /plugins/linux/pslist.py, line 183, in _generator
    offset, pid, tid, ppid, name, creation_time = self.get_task_fields)
  File /plugins/linux/pslist.py, line 97, in get_task_fields
    pid = task.tgid
  .......
  File /Volatility3-2.11.0/volatility3/framework/layers/segmented.py, line 83, in _find_segment
    raise exceptions.InvalidAddressException)
volatility3.framework.exceptions.InvalidAddressException: invalid address at 13ffff000
When I'm running the pslist and bash plugins on the memory dump from the server I've created the profile from, there are no errors at all.
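Both tracebacks end in segmented.py's _find_segment with a physical address (0x23ffff000 for bash, 0x13ffff000 for pslist) that lies in no segment of the image, so a check a practitioner can run offline is to list the physical ranges the acquisition actually captured and see where the faulting address falls. The script below is an added example, not code from this issue, from volatility3 or from AVML; it assumes the dump is an uncompressed LiME-format image (AVML's default output) with the 32-byte LiME version-1 segment header, builds a small two-segment image in memory as constructed sample input, and checks the 0x13ffff000 address from the pslist traceback against it. The InvalidAddressException class and all function names are the example's own.

```python
"""Map a physical address reported as invalid onto the segments of a LiME image.

Added example (not volatility3 or AVML code). Assumes an uncompressed LiME v1
image: a sequence of (32-byte header, raw segment data) pairs.
"""
import struct
from typing import List, Tuple

LIME_MAGIC = 0x4C694D45                    # "EMiL" when read little-endian
LIME_HEADER_FMT = "<IIQQ8s"                # magic, version, s_addr, e_addr, reserved
LIME_HEADER_SIZE = struct.calcsize(LIME_HEADER_FMT)  # 32 bytes

# (start_phys, end_phys_inclusive, file_offset_of_segment_data)
Segment = Tuple[int, int, int]


class InvalidAddressException(Exception):
    """Stand-in for the exception volatility raises when a page is not in the image."""


def parse_lime_segments(image: bytes) -> List[Segment]:
    """Walk the LiME headers of an uncompressed image and return its physical segments."""
    segments: List[Segment] = []
    pos = 0
    while pos + LIME_HEADER_SIZE <= len(image):
        magic, version, start, end, _reserved = struct.unpack_from(LIME_HEADER_FMT, image, pos)
        if magic != LIME_MAGIC:
            raise ValueError(f"no LiME magic at file offset {pos:#x}")
        if version != 1:
            raise ValueError(f"only uncompressed LiME v1 segments are handled, got version {version}")
        data_offset = pos + LIME_HEADER_SIZE
        segments.append((start, end, data_offset))
        pos = data_offset + (end - start + 1)   # e_addr is inclusive in LiME
    return segments


def find_segment(segments: List[Segment], phys: int) -> Segment:
    """Same idea as a segmented-layer lookup: the segment holding phys, or an error."""
    for seg in segments:
        if seg[0] <= phys <= seg[1]:
            return seg
    raise InvalidAddressException(f"Invalid Address at {phys:x}")


def phys_to_file_offset(segments: List[Segment], phys: int) -> int:
    """Translate a physical address into an offset inside the image file."""
    start, _end, data_offset = find_segment(segments, phys)
    return data_offset + (phys - start)


def gap_report(segments: List[Segment], phys: int) -> str:
    """Say whether phys was captured and, if not, which gap between segments it falls into."""
    try:
        start, end, _ = find_segment(segments, phys)
        return f"{phys:#x} is captured (segment {start:#x}-{end:#x})"
    except InvalidAddressException:
        below = [s for s in segments if s[1] < phys]
        above = [s for s in segments if s[0] > phys]
        low = f"{max(below)[1]:#x}" if below else "start of image"
        high = f"{min(above)[0]:#x}" if above else "end of image"
        return f"{phys:#x} is NOT captured: falls in the gap between {low} and {high}"


def build_sample_image() -> bytes:
    """Constructed image: one 4 KiB segment at physical 0 and one 4 KiB segment at 4 GiB."""
    out = bytearray()
    for start, end in [(0x0, 0xFFF), (0x1_0000_0000, 0x1_0000_0FFF)]:
        out += struct.pack(LIME_HEADER_FMT, LIME_MAGIC, 1, start, end, b"\0" * 8)
        out += b"\x41" * (end - start + 1)       # dummy page contents
    return bytes(out)


if __name__ == "__main__":
    segs = parse_lime_segments(build_sample_image())
    for s in segs:
        print(f"segment {s[0]:#x}-{s[1]:#x} at file offset {s[2]:#x}")
    # 0x13ffff000 is the address from the pslist traceback in this thread
    print(gap_report(segs, 0x13FFFF000))
    print(gap_report(segs, 0x1_0000_0800))
```

Against a real image, feed the file contents (or, for multi-gigabyte dumps, only the header bytes read at the computed offsets) to parse_lime_segments and pass the address from the traceback. An address that falls in a gap between segments, or beyond the last one, means the page was never in the capture, which is consistent with the smear suspicion raised earlier in the thread: the pointer being followed was stale or pointed outside the ranges avml wrote.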
@Anonymous218798721 just to confirm my understanding, on the sample with the invalid address at 13ffff000 error you have issues with both the pslist and the bash plugins?
Could you please try the most recent develop branch as suggested by @atcuno, it looks like you're using 2.11 at the moment.
It should start with a line like this:
Volatility 3 Framework 2.26.2
You can get the most up to date code either downloading a zip file: https://github.com/volatilityfoundation/volatility3/archive/refs/heads/develop.zip
or git cloning the repo:
git clone https://github.com/volatilityfoundation/volatility3.git
@Anonymous218798721 any luck?
Hi, unfortunately it's still not working. Now the pslist and bash plugins don't return any errors. pslist returns 4 extra processes that were not in the output of Volatility3-2.11.0, and the bash plugin returns blank output.
There is no bash or sh in the pslist output, so the bash output is empty, probably because of that. But it doesn't make sense that there won't be bash in pslist.
Two questions:
- Can you make sure you are on the latest GitHub develop commit? A commit recently went in to walk the list in both directions, to help account for this situation.
- Does linux.pidhashtable show the shell process?
- I use the latest version of the development
- linux.pidhashtable indeed shows the sh process
Any idea?
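The bidirectional walk mentioned above, as an added illustration that is not code from volatility3 or from this issue: a forward-only traversal of the kernel's circular task list stops at the first task_struct that sits on a page missing from the image, hiding every process behind it (which is how a shell can be absent from pslist while pidhashtable, which enumerates tasks through the PID hash/IDR rather than the task list, still shows it); walking the same list backwards from init_task as well recovers everything except the unreadable node itself. Memory contents, addresses, PIDs and process names are constructed for the example; the TaskStruct and ToyKernelMemory classes and the InvalidAddressException stand-in are the example's own, not the framework's types.

```python
"""Toy model of walking init_task.tasks in both directions around an unreadable node.

Added example (not volatility3 code). The kernel structures, addresses and the
missing page are all constructed in memory.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


class InvalidAddressException(Exception):
    """Stand-in for the exception volatility raises for a page missing from the image."""


@dataclass
class TaskStruct:
    """Toy task_struct: only the fields the list walk needs."""
    addr: int
    pid: int
    comm: str
    tasks_next: int   # address of the next task_struct on the tasks list
    tasks_prev: int   # address of the previous one


class ToyKernelMemory:
    """addr -> task_struct, plus a set of 4 KiB pages that are absent from the image."""

    def __init__(self, tasks: List[TaskStruct], missing_pages: Set[int]):
        self._tasks: Dict[int, TaskStruct] = {t.addr: t for t in tasks}
        self._missing = missing_pages

    def read_task(self, addr: int) -> TaskStruct:
        if (addr >> 12) in self._missing:
            raise InvalidAddressException(f"Invalid Address at {addr:x}")
        return self._tasks[addr]


def walk_tasks(mem: ToyKernelMemory, head: int, forward: bool) -> List[TaskStruct]:
    """Follow next (or prev) pointers from head until the list wraps or a node is unreadable."""
    seen: Set[int] = set()
    found: List[TaskStruct] = []
    cur = head
    while cur not in seen:
        seen.add(cur)
        try:
            task = mem.read_task(cur)
        except InvalidAddressException:
            break            # a one-directional walk stops dead here
        found.append(task)
        cur = task.tasks_next if forward else task.tasks_prev
    return found


def walk_tasks_both_ways(mem: ToyKernelMemory, init_task: int) -> List[TaskStruct]:
    """Union of the forward and backward walks: one unreadable node hides only itself."""
    merged: Dict[int, TaskStruct] = {}
    for task in walk_tasks(mem, init_task, True) + walk_tasks(mem, init_task, False):
        merged.setdefault(task.addr, task)
    return sorted(merged.values(), key=lambda t: t.pid)


INIT_TASK = 0xFFFF888000010000   # constructed address of the swapper task


def build_sample_memory() -> ToyKernelMemory:
    """Constructed circular list: swapper -> systemd -> sshd -> bash -> avml -> swapper.
    The page holding sshd is marked missing, as if the acquisition never captured it."""
    addrs = [INIT_TASK, 0xFFFF888001000000, 0xFFFF888002000000,
             0xFFFF888003000000, 0xFFFF888004000000]
    names = [(0, "swapper/0"), (1, "systemd"), (1200, "sshd"), (1234, "bash"), (1300, "avml")]
    n = len(addrs)
    tasks = [TaskStruct(addrs[i], pid, comm, addrs[(i + 1) % n], addrs[(i - 1) % n])
             for i, (pid, comm) in enumerate(names)]
    return ToyKernelMemory(tasks, missing_pages={addrs[2] >> 12})


def pids(tasks: List[TaskStruct]) -> List[int]:
    return [t.pid for t in tasks]


if __name__ == "__main__":
    mem = build_sample_memory()
    print("forward only :", pids(walk_tasks(mem, INIT_TASK, True)))    # bash never reached
    print("backward only:", pids(walk_tasks(mem, INIT_TASK, False)))
    print("both ways    :", pids(walk_tasks_both_ways(mem, INIT_TASK)))
```

The forward walk here returns only swapper and systemd, so bash is missing exactly as in the pslist output described above; the merged walk lists bash and avml and loses only sshd, whose page is the one the image does not contain. A node that is unreadable from both directions still disappears, which is why cross-checking against a second source such as pidhashtable remains worthwhile.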