def column_types(self):
return dict(offset_v=self.session.profile._OBJECT_HEADER(),
_EPROCESS=self.session.profile._EPROCESS(),
handle=utils.HexInteger(0),
access=utils.HexInteger(0),
obj_type="",
details="")
def column_types(self):
task = self.session.profile.task_struct()
return dict(proc=task,
ppid=0,
uid=utils.HexInteger(0),
gid=utils.HexInteger(0),
dtb=utils.HexInteger(0),
start_time=task.task_start_time,
name="")
def collect(self):
for task in self.filter_processes():
for count, (handle, object_type,
name) in enumerate(self.enumerate_handles(task)):
self.session.report_progress("%s: %s handles" %
(task.ImageFileName, count))
yield (handle, task, utils.HexInteger(handle.HandleValue),
utils.HexInteger(handle.GrantedAccess), object_type,
utils.SmartUnicode(name))
def collect(self):
for task in self.filter_processes():
for count, (handle, object_type,
name) in enumerate(self.enumerate_handles(task)):
self.session.report_progress("%s: %s handles" %
(task.ImageFileName, count))
yield dict(_OBJECT_HEADER=handle,
_EPROCESS=task,
handle=utils.HexInteger(handle.HandleValue),
access=utils.HexInteger(handle.GrantedAccess),
obj_type=object_type,
details=utils.SmartUnicode(name))
def collect(self):
"""Renders the KPCR values as text"""
for kdbg in self.hits():
yield "Offset (V)", utils.HexInteger(kdbg.obj_offset)
yield "Offset (P)", utils.HexInteger(
kdbg.obj_vm.vtop(kdbg.obj_offset))
# These fields can be gathered without dereferencing
# any pointers, thus they're available always
yield "KDBG owner tag check", kdbg.is_valid()
verinfo = kdbg.dbgkd_version64()
if verinfo:
yield "Version64", "{0:#x} (Major: {1}, Minor: {2})\n".format(
verinfo.obj_offset, verinfo.MajorVersion,
verinfo.MinorVersion)
yield "Service Pack (CmNtCSDVersion)", kdbg.ServicePack
yield "Build string (NtBuildLab)", kdbg.NtBuildLab.dereference()
# Count the total number of tasks from PsActiveProcessHead.
try:
pslist = kdbg.PsActiveProcessHead.list_of_type(
"_EPROCESS", "ActiveProcessLinks")
num_tasks = len([x for x in pslist if x.pid > 0])
except AttributeError:
num_tasks = 0
try:
modules = self.session.plugins.modules(session=self.session)
num_modules = len(list(modules.lsmod()))
except AttributeError:
num_modules = 0
yield "PsActiveProcessHead", "{0:#x} ({1} processes)".format(
kdbg.PsActiveProcessHead, num_tasks)
yield "PsLoadedModuleList", "{0:#x} ({1} modules)".format(
kdbg.PsLoadedModuleList, num_modules)
yield "KernelBase", "{0:#x} (Matches MZ: {1})".format(
kdbg.KernBase,
kdbg.obj_vm.read(kdbg.KernBase, 2) == "MZ")
# Parse the PE header of the kernel.
pe_profile = self.session.LoadProfile("pe")
dos_header = pe_profile._IMAGE_DOS_HEADER(offset=kdbg.KernBase,
vm=kdbg.obj_vm)
nt_header = dos_header.NTHeader
if nt_header:
yield ("Major (OptionalHeader)",
nt_header.OptionalHeader.MajorOperatingSystemVersion)
yield ("Minor (OptionalHeader)",
nt_header.OptionalHeader.MinorOperatingSystemVersion)
# The CPU block.
for kpcr in kdbg.kpcrs():
yield "KPCR", "{0:#x} (CPU {1})".format(
kpcr.obj_offset, kpcr.ProcessorBlock.Number)