Windows: Callbacks - fix breaking API change

dgmcdona · dgmcdona · commit db55f23070b1 · 2024-09-30T17:03:12.000-05:00
Moves as much of the `is_parseable` check as possible back into an
`is_valid` method to avoid breaking API changes.
diff --git a/volatility3/framework/symbols/windows/extensions/callbacks.py b/volatility3/framework/symbols/windows/extensions/callbacks.py
@@ -15,7 +15,7 @@ class _SHUTDOWN_PACKET(objects.StructType, pool.ExecutiveObject):
     It exposes a function which sanity-checks structure members.
     """
 
-    def is_parseable(self, type_map: Dict[int, str]) -> bool:
+    def is_valid(self) -> bool:
         """
         Perform some checks.
         """
@@ -30,20 +30,32 @@ def is_parseable(self, type_map: Dict[int, str]) -> bool:
                 )
                 return False
 
-            device = self.DeviceObject
-            if not device or not (device.DriverObject.DriverStart % 0x1000 == 0):
-                vollog.debug(
-                    f"callback obj 0x{self.vol.offset:x} invalid due to invalid device object"
-                )
-                return False
-
         except exceptions.InvalidAddressException:
             vollog.debug(
                 f"callback obj 0x{self.vol.offset:x} invalid due to invalid address access"
             )
             return False
 
+        return True
+
+    def is_parseable(self, type_map: Dict[int, str]) -> bool:
+        """
+        Determines whether or not this `_SHUTDOWN_PACKET` callback can be reliably parsed.
+        Requires a `type_map` that maps NT executive object type indices to string representations.
+        This type map can be acquired via the `handles.Handles.get_type_map` classmethod.
+        """
+        if not self.is_valid():
+            return False
+
         try:
+
+            device = self.DeviceObject
+            if not device or not (device.DriverObject.DriverStart % 0x1000 == 0):
+                vollog.debug(
+                    f"callback obj 0x{self.vol.offset:x} invalid due to invalid device object"
+                )
+                return False
+
             header = device.get_object_header()
             object_type = header.get_object_type(type_map)
             is_valid = object_type == "Device"
@@ -52,6 +64,11 @@ def is_parseable(self, type_map: Dict[int, str]) -> bool:
                     f"Callback obj 0x{self.vol.offset:x} invalid due to invalid device type: wanted 'Device', found '{object_type}'"
                 )
             return is_valid
+        except exceptions.InvalidAddressException:
+            vollog.debug(
+                f"callback obj 0x{self.vol.offset:x} invalid due to invalid address access"
+            )
+            return False
         except ValueError:
             vollog.debug(
                 f"Could not get object type for object at 0x{self.vol.offset:x}"
