
Source Code for Module rekall.plugins.overlays.windows.win10

 1  from rekall.plugins.overlays.windows import win8 
 2   
# Layout of _IMAGE_ENTRY_IN_SESSION on 64-bit Windows 10, recovered from the
# disassembly of nt!MiSessionInsertImage:
#
#   wi10.raw 18:05:45> dis "nt!MiSessionInsertImage"
#          call 0xf8014a9d4e80                      nt!memset
#   ...    or rax, 3    <---- Base address is ORed with 3.
#          mov dword ptr [rbp + 0x3c], 1   <--- ImageCountInThisSession
#          mov qword ptr [rbp + 0x28], rax  <---- Address
#
# The store at [rbp + 0x28] places the image base at offset 0x28. Since the
# low bits are ORed into the value before the store, the field is declared as
# an _EX_FAST_REF rather than a plain Pointer, which is consistent with those
# bits carrying flags rather than address.
win10_undocumented_amd64 = {
    "_IMAGE_ENTRY_IN_SESSION": [None, dict(
        Address=[0x28, ["_EX_FAST_REF"]],
    )],
}
13   
# 32-bit counterpart of the amd64 layout: the image base sits at offset 0x14
# and is declared as a plain Pointer (no low-bit tagging is recorded for
# this architecture).
win10_undocumented_i386 = {
    "_IMAGE_ENTRY_IN_SESSION": [None, dict(
        Address=[0x14, ["Pointer"]],
    )],
}
19   
# Overlays shared by all Windows 10 profiles, applied after the Win8 ones.
win10_overlays = {
    "_MM_SESSION_SPACE": [None, dict(
        # Win10 keeps the session's _IMAGE_ENTRY_IN_SESSION records in an AVL
        # tree (ImageTree) rather than a list, so the iterator walks the tree
        # from its root and yields nodes typed as that struct.
        ImageIterator=lambda session: session.ImageTree.Root.traverse(
            type="_IMAGE_ENTRY_IN_SESSION"),
    )],

    "_UNLOADED_DRIVERS": [None, dict(
        # Decode CurrentTime as a Windows FILETIME.
        CurrentTime=[None, ["WinFileTime"]],
    )],

    "_MI_HARDWARE_STATE": [None, dict(
        # SystemNodeInformation points at an array of
        # _MI_SYSTEM_NODE_INFORMATION whose length is read from the
        # nt!KeNumberNodes constant in the analysed image rather than
        # hard-coded.
        # NOTE(review): the count is taken from the image under analysis, so
        # a corrupted image could supply an unreasonable value; this assumes
        # the Array type bounds its iteration — confirm.
        SystemNodeInformation=[None, ["Pointer", dict(
            target="Array",
            target_args=dict(
                target="_MI_SYSTEM_NODE_INFORMATION",
                count=lambda obj: obj.obj_profile.get_constant_object(
                    "KeNumberNodes", "unsigned int").v(),
            ),
        )]],
    )],
}
43   
44   
def InitializeWindows10Profile(profile):
    """Apply the Windows 10 overlays on top of the Windows 8 profile.

    The Win8 initialisation runs first, so this only adds what changed in
    Win10: the shared ``win10_overlays``, the architecture-specific
    undocumented layouts, and a compatibility overlay for builds that
    predate ``_MI_HARDWARE_STATE``.

    Args:
      profile: the profile being built; mutated in place via add_overlay().
    """
    win8.InitializeWindows8Profile(profile)
    profile.add_overlay(win10_overlays)

    # Any architecture other than AMD64 gets the 32-bit layout.
    is_amd64 = profile.metadata("arch") == "AMD64"
    profile.add_overlay(
        win10_undocumented_amd64 if is_amd64 else win10_undocumented_i386)

    if profile.has_type("_MI_HARDWARE_STATE"):
        return

    # Older Win10 releases keep SystemNodeInformation inside
    # _MI_SYSTEM_INFORMATION; give those builds the same array descriptor,
    # sized from the nt!KeNumberNodes constant of the analysed image.
    node_information = [None, ["Pointer", dict(
        target="Array",
        target_args=dict(
            target="_MI_SYSTEM_NODE_INFORMATION",
            count=lambda obj: obj.obj_profile.get_constant_object(
                "KeNumberNodes", "unsigned int").v(),
        ),
    )]]
    profile.add_overlay({
        "_MI_SYSTEM_INFORMATION": [None, {
            "SystemNodeInformation": node_information,
        }],
    })