def vad_dump(cls, context: interfaces.context.ContextInterface, layer_name: str, vad: interfaces.objects.ObjectInterface) -> bytes: """Extracts the complete data for Vad as a FileInterface Args: context: the context to operate upon layer_name: the name of the layer that the VAD lives within vad: the virtual address descriptor to be dumped Returns: bytes containing the data from the vad """ tmp_data = b"" proc_layer = context.layers[layer_name] chunk_size = 1024 * 1024 * 10 offset = vad.get_start() out_of_range = vad.get_end() # print("walking from {:x} to {:x} | {:x}".format(offset, out_of_range, out_of_range-offset)) while offset < out_of_range: to_read = min(chunk_size, out_of_range - offset) data = proc_layer.read(offset, to_read, pad=True) if not data: break tmp_data += data offset += to_read return tmp_data
def vad_dump(cls, context: interfaces.context.ContextInterface, proc: interfaces.objects.ObjectInterface, vad: interfaces.objects.ObjectInterface, open_method: Type[ interfaces.plugins.FileHandlerInterface], maxsize: int = MAXSIZE_DEFAULT) -> Optional[interfaces.plugins.FileHandlerInterface]: """Extracts the complete data for Vad as a FileInterface. Args: context: The context to retrieve required elements (layers, symbol tables) from proc: an _EPROCESS instance vad: The suspected VAD to extract (ObjectInterface) open_method: class to provide context manager for opening the file maxsize: Max size of VAD section (default MAXSIZE_DEFAULT) Returns: An open FileInterface object containing the complete data for the process or None in the case of failure """ try: vad_start = vad.get_start() vad_end = vad.get_end() except AttributeError: vollog.debug("Unable to find the starting/ending VPN member") return if maxsize > 0 and (vad_end - vad_start) > maxsize: vollog.debug("Skip VAD dump {0:#x}-{1:#x} due to maxsize limit".format(vad_start, vad_end)) return proc_id = "Unknown" try: proc_id = proc.UniqueProcessId proc_layer_name = proc.add_process_layer() except exceptions.InvalidAddressException as excp: vollog.debug("Process {}: invalid address {} in layer {}".format(proc_id, excp.invalid_address, excp.layer_name)) return None proc_layer = context.layers[proc_layer_name] file_name = "pid.{0}.vad.{1:#x}-{2:#x}.dmp".format(proc_id, vad_start, vad_end) try: file_handle = open_method(file_name) chunk_size = 1024 * 1024 * 10 offset = vad_start while offset < vad_end: to_read = min(chunk_size, vad_end - offset) data = proc_layer.read(offset, to_read, pad = True) if not data: break file_handle.write(data) offset += to_read except Exception as excp: vollog.debug("Unable to dump VAD {}: {}".format(file_name, excp)) return return file_handle
def vad_dump(cls, context: interfaces.context.ContextInterface, layer_name: str, vad: interfaces.objects.ObjectInterface) -> bytes: """ Returns VAD content """ tmp_data = b"" proc_layer = context.layers[layer_name] chunk_size = 1024 * 1024 * 10 offset = vad.get_start() out_of_range = vad.get_start() + vad.get_end() # print("walking from {:x} to {:x} | {:x}".format(offset, out_of_range, out_of_range-offset)) while offset < out_of_range: to_read = min(chunk_size, out_of_range - offset) data = proc_layer.read(offset, to_read, pad=True) if not data: break tmp_data += data offset += to_read return tmp_data