def vad_dump(cls, context: interfaces.context.ContextInterface,
layer_name: str,
vad: interfaces.objects.ObjectInterface) -> bytes:
"""Extracts the complete data for Vad as a FileInterface
Args:
context: the context to operate upon
layer_name: the name of the layer that the VAD lives within
vad: the virtual address descriptor to be dumped
Returns:
bytes containing the data from the vad
"""
tmp_data = b""
proc_layer = context.layers[layer_name]
chunk_size = 1024 * 1024 * 10
offset = vad.get_start()
out_of_range = vad.get_end()
# print("walking from {:x} to {:x} | {:x}".format(offset, out_of_range, out_of_range-offset))
while offset < out_of_range:
to_read = min(chunk_size, out_of_range - offset)
data = proc_layer.read(offset, to_read, pad=True)
if not data:
break
tmp_data += data
offset += to_read
return tmp_data
def vad_dump(cls,
context: interfaces.context.ContextInterface,
proc: interfaces.objects.ObjectInterface,
vad: interfaces.objects.ObjectInterface,
open_method: Type[
interfaces.plugins.FileHandlerInterface],
maxsize: int = MAXSIZE_DEFAULT) -> Optional[interfaces.plugins.FileHandlerInterface]:
"""Extracts the complete data for Vad as a FileInterface.
Args:
context: The context to retrieve required elements (layers, symbol tables) from
proc: an _EPROCESS instance
vad: The suspected VAD to extract (ObjectInterface)
open_method: class to provide context manager for opening the file
maxsize: Max size of VAD section (default MAXSIZE_DEFAULT)
Returns:
An open FileInterface object containing the complete data for the process or None in the case of failure
"""
try:
vad_start = vad.get_start()
vad_end = vad.get_end()
except AttributeError:
vollog.debug("Unable to find the starting/ending VPN member")
return
if maxsize > 0 and (vad_end - vad_start) > maxsize:
vollog.debug("Skip VAD dump {0:#x}-{1:#x} due to maxsize limit".format(vad_start, vad_end))
return
proc_id = "Unknown"
try:
proc_id = proc.UniqueProcessId
proc_layer_name = proc.add_process_layer()
except exceptions.InvalidAddressException as excp:
vollog.debug("Process {}: invalid address {} in layer {}".format(proc_id, excp.invalid_address,
excp.layer_name))
return None
proc_layer = context.layers[proc_layer_name]
file_name = "pid.{0}.vad.{1:#x}-{2:#x}.dmp".format(proc_id, vad_start, vad_end)
try:
file_handle = open_method(file_name)
chunk_size = 1024 * 1024 * 10
offset = vad_start
while offset < vad_end:
to_read = min(chunk_size, vad_end - offset)
data = proc_layer.read(offset, to_read, pad = True)
if not data:
break
file_handle.write(data)
offset += to_read
except Exception as excp:
vollog.debug("Unable to dump VAD {}: {}".format(file_name, excp))
return
return file_handle
def vad_dump(cls, context: interfaces.context.ContextInterface,
layer_name: str,
vad: interfaces.objects.ObjectInterface) -> bytes:
"""
Returns VAD content
"""
tmp_data = b""
proc_layer = context.layers[layer_name]
chunk_size = 1024 * 1024 * 10
offset = vad.get_start()
out_of_range = vad.get_start() + vad.get_end()
# print("walking from {:x} to {:x} | {:x}".format(offset, out_of_range, out_of_range-offset))
while offset < out_of_range:
to_read = min(chunk_size, out_of_range - offset)
data = proc_layer.read(offset, to_read, pad=True)
if not data:
break
tmp_data += data
offset += to_read
return tmp_data
def filter_function(x: interfaces.objects.ObjectInterface) -> bool:
return x.get_start() not in [self.config['address']]
