Exemple #1
0
    def _check_header(cls,
                      base_layer: interfaces.layers.DataLayerInterface,
                      offset: int = 0) -> Tuple[int, int]:

        # Verify the Window's crash dump file magic
        try:
            header_data = base_layer.read(offset, cls._magic_struct.size)
        except exceptions.InvalidAddressException:
            raise WindowsCrashDump32FormatException(
                base_layer.name,
                "Crashdump header not found at offset {}".format(offset))
        (signature, validdump) = cls._magic_struct.unpack(header_data)

        if signature != cls.SIGNATURE:
            raise WindowsCrashDump32FormatException(
                base_layer.name,
                "Bad signature 0x{:x} at file offset 0x{:x}".format(
                    signature, offset))
        if validdump != cls.VALIDDUMP:
            raise WindowsCrashDump32FormatException(
                base_layer.name,
                "Invalid dump 0x{:x} at file offset 0x{:x}".format(
                    validdump, offset))

        return (signature, validdump)
Exemple #2
0
 def _check_header(cls,
                   base_layer: interfaces.layers.DataLayerInterface,
                   name: str = ''):
     header = base_layer.read(0, 8)
     if header[:4] != b'\x51\x45\x56\x4D':
         raise exceptions.LayerException(name, 'No QEMU magic bytes')
     if header[4:] != b'\x00\x00\x00\x03':
         raise exceptions.LayerException(name,
                                         'Unsupported QEMU version found')
Exemple #3
0
 def _read_configuration(self, base_layer: interfaces.layers.DataLayerInterface, name: str) -> Any:
     """Reads the JSON configuration from the end of the file"""
     chunk_size = 0x4096
     data = b''
     for i in range(base_layer.maximum_address, base_layer.minimum_address, -chunk_size):
         if i != base_layer.maximum_address:
             data = base_layer.read(i, chunk_size) + data
             if b'\x00' in data:
                 start = data.rfind(b'\x00')
                 data = data[data.find(b'{', start):]
                 return json.loads(data)
     raise exceptions.LayerException(name, "Could not load JSON configuration from the end of the file")
Exemple #4
0
 def _check_header(cls, base_layer: interfaces.layers.DataLayerInterface, offset: int = 0) -> Tuple[int, int]:
     try:
         header_data = base_layer.read(offset, cls._header_struct.size)
     except exceptions.InvalidAddressException:
         raise LimeFormatException(base_layer.name,
                                   "Offset 0x{:0x} does not exist within the base layer".format(offset))
     (magic, version, start, end, reserved) = cls._header_struct.unpack(header_data)
     if magic != cls.MAGIC:
         raise LimeFormatException(base_layer.name, "Bad magic 0x{:x} at file offset 0x{:x}".format(magic, offset))
     if version != cls.VERSION:
         raise LimeFormatException(base_layer.name,
                                   "Unexpected version {:d} at file offset 0x{:x}".format(version, offset))
     return start, end
 def _check_header(cls, base_layer: interfaces.layers.DataLayerInterface, offset: int = 0) -> bool:
     try:
         header_data = base_layer.read(offset, cls._header_struct.size)
     except exceptions.InvalidAddressException:
         raise ElfFormatException(base_layer.name,
                                  "Offset 0x{:0x} does not exist within the base layer".format(offset))
     (magic, elf_class, elf_data_encoding, elf_version) = cls._header_struct.unpack(header_data)
     if magic != cls.MAGIC:
         raise ElfFormatException(base_layer.name, "Bad magic 0x{:x} at file offset 0x{:x}".format(magic, offset))
     if elf_class != cls.ELF_CLASS:
         raise ElfFormatException(base_layer.name, "ELF class is not 64-bit (2): {:d}".format(elf_class))
     # Virtualbox uses an ELF version of 0, which isn't to specification, but is ok to deal with
     return True
Exemple #6
0
    def dump_file_producer(
        cls, file_object: interfaces.objects.ObjectInterface,
        memory_object: interfaces.objects.ObjectInterface,
        open_method: Type[interfaces.plugins.FileHandlerInterface],
        layer: interfaces.layers.DataLayerInterface, desired_file_name: str
    ) -> Optional[interfaces.plugins.FileHandlerInterface]:
        """Produce a file from the memory object's get_available_pages() interface.

        :param file_object: the parent _FILE_OBJECT
        :param memory_object: the _CONTROL_AREA or _SHARED_CACHE_MAP
        :param open_method: class for constructing output files
        :param layer: the memory layer to read from
        :param desired_file_name: name of the output file
        :return: result status
        """
        filedata = open_method(desired_file_name)
        try:
            # Description of these variables:
            #   memoffset: offset in the specified layer where the page begins
            #   fileoffset: write to this offset in the destination file
            #   datasize: size of the page

            # track number of bytes written so we don't write empty files to disk
            bytes_written = 0
            for memoffset, fileoffset, datasize in memory_object.get_available_pages(
            ):
                data = layer.read(memoffset, datasize, pad=True)
                bytes_written += len(data)
                filedata.seek(fileoffset)
                filedata.write(data)

            if not bytes_written:
                vollog.debug("No data is cached for the file at {0:#x}".format(
                    file_object.vol.offset))
                return None
            else:
                vollog.debug("Stored {}".format(filedata.preferred_filename))
                return filedata
        except exceptions.InvalidAddressException:
            vollog.debug("Unable to dump file at {0:#x}".format(
                file_object.vol.offset))
            return None