
Added a try/except clause to winpmem.

This prevents kernel crashes (BSODs) in some rare cases.

Review URL: https://codereview.appspot.com/321070043.
scudette committed May 31, 2017
1 parent dace693 commit a76abcf74f2652494c67d28a60bd141a138271f1
@@ -11,7 +11,7 @@
import _winreg
from rekall import obj
from rekall import utils
from rekall_lib import utils
from rekall.plugins.overlays import basic
from rekall.plugins.response import common
@@ -7,7 +7,7 @@
from rekall import plugin
from rekall import obj
from rekall import utils
from rekall_lib import utils
from rekall.plugins.common import address_resolver
from rekall.plugins.response import common
from rekall.plugins.windows import address_resolver as win_address_resolver
@@ -4,7 +4,7 @@
import ctypes
from ctypes import wintypes
from rekall import addrspace
from rekall import utils
from rekall_lib import utils
from rekall.plugins.overlays import basic
from rekall.plugins.response import common
from rekall.plugins.response import processes
@@ -124,7 +124,7 @@ PTE_MMAP_OBJ *pte_mmap_windows_new(void) {
PTE_MMAP_OBJ *self = NULL;
// Allocate the object
self = ExAllocatePoolWithTag(NonPagedPool, sizeof(PTE_MMAP_OBJ),
self = ExAllocatePoolWithTag(NonPagedPoolNx, sizeof(PTE_MMAP_OBJ),
PMEM_POOL_TAG);
if (!self) return NULL;
@@ -124,8 +124,15 @@ static LONG PTEMmapPartialRead(IN PDEVICE_EXTENSION extension,
extension->pte_mmapper->remap_page(extension->pte_mmapper,
offset.QuadPart - page_offset) ==
PTE_SUCCESS) {
RtlCopyMemory(buf, (char *)(extension->pte_mmapper->rogue_page.value +
page_offset), to_read);
char *source = extension->pte_mmapper->rogue_page.value + page_offset;
try {
// Be extra careful here to not produce a BSOD. We would rather
// return a page of zeros than BSOD.
RtlCopyMemory(buf, source, to_read);
} except(EXCEPTION_EXECUTE_HANDLER) {
WinDbgPrint("Unable to read from %p", source);
RtlZeroMemory(buf, to_read);
}
} else {
// Failed to map page, null fill the buffer.
RtlZeroMemory(buf, to_read);
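Review bot: The `try`/`except(EXCEPTION_EXECUTE_HANDLER)` around `RtlCopyMemory` will not catch most faults on `source`, because `source` is a kernel-mode address inside the remapped rogue page: kernel-mode SEH only receives exceptions the kernel dispatches (faults on user-mode addresses, `ExRaiseStatus` and similar), whereas an invalid access to a kernel address normally bugchecks with PAGE_FAULT_IN_NONPAGED_AREA before any handler runs, and a read of a physical address with no backing RAM or device may hang or raise a machine check rather than a page fault. The comment "We would rather return a page of zeros than BSOD" therefore promises more than the handler can deliver, so I would reword it to `// SEH only covers faults the kernel dispatches as exceptions; an access to an unbacked physical address can still bugcheck, so callers must keep offsets within the ranges from MmGetPhysicalMemoryRanges().` so the next maintainer does not rely on it. If the driver does not already restrict reads to those ranges, that check belongs before `remap_page`, not in this handler. The enclosing function, PTEMmapPartialRead, starts and ends outside the hunk.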
@@ -167,7 +167,7 @@ NTSTATUS wddDispatchDeviceControl(IN PDEVICE_OBJECT DeviceObject,
// The old deprecated ioctrl interface for backwards
// compatibility. Do not use for new code.
case IOCTL_GET_INFO_DEPRECATED: {
char *buffer = ExAllocatePoolWithTag(PagedPool, 0x1000, PMEM_POOL_TAG);
char *buffer = ExAllocatePoolWithTag(NonPagedPoolNx, 0x1000, PMEM_POOL_TAG);
if (buffer) {
struct DeprecatedPmemMemoryInfo *info = (void *)IoBuffer;
@@ -88,6 +88,7 @@ struct PmemMemoryInfo {
LARGE_INTEGER KernBase; // The base of the kernel image.
// The following are deprecated and will not be set by the driver. It is safer
// to get these during analysis from NtBuildNumberAddr below.
LARGE_INTEGER KDBG; // The address of KDBG
