ShimcacheMem: Fix traceback in extension method

dgmcdona · dgmcdona · commit 4ce173e87a86 · 2025-04-15T15:52:54.000-05:00
When performing the attribute checks for ListFlags.BlobBuffer, a pointer
dereference occurs implicitly that can trigger an
`exceptions.InvalidAddressException`. This wraps the checks in a
try/except block, and sets the value of `_exec_flag` to
`renderers.UnreadableValue` if one occurs.
diff --git a/volatility3/framework/symbols/windows/extensions/shimcache.py b/volatility3/framework/symbols/windows/extensions/shimcache.py
@@ -39,37 +39,44 @@ def exec_flag(self) -> Union[bool, interfaces.renderers.BaseAbsentValue]:
         if self._exec_flag is not None:
             return self._exec_flag
 
-        if hasattr(self, "ListEntryDetail") and hasattr(
-            self.ListEntryDetail, "InsertFlags"
-        ):
-            self._exec_flag = self.ListEntryDetail.InsertFlags & 0x2 == 2
-
-        elif hasattr(self, "InsertFlags"):
-            self._exec_flag = self.InsertFlags & 0x2 == 2
+        try:
+            if hasattr(self, "ListEntryDetail") and hasattr(
+                self.ListEntryDetail, "InsertFlags"
+            ):
+                self._exec_flag = self.ListEntryDetail.InsertFlags & 0x2 == 2
 
-        elif hasattr(self, "ListEntryDetail") and hasattr(
-            self.ListEntryDetail, "BlobBuffer"
-        ):
-            blob_offset = self.ListEntryDetail.BlobBuffer
-            blob_size = self.ListEntryDetail.BlobSize
+            elif hasattr(self, "InsertFlags"):
+                self._exec_flag = self.InsertFlags & 0x2 == 2
 
-            if not self._context.layers[self.vol.native_layer_name].is_valid(
-                blob_offset, blob_size
+            elif hasattr(self, "ListEntryDetail") and hasattr(
+                self.ListEntryDetail, "BlobBuffer"
             ):
-                self._exec_flag = renderers.UnparsableValue()
-                return self._exec_flag
+                blob_offset = self.ListEntryDetail.BlobBuffer
+                blob_size = self.ListEntryDetail.BlobSize
 
-            raw_flag = self._context.layers[self.vol.native_layer_name].read(
-                blob_offset, blob_size
+                if not self._context.layers[self.vol.native_layer_name].is_valid(
+                    blob_offset, blob_size
+                ):
+                    self._exec_flag = renderers.UnparsableValue()
+                    return self._exec_flag
+
+                raw_flag = self._context.layers[self.vol.native_layer_name].read(
+                    blob_offset, blob_size
+                )
+                if not raw_flag:
+                    self._exec_flag = renderers.UnparsableValue()
+                    return self._exec_flag
+
+                try:
+                    self._exec_flag = bool(struct.unpack("<I", raw_flag)[0])
+                except struct.error:
+                    self._exec_flag = renderers.UnparsableValue()
+
+        except exceptions.InvalidAddressException:
+            vollog.debug(
+                "Failed to read SHIMCACHE_ENTRY exec flag due to invalid address exception"
             )
-            if not raw_flag:
-                self._exec_flag = renderers.UnparsableValue()
-                return self._exec_flag
-
-            try:
-                self._exec_flag = bool(struct.unpack("<I", raw_flag)[0])
-            except struct.error:
-                self._exec_flag = renderers.UnparsableValue()
+            self._exec_flag = renderers.UnreadableValue()
 
         else:
             # Always set to true for XP/2K3
