- Fix small bug in glob matching.

- Swallow exceptions in driver letter mapping algorithm in case the object tree is not fully paged - it is better to fail to map single filename to its drive than to crash the whole plugin. Review URL: https://codereview.appspot.com/306910043 .
c3r34lk1ll3r · Aug 9, 2016 · 7a9d563 · 7a9d563
1 parent 4c5ef16
commit 7a9d563
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 14 deletions.
diff --git a/rekall-core/rekall/plugins/response/files.py b/rekall-core/rekall/plugins/response/files.py
@@ -184,7 +184,7 @@ def __init__(self, *args):
     def filter(self, file_info):
         for child in file_info.list():
             basename = os.path.basename(child.filename.name)
-            if self.component_re.match(basename, re.I):
+            if self.component_re.match(basename):
                 yield child
 
 

diff --git a/rekall-core/rekall/plugins/windows/kernel.py b/rekall-core/rekall/plugins/windows/kernel.py
@@ -101,19 +101,26 @@ class DriveLetterDeviceHook(common.AbstractWindowsParameterHook):
 
     @core.MethodWithAddressSpace()
     def calculate(self):
-        result = {}
-        obj_tree_plugin = self.session.plugins.object_tree()
-        # The global path contains symlinks from the drive letter to the device
-        # name.
-        for global_obj in obj_tree_plugin.GetObjectByName(r"\GLOBAL??").Object:
-            name = global_obj.NameInfo.Name.v()
-            if (global_obj.get_object_type() == "SymbolicLink" and
-                    len(name) > 1 and name[1] == ":"):
-                target = global_obj.Object.LinkTarget.v()
-
-                result[target] = name
-
-        return result
+        try:
+            result = {}
+            obj_tree_plugin = self.session.plugins.object_tree()
+            # The global path contains symlinks from the drive letter to the
+            # device name.
+            for global_obj in obj_tree_plugin.GetObjectByName(
+                    r"\GLOBAL??").Object:
+                name = global_obj.NameInfo.Name.v()
+                if (global_obj.get_object_type() == "SymbolicLink" and
+                        len(name) > 1 and name[1] == ":"):
+                    target = global_obj.Object.LinkTarget.v()
+
+                    result[target] = name
+
+            return result
+
+        # If we fail to traverse the object tree we just return None which will
+        # fail to resolve this drive letter but will try again next time.
+        except KeyError:
+            return None
 
 
 class KernelBaseHook(common.AbstractWindowsParameterHook):