volatility3.framework.automagic.windows module¶

Module to identify the Directory Table Base and architecture of windows memory images.

This module contains a PageMapScanner that scans a physical layer to identify self-referential pointers. All windows versions include a self-referential pointer in their Directory Table Base’s top table, in order to have a single offset that will allow manipulation of the page tables themselves.

In older windows version the self-referential pointer was at a specific fixed index within the table, which was different for each architecture. In very recent Windows versions, the self-referential pointer index has been randomized, so a different heuristic must be used. In these versions of windows it was found that the physical offset for the DTB was always within the range of 0x1a0000 to 0x1b0000. As such, a search for any self-referential pointer within these pages gives a high probability of being an accurate DTB.

The self-referential indices for older versions of windows are listed below:

Architecture

Index

x86

0x300

PAE

0x3

x64

0x1ED

class DtbSelfRef32bit[source]¶

Bases: volatility3.framework.automagic.windows.DtbSelfReferential

second_pass(dtb, data, data_offset)¶

Re-reads over the whole page to validate other records based on the number of pages marked user vs super.

Parameters

dtb (int) – The identified dtb that needs validating
data (bytes) – The chunk of data that contains the dtb to be validated
data_offset (int) – Where, within the layer, the chunk of data lives

Return type

Optional[Tuple[int, Any]]

Returns

A valid DTB within this page

class DtbSelfRef64bit[source]¶

Bases: volatility3.framework.automagic.windows.DtbSelfReferential

second_pass(dtb, data, data_offset)¶

Re-reads over the whole page to validate other records based on the number of pages marked user vs super.

Parameters

dtb (int) – The identified dtb that needs validating
data (bytes) – The chunk of data that contains the dtb to be validated
data_offset (int) – Where, within the layer, the chunk of data lives

Return type

Optional[Tuple[int, Any]]

Returns

A valid DTB within this page

class DtbSelfReferential(layer_type, ptr_struct, ptr_reference, mask)[source]¶

Bases: volatility3.framework.automagic.windows.DtbTest

A generic DTB test which looks for a self-referential pointer at any index within the page.

second_pass(dtb, data, data_offset)¶

Re-reads over the whole page to validate other records based on the number of pages marked user vs super.

Parameters

dtb (int) – The identified dtb that needs validating
data (bytes) – The chunk of data that contains the dtb to be validated
data_offset (int) – Where, within the layer, the chunk of data lives

Return type

Optional[Tuple[int, Any]]

Returns

A valid DTB within this page

class DtbTest(layer_type, ptr_struct, ptr_reference, mask)[source]¶

Bases: object

This class generically contains the tests for a page based on a set of class parameters.

When constructed it contains all the information necessary to extract a specific index from a page and determine whether it points back to that page’s offset.

second_pass(dtb, data, data_offset)[source]¶

Re-reads over the whole page to validate other records based on the number of pages marked user vs super.

Parameters

dtb (int) – The identified dtb that needs validating
data (bytes) – The chunk of data that contains the dtb to be validated
data_offset (int) – Where, within the layer, the chunk of data lives

Return type

Optional[Tuple[int, Any]]

Returns

A valid DTB within this page

class DtbTest32bit[source]¶

Bases: volatility3.framework.automagic.windows.DtbTest

second_pass(dtb, data, data_offset)¶

Re-reads over the whole page to validate other records based on the number of pages marked user vs super.

Parameters

dtb (int) – The identified dtb that needs validating
data (bytes) – The chunk of data that contains the dtb to be validated
data_offset (int) – Where, within the layer, the chunk of data lives

Return type

Optional[Tuple[int, Any]]

Returns

A valid DTB within this page

class DtbTest64bit[source]¶

Bases: volatility3.framework.automagic.windows.DtbTest

second_pass(dtb, data, data_offset)¶

Re-reads over the whole page to validate other records based on the number of pages marked user vs super.

Parameters

dtb (int) – The identified dtb that needs validating
data (bytes) – The chunk of data that contains the dtb to be validated
data_offset (int) – Where, within the layer, the chunk of data lives

Return type

Optional[Tuple[int, Any]]

Returns

A valid DTB within this page

class DtbTestPae[source]¶

Bases: volatility3.framework.automagic.windows.DtbTest

second_pass(dtb, data, data_offset)[source]¶

PAE top level directory tables contains four entries and the self- referential pointer occurs in the second level of tables (so as not to use up a full quarter of the space). This is very high in the space, and occurs in the fourht (last quarter) second-level table. The second-level tables appear always to come sequentially directly after the real dtb. The value for the real DTB is therefore four page earlier (and the fourth entry should point back to the dtb parameter this function was originally passed.

Parameters

dtb (int) – The identified self-referential pointer that needs validating
data (bytes) – The chunk of data that contains the dtb to be validated
data_offset (int) – Where, within the layer, the chunk of data lives

Return type

Optional[Tuple[int, Any]]

Returns

Returns the actual DTB of the PAE space

class PageMapScanner(tests)[source]¶

Bases: volatility3.framework.interfaces.layers.ScannerInterface

Scans through all pages using DTB tests to determine a dtb offset and architecture.

property context¶

Return type: Optional[ContextInterface]

property layer_name¶

Return type: Optional[str]

overlap = 16384¶

tests = [<volatility3.framework.automagic.windows.DtbTest64bit object>, <volatility3.framework.automagic.windows.DtbTest32bit object>, <volatility3.framework.automagic.windows.DtbTestPae object>]¶: The default tests to run when searching for DTBs

thread_safe = True¶

version = (0, 0, 0)¶

class WinSwapLayers(context, config_path, *args, **kwargs)[source]¶

Bases: volatility3.framework.interfaces.automagic.AutomagicInterface

Class to read swap_layers filenames from single-swap-layers, create the layers and populate the single-layers swap_layers.

Basic initializer that allows configurables to access their own config settings.

build_configuration()¶

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type: HierarchicalDict

property config¶

The Hierarchical configuration Dictionary for this Configurable object.

Return type: HierarchicalDict

property config_path¶

The configuration path on which this configurable lives.

Return type: str

property context¶

The context object that this configurable belongs to/configuration is stored in.

Return type: ContextInterface

find_requirements(context, config_path, requirement_root, requirement_type, shortcut=True)¶

Determines if there is actually an unfulfilled Requirement waiting.

This ensures we do not carry out an expensive search when there is no need for a particular Requirement

Parameters

context (ContextInterface) – Context on which to operate
config_path (str) – Configuration path of the top-level requirement
requirement_root (RequirementInterface) – Top-level requirement whose subrequirements will all be searched
requirement_type (Union[Tuple[Type[RequirementInterface], …], Type[RequirementInterface]]) – Type of requirement to find
shortcut (bool) – Only returns requirements that live under unsatisfied requirements

Return type

List[Tuple[str, RequirementInterface]]

Returns

A list of tuples containing the config_path, sub_config_path and requirement identifying the unsatisfied Requirements

static find_swap_requirement(config, requirement)[source]¶

Takes a Translation layer and returns its swap_layer requirement.

Return type: Tuple[str, Optional[LayerListRequirement]]

classmethod get_requirements()[source]¶

Returns the requirements of this plugin.

Return type: List[RequirementInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)¶

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters

context (ContextInterface) – The context in which to store the new configuration
base_config_path (str) – The base configuration path on which to build the new configuration
kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

priority = 10¶

classmethod unsatisfied(context, config_path)¶

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)

Return type: Dict[str, RequirementInterface]

class WindowsIntelStacker[source]¶

Bases: volatility3.framework.interfaces.automagic.StackerLayerInterface

exclusion_list = ['mac', 'linux']¶

classmethod stack(context, layer_name, progress_callback=None)[source]¶

Attempts to determine and stack an intel layer on a physical layer where possible.

Where the DTB scan fails, it attempts a heuristic of checking for the DTB within a specific range. New versions of windows, with randomized self-referential pointers, appear to always load their dtb within a small specific range (0x1a0000 and 0x1b0000), so instead we scan for all self-referential pointers in that range, and ignore any that contain multiple self-references (since the DTB is very unlikely to point to itself more than once).

Return type: Optional[DataLayerInterface]

stack_order = 40¶

classmethod stacker_slow_warning()¶

class WintelHelper(context, config_path, *args, **kwargs)[source]¶

Bases: volatility3.framework.interfaces.automagic.AutomagicInterface

Windows DTB finder based on self-referential pointers.

This class adheres to the AutomagicInterface interface and both determines the directory table base of an intel layer if one hasn’t been specified, and constructs the intel layer if necessary (for example when reconstructing a pre-existing configuration).

It will scan for existing TranslationLayers that do not have a DTB using the PageMapScanner

Basic initializer that allows configurables to access their own config settings.

build_configuration()¶

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type: HierarchicalDict

property config¶

The Hierarchical configuration Dictionary for this Configurable object.

Return type: HierarchicalDict

property config_path¶

The configuration path on which this configurable lives.

Return type: str

property context¶

The context object that this configurable belongs to/configuration is stored in.

Return type: ContextInterface

find_requirements(context, config_path, requirement_root, requirement_type, shortcut=True)¶

Determines if there is actually an unfulfilled Requirement waiting.

This ensures we do not carry out an expensive search when there is no need for a particular Requirement

Parameters

context (ContextInterface) – Context on which to operate
config_path (str) – Configuration path of the top-level requirement
requirement_root (RequirementInterface) – Top-level requirement whose subrequirements will all be searched
requirement_type (Union[Tuple[Type[RequirementInterface], …], Type[RequirementInterface]]) – Type of requirement to find
shortcut (bool) – Only returns requirements that live under unsatisfied requirements

Return type

List[Tuple[str, RequirementInterface]]

Returns

A list of tuples containing the config_path, sub_config_path and requirement identifying the unsatisfied Requirements

classmethod get_requirements()¶

Returns a list of RequirementInterface objects required by this object.

Return type: List[RequirementInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)¶

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters

context (ContextInterface) – The context in which to store the new configuration
base_config_path (str) – The base configuration path on which to build the new configuration
kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

priority = 20¶

tests = [<volatility3.framework.automagic.windows.DtbTest64bit object>, <volatility3.framework.automagic.windows.DtbTest32bit object>, <volatility3.framework.automagic.windows.DtbTestPae object>]¶

classmethod unsatisfied(context, config_path)¶

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)

Return type: Dict[str, RequirementInterface]