[fix] Cannot open volume, operating string out of bounds #14

Open
antwise wants to merge 1 commit into libyal:main from antwise:FailedOpenVolumeForOrigin

antwise commented Nov 1, 2017

There is a bug:

Unable to open volume \\?\Volume{88b8eb89-1df3-11e7-8bc2-000c29c41622} (libvshadow_store_descriptor_read_store_header: operating machine string size value out of bounds.
libvshadow_volume_open_read: unable to read store: 2 header.
libvshadow_volume_open_file_io_handle: unable to read from file IO handle.
libvshadow_volume_open_wide: unable to open volume: \\?\Volume{88b8eb89-1df3-11e7-8bc2-000c29c41622}.)

It appears because libvshadow wrongly interprets the path field with name unknown10.

It's a null-terminated UTF-16 string GUID.

joachimmetz (Member) commented Nov 2, 2017

@antwise could you describe your issue in a bit more detail?

Based on Unable to open volume \\?\Volume{88b8eb89-1df3-11e7-8bc2-000c29c41622} I assume you're running libvshadow on a live volume? What version of Windows? etc.

antwise (Author) commented Nov 2, 2017

@joachimmetz I am running libvshadow on a live volume in Windows 2008 R2.
There are partitions:

\\?\Volume{88b8eb89-1df3-11e7-8bc2-000c29c41622} is H:

joachimmetz (Member) commented

I'll need to double check if your proposed changes are really part of the format or maybe due to the fact you're running on a live volume and volsnap.sys is known to continuously update the VSS information.

antwise (Author) commented Nov 7, 2017

@joachimmetz, OK. What to do with the tests? For Travis CI, there is https://gist.github.com/entropiae/a899d8a78dc8a38f505e#file-fix_git_sslread_9806-sh.

joachimmetz (Member) commented

Let me have a look at the format changes first. I can look at the tests if/when I merge the changes if necessary.

antwise (Author) commented Nov 9, 2017

Hm... Today I caught that it's the path of the mount of the snapshot (field "Exposed locally as..." in the output of vshadow.exe).

joachimmetz (Member) commented

@antwise interesting, thanks. I'll try to confirm this as soon as time permits and work on integrating your changes.

joachimmetz (Member) commented

Small update: did not have the time yet to create representative test data. Trying to get back to it soon.

joachimmetz (Member) commented Feb 7, 2019

Note to self: still pending on creating representative test data.

https://github.com/dfirlabs/vss-specimens

joachimmetz self-assigned this Mar 24, 2019
joachimmetz self-requested a review March 24, 2019 07:10
joachimmetz changed the base branch from master to main January 19, 2021 12:39