From bcbfc27d4fc9364fe925abc57fa667e1bfb721ec Mon Sep 17 00:00:00 2001
From: David McDonald
Date: Wed, 12 Feb 2025 10:11:23 -0600
Subject: [PATCH] Windows Cmdline: Clean up output
The strings being used as return values here would (IMO) be better as debug statements, with the plugin returning `renderers.UnreadableValue()` for any of the `InvalidAddressException` code paths.
---
 volatility3/framework/plugins/windows/cmdline.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/volatility3/framework/plugins/windows/cmdline.py b/volatility3/framework/plugins/windows/cmdline.py
index 9bd9eda0e5..bad333a4c9 100644
--- a/volatility3/framework/plugins/windows/cmdline.py
+++ b/volatility3/framework/plugins/windows/cmdline.py
@@ -70,6 +70,7 @@ def _generator(self, procs):
 for proc in procs:
 process_name = utility.array_to_string(proc.ImageFileName)
 proc_id = "Unknown"
+ result_text = None
 try:
 proc_id = proc.UniqueProcessId
@@ -78,13 +79,22 @@ def _generator(self, procs):
 )
 except exceptions.SwappedInvalidAddressException as exp:
- result_text = f"Required memory at {exp.invalid_address:#x} is inaccessible (swapped)"
+ vollog.debug(
+ f"Required memory at {exp.invalid_address:#x} is inaccessible (swapped)"
+ )
 except exceptions.PagedInvalidAddressException as exp:
- result_text = f"Required memory at {exp.invalid_address:#x} is not valid (process exited?)"
+ vollog.debug(
+ f"Required memory at {exp.invalid_address:#x} is not valid (process exited?)"
+ )
 except exceptions.InvalidAddressException as exp:
- result_text = f"Process {proc_id}: Required memory at {exp.invalid_address:#x} is not valid (incomplete layer {exp.layer_name}?)"
+ vollog.debug(
+ f"Process {proc_id}: Required memory at {exp.invalid_address:#x} is not valid (incomplete layer {exp.layer_name}?)"
+ )
+
+ if not result_text:
+ result_text = renderers.UnreadableValue()
 yield (0, (proc.UniqueProcessId, process_name, result_text))
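Review bot: The new `if not result_text:` fallback at the end of the second hunk tests truthiness, so a command line that was read successfully but is empty would presumably be reported as `renderers.UnreadableValue()`, the same as a swapped or invalid page; `if result_text is None:` keeps "empty" and "unreadable" distinct, which matters when an analyst is triaging processes. The swapped and paged debug messages also carry no process identifier, and now that they go to the log rather than into the process's own output row there is nothing to tie the faulting address to a PID; prefixing them like the third message, e.g. `f"Process {proc_id}: Required memory at {exp.invalid_address:#x} is inaccessible (swapped)"`, restores that. The assignment to `result_text` inside the `try` lies between the two hunks and is not visible here, so the empty-string case is inferred rather than confirmed.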