

  1  # Rekall Memory Forensics 
  2  # Copyright (C) 2007,2008 Volatile Systems 
  3  # Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.ligh@mnin.org> 
  4  # Copyright (C) 2009 Brendan Dolan-Gavitt 
  5  # 
  6  # This program is free software; you can redistribute it and/or modify 
  7  # it under the terms of the GNU General Public License as published by 
  8  # the Free Software Foundation; either version 2 of the License, or (at 
  9  # your option) any later version. 
 10  # 
 11  # This program is distributed in the hope that it will be useful, but 
 12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 14  # General Public License for more details. 
 15  # 
 16  # You should have received a copy of the GNU General Public License 
 17  # along with this program; if not, write to the Free Software 
 18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 19  # 
 20   
 21  import copy 
 22   
 23  from rekall_lib import utils 
 24   
 25  # Windows assigns several atom IDs by default, but doesn't include 
 26  # them in the local or global atom tables. Thus when we perform a 
 27  # lookup, we don't want to exclude these default atoms, so we create 
 28  # a fake atom structure and assign the values as needed. The search 
 29  # algorithm will then check the default atoms before moving onto the 
 30  # atoms found in local/global tables. 
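class FakeAtom(object):
    """Placeholder for an atom that Windows assigns but never stores in a table.

    Only the ``Name`` attribute is populated, so an instance can stand in for
    a real atom table entry when a lookup hits one of the default atom ids
    listed in ``DEFAULT_ATOMS``.
    """

    def __init__(self, name):
        self.Name = name

    def __repr__(self):
        # Without this a placeholder prints as a bare object address, which is
        # useless when a decoded table is dumped for inspection.
        return "%s(%r)" % (type(self).__name__, self.Name)


# Default atom ids 0x8000-0x8006 (note: no 0x8005 entry here), consulted before
# the local/global atom tables.
DEFAULT_ATOMS = {
    0x8000: FakeAtom("PopupMenu (Default)"),
    0x8001: FakeAtom("Desktop (Default)"),
    0x8002: FakeAtom("Dialog (Default)"),
    0x8003: FakeAtom("WinSwitch (Default)"),
    0x8004: FakeAtom("IconTitle (Default)"),
    0x8006: FakeAtom("ToolTip (Default)"),
}

# Window style bits (winuser.h WS_*).  The Python 2-only ``L`` suffix has been
# dropped: the values are identical under 2.7 and required to parse under 3.
#
# Several names share one value, exactly as winuser.h defines them
# (WS_MINIMIZEBOX == WS_GROUP, WS_MAXIMIZEBOX == WS_TABSTOP, and WS_CAPTION is
# WS_BORDER | WS_DLGFRAME).  WS_OVERLAPPED is 0.  Consequently a value->name
# reverse lookup over this dict is ambiguous, and a zero-valued style can never
# be detected by a bit test; decoders should only ever go name->mask.
WINDOW_STYLES = dict(
    WS_OVERLAPPED=0x00000000,
    WS_POPUP=0x80000000,
    WS_CHILD=0x40000000,
    WS_MINIMIZE=0x20000000,
    WS_VISIBLE=0x10000000,
    WS_DISABLED=0x08000000,
    WS_CLIPSIBLINGS=0x04000000,
    WS_CLIPCHILDREN=0x02000000,
    WS_MAXIMIZE=0x01000000,
    WS_CAPTION=0x00C00000,       # WS_BORDER | WS_DLGFRAME
    WS_BORDER=0x00800000,
    WS_DLGFRAME=0x00400000,
    WS_VSCROLL=0x00200000,
    WS_HSCROLL=0x00100000,
    WS_SYSMENU=0x00080000,
    WS_THICKFRAME=0x00040000,
    WS_GROUP=0x00020000,
    WS_TABSTOP=0x00010000,
    WS_MINIMIZEBOX=0x00020000,   # same bit as WS_GROUP
    WS_MAXIMIZEBOX=0x00010000,   # same bit as WS_TABSTOP
)

# Extended window style bits (winuser.h WS_EX_*).  WS_EX_LEFT, WS_EX_LTRREADING
# and WS_EX_RIGHTSCROLLBAR are all 0: they name the *absence* of the
# corresponding RIGHT/RTLREADING/LEFTSCROLLBAR bit and cannot be matched by a
# bit test.
WINDOW_STYLES_EX = dict(
    WS_EX_DLGMODALFRAME=0x00000001,
    WS_EX_NOPARENTNOTIFY=0x00000004,
    WS_EX_TOPMOST=0x00000008,
    WS_EX_ACCEPTFILES=0x00000010,
    WS_EX_TRANSPARENT=0x00000020,
    WS_EX_MDICHILD=0x00000040,
    WS_EX_TOOLWINDOW=0x00000080,
    WS_EX_WINDOWEDGE=0x00000100,
    WS_EX_CLIENTEDGE=0x00000200,
    WS_EX_CONTEXTHELP=0x00000400,
    WS_EX_RIGHT=0x00001000,
    WS_EX_LEFT=0x00000000,
    WS_EX_RTLREADING=0x00002000,
    WS_EX_LTRREADING=0x00000000,
    WS_EX_LEFTSCROLLBAR=0x00004000,
    WS_EX_RIGHTSCROLLBAR=0x00000000,
    WS_EX_CONTROLPARENT=0x00010000,
    WS_EX_STATICEDGE=0x00020000,
    WS_EX_APPWINDOW=0x00040000,
)

# These are message types in the order that they appear in the aphkStart array.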
# Each entry is (WH_* hook name, WH_* hook id as defined in winuser.h).  The
# ids run -1, 0, 1, ... 14 in list order, so the list position is significant
# and the entries must not be reordered.
MESSAGE_TYPES = [
    ("WH_MSGFILTER", -1),
    ("WH_JOURNALRECORD", 0),
    ("WH_JOURNALPLAYBACK", 1),
    ("WH_KEYBOARD", 2),
    ("WH_GETMESSAGE", 3),
    ("WH_CALLWNDPROC", 4),
    ("WH_CBT", 5),
    ("WH_SYSMSGFILTER", 6),
    ("WH_MOUSE", 7),
    ("WH_HARDWARE", 8),
    ("WH_DEBUG", 9),
    ("WH_SHELL", 10),
    ("WH_FOREGROUNDIDLE", 11),
    ("WH_CALLWNDPROCRET", 12),
    ("WH_KEYBOARD_LL", 13),
    ("WH_MOUSE_LL", 14),
]

# Hook flags.  The values are bit *positions*, not masks; the equivalent mask
# is given in the comment (position 0 -> 0x0001, 1 -> 0x0002, ...).  Bit
# positions 2 and 5 have no name here.
# See http://forum.sysinternals.com/enumerate-windows-hooks_topic23877_post124845.html
HOOK_FLAGS = {
    "HF_GLOBAL": 0,        # 0x0001  Global hooks (for all threads on desktop)
    "HF_ANSI": 1,          # 0x0002  Uses Ansi strings instead of Unicode
    "HF_HUNG": 3,          # 0x0008  The hook procedure is hung
    "HF_HOOKFAULTED": 4,   # 0x0010  The hook procedure caused some fault
    "HF_WX86KNOWNDLL": 6,  # 0x0040  Hook Module is x86 machine type
    "HF_DESTROYED": 7,     # 0x0080  The object is destroyed (set by FreeHook)
    "HF_INCHECKWHF": 8,    # 0x0100  The fsHooks is currently being updated
    "HF_FREED": 9,         # 0x0200  The object is freed
}

# dwflags parameter to SetWinEventHook, keyed by mask.  WINEVENT_OUTOFCONTEXT
# (0x0000) is left out: a zero mask can never be picked out by a bit test, so
# it is implied whenever none of the bits below is set.
EVENT_FLAGS = {
    0x0001: "WINEVENT_SKIPOWNTHREAD",
    0x0002: "WINEVENT_SKIPOWNPROCESS",
    0x0004: "WINEVENT_INCONTEXT",
}

# The eventMin and eventMax parameters to SetWinEventHook.
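# WinEvent ids, keyed by value.  0x0001 is both EVENT_MIN and
# EVENT_SYSTEM_SOUND in the Windows headers; a dict holds one name per key, so
# the EVENT_MIN name is the one kept and EVENT_SYSTEM_SOUND is listed only in
# a comment.
EVENT_ID_ENUM = {
    0x00000001: 'EVENT_MIN',
    0x7FFFFFFF: 'EVENT_MAX',
    # 0x0001: 'EVENT_SYSTEM_SOUND'  -- same key as EVENT_MIN, see above.
    0x0002: 'EVENT_SYSTEM_ALERT',
    0x0003: 'EVENT_SYSTEM_FOREGROUND',
    0x0004: 'EVENT_SYSTEM_MENUSTART',
    0x0005: 'EVENT_SYSTEM_MENUEND',
    0x0006: 'EVENT_SYSTEM_MENUPOPUPSTART',
    0x0007: 'EVENT_SYSTEM_MENUPOPUPEND',
    0x0008: 'EVENT_SYSTEM_CAPTURESTART',
    0x0009: 'EVENT_SYSTEM_CAPTUREEND',
    0x000A: 'EVENT_SYSTEM_MOVESIZESTART',
    0x000B: 'EVENT_SYSTEM_MOVESIZEEND',
    0x000C: 'EVENT_SYSTEM_CONTEXTHELPSTART',
    0x000D: 'EVENT_SYSTEM_CONTEXTHELPEND',
    0x000E: 'EVENT_SYSTEM_DRAGDROPSTART',
    0x000F: 'EVENT_SYSTEM_DRAGDROPEND',
    0x0010: 'EVENT_SYSTEM_DIALOGSTART',
    0x0011: 'EVENT_SYSTEM_DIALOGEND',
    0x0012: 'EVENT_SYSTEM_SCROLLINGSTART',
    0x0013: 'EVENT_SYSTEM_SCROLLINGEND',
    0x0014: 'EVENT_SYSTEM_SWITCHSTART',
    0x0015: 'EVENT_SYSTEM_SWITCHEND',
    0x0016: 'EVENT_SYSTEM_MINIMIZESTART',
    0x0017: 'EVENT_SYSTEM_MINIMIZEEND',
    0x0020: 'EVENT_SYSTEM_DESKTOPSWITCH',
    0x00FF: 'EVENT_SYSTEM_END',
    0x0101: 'EVENT_OEM_DEFINED_START',
    0x01FF: 'EVENT_OEM_DEFINED_END',
    0x4E00: 'EVENT_UIA_EVENTID_START',
    0x4EFF: 'EVENT_UIA_EVENTID_END',
    0x7500: 'EVENT_UIA_PROPID_START',
    0x75FF: 'EVENT_UIA_PROPID_END',
    0x4001: 'EVENT_CONSOLE_CARET',
    0x4002: 'EVENT_CONSOLE_UPDATE_REGION',
    0x4003: 'EVENT_CONSOLE_UPDATE_SIMPLE',
    0x4004: 'EVENT_CONSOLE_UPDATE_SCROLL',
    0x4005: 'EVENT_CONSOLE_LAYOUT',
    0x4006: 'EVENT_CONSOLE_START_APPLICATION',
    0x4007: 'EVENT_CONSOLE_END_APPLICATION',
    0x40FF: 'EVENT_CONSOLE_END',
    0x8000: 'EVENT_OBJECT_CREATE',
    0x8001: 'EVENT_OBJECT_DESTROY',
    0x8002: 'EVENT_OBJECT_SHOW',
    0x8003: 'EVENT_OBJECT_HIDE',
    0x8004: 'EVENT_OBJECT_REORDER',
    0x8005: 'EVENT_OBJECT_FOCUS',
    0x8006: 'EVENT_OBJECT_SELECTION',
    0x8007: 'EVENT_OBJECT_SELECTIONADD',
    0x8008: 'EVENT_OBJECT_SELECTIONREMOVE',
    0x8009: 'EVENT_OBJECT_SELECTIONWITHIN',
    0x800A: 'EVENT_OBJECT_STATECHANGE',
    0x800B: 'EVENT_OBJECT_LOCATIONCHANGE',
    0x800C: 'EVENT_OBJECT_NAMECHANGE',
    0x800D: 'EVENT_OBJECT_DESCRIPTIONCHANGE',
    0x800E: 'EVENT_OBJECT_VALUECHANGE',
    0x800F: 'EVENT_OBJECT_PARENTCHANGE',
    0x8010: 'EVENT_OBJECT_HELPCHANGE',
    0x8011: 'EVENT_OBJECT_DEFACTIONCHANGE',
    0x8012: 'EVENT_OBJECT_ACCELERATORCHANGE',
    0x8013: 'EVENT_OBJECT_INVOKED',
    0x8014: 'EVENT_OBJECT_TEXTSELECTIONCHANGED',
}

# USER object types (HANDLEENTRY.bType) on XP/2003/Vista/2008.
# Ref (8/17/2011): https://www.reactos.org/wiki/Techwiki:Win32k/HANDLEENTRY
#
# The table is written name->value for readability and then inverted, so the
# resulting dict maps the bType value to its name (HANDLE_TYPE_ENUM_SEVEN below
# relies on the integer keys).  The file previously defined this table twice,
# back to back; the dead first copy (whose only difference was a typo in the
# TYPE_CTYPES comment) has been dropped.
HANDLE_TYPE_ENUM = utils.Invert(dict(
    TYPE_FREE=0,           # must be zero!
    TYPE_WINDOW=1,         # in order of use for C code lookups
    TYPE_MENU=2,
    TYPE_CURSOR=3,
    TYPE_SETWINDOWPOS=4,   # HDWP
    TYPE_HOOK=5,
    TYPE_CLIPDATA=6,       # clipboard data
    TYPE_CALLPROC=7,
    TYPE_ACCELTABLE=8,
    TYPE_DDEACCESS=9,      # tagSVR_INSTANCE_INFO
    TYPE_DDECONV=10,
    TYPE_DDEXACT=11,       # DDE transaction tracking info.
    TYPE_MONITOR=12,
    TYPE_KBDLAYOUT=13,     # Keyboard Layout handle (HKL) object.
    TYPE_KBDFILE=14,       # Keyboard Layout file object.
    TYPE_WINEVENTHOOK=15,  # WinEvent hook (EVENTHOOK)
    TYPE_TIMER=16,
    TYPE_INPUTCONTEXT=17,  # Input Context info structure
    TYPE_HIDDATA=18,
    TYPE_DEVICEINFO=19,
    TYPE_TOUCHINPUT=20,    # 'Ustz' W7U sym tagTOUCHINPUTINFO
    TYPE_GESTUREINFO=21,   # 'Usgi'
    TYPE_CTYPES=22,        # Count of TYPEs; Must be LAST + 1
    TYPE_GENERIC=255,      # used for generic handle validation
))

# USER objects for Windows 7: identical to the table above except that types
# 20 and 21 carry different names, so the table is copied and patched rather
# than duplicated.  copy.copy is sufficient because the values are plain
# strings.
HANDLE_TYPE_ENUM_SEVEN = copy.copy(HANDLE_TYPE_ENUM)
HANDLE_TYPE_ENUM_SEVEN[20] = 'TYPE_TOUCH'
HANDLE_TYPE_ENUM_SEVEN[21] = 'TYPE_GESTURE'

# Clipboard format types, keyed by format id.  Only concrete formats are
# listed; the CF_PRIVATE* / CF_GDIOBJ* values are range markers, not formats,
# and are kept out so an id inside those ranges is reported as unknown rather
# than mislabelled.
CLIPBOARD_FORMAT_ENUM = {
    1: 'CF_TEXT',
    2: 'CF_BITMAP',
    3: 'CF_METAFILEPICT',
    4: 'CF_SYLK',
    5: 'CF_DIF',
    6: 'CF_TIFF',
    7: 'CF_OEMTEXT',
    8: 'CF_DIB',
    9: 'CF_PALETTE',
    10: 'CF_PENDATA',
    11: 'CF_RIFF',
    12: 'CF_WAVE',
    13: 'CF_UNICODETEXT',
    14: 'CF_ENHMETAFILE',
    15: 'CF_HDROP',
    16: 'CF_LOCALE',
    17: 'CF_DIBV5',
    0x80: 'CF_OWNERDISPLAY',
    0x81: 'CF_DSPTEXT',
    0x82: 'CF_DSPBITMAP',
    0x83: 'CF_DSPMETAFILEPICT',
    0x8E: 'CF_DSPENHMETAFILE',
    ## The following are ranges, not actual formats
    #0x200: 'CF_PRIVATEFIRST',
    #0x2FF: 'CF_PRIVATELAST',
    #0x300: 'CF_GDIOBJFIRST',
    #0x3FF: 'CF_GDIOBJLAST',
}

# Flags for timer objects.  As with HOOK_FLAGS the values are bit positions;
# the matching mask is in the comment.
TIMER_FLAGS = dict(
    TMRF_READY=0,      # 0x0001
    TMRF_SYSTEM=1,     # 0x0002
    TMRF_RIT=2,        # 0x0004
    TMRF_INIT=3,       # 0x0008
    TMRF_ONESHOT=4,    # 0x0010
    TMRF_WAITING=5,    # 0x0020
    TMRF_TIFROMWND=6,  # 0x0040
)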