def DetectFromHit(self, hit, _, address_space):
for potential_path in self.KERNEL_PATHS:
# Try to make the kernel image into the address_space.
image_offset = address_space.get_mapped_offset(potential_path, 0)
if image_offset is not None:
file_as = addrspace.RunBasedAddressSpace(
base=address_space, session=self.session)
file_as.add_run(0, image_offset, 2**63)
pe_file_as = pe_vtypes.PEFileAddressSpace(
base=file_as, session=self.session)
pe_helper = pe_vtypes.PE(
session=self.session,
address_space=pe_file_as,
image_base=pe_file_as.image_base)
rsds = pe_helper.RSDS
self.session.logging.info(
"Found RSDS in kernel image: %s (%s)",
rsds.GUID_AGE, rsds.Filename)
result = self._test_rsds(rsds)
if result:
return result
def detect_guid_from_mapped_file(self):
"""Guess the guid for the PE file."""
# Try to load the file from the physical address space.
if self.session.physical_address_space.metadata("can_map_files"):
phys_as = self.session.physical_address_space
if self.filename:
image_offset = phys_as.get_mapped_offset(self.filename, 0)
if image_offset:
try:
file_as = addrspace.RunBasedAddressSpace(
base=phys_as, session=self.session)
file_as.add_run(0, image_offset, 2**63)
pe_file_as = pe_vtypes.PEFileAddressSpace(
base=file_as, session=self.session)
pe_helper = pe_vtypes.PE(
address_space=pe_file_as,
image_base=pe_file_as.image_base,
session=self.session)
return pe_helper.RSDS.GUID_AGE
except IOError:
pass
def DetectFromHit(self, hit, _, address_space):
# Try to make the kernel image into the address_space.
image_offset = address_space.get_mapped_offset(self.KERNEL_PATH, 0)
if image_offset is not None:
file_as = addrspace.RunBasedAddressSpace(base=address_space,
session=self.session)
file_as.add_run(0, image_offset, 2**63)
pe_file_as = pe_vtypes.PEFileAddressSpace(base=file_as,
session=self.session)
pe_helper = pe_vtypes.PE(session=self.session,
address_space=pe_file_as,
image_base=pe_file_as.image_base)
return self._test_rsds(pe_helper.RSDS)