
GetSIDs Issue

Open grook14 opened this issue 2 years ago • 9 comments

Describe the bug

Running the plugin windows.getsids.GetSIDs causes the following error to show on the console. I have tried this plugin on multiple processes on the RAM image I am analyzing. Other plugins I have run successfully: DllList, PsList, PsScan, CmdLine... This one is the only issue I am having so far. I have also been able to run this plugin on other images successfully.

Context

Volatility Version: Volatility 3 Framework 2.0.1
Operating System: Linux Ubuntu "20.04 LTS (Focal Fossa)"
Python Version: 3.8.10
Suspected Operating System: Windows 11
Command: vol.py -f <RAM IMAGE> -r pretty windows.getsids.GetSIDs --pid <#>

To Reproduce

Steps to reproduce the behavior:

  1. Simply run the above command.

Expected behavior

Should receive which user on the system is responsible for that process as well as other group info from that user.

Example output:

PID   Process         SID      Name
1000  BadProcess.exe  s-1-1-0  Everyone


Additional information

Appreciate all you do!

Attachment: VolError.txt

grook14 avatar Jul 06 '23 20:07 grook14

Hi, that's very interesting!

It looks like the symbols for your version of Windows don't include some parts that this plugin is expecting. That's why the other plugins work, but you have issues with this one.

Do you know what version of windows it is exactly? If needed would it be possible to share the memory sample?

eve-mem avatar Jul 06 '23 21:07 eve-mem

Ah ok. That makes sense.

I can find that out. And no, I apologize, but that is not something I will be able to do.

grook14 avatar Jul 06 '23 21:07 grook14

That's perfectly understandable, re sharing, so don't worry.

The version information will be very useful in terms of being able to recreate the issue. If you generate a config file with vol (--save-config) it will include the exact symbols that are being used. I don't think any parts of the config are sensitive, apart from paths and file names if they are particularly revealing.

eve-mem avatar Jul 06 '23 21:07 eve-mem

Thank you!

Do you just attach the --save-config onto the command I listed above?

grook14 avatar Jul 06 '23 21:07 grook14

You can add it anywhere before* the plugin name; I normally do it first.

vol.py --save-config myconfigfile.json -f <RAM IMAGE> -r pretty windows.getsids.GetSIDs --pid <#>

*Arguments after the plugin name are used for the plugin, so all the generic arguments need to go before.

eve-mem avatar Jul 06 '23 21:07 eve-mem

Hi there, so the registry is a complex tree structure that has many different types of nodes. The node type that can have child nodes (subkeys) is called a CM_KEY_NODE. When the registry code parses through this tree it reads the information from the registry to determine what type of node it is and casts it that way, so that the get_subkeys method would be present. In this instance it seems to be calling it on a _CELL_DATA type object, which is the default (often when it can't find or determine what type of node it is). This suggests either a problem with the data it's trying to interpret, or a case we haven't encountered in our registry handling code.

Unfortunately, to figure out what's going on we'd probably need to take a closer look at the image, which I realize may not be possible if it contains sensitive information. Would you be able to share the image with us so we could investigate it further?

If not then, you could try to use the registry.printkey plugin to check the Microsoft\\Windows NT\\CurrentVersion\\ProfileList key of the software hive to see if there's a particular key it fails on? This might also be a case where we just don't catch enough exceptions and this is expected and something we should skip past, but I'd prefer to verify what's going on before we go that far.

ikelos avatar Jul 09 '23 21:07 ikelos
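The cast-by-signature logic ikelos describes, as an added example written for this page (it is not volatility3's own registry layer): a minimal hive walker over a constructed in-memory hive. The cell layout, the 'nk' record field offsets and the 'lf' subkey-list format follow the on-disk hive format, but the offsets are relative to the buffer rather than to the first hbin, the name hashes are left zero, and CellData, KeyNode and SubkeyList are stand-ins for the framework's own types. One entry in CurrentVersion's subkey list is deliberately a cell with no recognisable signature; walking with skip_bad=False calls get_subkeys() on the fallback type and fails the way the thread describes, while skip_bad=True skips that cell, records its offset, and still reaches ProfileList.

```python
import struct
from typing import Iterator, List, Tuple, Union

# Constructed sample hive: offsets are relative to this buffer (a real hive counts
# from the first hbin), and only the fields the walker reads are populated.

def _alloc(buf: bytearray, payload: bytes) -> int:
    """Append an allocated cell (negative int32 size, 8-byte aligned); return its offset."""
    size, off = (4 + len(payload) + 7) & ~7, len(buf)
    buf += struct.pack("<i", -size) + payload.ljust(size - 4, b"\0")
    return off

def _nk(name: bytes, n_subkeys: int, list_off: int) -> bytes:
    """Build a CM_KEY_NODE ('nk') record at the real field offsets."""
    rec = bytearray(0x4C)
    rec[0:2] = b"nk"
    struct.pack_into("<H", rec, 0x02, 0x20)       # KEY_COMP_NAME: ASCII key name
    struct.pack_into("<I", rec, 0x14, n_subkeys)  # stable subkey count
    struct.pack_into("<I", rec, 0x1C, list_off)   # stable subkey list offset
    struct.pack_into("<H", rec, 0x48, len(name))  # key name length
    return bytes(rec) + name

def _lf(child_offs: List[int]) -> bytes:
    # 'lf' list: signature, count, then (offset, 4-byte name hash) pairs; hash unused here
    entries = b"".join(struct.pack("<I", o) + b"\0" * 4 for o in child_offs)
    return struct.pack("<2sH", b"lf", len(child_offs)) + entries

def build_sample_hive() -> Tuple[bytes, int, int]:
    """Return (hive, root_offset, damaged_offset): CurrentVersion's subkey list
    points at one cell with no recognisable signature as well as at ProfileList."""
    buf = bytearray()
    profilelist = _alloc(buf, _nk(b"ProfileList", 0, 0xFFFFFFFF))
    damaged = _alloc(buf, b"\x00\x00" + b"\xAA" * 14)
    currentversion = _alloc(buf, _nk(b"CurrentVersion", 2, _alloc(buf, _lf([damaged, profilelist]))))
    windowsnt = _alloc(buf, _nk(b"Windows NT", 1, _alloc(buf, _lf([currentversion]))))
    microsoft = _alloc(buf, _nk(b"Microsoft", 1, _alloc(buf, _lf([windowsnt]))))
    root = _alloc(buf, _nk(b"ROOT", 1, _alloc(buf, _lf([microsoft]))))
    return bytes(buf), root, damaged

class CellData:
    """Fallback for a cell whose signature is unknown: no name, no get_subkeys()."""
    def __init__(self, off: int, sig: bytes):
        self.offset, self.signature = off, sig

class SubkeyList:
    def __init__(self, data: bytes):
        self.sig, count = data[:2], struct.unpack_from("<H", data, 2)[0]
        stride = 8 if self.sig in (b"lf", b"lh") else 4  # 'li'/'ri' hold bare offsets
        self.entries = [struct.unpack_from("<I", data, 4 + i * stride)[0] for i in range(count)]

class KeyNode:
    def __init__(self, hive: bytes, off: int, data: bytes):
        self.hive, self.offset, self.skipped = hive, off, []  # skipped: non-key child offsets
        self.subkey_count, _, self.list_offset = struct.unpack_from("<III", data, 0x14)
        name_len = struct.unpack_from("<H", data, 0x48)[0]
        self.name = data[0x4C:0x4C + name_len].decode("latin-1")
    def get_subkeys(self, skip_bad: bool = True) -> Iterator[Union["KeyNode", CellData]]:
        if self.subkey_count:
            yield from self._walk(self.list_offset, skip_bad)
    def _walk(self, list_off: int, skip_bad: bool):
        lst = cast_cell(self.hive, list_off)
        if not isinstance(lst, SubkeyList):
            raise ValueError(f"cell {list_off:#x} is a {type(lst).__name__}, not a subkey list")
        for off in lst.entries:
            if lst.sig == b"ri":  # 'ri' is a list of lists
                yield from self._walk(off, skip_bad)
                continue
            child = cast_cell(self.hive, off)
            if isinstance(child, KeyNode) or not skip_bad:
                yield child  # with skip_bad=False a CellData escapes to the caller
            else:
                self.skipped.append(off)

def cast_cell(hive: bytes, off: int):
    """Read one cell and cast it by signature; anything unknown becomes CellData."""
    size = struct.unpack_from("<i", hive, off)[0]
    if size >= 0:
        raise ValueError(f"cell {off:#x} is free, not allocated")
    data = hive[off + 4:off - size]
    if data[:2] == b"nk":
        return KeyNode(hive, off, data)
    if data[:2] in (b"lf", b"lh", b"li", b"ri"):
        return SubkeyList(data)
    return CellData(off, data[:2])

def collect_paths(node, skip_bad: bool = True, prefix: str = "", skipped=None) -> List[str]:
    """Depth-first key paths under node; offsets of skipped cells are appended to `skipped`."""
    skipped = [] if skipped is None else skipped
    children = list(node.get_subkeys(skip_bad))  # AttributeError here if node is a CellData
    skipped.extend(node.skipped)
    path = f"{prefix}\\{node.name}" if prefix else node.name
    return [path] + [p for c in children for p in collect_paths(c, skip_bad, path, skipped)]

def walk_error(hive: bytes, root_off: int) -> str:
    """Reproduce the thread's failure mode: walk without checking what the cast returned."""
    try:
        collect_paths(cast_cell(hive, root_off), skip_bad=False)
        return ""
    except AttributeError as exc:
        return str(exc)

if __name__ == "__main__":
    hive, root_off, damaged = build_sample_hive()
    print("unchecked walk:", walk_error(hive, root_off))
    print(*collect_paths(cast_cell(hive, root_off)), sep="\n")
```

The check that matters is the isinstance test in _walk: a cast that falls through to the default type must not be handed to code that assumes a key node. Recording the skipped offsets (rather than silently dropping them) keeps the evidence an analyst would need to go back and look at the cell that failed to cast, which is the verification step ikelos asks for before turning this into a blanket exception catch.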

@eve-mem - The save config command you gave me has not worked unfortunately. It tells me to pick an actual plugin. Maybe I am missing something, but I copied your command and filled in the blanks.

@ikelos - I was able to run the windows.registry.printkey plugin and it ran successfully. But the Microsoft\\Windows NT\\CurrentVersion\\ProfileList was not present in the results.

Apologies for the late replies as well!

grook14 avatar Jul 20 '23 22:07 grook14

@grook14 please could you attach the config so we can check it over. It's possible that the plugin you're trying either does or doesn't use the newer module requirement, in which case it might need tweaking to make it work. If the registry key wasn't present in the output, that might cause the issue you saw (it's the first key the plugin tries). It's not clear whether it's looking in the wrong hive or if there's some other issue. It's very difficult to debug this kind of problem remotely unfortunately. Would you be able to make the memory image available to us to investigate it further? If not, we can try and find further tests you can run to figure out what's going wrong?

ikelos avatar Jul 23 '23 20:07 ikelos

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] avatar Feb 09 '24 01:02 github-actions[bot]

This issue was closed because it has been inactive for 60 days since being marked as stale.

github-actions[bot] avatar Apr 09 '24 01:04 github-actions[bot]