# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0
# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
#
import logging
from typing import List, Tuple, Dict, Generator
from volatility3.framework import interfaces, renderers, exceptions
from volatility3.framework.configuration import requirements
from volatility3.framework.layers import intel
from volatility3.framework.renderers import format_hints
vollog = logging.getLogger(__name__)
[docs]class VirtMap(interfaces.plugins.PluginInterface):
"""Lists virtual mapped sections."""
_required_framework_version = (2, 0, 0)
[docs] @classmethod
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.ModuleRequirement(name = 'kernel', description = 'Windows kernel',
architectures = ["Intel32", "Intel64"])
]
def _generator(self, map):
for entry in sorted(map):
for (start, end) in map[entry]:
yield (0, (entry, format_hints.Hex(start), format_hints.Hex(end)))
[docs] @classmethod
def determine_map(cls, module: interfaces.context.ModuleInterface) -> \
Dict[str, List[Tuple[int, int]]]:
"""Returns the virtual map from a windows kernel module."""
layer = module.context.layers[module.layer_name]
if not isinstance(layer, intel.Intel):
raise
result: Dict[str, List[Tuple[int, int]]] = {}
system_va_type = module.get_enumeration('_MI_SYSTEM_VA_TYPE')
large_page_size = (layer.page_size ** 2) // module.get_type("_MMPTE").size
if module.has_symbol('MiVisibleState'):
symbol = module.get_symbol('MiVisibleState')
visible_state = module.object(object_type = 'pointer',
offset = symbol.address,
subtype = module.get_type('_MI_VISIBLE_STATE')).dereference()
if hasattr(visible_state, 'SystemVaRegions'):
for i in range(visible_state.SystemVaRegions.count):
lookup = system_va_type.lookup(i)
region_range = result.get(lookup, [])
region_range.append(
(visible_state.SystemVaRegions[i].BaseAddress, visible_state.SystemVaRegions[i].NumberOfBytes))
result[lookup] = region_range
elif hasattr(visible_state, 'SystemVaType'):
system_range_start = module.object(object_type = "pointer",
offset = module.get_symbol("MmSystemRangeStart").address)
result = cls._enumerate_system_va_type(large_page_size, system_range_start, module,
visible_state.SystemVaType)
else:
raise exceptions.SymbolError(None, module.name, "Required structures not found")
elif module.has_symbol('MiSystemVaType'):
system_range_start = module.object(object_type = "pointer",
offset = module.get_symbol("MmSystemRangeStart").address)
symbol = module.get_symbol('MiSystemVaType')
array_count = (0xFFFFFFFF + 1 - system_range_start) // large_page_size
type_array = module.object(object_type = 'array',
offset = symbol.address,
count = array_count,
subtype = module.get_type('char'))
result = cls._enumerate_system_va_type(large_page_size, system_range_start, module, type_array)
else:
raise exceptions.SymbolError(None, module.name, "Required structures not found")
return result
@classmethod
def _enumerate_system_va_type(cls, large_page_size: int, system_range_start: int,
module: interfaces.context.ModuleInterface,
type_array: interfaces.objects.ObjectInterface) -> Dict[str, List[Tuple[int, int]]]:
result: Dict[str, List[Tuple[int, int]]] = {}
system_va_type = module.get_enumeration('_MI_SYSTEM_VA_TYPE')
start = system_range_start
prev_entry = -1
cur_size = large_page_size
for entry in type_array:
entry = system_va_type.lookup(entry)
if entry != prev_entry:
region_range = result.get(entry, [])
region_range.append((start, cur_size))
result[entry] = region_range
start = start + cur_size
cur_size = large_page_size
else:
cur_size += large_page_size
prev_entry = entry
return result
[docs] @classmethod
def scannable_sections(cls, module: interfaces.context.ModuleInterface) -> Generator[Tuple[int, int], None, None]:
mapping = cls.determine_map(module)
for entry in mapping:
if 'Unused' not in entry:
for value in mapping[entry]:
yield value
[docs] def run(self):
kernel = self.context.modules[self.config['kernel']]
layer = self.context.layers[kernel.layer_name]
module = self.context.module(kernel.symbol_table_name,
layer_name = layer.name,
offset = layer.config['kernel_virtual_offset'])
return renderers.TreeGrid([("Region", str), ("Start offset", format_hints.Hex),
("End offset", format_hints.Hex)],
self._generator(self.determine_map(module = module)))