Python volatility.obj.Pointer() Examples

The following are 27 code examples of volatility.obj.Pointer(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module volatility.obj , or try the search function .
Example #1
Source File: pidhashtable.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def _walk_upid(self, upid):

        while upid:

            pid = self.get_obj(upid.obj_offset, "pid", "numbers")

            for task in self._task_for_pid(upid, pid):
                yield task

            if type(upid.pid_chain) == obj.Pointer:
                pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
            else:
                pid_chain = upid.pid_chain

            if not pid_chain:
                break

            upid = self.get_obj(pid_chain.next, "upid", "pid_chain") 
Example #2
Source File: pidhashtable.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def _walk_upid(self, upid):

        while upid:

            pid = self.get_obj(upid.obj_offset, "pid", "numbers")

            for task in self._task_for_pid(upid, pid):
                yield task

            if type(upid.pid_chain) == obj.Pointer:
                pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
            else:
                pid_chain = upid.pid_chain

            if not pid_chain:
                break

            upid = self.get_obj(pid_chain.next, "upid", "pid_chain") 
Example #3
Source File: pidhashtable.py    From DAMM with GNU General Public License v2.0 6 votes vote down vote up
def _walk_upid(self, upid):

        while upid:

            pid = self.get_obj(upid.obj_offset, "pid", "numbers")

            for task in self._task_for_pid(upid, pid):
                yield task

            if type(upid.pid_chain) == obj.Pointer:
                pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
            else:
                pid_chain = upid.pid_chain

            if not pid_chain:
                break

            upid = self.get_obj(pid_chain.next, "upid", "pid_chain") 
Example #4
Source File: pidhashtable.py    From vortessence with GNU General Public License v2.0 6 votes vote down vote up
def _walk_upid(self, upid):

        while upid:

            pid = self.get_obj(upid.obj_offset, "pid", "numbers")

            for task in self._task_for_pid(upid, pid):
                yield task

            if type(upid.pid_chain) == obj.Pointer:
                pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
            else:
                pid_chain = upid.pid_chain

            if not pid_chain:
                break

            upid = self.get_obj(pid_chain.next, "upid", "pid_chain") 
Example #5
Source File: pidhashtable.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def _walk_upid(self, upid):
        seen = set()
        while upid and upid.is_valid() and upid.v() not in seen:
            seen.add(upid.v())

            pid = self.get_obj(upid.obj_offset, "pid", "numbers")

            for task in self._task_for_pid(upid, pid):
                yield task

            if type(upid.pid_chain) == obj.Pointer:
                pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
            else:
                pid_chain = upid.pid_chain

            if not pid_chain:
                break

            upid = self.get_obj(pid_chain.next, "upid", "pid_chain") 
Example #6
Source File: check_sysctl.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def _process_sysctl_list(self, sysctl_list, r = 0):

        if type(sysctl_list) == obj.Pointer:
            sysctl_list = sysctl_list.dereference_as("sysctl_oid_list")

        sysctl = sysctl_list.slh_first
        
        # skip the head entry if new list (recursive call)
        if r:
            sysctl = sysctl.oid_link.sle_next

        while sysctl and sysctl.is_valid():
            name = sysctl.oid_name.dereference()

            if len(name) == 0:
                break

            name = str(name)

            ctltype = sysctl.get_ctltype()

            if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid():
                val = self._parse_global_variable_sysctls(name)
            elif ctltype == 'CTLTYPE_NODE':
                if sysctl.oid_handler == 0:
                    for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1):
                        yield info 
                val = "Node"
            elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']:
                val = sysctl.oid_arg1.dereference()
            elif ctltype == 'CTLTYPE_STRING':
                ## FIXME: can we do this without get_string?
                val = common.get_string(sysctl.oid_arg1, self.addr_space)
            else:
                val = ctltype

            yield (sysctl, name, val)

            sysctl = sysctl.oid_link.sle_next 
Example #7
Source File: check_sysctl.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def _process_sysctl_list(self, sysctl_list, r = 0):

        if type(sysctl_list) == obj.Pointer:
            sysctl_list = sysctl_list.dereference_as("sysctl_oid_list")

        sysctl = sysctl_list.slh_first
        
        # skip the head entry if new list (recursive call)
        if r:
            sysctl = sysctl.oid_link.sle_next

        while sysctl and sysctl.is_valid():
            name = sysctl.oid_name.dereference()

            if len(name) == 0:
                break

            name = str(name)

            ctltype = sysctl.get_ctltype()

            if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid():
                val = self._parse_global_variable_sysctls(name)
            elif ctltype == 'CTLTYPE_NODE':
                if sysctl.oid_handler == 0:
                    for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1):
                        yield info 
                val = "Node"
            elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']:
                val = sysctl.oid_arg1.dereference()
            elif ctltype == 'CTLTYPE_STRING':
                ## FIXME: can we do this without get_string?
                val = common.get_string(sysctl.oid_arg1, self.addr_space)
            else:
                val = ctltype

            yield (sysctl, name, val)

            sysctl = sysctl.oid_link.sle_next 
Example #8
Source File: windows64.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def modification(self, profile):
        profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, {
                                    'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
                                    'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]],
                                                           }
                                                    ]})
        profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]

        profile.merge_overlay({'_DBGKD_GET_VERSION64' : [  None, {
            'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]],
            }]})

        # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs 
        # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
        # in windows.windows_overlay which sets the DTB to a single unsigned long,
        # but we do not want that bleeding through to the x64 profiles. Instead we 
        # want the x64 DTB to be a single unsigned long long. 
        profile.merge_overlay({'_KPROCESS' : [ None, {
            'DirectoryTableBase' : [ None, ['unsigned long long']],
            }]})

        # Note: the following method of profile modification is strongly discouraged
        #
        # Nasty hack because pointer64 has a special structure,
        # and therefore can't just be instantiated in object_classes
        # using profile.object_classes.update({'pointer64': obj.Pointer})
        profile._list_to_type = Pointer64Decorator(profile._list_to_type) 
Example #9
Source File: pidhashtable.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def calculate_v3(self):
        self.seen_tasks = {}

        pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space)
        pidhash_size = 1 << pidhash_shift

        pidhash_addr = self.addr_space.profile.get_symbol("pid_hash")
        pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)

        # pidhash is an array of hlist_heads
        pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)

        for hlist in pidhash:

            # each entry in the hlist is a upid which is wrapped in a pid
            ent = hlist.first

            while ent.v():
                upid = self.get_obj(ent.obj_offset, "upid", "pid_chain")

                for task in self._walk_upid(upid):
                    if not task.obj_offset in self.seen_tasks:
                        self.seen_tasks[task.obj_offset] = 1
                        if task.is_valid_task():
                            yield task

                ent = ent.m("next")

    # the following functions exist because crash has handlers for them
    # but I was unable to find a profile/kernel that needed them (maybe too old or just a one-off distro kernel
    # if someone actually triggers this message, I can quickly add in the support as I will have a sample to test again 
Example #10
Source File: slab_info.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def _get_nodelist(self):
        ent = self.nodelists

        if type(ent) == obj.Pointer:
            ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm)

        elif type(ent) == obj.Array:
            ret = ent[0]
        else:
            debug.error("Unknown nodelists types. %s" % type(ent))

        return ret 
Example #11
Source File: slab_info.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def _get_nodelist(self):
        ent = self.nodelists

        if type(ent) == obj.Pointer:
            ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm)

        elif type(ent) == obj.Array:
            ret = ent[0]
        else:
            debug.error("Unknown nodelists types. %s" % type(ent))

        return ret 
Example #12
Source File: check_sysctl.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def _process_sysctl_list(self, sysctl_list, r = 0):

        if type(sysctl_list) == obj.Pointer:
            sysctl_list = sysctl_list.dereference_as("sysctl_oid_list")

        sysctl = sysctl_list.slh_first
        
        # skip the head entry if new list (recursive call)
        if r:
            sysctl = sysctl.oid_link.sle_next

        while sysctl and sysctl.is_valid():
            name = sysctl.oid_name.dereference()

            if len(name) == 0:
                break

            name = str(name)

            ctltype = sysctl.get_ctltype()

            if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid():
                val = self._parse_global_variable_sysctls(name)
            elif ctltype == 'CTLTYPE_NODE':
                if sysctl.oid_handler == 0:
                    for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1):
                        yield info 
                val = "Node"
            elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']:
                val = sysctl.oid_arg1.dereference()
            elif ctltype == 'CTLTYPE_STRING':
                ## FIXME: can we do this without get_string?
                val = common.get_string(sysctl.oid_arg1, self.addr_space)
            else:
                val = ctltype

            yield (sysctl, name, val)

            sysctl = sysctl.oid_link.sle_next 
Example #13
Source File: windows64.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def modification(self, profile):
        profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, {
                                    'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
                                    'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]],
                                                           }
                                                    ]})
        profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]

        profile.merge_overlay({'_DBGKD_GET_VERSION64' : [  None, {
            'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]],
            }]})

        # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs 
        # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
        # in windows.windows_overlay which sets the DTB to a single unsigned long,
        # but we do not want that bleeding through to the x64 profiles. Instead we 
        # want the x64 DTB to be a single unsigned long long. 
        profile.merge_overlay({'_KPROCESS' : [ None, {
            'DirectoryTableBase' : [ None, ['unsigned long long']],
            }]})

        # Note: the following method of profile modification is strongly discouraged
        #
        # Nasty hack because pointer64 has a special structure,
        # and therefore can't just be instantiated in object_classes
        # using profile.object_classes.update({'pointer64': obj.Pointer})
        profile._list_to_type = Pointer64Decorator(profile._list_to_type) 
Example #14
Source File: pidhashtable.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def calculate_v3(self):
        self.seen_tasks = {}

        pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space)
        pidhash_size = 1 << pidhash_shift

        pidhash_addr = self.addr_space.profile.get_symbol("pid_hash")
        pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)

        # pidhash is an array of hlist_heads
        pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)

        for hlist in pidhash:

            # each entry in the hlist is a upid which is wrapped in a pid
            ent = hlist.first

            while ent.v():
                upid = self.get_obj(ent.obj_offset, "upid", "pid_chain")

                for task in self._walk_upid(upid):
                    if not task.obj_offset in self.seen_tasks:
                        self.seen_tasks[task.obj_offset] = 1
                        if task.is_valid_task():
                            yield task

                ent = ent.m("next")

    # the following functions exist because crash has handlers for them
    # but I was unable to find a profile/kernel that needed them (maybe too old or just a one-off distro kernel
    # if someone actually triggers this message, I can quickly add in the support as I will have a sample to test again 
Example #15
Source File: pidhashtable.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def _get_pidhash_array(self):
        pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space)
        pidhash_size = 1 << pidhash_shift

        pidhash_addr = self.addr_space.profile.get_symbol("pid_hash")
        pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)

        # pidhash is an array of hlist_heads
        pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)

        return pidhash 
Example #16
Source File: slab_info.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def _get_nodelist(self):
        ent = self.nodelists

        if type(ent) == obj.Pointer:
            ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm)

        elif type(ent) == obj.Array:
            ret = ent[0]
        else:
            debug.error("Unknown nodelists types. %s" % type(ent))

        return ret 
Example #17
Source File: slab_info.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def _get_nodelist(self):
        ent = self.nodelists

        if type(ent) == obj.Pointer:
            ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm)

        elif type(ent) == obj.Array:
            ret = ent[0]
        else:
            debug.error("Unknown nodelists types. %s" % type(ent))

        return ret 
Example #18
Source File: windows64.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def modification(self, profile):
        profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, {
                                    'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
                                    'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]],
                                                           }
                                                    ]})
        profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]

        profile.merge_overlay({'_DBGKD_GET_VERSION64' : [  None, {
            'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]],
            }]})

        # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs 
        # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
        # in windows.windows_overlay which sets the DTB to a single unsigned long,
        # but we do not want that bleeding through to the x64 profiles. Instead we 
        # want the x64 DTB to be a single unsigned long long. 
        profile.merge_overlay({'_KPROCESS' : [ None, {
            'DirectoryTableBase' : [ None, ['unsigned long long']],
            }]})

        # Note: the following method of profile modification is strongly discouraged
        #
        # Nasty hack because pointer64 has a special structure,
        # and therefore can't just be instantiated in object_classes
        # using profile.object_classes.update({'pointer64': obj.Pointer})
        profile._list_to_type = Pointer64Decorator(profile._list_to_type) 
Example #19
Source File: pidhashtable.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def calculate_v3(self):
        self.seen_tasks = {}

        pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space)
        pidhash_size = 1 << pidhash_shift

        pidhash_addr = self.addr_space.profile.get_symbol("pid_hash")
        pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)

        # pidhash is an array of hlist_heads
        pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)

        for hlist in pidhash:

            # each entry in the hlist is a upid which is wrapped in a pid
            ent = hlist.first

            while ent.v():
                upid = self.get_obj(ent.obj_offset, "upid", "pid_chain")

                for task in self._walk_upid(upid):
                    if not task.obj_offset in self.seen_tasks:
                        self.seen_tasks[task.obj_offset] = 1
                        if task.is_valid_task():
                            yield task

                ent = ent.m("next")

    # the following functions exist because crash has handlers for them
    # but I was unable to find a profile/kernel that needed them (maybe too old or just a one-off distro kernel
    # if someone actually triggers this message, I can quickly add in the support as I will have a sample to test again 
Example #20
Source File: pidhashtable.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def calculate_v2(self):
        poff = self.addr_space.profile.get_obj_offset("task_struct", "pids") 

        pidhash    = self._get_pidhash_array()

        for p  in pidhash:
            if p.v() == 0:
                continue
            
            ptr = obj.Object("Pointer", offset = p.v(), vm = self.addr_space)
    
            if ptr.v() == 0:
                continue

            pidl = obj.Object("pid_link", offset = ptr.v(), vm = self.addr_space)

            nexth = pidl.pid

            if not nexth.is_valid():
                continue
         
            nexth = obj.Object("task_struct", offset = nexth - poff, vm = self.addr_space)

            while 1:
                if not pidl:
                    break

                yield nexth
               
                pidl = pidl.node.m("next").dereference_as("pid_link")    
                
                nexth = pidl.pid

                if not nexth.is_valid():
                    break
 
                nexth = obj.Object("task_struct", offset = nexth - poff, vm = self.addr_space) 
Example #21
Source File: slab_info.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def _get_nodelist(self):
        ent = self.nodelists

        if type(ent) == obj.Pointer:
            ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm)

        elif type(ent) == obj.Array:
            ret = ent[0]
        else:
            debug.error("Unknown nodelists types. %s" % type(ent))

        return ret 
Example #22
Source File: check_sysctl.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def _process_sysctl_list(self, sysctl_list, r = 0):

        if type(sysctl_list) == obj.Pointer:
            sysctl_list = sysctl_list.dereference_as("sysctl_oid_list")

        sysctl = sysctl_list.slh_first
        
        # skip the head entry if new list (recursive call)
        if r:
            sysctl = sysctl.oid_link.sle_next

        while sysctl and sysctl.is_valid():
            name = sysctl.oid_name.dereference()

            if len(name) == 0:
                break

            name = str(name)

            ctltype = sysctl.get_ctltype()

            if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid():
                val = self._parse_global_variable_sysctls(name)
            elif ctltype == 'CTLTYPE_NODE':
                if sysctl.oid_handler == 0:
                    for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1):
                        yield info 
                val = "Node"
            elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']:
                val = sysctl.oid_arg1.dereference()
            elif ctltype == 'CTLTYPE_STRING':
                ## FIXME: can we do this without get_string?
                val = common.get_string(sysctl.oid_arg1, self.addr_space)
            else:
                val = ctltype

            yield (sysctl, name, val)

            sysctl = sysctl.oid_link.sle_next 
Example #23
Source File: windows64.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def modification(self, profile):
        profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, {
                                    'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
                                    'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]],
                                                           }
                                                    ]})
        profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]

        profile.merge_overlay({'_DBGKD_GET_VERSION64' : [  None, {
            'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]],
            }]})

        # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs 
        # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
        # in windows.windows_overlay which sets the DTB to a single unsigned long,
        # but we do not want that bleeding through to the x64 profiles. Instead we 
        # want the x64 DTB to be a single unsigned long long. 
        profile.merge_overlay({'_KPROCESS' : [ None, {
            'DirectoryTableBase' : [ None, ['unsigned long long']],
            }]})

        # Note: the following method of profile modification is strongly discouraged
        #
        # Nasty hack because pointer64 has a special structure,
        # and therefore can't just be instantiated in object_classes
        # using profile.object_classes.update({'pointer64': obj.Pointer})
        profile._list_to_type = Pointer64Decorator(profile._list_to_type) 
Example #24
Source File: pidhashtable.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def _get_pidhash_array(self):
        pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space)
        pidhash_size = 1 << pidhash_shift

        pidhash_addr = self.addr_space.profile.get_symbol("pid_hash")
        pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)

        # pidhash is an array of hlist_heads
        pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)

        return pidhash 
Example #25
Source File: windows64.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def modification(self, profile):
        profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, {
                                    'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
                                    'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]],
                                                           }
                                                    ]})
        profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]

        profile.merge_overlay({'_DBGKD_GET_VERSION64' : [  None, {
            'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]],
            }]})

        # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs 
        # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
        # in windows.windows_overlay which sets the DTB to a single unsigned long,
        # but we do not want that bleeding through to the x64 profiles. Instead we 
        # want the x64 DTB to be a single unsigned long long. 
        profile.merge_overlay({'_KPROCESS' : [ None, {
            'DirectoryTableBase' : [ None, ['unsigned long long']],
            }]})

        # Note: the following method of profile modification is strongly discouraged
        #
        # Nasty hack because pointer64 has a special structure,
        # and therefore can't just be instantiated in object_classes
        # using profile.object_classes.update({'pointer64': obj.Pointer})
        profile._list_to_type = Pointer64Decorator(profile._list_to_type) 
Example #26
Source File: check_fops.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def _get_name(self, pde, parent):
        if type(pde.name) == obj.Pointer:
            s = pde.name.dereference_as("String", length = 255)
        else:
            s = pde.obj_vm.read(pde.name.obj_offset, pde.namelen)
        
        return str(parent + "/" + str(s)) 
Example #27
Source File: check_fops.py    From volatility with GNU General Public License v2.0 4 votes vote down vote up
def check_proc_fop(self, f_op_members, modules):
        proc_mnt_addr = self.addr_space.profile.get_symbol("proc_mnt")
        
        if proc_mnt_addr:
            proc_mnt_ptr = obj.Object("Pointer", offset = proc_mnt_addr, vm = self.addr_space)
            proc_mnts    = [proc_mnt_ptr.dereference_as("vfsmount")]
        else:
            proc_mnts = []
            seen_pids = {}
                
            if self.addr_space.profile.obj_has_member("nsproxy", "pid_ns"):
                ns_member = "pid_ns"
            else:
                ns_member = "pid_ns_for_children"

            for task in self.tasks:
                nsp = task.nsproxy
                pidns = nsp.m(ns_member)

                if pidns.v() in seen_pids:
                    continue

                seen_pids[pidns.v()] = 1

                proc_mnts.append(pidns.proc_mnt)

        for proc_mnt in proc_mnts:
            root = proc_mnt.mnt_root

            for (hooked_member, hook_address) in self.verify_ops(root.d_inode.i_fop, f_op_members, modules):
                yield ("proc_mnt: root: %x" % root.v(), hooked_member, hook_address)

            # only check the root directory
            if self.addr_space.profile.obj_has_member("dentry", "d_child"):
                walk_member = "d_child"
            else:
                walk_member = "d_u"

            for dentry in root.d_subdirs.list_of_type("dentry", walk_member):
                name = dentry.d_name.name.dereference_as("String", length = 255)

                for (hooked_member, hook_address) in self.verify_ops(dentry.d_inode.i_fop, f_op_members, modules): 
                    yield("proc_mnt: {0:x}:{1}".format(root.v(), name), hooked_member, hook_address)