
Fix: get VAD parent offset format for x64 tree structure. #731

Closed

Conversation

digitalisx
Contributor

Description

Hello, everyone in the community. 🙂
I discovered one peculiarity while implementing the VADWalk plugin and VADTree plugin (incomplete).
The offset of the VAD parent node (get_parent method) is returned in a different format in the x64 environment.
Below is an example.

Running on x86 memory dump

> python3 vol.py -f 32.vmem -r pretty windows.vadwalk --pid=4708
Volatility 3 Framework 2.1.0
Formatting...0.00               PDB scanning finished                        
  |  PID |      Process |     Offset |     Parent |       Left |      Right |      Start |        End |  Tag
* | 4708 | rundll32.exe | 0x9db10a00 |        0x0 | 0x9db10168 | 0x9db110e0 | 0x75df0000 | 0x76001fff | Vad 
* | 4708 | rundll32.exe | 0x9db10168 | 0x9db10a00 | 0x9db10110 | 0x9d0c14a0 |   0xa70000 |   0xa83fff | Vad 
* | 4708 | rundll32.exe | 0x9db10110 | 0x9db10168 | 0x9db10bb8 | 0x9654d6a0 |   0x890000 |   0x893fff | Vad 
* | 4708 | rundll32.exe | 0x9db10bb8 | 0x9db10110 | 0x9db10b08 | 0xa1ccaaf0 |   0x830000 |   0x84cfff | Vad 
* | 4708 | rundll32.exe | 0x9db10b08 | 0x9db10bb8 |        0x0 | 0xa1ccb0c0 |   0x810000 |   0x81ffff | Vad 
* | 4708 | rundll32.exe | 0xa1ccb0c0 | 0x9db10b08 |        0x0 |        0x0 |   0x820000 |   0x823fff | VadS
* | 4708 | rundll32.exe | 0xa1ccaaf0 | 0x9db10bb8 |        0x0 |        0x0 |   0x850000 |   0x88ffff | VadS

Running on x64 memory dump

> python3 vol.py -f 64.vmem -r pretty windows.vadwalk --pid=936
Volatility 3 Framework 2.1.0
Formatting...0.00               PDB scanning finished                        
  | PID |     Process |         Offset |             Parent |           Left |          Right |          Start |            End |  Tag
* | 936 | svchost.exe | 0x97065f37d6d0 |                0x0 | 0x97065f37e170 | 0x97065f37f6b0 | 0x7df52b8f0000 | 0x7df52b8f0fff | Vad 
* | 936 | svchost.exe | 0x97065f37e170 | 0xffff97065f37d6d0 | 0x97065f5df130 | 0x97065f5e0080 |  0x1e5bee50000 |  0x1e5bee50fff | Vad 
* | 936 | svchost.exe | 0x97065f5df130 | 0xffff97065f37e170 | 0x97065f3ca450 | 0x97065fe4cc40 |   0x59d2680000 |   0x59d26fffff | VadS
* | 936 | svchost.exe | 0x97065f3ca450 | 0xffff97065f5df130 | 0x97065f3c8420 | 0x97065f5debe0 |   0x59d1e00000 |   0x59d1efffff | VadS
* | 936 | svchost.exe | 0x97065f3c8420 | 0xffff97065f3ca450 | 0x97065f3c7ed0 | 0x97065f3c9190 |   0x59d1600000 |   0x59d17fffff | VadS
* | 936 | svchost.exe | 0x97065f3c7ed0 | 0xffff97065f3c8420 | 0x97065f3c82e0 | 0x97065f3c7de0 |     0x7ffe2000 |     0x7ffe2fff | VadS
* | 936 | svchost.exe | 0x97065f3c82e0 | 0xffff97065f3c7ed0 |            0x0 |            0x0 |     0x7ffe0000 |     0x7ffe0fff | VadS

In order for the VADTree to take the form we expect and reach the user intuitively, we think it is necessary to match the output form of the addresses. So I added a bitwise operation to satisfy both x86 and x64.

Fix result

> python3 vol.py -f 64.vmem -r pretty windows.vadwalk --pid=936
Volatility 3 Framework 2.1.0
Formatting...0.00               PDB scanning finished                        
  | PID |     Process |         Offset |         Parent |           Left |          Right |          Start |            End |  Tag
* | 936 | svchost.exe | 0x97065f37d6d0 |            0x0 | 0x97065f37e170 | 0x97065f37f6b0 | 0x7df52b8f0000 | 0x7df52b8f0fff | Vad 
* | 936 | svchost.exe | 0x97065f37e170 | 0x97065f37d6d0 | 0x97065f5df130 | 0x97065f5e0080 |  0x1e5bee50000 |  0x1e5bee50fff | Vad 
* | 936 | svchost.exe | 0x97065f5df130 | 0x97065f37e170 | 0x97065f3ca450 | 0x97065fe4cc40 |   0x59d2680000 |   0x59d26fffff | VadS
* | 936 | svchost.exe | 0x97065f3ca450 | 0x97065f5df130 | 0x97065f3c8420 | 0x97065f5debe0 |   0x59d1e00000 |   0x59d1efffff | VadS
* | 936 | svchost.exe | 0x97065f3c8420 | 0x97065f3ca450 | 0x97065f3c7ed0 | 0x97065f3c9190 |   0x59d1600000 |   0x59d17fffff | VadS
* | 936 | svchost.exe | 0x97065f3c7ed0 | 0x97065f3c8420 | 0x97065f3c82e0 | 0x97065f3c7de0 |     0x7ffe2000 |     0x7ffe2fff | VadS

Tree Example

Before fix (Invalid VAD Tree)
> python3 vol.py -f case.vmem -r pretty windows.vadtree --pid=936
Volatility 3 Framework 2.1.0
Formatting...0.00               PDB scanning finished                        
  | PID |     Process |         Offset |   Type |          Start |            End |  Tag
* | 936 | svchost.exe | 0x97065f37d6d0 |   File | 0x7df52b8f0000 | 0x7df52b8f0fff | Vad 
* | 936 | svchost.exe | 0x97065f37e170 |   File |  0x1e5bee50000 |  0x1e5bee50fff | Vad 
* | 936 | svchost.exe | 0x97065f5df130 |    N/A |   0x59d2680000 |   0x59d26fffff | VadS
* | 936 | svchost.exe | 0x97065f3ca450 |    N/A |   0x59d1e00000 |   0x59d1efffff | VadS

After fix (Valid VAD Tree)
> python3 vol.py -f 64.vmem -r pretty windows.vadtree --pid=936
Volatility 3 Framework 2.1.0
Formatting...0.00               PDB scanning finished                        
          | PID |     Process |         Offset |   Type |          Start |            End |  Tag
*         | 936 | svchost.exe | 0x97065f37d6d0 |   File | 0x7df52b8f0000 | 0x7df52b8f0fff | Vad 
**        | 936 | svchost.exe | 0x97065f37e170 |   File |  0x1e5bee50000 |  0x1e5bee50fff | Vad 
***       | 936 | svchost.exe | 0x97065f5df130 |    N/A |   0x59d2680000 |   0x59d26fffff | VadS
****      | 936 | svchost.exe | 0x97065f3ca450 |    N/A |   0x59d1e00000 |   0x59d1efffff | VadS
*****     | 936 | svchost.exe | 0x97065f3c8420 |    N/A |   0x59d1600000 |   0x59d17fffff | VadS
******    | 936 | svchost.exe | 0x97065f3c7ed0 |    N/A |     0x7ffe2000 |     0x7ffe2fff | VadS
*******   | 936 | svchost.exe | 0x97065f3c82e0 |    N/A |     0x7ffe0000 |     0x7ffe0fff | VadS
*******   | 936 | svchost.exe | 0x97065f3c7de0 |    N/A |   0x59d1480000 |   0x59d14fffff | VadS
********  | 936 | svchost.exe | 0x9706618347c0 |    N/A |   0x59d1500000 |   0x59d15fffff | VadS

@digitalisx
Contributor Author

This PR is related to another PR, #727.

@paulkermann
Contributor

@digitalisx won't this be a problem for 32 bit systems if you just subtract 0xffff000000000000 regardless of architecture?

@digitalisx
Contributor Author

digitalisx commented May 11, 2022

@digitalisx won't this be a problem for 32 bit systems if you just subtract 0xffff000000000000 regardless of architecture?

Hello @paulkermann, thank you for your interest in my PR.
I ran it on both x86 and x64 architectures to verify the calculations. The example is as follows.

> python3 vol.py -f 32.vmem -r pretty windows.vadwalk --pid=4708
Volatility 3 Framework 2.1.1
Formatting...0.00		PDB scanning finished
  |  PID |      Process |     Offset |     Parent |       Left |      Right |      Start |        End |  Tag
* | 4708 | rundll32.exe | 0x9db10a00 |        0x0 | 0x9db10168 | 0x9db110e0 | 0x75df0000 | 0x76001fff | Vad
* | 4708 | rundll32.exe | 0x9db10168 | 0x9db10a00 | 0x9db10110 | 0x9d0c14a0 |   0xa70000 |   0xa83fff | Vad
* | 4708 | rundll32.exe | 0x9db10110 | 0x9db10168 | 0x9db10bb8 | 0x9654d6a0 |   0x890000 |   0x893fff | Vad
* | 4708 | rundll32.exe | 0x9db10bb8 | 0x9db10110 | 0x9db10b08 | 0xa1ccaaf0 |   0x830000 |   0x84cfff | Vad
* | 4708 | rundll32.exe | 0x9db10b08 | 0x9db10bb8 |        0x0 | 0xa1ccb0c0 |   0x810000 |   0x81ffff | Vad
* | 4708 | rundll32.exe | 0xa1ccb0c0 | 0x9db10b08 |        0x0 |        0x0 |   0x820000 |   0x823fff | VadS
* | 4708 | rundll32.exe | 0xa1ccaaf0 | 0x9db10bb8 |        0x0 |        0x0 |   0x850000 |   0x88ffff | VadS

Please let me know if you have any other good ideas; I will check them!

@ikelos
Member

ikelos commented May 29, 2022

Could you please consider submitting the vadwalk and vadtree plugins? I've looked at adding an equality method between pointers that will show them as the same as long as their layers and masked values match, however that seems to cause additional problems I haven't managed to pin down yet. I admit this is a gotcha for people to be aware of, but removing a fixed value that isn't based on the layer's information about how long a valid pointer can be isn't the right way of fixing the problem. The easiest solution is making the plugins aware of how to correctly form the tree based on masking the pointers, but without the plugins you're using for testing it's difficult to advise on that.

@digitalisx
Contributor Author

@ikelos Thank you for your interest in this PR.
VADWalk has already been submitted (#727), but VADTree has not been submitted yet because some of its logic has not been completely migrated (the logic that separates Heap, Stack, and File).
However, the key point is printing it out in the form of a tree, so I think there will be no problem with actual use.
I'm very happy that you are paying attention to my problems and thinking about them together.
VADTree will be submitted as a separate PR right away, and if you need anything, please leave a thread anytime.

@digitalisx
Contributor Author

The VADTree plugin exists as a draft PR because it is not ready yet (#753).

@digitalisx
Contributor Author

With the help of @ikelos, we can use addresses cleanly without touching the core.
Address processing for the address mask will be handled by each plugin whenever necessary.

Thank you to all the contributors who commented and reviewed. 🙌

@digitalisx digitalisx closed this May 29, 2022
@digitalisx digitalisx deleted the fix/vad-parent branch May 29, 2022 23:51
@ikelos
Member

ikelos commented Jan 26, 2023

PR #905 has been opened to allow converting between canonicalized and decanonicalized addresses; this doesn't shift the underlying means that some will rely on for how volatility works (notably address space scanning, etc), but will allow those that wish to work in a purely canonical space to do so.
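The masking that ikelos describes, as an added example written for this page and not code from the Volatility project or from either PR: it assumes a 48-bit virtual address width (so a layer mask of 0xffffffffffff; a real plugin would take the mask from the layer rather than hard-code it), and the node rows are constructed from the vadwalk tables shown above. It shows why the parent links only resolve once both sides are masked, that the same masking is a no-op on the x86 rows, and why the constant subtraction paulkermann asks about goes wrong on 32-bit pointers.

```python
"""Pointer masking for VAD parent links (added example, not Volatility code).

Assumptions, not taken from the PR: a 48-bit virtual address width, so the
layer's address mask is 0xffffffffffff and a canonical x64 pointer
sign-extends bit 47 to give the 0xffff... prefix seen in the Parent column.
A real plugin would read the mask from the layer instead of hard-coding it.
"""

ADDRESS_BITS = 48                        # assumed width of a valid x64 virtual address
ADDRESS_MASK = (1 << ADDRESS_BITS) - 1   # stands in for the layer's address mask
X86_MASK = 0xFFFFFFFF                    # 32-bit layer: masking is a no-op on its pointers
U64 = (1 << 64) - 1


def decanonicalize(addr: int, mask: int = ADDRESS_MASK) -> int:
    """Drop the sign-extension bits, leaving the layer-sized offset."""
    return addr & mask


def canonicalize(addr: int, bits: int = ADDRESS_BITS) -> int:
    """Sign-extend bit (bits-1) to 64 bits, the inverse of decanonicalize."""
    mask = (1 << bits) - 1
    addr &= mask
    if addr & (1 << (bits - 1)):          # kernel half: replicate the top bit upward
        return addr | (~mask & U64)
    return addr


def same_pointer(a: int, b: int, mask: int = ADDRESS_MASK) -> bool:
    """Pointer equality on the layer: compare masked values, not raw ints."""
    return (a & mask) == (b & mask)


def fixed_subtract(addr: int) -> int:
    """The constant subtraction paulkermann questions: right only when the
    pointer actually carries the 0xffff prefix, negative for x86 pointers."""
    return addr - 0xFFFF000000000000


# Constructed sample rows, copied from the vadwalk tables in the PR: the
# Offset column is already masked, the Parent column is what get_parent returns.
X64_NODES = [
    dict(offset=0x97065F37D6D0, parent=0x0,                left=0x97065F37E170, right=0x97065F37F6B0),
    dict(offset=0x97065F37E170, parent=0xFFFF97065F37D6D0, left=0x97065F5DF130, right=0x97065F5E0080),
    dict(offset=0x97065F5DF130, parent=0xFFFF97065F37E170, left=0x97065F3CA450, right=0x97065FE4CC40),
    dict(offset=0x97065F3CA450, parent=0xFFFF97065F5DF130, left=0x97065F3C8420, right=0x97065F5DEBE0),
]
X86_NODES = [
    dict(offset=0x9DB10A00, parent=0x0,        left=0x9DB10168, right=0x9DB110E0),
    dict(offset=0x9DB10168, parent=0x9DB10A00, left=0x9DB10110, right=0x9D0C14A0),
    dict(offset=0x9DB10110, parent=0x9DB10168, left=0x9DB10BB8, right=0x9654D6A0),
]


def tree_depths(nodes: list, mask: int) -> dict:
    """Map each node offset to its depth (root = 1, i.e. one '*' in vadtree output)
    by following masked parent links. Raises ValueError when a parent link does
    not resolve, which is exactly what an unmasked x64 parent does."""
    by_offset = {n["offset"] & mask: n for n in nodes}
    depths = {}
    for node in nodes:
        depth, cur, seen = 1, node, set()
        while cur["parent"] & mask:
            parent_off = cur["parent"] & mask
            if parent_off not in by_offset or parent_off in seen:
                raise ValueError(f"parent {cur['parent']:#x} of {cur['offset']:#x} not found")
            seen.add(parent_off)
            cur = by_offset[parent_off]
            depth += 1
        depths[node["offset"]] = depth
    return depths


def tree_is_consistent(nodes: list, mask: int) -> bool:
    """True when every parent link resolves to a node under the given mask."""
    try:
        tree_depths(nodes, mask)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("x64 without masking consistent:", tree_is_consistent(X64_NODES, U64))
    print("x64 with layer mask consistent:", tree_is_consistent(X64_NODES, ADDRESS_MASK))
    for off, depth in tree_depths(X64_NODES, ADDRESS_MASK).items():
        print(f"{'*' * depth:<6} {off:#x}")
    print("x86 parent after fixed subtraction:", hex(fixed_subtract(X86_NODES[1]["parent"])))
```

Running the block prints the x64 rows with the same one-star-per-level layout as the "After fix" vadtree output, and shows the fixed subtraction turning the x86 parent 0x9db10a00 into a negative number, which is the case a layer-supplied mask avoids.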
