Improve cit plugin exception handling (#961)

fox-it · Dec 3, 2024 · 4388f76 · 4388f76
1 parent f36ce59
commit 4388f76
Showing 1 changed file with 20 additions and 7 deletions.
diff --git a/dissect/target/plugins/os/windows/regf/cit.py b/dissect/target/plugins/os/windows/regf/cit.py
@@ -632,16 +632,16 @@ def local_wintimestamp(target, ts):
 class CITPlugin(Plugin):
     """Plugin that parses CIT data from the registry.
 
-    Reference:
-    - https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/
+    References:
+        - https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/
     """
 
     __namespace__ = "cit"
 
     KEY = "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT"
 
     def check_compatible(self) -> None:
-        if not len(list(self.target.registry.keys(self.KEY))) > 0:
+        if not list(self.target.registry.keys(self.KEY)):
             raise UnsupportedPluginError("No CIT registry key found")
 
     @export(record=get_args(CITRecords))
@@ -770,8 +770,9 @@ def cit(self) -> Iterator[CITRecords]:
                         yield from _yield_bitmap_records(
                             self.target, cit, entry.use_data.bitmaps.foreground, CITProgramBitmapForegroundRecord
                         )
-                except Exception:
-                    self.target.log.exception("Failed to parse CIT value: %s", value.name)
+                except Exception as e:
+                    self.target.log.warning("Failed to parse CIT value: %s", value.name)
+                    self.target.log.debug("", exc_info=e)
 
     @export(record=CITPostUpdateUseInfoRecord)
     def puu(self) -> Iterator[CITPostUpdateUseInfoRecord]:
@@ -788,10 +789,16 @@ def puu(self) -> Iterator[CITPostUpdateUseInfoRecord]:
         for reg_key in keys:
             for key in self.target.registry.keys(reg_key):
                 try:
-                    puu = c_cit.CIT_POST_UPDATE_USE_INFO(key.value("PUUActive").value)
+                    key_value = key.value("PUUActive").value
+                    puu = c_cit.CIT_POST_UPDATE_USE_INFO(key_value)
                 except RegistryValueNotFoundError:
                     continue
 
+                except EOFError as e:
+                    self.target.log.warning("Exception reading CIT structure in key %s", key.path)
+                    self.target.log.debug("Unable to parse value %s", key_value, exc_info=e)
+                    continue
+
                 yield CITPostUpdateUseInfoRecord(
                     log_time_start=wintimestamp(puu.LogTimeStart),
                     update_key=puu.UpdateKey,
@@ -852,10 +859,16 @@ def dp(self) -> Iterator[CITDPRecord | CITDPDurationRecord]:
         for reg_key in keys:
             for key in self.target.registry.keys(reg_key):
                 try:
-                    dp = c_cit.CIT_DP_DATA(key.value("DP").value)
+                    key_value = key.value("DP").value
+                    dp = c_cit.CIT_DP_DATA(key_value)
                 except RegistryValueNotFoundError:
                     continue
 
+                except EOFError as e:
+                    self.target.log.warning("Exception reading CIT structure in key %s", key.path)
+                    self.target.log.debug("Unable to parse value %s", key_value, exc_info=e)
+                    continue
+
                 user = self.target.registry.get_user(key)
                 log_time_start = wintimestamp(dp.LogTimeStart)