Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Crashes across plugins due to _CELL_DATA vs _CM_KEY_NODE #1472

Open
atcuno opened this issue Dec 27, 2024 · 1 comment
Open

Crashes across plugins due to _CELL_DATA vs _CM_KEY_NODE #1472

atcuno opened this issue Dec 27, 2024 · 1 comment
Assignees
@superponible
Labels
parity-release

Comments

@atcuno
Copy link
Contributor

atcuno commented Dec 27, 2024

Many registry related plugins crash to due an error like this:

24-12-24 23:07:43 volatility3.cli DEBUG    Traceback (most recent call last):
  File "/home/ub/volatility3/volatility3/cli/__init__.py", line 501, in run
    renderer.render(grid)
  File "/home/ub/volatility3/volatility3/cli/text_renderer.py", line 232, in render
    grid.populate(visitor, outfd)
  File "/home/ub/volatility3/volatility3/framework/renderers/__init__.py", line 241, in populate
    for level, item in self._generator:
  File "/home/ub/volatility3/volatility3/framework/plugins/windows/registry/userassist.py", line 303, in _generator
    yield from self.list_userassist(hive)
  File "/home/ub/volatility3/volatility3/framework/plugins/windows/registry/userassist.py", line 170, in list_userassist
    userassist_node_path = hive.get_key(
                           ^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/layers/registry.py", line 177, in get_key
    raise RegistryFormatException(
volatility3.framework.layers.registry.RegistryFormatException: Encountered symbol_table_name1!_CELL_DATA instead of _CM_KEY_NODE

File "/home/ub/volatility3/volatility3/cli/__init__.py", line 501, in run
    renderer.render(grid)
  File "/home/ub/volatility3/volatility3/cli/text_renderer.py", line 232, in render
    grid.populate(visitor, outfd)
  File "/home/ub/volatility3/volatility3/framework/renderers/__init__.py", line 241, in populate
    for level, item in self._generator:
  File "/home/ub/volatility3/volatility3/plugins/windows/registry/certificates.py", line 86, in _generator
    node_path = hive.get_key(top_key, return_list=True)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/layers/registry.py", line 177, in get_key
    raise RegistryFormatException(
volatility3.framework.layers.registry.RegistryFormatException: Encountered symbol_table_name1!_CELL_DATA instead of _CM_KEY_NODE

@superponible @dgmcdona - Are either of you familiar with _CELL_DATA? Is this a different data structure in certain versions of Windows? It crashes out any plugin that calls get_key when its present.
@atcuno atcuno mentioned this issue Dec 27, 2024
Open
@atcuno
Copy link
Contributor Author

atcuno commented Dec 27, 2024

Searching the code base, I see ikelos referenced the type here in a similar.

#982 (comment)

We at least need to leave this with a definitive answer to document it, but I assume our code is just broken/out dated due to how many samples had this issue in testing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@superponible superponible

Labels
parity-release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@atcuno @superponible