def list_vads(cls, proc: interfaces.objects.ObjectInterface, filter_func: Callable[[interfaces.objects.ObjectInterface], bool] = lambda _: False) -> \ Generator[interfaces.objects.ObjectInterface, None, None]: """Lists the Virtual Address Descriptors of a specific process. Args: proc: _EPROCESS object from which to list the VADs filter_func: Function to take a virtual address descriptor value and return True if it should be filtered out Returns: A list of virtual address descriptors based on the process and filtered based on the filter function """ for vad in proc.get_vad_root().traverse(): if not filter_func(vad): yield vad
def get_vad(task: interfaces.objects.ObjectInterface, address: int): # vad """Creates a map of start/end addresses within a virtual address descriptor tree. Args: task: The EPROCESS object of which to traverse the vad tree Returns: An iterable of tuples containing start and end addresses for each descriptor """ vad_root = task.get_vad_root() for vad in vad_root.traverse(): end = vad.get_end() start = vad.get_start() if end > address >= start: return vad, start, end return None, None, None
def list_injections( cls, context: interfaces.context.ContextInterface, kernel_layer_name: str, symbol_table: str, proc: interfaces.objects.ObjectInterface ) -> Iterable[Tuple[interfaces.objects.ObjectInterface, bytes]]: """Generate memory regions for a process that may contain injected code. Args: context: The context to retrieve required elements (layers, symbol tables) from kernel_layer_name: The name of the kernel layer from which to read the VAD protections symbol_table: The name of the table containing the kernel symbols proc: an _EPROCESS instance Returns: An iterable of VAD instances and the first 64 bytes of data containing in that region """ proc_id = "Unknown" try: proc_id = proc.UniqueProcessId proc_layer_name = proc.add_process_layer() except exceptions.InvalidAddressException as excp: vollog.debug("Process {}: invalid address {} in layer {}".format( proc_id, excp.invalid_address, excp.layer_name)) return proc_layer = context.layers[proc_layer_name] for vad in proc.get_vad_root().traverse(): protection_string = vad.get_protection( vadinfo.VadInfo.protect_values(context, kernel_layer_name, symbol_table), vadinfo.winnt_protections) write_exec = "EXECUTE" in protection_string and "WRITE" in protection_string # the write/exec check applies to everything if not write_exec: continue if (vad.get_private_memory() == 1 and vad.get_tag() == "VadS") or ( vad.get_private_memory() == 0 and protection_string != "PAGE_EXECUTE_WRITECOPY"): if cls.is_vad_empty(proc_layer, vad): continue data = proc_layer.read(vad.get_start(), 64, pad=True) yield vad, data
def get_vad_maps( task: interfaces.objects.ObjectInterface ) -> Iterable[Tuple[int, int]]: """Creates a map of start/end addresses within a virtual address descriptor tree. Args: task: The EPROCESS object of which to traverse the vad tree Returns: An iterable of tuples containing start and end addresses for each descriptor """ vad_root = task.get_vad_root() for vad in vad_root.traverse(): end = vad.get_end() start = vad.get_start() yield (start, end - start)