  1  # Rekall Memory Forensics 
  2  # Copyright (c) 2008 Volatile Systems 
  3  # Copyright (c) 2008 Brendan Dolan-Gavitt <bdolangavitt@wesleyan.edu> 
  4  # Copyright 2013 Google Inc. All Rights Reserved. 
  5  # 
  6  # This program is free software; you can redistribute it and/or modify 
  7  # it under the terms of the GNU General Public License as published by 
  8  # the Free Software Foundation; either version 2 of the License, or (at 
  9  # your option) any later version. 
 10  # 
 11  # This program is distributed in the hope that it will be useful, but 
 12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 14  # General Public License for more details. 
 15  # 
 16  # You should have received a copy of the GNU General Public License 
 17  # along with this program; if not, write to the Free Software 
 18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 19  # 
 20   
 21  """ 
 22  @author:       Brendan Dolan-Gavitt 
 23  @license:      GNU General Public License 2.0 or later 
 24  @contact:      bdolangavitt@wesleyan.edu 
 25   
  26  This file provides support for Windows XP SP2. We provide a profile 
  27  for SP2. 
 28  """ 
 29   
 30  from rekall.plugins.overlays.windows import common 
 31   
 32   
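def _vad_overlay():
    """Return the member overlay shared by the three XP VAD node structs.

    ``_MMVAD_SHORT``, ``_MMVAD`` and ``_MMVAD_LONG`` all expose the same
    derived members, so they are built here once.  A fresh dict is
    returned on every call so the three entries in ``win_xp_overlays``
    never alias each other (the original file used three separate
    literals).
    """
    return {
        # The 4-byte tag is stored at a negative offset, i.e. just before
        # the struct itself.
        'Tag': [-4, ['String', dict(length=4)]],
        # StartingVpn/EndingVpn are page numbers; shifting by 12 turns them
        # into byte addresses (4096-byte pages).  End is inclusive: the
        # last byte of the page numbered EndingVpn.
        'Start': lambda x: x.StartingVpn << 12,
        'End': lambda x: ((x.EndingVpn + 1) << 12) - 1,
        'Length': lambda x: x.End - x.Start + 1,
        'CommitCharge': lambda x: x.u.VadFlags.CommitCharge,
    }


# Windows XP specific overlays, applied on top of the base profile by
# InitializeXPProfile.  Each entry is ``name: [size, {member: [offset,
# [type, args]] | callable}]``; a ``None`` size/offset keeps the value
# the profile already has, and a callable becomes a derived member.
win_xp_overlays = {
    '_EPROCESS': [None, {
        'VadRoot': [None, ['pointer', ['_MMVAD']]],
        'RealVadRoot': lambda x: x.VadRoot.dereference(),
    }],

    # The three VAD node flavours share the same derived members.
    '_MMVAD_SHORT': [None, _vad_overlay()],
    '_MMVAD': [None, _vad_overlay()],
    '_MMVAD_LONG': [None, _vad_overlay()],

    # This is not documented in Windows XP but is in Windows 7.
    # Both members start at offset 0, so they overlay each other.
    "_OBJECT_HEADER_HANDLE_INFO": [16, {
        "HandleCountDataBase": [0, ["Pointer", {
            "target": "_OBJECT_HANDLE_COUNT_DATABASE"
            }]],
        "SingleEntry": [0, ["_OBJECT_HANDLE_COUNT_ENTRY", {}]]
    }],

    # 16-byte entry: a process pointer at 0 followed by an unsigned long at
    # 8 whose low 24 bits are the handle count (no start_bit is given, so
    # presumably 0) and whose bits 24..32 are the lock count.
    "_OBJECT_HANDLE_COUNT_ENTRY": [16, {
        "HandleCount": [8, ["BitField", {
            "end_bit": 24,
            "target": "unsigned long"
            }]],
        "LockCount": [8, ["BitField", {
            "end_bit": 32,
            "start_bit": 24,
            "target": "unsigned long"
            }]],
        "Process": [0, ["Pointer", {
            "target": "_EPROCESS"
            }]]
        }],

    '_MM_SESSION_SPACE': [None, {
        # Specialized iterator to produce all the _IMAGE_ENTRY_IN_SESSION
        # records, walking ImageList through the entries' "Link" member.
        'ImageIterator': lambda x: x.ImageList.list_of_type(
            "_IMAGE_ENTRY_IN_SESSION", "Link")
    }],

    '_IMAGE_ENTRY_IN_SESSION': [None, {
        # Plain integer value of the Address member.
        'ImageBase': lambda x: x.Address.v()
    }],

    "_SECTION_OBJECT": [None, {
        "Segment": [None, ["Pointer", dict(target="_SEGMENT")]]
    }],
}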
102   
103   
class _MMVAD(common.VadTraverser):
    """Windows XP uses the _MMVAD struct itself as a traversor.

    i.e. The _MMVAD contains the LeftChild and RightChild, so no separate
    node wrapper is needed to walk the VAD tree.  The traversal logic is
    presumably supplied by common.VadTraverser; this subclass adds no
    members of its own and is registered on the profile by
    InitializeXPProfile under the name ``_MMVAD``.
    """
def InitializeXPProfile(profile):
    """Apply the Windows XP overlays and helper classes to ``profile``.

    Args:
        profile: the profile being initialised.  It must expose
            ``metadata``, ``add_constants``, ``add_overlay`` and
            ``add_classes``.

    Returns:
        None; the profile is mutated in place.
    """
    # PoolAlignment is 16 for AMD64 profiles and 8 for every other value
    # of the "arch" metadata (including a missing one).
    is_amd64 = profile.metadata("arch") == "AMD64"
    profile.add_constants(dict(PoolAlignment=16 if is_amd64 else 8))

    profile.add_overlay(win_xp_overlays)
    profile.add_classes(dict(_MMVAD=_MMVAD))