Jesse,
You may also want to look into the usage of the is_valid() method of the
Object class. A developer can use this method to check if a pointer is
valid so they will not generate an exception. This technique is used in
example3.py.
Thanks again,
AW
On Fri, 17 Oct 2008, AAron Walters wrote:
Jesse,
Thanks for the patch! I will get it checked in. I noticed you also made the
change for the byte-order. I've been working on a way to handle that in a
generic way so we can handle big-endian images as well. I look forward to
seeing your upcoming plugin.
Thanks,
AW
On Fri, 17 Oct 2008, Jesse Kornblum wrote:
Attached please find a patch to prevent the framework from crashing when
attempting to read an Object's value from memory that cannot be accessed
(e.g. marked invalid, paged out, etc). The patch prevents the code from
crashing but adds the condition that the methods to read values (.v and
.value) may return None.
In my work I've encountered memory images where a unicode string in the
ProcessParameters (i.e. Eprocess -> Peb -> ProcessParameters ->
CommandLine) has been marked "in transition". Volatility 1.3 Beta does
not read data from any page marked Invalid and read requests for those
data are returned with None. The methods to read object values do not
error-check the read method's return value and always attempt to unpack
the returned value. Attempting to unpack a None value results in an
unhandled exception.
Developers should be advised that the .v and .value methods can now
legally return None and should error-check the return values of those
functions before attempting to use them.
The plugin that generated these exceptions, a check for generally
suspicious processes and TrueCrypt in particular, will be posted shortly
to the Vol-users mailing list.
cheers,
--
Jesse
jessek(a)speakeasy.net
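The failure mode Jesse describes (an address-space read returning None for an invalid or in-transition page, handed straight to struct.unpack) and the is_valid() check AW points to in his reply, shown together in a small constructed model. This is an added illustration, not Volatility's own code or the attached patch: ToyAddressSpace, UnsafeULong, ULong, describe_value and sample_space are invented stand-ins for the framework's address space and Object classes, and the page layout is made up.

```python
import struct

PAGE_SIZE = 0x1000
PAGE_MASK = ~(PAGE_SIZE - 1)


class ToyAddressSpace:
    """Constructed stand-in for a Volatility address space (not the project's
    own class). Resident pages are stored as base -> bytes; any other page
    models an invalid, paged-out or in-transition page."""

    def __init__(self, resident_pages):
        self.pages = resident_pages

    def is_valid_address(self, addr):
        return (addr & PAGE_MASK) in self.pages

    def read(self, addr, length):
        """Return `length` bytes at addr, or None if any byte of the request
        lies on a page that is not resident (the 1.3 Beta behaviour the
        thread describes: invalid pages read as None, not as an exception)."""
        out = bytearray()
        cur, end = addr, addr + length
        while cur < end:
            base = cur & PAGE_MASK
            page = self.pages.get(base)
            if page is None:
                return None
            off = cur - base
            take = min(end - cur, PAGE_SIZE - off)
            out += page[off:off + take]
            cur += take
        return bytes(out)


class UnsafeULong:
    """Pre-patch shape: the read result goes straight into struct.unpack,
    so a None from the address space becomes an unhandled TypeError."""

    def __init__(self, space, offset):
        self.space, self.offset = space, offset

    def v(self):
        return struct.unpack("<I", self.space.read(self.offset, 4))[0]


class ULong:
    """Post-patch shape: v() may legally return None, and is_valid() lets a
    caller test the pointer before dereferencing it (the example3.py idiom)."""

    SIZE = 4

    def __init__(self, space, offset):
        self.space, self.offset = space, offset

    def is_valid(self):
        # Check every page the value touches, not only the first one, so a
        # value straddling into a non-resident page is reported as invalid.
        first = self.offset & PAGE_MASK
        last = (self.offset + self.SIZE - 1) & PAGE_MASK
        return all(self.space.is_valid_address(b)
                   for b in range(first, last + PAGE_SIZE, PAGE_SIZE))

    def v(self):
        data = self.space.read(self.offset, self.SIZE)
        if data is None:
            return None
        return struct.unpack("<I", data)[0]


def describe_value(obj):
    """Plugin-side idiom: check is_valid() before use, and still handle a
    None from v(), since both are now legal outcomes of a read."""
    if not obj.is_valid():
        return "unreadable (page not resident)"
    val = obj.v()
    if val is None:
        return "unreadable (read returned None)"
    return "0x%08x" % val


def pre_patch_crashes(space, offset):
    """True if the pre-patch reader raises on this offset instead of
    returning a value."""
    try:
        UnsafeULong(space, offset).v()
        return False
    except TypeError:
        return True


def sample_space():
    """Constructed image: one resident page at 0x1000 holding 0xDEADBEEF at
    its start; the page at 0x2000 is absent (paged out / in transition)."""
    page = bytearray(PAGE_SIZE)
    page[0:4] = struct.pack("<I", 0xDEADBEEF)
    return ToyAddressSpace({0x1000: bytes(page)})


if __name__ == "__main__":
    space = sample_space()
    print(describe_value(ULong(space, 0x1000)))   # resident value
    print(describe_value(ULong(space, 0x2000)))   # missing page
    print(describe_value(ULong(space, 0x1FFE)))   # straddles into missing page
    print("pre-patch reader raises:", pre_patch_crashes(space, 0x2000))
```

The straddling case at 0x1FFE is why is_valid() walks every page the value covers rather than only the first: a 4-byte read whose last two bytes land on the non-resident page still comes back as None from read(), and a plugin that only checked the first page would otherwise fall back on the None check in v().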
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev