def get_pool_header_table(cls, context: interfaces.context.ContextInterface, symbol_table: str) -> str:
"""Returns the appropriate symbol_table containing a _POOL_HEADER type, even if the original symbol table
doesn't contain one.
Args:
context: The context that the symbol tables does (or will) reside in
symbol_table: The expected symbol_table to contain the _POOL_HEADER type
"""
# Setup the pool header and offset differential
try:
context.symbol_space.get_type(symbol_table + constants.BANG + "_POOL_HEADER")
table_name = symbol_table
except exceptions.SymbolError:
# We have to manually load a symbol table
if symbols.symbol_table_is_64bit(context, symbol_table):
is_win_7 = versions.is_windows_7(context, symbol_table)
if is_win_7:
pool_header_json_filename = "poolheader-x64-win7"
else:
pool_header_json_filename = "poolheader-x64"
else:
pool_header_json_filename = "poolheader-x86"
# set the class_type to match the normal WindowsKernelIntermedSymbols
is_vista_or_later = versions.is_vista_or_later(context, symbol_table)
if is_vista_or_later:
class_type = extensions.pool.POOL_HEADER_VISTA
else:
class_type = extensions.pool.POOL_HEADER
table_name = intermed.IntermediateSymbolTable.create(context = context,
config_path = configuration.path_join(
context.symbol_space[symbol_table].config_path,
"poolheader"),
sub_path = "windows",
filename = pool_header_json_filename,
table_mapping = {'nt_symbols': symbol_table},
class_types = {'_POOL_HEADER': class_type})
return table_name
def list_big_pools(cls,
context: interfaces.context.ContextInterface,
layer_name: str,
symbol_table: str,
tags: Optional[list] = None):
"""Returns the big page pool objects from the kernel PoolBigPageTable array.
Args:
context: The context to retrieve required elements (layers, symbol tables) from
layer_name: The name of the layer on which to operate
symbol_table: The name of the table containing the kernel symbols
tags: An optional list of pool tags to filter big page pool tags by
Yields:
A big page pool object
"""
kvo = context.layers[layer_name].config['kernel_virtual_offset']
ntkrnlmp = context.module(symbol_table,
layer_name=layer_name,
offset=kvo)
big_page_table_offset = ntkrnlmp.get_symbol("PoolBigPageTable").address
big_page_table = ntkrnlmp.object(object_type="unsigned long long",
offset=big_page_table_offset)
big_page_table_size_offset = ntkrnlmp.get_symbol(
"PoolBigPageTableSize").address
big_page_table_size = ntkrnlmp.object(
object_type="unsigned long", offset=big_page_table_size_offset)
try:
big_page_table_type = ntkrnlmp.get_type("_POOL_TRACKER_BIG_PAGES")
except exceptions.SymbolError:
# We have to manually load a symbol table
is_vista_or_later = versions.is_vista_or_later(
context, symbol_table)
is_win10 = versions.is_win10(context, symbol_table)
if is_win10:
big_pools_json_filename = "bigpools-win10"
elif is_vista_or_later:
big_pools_json_filename = "bigpools-vista"
else:
big_pools_json_filename = "bigpools"
if symbols.symbol_table_is_64bit(context, symbol_table):
big_pools_json_filename += "-x64"
else:
big_pools_json_filename += "-x86"
new_table_name = intermed.IntermediateSymbolTable.create(
context=context,
config_path=configuration.path_join(
context.symbol_space[symbol_table].config_path,
"bigpools"),
sub_path=os.path.join("windows", "bigpools"),
filename=big_pools_json_filename,
table_mapping={'nt_symbols': symbol_table},
class_types={
'_POOL_TRACKER_BIG_PAGES':
extensions.pool.POOL_TRACKER_BIG_PAGES
})
module = context.module(new_table_name, layer_name, offset=0)
big_page_table_type = module.get_type("_POOL_TRACKER_BIG_PAGES")
big_pools = ntkrnlmp.object(object_type="array",
offset=big_page_table,
subtype=big_page_table_type,
count=big_page_table_size,
absolute=True)
for big_pool in big_pools:
if big_pool.is_valid():
if tags is None or big_pool.get_key() in tags:
yield big_pool