Пример #1
0
    def fix_image_base(self, raw_data: bytes,
                       nt_header: interfaces.objects.ObjectInterface) -> bytes:
        """Fix the _OPTIONAL_HEADER.ImageBase value (which is either an
        unsigned long for 32-bit PE's or unsigned long long for 64-bit PE's) to
        match the address where the PE file was carved out of memory.

        Args:
            raw_data: a bytes object of the PE's data
            nt_header: <_IMAGE_NT_HEADERS> or <_IMAGE_NT_HEADERS64> instance

        Returns:
             <bytes> patched with the correct address
        """

        image_base_offset = nt_header.OptionalHeader.ImageBase.vol.offset - self.vol.offset
        image_base_type = nt_header.OptionalHeader.ImageBase.vol.type_name
        member_size = self._context.symbol_space.get_type(image_base_type).size
        try:
            newval = objects.convert_value_to_data(
                self.vol.offset, int,
                nt_header.OptionalHeader.ImageBase.vol.data_format)
            new_pe = raw_data[:image_base_offset] + newval + raw_data[
                image_base_offset + member_size:]
        except OverflowError:
            vollog.warning("Volatility was unable to fix the image base for the PE file at base address {:#x}. " \
                        "This will cause issues with many static analysis tools if you do not inform the " \
                        "tool of the in-memory load address.".format(self.vol.offset))
            new_pe = raw_data

        return new_pe
Пример #2
0
    def replace_header_field(self, sect: interfaces.objects.ObjectInterface,
                             header: bytes,
                             item: interfaces.objects.ObjectInterface,
                             value: int) -> bytes:
        """Replaces a member in an _IMAGE_SECTION_HEADER structure.

        Args:
            sect: the section instance
            header: raw data for the section
            item: the member of the section to replace
            value: new value for the member

        Returns:
            The raw data with the replaced header field
        """

        member_size = self._context.symbol_space.get_type(
            item.vol.type_name).size
        start = item.vol.offset - sect.vol.offset
        newval = objects.convert_value_to_data(value, int,
                                               item.vol.data_format)
        result = header[:start] + newval + header[start + member_size:]
        return result
Пример #3
0
 def get_key(self) -> str:
     """Returns the Key value as a 4 character string"""
     tag_bytes = objects.convert_value_to_data(
         self.Key, int, objects.DataFormatInfo(4, "little", False))
     return "".join([chr(x) if 32 < x < 127 else '' for x in tag_bytes])