Windows: Callbacks - fix breaking API change
Moves as much of the `is_parseable` check as possible back into an
`is_valid` method to avoid breaking API changes.
dgmcdona authored and eve-mem committed Oct 9, 2024
1 parent ccd8536 commit 35eee6a
Showing 1 changed file with 25 additions and 8 deletions.
33 changes: 25 additions & 8 deletions volatility3/framework/symbols/windows/extensions/callbacks.py
Expand Up @@ -15,7 +15,7 @@ class _SHUTDOWN_PACKET(objects.StructType, pool.ExecutiveObject):
It exposes a function which sanity-checks structure members.
"""

def is_parseable(self, type_map: Dict[int, str]) -> bool:
def is_valid(self) -> bool:
"""
Perform some checks.
"""
Expand All @@ -30,20 +30,32 @@ def is_parseable(self, type_map: Dict[int, str]) -> bool:
)
return False

device = self.DeviceObject
if not device or not (device.DriverObject.DriverStart % 0x1000 == 0):
vollog.debug(
f"callback obj 0x{self.vol.offset:x} invalid due to invalid device object"
)
return False

except exceptions.InvalidAddressException:
vollog.debug(
f"callback obj 0x{self.vol.offset:x} invalid due to invalid address access"
)
return False

return True

def is_parseable(self, type_map: Dict[int, str]) -> bool:
"""
Determines whether or not this `_SHUTDOWN_PACKET` callback can be reliably parsed.
Requires a `type_map` that maps NT executive object type indices to string representations.
This type map can be acquired via the `handles.Handles.get_type_map` classmethod.
"""
if not self.is_valid():
return False

try:

device = self.DeviceObject
if not device or not (device.DriverObject.DriverStart % 0x1000 == 0):
vollog.debug(
f"callback obj 0x{self.vol.offset:x} invalid due to invalid device object"
)
return False

header = device.get_object_header()
object_type = header.get_object_type(type_map)
is_valid = object_type == "Device"
Expand All @@ -52,6 +64,11 @@ def is_parseable(self, type_map: Dict[int, str]) -> bool:
f"Callback obj 0x{self.vol.offset:x} invalid due to invalid device type: wanted 'Device', found '{object_type}'"
)
return is_valid
except exceptions.InvalidAddressException:
vollog.debug(
f"callback obj 0x{self.vol.offset:x} invalid due to invalid address access"
)
return False
except ValueError:
vollog.debug(
f"Could not get object type for object at 0x{self.vol.offset:x}"
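Review bot: `is_parseable` has to bind `device` itself before `header = device.get_object_header()`, because the `device = self.DeviceObject` assignment that now sits in `is_valid` is local to that method. This page prints the device-object check twice with no +/- markers, so it is not clear whether the assignment survives inside the new `try:`; if it does not, the call raises `NameError`, which neither the `InvalidAddressException` nor the `ValueError` handler catches. Keeping `device = self.DeviceObject` as the first statement of that `try:` avoids it. Separately, `is_valid` still carries the docstring `Perform some checks.` although it no longer includes the object-type comparison; I would state that there, e.g. `Sanity-check this structure without a type map; does not verify that DeviceObject's object type is 'Device' (use is_parseable() for that).` The `except ValueError` block continues past the end of the hunk.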