1 # Rekall Memory Forensics
2 # Copyright (C) 2007,2008 Volatile Systems
3 # Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.ligh@mnin.org>
4 # Copyright 2013 Google Inc. All Rights Reserved.
5 #
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 2 of the License, or (at
9 # your option) any later version.
10 #
11 # This program is distributed in the hope that it will be useful, but
12 # WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 # General Public License for more details.
15 #
16 # You should have received a copy of the GNU General Public License
17 # along with this program; if not, write to the Free Software
18 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
19 #
20
21 """This file contains all the undocumented structs that were derived by
22 reversing. We try to also include references to the original reverser.
23
24 """
25
AMD64 = {
    # Most offsets in this table were recovered by reversing rather than taken
    # from public symbols (see the module docstring); they are build-specific
    # and should be validated against the target kernel before output derived
    # from them is trusted.

    # Reference:
    # http://gate.upm.ro/os/LABs/Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC/WindowsResearchKernel-WRK/WRK-v1.2/base/ntos/mm/wrtfault.c
    #
    # Layout from http://www.cnblogs.com/kkindof/articles/2571227.html,
    # recovered by reversing nt!MiSessionInsertImage:
    #
    #   win8.1.raw 18:05:45> dis "nt!MiSessionInsertImage"
    #   0xf802d314344a 4E e871030300 CALL 0xf802d31737c0 nt!memset
    #   ...
    #   0xf802d314345a 5E 48897b20 MOV [RBX+0x20], RDI
    #
    #   typedef struct _IMAGE_ENTRY_IN_SESSION {
    #       LIST_ENTRY Link;
    #       PVOID Address;
    #       PVOID LastAddress;
    #       ULONG ImageCountInThisSession;
    #       LOGICAL ImageLoading;
    #       PMMPTE PrototypePtes;
    #       PKLDR_DATA_TABLE_ENTRY DataTableEntry;
    #       PSESSION_GLOBAL_SUBSECTION_INFO GlobalSubs;
    #   } IMAGE_ENTRY_IN_SESSION, * PIMAGE_ENTRY_IN_SESSION;
    #
    # Only the first three members are modelled here; the struct size is left
    # unspecified (None).
    "_IMAGE_ENTRY_IN_SESSION": [None, {
        "Link": [0x00, ["_LIST_ENTRY"]],
        "Address": [0x10, ["Pointer"]],
        "LastAddress": [0x18, ["Pointer"]],
    }],

    # Reversed from tcpip.sys!TcpStartPartitionModule.  The outer Array has no
    # literal length: it is resolved when the object is instantiated from the
    # profile's "PartitionCount" constant, so the count is a callable.  Each
    # element is a pointer to four FIRST_LEVEL_DIR entries.
    "PARTITION_TABLE": [None, {
        "Partitions": [0x08, ["Array", {
            "target": "Pointer",
            "count": lambda obj: obj.obj_profile.get_constant_object(
                "PartitionCount", "unsigned int"),
            "target_args": {
                "target": "Array",
                "target_args": {
                    "count": 4,
                    "target": "FIRST_LEVEL_DIR",
                },
            },
        }]],
    }],

    # ntoskrnl.exe!RtlCreateHashTable (PoolTag:HTab).
    "FIRST_LEVEL_DIR": [0x24, {
        "SizeOfSecondLevel": [0x08, ["unsigned int"]],
        "Mask": [0x10, ["unsigned int"]],
        # Reversed from ntoskrnl.exe!RtlpAllocateSecondLevelDir: pointer to the
        # actual hash table (PoolTag:HTab), an array of _LIST_ENTRY buckets
        # whose length is the SizeOfSecondLevel member of this same struct.
        "SecondLevel": [0x20, ["Pointer", {
            "target": "Array",
            "target_args": {
                "count": lambda obj: obj.SizeOfSecondLevel,
                "target": "_LIST_ENTRY",
            },
        }]],
    }],

    # Two _SERVICE_DESCRIPTOR_ENTRY records back to back (2 * 0x20 = 0x40).
    "_SERVICE_DESCRIPTOR_TABLE": [0x40, {
        "Descriptors": [0x00, ["Array", {
            "target": "_SERVICE_DESCRIPTOR_ENTRY",
            "count": 2,
        }]],
    }],

    # On 64 bit KiServiceTable holds RVAs relative to the table base rather
    # than absolute pointers, which is why the element type is a signed "int".
    # The element count is read from the entry's own ServiceLimit member.
    # Ref:
    # http://forum.sysinternals.com/keservicedescriptortableshadow-address_topic14093.html
    "_SERVICE_DESCRIPTOR_ENTRY": [0x20, {
        "KiServiceTable": [0x00, ["Pointer", {
            "target": "Array",
            "target_args": {
                "count": lambda obj: obj.ServiceLimit,
                "target": "int",
            },
        }]],
        "CounterBaseTable": [0x08, ["Pointer"]],
        "ServiceLimit": [0x10, ["unsigned long long"]],
        "ArgumentTable": [0x18, ["Pointer"]],
    }],

    # Documented in ./base/ntos/inc/mm.h WRK-v1.2.
    "_UNLOADED_DRIVER": [0x28, {
        "Name": [0x00, ["_UNICODE_STRING"]],
        "StartAddress": [0x10, ["Pointer"]],
        "EndAddress": [0x18, ["Pointer"]],
        "CurrentTime": [0x20, ["WinFileTime"]],
    }],
}
121
122
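I386 = {
    # 32-bit layout of _IMAGE_ENTRY_IN_SESSION (declaration quoted under the
    # AMD64 table above): LIST_ENTRY Link occupies 0x00..0x07 and is followed
    # by the PVOID members Address and LastAddress.
    "_IMAGE_ENTRY_IN_SESSION": [None, {
        "Link": [0x00, ["_LIST_ENTRY"]],
        # Legacy two-element type spelling kept as found; the AMD64 table uses
        # the ["Pointer"] form for the same members.
        "Address": [0x08, ["pointer", ["address"]]],
        # Was 0x0b: that is not 4-byte aligned and overlaps the last byte of
        # the 4-byte Address field at 0x08.  0x0c is the next pointer slot,
        # consistent with the member order in the declaration and with the
        # adjacent pointers in the AMD64 entry.  Confirm on a 32-bit image.
        "LastAddress": [0x0c, ["pointer", ["address"]]],
    }],

    # Reversed from tcpip.sys!TcpStartPartitionModule.  The outer Array has no
    # literal length: it is resolved when the object is instantiated from the
    # profile's "PartitionCount" constant, so the count is a callable.  Each
    # element is a pointer to four FIRST_LEVEL_DIR entries.
    "PARTITION_TABLE": [None, {
        "Partitions": [0x04, ["Array", {
            "target": "Pointer",
            "count": lambda obj: obj.obj_profile.get_constant_object(
                "PartitionCount", "unsigned int"),
            "target_args": {
                "target": "Array",
                "target_args": {
                    "count": 4,
                    "target": "FIRST_LEVEL_DIR",
                },
            },
        }]],
    }],

    # ntoskrnl.exe!RtlCreateHashTable.
    # NOTE(review): size and member offsets are identical to the AMD64 entry;
    # a 32-bit build would normally have a more compact layout.  Confirm
    # against a 32-bit ntoskrnl before relying on these offsets.
    "FIRST_LEVEL_DIR": [0x24, {
        "SizeOfSecondLevel": [0x08, ["unsigned int"]],
        "Mask": [0x10, ["unsigned int"]],
        # Reversed from ntoskrnl.exe!RtlpAllocateSecondLevelDir: pointer to an
        # array of _LIST_ENTRY buckets whose length is SizeOfSecondLevel.
        "SecondLevel": [0x20, ["Pointer", {
            "target": "Array",
            "target_args": {
                "count": lambda obj: obj.SizeOfSecondLevel,
                "target": "_LIST_ENTRY",
            },
        }]],
    }],

    # Two _SERVICE_DESCRIPTOR_ENTRY records back to back (2 * 0x10 = 0x20).
    "_SERVICE_DESCRIPTOR_TABLE": [0x20, {
        "Descriptors": [0x00, ["Array", {
            "target": "_SERVICE_DESCRIPTOR_ENTRY",
            "count": 2,
        }]],
    }],

    # Unlike the 64-bit entry, whose KiServiceTable elements are signed RVAs,
    # the elements here are "unsigned int".  The element count is read from
    # the entry's own ServiceLimit member.
    "_SERVICE_DESCRIPTOR_ENTRY": [0x10, {
        "KiServiceTable": [0x00, ["Pointer", {
            "target": "Array",
            "target_args": {
                "count": lambda obj: obj.ServiceLimit,
                "target": "unsigned int",
            },
        }]],
        "CounterBaseTable": [0x04, ["Pointer"]],
        "ServiceLimit": [0x08, ["unsigned long"]],
        "ArgumentTable": [0x0c, ["Pointer"]],
    }],

    # Documented in ./base/ntos/inc/mm.h WRK-v1.2.
    "_UNLOADED_DRIVER": [24, {
        "Name": [0, ["_UNICODE_STRING"]],
        "StartAddress": [8, ["Pointer"]],
        "EndAddress": [12, ["Pointer"]],
        "CurrentTime": [16, ["WinFileTime"]],
    }],
}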
192
193 # TODO: Move to their own profile.
194 # These come from the reactos ndk project.
ENUMS = {
    # KOBJECTS: the enum value is the position of the name in the sequence
    # below, so the string keys "0".."25" are generated rather than spelled
    # out.  Order matters; do not sort or reorder these names.
    "_KOBJECTS": {
        str(value): name for value, name in enumerate((
            "EventNotificationObject",
            "EventSynchronizationObject",
            "MutantObject",
            "ProcessObject",
            "QueueObject",
            "SemaphoreObject",
            "ThreadObject",
            "GateObject",
            "TimerNotificationObject",
            "TimerSynchronizationObject",
            "Spare2Object",
            "Spare3Object",
            "Spare4Object",
            "Spare5Object",
            "Spare6Object",
            "Spare7Object",
            "Spare8Object",
            "Spare9Object",
            "ApcObject",
            "DpcObject",
            "DeviceQueueObject",
            "EventPairObject",
            "InterruptObject",
            "ProfileObject",
            "ThreadedDpcObject",
            "MaximumKernelObject",
        ))
    },
}
225