
  1  # Rekall Memory Forensics 
  2  # Copyright (C) 2012 Michael Cohen <scudette@users.sourceforge.net> 
  3  # Copyright (c) 2008 Volatile Systems 
  4  # Copyright (c) 2008 Brendan Dolan-Gavitt <bdolangavitt@wesleyan.edu> 
  5  # Copyright 2013 Google Inc. All Rights Reserved. 
  6  # 
  7  # This program is free software; you can redistribute it and/or modify 
  8  # it under the terms of the GNU General Public License as published by 
  9  # the Free Software Foundation; either version 2 of the License, or (at 
 10  # your option) any later version. 
 11  # 
 12  # This program is distributed in the hope that it will be useful, but 
 13  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 14  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 15  # General Public License for more details. 
 16  # 
 17  # You should have received a copy of the GNU General Public License 
 18  # along with this program; if not, write to the Free Software 
 19  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 20  # 
 21   
 22  # pylint: disable=protected-access 
 23   
 24  from rekall import obj 
 25   
 26  from rekall.plugins.overlays.windows import common 
 27  from rekall.plugins.overlays.windows import heap 
 28  from rekall.plugins.overlays.windows import pe_vtypes 
 29  from rekall.plugins.overlays.windows import tokens 
 30   
 31  from rekall.plugins.overlays.windows import xp 
 32  from rekall.plugins.overlays.windows import vista 
 33  from rekall.plugins.overlays.windows import win7 
 34  from rekall.plugins.overlays.windows import win8 
 35  from rekall.plugins.overlays.windows import win10 
 36  from rekall.plugins.overlays.windows import crashdump 
 37  from rekall.plugins.overlays.windows import undocumented 
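class Ntoskrnl(pe_vtypes.BasicPEProfile):
    """A profile for the Windows kernel.

    Initialize() installs the undocumented overlays and the shared Windows
    support, then layers the release-specific overlay (XP through Windows 10)
    selected by GuessVersion().
    """

    @classmethod
    def GuessVersion(cls, profile):
        """Return the Windows version of *profile* as a float (major.minor).

        If the profile carries "major" and "minor" metadata they are used as
        given. Otherwise the version is inferred from structures known to
        exist only in particular releases, and the "version", "major" and
        "minor" metadata are written back onto the profile.

        Note that the structural guess can only yield 5.1, 5.2, 6.1, 6.2,
        6.3 or 10.0: Vista (6.0) is never inferred, so a Vista profile must
        supply major/minor metadata to be recognised as such.

        Args:
          profile: the profile being initialised.

        Raises:
          RuntimeError: if the profile matches none of the known layouts.
        """
        # If the version is provided, then just use it. When the metadata is
        # absent the unpacking or the arithmetic below raises TypeError and we
        # fall through to the structural guess.
        try:
            major, minor = profile.metadatas("major", "minor")
            version = major + minor / 10.0
            profile.set_metadata("version", version)

            return version
        except TypeError:
            pass

        # Rekall is moving away from having features keyed by version, rather we
        # use the profile to dictate the algorithms to use. In future we will
        # remove all requirement to know the windows version, but for now we
        # just guess the version based on structures which are known to exist in
        # the profile.
        version = 5.2

        # Windows XP did not use a BalancedRoot for VADs.
        # NOTE(review): kept as "== None" rather than "is None" in case
        # get_obj_offset() returns a None-like sentinel instead of None itself
        # -- confirm before tightening.
        if profile.get_obj_offset("_MM_AVL_TABLE", "BalancedRoot") == None:
            version = 5.1

        # Windows 7 introduces TypeIndex into the object header.
        if profile.get_obj_offset("_OBJECT_HEADER", "TypeIndex") != None:
            eprocess = profile._EPROCESS()

            # Windows 10 introduces a cookie for object types.
            if profile.get_constant("ObHeaderCookie"):
                version = 10.0

            elif eprocess.m(
                    "VadRoot.BalancedRoot").obj_type == "_MMADDRESS_NODE":
                version = 6.1

            elif eprocess.m("VadRoot").obj_type == "_MM_AVL_TABLE":
                # Windows 8 uses _MM_AVL_NODE as the VAD traversor struct.
                version = 6.2

            elif eprocess.m("VadRoot").obj_type == "_RTL_AVL_TREE":
                # Windows 8.1 and on uses _RTL_AVL_TREE
                version = 6.3

            else:
                raise RuntimeError("Unknown windows version")

        profile.set_metadata("version", version)

        # Split major/minor on the integer-scaled value rather than with
        # divmod(version, 1): the fractional part of e.g. 6.1 is 0.0999...,
        # which int(minor * 10) truncated to 0, so "minor" was wrong for 5.1,
        # 6.1 and 6.3. Both parts are stored as ints, matching the metadata
        # path above.
        major, minor = divmod(int(round(version * 10)), 10)
        profile.set_metadata("minor", minor)
        profile.set_metadata("major", major)

        return version

    @classmethod
    def Initialize(cls, profile):
        """Install the Windows overlays on *profile*.

        Adds the undocumented enums and the architecture-specific overlay,
        marks PAE systems, installs the common kernel, KD debugger, token and
        heap support, and finally the overlay for the release reported by
        GuessVersion().

        Args:
          profile: the profile being initialised.
        """
        super(Ntoskrnl, cls).Initialize(profile)

        profile.add_enums(**undocumented.ENUMS)
        arch = profile.metadata("arch")
        if arch == "AMD64":
            profile.add_overlay(undocumented.AMD64)

        elif arch == "I386":
            profile.add_overlay(undocumented.I386)

        # Detect if this is a PAE system. PAE systems have 64 bit PTEs:
        if profile.get_obj_size("_MMPTE") == 8:
            profile.set_metadata("pae", True)

        # Install the base windows support.
        common.InitializeWindowsProfile(profile)
        crashdump.InstallKDDebuggerProfile(profile)
        tokens.InitializeTokenProfiles(profile)
        heap.InitializeHeapProfile(profile)

        # Get the windows version of this profile and layer the matching
        # overlay. A version outside these ranges (only reachable through
        # supplied metadata) silently gets no release-specific overlay.
        version = cls.GuessVersion(profile)
        if 10 <= version:
            win10.InitializeWindows10Profile(profile)

        elif 6.2 <= version < 10:
            # Windows 8 and 8.1 (6.2 and 6.3) share the same overlay.
            win8.InitializeWindows8Profile(profile)

        elif version == 6.1:
            win7.InitializeWindows7Profile(profile)

        elif version == 6.0:
            vista.InitializeVistaProfile(profile)

        elif 5.1 <= version <= 5.2:
            xp.InitializeXPProfile(profile)

    def GetImageBase(self):
        """Return the kernel image base, caching it on first use.

        When self.image_base is unset (or falsy) it is filled from the
        session's "kernel_base" parameter, converted to an address.
        """
        if not self.image_base:
            self.image_base = obj.Pointer.integer_to_address(
                self.session.GetParameter("kernel_base"))

        return self.image_base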
class Ntkrnlmp(Ntoskrnl):
    """Alias of Ntoskrnl.

    Adds nothing of its own; presumably selected when the kernel image goes
    by this name -- confirm against the profile loader.
    """
class Ntkrnlpa(Ntoskrnl):
    """Alias of Ntoskrnl.

    Adds nothing of its own; presumably selected when the kernel image goes
    by this name -- confirm against the profile loader.
    """
class Ntkrpamp(Ntoskrnl):
    """Alias of Ntoskrnl.

    Adds nothing of its own; presumably selected when the kernel image goes
    by this name -- confirm against the profile loader.
    """
class Nt(Ntoskrnl):
    """Alias of Ntoskrnl.

    Adds nothing of its own; presumably selected when the kernel image goes
    by this name -- confirm against the profile loader.
    """