def create_service_table(context: interfaces.context.ContextInterface,
symbol_table: str, config_path: str) -> str:
"""Constructs a symbol table containing the symbols for services
depending upon the operating system in use.
Args:
context: The context to retrieve required elements (layers, symbol tables) from
symbol_table: The name of the table containing the kernel symbols
config_path: The configuration path for any settings required by the new table
Returns:
A symbol table containing the symbols necessary for services
"""
native_types = context.symbol_space[symbol_table].natives
is_64bit = symbols.symbol_table_is_64bit(context, symbol_table)
if versions.is_windows_xp(context=context,
symbol_table=symbol_table) and not is_64bit:
symbol_filename = "services-xp-x86"
elif versions.is_xp_or_2003(context=context,
symbol_table=symbol_table) and is_64bit:
symbol_filename = "services-xp-2003-x64"
elif versions.is_win10_16299_or_later(
context=context, symbol_table=symbol_table) and is_64bit:
symbol_filename = "services-win10-16299-x64"
elif versions.is_win10_16299_or_later(
context=context, symbol_table=symbol_table) and not is_64bit:
symbol_filename = "services-win10-16299-x86"
elif versions.is_win10_up_to_15063(
context=context, symbol_table=symbol_table) and is_64bit:
symbol_filename = "services-win8-x64"
elif versions.is_win10_up_to_15063(
context=context, symbol_table=symbol_table) and not is_64bit:
symbol_filename = "services-win8-x86"
elif versions.is_win10_15063(context=context,
symbol_table=symbol_table) and is_64bit:
symbol_filename = "services-win10-15063-x64"
elif versions.is_win10_15063(
context=context, symbol_table=symbol_table) and not is_64bit:
symbol_filename = "services-win10-15063-x86"
elif versions.is_windows_8_or_later(
context=context, symbol_table=symbol_table) and is_64bit:
symbol_filename = "services-win8-x64"
elif versions.is_windows_8_or_later(
context=context, symbol_table=symbol_table) and not is_64bit:
symbol_filename = "services-win8-x86"
elif versions.is_vista_or_later(
context=context, symbol_table=symbol_table) and is_64bit:
symbol_filename = "services-vista-x64"
elif versions.is_vista_or_later(
context=context, symbol_table=symbol_table) and not is_64bit:
symbol_filename = "services-vista-x86"
else:
raise NotImplementedError(
"This version of Windows is not supported!")
return intermed.IntermediateSymbolTable.create(
context,
config_path,
os.path.join("windows", "services"),
symbol_filename,
class_types=services.class_types,
native_types=native_types)
def generate_pool_scan(cls,
context: interfaces.context.ContextInterface,
layer_name: str,
symbol_table: str,
constraints: List[PoolConstraint]) \
-> Generator[Tuple[
PoolConstraint, interfaces.objects.ObjectInterface, interfaces.objects.ObjectInterface], None, None]:
"""
Args:
context: The context to retrieve required elements (layers, symbol tables) from
layer_name: The name of the layer on which to operate
symbol_table: The name of the table containing the kernel symbols
constraints: List of pool constraints used to limit the scan results
Returns:
Iterable of tuples, containing the constraint that matched, the object from memory, the object header used to determine the object
"""
# get the object type map
type_map = handles.Handles.get_type_map(context = context, layer_name = layer_name, symbol_table = symbol_table)
cookie = handles.Handles.find_cookie(context = context, layer_name = layer_name, symbol_table = symbol_table)
is_windows_10 = versions.is_windows_10(context, symbol_table)
is_windows_8_or_later = versions.is_windows_8_or_later(context, symbol_table)
# start off with the primary virtual layer
scan_layer = layer_name
# switch to a non-virtual layer if necessary
if not is_windows_10:
scan_layer = context.layers[scan_layer].config['memory_layer']
if symbols.symbol_table_is_64bit(context, symbol_table):
alignment = 0x10
else:
alignment = 8
for constraint, header in cls.pool_scan(context, scan_layer, symbol_table, constraints, alignment = alignment):
mem_objects = header.get_object(constraint = constraint,
use_top_down = is_windows_8_or_later,
native_layer_name = layer_name,
kernel_symbol_table = symbol_table)
for mem_object in mem_objects:
if mem_object is None:
vollog.log(constants.LOGLEVEL_VVV, f"Cannot create an instance of {constraint.type_name}")
continue
if constraint.object_type is not None and not constraint.skip_type_test:
try:
if mem_object.get_object_header().get_object_type(type_map, cookie) != constraint.object_type:
continue
except exceptions.InvalidAddressException:
vollog.log(constants.LOGLEVEL_VVV,
f"Cannot test instance type check for {constraint.type_name}")
continue
yield constraint, mem_object, header