# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0
# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
#
from volatility3.framework import objects, interfaces
from volatility3.framework import exceptions
from volatility3.framework.symbols.wrappers import Flags
from volatility3.framework import renderers
from typing import Union
[docs]class SERVICE_RECORD(objects.StructType):
"""A service record structure."""
[docs] def is_valid(self) -> bool:
"""Determine if the structure is valid."""
if self.Order < 0 or self.Order > 0xFFFF:
return False
try:
_ = self.State.description
_ = self.Start.description
except ValueError:
return False
return True
[docs] def get_pid(self) -> Union[int, interfaces.renderers.BaseAbsentValue]:
"""Return the pid of the process, if any."""
if self.State.description != "SERVICE_RUNNING" or "PROCESS" not in self.get_type():
return renderers.NotApplicableValue()
try:
return self.ServiceProcess.ProcessId
except exceptions.InvalidAddressException:
return renderers.UnreadableValue()
[docs] def get_binary(self) -> Union[str, interfaces.renderers.BaseAbsentValue]:
"""Returns the binary associated with the service."""
if self.State.description != "SERVICE_RUNNING":
return renderers.NotApplicableValue()
# depending on whether the service is for a process
# or kernel driver, the binary path is stored differently
try:
if "PROCESS" in self.get_type():
return self.ServiceProcess.BinaryPath.dereference().cast("string",
encoding = "utf-16",
errors = "replace",
max_length = 512)
else:
return self.DriverName.dereference().cast("string",
encoding = "utf-16",
errors = "replace",
max_length = 512)
except exceptions.InvalidAddressException:
return renderers.UnreadableValue()
[docs] def get_name(self) -> Union[str, interfaces.renderers.BaseAbsentValue]:
"""Returns the service name."""
try:
return self.ServiceName.dereference().cast("string",
encoding = "utf-16",
errors = "replace",
max_length = 512)
except exceptions.InvalidAddressException:
return renderers.UnreadableValue()
[docs] def get_display(self) -> Union[str, interfaces.renderers.BaseAbsentValue]:
"""Returns the service display."""
try:
return self.DisplayName.dereference().cast("string",
encoding = "utf-16",
errors = "replace",
max_length = 512)
except exceptions.InvalidAddressException:
return renderers.UnreadableValue()
[docs] def get_type(self) -> str:
"""Returns the binary types."""
SERVICE_TYPE_FLAGS = {
'SERVICE_KERNEL_DRIVER': 1,
'SERVICE_FILE_SYSTEM_DRIVER': 2,
'SERVICE_ADAPTOR': 4,
'SERVICE_RECOGNIZER_DRIVER': 8,
'SERVICE_WIN32_OWN_PROCESS': 16,
'SERVICE_WIN32_SHARE_PROCESS': 32,
'SERVICE_INTERACTIVE_PROCESS': 256
}
type_flags = Flags(choices = SERVICE_TYPE_FLAGS)
return "|".join(type_flags(self.Type))
[docs] def traverse(self):
"""Generator that enumerates other services."""
try:
if hasattr(self, "PrevEntry"):
yield self
# make sure we dereference these pointers, or the
# is_valid() checks will apply to the pointer and
# not the _SERVICE_RECORD object as intended.
rec = self.PrevEntry
while rec and rec.is_valid():
yield rec
rec = rec.PrevEntry
else:
rec = self
while rec and rec.is_valid():
yield rec
rec = rec.ServiceList.Blink.dereference()
except exceptions.InvalidAddressException:
return
class_types = {'_SERVICE_RECORD': SERVICE_RECORD, '_SERVICE_HEADER': SERVICE_HEADER}