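def DetectFromHit(self, hit, _, address_space):
    """Identify the kernel profile from the RSDS record of the kernel image.

    Each candidate path in ``self.KERNEL_PATHS`` is looked up in
    ``address_space`` (which must support file mapping), exposed as a
    stand-alone PE image and its RSDS debug record is handed to
    ``self._test_rsds``.  The first truthy result wins.

    Args:
      hit: unused here; kept for the detector interface.
      _: unused.
      address_space: the address space in which to locate the kernel image.

    Returns:
      Whatever ``self._test_rsds`` returns for the first candidate that
      matches, or None when no candidate yields a profile.
    """
    for potential_path in self.KERNEL_PATHS:
        image_offset = address_space.get_mapped_offset(potential_path, 0)
        if image_offset is None:
            continue

        try:
            # Re-base the mapped file at 0 so the PE parser can treat it as
            # a plain on-disk image.
            file_as = addrspace.RunBasedAddressSpace(
                base=address_space, session=self.session)
            file_as.add_run(0, image_offset, 2**63)
            pe_file_as = pe_vtypes.PEFileAddressSpace(
                base=file_as, session=self.session)
            pe_helper = pe_vtypes.PE(
                session=self.session, address_space=pe_file_as,
                image_base=pe_file_as.image_base)
            rsds = pe_helper.RSDS
        except IOError:
            # The image comes from an untrusted memory capture: a truncated
            # or corrupted PE must not abort the search over the remaining
            # candidate paths (same recovery as detect_guid_from_mapped_file).
            self.session.logging.debug(
                "Unable to parse kernel image at %s", potential_path)
            continue

        self.session.logging.info(
            "Found RSDS in kernel image: %s (%s)",
            rsds.GUID_AGE, rsds.Filename)

        result = self._test_rsds(rsds)
        if result:
            return result

    return None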
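def detect_guid_from_mapped_file(self):
    """Guess the GUID/age of the PE file by parsing it out of physical memory.

    Only attempted when the physical address space reports that it can map
    files and ``self.filename`` is set.  The mapped file is re-based at
    offset 0 through a run-based address space, wrapped as a PE image and
    its RSDS record read.

    Returns:
      The RSDS ``GUID_AGE`` of the mapped file, or None when the file is not
      mappable, not found, or fails to parse as a PE image.
    """
    phys_as = self.session.physical_address_space
    if not phys_as.metadata("can_map_files"):
        return None
    if not self.filename:
        return None

    image_offset = phys_as.get_mapped_offset(self.filename, 0)
    # Same unmapped test as the DetectFromHit detectors: only None means
    # "not mapped"; an offset of 0 is a legitimate mapping.
    if image_offset is None:
        return None

    try:
        file_as = addrspace.RunBasedAddressSpace(
            base=phys_as, session=self.session)
        file_as.add_run(0, image_offset, 2**63)
        pe_file_as = pe_vtypes.PEFileAddressSpace(
            base=file_as, session=self.session)
        pe_helper = pe_vtypes.PE(
            address_space=pe_file_as,
            image_base=pe_file_as.image_base,
            session=self.session)
        return pe_helper.RSDS.GUID_AGE
    except IOError:
        # Best effort: a corrupted or truncated image in the capture is not
        # fatal, but record it rather than failing silently.
        self.session.logging.debug(
            "Unable to parse mapped PE file %s", self.filename)
        return None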
def DetectFromHit(self, hit, _, address_space):
    """Resolve the kernel profile from the RSDS record of ``self.KERNEL_PATH``.

    The kernel image is located in ``address_space`` via file mapping,
    re-based at offset 0 and parsed as a PE image; its RSDS record is then
    passed to ``self._test_rsds``.

    Args:
      hit: unused here; kept for the detector interface.
      _: unused.
      address_space: the address space in which to locate the kernel image.

    Returns:
      The result of ``self._test_rsds`` for the kernel's RSDS record, or
      None when the kernel image is not mapped in ``address_space``.
    """
    kernel_offset = address_space.get_mapped_offset(self.KERNEL_PATH, 0)
    if kernel_offset is None:
        return None

    # Present the mapped file as its own address space starting at 0 so the
    # PE parser sees an ordinary on-disk image layout.
    mapped_file = addrspace.RunBasedAddressSpace(
        base=address_space, session=self.session)
    mapped_file.add_run(0, kernel_offset, 2**63)
    pe_space = pe_vtypes.PEFileAddressSpace(
        base=mapped_file, session=self.session)
    pe_image = pe_vtypes.PE(
        session=self.session, address_space=pe_space,
        image_base=pe_space.image_base)
    return self._test_rsds(pe_image.RSDS)