
Commit c6e8c0d

Merge pull request #1783 from volatilityfoundation/bugfix/shimcache_tracebacks
Windows Shimcachemem: Fix tracebacks
2 parents 577747f + 2641e5f commit c6e8c0d

2 files changed

+46
-33
lines changed


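--- a/volatility3/framework/plugins/windows/shimcachemem.py
+++ b/volatility3/framework/plugins/windows/shimcachemem.py
@@ -582,13 +582,19 @@ def get_module_section_range(
         :return: The offset and size of the module, if found; Otherwise, returns `None`
         """
 
-        try:
-            krnl_mod = next(
-                module
-                for module in modules.Modules.list_modules(context, kernel_module_name)
-                if module.BaseDllName.String in module_list
-            )
-        except StopIteration:
+        krnl_mod = None
+        for module in modules.Modules.list_modules(context, kernel_module_name):
+            try:
+                if module.BaseDllName.String in module_list:
+                    krnl_mod = module
+                    break
+            except exceptions.InvalidAddressException as exc:
+                vollog.warning(
+                    f"Failed to get kernel module due to {exc.__class__.__name__}: {exc.invalid_address:#x}"
+                )
+
+        if krnl_mod is None:
+            vollog.warning("Failed to find kernel module")
             return None
 
         kernel = context.modules[kernel_module_name]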
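Review bot: The `for` header at new line 586 advances the `list_modules` generator outside the `try`, so an `InvalidAddressException` raised while walking the module list itself (rather than while reading one entry's `BaseDllName`) is still uncaught and would surface as the kind of traceback this PR sets out to fix; if `list_modules` can raise there, the loop itself belongs inside the `try` (or the iteration should be done with an explicit `next()` under it). Separately, the warning at new line 592 is emitted once per unreadable module and is built with an f-string, which bypasses the logger's lazy formatting; `vollog.warning("Failed to get kernel module due to %s: %#x", exc.__class__.__name__, exc.invalid_address)` keeps the same message and formats only when the record is actually emitted, and `debug` may be the more appropriate level for a per-entry condition that the summary warning at line 597 already reports. The enclosing method continues past the hunk.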

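--- a/volatility3/framework/symbols/windows/extensions/shimcache.py
+++ b/volatility3/framework/symbols/windows/extensions/shimcache.py
@@ -39,37 +39,44 @@ def exec_flag(self) -> Union[bool, interfaces.renderers.BaseAbsentValue]:
         if self._exec_flag is not None:
             return self._exec_flag
 
-        if hasattr(self, "ListEntryDetail") and hasattr(
-            self.ListEntryDetail, "InsertFlags"
-        ):
-            self._exec_flag = self.ListEntryDetail.InsertFlags & 0x2 == 2
-
-        elif hasattr(self, "InsertFlags"):
-            self._exec_flag = self.InsertFlags & 0x2 == 2
+        try:
+            if hasattr(self, "ListEntryDetail") and hasattr(
+                self.ListEntryDetail, "InsertFlags"
+            ):
+                self._exec_flag = self.ListEntryDetail.InsertFlags & 0x2 == 2
 
-        elif hasattr(self, "ListEntryDetail") and hasattr(
-            self.ListEntryDetail, "BlobBuffer"
-        ):
-            blob_offset = self.ListEntryDetail.BlobBuffer
-            blob_size = self.ListEntryDetail.BlobSize
+            elif hasattr(self, "InsertFlags"):
+                self._exec_flag = self.InsertFlags & 0x2 == 2
 
-            if not self._context.layers[self.vol.native_layer_name].is_valid(
-                blob_offset, blob_size
+            elif hasattr(self, "ListEntryDetail") and hasattr(
+                self.ListEntryDetail, "BlobBuffer"
             ):
-                self._exec_flag = renderers.UnparsableValue()
-                return self._exec_flag
+                blob_offset = self.ListEntryDetail.BlobBuffer
+                blob_size = self.ListEntryDetail.BlobSize
 
-            raw_flag = self._context.layers[self.vol.native_layer_name].read(
-                blob_offset, blob_size
+                if not self._context.layers[self.vol.native_layer_name].is_valid(
+                    blob_offset, blob_size
+                ):
+                    self._exec_flag = renderers.UnreadableValue()
+                    return self._exec_flag
+
+                raw_flag = self._context.layers[self.vol.native_layer_name].read(
+                    blob_offset, blob_size
+                )
+                if not raw_flag:
+                    self._exec_flag = renderers.UnparsableValue()
+                    return self._exec_flag
+
+                try:
+                    self._exec_flag = bool(struct.unpack("<I", raw_flag)[0])
+                except struct.error:
+                    self._exec_flag = renderers.UnparsableValue()
+
+        except exceptions.InvalidAddressException:
+            vollog.debug(
+                "Failed to read SHIMCACHE_ENTRY exec flag due to invalid address exception"
             )
-            if not raw_flag:
-                self._exec_flag = renderers.UnparsableValue()
-                return self._exec_flag
-
-            try:
-                self._exec_flag = bool(struct.unpack("<I", raw_flag)[0])
-            except struct.error:
-                self._exec_flag = renderers.UnparsableValue()
+            self._exec_flag = renderers.UnreadableValue()
 
         else:
             # Always set to true for XP/2K3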
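Review bot: The `else:` at new line 81 is marked as unchanged context, so it keeps the indentation it had as the tail of the `if`/`elif` chain, but that chain now lives one level deeper inside the new `try:`; at its old depth the `else:` sits level with `try`/`except` and Python will parse it as the `try` statement's else clause, which runs whenever the body completes without raising. If that is what the gutter shows, every entry whose `InsertFlags` branch matched would have its computed flag immediately replaced by what the XP/2K3 branch assigns (its body is outside the hunk; the comment suggests it forces the flag to true), which silently changes results rather than just suppressing tracebacks. The fix is indentation only: move `else:` and its body one level in so they remain the final arm of the `elif` chain inside the `try`. The property body continues past the hunk, so the assignment and final `return` are not visible here.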
