Merge pull request #1625 from volatilityfoundation/issues/issue1435
Windows: Fix console potentially unbound variables
ikelos authored Feb 25, 2025
2 parents 1f3c4f2 + 8106a16 commit d8b8b20
Showing 1 changed file with 26 additions and 10 deletions.
36 changes: 26 additions & 10 deletions volatility3/framework/plugins/windows/consoles.py
Expand Up @@ -7,7 +7,7 @@
import logging
import os
import struct
from typing import Tuple, Generator, Set, Dict, Any, Type
from typing import Tuple, Optional, Generator, Set, Dict, Any, Type, List

from volatility3.framework import interfaces, symbols, exceptions
from volatility3.framework import renderers
Expand Down Expand Up @@ -74,7 +74,7 @@ def get_requirements(cls):
@classmethod
def find_conhost_proc(
cls, proc_list: Generator[interfaces.objects.ObjectInterface, None, None]
) -> Tuple[interfaces.context.ContextInterface, str]:
) -> Generator[Tuple[interfaces.objects.ObjectInterface, str], None, None]:
"""
Walks the process list and returns the conhost instances.
Expand All @@ -87,6 +87,7 @@ def find_conhost_proc(

for proc in proc_list:
if utility.array_to_string(proc.ImageFileName).lower() == "conhost.exe":
proc_id = "Unknown"
try:
proc_id = proc.UniqueProcessId
proc_layer_name = proc.add_process_layer()
Expand All @@ -100,8 +101,8 @@ def find_conhost_proc(

@classmethod
def find_conhostexe(
cls, conhost_proc: interfaces.context.ContextInterface
) -> Tuple[int, int]:
cls, conhost_proc: interfaces.objects.ObjectInterface
) -> Tuple[Optional[int], Optional[int]]:
"""
Finds the base address of conhost.exe
Expand Down Expand Up @@ -130,7 +131,7 @@ def determine_conhost_version(
config_path: str,
conhost_layer_name: str,
conhost_base: int,
) -> Tuple[str, Type]:
) -> Tuple[Optional[str], Dict[str, Type]]:
"""Tries to determine which symbol filename to use for the image's console information. This is similar to the
netstat plugin.
Expand Down Expand Up @@ -341,6 +342,11 @@ def create_conhost_symbol_table(
conhost_base,
)

if symbol_filename is None:
raise ValueError(
"Symbol filename could not be determined for conhost version"
)

vollog.debug(f"Using symbol file '{symbol_filename}' and types {class_types}")

return intermed.IntermediateSymbolTable.create(
Expand All @@ -362,10 +368,14 @@ def get_console_info(
procs: Generator[interfaces.objects.ObjectInterface, None, None],
max_history: Set[int],
max_buffers: Set[int],
) -> Tuple[
interfaces.context.ContextInterface,
interfaces.context.ContextInterface,
Dict[str, Any],
) -> Generator[
Tuple[
interfaces.objects.ObjectInterface,
Optional[interfaces.objects.ObjectInterface],
List[Any],
],
None,
None,
]:
"""Gets the Console Information structure and its related properties for each conhost process
Expand Down Expand Up @@ -401,6 +411,11 @@ def get_console_info(
"Unable to find the location of conhost.exe. Analysis cannot proceed."
)
continue
if conhostexe_size is None:
vollog.info(
"Unable to determine the size of conhost.exe. Analysis cannot proceed."
)
continue
vollog.debug(f"Found conhost.exe base at {conhostexe_base:#x}")

proc_layer = context.layers[proc_layer_name]
Expand All @@ -420,6 +435,7 @@ def get_console_info(
)

found_console_info_for_proc = False
console_info = None
# scan for potential _CONSOLE_INFORMATION structures by using the CommandHistorySize
for max_history_value in max_history:
max_history_bytes = struct.pack("H", max_history_value)
Expand All @@ -431,7 +447,7 @@ def get_console_info(
scanners.BytesScanner(max_history_bytes),
sections=[(conhostexe_base, conhostexe_size)],
):

console_info = None
console_properties = []

try:
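Review bot: The new `raise ValueError(...)` in create_conhost_symbol_table is the only failure path in this change that raises rather than skipping; the added size check in get_console_info calls `vollog.info(...)` and then `continue`. The caller is outside the visible hunks, so if it does not catch ValueError, a single conhost.exe whose version cannot be matched would likely stop console recovery for every remaining process in the image. I would either handle the exception per process at the call site or raise one of the framework's own exception types, and in both cases identify the process in the message, e.g. `f"Symbol filename could not be determined for conhost.exe at base {conhost_base:#x}"`. create_conhost_symbol_table starts and ends outside the hunk.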