From 49dbb01c0f615493acaa25598c512eadf10139ca Mon Sep 17 00:00:00 2001
From: Andrew Case
Date: Sat, 28 Dec 2024 22:25:46 +0000
Subject: [PATCH] Do not yield DRIVER_OBJECT instances found in scanning that are not actual instances #1481
---
 volatility3/framework/plugins/windows/driverscan.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/volatility3/framework/plugins/windows/driverscan.py b/volatility3/framework/plugins/windows/driverscan.py
index 24d81c3d59..086abd841b 100644
--- a/volatility3/framework/plugins/windows/driverscan.py
+++ b/volatility3/framework/plugins/windows/driverscan.py
@@ -55,6 +55,18 @@ def scan_drivers(
 context, layer_name, symbol_table, constraints
 ):
 _constraint, mem_object, _header = result
+
+ # *Many* _DRIVER_OBJECT instances were found at the end of a page
+ # leading to member access causing backtraces across several plugins
+ # when members were accessed as the next page was paged out.
+ # `DriverStart` is the first member from the beginning of the structure
+ # of interest to plugins, so if it is not accessible then this instance
+ # is not useful or usable during analysis
+ try:
+ mem_object.DriverStart
+ except exceptions.InvalidAddressException:
+ continue
+
 yield mem_object
 @classmethod
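Review bot: The new `except exceptions.InvalidAddressException: continue` branch drops a scan candidate with no trace, which makes the scan's coverage hard to audit when an analyst compares results across plugins or memory images; consider recording the skipped offset before `continue`, e.g. `vollog.debug(f"Skipping _DRIVER_OBJECT at {mem_object.vol.offset:#x}: DriverStart not accessible")`, assuming the module has the usual module-level `vollog` logger. The bare `mem_object.DriverStart` expression statement is valid but reads as a no-op and will be flagged by linters as a useless expression; binding it (`_ = mem_object.DriverStart`) or adding a short trailing comment such as `# probe only; result intentionally unused` makes the intent explicit. If `exceptions` is not already imported at the top of driverscan.py, the handler would raise NameError on the first paged-out candidate instead of catching anything, so that import should be confirmed. The enclosing `scan_drivers` begins outside the hunk.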