Not properly handling NoneObjects in some output

[GoogleCodeExporter]

So I've been testing the latest branch and found something that has actually 
been around since at least r1296.  Basically on some of the scanning plugins we 
have output with NoneObjects:

$ !gr
grep NoneObj *
VistaSP2x86_modscan.txt:0x3d6cff38 <volatility.obj.NoneObject object at 
0x103718d50>  0x008e300000 0x009000 'TSDDD.\\u444e\\u6873\x01'
Win2K3SP0x86_driverscan.txt:0x0295db28    4    0 0xf7497000  61440 
'\x00\x00\x00\x00\x00\x00' '\\uffe1\\xff\\uffe1\\xff\x00\x00' 
<volatility.obj.NoneObject object at 0x1035ba290>
Win2K3SP0x86_modscan.txt:0x02a17850 <volatility.obj.NoneObject object at 
0x1035af9d0>  0x0000000000 0xf74e7000 'Dfs.sys'
Win2K3SP0x86_symlinkscan.txt:0x030f02f0    1    0 2010-09-26 20:12:47      ''   
                <volatility.obj.NoneObject object at 0x1035a5990>
Win2K3SP0x86_symlinkscan.txt:0x030f3950    1    0 2010-09-26 20:12:47      ''   
                <volatility.obj.NoneObject object at 0x1035a5c90>
Win2K3SP0x86_symlinkscan.txt:0x030f39f0    1    0 2010-09-26 20:12:47      ''   
                <volatility.obj.NoneObject object at 0x1035a5990>
Win2K3SP0x86_symlinkscan.txt:0x030f3a90    1    0 2010-09-26 20:12:47      ''   
                <volatility.obj.NoneObject object at 0x1035a5c50>
WinXPSP2x86_modscan.txt:0x019fc490 <volatility.obj.NoneObject object at 
0x1035a31d0>  0x0000790053 0x6d0065 <volatility.obj.NoneObject object at 
0x1035a3810>

MHL suggested the following patch:

$ svn diff
Index: volatility/plugins/overlays/windows/windows.py
===================================================================
--- volatility/plugins/overlays/windows/windows.py  (revision 1457)
+++ volatility/plugins/overlays/windows/windows.py  (working copy)
@@ -168,6 +168,8 @@
         return bool(self.Buffer)

     def __format__(self, formatspec):
+        if not self.v():
+            return format('', formatspec)
         return format(self.v(), formatspec)

     def __str__(self):

But that doesn't fix it, unfortunately.  I've attached another patch here that 
does fix it, but I'm not sure if there is something "better" that we should do 
here...

Original issue reported on code.google.com by jamie.l...@gmail.com on 21 Feb 2012 at 9:59

Attachments:

• vol-none-objects.patch

[GoogleCodeExporter]

Hmmmm, probably we shouldn't be using repr(), but something like str().  Either 
that or (worse) define a __repr__() function for NoneObjects.  Any thoughts on 
why we used repr() in the first place?

Original comment by mike.auty@gmail.com on 21 Feb 2012 at 10:04

[GoogleCodeExporter]

I'm not sure why we used it... I think maybe because there was an issue when 
some funky characters were printed in the terminal.

Original comment by jamie.l...@gmail.com on 21 Feb 2012 at 10:15

[GoogleCodeExporter]

Hmmmm, ok.  I'd prefer to work on resolving the funky characters some other 
way, and use str() if necessary.  If that proves too difficult we can fall back 
to a more descriptive repr(), but technically it's supposed to give a 
representation of the object, and that's exactly what it's done for the 
NoneObject...

Original comment by mike.auty@gmail.com on 21 Feb 2012 at 10:24

[GoogleCodeExporter]

I believe this change was introduced during the unicode discussion we
had... As i mentioned then str() is not really appropriate since the
value could be unicode. We should have a SmartStr() equivalent for
these kind of things.

Michael.

Original comment by scude...@gmail.com on 22 Feb 2012 at 8:53

[GoogleCodeExporter]

Original comment by mike.auty@gmail.com on 10 Mar 2012 at 11:35

• Added labels: Task-Unicode

[GoogleCodeExporter]

Ok, well r1563 changed the reprs back to strs, so we shouldn't be seeing 
<NoneObjects> again in those circumstances.  Feel free to reopen this if 
there's other situations where these occur.

Original comment by mike.auty@gmail.com on 21 Mar 2012 at 11:45

• Changed state: Fixed