volatility3.framework.automagic.pdbscan module
A module for scanning translation layers looking for Windows PDB records from loaded PE files.
This module contains a standalone scanner, and also a ScannerInterface
based scanner for use within the framework by calling scan()
.
- class KernelPDBScanner(context, config_path, *args, **kwargs)[source]
Bases:
AutomagicInterface
Windows symbol loader based on PDB signatures.
An Automagic object that looks for all Intel translation layers and scans each of them for a pdb signature. When found, a search for a corresponding Intermediate Format data file is carried out and if found an appropriate symbol space is automatically loaded.
Once a specific kernel PDB signature has been found, a virtual address for the loaded kernel is determined by one of two methods. The first method assumes a specific mapping from the kernel’s physical address to its virtual address (typically the kernel is loaded at its physical location plus a specific offset). The second method searches for a particular structure that lists the kernel module’s virtual address, its size (not checked) and the module’s name. This value is then used if one was not found using the previous method.
Basic initializer that allows configurables to access their own config settings.
- build_configuration()
Constructs a HierarchicalDictionary of all the options required to build this component in the current context.
Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too
- Return type:
- check_kernel_offset(context, vlayer, address, progress_callback=None)[source]
Scans a virtual address.
- property config: HierarchicalDict
The Hierarchical configuration Dictionary for this Configurable object.
- property context: ContextInterface
The context object that this configurable belongs to/configuration is stored in.
- determine_valid_kernel(context, potential_layers, progress_callback=None)[source]
Runs through the identified potential kernels and verifies their suitability.
This carries out a scan using the pdb_signature scanner on a physical layer. It uses the results of the scan to determine the virtual offset of the kernel. On early windows implementations there is a fixed mapping between the physical and virtual addresses of the kernel. On more recent versions a search is conducted for a structure that will identify the kernel’s virtual offset.
- Parameters:
context (
ContextInterface
) – Context on which to operatepotential_layers (
List
[str
]) – List of layer names that the kernel might live atprogress_callback (
Optional
[Callable
[[float
,str
],None
]]) – Function taking a percentage and optional description to be called during expensive computations to indicate progress
- Return type:
Optional
[Tuple
[str
,int
,Dict
[str
,Union
[bytes
,str
,int
,None
]]]]- Returns:
A dictionary of valid kernels
- exclusion_list = ['linux', 'mac']
A list of plugin categories (typically operating systems) which the plugin will not operate on
- find_requirements(context, config_path, requirement_root, requirement_type, shortcut=True)
Determines if there is actually an unfulfilled Requirement waiting.
This ensures we do not carry out an expensive search when there is no need for a particular Requirement
- Parameters:
context (
ContextInterface
) – Context on which to operateconfig_path (
str
) – Configuration path of the top-level requirementrequirement_root (
RequirementInterface
) – Top-level requirement whose subrequirements will all be searchedrequirement_type (
Union
[Tuple
[Type
[RequirementInterface
],...
],Type
[RequirementInterface
]]) – Type of requirement to findshortcut (
bool
) – Only returns requirements that live under unsatisfied requirements
- Return type:
- Returns:
A list of tuples containing the config_path, sub_config_path and requirement identifying the unsatisfied Requirements
- find_virtual_layers_from_req(context, config_path, requirement)[source]
Traverses the requirement tree, rooted at requirement looking for virtual layers that might contain a windows PDB.
Returns a list of possible layers
- Parameters:
context (
ContextInterface
) – The context in which the requirement livesconfig_path (
str
) – The path within the context for the requirement’s configuration variablesrequirement (
RequirementInterface
) – The root of the requirement tree to search for :class:~`volatility3.framework.interfaces.layers.TranslationLayerRequirement` objects to scan
- Return type:
- Returns:
A list of (layer_name, scan_results)
- classmethod get_requirements()
Returns a list of RequirementInterface objects required by this object.
- Return type:
- classmethod make_subconfig(context, base_config_path, **kwargs)
Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.
- Parameters:
context (
ContextInterface
) – The context in which to store the new configurationbase_config_path (
str
) – The base configuration path on which to build the new configurationkwargs – Keyword arguments that are used to populate the new configuration path
- Returns:
The newly generated full configuration path
- Return type:
- max_pdb_size = 4194304
- methods = [<function KernelPDBScanner.method_kdbg_offset>, <function KernelPDBScanner.method_module_offset>, <function KernelPDBScanner.method_fixed_mapping>, <function KernelPDBScanner.method_slow_scan>]
- priority = 30
An ordering to indicate how soon this automagic should be run
- recurse_symbol_fulfiller(context, valid_kernel, progress_callback=None)[source]
Fulfills the SymbolTableRequirements in self._symbol_requirements found by the recurse_symbol_requirements.
This pass will construct any requirements that may need it in the context it was passed
- Parameters:
context (
ContextInterface
) – Context on which to operatevalid_kernel (
Tuple
[str
,int
,Dict
[str
,Union
[bytes
,str
,int
,None
]]]) – A list of offsets where valid kernels have been foundprogress_callback (
Optional
[Callable
[[float
,str
],None
]]) – Means of providing the user with feedback during long processes
- Return type:
- set_kernel_virtual_offset(context, valid_kernel)[source]
Traverses the requirement tree, looking for kernel_virtual_offset values that may need setting and sets it based on the previously identified valid_kernel.
- classmethod unsatisfied(context, config_path)
Returns a list of the names of all unsatisfied requirements.
Since a satisfied set of requirements will return [], it can be used in tests as follows:
unmet = configurable.unsatisfied(context, config_path) if unmet: raise RuntimeError("Unsatisfied requirements: {}".format(unmet)
- Return type: