# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0
# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
import json
import logging
import os
from typing import List
from volatility3.framework import renderers, interfaces, objects, exceptions, constants
from volatility3.framework.configuration import requirements
from volatility3.plugins.windows import pslist
vollog = logging.getLogger(__name__)
[docs]class Privs(interfaces.plugins.PluginInterface):
"""Lists process token privileges"""
_version = (1, 2, 0)
_required_framework_version = (2, 0, 0)
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
# Find the sids json path (or raise error if its not in the plugin directory).
for plugin_dir in constants.PLUGINS_PATH:
sids_json_file_name = os.path.join(plugin_dir, os.path.join("windows", "sids_and_privileges.json"))
if os.path.exists(sids_json_file_name):
break
else:
vollog.log(constants.LOGLEVEL_VVV, 'sids_and_privileges.json file is missing plugin error')
raise RuntimeError("The sids_and_privileges.json file missed from you plugin directory")
# Get service sids dictionary (we need only the service sids).
with open(sids_json_file_name, 'r') as file_handle:
temp_json = json.load(file_handle)['privileges']
self.privilege_info = {int(priv_num): temp_json[priv_num] for priv_num in temp_json}
[docs] @classmethod
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.ModuleRequirement(name = 'kernel', description = 'Windows kernel',
architectures = ["Intel32", "Intel64"]),
requirements.ListRequirement(name = 'pid',
description = 'Filter on specific process IDs',
element_type = int,
optional = True),
requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (2, 0, 0)),
]
def _generator(self, procs):
for task in procs:
try:
process_token = task.Token.dereference().cast("_TOKEN")
except exceptions.InvalidAddressException:
vollog.log(constants.LOGLEVEL_VVV, 'Skip invalid token.')
continue
for value, present, enabled, default in process_token.privileges():
# Skip privileges whose bit positions cannot be
# translated to a privilege name
if not self.privilege_info.get(int(value)):
vollog.log(constants.LOGLEVEL_VVV, f'Skip invalid privilege ({value}).')
continue
name, desc = self.privilege_info.get(int(value))
# Set the attributes
attributes = []
if present:
attributes.append("Present")
if enabled:
attributes.append("Enabled")
if default:
attributes.append("Default")
yield (0, [
int(task.UniqueProcessId),
objects.utility.array_to_string(task.ImageFileName),
int(value),
str(name), ",".join(attributes),
str(desc)
])
[docs] def run(self):
filter_func = pslist.PsList.create_pid_filter(self.config.get('pid', None))
kernel = self.context.modules[self.config['kernel']]
return renderers.TreeGrid([("PID", int), ("Process", str), ("Value", int), ("Privilege", str),
("Attributes", str), ("Description", str)],
self._generator(
pslist.PsList.list_processes(context = self.context,
layer_name = kernel.layer_name,
symbol_table = kernel.symbol_table_name,
filter_func = filter_func)))