def check_header(cls,
base_layer: interfaces.layers.DataLayerInterface,
offset: int = 0) -> Tuple[int, int]:
# Verify the Window's crash dump file magic
try:
header_data = base_layer.read(offset, cls._magic_struct.size)
except exceptions.InvalidAddressException:
raise WindowsCrashDumpFormatException(
base_layer.name,
"Crashdump header not found at offset {}".format(offset))
(signature, validdump) = cls._magic_struct.unpack(header_data)
if signature != cls.SIGNATURE:
raise WindowsCrashDumpFormatException(
base_layer.name,
"Bad signature 0x{:x} at file offset 0x{:x}".format(
signature, offset))
if validdump != cls.VALIDDUMP:
raise WindowsCrashDumpFormatException(
base_layer.name,
"Invalid dump 0x{:x} at file offset 0x{:x}".format(
validdump, offset))
return signature, validdump
def _check_header(cls,
base_layer: interfaces.layers.DataLayerInterface,
name: str = ''):
header = base_layer.read(0, 8)
if header[:4] != b'\x51\x45\x56\x4D':
raise exceptions.LayerException(name, 'No QEMU magic bytes')
if header[4:] != b'\x00\x00\x00\x03':
raise exceptions.LayerException(name,
'Unsupported QEMU version found')
def _read_configuration(self, base_layer: interfaces.layers.DataLayerInterface, name: str) -> Any:
"""Reads the JSON configuration from the end of the file"""
chunk_size = 0x4096
data = b''
for i in range(base_layer.maximum_address, base_layer.minimum_address, -chunk_size):
if i != base_layer.maximum_address:
data = base_layer.read(i, chunk_size) + data
if b'\x00' in data:
start = data.rfind(b'\x00')
data = data[data.find(b'{', start):]
return json.loads(data)
raise exceptions.LayerException(name, "Could not load JSON configuration from the end of the file")
def _check_header(cls, base_layer: interfaces.layers.DataLayerInterface, offset: int = 0) -> bool:
try:
header_data = base_layer.read(offset, cls._header_struct.size)
except exceptions.InvalidAddressException:
raise ElfFormatException(base_layer.name,
"Offset 0x{:0x} does not exist within the base layer".format(offset))
(magic, elf_class, elf_data_encoding, elf_version) = cls._header_struct.unpack(header_data)
if magic != cls.MAGIC:
raise ElfFormatException(base_layer.name, "Bad magic 0x{:x} at file offset 0x{:x}".format(magic, offset))
if elf_class != cls.ELF_CLASS:
raise ElfFormatException(base_layer.name, "ELF class is not 64-bit (2): {:d}".format(elf_class))
# Virtualbox uses an ELF version of 0, which isn't to specification, but is ok to deal with
return True
def _read_configuration(self,
base_layer: interfaces.layers.DataLayerInterface,
name: str) -> Any:
"""Reads the JSON configuration from the end of the file"""
chunk_size = 0x4096
data = b''
for i in range(base_layer.maximum_address, base_layer.minimum_address,
-chunk_size):
if i != base_layer.maximum_address:
data = (base_layer.read(i, chunk_size) + data).rstrip(b'\x00')
if b'\x00' in data:
last_null_byte = data.rfind(b'\x00')
start_of_json = data.find(b'{', last_null_byte)
if start_of_json >= 0:
data = data[start_of_json:]
return json.loads(data)
return dict()
raise exceptions.LayerException(
name, "Invalid JSON configuration at the end of the file")
def dump_file_producer(
cls, file_object: interfaces.objects.ObjectInterface,
memory_object: interfaces.objects.ObjectInterface,
open_method: Type[interfaces.plugins.FileHandlerInterface],
layer: interfaces.layers.DataLayerInterface, desired_file_name: str
) -> Optional[interfaces.plugins.FileHandlerInterface]:
"""Produce a file from the memory object's get_available_pages() interface.
:param file_object: the parent _FILE_OBJECT
:param memory_object: the _CONTROL_AREA or _SHARED_CACHE_MAP
:param open_method: class for constructing output files
:param layer: the memory layer to read from
:param desired_file_name: name of the output file
:return: result status
"""
filedata = open_method(desired_file_name)
try:
# Description of these variables:
# memoffset: offset in the specified layer where the page begins
# fileoffset: write to this offset in the destination file
# datasize: size of the page
# track number of bytes written so we don't write empty files to disk
bytes_written = 0
for memoffset, fileoffset, datasize in memory_object.get_available_pages(
):
data = layer.read(memoffset, datasize, pad=True)
bytes_written += len(data)
filedata.seek(fileoffset)
filedata.write(data)
if not bytes_written:
vollog.debug(
f"No data is cached for the file at {file_object.vol.offset:#x}"
)
return None
else:
vollog.debug(f"Stored {filedata.preferred_filename}")
return filedata
except exceptions.InvalidAddressException:
vollog.debug(f"Unable to dump file at {file_object.vol.offset:#x}")
return None
def _check_header(cls,
base_layer: interfaces.layers.DataLayerInterface,
offset: int = 0) -> Tuple[int, int]:
try:
header_data = base_layer.read(offset, cls._header_struct.size)
except exceptions.InvalidAddressException:
raise LimeFormatException(
base_layer.name,
f"Offset 0x{offset:0x} does not exist within the base layer")
(magic, version, start, end,
reserved) = cls._header_struct.unpack(header_data)
if magic != cls.MAGIC:
raise LimeFormatException(
base_layer.name,
f"Bad magic 0x{magic:x} at file offset 0x{offset:x}")
if version != cls.VERSION:
raise LimeFormatException(
base_layer.name,
f"Unexpected version {version:d} at file offset 0x{offset:x}")
return start, end