Skip to content

Commit

Permalink
Some more bug fixes.
Browse files Browse the repository at this point in the history 
darcs-hash:20090128145306-f1522-d4486b222f4123ab031432837a61d69dd7ebb847.gz
  • Loading branch information
scudette committed Jan 28, 2009
1 parent c371388 commit 6850fb2
Show file tree
Hide file tree
Showing 5 changed files with 60 additions and 56 deletions.
61 changes: 34 additions & 27 deletions src/plugins/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/object2.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -79,14 +79,20 @@ class NoneObject(object):
Instantiate with the reason for the error.
"""
def __init__(self, reason):
def __init__(self, reason, strict=False):
self.reason = reason
self.bt = get_bt_string()
self.strict = strict
if strict:
self.bt = get_bt_string()

def __str__(self):
result = "Error: %s\n%s" % (self.reason, self.bt)
print result
sys.exit(0)
## If we are strict we blow up here
if self.strict:
result = "Error: %s\n%s" % (self.reason, self.bt)
print result
sys.exit(0)
else:
return "Error: %s" % (self.reason)

## Behave like an empty set
def __iter__(self):
Expand All @@ -107,7 +113,7 @@ def __bool__(self):
def __nonzero__(self):
return False

def __eq__(self):
def __eq__(self, other):
return False

## Make us subscriptable obj[j]
Expand All @@ -116,6 +122,9 @@ def __getitem__(self, item):

def __add__(self, x):
return self

def __call__(self, *arg, **kwargs):
return self

class InvalidType(Exception):
def __init__(self, typename=None):
Expand Down Expand Up @@ -144,7 +153,7 @@ def NewObject(theType, offset, vm, parent=None, profile=None, name=None, **kwarg
## If we cant instantiate the object here, we just error out:
if not vm.is_valid_address(offset):
return NoneObject("Invalid Address 0x%08X, instantiating %s from %s"\
% (offset, name, parent))
% (offset, name, parent), strict=profile.strict)

if theType in profile.types:
result = profile.types[theType](offset=offset, vm=vm, name=name,
Expand Down Expand Up @@ -185,12 +194,6 @@ def __sub__(self, other):
def __neg__(self):
return -self.v()

def __getattribute__(self, attr):
""" We use this to evaluate ourselves or dereference or
whatever
"""
return object.__getattribute__(self, attr)

def __eq__(self, other):
if isinstance(other, Object):
return (self.__class__ == other.__class__) and (self.offset == other.offset)
Expand Down Expand Up @@ -222,7 +225,7 @@ def is_valid(self):
return self.vm.is_valid_address(self.offset)

def dereference(self):
return NoneObject("Cant derenference %s" % self.name)
return NoneObject("Cant derenference %s" % self.name, self.profile.strict)

def dereference_as(self, derefType):
return NewObject(derefType, self.v(), \
Expand All @@ -237,7 +240,7 @@ def v(self):
def value(self):
""" Do the actual reading and decoding of this member
"""
return NoneObject("No value for %s" % self.name)
return NoneObject("No value for %s" % self.name, self.profile.strict)

def get_member_names(self):
return False
Expand Down Expand Up @@ -303,6 +306,12 @@ def __hex__(self):
def __str__(self):
return " [%s]: %s" % (self.theType, self.v())

def __and__(self, other):
return int(self) & other

def __mod__(self, other):
return int(self) % other

class Void(NativeType):
def __init__(self, theType, offset, vm, parent=None, profile=None,
format_string=None, **args):
Expand Down Expand Up @@ -338,7 +347,7 @@ def dereference(self):
profile=self.profile, name=self.name)
return result
else:
return NoneObject("Pointer %s invalid" % self.name)
return NoneObject("Pointer %s invalid" % self.name, self.profile.strict)

def cdecl(self):
return "Pointer %s" % self.v()
Expand Down Expand Up @@ -448,7 +457,8 @@ def next(self):
profile=self.profile, parent=self,
name="%s %s" % (self.name, self.position))
else:
return NoneObject("Array %s, Invalid position %s" % (self.name, self.position))
return NoneObject("Array %s, Invalid position %s" % (self.name, self.position),
self.profile.strict)

def __str__(self):
return "Array (len=%s of %s)\n" % (self.count, self.current.name)
Expand Down Expand Up @@ -476,7 +486,8 @@ def __getitem__(self, pos):
vm=self.vm, parent=self,
profile=self.profile)
else:
return NoneObject("Array %s invalid member %s" % (self.name, pos))
return NoneObject("Array %s invalid member %s" % (self.name, pos),
self.profile.strict)

class CType(Object):
""" A CType is an object which represents a c struct """
Expand Down Expand Up @@ -531,13 +542,8 @@ def m(self, attr):

def __getattribute__(self,attr):
try:
return Object.__getattribute__(self, "_"+attr)(attr)
except AttributeError,e:
pass

try:
return Object.__getattribute__(self, attr)
except AttributeError,e:
return object.__getattribute__(self, attr)
except AttributeError:
pass

result = self.m(attr)
Expand All @@ -551,9 +557,10 @@ class Profile:
system. We parse the abstract_types and join them with
native_types to make everything work together.
"""
def __init__(self, native_types=x86_native_types, abstract_types=types):
def __init__(self, native_types=x86_native_types, abstract_types=types, strict=False):
self.types = {}

self.strict = strict

# Load the native types
for nt, value in native_types.items():
if type(value)==list:
Expand Down
2 changes: 2 additions & 0 deletions src/plugins/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/win32/hive2.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -139,6 +139,8 @@ def vtop(self, vaddr):
# return Obj("_HMAP_ENTRY", table, self.base)

def read(self, vaddr, length, zero=False):
length = int(length)
vaddr = int(vaddr)
first_block = BLOCK_SIZE - vaddr % BLOCK_SIZE
full_blocks = ((length + (vaddr % BLOCK_SIZE)) / BLOCK_SIZE) - 1
left_over = (length + vaddr) % BLOCK_SIZE
Expand Down
47 changes: 19 additions & 28 deletions src/plugins/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/win32/rawreg.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -83,13 +83,12 @@ def open_key(root, key):
return None

def read_sklist(sk):
sub_list = []
if (sk.Signature == LH_SIG or
sk.Signature == LF_SIG):
return sk.List
if (sk.Signature.v() == LH_SIG or
sk.Signature.v() == LF_SIG):
for i in sk.List:
yield i

elif sk.Signature == RI_SIG:
l = []
elif sk.Signature.v() == RI_SIG:
for i in range(sk.Count):
# Read and dereference the pointer
ptr_off = sk.get_member_offset('List')+(i*4)
Expand All @@ -98,49 +97,41 @@ def read_sklist(sk):
if not self.vm.is_valid_address(ssk_off): continue

ssk = NewObject("_CM_KEY_INDEX", ssk_off, sk.vm, profile=sk.profile)
l += read_sklist(ssk)
return l
else:
return []

for i in read_sklist(ssk):
yield i

# Note: had to change SubKeyLists to be array of 2 pointers in vtypes.py
def subkeys(key):
if not key.is_valid(): return []
sub_list = []
if not key.is_valid(): return
if key.SubKeyCounts[0] > 0:
sk_off = key.SubKeyLists[0]
sk = NewObject("_CM_KEY_INDEX", sk_off, key.vm, profile=key.profile)
if not sk or not sk.is_valid():
pass
else:
tmp = read_sklist(sk)
for tmp in tmp:
sub_list.append(tmp.dereference())
for i in read_sklist(sk):
if i.Signature.v() == NK_SIG:
yield i

if key.SubKeyCounts[1] > 0:
sk_off = key.SubKeyLists[1]
sk = NewObject("_CM_KEY_INDEX", sk_off, key.vm, profile=key.profile)
if not sk or not sk.is_valid():
pass
else:
tmp = read_sklist(sk)
for tmp in tmp:
sub_list.append(tmp.dereference())

#sub_list = [s.value for s in sub_list]
return [ s for s in sub_list if
s and s.is_valid() and s.Signature == NK_SIG]
for i in read_sklist(sk):
if i and i.Signature.v() == NK_SIG:
yield i

def values(key):
return [ v for v in key.ValueList.List.dereference()
if v and v.is_valid() and
v.Signature == VK_SIG ]
if v.Signature.v() == VK_SIG ]

def key_flags(key):
return [ k for k in KEY_FLAGS if key.Flags & KEY_FLAGS[k] ]

def value_data(val):
valtype = VALUE_TYPES[val.Type]
valtype = VALUE_TYPES[val.Type.v()]
inline = val.DataLength & 0x80000000

if inline:
Expand All @@ -150,9 +141,9 @@ def value_data(val):

if (valtype == "REG_SZ" or valtype == "REG_EXPAND_SZ" or
valtype == "REG_LINK"):
valdata = valdata.decode('utf-16-le')
valdata = valdata.decode('utf-16-le',"ignore")
elif valtype == "REG_MULTI_SZ":
valdata = valdata.decode('utf-16-le').split('\0')
valdata = valdata.decode('utf-16-le',"ignore").split('\0')
elif valtype == "REG_DWORD":
valdata = unpack("<L", valdata)[0]
elif valtype == "REG_DWORD_BIG_ENDIAN":
Expand Down
2 changes: 1 addition & 1 deletion src/plugins/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/win32/regtypes.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@
'Dacl' : [ 0x10, ['unsigned long']],
} ],
'_CM_KEY_VALUE' : [ 0x18, {
'Signature' : [ 0x0, ['unsigned short']],
'Signature' : [ 0x0, ['String', dict(length=2)]],
'NameLength' : [ 0x2, ['unsigned short']],
'DataLength' : [ 0x4, ['unsigned long']],
'Data' : [ 0x8, ['unsigned long']],
Expand Down
4 changes: 4 additions & 0 deletions src/plugins/MemoryForensics/Volatility-1.3_Linux_rc.1/forensics/x86.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -118,6 +118,8 @@ def vtop(self, vaddr):
return retVal

def read(self, vaddr, length):
length = int(length)
vaddr = int(vaddr)
first_block = 0x1000 - vaddr % 0x1000
full_blocks = ((length + (vaddr % 0x1000)) / 0x1000) - 1
left_over = (length + vaddr) % 0x1000
Expand Down Expand Up @@ -314,6 +316,7 @@ def vtop(self, vaddr):
return retVal

def read(self, vaddr, length):
length = int(length)
first_block = 0x1000 - vaddr % 0x1000
full_blocks = ((length + (vaddr % 0x1000)) / 0x1000) - 1
left_over = (length + vaddr) % 0x1000
Expand Down Expand Up @@ -354,6 +357,7 @@ def read(self, vaddr, length):
return stuff_read

def zread(self, vaddr, length):
length=int(length)
first_block = 0x1000 - vaddr % 0x1000
full_blocks = ((length + (vaddr % 0x1000)) / 0x1000) - 1
left_over = (length + vaddr) % 0x1000
Expand Down

0 comments on commit 6850fb2

Please sign in to comment.