Windows.handle plugin bug about volatility3 HOT 7 CLOSED

Thanks for reporting this. Since the output's already been posted to slack, I'll post a copy here too to keep everything together:

handles.txt

From the error message and the output it looks like a runaway string

Traceback (most recent call last):anning primary2 using PdbSignatureScanner
  File "vol.py", line 10, in <module>
    volatility.cli.main()
  File "C:\Users\admin\Desktop\volatility3-master\volatility\cli\__init__.py", line 523, in main
    CommandLine().run()
  File "C:\Users\admin\Desktop\volatility3-master\volatility\cli\__init__.py", line 281, in run
    renderers[args.renderer]().render(constructed.run())
  File "C:\Users\admin\Desktop\volatility3-master\volatility\cli\text_renderer.py", line 161, in render
    grid.populate(visitor, outfd)
  File "C:\Users\admin\Desktop\volatility3-master\volatility\framework\renderers\__init__.py", line 202, in populate
    accumulator = function(treenode, accumulator)
  File "C:\Users\admin\Desktop\volatility3-master\volatility\cli\text_renderer.py", line 156, in visitor
    accumulator.write("{}".format("\t".join(line)))
  File "C:\Users\admin\AppData\Local\Programs\Python\Python37\lib\encodings\cp1252.py", line 19, in encode
    return codecs.charmap_encode(input,self.errors,encoding_table)[0]
UnicodeEncodeError: 'charmap' codec can't encode character '\u03e5' in position 68: character maps to <undefined>

All the code paths seem to return unicode strings (which should therefore already have been converted with the replace error strategy), apart from the process_name variable which uses utility.array_to_string which may be unbounded, although that should be bounded by the array size, which I think is always 16? We might want to push an explicit limit on the string at that point?

from volatility3.

@yehias Sorry for the delay. Do you still have access to this memory sample? If we produce a debug branch of Volatility, would you be able to run a couple additional commands and share the output?

from volatility3.

Also, interestingly, using iconv on linux to convert UTF-16 to ASCII works just fine on the handles.txt file and displays the entire thing without errors? Opening the original handles.txt causes gedit to throw an error somewhere in the middle (at almost exactly 0x3a000, which may therefore just be some kind of buffer limit?). It would be really good to get the direct and complete output of running the command too, so by adding something like > output.txt on the end.

from volatility3.

@iMHLv2 sorry for late reply i've been busy with some cases actually I don't have it anymore but I can replicate it again I was using it on windows 10 lab still have the machine so let me know which commands you need me to run and I will memory sample per command for reference

from volatility3.

@yehias If you're able to reproduce this again within your lab, would you be able to share that clean/non-sensitive memory dump? Unfortunately its not as easy as sending you some commands to run like I initially hoped. If that's definitely not going to be possible, can you tell us what install media you used to build the VM and if there's any customizations needed to produce the issue (i.e., any special language packs installed)?

from volatility3.

We haven't heard back in a while, if you're still encountering this issue please feel free to reopen it. 5:)

from volatility3.

from volatility3.