def _get_pool_header_module(cls, context, layer_name, symbol_table):
# Setup the pool header and offset differential
try:
module = context.module(symbol_table, layer_name, offset=0)
module.get_type("_POOL_HEADER")
except exceptions.SymbolError:
# We have to manually load a symbol table
if symbols.symbol_table_is_64bit(context, symbol_table):
is_win_7 = cls.is_windows_7(context, symbol_table)
if is_win_7:
pool_header_json_filename = "poolheader-x64-win7"
else:
pool_header_json_filename = "poolheader-x64"
else:
pool_header_json_filename = "poolheader-x86"
new_table_name = intermed.IntermediateSymbolTable.create(
context=context,
config_path=configuration.path_join(
context.symbol_space[symbol_table].config_path,
"poolheader"),
sub_path="windows",
filename=pool_header_json_filename,
table_mapping={'nt_symbols': symbol_table},
class_types={'_POOL_HEADER': extensions.pool.POOL_HEADER})
module = context.module(new_table_name, layer_name, offset=0)
return module
def configure_plugin(self, plugin_name, **kwargs):
"""Configure and return a plugin
Args:
plugin_name: name of the plugin to configure, as a string.
**kwargs: configuration options passed to the plugin
Returns:
The instantiated and configure volatility plugin.
"""
plugin = self.plugins[plugin_name]
# Set arguments
for key, value in kwargs.items():
config_path = path_join("plugins", plugin.__name__, key)
self.vol_ctx.config[config_path] = value
# Filter automagics
available_automagics = automagic.available(self.vol_ctx)
automagics = automagic.choose_automagic(available_automagics, plugin)
# Instantiate the plugin
return volplugins.construct_plugin(
self.vol_ctx,
automagics,
plugin,
"plugins",
MuteProgress(),
FileHandlerInterface,
)
def get_pool_header_table(cls,
context: interfaces.context.ContextInterface,
symbol_table: str) -> str:
"""Returns the appropriate symbol_table containing a _POOL_HEADER type, even if the original symbol table
doesn't contain one.
Args:
context: The context that the symbol tables does (or will) reside in
symbol_table: The expected symbol_table to contain the _POOL_HEADER type
"""
# Setup the pool header and offset differential
try:
context.symbol_space.get_type(symbol_table + constants.BANG +
"_POOL_HEADER")
table_name = symbol_table
except exceptions.SymbolError:
# We have to manually load a symbol table
if symbols.symbol_table_is_64bit(context, symbol_table):
is_win_7 = versions.is_windows_7(context, symbol_table)
if is_win_7:
pool_header_json_filename = "poolheader-x64-win7"
else:
pool_header_json_filename = "poolheader-x64"
else:
pool_header_json_filename = "poolheader-x86"
# set the class_type to match the normal WindowsKernelIntermedSymbols
is_vista_or_later = versions.is_vista_or_later(
context, symbol_table)
if is_vista_or_later:
class_type = extensions.pool.POOL_HEADER_VISTA
else:
class_type = extensions.pool.POOL_HEADER
table_name = intermed.IntermediateSymbolTable.create(
context=context,
config_path=configuration.path_join(
context.symbol_space[symbol_table].config_path,
"poolheader"),
sub_path="windows",
filename=pool_header_json_filename,
table_mapping={'nt_symbols': symbol_table},
class_types={'_POOL_HEADER': class_type})
return table_name
def list_big_pools(cls,
context: interfaces.context.ContextInterface,
layer_name: str,
symbol_table: str,
tags: Optional[list] = None):
"""Returns the big page pool objects from the kernel PoolBigPageTable array.
Args:
context: The context to retrieve required elements (layers, symbol tables) from
layer_name: The name of the layer on which to operate
symbol_table: The name of the table containing the kernel symbols
tags: An optional list of pool tags to filter big page pool tags by
Yields:
A big page pool object
"""
kvo = context.layers[layer_name].config['kernel_virtual_offset']
ntkrnlmp = context.module(symbol_table, layer_name = layer_name, offset = kvo)
big_page_table_offset = ntkrnlmp.get_symbol("PoolBigPageTable").address
big_page_table = ntkrnlmp.object(object_type = "unsigned long long", offset = big_page_table_offset)
big_page_table_size_offset = ntkrnlmp.get_symbol("PoolBigPageTableSize").address
big_page_table_size = ntkrnlmp.object(object_type = "unsigned long", offset = big_page_table_size_offset)
try:
big_page_table_type = ntkrnlmp.get_type("_POOL_TRACKER_BIG_PAGES")
except exceptions.SymbolError:
# We have to manually load a symbol table
is_vista_or_later = versions.is_vista_or_later(context, symbol_table)
is_win10 = versions.is_win10(context, symbol_table)
if is_win10:
big_pools_json_filename = "bigpools-win10"
elif is_vista_or_later:
big_pools_json_filename = "bigpools-vista"
else:
big_pools_json_filename = "bigpools"
if symbols.symbol_table_is_64bit(context, symbol_table):
big_pools_json_filename += "-x64"
else:
big_pools_json_filename += "-x86"
new_table_name = intermed.IntermediateSymbolTable.create(
context = context,
config_path = configuration.path_join(context.symbol_space[symbol_table].config_path, "bigpools"),
sub_path = "windows",
filename = big_pools_json_filename,
table_mapping = {'nt_symbols': symbol_table},
class_types = {'_POOL_TRACKER_BIG_PAGES': extensions.pool.POOL_TRACKER_BIG_PAGES})
module = context.module(new_table_name, layer_name, offset = 0)
big_page_table_type = module.get_type("_POOL_TRACKER_BIG_PAGES")
big_pools = ntkrnlmp.object(object_type = "array",
offset = big_page_table,
subtype = big_page_table_type,
count = big_page_table_size,
absolute = True)
for big_pool in big_pools:
if big_pool.is_valid():
if tags is None or big_pool.get_key() in tags:
yield big_pool