From 718d439a63ca272e5f884e31625f3f1fd1bd29d2 Mon Sep 17 00:00:00 2001
From: David McDonald
Date: Fri, 31 Jan 2025 17:26:36 -0600
Subject: [PATCH] Windows: Handles - catch exception in handle iteration

An `InvalidAddressException` can occur inside of `__iter__` when iterating over the handle table (the exact exception occurs when creating the subtype in `objects.Array.__getitem__`. This changes the handle code to do a manual iteration over the sequence using the array length and indexes, catching the exception, logging the index, and continuing. In the test sample that prompted this change, the exception occurred on the access of the very last item in the array.
closes #1573
---
 volatility3/framework/plugins/windows/handles.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/volatility3/framework/plugins/windows/handles.py b/volatility3/framework/plugins/windows/handles.py
index 6a391fe35a..3aba153c10 100644
--- a/volatility3/framework/plugins/windows/handles.py
+++ b/volatility3/framework/plugins/windows/handles.py
@@ -243,7 +243,12 @@ def _make_handle_array(self, offset, level, depth=0):
 layer_object = self.context.layers[virtual]
 masked_offset = offset & layer_object.maximum_address
- for entry in table:
+ for i in range(len(table)):
+ try:
+ entry = table[i]
+ except exceptions.InvalidAddressException:
+ vollog.debug("Failed to get handle table entry at index {i}")
+ continue
 # This triggered a backtrace in many testing samples
 # in the level == 0 path
 # The code above this calls `is_valid` on the `offset`
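Review bot: The added `vollog.debug("Failed to get handle table entry at index {i}")` is a plain string rather than an f-string, so the log records the literal text `{i}` instead of the index the commit message says it logs. Use `vollog.debug(f"Failed to get handle table entry at index {i}")`, or the lazy form `vollog.debug("Failed to get handle table entry at index %d", i)`. Because the `continue` drops the entry from the plugin output, this message is the only record that a handle was skipped, and an analyst needs the index (ideally with the table offset as well) to judge whether the gap is acquisition smear or something that deserves a closer look. The loop body of `_make_handle_array` continues past the end of the hunk.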