
Merge pull request volatilityfoundation#1459 from Abyss-W4tcher/malfind_incorrect_ref_fix

Windows malfind: fix unbound page variable access
ikelos authored Dec 20, 2024
2 parents 812af0b + 15eb80b commit 6262fcf
Showing 1 changed file with 5 additions and 6 deletions.
11 changes: 5 additions & 6 deletions volatility3/framework/plugins/windows/malfind.py
Expand Up @@ -120,8 +120,7 @@ def list_injections(
vadinfo.winnt_protections,
)
write_exec = "EXECUTE" in protection_string and "WRITE" in protection_string
dirty_page_check = False

dirty_page = None
if not write_exec:
"""
# Inspect "PAGE_EXECUTE_READ" VAD pages to detect
Expand All @@ -135,12 +134,12 @@ def list_injections(
try:
# If we have a dirty page in a non writable "EXECUTE" region, it is suspicious.
if proc_layer.is_dirty(page):
dirty_page_check = True
dirty_page = page
break
except exceptions.InvalidAddressException:
# Abort as it is likely that other addresses in the same range will also fail.
break
if not dirty_page_check:
if dirty_page is None:
continue
else:
continue
Expand All @@ -152,10 +151,10 @@ def list_injections(
if cls.is_vad_empty(proc_layer, vad):
continue

if dirty_page_check:
if dirty_page is not None:
# Useful information to investigate the page content with volshell afterwards.
vollog.warning(
f"[proc_id {proc_id}] Found suspicious DIRTY + {protection_string} page at {hex(page)}",
f"[proc_id {proc_id}] Found suspicious DIRTY + {protection_string} page at {hex(dirty_page)}",
)
data = proc_layer.read(vad.get_start(), 64, pad=True)
yield vad, data
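Review bot: The `break` in the `except exceptions.InvalidAddressException` handler of the second hunk abandons the page walk of the whole region on the first page that cannot be translated, and with the new `if dirty_page is None: continue` that region is then silently dropped from the results; an EXECUTE region whose leading pages are not resident in the image, or that an injector deliberately leaves uncommitted ahead of its code, would apparently never have its later pages checked with `is_dirty`. If the `break` is only a cost optimisation, `except exceptions.InvalidAddressException: continue` keeps the scan going at the price of one exception per untranslatable page; if the early abort is intended, the trade-off deserves a comment next to it such as `# NOTE: one untranslatable page skips the rest of this VAD, so non-resident leading pages can hide later dirty pages`. On the third hunk, the `vollog.warning` on the new line builds the message eagerly with an f-string; the module's logger would accept the lazy form `vollog.warning("[proc_id %d] Found suspicious DIRTY + %s page at %#x", proc_id, protection_string, dirty_page)`. The loop that binds `page` and the enclosing `list_injections` both begin outside the visible hunks, so the loop's bounds and step could not be confirmed here.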
