# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0
# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
#
import copy
from typing import Any, Dict, Iterable, Optional, Type
from volatility3.framework import constants, interfaces, objects
[docs]class NativeTable(interfaces.symbols.NativeTableInterface):
"""Symbol List that handles Native types."""
# FIXME: typing the native_dictionary as Tuple[interfaces.objects.ObjectInterface, str] throws many errors
def __init__(self, name: str, native_dictionary: Dict[str, Any]) -> None:
super().__init__(name, self)
self._native_dictionary = copy.deepcopy(native_dictionary)
self._overrides: Dict[str, interfaces.objects.ObjectInterface] = {}
for native_type in self._native_dictionary:
native_class, _native_struct = self._native_dictionary[native_type]
self._overrides[native_type] = native_class
# Create this once early, because it may get used a lot
self._types = set(self._native_dictionary).union(
{"enum", "array", "bitfield", "void", "string", "bytes", "function"}
)
[docs] def get_type_class(self, name: str) -> Type[interfaces.objects.ObjectInterface]:
ntype, _ = self._native_dictionary.get(name, (objects.Integer, None))
return ntype
@property
def types(self) -> Iterable[str]:
"""Returns an iterator of the symbol type names."""
return self._types
[docs] def get_type(self, type_name: str) -> interfaces.objects.Template:
"""Resolves a symbol name into an object template.
This always construct a new python object, rather than using a
cached value otherwise changes made later may affect the cached
copy. Calling clone after every native type construction was
extremely slow.
"""
# NOTE: These need updating whenever the object init signatures change
prefix = ""
if constants.BANG in type_name:
name_split = type_name.split(constants.BANG)
if len(name_split) > 2:
raise ValueError(
f"SymbolName cannot contain multiple {constants.BANG} separators"
)
table_name, type_name = name_split
prefix = table_name + constants.BANG
additional: Dict[str, Any] = {}
obj: Optional[Type[interfaces.objects.ObjectInterface]] = None
if type_name == "void" or type_name == "function":
obj = objects.Void
elif type_name == "array":
obj = objects.Array
additional = {"count": 0, "subtype": self.get_type("void")}
elif type_name == "enum":
obj = objects.Enumeration
additional = {"base_type": self.get_type("void"), "choices": {}}
elif type_name == "bitfield":
obj = objects.BitField
additional = {
"start_bit": 0,
"end_bit": 0,
"base_type": self.get_type("void"),
}
elif type_name == "string":
obj = objects.String
additional = {"max_length": 0}
elif type_name == "bytes":
obj = objects.Bytes
additional = {"length": 0}
if obj is not None:
return objects.templates.ObjectTemplate(
obj, type_name=prefix + type_name, **additional
)
_native_type, native_format = self._native_dictionary[type_name]
if type_name == "pointer":
additional = {"subtype": self.get_type("void")}
return objects.templates.ObjectTemplate(
self.get_type_class(type_name), # pylint: disable=W0142
type_name=prefix + type_name,
data_format=objects.DataFormatInfo(*native_format),
**additional,
)
std_ctypes = {
"int": (objects.Integer, (4, "little", True)),
"long": (objects.Integer, (4, "little", True)),
"unsigned long": (objects.Integer, (4, "little", False)),
"unsigned int": (objects.Integer, (4, "little", False)),
"char": (objects.Integer, (1, "little", True)),
"byte": (objects.Bytes, (1, "little", True)),
"unsigned char": (objects.Integer, (1, "little", False)),
"unsigned short int": (objects.Integer, (2, "little", False)),
"unsigned short": (objects.Integer, (2, "little", False)),
"unsigned be short": (objects.Integer, (2, "big", False)),
"short": (objects.Integer, (2, "little", True)),
"long long": (objects.Integer, (8, "little", True)),
"unsigned long long": (objects.Integer, (8, "little", True)),
"float": (objects.Float, (4, "little", True)),
"double": (objects.Float, (8, "little", True)),
"wchar": (objects.Integer, (2, "little", False)),
}
native_types = std_ctypes.copy()
native_types["pointer"] = (objects.Pointer, (4, "little", False))
x86NativeTable = NativeTable("native", native_types)
native_types["pointer"] = (objects.Pointer, (8, "little", False))
x64NativeTable = NativeTable("native", native_types)