
debugregisters plugin breaks on internal Integer type vs int

Open atcuno opened this issue 6 months ago • 4 comments

@ikelos I am very confused by this. I was using the debugregisters plugin and ran into the following traceback. In all the testing I have done with Vol3, I have never seen an error like this..

My first thought was that "shouldn't this be an int after being read?" as we try to avoid int() calls on members.. so I really don't understand what's going on or what the fix would be (should the validator code throwing the error accept Vol3's Integer instances??)

$ python3 vol.py -f data.lime windows.debugregisters
Volatility 3 Framework 2.26.2
Process	PID	TID	State	Dr7	Dr0	Range0	Symbol0	Dr1	Range1	Symbol1	Dr2	Range2	Symbol2	Dr3	Range3	Symbol3
Traceback (most recent call last):
  File "vol.py", line 11, in <module>
    volatility3.cli.main()
  File "/home/fs/volatility3/volatility3/cli/__init__.py", line 927, in main
    CommandLine().run()
  File "/home/fs/volatility3/volatility3/cli/__init__.py", line 515, in run
    renderer.render(grid)
  File "/home/fs/volatility3/volatility3/cli/text_renderer.py", line 330, in render
    grid.populate(visitor, outfd)
  File "/home/fs/volatility3/volatility3/framework/renderers/__init__.py", line 317, in populate
    for level, item in self._generator:
  File "/home/fs/volatility3/volatility3/framework/plugins/windows/debugregisters.py", line 150, in _generator
    file0, sym0 = path_and_symbol(vads, dr0)
  File "/home/fs/volatility3/volatility3/framework/plugins/windows/pe_symbols.py", line 459, in path_and_symbol_for_address
    found_symbols, _missing_symbols = PESymbols.find_symbols(
  File "/home/fs/volatility3/volatility3/framework/plugins/windows/pe_symbols.py", line 836, in find_symbols
    ) = PESymbols._resolve_symbols_through_methods(
  File "/home/fs/volatility3/volatility3/framework/plugins/windows/pe_symbols.py", line 762, in _resolve_symbols_through_methods
    remaining = PESymbols._validate_wanted_modules(wanted)
  File "/home/fs/volatility3/volatility3/framework/plugins/windows/pe_symbols.py", line 724, in _validate_wanted_modules
    raise ValueError(
ValueError: The requested address has a type of <class 'volatility3.framework.objects.Integer'> which is not in the allowed set of [<class 'int'>, <class 'volatility3.framework.objects.Pointer'>]

atcuno avatar Jun 10 '25 14:06 atcuno

It looks like it's because we're explicitly checking the type with type(thing) == .... That should be isinstance which can take a tuple/list

ikelos avatar Jun 10 '25 14:06 ikelos

So instead of and type(symbol_info) not in valid_address_types we probably want and not isinstance(symbol_info, valid_address_types)

ikelos avatar Jun 10 '25 14:06 ikelos

(Same for valid_name_types just above it)

ikelos avatar Jun 10 '25 14:06 ikelos

That may not work if the types passed in are strings rather than the actual types, but I wouldn't expect the error message to list classes if they were just string representations.

ikelos avatar Jun 10 '25 14:06 ikelos
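
Added example, not part of the thread and not volatility3's code: a minimal reproduction of the exact-type check from the traceback next to the isinstance form suggested above, including the case where the allowed types are given as strings. The Integer and Pointer classes, the validator names and the sample values are stand-ins, and Integer is assumed to subclass int.

```python
# Added illustration; Integer and Pointer are stand-ins, not volatility3's classes.

class Integer(int):
    """Stand-in for a framework integer object; assumed to subclass int."""


class Pointer(Integer):
    """Stand-in for a framework pointer object."""


VALID_ADDRESS_TYPES = [int, Pointer]  # same allowed set as in the error message


def validate_exact(value, allowed=VALID_ADDRESS_TYPES):
    """Exact-type test: a subclass passes only if it is itself listed."""
    if type(value) not in allowed:
        raise ValueError(f"type {type(value)} is not in the allowed set of {allowed}")
    return value


def validate_isinstance(value, allowed=VALID_ADDRESS_TYPES):
    """Subclass-aware test: anything derived from an allowed type passes."""
    # isinstance() takes a type or a tuple of types, so convert the list first.
    if not isinstance(value, tuple(allowed)):
        raise ValueError(f"type {type(value)} is not in the allowed set of {allowed}")
    return value


def accepted(validator, value, allowed=VALID_ADDRESS_TYPES):
    """Return True if the validator lets the value through, False on ValueError."""
    try:
        validator(value, allowed)
        return True
    except ValueError:
        return False


def string_types_break_isinstance():
    """Type names given as strings make isinstance() raise TypeError."""
    try:
        accepted(validate_isinstance, 0x401000, ["int", "Pointer"])
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    dr0 = Integer(0x7FFE0000)  # constructed sample register value
    print("exact:", accepted(validate_exact, dr0))            # False
    print("isinstance:", accepted(validate_isinstance, dr0))  # True
```
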