def _get_pool_header_module(cls, context, layer_name, symbol_table): # Setup the pool header and offset differential try: module = context.module(symbol_table, layer_name, offset=0) module.get_type("_POOL_HEADER") except exceptions.SymbolError: # We have to manually load a symbol table if symbols.symbol_table_is_64bit(context, symbol_table): is_win_7 = cls.is_windows_7(context, symbol_table) if is_win_7: pool_header_json_filename = "poolheader-x64-win7" else: pool_header_json_filename = "poolheader-x64" else: pool_header_json_filename = "poolheader-x86" new_table_name = intermed.IntermediateSymbolTable.create( context=context, config_path=configuration.path_join( context.symbol_space[symbol_table].config_path, "poolheader"), sub_path="windows", filename=pool_header_json_filename, table_mapping={'nt_symbols': symbol_table}, class_types={'_POOL_HEADER': extensions.pool.POOL_HEADER}) module = context.module(new_table_name, layer_name, offset=0) return module
def configure_plugin(self, plugin_name, **kwargs): """Configure and return a plugin Args: plugin_name: name of the plugin to configure, as a string. **kwargs: configuration options passed to the plugin Returns: The instantiated and configure volatility plugin. """ plugin = self.plugins[plugin_name] # Set arguments for key, value in kwargs.items(): config_path = path_join("plugins", plugin.__name__, key) self.vol_ctx.config[config_path] = value # Filter automagics available_automagics = automagic.available(self.vol_ctx) automagics = automagic.choose_automagic(available_automagics, plugin) # Instantiate the plugin return volplugins.construct_plugin( self.vol_ctx, automagics, plugin, "plugins", MuteProgress(), FileHandlerInterface, )
def get_pool_header_table(cls, context: interfaces.context.ContextInterface, symbol_table: str) -> str: """Returns the appropriate symbol_table containing a _POOL_HEADER type, even if the original symbol table doesn't contain one. Args: context: The context that the symbol tables does (or will) reside in symbol_table: The expected symbol_table to contain the _POOL_HEADER type """ # Setup the pool header and offset differential try: context.symbol_space.get_type(symbol_table + constants.BANG + "_POOL_HEADER") table_name = symbol_table except exceptions.SymbolError: # We have to manually load a symbol table if symbols.symbol_table_is_64bit(context, symbol_table): is_win_7 = versions.is_windows_7(context, symbol_table) if is_win_7: pool_header_json_filename = "poolheader-x64-win7" else: pool_header_json_filename = "poolheader-x64" else: pool_header_json_filename = "poolheader-x86" # set the class_type to match the normal WindowsKernelIntermedSymbols is_vista_or_later = versions.is_vista_or_later( context, symbol_table) if is_vista_or_later: class_type = extensions.pool.POOL_HEADER_VISTA else: class_type = extensions.pool.POOL_HEADER table_name = intermed.IntermediateSymbolTable.create( context=context, config_path=configuration.path_join( context.symbol_space[symbol_table].config_path, "poolheader"), sub_path="windows", filename=pool_header_json_filename, table_mapping={'nt_symbols': symbol_table}, class_types={'_POOL_HEADER': class_type}) return table_name
def list_big_pools(cls, context: interfaces.context.ContextInterface, layer_name: str, symbol_table: str, tags: Optional[list] = None): """Returns the big page pool objects from the kernel PoolBigPageTable array. Args: context: The context to retrieve required elements (layers, symbol tables) from layer_name: The name of the layer on which to operate symbol_table: The name of the table containing the kernel symbols tags: An optional list of pool tags to filter big page pool tags by Yields: A big page pool object """ kvo = context.layers[layer_name].config['kernel_virtual_offset'] ntkrnlmp = context.module(symbol_table, layer_name = layer_name, offset = kvo) big_page_table_offset = ntkrnlmp.get_symbol("PoolBigPageTable").address big_page_table = ntkrnlmp.object(object_type = "unsigned long long", offset = big_page_table_offset) big_page_table_size_offset = ntkrnlmp.get_symbol("PoolBigPageTableSize").address big_page_table_size = ntkrnlmp.object(object_type = "unsigned long", offset = big_page_table_size_offset) try: big_page_table_type = ntkrnlmp.get_type("_POOL_TRACKER_BIG_PAGES") except exceptions.SymbolError: # We have to manually load a symbol table is_vista_or_later = versions.is_vista_or_later(context, symbol_table) is_win10 = versions.is_win10(context, symbol_table) if is_win10: big_pools_json_filename = "bigpools-win10" elif is_vista_or_later: big_pools_json_filename = "bigpools-vista" else: big_pools_json_filename = "bigpools" if symbols.symbol_table_is_64bit(context, symbol_table): big_pools_json_filename += "-x64" else: big_pools_json_filename += "-x86" new_table_name = intermed.IntermediateSymbolTable.create( context = context, config_path = configuration.path_join(context.symbol_space[symbol_table].config_path, "bigpools"), sub_path = "windows", filename = big_pools_json_filename, table_mapping = {'nt_symbols': symbol_table}, class_types = {'_POOL_TRACKER_BIG_PAGES': extensions.pool.POOL_TRACKER_BIG_PAGES}) module = context.module(new_table_name, layer_name, offset = 0) big_page_table_type = module.get_type("_POOL_TRACKER_BIG_PAGES") big_pools = ntkrnlmp.object(object_type = "array", offset = big_page_table, subtype = big_page_table_type, count = big_page_table_size, absolute = True) for big_pool in big_pools: if big_pool.is_valid(): if tags is None or big_pool.get_key() in tags: yield big_pool