
  1  # Rekall Memory Forensics 
  2  # Copyright (C) 2007,2008 Volatile Systems 
  3  # Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.ligh@mnin.org> 
  4  # Copyright 2013 Google Inc. All Rights Reserved. 
  5  # 
  6  # This program is free software; you can redistribute it and/or modify 
  7  # it under the terms of the GNU General Public License as published by 
  8  # the Free Software Foundation; either version 2 of the License, or (at 
  9  # your option) any later version. 
 10  # 
 11  # This program is distributed in the hope that it will be useful, but 
 12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 14  # General Public License for more details. 
 15  # 
 16  # You should have received a copy of the GNU General Public License 
 17  # along with this program; if not, write to the Free Software 
 18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 19  # 
 20   
"""Most of the following structures are actually documented in Windows 7
onwards, but are not documented in Windows XP.
 23   
For structs that did not change between Windows XP and Windows 7 we can
simply reuse the Win7 definitions, but some did change, so the following
still have to be hard-coded.
 27   
 28  Ideally we should use generate_types here. 
 29  """ 
 30   
 31  from rekall.plugins.windows.gui import constants 
 32   
 33   
# Layout tables for the 32-bit Windows XP win32k GUI structures.
#
# Each entry has the form  name: [size, {member: [offset, [type, args...]]}]
# The first element is the structure size in bytes (None where only member
# offsets are given); each member maps its byte offset to a type description.
# Only a subset of the real members is listed, so offsets are sparse and are
# not always in ascending order.  The values are hard-coded because XP ships
# no public symbols for these structures (see the module docstring); the
# 64-bit table below mirrors the same structure names.
vtypes_xp_32 = {
    # Window station: session id, sibling/desktop list links and the
    # clipboard state (opener/viewer/owner windows plus the format table).
    'tagWINDOWSTATION' : [0x5C, {
        'dwSessionId' : [0x0, ['unsigned long']],
        'rpwinstaNext' : [0x4, ['pointer', ['tagWINDOWSTATION']]],
        'rpdeskList' : [0x8, ['pointer', ['tagDESKTOP']]],
        'dwWSF_Flags' : [0x10, ['unsigned long']],
        'ptiDrawingClipboard' : [0x1C, ['pointer', ['tagTHREADINFO']]],
        'spwndClipOpen' : [0x20, ['pointer', ['tagWND']]],
        'spwndClipViewer' : [0x24, ['pointer', ['tagWND']]],
        'spwndClipOwner' : [0x28, ['pointer', ['tagWND']]],
        # The array length is taken from cNumClipFormats of the same object
        # at parse time.  tagCLIP is not defined in this file (presumably it
        # comes from the shared Win7 vtypes) — verify before relying on it.
        'pClipBase' : [0x2C, ['pointer', ['array', lambda x : x.cNumClipFormats, ['tagCLIP']]]],
        'cNumClipFormats' : [0x30, ['unsigned int']],
        'iClipSerialNumber' : [0x34, ['unsigned int']],
        'iClipSequenceNumber' : [0x38, ['unsigned int']],
        #'spwndClipboardListener' : [0x3C, ['pointer', ['tagWND']]],
        'pGlobalAtomTable' : [0x40, ['pointer', ['void']]],
        }],

    # Desktop: links back to its window station and to the next desktop,
    # the desktop heap/section, and the list of threads attached to it.
    'tagDESKTOP' : [0x84, {
        'dwSessionId' : [0x0, ['unsigned long']],
        'pDeskInfo' : [0x4, ['pointer', ['tagDESKTOPINFO']]],
        'rpdeskNext' : [0xc, ['pointer', ['tagDESKTOP']]],
        'rpwinstaParent' : [0x10, ['pointer', ['tagWINDOWSTATION']]],
        'hsectionDesktop' : [0x40, ['pointer', ['void']]],
        'pheapDesktop' : [0x44, ['pointer', ['tagWIN32HEAP']]],
        'PtiList' : [0x64, ['_LIST_ENTRY']],
        }],

    # Per-GUI-thread info.  fsHooks and aphkStart (16 tagHOOK list heads,
    # presumably one per WH_* hook type) are what hook enumeration reads
    # to surface hooks installed with SetWindowsHookEx.  Note PtiLink
    # (0xAC) is listed before fsHooks (0x98); order is irrelevant here.
    'tagTHREADINFO' : [None, {
        'pEThread' : [0x00, ['pointer', ['_ETHREAD']]],
        'ppi' : [0x2C, ['pointer', ['tagPROCESSINFO']]],
        'pq' : [0x30, ['pointer', ['tagQ']]],
        'pDeskInfo' : [0x40, ['pointer', ['tagDESKTOPINFO']]],
        'PtiLink' : [0xAC, ['_LIST_ENTRY']],
        'fsHooks' : [0x98, ['unsigned long']],
        'aphkStart' : [0xF4, ['array', 16, ['pointer', ['tagHOOK']]]],
        }],

    # Message queue chain: tagQ -> tagMLIST -> tagQMSG (doubly linked) ->
    # tagMSG, whose fields mirror the public MSG layout.
    'tagQ' : [None, {
        'mlInput' : [0x00, ['tagMLIST']],
        }],

    'tagMLIST' : [None, {
        'pqmsgRead' : [0x00, ['pointer', ['tagQMSG']]],
        'cMsgs' : [0x08, ['unsigned long']],
        }],
    'tagQMSG' : [None, {
        'pqmsgNext' : [0x00, ['pointer', ['tagQMSG']]],
        'pqmsgPrev' : [0x04, ['pointer', ['tagQMSG']]],
        'msg' : [0x08, ['tagMSG']],
        }],
    'tagMSG' : [None, {
        'hwnd' : [0x00, ['unsigned long']],
        'message' : [0x04, ['unsigned long']],
        'wParam' : [0x08, ['unsigned long']],
        'lParam' : [0x0C, ['unsigned long']],
        'time' : [0x10, ['unsigned long']],
        'pt' : [0x14, ['tagPOINT']],
        }],
    'tagPOINT' : [None, {
        'x' : [0x00, ['long']],
        'y' : [0x04, ['long']],
        }],
    # Installed hook: singly linked via phkNext; flags are decoded against
    # constants.HOOK_FLAGS; ptiHooked/rpdesk identify the hooked thread and
    # desktop.  offPfn and ihmod locate the hook procedure (exact meaning
    # of the two values is not established by this file — confirm in the
    # consuming plugin).
    'tagHOOK' : [None, {
        'head' : [0x0, ['_THRDESKHEAD']],
        'phkNext' : [0x14, ['pointer', ['tagHOOK']]],
        'iHook' : [0x18, ['long']],
        'offPfn' : [0x1c, ['unsigned long']],
        'flags': [0x20, ['Flags', {'bitmap': constants.HOOK_FLAGS}]],
        'ihmod' : [0x24, ['long']],
        'ptiHooked' : [0x28, ['pointer', ['tagTHREADINFO']]],
        'rpdesk' : [0x2c, ['pointer', ['tagDESKTOP']]],
        }],
    # Shared desktop info: the desktop window (spwnd) and the desktop-wide
    # hook mask and hook chains, same shape as the per-thread ones above.
    'tagDESKTOPINFO' : [None, {
        'pvDesktopBase' : [0x0, ['pointer', ['void']]],
        'pvDesktopLimit' : [0x4, ['pointer', ['void']]],
        'spwnd' : [0x08, ['pointer', ['tagWND']]],
        'fsHooks' : [0x0c, ['unsigned long']],
        'aphkStart' : [0x10, ['array', 16, ['pointer', ['tagHOOK']]]],
        }],
    # Only the handle-table bookkeeping is needed here (presumably to bound
    # the user handle table walk).
    'tagSERVERINFO' : [0xffc, {
        'cHandleEntries' : [8, ['unsigned long']],
        'cbHandleTable' : [0x1bc, ['unsigned long']],
        }],

    'tagPROCESSINFO' : [None, {
        'Process' : [0x0, ['pointer', ['_EPROCESS']]],
        }],
    # Common header of thread/desktop-owned objects (tagWND, tagHOOK):
    # handle, lock count, owning thread and desktop, self pointer.
    '_THRDESKHEAD' : [0x14, {
        'h' : [0x0, ['pointer', ['void']]],
        'cLockObj' : [0x4, ['unsigned long']],
        'pti' : [0x8, ['pointer', ['tagTHREADINFO']]],
        'rpdesk' : [0xc, ['pointer', ['tagDESKTOP']]],
        'pSelf' : [0x10, ['pointer', ['unsigned char']]],
        }],
    # Window class: the class-name atoms are resolved through the atom
    # table elsewhere.
    'tagCLS' : [0x5c, {
        'pclsNext' : [0x0, ['pointer', ['tagCLS']]],
        'atomClassName' : [0x4, ['unsigned short']],
        'atomNVClassName' : [0x6, ['unsigned short']],
        }],
    'tagRECT' : [0x10, {
        'left' : [0x0, ['long']],
        'top' : [0x4, ['long']],
        'right' : [0x8, ['long']],
        'bottom' : [0xc, ['long']],
        }],
    # Window object: styles, the sibling/parent/child/owner links used to
    # walk the window tree, rectangles, window procedure, class and name.
    'tagWND' : [0x90, {
        'head' : [0x0, ['_THRDESKHEAD']],
        'ExStyle' : [0x1c, ['unsigned long']],
        'style' : [0x20, ['unsigned long']],
        'hModule' : [0x24, ['pointer', ['void']]],
        'spwndNext' : [0x2c, ['pointer', ['tagWND']]],
        'spwndPrev' : [0x30, ['pointer', ['tagWND']]],
        'spwndParent' : [0x34, ['pointer', ['tagWND']]],
        'spwndChild' : [0x38, ['pointer', ['tagWND']]],
        'spwndOwner' : [0x3c, ['pointer', ['tagWND']]],
        'rcWindow' : [0x40, ['tagRECT']],
        'rcClient' : [0x50, ['tagRECT']],
        'lpfnWndProc' : [0x60, ['pointer', ['void']]],
        'pcls' : [0x64, ['pointer', ['tagCLS']]],
        'strName' : [0x80, ['_LARGE_UNICODE_STRING']],
        'cbwndExtra' : [0x8C, ['long']],
        # NOTE(review): offset 0x98 lies past the declared 0x90 size of
        # tagWND — confirm whether the size or this offset is stale.
        'dwUserData' : [0x98, ['unsigned long']],
        }],
    # MaximumLength occupies bits 0..30 of the dword at 0x4 (end_bit is
    # exclusive); bAnsi is the top bit (31) of the same dword.
    '_LARGE_UNICODE_STRING' : [0xc, {
        'Length' : [0x0, ['unsigned long']],
        'MaximumLength' : [0x4, ['BitField', dict(start_bit = 0, end_bit = 31)]],
        'bAnsi' : [0x4, ['BitField', dict(start_bit = 31, end_bit = 32)]],
        'Buffer' : [0x8, ['pointer', ['unsigned short']]],
        }],
    }
165   
# Layout tables for the 64-bit Windows XP win32k GUI structures, in the
# same  name: [size, {member: [offset, [type, args...]]}]  form as the
# 32-bit table above.  Pointer-sized members use 'pointer64' explicitly.
# The trailing comments on several members appear to name the win32k
# routine from which the offset was recovered, and the "!poolfind" notes
# record the pool allocation size, which is larger than the declared
# structure size.
vtypes_xp_64 = {
    # Window station; members here are indented one level shallower than
    # the rest of the table but belong to the same inner dict.
    'tagWINDOWSTATION' : [0x90, { # !poolfind Wind is 100h
    'dwSessionId' : [0x0, ['unsigned long']],
    'rpwinstaNext' : [0x8, ['pointer64', ['tagWINDOWSTATION']]], # FreeWindowStation
    'rpdeskList' : [0x10, ['pointer64', ['tagDESKTOP']]],
    'dwWSF_Flags' : [0x20, ['unsigned long']], # FreeWindowStation
    'ptiDrawingClipboard' : [0x38, ['pointer64', ['tagTHREADINFO']]], # xxxDrawClipboard
    'spwndClipOpen' : [0x40, ['pointer64', ['tagWND']]],
    'spwndClipViewer' : [0x48, ['pointer64', ['tagWND']]],
    'spwndClipOwner' : [0x50, ['pointer64', ['tagWND']]],
    # Array length comes from cNumClipFormats of the same object; tagCLIP
    # is not defined in this file (presumably from the shared Win7 vtypes).
    'pClipBase' : [0x58, ['pointer64', ['array', lambda x : x.cNumClipFormats, ['tagCLIP']]]], # InternalSetClipboardData
    'cNumClipFormats' : [0x60, ['unsigned int']], # InternalSetClipboardData
    'iClipSerialNumber' : [0x64, ['unsigned int']], # InternalSetClipboardData
    'iClipSequenceNumber' : [0x68, ['unsigned int']], # InternalSetClipboardData
    'pGlobalAtomTable' : [0x70, ['pointer64', ['void']]],
    }],

    # !poolfind Desk is 140h
    'tagDESKTOP' : [0xd0, {
        'dwSessionId' : [0x0, ['unsigned long']],
        'pDeskInfo' : [0x8, ['pointer64', ['tagDESKTOPINFO']]], # xxxCreateDesktop
        'rpdeskNext' : [0x18, ['pointer64', ['tagDESKTOP']]], # ParseDesktop
        'rpwinstaParent' : [0x20, ['pointer64', ['tagWINDOWSTATION']]],
        'hsectionDesktop' : [0x70, ['pointer64', ['void']]], # MapDesktop
        'pheapDesktop' : [0x78, ['pointer64', ['tagWIN32HEAP']]], # DesktopAlloc
        'PtiList' : [0xa0, ['_LIST_ENTRY']], # zzzJournalAttach
        }],

    # Per-GUI-thread info; fsHooks/aphkStart are the per-thread hook mask
    # and 16 hook-chain heads read when enumerating installed hooks.
    # No message-queue (pq) member is defined for 64-bit.
    'tagTHREADINFO' : [None, {
        # NOTE(review): every other pointer in this table is 'pointer64';
        # this one is plain 'pointer' — confirm it is profile-width on a
        # 64-bit profile, otherwise the _ETHREAD reference is truncated.
        'pEThread' : [0x00, ['pointer', ['_ETHREAD']]],
        'ppi' : [0x68, ['pointer64', ['tagPROCESSINFO']]], # xxxSetThreadDesktop
        #'pq' : [0x30, ['pointer', ['tagQ']]],
        'pDeskInfo' : [0x90, ['pointer64', ['tagDESKTOPINFO']]], # xxxDesktopThread
        'PtiLink' : [0x160, ['_LIST_ENTRY']],
        'fsHooks' : [0x138, ['unsigned long']], # xxxSetThreadDesktop, CheckWHFBits
        'aphkStart' : [0x140, ['array', 16, ['pointer64', ['tagHOOK']]]],
        }],

    # Shared desktop info: desktop window plus desktop-wide hook state.
    'tagDESKTOPINFO' : [None, {
        'pvDesktopBase' : [0x0, ['pointer64', ['void']]],
        'pvDesktopLimit' : [0x8, ['pointer64', ['void']]],
        'spwnd' : [0x10, ['pointer64', ['tagWND']]],
        'fsHooks' : [0x18, ['unsigned long']], # CheckWHFBits
        'aphkStart' : [0x20, ['array', 16, ['pointer64', ['tagHOOK']]]],
        }],

    # Window object: styles, window-tree links, rectangles, window
    # procedure, class and name.  Size is left unspecified.
    'tagWND' : [None, {
        'head' : [0x0, ['_THRDESKHEAD']],
        'ExStyle' : [0x30, ['unsigned long']], # xxxCreateWindowEx
        'style' : [0x34, ['unsigned long']], # xxxCreateWindowEx
        'spwndNext' : [0x48, ['pointer64', ['tagWND']]],
        'spwndPrev' : [0x50, ['pointer64', ['tagWND']]],
        'spwndParent' : [0x58, ['pointer64', ['tagWND']]],
        'spwndChild' : [0x60, ['pointer64', ['tagWND']]],
        'spwndOwner' : [0x68, ['pointer64', ['tagWND']]],
        'rcWindow' : [0x70, ['tagRECT']],
        'rcClient' : [0x80, ['tagRECT']],
        'lpfnWndProc' : [0x90, ['pointer64', ['void']]],
        'pcls' : [0x98, ['pointer64', ['tagCLS']]], # HMChangeOwnerThread
        'strName' : [0xd0, ['_LARGE_UNICODE_STRING']],
        }],

    # tagRECT is four 32-bit longs on both architectures.
    'tagRECT' : [0x10, {
        'left' : [0x0, ['long']],
        'top' : [0x4, ['long']],
        'right' : [0x8, ['long']],
        'bottom' : [0xc, ['long']],
        }],

    # Window class; the atoms follow the 8-byte pclsNext pointer.
    'tagCLS' : [None, {
        'pclsNext' : [0x0, ['pointer64', ['tagCLS']]],
        'atomClassName' : [0x8, ['unsigned short']], # HMChangeOwnerThread
        'atomNVClassName' : [0xA, ['unsigned short']],
        }],
    }