def get_file_address_space(self, filename):
    """Open a file stored in the AFF4 image as an address space.

    The name is looked up case-insensitively in self.filenames, exactly as
    the caller passed it.

    NOTE(review): get_mapped_offset normalizes the name and retries with
    "System32" in place of "SysNative"; this method does neither. Confirm
    that the difference is intended.

    Returns:
      An AFF4StreamWrapper around the opened stream, or None when the lookup
      yields nothing.
    """
    urn = utils.CaseInsensitiveDictLookup(filename, self.filenames)
    if not urn:
        return None

    stream = self.resolver.AFF4FactoryOpen(urn)
    return AFF4StreamWrapper(stream)
def get_mapped_offset(self, filename, file_offset=0):
    """Map a file from the AFF4 image into this address space.

    The result of every lookup, including a failed one, is remembered in
    self.mapped_files so the image is searched only once per name.

    Args:
      filename: Name of the file to map. It is passed through
        self._normalize_filename before any lookup.
      file_offset: Offset inside the file to translate.

    Returns:
      The offset in this address space that corresponds to file_offset in
      the mapped file, or None when the file is not in the image.
    """
    filename = self._normalize_filename(filename)
    base = utils.CaseInsensitiveDictLookup(filename, self.mapped_files)

    if base is None:
        # Not seen before: look for the file among the image's streams.
        subject = utils.CaseInsensitiveDictLookup(filename, self.filenames)

        if not subject:
            # An image taken by the 32 bit WinPmem imager names native files
            # through SysNative although they really live in System32, so
            # retry under that name.
            # NOTE(review): str.replace is case-sensitive while the lookups
            # are not, so a differently cased "sysnative" is not rewritten.
            system32_name = filename.replace("SysNative", "System32")
            subject = utils.CaseInsensitiveDictLookup(
                system32_name, self.filenames)

        if subject:
            stream = self.resolver.AFF4FactoryOpen(subject)
            base = self.file_mapping_offset(filename)
            wrapped_stream = AFF4StreamWrapper(stream)
            self.add_run(base, 0, stream.Size(), wrapped_stream)
            self.session.logging.info(
                "Mapped %s into address %#x", stream.urn, base)
        else:
            # -1 marks a file that was looked for and not found.
            base = -1

    # Store under the normalized name, so later calls hit the cache directly.
    self.mapped_files[filename] = base

    if base > 0:
        return base + file_offset

    return None
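def file_mapping_offset(self, filename):
    """Return the offset at which filename should be mapped.

    The chosen offsets are kept in the session cache under "file_mappings",
    so the same file is given the same offset every time it is asked for.

    Args:
      filename: Name of the file that is about to be mapped.

    Returns:
      The offset recorded for this file, or a newly reserved one.
    """
    mapped_files = self.session.GetParameter("file_mappings", {})

    # Use the case-insensitive lookup for the hit test as well as for the
    # value. The previous `filename in mapped_files` test was case-sensitive,
    # so a name differing only in case from a recorded one was given a second
    # offset, which defeats the repeatability this cache exists for. The
    # other callers in this file treat a None result as "not found".
    recorded_offset = utils.CaseInsensitiveDictLookup(filename, mapped_files)
    if recorded_offset is not None:
        return recorded_offset

    # Leave a gap after the current end of the address space, then clear the
    # low 12 bits so the mapping starts on a 0x1000 boundary.
    mapped_offset = (self.end() + 0x10000) & 0xFFFFFFFFFFFFF000
    mapped_files[filename] = mapped_offset
    self.session.SetCache("file_mappings", mapped_files)

    return mapped_offset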
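def _parse_path_components(self, components, _link_depth=0):
    """Resolve path components against the session's object tree.

    Walks the "object_tree" session parameter one component at a time.
    Empty components are skipped and "??" is treated as "GLOBAL??". A first
    component that is not found is retried inside "GLOBAL??". A symbolic
    link is replaced by its target and the path is parsed again from the
    root. The walk stops at the first node that is neither a directory nor a
    symbolic link.

    The link target is read from the analysed image, and the original code
    followed links without any bound, so a link that leads back to itself
    recursed until the interpreter's recursion limit. The number of links
    followed is now capped and the failure is reported as KeyError, the
    same exception already raised for a component that cannot be found.

    Args:
      components: List of path components.
      _link_depth: Internal count of symbolic links followed so far.
        Callers should leave it at its default.

    Returns:
      The list of components that were resolved, followed by the unparsed
      remainder when the walk stopped at a non-directory node.

    Raises:
      KeyError: A component was not found, or too many symbolic links were
        followed.
    """
    # Arbitrary cap, well above any nesting expected of a genuine path.
    max_link_depth = 32

    node = self.session.GetParameter("object_tree")
    new_components = []
    for i, component in enumerate(components):
        if not component:
            continue

        if component == "??":
            component = "GLOBAL??"

        next_node = utils.CaseInsensitiveDictLookup(
            component, node["Children"])

        # If the first component is not found, search for it in the global
        # namespace. This cannot repeat: the retried path starts with
        # "GLOBAL??", which this test excludes.
        if next_node is None and i == 0 and component != "GLOBAL??":
            return self._parse_path_components(
                ["GLOBAL??"] + components, _link_depth)

        if next_node is None:
            raise KeyError(
                "component %r not found at %s" % (
                    component, "\\".join(new_components)))

        node_type = next_node["type"]
        if node_type == "SymbolicLink":
            if _link_depth >= max_link_depth:
                raise KeyError(
                    "too many symbolic links followed at component %r" % (
                        component,))

            object_header = self.session.profile._OBJECT_HEADER(
                next_node["offset"])
            target = object_header.Object.LinkTarget.v()

            # Append the remaining components to the target and re-parse.
            return self._parse_path_components(
                target.split("\\") + components[i+1:], _link_depth + 1)

        if node_type != "Directory":
            return new_components + components[i:]

        new_components.append(component)
        node = next_node

    return new_components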