Crashes across plugins due to _CELL_DATA vs _CM_KEY_NODE

[atcuno]

Many registry related plugins crash to due an error like this:

24-12-24 23:07:43 volatility3.cli DEBUG    Traceback (most recent call last):
  File "/home/ub/volatility3/volatility3/cli/__init__.py", line 501, in run
    renderer.render(grid)
  File "/home/ub/volatility3/volatility3/cli/text_renderer.py", line 232, in render
    grid.populate(visitor, outfd)
  File "/home/ub/volatility3/volatility3/framework/renderers/__init__.py", line 241, in populate
    for level, item in self._generator:
  File "/home/ub/volatility3/volatility3/framework/plugins/windows/registry/userassist.py", line 303, in _generator
    yield from self.list_userassist(hive)
  File "/home/ub/volatility3/volatility3/framework/plugins/windows/registry/userassist.py", line 170, in list_userassist
    userassist_node_path = hive.get_key(
                           ^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/layers/registry.py", line 177, in get_key
    raise RegistryFormatException(
volatility3.framework.layers.registry.RegistryFormatException: Encountered symbol_table_name1!_CELL_DATA instead of _CM_KEY_NODE

File "/home/ub/volatility3/volatility3/cli/__init__.py", line 501, in run
    renderer.render(grid)
  File "/home/ub/volatility3/volatility3/cli/text_renderer.py", line 232, in render
    grid.populate(visitor, outfd)
  File "/home/ub/volatility3/volatility3/framework/renderers/__init__.py", line 241, in populate
    for level, item in self._generator:
  File "/home/ub/volatility3/volatility3/plugins/windows/registry/certificates.py", line 86, in _generator
    node_path = hive.get_key(top_key, return_list=True)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ub/volatility3/volatility3/framework/layers/registry.py", line 177, in get_key
    raise RegistryFormatException(
volatility3.framework.layers.registry.RegistryFormatException: Encountered symbol_table_name1!_CELL_DATA instead of _CM_KEY_NODE

@superponible @dgmcdona - Are either of you familiar with _CELL_DATA? Is this a different data structure in certain versions of Windows? It crashes out any plugin that calls get_key when its present.

[atcuno]

Searching the code base, I see ikelos referenced the type here in a similar.

#982 (comment)

We at least need to leave this with a definitive answer to document it, but I assume our code is just broken/out dated due to how many samples had this issue in testing.

[ikelos]

So, if we've got known samples where we know which registry key it fails on, then we can break on the node creation bit and see which type of node it was expecting. It's possible we just don't implement a newer type that got added at some point? If we can add that, we may be able to solve a whole bunch of failures. It might be easier if we have a snapshot from a runnable system that we can trip this on, so we can interrogate the running registry to see which type of node the key actually points at...

[ikelos]

It looks like at full verbosity we already emit the faulty signature (if there is one) so we should see if it's always the same signature that turns up (and then research/implement that one) or if it's random/smeared and then figure out how best to deal with it...

volatility3/volatility3/framework/layers/registry.py

Line 165 in 4452aa6

f"Unknown Signature {signature} (0x{cell.u.KeyNode.Signature:x}) at offset {cell_offset}"

[atcuno]

Yes, we have quite a few samples where it happens. Dave is looking into it this coming week to run down the problem.

[superponible]

closing this as the errors will be handled with #1473

[ikelos]

It's probably better to leave issues open and add the PR that fixes them to the development list over to the right instead. That shows the link between them and will mean this automatically get closed once the PR gets merged...