Merge pull request #1770 from volatilityfoundation/shimcachemem/bugfixes

ShimcacheMem: Various bugfixes

Author: ikelos

volatility3/framework/plugins/windows/shimcachemem.py

@@ -174,6 +174,8 @@ def find_shimcache_win_xp(
                     vad.get_start() + SHIM_NUM_ENTRIES_OFFSET,
                 )
 
+                vollog.debug(f"Found {num_entries} shimcache entries")
+
                 if num_entries > SHIM_MAX_ENTRIES:
                     continue
 
@@ -204,7 +206,6 @@ def find_shimcache_win_xp(
 
                     if physical_addr in seen:
                         continue
-                    seen.add(physical_addr)
 
                     shim_entry = proc_layer.context.object(
                         shimcache_symbol_table + constants.BANG + "SHIM_CACHE_ENTRY",
@@ -216,6 +217,8 @@ def find_shimcache_win_xp(
                     if not shim_entry.is_valid():
                         continue
 
+                    seen.add(physical_addr)
+
                     yield shim_entry
 
     @classmethod

volatility3/framework/symbols/windows/extensions/shimcache.py

@@ -8,6 +8,7 @@
 from typing import Dict, Optional, Tuple, Union
 
 from volatility3.framework import constants, exceptions, interfaces, objects, renderers
+from volatility3.framework.objects.utility import address_to_string
 from volatility3.framework.symbols.windows.extensions import conversion
 
 vollog = logging.getLogger(__name__)
@@ -56,12 +57,14 @@ def exec_flag(self) -> Union[bool, interfaces.renderers.BaseAbsentValue]:
                 blob_offset, blob_size
             ):
                 self._exec_flag = renderers.UnparsableValue()
+                return self._exec_flag
 
             raw_flag = self._context.layers[self.vol.native_layer_name].read(
                 blob_offset, blob_size
             )
             if not raw_flag:
                 self._exec_flag = renderers.UnparsableValue()
+                return self._exec_flag
 
             try:
                 self._exec_flag = bool(struct.unpack("<I", raw_flag)[0])
@@ -71,6 +74,7 @@ def exec_flag(self) -> Union[bool, interfaces.renderers.BaseAbsentValue]:
         else:
             # Always set to true for XP/2K3
             self._exec_flag = renderers.NotApplicableValue()
+
         return self._exec_flag
 
     @property
@@ -117,6 +121,8 @@ def last_update(self) -> Union[datetime, interfaces.renderers.BaseAbsentValue]:
             )
         except AttributeError:
             self._last_updated = renderers.NotApplicableValue()
+        except exceptions.InvalidAddressException:
+            self._last_updated = renderers.UnreadableValue()
 
         return self._last_updated
 
@@ -126,8 +132,12 @@ def file_path(self) -> Union[str, interfaces.renderers.BaseAbsentValue]:
             return self._file_path
 
         if not hasattr(self.Path, "Buffer"):
-            return self.Path.cast(
-                "string", max_length=self.Path.vol.count, encoding="utf-16le"
+            return address_to_string(
+                self._context,
+                self.Path.vol.layer_name,
+                self.Path.vol.offset,
+                self.Path.vol.count,
+                encoding="utf-16le",
             )
 
         try:

volatility3/framework/symbols/windows/shimcache/shimcache-xp-sp2-x86.json

@@ -331,23 +331,23 @@
                 "LastModified": {
                     "type": {
                         "kind": "union",
-                        "name": "LARGE_INTEGER"
+                        "name": "_LARGE_INTEGER"
                     },
-                    "offset": 4
+                    "offset": 528
                 },
                 "FileSize": {
                     "type": {
                         "kind": "base",
                         "name": "long long"
                     },
-                    "offset": 8
+                    "offset": 536
                 },
                 "LastUpdate": {
                     "type": {
                         "kind": "union",
-                        "name": "LARGE_INTEGER"
+                        "name": "_LARGE_INTEGER"
                     },
-                    "offset": 12
+                    "offset": 544
                 }
             },
             "kind": "struct",