Merge pull request #1681 from volatilityfoundation/fix_dos_reconstruct_calls

ikelos · web-flow · commit d13cf7ae2205 · 2025-03-08T00:55:57.000Z
Fix error handling and reporting around PE reconstruction calls
diff --git a/volatility3/framework/plugins/windows/iat.py b/volatility3/framework/plugins/windows/iat.py
@@ -69,11 +69,23 @@ def _generator(self, procs):
                     layer_name=proc_layer_name,
                 )
 
-                for offset, data in dos_header.reconstruct():
-                    pe_data.seek(offset)
-                    pe_data.write(data)
+                try:
+                    for offset, data in dos_header.reconstruct():
+                        pe_data.seek(offset)
+                        pe_data.write(data)
+                except (exceptions.InvalidAddressException, ValueError) as excp:
+                    vollog.warning(
+                        f"Exception triggered when reconstructing PE file for process {proc.UniqueProcessId} at address {peb.ImageBaseAddress:#x} due to {excp}. Output file may be corrupt and/or truncated."
+                    )
+
+                try:
+                    pe_obj = pefile.PE(data=pe_data.getvalue(), fast_load=True)
+                except pefile.PEFormatError as excp:
+                    vollog.debug(
+                        f"Exception triggered when creating PE file object for process {proc.UniqueProcessId} at address {peb.ImageBaseAddress:#x} due to {excp}. Unable to extract file."
+                    )
+                    continue
 
-                pe_obj = pefile.PE(data=pe_data.getvalue(), fast_load=True)
                 pe_obj.parse_data_directories(
                     [pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_IMPORT"]]
                 )
diff --git a/volatility3/framework/plugins/windows/pe_symbols.py b/volatility3/framework/plugins/windows/pe_symbols.py
@@ -327,7 +327,7 @@ def get_pefile_obj(
 
             pe_ret = pefile.PE(data=pe_data.getvalue(), fast_load=True)
 
-        except exceptions.InvalidAddressException:
+        except (exceptions.InvalidAddressException, ValueError):
             pe_ret = None
 
         return pe_ret
diff --git a/volatility3/framework/plugins/windows/verinfo.py b/volatility3/framework/plugins/windows/verinfo.py
@@ -176,7 +176,12 @@ def _generator(
                 (major, minor, product, build) = self.get_version_information(
                     self._context, pe_table_name, session_layer_name, mod.DllBase
                 )
-            except (exceptions.InvalidAddressException, TypeError, AttributeError):
+            except (
+                exceptions.InvalidAddressException,
+                ValueError,
+                TypeError,
+                AttributeError,
+            ):
                 (major, minor, product, build) = [renderers.UnreadableValue()] * 4
                 if (
                     not isinstance(BaseDllName, renderers.UnreadableValue)
