Source Code for Module rekall.plugins.windows.gui.windowstations

  1  # Rekall Memory Forensics 
  2  # Copyright (C) 2007,2008 Volatile Systems 
  3  # Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.ligh@mnin.org> 
  4  # Copyright 2013 Google Inc. All Rights Reserved. 
  5  # 
  6  # This program is free software; you can redistribute it and/or modify 
  7  # it under the terms of the GNU General Public License as published by 
  8  # the Free Software Foundation; either version 2 of the License, or (at 
  9  # your option) any later version. 
 10  # 
 11  # This program is distributed in the hope that it will be useful, but 
 12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 14  # General Public License for more details. 
 15  # 
 16  # You should have received a copy of the GNU General Public License 
 17  # along with this program; if not, write to the Free Software 
 18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 19  # 
 20   
 21  """The following is a description of windows stations from MSDN: 
 22   
 23  http://msdn.microsoft.com/en-us/library/windows/desktop/ms687096(v=vs.85).aspx 
 24   
 25  A window station contains a clipboard, an atom table, and one or more desktop 
 26  objects. Each window station object is a securable object. When a window station 
 27  is created, it is associated with the calling process and assigned to the 
 28  current session. 
 29   
 30  The interactive window station is the only window station that can display a 
 31  user interface or receive user input. It is assigned to the logon session of the 
 32  interactive user, and contains the keyboard, mouse, and display device. It is 
 33  always named "WinSta0". All other window stations are noninteractive, which 
 34  means they cannot display a user interface or receive user input. 
 35   
 36   
 37  Ref: 
 38  http://volatility-labs.blogspot.de/2012/09/movp-13-desktops-heaps-and-ransomware.html 
 39   
 40  NOTE: Windows 8 does not have a global atom table any more. 
 41  http://mista.nu/research/smashing_the_atom.pdf 
 42   
 43  """ 
 44  from rekall.plugins.windows import common 
 45  from rekall.plugins.windows.gui import win32k_core 
 46   
 47   
 48 -class WindowsStations(win32k_core.Win32kPluginMixin, 
 49                        common.WindowsCommandPlugin): 
 50      """Displays all the windows stations by following lists.""" 
 51   
 52      __name = "windows_stations" 
 53   
 54      table_header = [ 
 55          dict(name="WindowStation", style="address"), 
 56          dict(name="Name", width=20), 
 57          dict(name="SesId", width=5), 
 58          dict(name="AtomTable", style="address"), 
 59          dict(name="Interactive", width=11), 
 60          dict(name="Desktops") 
 61      ] 
 62   
 63 -    def stations_in_session(self, session): 
 64          # Get the start of the Window station list from 
 65          # win32k.sys. These are all the Windows stations that exist in 
 66          # this Windows session. 
 67          station_list = self.win32k_profile.get_constant_object( 
 68              "grpWinStaList", 
 69              target="Pointer", 
 70              target_args=dict( 
 71                  target="tagWINDOWSTATION" 
 72                  ), 
 73              vm=session.obj_vm, 
 74              ) 
 75   
 76          for station in station_list.walk_list("rpwinstaNext"): 
 77              yield station 
 78   
 79 -    def stations(self): 
 80          """A generator of tagWINDOWSTATION objects.""" 
 81          # Each windows session has a unique set of windows stations. 
 82          for session in self.session.plugins.sessions().session_spaces(): 
 83              for station in self.stations_in_session(session): 
 84                  yield station 
 85   
 86 -    def collect(self): 
 87          for window_station in self.stations(): 
 88              desktops = [desk.Name for desk in window_station.desktops()] 
 89              yield dict(WindowStation=window_station, 
 90                         Name=window_station.Name, 
 91                         SesId=window_station.dwSessionId, 
 92                         AtomTable=window_station.pGlobalAtomTable, 
 93                         Interactive=window_station.Interactive, 
 94                         Desktops=desktops) 
 95   
 96   
 97 -class WinDesktops(WindowsStations): 
 98      """Print information on each desktop.""" 
 99   
100      __name = "desktops" 
101   
102      table_header = [ 
103          dict(name="divider", type="Divider"), 
104          dict(name="tagDESKTOP", style="address"), 
105          dict(name="Name", width=20), 
106          dict(name="Sid", width=3), 
107          dict(name="Hooks", width=5), 
108          dict(name="tagWND", style="address"), 
109          dict(name="Winds", width=5), 
110          dict(name="Thrd", width=5), 
111          dict(name="_EPROCESS"), 
112      ] 
113   
114 -    def collect(self): 
115          for window_station in self.stations(): 
116              for desktop in window_station.desktops(): 
117                  divider = "Desktop: {0:#x}, Name: {1}\\{2}\n".format( 
118                      desktop, 
119                      window_station.Name, 
120                      desktop.Name) 
121   
122                  divider += ("Heap: {0:#x}, Size: {1:#x}, Base: {2:#x}, " 
123                              "Limit: {3:#x}\n").format( 
124                                  desktop.pheapDesktop.v(), 
125                                  (desktop.DeskInfo.pvDesktopLimit.v() - 
126                                   desktop.DeskInfo.pvDesktopBase.v()), 
127                                  desktop.DeskInfo.pvDesktopBase, 
128                                  desktop.DeskInfo.pvDesktopLimit, 
129                              ) 
130   
131                  yield dict(divider=divider) 
132   
133                  window_count = len(list(desktop.windows( 
134                      desktop.DeskInfo.spwnd))) 
135   
136                  for thrd in desktop.threads(): 
137                      yield dict( 
138                          tagDESKTOP=desktop, 
139                          Name=desktop.Name, 
140                          Sid=desktop.dwSessionId, 
141                          Hooks=desktop.DeskInfo.fsHooks, 
142                          tagWND=desktop.DeskInfo.spwnd.deref(), 
143                          Winds=window_count, 
144                          Thrd=thrd.pEThread.Cid.UniqueThread, 
145                          _EPROCESS=thrd.ppi.Process.deref()) 
146