Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Better page faulting with swap file support #772

Closed
wants to merge 212 commits into from
Closed

Better page faulting with swap file support #772

wants to merge 212 commits into from

Conversation

paulkermann
Copy link
Contributor

Handle swap entries more correctly.
I have removed the # Handle transition page thing because transition is handle via _page_is_valid which is overrided by the WindowsMixin anyways.
@f-block - I hope you can test this PR to see if it works for you. I have tested it using the dump you have provided me and it seems to work. I hope you have a better setup for this.

gcmoreira and others added 30 commits December 2, 2021 17:38
@gcmoreira
Fixed exceptions.elf reference
ccd4c1b
@gcmoreira
Add the Linux mountinfo module.
e8fa6e1
@gcmoreira
Cleaning space issues
a1d145c
@gcmoreira
Removed --all-process and added --mntns.
fcf9983
@gcmoreira
Bump framework and plugin required minor version
f23b288
@gcmoreira
Added changes to the Linux pslist and pstree plugins to be able to sh…
16cb449 
…ow user threads.
@gcmoreira
Fixing constant module and reference comment
86d3785
@gcmoreira
Moving thread type check methods to the task object
39c97b8
@atcuno
Add the psaux plugin for Linux command line argument listing
338fcdd
@cpuu
Add offset information in pslist plugin for Linux
8bcb7b4
@digitalisx
Initialize MBR Parser
06961ce
@digitalisx
Configuration Yara Rules
7570e82
@samuelzurowski
Added task_struct function to get each task_struct from the thread_no…
68903c6 
…des structure
@samuelzurowski
Changed named and used thread_group instead to ensure all threads are…
4087236 
… grabbed
@digitalisx
Merge branch 'volatilityfoundation:develop' into feature/mbr-parser
9eb93bb
@digitalisx
Update Symbol Table, Load Physical Layer
acc3f6f
@digitalisx
Merge branch 'feature/mbr-parser' of https://github.com/Digitalisx/vo…
7ff2572 
…latility3 into feature/mbr-parser
@digitalisx
Update MBR Partition Entry Object Function
eda765d
@digitalisx
Add EOF of MBR Symbol
e0a512e
@digitalisx
__str__ Formatting
b013331
@digitalisx
Restore mft.json
5de6462
@digitalisx
Add Symbol code comment, hash
b6a14e6
@digitalisx
Add Code Comment, Hash Funtion, Exception
7c00b2f
@digitalisx
Update BootableFlag Symbol
a35fa04
@digitalisx
Update BootableFlag Symbol
1b71aad
@digitalisx
Merge branch 'feature/mbr-parser' of https://github.com/Digitalisx/vo…
4e41432 
…latility3 into feature/mbr-parser
@digitalisx
Merge branch 'volatilityfoundation:develop' into feature/mbr-parser
54a93a1
@digitalisx
Define 'all_zero' default value, Update output column name
f973486
@digitalisx
Merge branch 'volatilityfoundation:develop' into feature/mbr-parser
8aeaa83
@ikelos
CLI: Implement specifying a config name to write
fa723ec
digitalisx and others added 2 commits June 16, 2022 05:40
@digitalisx
Remove: unreachable code
dd92955
@ikelos
Merge pull request volatilityfoundation#771 from digitalisx/fix/volsh…
2c3cc19 
…ell-excp

Remove: unreachable code (`UnsatisfiedExceptions` Message) of `volshell`.
@digitalisx
Copy link
Contributor

Hello @paulkermann, This PR related to #581 ?

@f-block
Copy link
Contributor

f-block commented Jun 17, 2022

Hi,

yes, this PR looks/works great! Thx @paulkermann.

@paulkermann
Copy link
Contributor Author

@digitalisx yes this PR is into #581

@f-block
Copy link
Contributor

f-block commented Jun 22, 2022

Hi,

just had another look: Why do you make the PageFileLow shift in _get_PageFileLow_shift dependent on the existence of the SwizzleBit ? If in a newer Windows version the PageFileLow field get moved around again, this won't work anymore. I think the best way to do it would be to get the field start from the PageFileLow field directly. Something like this (didn't test it yet):

return mmpte_software_type.vol.members.get("PageFileLow")[1].vol.start_bit

Cheers,
Frank

@paulkermann
Copy link
Contributor Author

paulkermann commented Jun 23, 2022
edited
Loading

@f-block thanks'. Did not know the start_bit was accessible this way.

ikelos
ikelos reviewed Jun 23, 2022
View reviewed changes
volatility3/framework/layers/intel.py

return 12 # The new shift
return mmpte_software_type.vol.members["PageFileLow"][1].start_bit
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a pretty nasty way of doing it, and tinkers with the internal state of volatility. I've now added #777 which gives the child_template call, so you can do mmpte_software_type.child_template('PageFileLow').start_bit instead. Should be much cleaner and make it easier for us if we ever need to mess with the members mechanism.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When are you planning on merging this in?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After that standard review process, so I'm hoping a week but it could be longer.

ikelos
ikelos reviewed Jun 23, 2022
View reviewed changes
Copy link
Member

@ikelos ikelos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still concerned about bringing a requirement on the kernel into the windows mixin. This will need some thinking about and a lot of testing.

volatility3/framework/layers/intel.py Outdated Show resolved Hide resolved
volatility3/framework/layers/intel.py Outdated Show resolved Hide resolved
volatility3/framework/layers/intel.py Show resolved Hide resolved
@ikelos
Copy link
Member

ikelos commented Jun 23, 2022

The PR's become a bit of a message, please could you rebase it.

ikelos and others added 6 commits June 23, 2022 14:32
@ikelos @paulkermann
Layers: Rework Intel layer to be more accurate
60d4c86 
This shifts the transition page handling into the windows fault handler.
It makes the table traversal from a loop into a recursive call so that
handlers can jump back into the traversal directly.
@ikelos @paulkermann
Layers: Convert to a recursive page fault handler
163be37
@ikelos @paulkermann
Layers: Comment out debugging statement in intel layer
583ff9f
@paulkermann
handle invalid pte mask
27096d9
@paulkermann
get PageFileLow shift via start_bit
e338b16
@paulkermann
code review changes
34e9038
@paulkermann paulkermann force-pushed the feature/swap-better-pagefault branch from 390dc6e to 34e9038 Compare June 23, 2022 11:33
@paulkermann
Copy link
Contributor Author

@ikelos the problem is better-page-faulting is behind develop. My branch (this) is ahead of develop and not behind

@ikelos
Copy link
Member

ikelos commented Jun 23, 2022

Hmmm, ok. Either you can roll in the changes from better-page-faulting, rebase it all, and we abandon that PR/branch in favour of this one, or we'll have to wait for it to get merged at some point...

@paulkermann paulkermann mentioned this pull request Jun 23, 2022
Open
@paulkermann
Copy link
Contributor Author

moved this PR to #778.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ikelos ikelos ikelos left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@paulkermann @digitalisx @f-block @ikelos @gcmoreira @atcuno @cpuu @samuelzurowski