

  1  # Rekall Memory Forensics 
  2  # Copyright (c) 2008 Volatile Systems 
  3  # Copyright (c) 2008 Brendan Dolan-Gavitt <bdolangavitt@wesleyan.edu> 
  4  # 
  5  # This program is free software; you can redistribute it and/or modify 
  6  # it under the terms of the GNU General Public License as published by 
  7  # the Free Software Foundation; either version 2 of the License, or (at 
  8  # your option) any later version. 
  9  # 
 10  # This program is distributed in the hope that it will be useful, but 
 11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 13  # General Public License for more details. 
 14  # 
 15  # You should have received a copy of the GNU General Public License 
 16  # along with this program; if not, write to the Free Software 
 17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 18  # 
 19   
 20  """ 
 21  @author:       Bradley L Schatz 
 22  @license:      GNU General Public License 2.0 or later 
 23  @contact:      bradley@schatzforensic.com.au 
 24   
  25  This file provides support for Windows Vista. 
 26  """ 
 27   
 28  # pylint: disable=protected-access 
 29   
 30  from rekall.plugins.overlays.windows import common 
 31   
 32   
def _vad_members(with_control_area=False):
    """Return the derived members shared by every Vista VAD flavour.

    _MMVAD_SHORT, _MMVAD and _MMVAD_LONG all carry a 4-byte pool tag
    immediately before the struct (hence the -4 offset) and describe their
    range as virtual page numbers; the lambdas below turn that range into
    byte addresses (VPN << 12, i.e. 4 KiB pages).  Nothing here validates
    the VPNs: they are read straight from the memory image, so a corrupted
    image yields equally corrupted Start/End/Length values.

    Args:
      with_control_area: also expose ``ControlArea`` through the Subsection,
        which only the two long flavours do.

    Returns:
      A fresh dict on every call, so no two overlay entries share state.
    """
    members = {'Tag': [-4, ['String', {'length': 4}]]}
    if with_control_area:
        members['ControlArea'] = lambda x: x.Subsection.ControlArea
    members.update({
        'Start': lambda x: x.StartingVpn << 12,
        'End': lambda x: ((x.EndingVpn + 1) << 12) - 1,
        'Length': lambda x: x.End - x.Start + 1,
        'CommitCharge': lambda x: x.u.VadFlags.CommitCharge,
    })
    return members


# Overlay applied on top of the Vista profile: each entry is
# [struct size or None, {member: definition}].  A definition is either a
# [offset, type-spec] pair or a callable computing a virtual member from
# the struct instance.
vista_overlays = {
    '_EPROCESS': [None, {
        # Symbolic link to the real VAD root.
        'RealVadRoot': lambda x: x.VadRoot.BalancedRoot,
    }],

    '_MMADDRESS_NODE': [None, {
        # Pool tag preceding the node; selects the concrete VAD type.
        'Tag': [-4, ['String', {'length': 4}]],
    }],

    '_MMVAD_SHORT': [None, _vad_members()],

    '_MMVAD': [None, _vad_members(with_control_area=True)],

    '_MMVAD_LONG': [None, _vad_members(with_control_area=True)],

    "_CONTROL_AREA": [None, {
        'FilePointer': [None, ['_EX_FAST_REF', {'target': "_FILE_OBJECT"}]],
    }],

    '_MM_SESSION_SPACE': [None, {
        # Specialized iterator yielding every _IMAGE_ENTRY_IN_SESSION record
        # linked from ImageList.
        'ImageIterator': lambda x: x.ImageList.list_of_type(
            "_IMAGE_ENTRY_IN_SESSION", "Link"),
    }],

    '_IMAGE_ENTRY_IN_SESSION': [None, {
        # The low three bits of Address are flags, not part of the base.
        'ImageBase': lambda x: x.Address.v() & ~7,
    }],
}
 84   
 85   
class _MMADDRESS_NODE(common.VadTraverser):
    """The base of every VAD object in this profile (Win7 per the original author).

    The VAD tree nodes are _MMVAD_SHORT, _MMVAD or _MMVAD_LONG, but each of
    them starts with an _MMADDRESS_NODE holding the LeftChild and RightChild
    members.  Traversal therefore follows _MMADDRESS_NODE links and, at every
    node, creates the concrete _MMVAD type selected by the pool tag stored
    just before the node (the 'Tag' member in vista_overlays).
    """

    # Pool tag -> name of the struct the node really is.  'VadF' shares the
    # short layout and 'Vadm' the long one.
    tag_map = {
        'Vadl': '_MMVAD_LONG',
        'VadS': '_MMVAD_SHORT',
        'Vad ': '_MMVAD',
        'VadF': '_MMVAD_SHORT',
        'Vadm': '_MMVAD_LONG',
    }
103 104
class _ETHREAD(common._ETHREAD):
    """Windows 7 flavour of the _ETHREAD object."""

    def owning_process(self):
        """Return the _EPROCESS that owns this thread.

        The owner is reached through the kernel thread block (Tcb.Process)
        and re-cast as an _EPROCESS.
        """
        kthread = self.Tcb
        return kthread.Process.dereference_as("_EPROCESS")
111 112
def InitializeVistaProfile(profile):
    """Install the Vista overlays, classes and pool constants into *profile*.

    Args:
      profile: the Rekall profile being built; it is mutated in place via
        add_constants / add_overlay / add_classes.
    """
    # Pool allocations are 16-byte aligned on AMD64 and 8-byte aligned
    # everywhere else.
    is_amd64 = profile.metadata("arch") == "AMD64"
    profile.add_constants({'PoolAlignment': 16 if is_amd64 else 8})
    profile.add_overlay(vista_overlays)
    profile.add_classes({
        '_ETHREAD': _ETHREAD,
        '_MMADDRESS_NODE': _MMADDRESS_NODE,
    })
123