From df55b7890dca4a73f6c8e6dd10b6994fc3264276 Mon Sep 17 00:00:00 2001
From: Andrew Case
Date: Fri, 7 Feb 2025 18:05:16 -0600
Subject: [PATCH] Prevent yielding smeared/broken modules from the unloaded module list

---
 .../framework/plugins/windows/unloadedmodules.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/volatility3/framework/plugins/windows/unloadedmodules.py b/volatility3/framework/plugins/windows/unloadedmodules.py
index d9f104ae88..a579ac7e8c 100644
--- a/volatility3/framework/plugins/windows/unloadedmodules.py
+++ b/volatility3/framework/plugins/windows/unloadedmodules.py
@@ -117,7 +117,18 @@ def list_unloadedmodules(
         )
         unloadedmodules_array.UnloadedDrivers.count = unloaded_count
 
-        yield from unloadedmodules_array.UnloadedDrivers
+        for driver in unloadedmodules_array.UnloadedDrivers:
+            # Mass testing led to dozens of samples backtracing on this plugin when
+            # accessing members of modules coming out this list
+            # Given how often temporary drivers load and unload on Win10+, I
+            # assume the chance for smear is very high
+            try:
+                driver.StartAddress
+                driver.EndAddress
+                driver.CurrentTime
+                yield driver
+            except exceptions.InvalidAddressException:
+                continue
 
     def _generator(self):
         kernel = self.context.modules[self.config["kernel"]]
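Review bot: Smeared entries are now dropped silently, so an analyst cannot tell that the unloaded-module list was shortened, which matters for a forensic artifact; the `except exceptions.InvalidAddressException:` branch should at least record the skip, e.g. a debug-level log with the entry's offset (or a counter reported once after the loop), before `continue`. The `yield driver` also belongs outside the `try` — keep the try body to the three member reads, then `yield driver` after the `except` block — so the handler only covers the memory reads it is meant to guard. The three bare attribute accesses read as no-ops and will trip linters (ruff B018); a comment such as `# bare reads: each dereferences the member and raises InvalidAddressException if the entry is smeared` would make the intent explicit. Note that only StartAddress, EndAddress and CurrentTime are validated here, so any other member read by `_generator` (whose body continues outside the hunk) still needs its own guard; list_unloadedmodules itself starts outside the hunk.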