Do not yield DRIVER_OBJECT instances found in scanning that are not a…

…ctual instances #1481
volatilityfoundation · Dec 28, 2024 · 49dbb01 · 49dbb01
1 parent b1a42d9
commit 49dbb01
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/volatility3/framework/plugins/windows/driverscan.py b/volatility3/framework/plugins/windows/driverscan.py
@@ -55,6 +55,18 @@ def scan_drivers(
             context, layer_name, symbol_table, constraints
         ):
             _constraint, mem_object, _header = result
+
+            # *Many* _DRIVER_OBJECT instances were found at the end of a page
+            # leading to member access causing backtraces across several plugins
+            # when members were accessed as the next page was paged out.
+            # `DriverStart` is the first member from the beginning of the structure
+            #  of interest to plugins, so if it is not accessible then this instance
+            # is not useful or usable during analysis
+            try:
+                mem_object.DriverStart
+            except exceptions.InvalidAddressException:
+                continue
+
             yield mem_object
 
     @classmethod