# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0
# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
#
import random
import string
from typing import Union
from volatility3.framework import objects, interfaces
[docs]class GenericIntelProcess(objects.StructType):
def _add_process_layer(
self,
context: interfaces.context.ContextInterface,
dtb: Union[int, interfaces.objects.ObjectInterface],
config_prefix: str = None,
preferred_name: str = None,
) -> str:
"""Constructs a new layer based on the process's DirectoryTableBase."""
if config_prefix is None:
# TODO: Ensure collisions can't happen by verifying the config_prefix is empty
random_prefix = "".join(
random.SystemRandom().choice(string.ascii_uppercase + string.digits)
for _ in range(8)
)
config_prefix = interfaces.configuration.path_join(
"temporary", "_" + random_prefix
)
# Figure out a suitable name we can use for the new layer
if preferred_name is None:
preferred_name = context.layers.free_layer_name(
prefix=self.vol.layer_name + "_Process"
)
else:
if preferred_name in context.layers:
preferred_name = context.layers.free_layer_name(prefix=preferred_name)
# Copy the parent's config and then make suitable changes
parent_layer = context.layers[self.vol.layer_name]
parent_config = parent_layer.build_configuration()
# It's an intel layer, because we hardwire the "memory_layer" config option
# FIXME: this could be for other architectures if we don't hardwire this/these values
parent_config["memory_layer"] = parent_layer.config["memory_layer"]
parent_config["page_map_offset"] = dtb
# Set the new configuration and construct the layer
config_path = interfaces.configuration.path_join(config_prefix, preferred_name)
context.config.splice(config_path, parent_config)
new_layer = parent_layer.__class__(
context, config_path=config_path, name=preferred_name
)
# Add the constructed layer and return the name
context.layers.add_layer(new_layer)
return preferred_name