volatility3.framework.automagic.windows module

Module to identify the Directory Table Base and architecture of windows memory images.

This module contains a PageMapScanner that scans a physical layer to identify self-referential pointers. All windows versions include a self-referential pointer in their Directory Table Base’s top table, in order to have a single offset that will allow manipulation of the page tables themselves.

In older windows version the self-referential pointer was at a specific fixed index within the table, which was different for each architecture. In very recent Windows versions, the self-referential pointer index has been randomized, so a different heuristic must be used. In these versions of windows it was found that the physical offset for the DTB was always within the range of 0x1a0000 to 0x1b0000. As such, a search for any self-referential pointer within these pages gives a high probability of being an accurate DTB.

The self-referential indices for older versions of windows are listed below:

Architecture

Index

x86

0x300

PAE

0x3

x64

0x1ED

class DtbSelfRef32bit[source]: Bases: DtbSelfReferential

class DtbSelfRef64bit[source]: Bases: DtbSelfReferential

class DtbSelfRef64bitOldWindows[source]: Bases: DtbSelfReferential

class DtbSelfRefPae[source]: Bases: DtbSelfReferential

class DtbSelfReferential(layer_type, ptr_struct, mask, valid_range, reserved_bits)[source]

Bases: object

A generic DTB test which looks for a self-referential pointer at any index within the page.

class PageMapScanner(tests)[source]

Bases: ScannerInterface

Scans through all pages using DTB tests to determine a dtb offset and architecture.

property context: ContextInterface | None

property layer_name: str | None

overlap = 16384

tests = [<volatility3.framework.automagic.windows.DtbSelfRef64bit object>, <volatility3.framework.automagic.windows.DtbSelfRefPae object>, <volatility3.framework.automagic.windows.DtbSelfRef32bit object>]: The default tests to run when searching for DTBs

thread_safe = True

version = (0, 0, 0)

class WinSwapLayers(context, config_path, *args, **kwargs)[source]

Bases: AutomagicInterface

Class to read swap_layers filenames from single-swap-layers, create the layers and populate the single-layers swap_layers.

Basic initializer that allows configurables to access their own config settings.

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type:: HierarchicalDict

property config: HierarchicalDict: The Hierarchical configuration Dictionary for this Configurable object.

property config_path: str: The configuration path on which this configurable lives.

property context: ContextInterface: The context object that this configurable belongs to/configuration is stored in.

exclusion_list = ['linux', 'mac']: A list of plugin categories (typically operating systems) which the plugin will not operate on

find_requirements(context, config_path, requirement_root, requirement_type, shortcut=True)

Determines if there is actually an unfulfilled Requirement waiting.

This ensures we do not carry out an expensive search when there is no need for a particular Requirement

Parameters:

context (ContextInterface) – Context on which to operate
config_path (str) – Configuration path of the top-level requirement
requirement_root (RequirementInterface) – Top-level requirement whose subrequirements will all be searched
requirement_type (Union[Tuple[Type[RequirementInterface], ...], Type[RequirementInterface]]) – Type of requirement to find
shortcut (bool) – Only returns requirements that live under unsatisfied requirements

Return type:

List[Tuple[str, RequirementInterface]]

Returns:

A list of tuples containing the config_path, sub_config_path and requirement identifying the unsatisfied Requirements

static find_swap_requirement(config, requirement)[source]

Takes a Translation layer and returns its swap_layer requirement.

Return type:: Tuple[str, Optional[LayerListRequirement]]

classmethod get_requirements()[source]

Returns the requirements of this plugin.

Return type:: List[RequirementInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters:

context (ContextInterface) – The context in which to store the new configuration
base_config_path (str) – The base configuration path on which to build the new configuration
kwargs – Keyword arguments that are used to populate the new configuration path

Returns:

The newly generated full configuration path

Return type:

str

priority = 10: An ordering to indicate how soon this automagic should be run

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)

Return type:: Dict[str, RequirementInterface]

class WindowsIntelStacker[source]

Bases: StackerLayerInterface

exclusion_list: List[str] = ['mac', 'linux']: The list operating systems/first-level plugin hierarchy that should exclude this stacker

classmethod stack(context, layer_name, progress_callback=None)[source]

Attempts to determine and stack an intel layer on a physical layer where possible.

Where the DTB scan fails, it attempts a heuristic of checking for the DTB within a specific range. New versions of windows, with randomized self-referential pointers, appear to always load their dtb within a small specific range (0x1a0000 and 0x1b0000), so instead we scan for all self-referential pointers in that range, and ignore any that contain multiple self-references (since the DTB is very unlikely to point to itself more than once).

Return type:: Optional[DataLayerInterface]

stack_order = 40: The order in which to attempt stacking, the lower the earlier

classmethod stacker_slow_warning()

test_sets = [('Detecting Self-referential pointer for recent windows', [<volatility3.framework.automagic.windows.DtbSelfRef64bit object>], [(1376256, 1376256), (6619136, 655360)]), ('Older windows fixed location self-referential pointers', [<volatility3.framework.automagic.windows.DtbSelfRefPae object>, <volatility3.framework.automagic.windows.DtbSelfRef32bit object>, <volatility3.framework.automagic.windows.DtbSelfRef64bitOldWindows object>], [(196608, 16777216)])]