Skip to content

[fix] Cannot open volume, operating string out of bounds #14

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
antwise wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[fix] Cannot open volume, operating string out of bounds #14

antwise wants to merge 1 commit into from

Conversation

@antwise
Copy link

@antwise antwise commented Nov 1, 2017

There is bug:

Unable to open volume \\?\Volume{88b8eb89-1df3-11e7-8bc2-000c29c41622} (libvshadow_store_descriptor_read_store_header: operating machine string size value out of bounds.
libvshadow_volume_open_read: unable to read store: 2 header.
libvshadow_volume_open_file_io_handle: unable to read from file IO handle.
libvshadow_volume_open_wide: unable to open volume: \\?\Volume{88b8eb89-1df3-11e7-8bc2-000c29c41622}.)

It appears because libvshadow wrong interpreterpath field with name unknown10
32233268-0d7cfe3c-be6b-11e7-9e55-d4ac5d758cad

Its null-terminated utf-16 string guid.

@joachimmetz
Copy link
Member

joachimmetz commented Nov 2, 2017
edited
Loading

@antwise could you describe your issue in a bit more detail.

Based on Unable to open volume \\?\Volume{88b8eb89-1df3-11e7-8bc2-000c29c41622} I assume you're running libvshadow on a live volume? What version of Windows? etc.

@antwise
Copy link
Author

antwise commented Nov 2, 2017
edited
Loading

@joachimmetz I running libvshadow on live volume in Windows 2008 R2.
There is partitions:
image-2017-10-31-11-56-25-299

\\?\Volume{88b8eb89-1df3-11e7-8bc2-000c29c41622 is H:

@joachimmetz
Copy link
Member

joachimmetz commented Nov 6, 2017

I'll need to double check if your proposed changes are really part of the format or maybe due to the fact you're running on a live volume and volsnap.sys is known to continuously update the VSS information.

@antwise
Copy link
Author

antwise commented Nov 7, 2017

@joachimmetz, Ok. What to do with the tests? For Travis Ci - there is https://gist.github.com/entropiae/a899d8a78dc8a38f505e#file-fix_git_sslread_9806-sh.

@joachimmetz
Copy link
Member

joachimmetz commented Nov 7, 2017

Let me have a look at the format changes first. I can look at the tests if/when I merge the changes if necessary.

@antwise
Copy link
Author

antwise commented Nov 9, 2017
edited
Loading

Hm.. Today I catch, that its path of mount of snapshot(Field "Exposed locally as..." in output of vshadow.exe)
exposed

@joachimmetz
Copy link
Member

joachimmetz commented Nov 9, 2017

@antwise interesting thanks, I'll try to confirm this as soon as time permits and work on integrating your changes

@joachimmetz
Copy link
Member

joachimmetz commented Nov 26, 2017

Some related info https://technet.microsoft.com/en-us/library/cc731098.aspx

@joachimmetz
Copy link
Member

joachimmetz commented Mar 2, 2018

Small update, did not have the time yet to create representative test data. Trying to get back to it soon

@joachimmetz
Copy link
Member

joachimmetz commented Feb 7, 2019
edited
Loading

Note to self still pending on creating representative test data

https://github.com/dfirlabs/vss-specimens

@joachimmetz joachimmetz self-assigned this Mar 24, 2019
@joachimmetz joachimmetz self-requested a review March 24, 2019 07:10
@joachimmetz joachimmetz changed the base branch from master to main January 19, 2021 12:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joachimmetz joachimmetz Awaiting requested review from joachimmetz

Assignees

@joachimmetz joachimmetz

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@antwise @joachimmetz @kgermanov