
Source Code for Module rekall.plugins.windows.gui.vtypes.win7

  1  # Rekall Memory Forensics 
  2  # Copyright (C) 2007,2008 Volatile Systems 
  3  # Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.ligh@mnin.org> 
  4  # Copyright 2013 Google Inc. All Rights Reserved. 
  5  # 
  6  # This program is free software; you can redistribute it and/or modify 
  7  # it under the terms of the GNU General Public License as published by 
  8  # the Free Software Foundation; either version 2 of the License, or (at 
  9  # your option) any later version. 
 10  # 
 11  # This program is distributed in the hope that it will be useful, but 
 12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 14  # General Public License for more details. 
 15  # 
 16  # You should have received a copy of the GNU General Public License 
 17  # along with this program; if not, write to the Free Software 
 18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 19  # 
 20   
 21  import logging 
 22   
 23   
 24  from rekall import obj 
 25  from rekall.plugins.windows.gui import constants 
 26  from rekall.plugins.windows.gui import win32k_core 
 27   
 28  from rekall.plugins.windows.gui.vtypes import win7_sp0_x64_vtypes_gui 
 29  from rekall.plugins.windows.gui.vtypes import win7_sp1_x64_vtypes_gui 
 30  from rekall.plugins.windows.gui.vtypes import win7_sp0_x86_vtypes_gui 
 31  from rekall.plugins.windows.gui.vtypes import win7_sp1_x86_vtypes_gui 
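class _MM_SESSION_SPACE(win32k_core._MM_SESSION_SPACE):
    """A class for session spaces on Windows 7"""

    def find_shared_info(self):
        """Locate win32k!gSharedInfo on Windows 7.

        The way we find win32k!gSharedInfo on Windows 7 is different than
        before. For each DWORD in the win32k.sys module's .data section
        (DWORD-aligned) we check if it is the HeEntrySize member of a
        possible tagSHAREDINFO structure. This should equal the size of a
        _HANDLEENTRY.

        The HeEntrySize member didn't exist before Windows 7, thus the need
        for separate methods.

        Returns:
          The first tagSHAREDINFO candidate whose is_valid() check passes,
          or a NoneObject when nothing in the .data section validates.
        """
        handle_table_size = self.obj_profile.get_obj_size("_HANDLEENTRY")

        handle_entry_offset = self.obj_profile.get_obj_offset(
            "tagSHAREDINFO", "HeEntrySize")

        # NOTE: a leftover `import pdb; pdb.set_trace()` used to sit here;
        # it stopped every scan at an interactive breakpoint (and blocks
        # forever on a non-interactive run), so it has been removed.
        for chunk in self._section_chunks(".data"):
            # Only a DWORD equal to sizeof(_HANDLEENTRY) can be HeEntrySize.
            if chunk != handle_table_size:
                continue

            # Step back from the candidate HeEntrySize field to the start of
            # the enclosing tagSHAREDINFO and let the struct validate itself.
            shared_info = self.obj_profile.tagSHAREDINFO(
                offset=chunk.obj_offset - handle_entry_offset,
                vm=self.obj_vm)

            if shared_info.is_valid():
                return shared_info

        return obj.NoneObject("Cannot find win32k!gSharedInfo")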
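class tagSHAREDINFO(win32k_core.tagSHAREDINFO):
    """A class for shared info blocks on Windows 7"""

    def is_valid(self):
        """Sanity checks for tagSHAREDINFO.

        Returns:
          True only when the base-class checks pass, ulSharedDelta is zero,
          the psi pointer validates, and the handle table size divided by
          HeEntrySize equals the advertised number of handle entries.
        """
        if not super(tagSHAREDINFO, self).is_valid():
            return False

        if self.ulSharedDelta != 0:
            return False

        if not self.psi.is_valid():
            return False

        # HeEntrySize is read straight out of the memory image. A zero value
        # on a corrupt or unrelated candidate previously raised
        # ZeroDivisionError from the division below; treat it as invalid
        # instead so the scan simply moves on to the next candidate.
        if self.HeEntrySize == 0:
            return False

        return (self.psi.cbHandleTable / self.HeEntrySize ==
                self.psi.cHandleEntries)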
86
class Win32GUIWin7(obj.ProfileModification):
    """Installs the win7 specific profiles for the GUI modules."""

    @staticmethod
    def _select_win32k_types(build, version, sp0_types, sp1_types):
        """Pick the per-build win32k vtypes, falling back to SP1.

        Args:
          build: The profile's "build" metadata (7600 = SP0, 7601 = SP1).
          version: The "major.minor" string used in the fallback warning.
          sp0_types: The vtypes dict to use for build 7600.
          sp1_types: The vtypes dict to use for build 7601 and as fallback.

        Returns:
          The selected vtypes dict.
        """
        if build == 7600:
            return sp0_types
        if build == 7601:
            return sp1_types

        logging.warning("Unsupported version %s, will use win7sp1",
                        version)
        return sp1_types

    @classmethod
    def modify(cls, profile):
        """Apply the Windows 7 GUI overlays and object classes to *profile*.

        The "arch" metadata selects the x64 or x86 tagTIMER layout and the
        matching per-build win32k vtypes; unknown builds fall back to the
        SP1 definitions with a warning. The architecture-independent
        overlays (tagHOOK, _HANDLEENTRY, tagWINDOWSTATION, tagCLIP) and the
        session-space / shared-info classes are installed afterwards.

        Args:
          profile: The profile being modified.

        Returns:
          The same profile object.
        """
        version = ".".join(profile.metadatas('major', 'minor'))
        build = profile.metadata("build", 7601)
        architecture = profile.metadata("arch")

        if architecture == "AMD64":
            # http://doxygen.reactos.org/d5/dd0/timer_8h_source.html#l00019
            timer_x64 = {
                'tagTIMER': [None, {
                    'head': [0x00, ['_HEAD']],
                    'ListEntry': [0x18, ['_LIST_ENTRY']],
                    'spwnd': [0x28, ['pointer', ['tagWND']]],
                    'pti': [0x30, ['pointer', ['tagTHREADINFO']]],
                    'nID': [0x38, ['unsigned short']],
                    'cmsCountdown': [0x40, ['unsigned int']],
                    'cmsRate': [0x44, ['unsigned int']],
                    'flags': [0x48, ['Flags', dict(
                        bitmap=constants.TIMER_FLAGS)]],
                    'pfn': [0x50, ['pointer', ['void']]],
                }]}
            profile.add_overlay(timer_x64)

            profile.add_overlay(cls._select_win32k_types(
                build, version,
                win7_sp0_x64_vtypes_gui.win32k_types,
                win7_sp1_x64_vtypes_gui.win32k_types))

        elif architecture == "I386":
            # http://doxygen.reactos.org/d5/dd0/timer_8h_source.html#l00019
            # Note: on x86 the layout replaces the vtype outright
            # (vtypes.update) rather than being overlaid.
            timer_x86 = {
                'tagTIMER': [None, {
                    'ListEntry': [0xc, ['_LIST_ENTRY']],
                    'pti': [0x18, ['pointer', ['tagTHREADINFO']]],
                    # Offset marked "??" by the original author - unverified.
                    'spwnd': [0x14, ['pointer', ['tagWND']]],
                    'nID': [0x1C, ['unsigned short']],
                    'cmsCountdown': [0x20, ['unsigned int']],
                    'cmsRate': [0x24, ['unsigned int']],
                    'flags': [0x28, ['Flags', dict(
                        bitmap=constants.TIMER_FLAGS)]],
                    'pfn': [0x2C, ['pointer', ['void']]],
                }]}
            profile.vtypes.update(timer_x86)

            profile.add_overlay(cls._select_win32k_types(
                build, version,
                win7_sp0_x86_vtypes_gui.win32k_types,
                win7_sp1_x86_vtypes_gui.win32k_types))

        # Overlays shared by both architectures.
        hook_overlay = {
            'flags': [None, ['Flags', dict(
                bitmap=constants.HOOK_FLAGS
            )]],
        }
        handle_entry_overlay = {
            'bType': [None, ['Enumeration', dict(
                target='unsigned char',
                choices=constants.HANDLE_TYPE_ENUM_SEVEN
            )]],
        }
        # The clipboard array length comes from the owning window station.
        window_station_overlay = {
            'pClipBase': [None, ['Pointer', dict(
                target="Array",
                target_args=dict(
                    count=lambda x: x.cNumClipFormats,
                    target='tagCLIP'
                ),
            )]],
        }
        clip_overlay = {
            'fmt': [None, ['Enumeration', dict(
                target='unsigned long',
                choices=constants.CLIPBOARD_FORMAT_ENUM
            )]],
        }
        profile.add_overlay({
            'tagHOOK': [None, hook_overlay],
            '_HANDLEENTRY': [None, handle_entry_overlay],
            'tagWINDOWSTATION': [None, window_station_overlay],
            'tagCLIP': [None, clip_overlay],
        })

        profile.add_classes({
            '_MM_SESSION_SPACE': _MM_SESSION_SPACE,
            'tagSHAREDINFO': tagSHAREDINFO,
        })

        return profile