pdbconv broke on NDIS PDB from Win10 x64 version 17763 #1210

Open
atcuno opened this issue Jul 23, 2024 · 1 comment

@atcuno (Contributor)
atcuno commented Jul 23, 2024

While working on a new plugin, I triggered this backtrace when the code was attempting to lookup a symbol in NDIS.sys (a kernel driver):

[snip]
File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbutil.py", line 411, in symbol_table_from_pdb
    _, symbol_table_name = cls._modtable_from_pdb(
                           ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbutil.py", line 454, in _modtable_from_pdb
    symbol_table_name = cls.load_windows_symbol_table(
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbutil.py", line 114, in load_windows_symbol_table
    cls.download_pdb_isf(
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbutil.py", line 277, in download_pdb_isf
    ).get_json()
      ^^^^^^^^^^
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 505, in get_json
    self.read_necessary_streams()
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 214, in read_necessary_streams
    self.read_tpi_stream()
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 222, in read_tpi_stream
    type_references = self._read_info_stream(2, "TPI", self.types)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 285, in _read_info_stream
    output, consumed = self.consume_type(module, offset, length)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 775, in consume_type
    subfield, sub_consumed = self.consume_type(
                             ^^^^^^^^^^^^^^^^^^
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 821, in consume_type
    raise TypeError(f"Unhandled leaf_type: {leaf_type}")
TypeError: Unhandled leaf_type: 5392

I then pulled the pdb file down directly:

http://msdl.microsoft.com/download/symbols/ndis.pdb/67635B4B9BD13A95BC64AD0F906827AC1/ndis.pdb

and ran pdbconv on it, and got another error but this time at a different leaf type:

$ PYTHONPATH=. python3 volatility3/framework/symbols/windows/pdbconv.py -f ../ndis.pdb -o ../t.txt
Traceback (most recent call last):
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 1073, in <module>
    converted_json = convertor.get_json()
                     ^^^^^^^^^^^^^^^^^^^^
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 505, in get_json
    self.read_necessary_streams()
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 212, in read_necessary_streams
    self.read_pdb_info_stream()
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 447, in read_pdb_info_stream
    self.read_ipi_stream()
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 236, in read_ipi_stream
    type_references = self._read_info_stream(4, "IPI", ipi_list)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 285, in _read_info_stream
    output, consumed = self.consume_type(module, offset, length)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/rk/volatility3/volatility3/framework/symbols/windows/pdbconv.py", line 821, in consume_type
    raise TypeError(f"Unhandled leaf_type: {leaf_type}")
TypeError: Unhandled leaf_type: 5634

Looking at LLVM: https://docs.hdoc.io/hdoc/llvm-project/e6DFC71D5E32DD199.html

5634 = MemberFuncId
5392 = NestedType

Are there plans to support these? Also, is there a way to specify not backtracing if types can't be parsed, since in this case I only care about symbols?
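
The two values in the tracebacks are CodeView leaf kinds: 5392 is 0x1510 (LF_NESTTYPE) and 5634 is 0x1602 (LF_MFUNC_ID), both emitted for C++ debug info. Every TPI/IPI record is self-delimiting (uint16 length, uint16 leaf kind, payload, LF_PAD bytes to 4-byte alignment), so a parser can skip a record it does not understand while still assigning it a type index, which is what a "symbols only, don't fail on unknown types" mode would rely on. The following is an added example and is not pdbconv's code or anything from the Volatility project: a minimal record walker over a constructed TPI-style byte stream that decodes LF_POINTER, LF_NESTTYPE and LF_MFUNC_ID and, for any other leaf, either skips it or raises the same way the tracebacks above do, depending on a `strict` flag. Record layouts follow cvinfo.h (lfPointer, lfNestType, lfMFuncId); the sample stream, the `_record` builder and the function names are constructed for this example.

```python
import struct
from typing import Dict, List, Optional, Tuple

# CodeView leaf kinds (LEAF_ENUM_e in cvinfo.h / LLVM's CodeView.h)
LF_POINTER = 0x1002
LF_NESTTYPE = 0x1510   # 5392, the leaf in the first traceback
LF_FUNC_ID = 0x1601    # deliberately left unhandled below to show the skip path
LF_MFUNC_ID = 0x1602   # 5634, the leaf in the second traceback

LEAF_NAMES = {LF_POINTER: "LF_POINTER", LF_NESTTYPE: "LF_NESTTYPE",
              LF_FUNC_ID: "LF_FUNC_ID", LF_MFUNC_ID: "LF_MFUNC_ID"}


def _cstring(buf: bytes, off: int) -> str:
    """Read a NUL-terminated UTF-8 name starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("utf-8")


def parse_leaf(leaf: int, body: bytes) -> Optional[dict]:
    """Decode the payload following the 16-bit leaf kind; None if unsupported."""
    if leaf == LF_POINTER:                      # lfPointer: utype, attr
        utype, attr = struct.unpack_from("<II", body, 0)
        return {"kind": "LF_POINTER", "utype": utype, "attr": attr}
    if leaf == LF_NESTTYPE:                     # lfNestType: pad0, index, Name[]
        (index,) = struct.unpack_from("<I", body, 2)
        return {"kind": "LF_NESTTYPE", "index": index, "name": _cstring(body, 6)}
    if leaf == LF_MFUNC_ID:                     # lfMFuncId: parentType, type, name[]
        parent, ftype = struct.unpack_from("<II", body, 0)
        return {"kind": "LF_MFUNC_ID", "parent": parent, "type": ftype,
                "name": _cstring(body, 8)}
    return None


def walk_type_records(stream: bytes, first_index: int = 0x1000,
                      strict: bool = False) -> Tuple[Dict[int, dict], List[Tuple[int, int]]]:
    """Walk length-prefixed records; unknown leaves are skipped (or raised if strict).

    Every record, handled or not, consumes one type index so later references
    into the table still resolve to the right slot.
    """
    types: Dict[int, dict] = {}
    unhandled: List[Tuple[int, int]] = []
    off, index = 0, first_index
    while off + 4 <= len(stream):
        length, leaf = struct.unpack_from("<HH", stream, off)
        body = stream[off + 4: off + 2 + length]   # length counts the leaf field itself
        parsed = parse_leaf(leaf, body)
        if parsed is None:
            if strict:
                raise TypeError(f"Unhandled leaf_type: {leaf}")
            unhandled.append((index, leaf))
            parsed = {"kind": "UNKNOWN", "leaf": leaf, "raw": body}
        types[index] = parsed
        index += 1
        off += 2 + length
    return types, unhandled


def _record(leaf: int, body: bytes) -> bytes:
    """Build one record: uint16 length, uint16 leaf, body, LF_PADn bytes to 4-byte alignment."""
    payload = struct.pack("<H", leaf) + body
    pad = (-(2 + len(payload))) % 4
    payload += bytes(0xF0 + pad - i for i in range(pad))   # e.g. F3 F2 F1
    return struct.pack("<H", len(payload)) + payload


# Constructed sample stream (not taken from ndis.pdb): a pointer to T_INT4 (0x74),
# a nested type, a member-function id, and an LF_FUNC_ID the walker does not handle.
SAMPLE_TPI = b"".join([
    _record(LF_POINTER, struct.pack("<II", 0x0074, 0x1000C)),                  # 0x1000
    _record(LF_NESTTYPE, struct.pack("<HI", 0, 0x1000) + b"Inner\x00"),        # 0x1001
    _record(LF_MFUNC_ID, struct.pack("<II", 0x1001, 0x1000) + b"Method\x00"),  # 0x1002
    _record(LF_FUNC_ID, struct.pack("<II", 0, 0x1000) + b"fn\x00"),            # 0x1003
])


def demo() -> Tuple[Dict[int, dict], List[Tuple[int, int]]]:
    """Lenient walk of the constructed stream."""
    return walk_type_records(SAMPLE_TPI)


if __name__ == "__main__":
    types, unhandled = demo()
    for idx, rec in types.items():
        print(f"0x{idx:04x} {rec}")
    print("unhandled:", [(hex(i), LEAF_NAMES.get(k, hex(k))) for i, k in unhandled])
    try:
        walk_type_records(SAMPLE_TPI, strict=True)
    except TypeError as exc:
        print("strict mode:", exc)
```

The point of the lenient path is that skipping a leaf costs nothing for symbol lookup as long as the index counter still advances; what it breaks is any later record (a pointer, a field list) that refers to the skipped index, which is the "extra types require a bit of thought" part rather than the parsing itself.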

@ikelos (Member)

ikelos commented Jul 24, 2024

I suspect this is a C++ library, it's been known for a while that pdbconv doesn't support this (see #650 and #540) but the work somewhat stalled because the extra types require a bit of thought to integrate and there wasn't a great deal of interest in getting them sorted. I could probably use some support regarding exactly what needs doing, and we'll need to make a decision whether/how to unmunge C++ names for use in Volatility (theoretically there's support for having an alias, so we can record both, but which one takes precedence and how do we let people access them via the other, etc, etc).
