when trying to read pdb for combase.dll getting error InvalidAddressException: Offset outside of the buffer boundaries #1588

Open
shenjashuk opened this issue Jan 31, 2025 · 1 comment


OS type: Windows 11 (10.0.22631)
Python version: 3.11
DLL version: 10.0.22621.2792 ( WinBuild.160101.0800 )
DLL link: https://drive.google.com/file/d/1t2D6lwl_cWUlpNPkyd-iBwNBsYGV8nJj/view
My code:

```python
from pathlib import Path
from pdbparse.peinfo import get_external_codeview
from volatility3.framework import contexts
from volatility3.framework.symbols.windows import pdbconv

guid, profile_name = get_external_codeview(Path('combase.dll'))
pdb_retreiver = pdbconv.PdbRetreiver()
pdb_url = pdb_retreiver.retreive_pdb(
    guid=guid,
    file_name=profile_name,
)

# Download PDB file.
pdb_reader = pdbconv.PdbReader(
    contexts.Context(), pdb_url, profile_name
)

pdb_profile = pdb_reader.get_json()
```

Error:

```
Traceback (most recent call last):
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\main.py", line 20, in <module>
    pdb_reader = pdbconv.PdbReader(
                 ^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\symbols\windows\pdbconv.py", line 128, in __init__
    self._layer_name, self._context = self.load_pdb_layer(context, location)
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\symbols\windows\pdbconv.py", line 199, in load_pdb_layer
    msf_layer.read_streams()
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\layers\msf.py", line 84, in read_streams
    "root", self._header.StreamInfo.StreamInfoSize, [x for x in root_pages]
                                                    ^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\layers\msf.py", line 84, in <listcomp>
    "root", self._header.StreamInfo.StreamInfoSize, [x for x in root_pages]
                                                    ^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen _collections_abc>", line 993, in __iter__
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\objects\__init__.py", line 795, in __getitem__
    result += [self.vol.subtype(context=self._context, object_info=object_info)]
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\objects\templates.py", line 96, in __call__
    return self.vol.object_class(
           ^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\objects\__init__.py", line 168, in __new__
    value = cls._unmarshall(context, data_format, object_info)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\objects\__init__.py", line 202, in _unmarshall
    data = context.layers.read(
           ^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\interfaces\layers.py", line 635, in read
    return self[layer].read(offset, length, pad)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\layers\linear.py", line 63, in read
    self._context.layers.read(layer, mapped_offset, mapped_length, pad)
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\interfaces\layers.py", line 635, in read
    return self[layer].read(offset, length, pad)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\layers\linear.py", line 63, in read
    self._context.layers.read(layer, mapped_offset, mapped_length, pad)
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\interfaces\layers.py", line 635, in read
    return self[layer].read(offset, length, pad)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\layers\physical.py", line 161, in read
    raise exceptions.InvalidAddressException(
volatility3.framework.exceptions.InvalidAddressException: Offset outside of the buffer boundaries
```

ikelos commented Jan 31, 2025

So this is either:

The easiest of those to deal with is to clear out the cache, which for you should be under one of the directories in your Temp folder called Volatility3 probably filled with data_<longhash>.cache. Get rid of all the data_*.cache files (the others can stay). Could you please try that, then test your command again and see if the same thing happens...
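
A check that goes with the cache advice above, added here as an example and not taken from this thread or from the Volatility 3 project: it reports which `data_*.cache` files are MSF (PDB) containers shorter than their own header claims, one condition under which reads of the root page list run past the end of the buffer. It assumes cached downloads are stored unmodified and that the caller supplies the cache directory; `check_msf`, `scan_cache` and `constructed_sample` are names made up for this example.

```python
import struct
from pathlib import Path

# Signature that starts every MSF 7.00 container (the format PDB files use).
MSF7_MAGIC = b"Microsoft C/C++ MSF 7.00\r\n\x1aDS\x00\x00\x00"
# After the magic: page size, free page map, page count, root stream size,
# reserved (all little-endian uint32), then the root page-list page numbers.
HEADER = struct.Struct("<32s5I")


def check_msf(head: bytes, file_size: int) -> str:
    """Classify a file from its first bytes and its size on disk."""
    if len(head) < HEADER.size or not head.startswith(MSF7_MAGIC):
        return "not-msf"
    _, page_size, _, num_pages, root_size, _ = HEADER.unpack_from(head)
    if page_size == 0 or num_pages * page_size > file_size:
        return "truncated"  # header promises more pages than the file holds
    root_pages = -(-root_size // page_size)         # pages in the root stream
    list_pages = -(-(root_pages * 4) // page_size)  # pages listing those pages
    end = HEADER.size + 4 * list_pages
    if end > len(head):
        return "bad-root"   # page-list array does not fit in the bytes read
    indexes = struct.unpack_from(f"<{list_pages}I", head, HEADER.size)
    return "ok" if all(i < num_pages for i in indexes) else "bad-root"


def scan_cache(cache_dir: Path) -> dict:
    """Verdict for every data_*.cache file in cache_dir (path is an assumption)."""
    verdicts = {}
    for path in sorted(Path(cache_dir).glob("data_*.cache")):
        with path.open("rb") as handle:
            head = handle.read(4096)
        verdicts[path.name] = check_msf(head, path.stat().st_size)
    return verdicts


def constructed_sample() -> bytes:
    """Constructed 4-page MSF image for testing; not a real PDB."""
    header = HEADER.pack(MSF7_MAGIC, 4096, 1, 4, 100, 0) + struct.pack("<I", 3)
    return header.ljust(4 * 4096, b"\x00")
```

Files reported as `not-msf` are simply other cached resources, not evidence of damage.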
