# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (C) 2010,2011,2012 Michael Hale Ligh <michael.ligh@mnin.org>
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

import volatility.obj as obj
import volatility.plugins.gui.vtypes.win7_sp0_x64_vtypes_gui as win7_sp0_x64_vtypes_gui
import volatility.plugins.gui.constants as consts

class Vista2008x64GuiVTypes(obj.ProfileModification):
    """GUI (win32k.sys) vtypes for 64-bit Windows Vista / Server 2008 (NT 6.0).

    Ordered via ``before`` relative to the XP/2003 x64 base types and the
    generic Win32K x64 vtypes; see ``obj.ProfileModification`` for the exact
    ordering semantics.
    """

    before = ["XP2003x64BaseVTypes", "Win32Kx64VTypes"]

    # Only profiles for 64-bit Windows 6.0 (Vista / Server 2008) match.
    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '64bit',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
    }

    def modification(self, profile):
        """Install the Vista/2008 x64 GUI vtypes and overlays into ``profile``.

        :param profile: the Volatility profile being built; its ``vtypes``
            dict is updated in place and ``merge_overlay`` is called once.
        """
        # Vista/2008 and Windows 7 win32k structures are close enough that the
        # Win7 SP0 x64 types serve as the baseline. This reuses a *newer* OS's
        # types for an older one (the reverse of the usual direction) because
        # no public win32k.sys symbols existed before Windows 7.
        profile.vtypes.update(win7_sp0_x64_vtypes_gui.win32k_types)

        # tagSHAREDINFO is replaced wholesale instead of overlaid: an overlay
        # would keep Win7's HeEntrySize member, which Vista does not have, and
        # it would otherwise look like a valid field of the structure.
        vista_shared_info = {
            'tagSHAREDINFO': [0x238, {
                'psi': [0x0, ['pointer64', ['tagSERVERINFO']]],
                'aheList': [0x8, ['pointer64', ['_HANDLEENTRY']]],
                'ulSharedDelta': [0x18, ['unsigned long long']],
            }],
        }
        profile.vtypes.update(vista_shared_info)

        # Offsets below were taken from the Win7SP0x64 definitions.
        overlay = {
            'tagDESKTOP': [None, {
                'pheapDesktop': [0x78, ['pointer64', ['tagWIN32HEAP']]],
                'ulHeapSize': [0x80, ['unsigned long']],
            }],
            'tagTHREADINFO': [None, {
                'ppi': [0x68, ['pointer64', ['tagPROCESSINFO']]],
                'PtiLink': [0x160, ['_LIST_ENTRY']],
            }],
            'tagHOOK': [None, {
                'flags': [None, ['Flags', {'bitmap': consts.HOOK_FLAGS}]],
            }],
            '_HANDLEENTRY': [None, {
                'bType': [None, ['Enumeration', {
                    'target': 'unsigned char',
                    'choices': consts.HANDLE_TYPE_ENUM,
                }]],
            }],
            'tagWINDOWSTATION': [None, {
                # NOTE(review): the array length is read straight from the
                # image (cNumClipFormats). A corrupted or hostile dump can make
                # it arbitrarily large; the consuming plugin is expected to
                # bound the iteration -- cannot confirm that from this file.
                'pClipBase': [None, ['pointer', ['array',
                                                 lambda x: x.cNumClipFormats,
                                                 ['tagCLIP']]]],
            }],
            'tagCLIP': [None, {
                'fmt': [0x0, ['Enumeration', {
                    'target': 'unsigned long',
                    'choices': consts.CLIPBOARD_FORMAT_ENUM,
                }]],
            }],
        }
        profile.merge_overlay(overlay)

class Vista2008x86GuiVTypes(obj.ProfileModification):
    """GUI (win32k.sys) vtype overlays for 32-bit Windows Vista / Server 2008.

    Ordered via ``before`` relative to the XP/2003 x86 base types and the
    generic Win32K x86 vtypes; see ``obj.ProfileModification`` for the exact
    ordering semantics.
    """

    before = ["XP2003x86BaseVTypes", "Win32Kx86VTypes"]

    # Only profiles for 32-bit Windows 6.0 (Vista / Server 2008) match.
    conditions = {
        'os': lambda x: x == 'windows',
        'memory_model': lambda x: x == '32bit',
        'major': lambda x: x == 6,
        'minor': lambda x: x == 0,
    }

    def modification(self, profile):
        """Overlay the Vista/2008 x86 GUI structure sizes and offsets.

        :param profile: the Volatility profile being built; a single
            ``merge_overlay`` call is made, no vtypes are replaced outright.
        """
        # tagWINDOWSTATION gets an explicit size: objects are carved from the
        # bottom of the pool allocation upward, so the size must be right.
        window_station = [0x54, {
            # NOTE(review): the array length is read straight from the image
            # (cNumClipFormats). A corrupted or hostile dump can make it
            # arbitrarily large; the consuming plugin is expected to bound the
            # iteration -- cannot confirm that from this file.
            'pClipBase': [None, ['pointer', ['array',
                                             lambda x: x.cNumClipFormats,
                                             ['tagCLIP']]]],
        }]

        desktop = [None, {
            'PtiList': [0x64, ['_LIST_ENTRY']],
            'hsectionDesktop': [0x3c, ['pointer', ['void']]],
            'pheapDesktop': [0x40, ['pointer', ['tagWIN32HEAP']]],
            'ulHeapSize': [0x44, ['unsigned long']],
        }]

        # These tagTHREADINFO offsets match the Windows 2003 x86 layout.
        thread_info = [None, {
            'PtiLink': [0xB0, ['_LIST_ENTRY']],
            'fsHooks': [0x9C, ['unsigned long']],
            'aphkStart': [0xF8, ['array', 16, ['pointer', ['tagHOOK']]]],
        }]

        server_info = [None, {
            'cHandleEntries': [0x4, ['unsigned long']],
            'cbHandleTable': [0x1c8, ['unsigned long']],
        }]

        # Size and offsets taken from the Win7SP0x86 definitions.
        shared_info = [0x11c, {
            'psi': [0x0, ['pointer', ['tagSERVERINFO']]],
            'aheList': [0x4, ['pointer', ['_HANDLEENTRY']]],
            'ulSharedDelta': [0xC, ['unsigned long']],
        }]

        # tagCLIP only changes size here; its members are left as inherited.
        clip = [16, {}]

        profile.merge_overlay({
            'tagWINDOWSTATION': window_station,
            'tagDESKTOP': desktop,
            'tagTHREADINFO': thread_info,
            'tagSERVERINFO': server_info,
            'tagSHAREDINFO': shared_info,
            'tagCLIP': clip,
        })