volatility3.framework.automagic.pdbscan module

A module for scanning translation layers looking for Windows PDB records from loaded PE files.

This module contains a standalone scanner, and also a ScannerInterface based scanner for use within the framework by calling scan().

class KernelPDBScanner(context, config_path, *args, **kwargs)[source]

Bases: AutomagicInterface

Windows symbol loader based on PDB signatures.

An Automagic object that looks for all Intel translation layers and scans each of them for a pdb signature. When found, a search for a corresponding Intermediate Format data file is carried out and if found an appropriate symbol space is automatically loaded.

Once a specific kernel PDB signature has been found, a virtual address for the loaded kernel is determined by one of two methods. The first method assumes a specific mapping from the kernel’s physical address to its virtual address (typically the kernel is loaded at its physical location plus a specific offset). The second method searches for a particular structure that lists the kernel module’s virtual address, its size (not checked) and the module’s name. This value is then used if one was not found using the previous method.

Basic initializer that allows configurables to access their own config settings.

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type:

HierarchicalDict

check_kernel_offset(context, vlayer, address, progress_callback=None)[source]

Scans a virtual address.

Return type:

Optional[Tuple[str, int, Dict[str, Union[bytes, str, int, None]]]]

property config: HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

property config_path: str

The configuration path on which this configurable lives.

property context: ContextInterface

The context object that this configurable belongs to/configuration is stored in.

determine_valid_kernel(context, potential_layers, progress_callback=None)[source]

Runs through the identified potential kernels and verifies their suitability.

This carries out a scan using the pdb_signature scanner on a physical layer. It uses the results of the scan to determine the virtual offset of the kernel. On early windows implementations there is a fixed mapping between the physical and virtual addresses of the kernel. On more recent versions a search is conducted for a structure that will identify the kernel’s virtual offset.

Parameters:
  • context (ContextInterface) – Context on which to operate

  • potential_layers (List[str]) – List of layer names that the kernel might live at

  • progress_callback (Optional[Callable[[float, str], None]]) – Function taking a percentage and optional description to be called during expensive computations to indicate progress

Return type:

Optional[Tuple[str, int, Dict[str, Union[bytes, str, int, None]]]]

Returns:

A dictionary of valid kernels

exclusion_list = ['linux', 'mac']

A list of plugin categories (typically operating systems) which the plugin will not operate on

find_requirements(context, config_path, requirement_root, requirement_type, shortcut=True)

Determines if there is actually an unfulfilled Requirement waiting.

This ensures we do not carry out an expensive search when there is no need for a particular Requirement

Parameters:
Return type:

List[Tuple[str, RequirementInterface]]

Returns:

A list of tuples containing the config_path, sub_config_path and requirement identifying the unsatisfied Requirements

find_virtual_layers_from_req(context, config_path, requirement)[source]

Traverses the requirement tree, rooted at requirement looking for virtual layers that might contain a windows PDB.

Returns a list of possible layers

Parameters:
  • context (ContextInterface) – The context in which the requirement lives

  • config_path (str) – The path within the context for the requirement’s configuration variables

  • requirement (RequirementInterface) – The root of the requirement tree to search for :class:~`volatility3.framework.interfaces.layers.TranslationLayerRequirement` objects to scan

Return type:

List[str]

Returns:

A list of (layer_name, scan_results)

get_physical_layer_name(context, vlayer)[source]
classmethod get_requirements()

Returns a list of RequirementInterface objects required by this object.

Return type:

List[RequirementInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters:
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns:

The newly generated full configuration path

Return type:

str

max_pdb_size = 4194304
method_fixed_mapping(context, vlayer, progress_callback=None)[source]
Return type:

Optional[Tuple[str, int, Dict[str, Union[bytes, str, int, None]]]]

method_kdbg_offset(context, vlayer, progress_callback=None)[source]
Return type:

Optional[Tuple[str, int, Dict[str, Union[bytes, str, int, None]]]]

method_module_offset(context, vlayer, progress_callback=None)[source]
Return type:

Optional[Tuple[str, int, Dict[str, Union[bytes, str, int, None]]]]

method_slow_scan(context, vlayer, progress_callback=None)[source]
Return type:

Optional[Tuple[str, int, Dict[str, Union[bytes, str, int, None]]]]

methods = [<function KernelPDBScanner.method_kdbg_offset>, <function KernelPDBScanner.method_module_offset>, <function KernelPDBScanner.method_fixed_mapping>, <function KernelPDBScanner.method_slow_scan>]
priority = 30

An ordering to indicate how soon this automagic should be run

recurse_symbol_fulfiller(context, valid_kernel, progress_callback=None)[source]

Fulfills the SymbolTableRequirements in self._symbol_requirements found by the recurse_symbol_requirements.

This pass will construct any requirements that may need it in the context it was passed

Parameters:
Return type:

None

set_kernel_virtual_offset(context, valid_kernel)[source]

Traverses the requirement tree, looking for kernel_virtual_offset values that may need setting and sets it based on the previously identified valid_kernel.

Parameters:
Return type:

None

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
Return type:

Dict[str, RequirementInterface]