rekall.plugins.windows.gui.clipboard

29 """Extract the contents of the windows clipboard""" 30 31 __name = "clipboard" 32 33 table_header = [ 34 dict(name="session", width=10), 35 dict(name="window_station", width=12), 36 dict(name="format", width=18), 37 dict(name="handle", style="address"), 38 dict(name="object", style="address"), 39 dict(name="data", width=50), 40 dict(name="hexdump", hidden=True), 41 ] 42

43 - def calculate(self):

44 session_plugin = self.session.plugins.sessions() 45 46 # Dictionary of MM_SESSION_SPACEs by ID 47 sessions = dict((int(session.SessionId), session) 48 for session in session_plugin.session_spaces()) 49 50 # Dictionary of session USER objects by handle 51 session_handles = {} 52 53 # If various objects cannot be found or associated, 54 # we'll return none objects 55 e0 = obj.NoneObject("Unknown tagCLIPDATA") 56 e1 = obj.NoneObject("Unknown tagWINDOWSTATION") 57 e2 = obj.NoneObject("Unknown tagCLIP") 58 59 # Load tagCLIPDATA handles from all sessions 60 for sid, session in sessions.items(): 61 handles = {} 62 shared_info = self.win32k_profile.get_constant_object( 63 "gSharedInfo", 64 target="tagSHAREDINFO", 65 vm=session.obj_vm) 66 if not shared_info: 67 self.session.logging.debug( 68 "No shared info for session {0}".format(sid)) 69 continue 70 71 for handle in shared_info.aheList: 72 if handle.bType != "TYPE_CLIPDATA": 73 continue 74 75 handles[int(handle.phead.h)] = handle 76 77 session_handles[sid] = handles 78 79 # Scan for Each WindowStation 80 windowstations_plugin = self.session.plugins.wndscan() 81 82 for wndsta, station_as in windowstations_plugin.generate_hits(): 83 session = sessions.get(int(wndsta.dwSessionId), None) 84 # The session is unknown 85 if not session: 86 continue 87 88 handles = session_handles.get(int(session.SessionId), None) 89 # No handles in the session 90 if not handles: 91 continue 92 93 clip_array = wndsta.pClipBase.dereference(vm=station_as) 94 # The tagCLIP array is empty or the pointer is invalid 95 if not clip_array: 96 continue 97 98 # Resolve tagCLIPDATA from tagCLIP.hData 99 for clip in clip_array: 100 handle = handles.get(int(clip.hData), e0) 101 # Remove this handle from the list 102 if handle: 103 handles.pop(int(clip.hData)) 104 105 yield session, wndsta, clip, handle 106 107 # Any remaining tagCLIPDATA not matched. This allows us 108 # to still find clipboard data if a window station is not 109 # found or if pClipData or cNumClipFormats were corrupt 110 for sid in sessions.keys(): 111 handles = session_handles.get(sid, None) 112 # No handles in the session 113 if not handles: 114 continue 115 116 for handle in handles.values(): 117 yield sessions[sid], e1, e2, handle

118

119 - def collect(self):

120 for session, wndsta, clip, handle in self.calculate(): 121 # If no tagCLIP is provided, we do not know the format 122 if not clip: 123 fmt = obj.NoneObject("Format unknown") 124 else: 125 # Try to get the format name, but failing that, print 126 # the format number in hex instead. 127 if clip.fmt.v() in constants.CLIPBOARD_FORMAT_ENUM: 128 fmt = str(clip.fmt) 129 else: 130 fmt = hex(clip.fmt.v()) 131 132 # Try to get the handle from tagCLIP first, but 133 # fall back to using _HANDLEENTRY.phead. Note: this can 134 # be a value like DUMMY_TEXT_HANDLE (1) etc. 135 handle_value = clip.hData or handle.phead.h 136 137 clip_data = "" 138 if handle and "TEXT" in fmt: 139 clip_data = handle.reference_object().as_string(fmt) 140 141 print handle 142 143 yield dict(session=session.SessionId, 144 window_station=wndsta.Name, 145 format=fmt, 146 handle=handle_value, 147 object=handle.phead.v(), 148 data=clip_data, 149 hexdump=handle.reference_object().as_hex())

Source Code for Module rekall.plugins.windows.gui.clipboard