When trying to parse windows combase.dll getting error: TypeError: Unhandled leaf_type: 4105

Open shenjashuk opened this issue 11 months ago • 2 comments

Os type: windows 11 (10.0.22631)
Python version: 3.11
Dll version: 10.0.22621.2792 ( WinBuild.160101.0800 )
Dll link: https://drive.google.com/file/d/1t2D6lwl_cWUlpNPkyd-iBwNBsYGV8nJj/view
Pdb link: https://drive.google.com/file/d/1ZnyVtX6l-QKrn2SLnbyc36MIZHSKiyYG/view?usp=drive_link

My code doesn't download pdb, because of the error issued here: https://github.com/volatilityfoundation/volatility3/issues/1588

My code:

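```python
from pathlib import Path
from pdbparse.peinfo import get_external_codeview
from volatility3.framework import contexts
from volatility3.framework.symbols.windows import pdbconv

pdb_url = 'file:///combase.pdb'
# profile_name is not defined in the posted snippet; assumed value.
profile_name = 'combase'

# Open the PDB file from the local file:// location (nothing is downloaded).
pdb_reader = pdbconv.PdbReader(
    contexts.Context(), pdb_url, profile_name
)

# Convert the PDB to a JSON symbol table; this is the call that raises.
pdb_profile = pdb_reader.get_json()
```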

Error:

```
Traceback (most recent call last):
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\main.py", line 24, in <module>
    pdb_profile = pdb_reader.get_json()
                  ^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\symbols\windows\pdbconv.py", line 506, in get_json
    self.read_necessary_streams()
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\symbols\windows\pdbconv.py", line 217, in read_necessary_streams
    self.read_tpi_stream()
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\symbols\windows\pdbconv.py", line 225, in read_tpi_stream
    type_references = self._read_info_stream(2, "TPI", self.types)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\symbols\windows\pdbconv.py", line 286, in _read_info_stream
    output, consumed = self.consume_type(module, offset, length)
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\shenjashuk\PycharmProjects\pdb_file_worker\venv\Lib\site-packages\volatility3\framework\symbols\windows\pdbconv.py", line 822, in consume_type
    raise TypeError(f"Unhandled leaf_type: {leaf_type}")
TypeError: Unhandled leaf_type: 4105
```

shenjashuk avatar Jan 31 '25 12:01 shenjashuk

Volatility's pdb parser only works for C-based pdbs, not for things that were written in C++ (because the kernel only includes C structures). As such, not all leaf_types are handled, and you unfortunately hit one that isn't. You can find the parsers that this was based upon in the links of the docstring found here. The main issue for this can be found at #1210 if you'd like to keep on top of developments but I'm afraid it's fairly low priority since volatility is currently able to complete 99% of its tasks without needing support for C++ based PDB files...

ikelos avatar Jan 31 '25 14:01 ikelos

You can also try out #650 and see if that helps, but it's fairly stale code...

ikelos avatar Jan 31 '25 14:01 ikelos
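
Context for the number in the traceback: 4105 is 0x1009, which Microsoft's cvinfo.h names LF_MFUNCTION, the CodeView record for a C++ member function type. The sketch below is an added example, not code from volatility3 or from anyone in this thread; it walks the length-prefixed type records of a TPI stream and lists the C++-specific leaf kinds it finds. It assumes the input is the record area that follows the TPI header, and the helper names and sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

# CodeView leaf kinds (values from Microsoft's cvinfo.h); partial table.
LEAF_NAMES = {
    0x000A: "LF_VTSHAPE",
    0x1001: "LF_MODIFIER",
    0x1002: "LF_POINTER",
    0x1008: "LF_PROCEDURE",
    0x1009: "LF_MFUNCTION",   # 4105, the value in the traceback
    0x1201: "LF_ARGLIST",
    0x1203: "LF_FIELDLIST",
    0x1206: "LF_METHODLIST",
    0x1505: "LF_STRUCTURE",
}
# Kinds that describe C++ member functions or vtables.
CPP_KINDS = {0x000A, 0x1009, 0x1206}

def walk_records(blob, first_index=0x1000):
    """Yield (type_index, leaf_kind) for each record in a TPI record area."""
    offset, index = 0, first_index
    while offset < len(blob):
        if offset + 4 > len(blob):
            raise ValueError(f"truncated record header at offset {offset}")
        length, kind = struct.unpack_from("<HH", blob, offset)
        # length counts the bytes after the length field, kind included
        if length < 2 or offset + 2 + length > len(blob):
            raise ValueError(f"bad record length {length} at offset {offset}")
        yield index, kind
        offset += 2 + length
        index += 1

def cpp_records(blob):
    """Return [(type_index, name)] for records of C++-specific leaf kinds."""
    return [(i, LEAF_NAMES.get(k, hex(k)))
            for i, k in walk_records(blob) if k in CPP_KINDS]

def tally(blob):
    """Count records per leaf kind, by name where the table knows it."""
    return Counter(LEAF_NAMES.get(k, hex(k)) for _, k in walk_records(blob))

def _rec(kind, payload):
    """Build one constructed record: u16 length, u16 kind, payload."""
    return struct.pack("<HH", 2 + len(payload), kind) + payload

# Constructed sample: zero-filled payloads, only the framing is meaningful.
SAMPLE = _rec(0x1201, bytes(4)) + _rec(0x1008, bytes(12)) + _rec(0x1009, bytes(24))
```

The length checks matter when the PDB comes from an untrusted source, since a malformed record length would otherwise send the walker past the end of the buffer or into an endless loop.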

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] avatar Aug 20 '25 02:08 github-actions[bot]

This issue was closed because it has been inactive for 60 days since being marked as stale.

github-actions[bot] avatar Oct 19 '25 02:10 github-actions[bot]