
/usr/lib/python2.7/dist-packages/rekall/plugins/overlays/windows/win10.py is in python-rekall-core 1.6.0+dfsg-2.

This file is owned by root:root, with mode 0o644.


from rekall.plugins.overlays.windows import win8

win10_undocumented_amd64 = {
    # Layout recovered by hand from the disassembly of
    # nt!MiSessionInsertImage on a Windows 10 image
    # (wi10.raw 18:05:45> dis "nt!MiSessionInsertImage"):
    #        call 0xf8014a9d4e80                      nt!memset
    # ...    or rax, 3    <---- Base address is ORed with 3.
    #        mov dword ptr [rbp + 0x3c], 1   <--- ImageCountInThisSession
    #        mov qword ptr [rbp + 0x28], rax  <---- Address
    # The base address carries flag bits in its low bits, which is
    # presumably why the member is modelled as an _EX_FAST_REF rather than
    # a plain pointer.
    '_IMAGE_ENTRY_IN_SESSION': [None, dict(
        Address=[0x28, ["_EX_FAST_REF"]],
    )],
}

# 32-bit counterpart of the layout above: the image base lives at offset
# 0x14 and is treated as a plain pointer.
win10_undocumented_i386 = {
    '_IMAGE_ENTRY_IN_SESSION': [None, dict(
        Address=[0x14, ["Pointer"]],
    )],
}

# Overlays applied to every Windows 10 profile regardless of architecture.
win10_overlays = {
    '_MM_SESSION_SPACE': [None, dict(
        # Win10 keeps its _IMAGE_ENTRY_IN_SESSION records in an AVL tree
        # (ImageTree), so the iterator walks the tree from its root and
        # yields each node as that type.
        ImageIterator=lambda session_space: (
            session_space.ImageTree.Root.traverse(
                type="_IMAGE_ENTRY_IN_SESSION")),
    )],

    "_UNLOADED_DRIVERS": [None, dict(
        # Expose the raw timestamp as a WinFileTime so it renders as a date.
        CurrentTime=[None, ["WinFileTime"]],
    )],

    "_MI_HARDWARE_STATE": [None, dict(
        # Pointer to an array of per-NUMA-node records; the element count
        # is taken from the kernel's KeNumberNodes constant.
        # NOTE(review): KeNumberNodes is presumably read out of the memory
        # image under analysis, so a corrupted or hostile image can make
        # this count arbitrarily large; confirm that Array bounds it before
        # consumers iterate the whole thing.
        SystemNodeInformation=[None, ["Pointer", dict(
            target="Array",
            target_args=dict(
                target="_MI_SYSTEM_NODE_INFORMATION",
                count=lambda array_obj: array_obj.obj_profile.get_constant_object(
                    "KeNumberNodes", "unsigned int").v(),
            ),
        )]],
    )],
}


def InitializeWindows10Profile(profile):
    """Initialize windows 10 profiles.

    Builds on the Windows 8 initialisation, then layers the Win10
    overlays on top. The undocumented _IMAGE_ENTRY_IN_SESSION layout is
    chosen from the profile's "arch" metadata: "AMD64" selects the 64-bit
    layout, anything else the 32-bit one.

    Args:
      profile: the profile object being initialised; it must provide
        add_overlay(), metadata() and has_type().
    """
    win8.InitializeWindows8Profile(profile)
    profile.add_overlay(win10_overlays)

    is_amd64 = profile.metadata("arch") == "AMD64"
    profile.add_overlay(
        win10_undocumented_amd64 if is_amd64 else win10_undocumented_i386)

    # Older Win10 releases have no _MI_HARDWARE_STATE; there the
    # SystemNodeInformation array hangs off _MI_SYSTEM_INFORMATION
    # instead, so the same overlay is attached to that struct.
    if profile.has_type("_MI_HARDWARE_STATE"):
        return

    # NOTE(review): the element count comes from KeNumberNodes, which is
    # presumably read out of the image under analysis; a corrupted or
    # hostile image can therefore yield an arbitrarily large count.
    # Confirm that Array bounds it before consumers iterate it.
    node_array = dict(
        target="Array",
        target_args=dict(
            target="_MI_SYSTEM_NODE_INFORMATION",
            count=lambda array_obj: array_obj.obj_profile.get_constant_object(
                "KeNumberNodes", "unsigned int").v(),
        ),
    )
    profile.add_overlay({
        "_MI_SYSTEM_INFORMATION": [None, {
            "SystemNodeInformation": [None, ["Pointer", node_array]],
        }],
    })