Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Windows psscan issue 591 - Fix offsets when --physical is used #1215

Open
wants to merge 5 commits into
base: develop
Choose a base branch
from
+53 −31
Open

Windows psscan issue 591 - Fix offsets when --physical is used #1215

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
ebf3b8a
Windows: update windows.pslist to display phy addrs when requested on…
eve-mem Dec 20, 2023
a8c561d
Merge branch 'volatilityfoundation:develop' into windows_psscan_issue…
eve-mem Dec 20, 2023
3b536c4
Merge branch 'volatilityfoundation:develop' into windows_psscan_issue…
eve-mem Jan 8, 2024
bd96f8d
Windows: update windows.pslist to display phy addrs when requested on…
eve-mem Dec 20, 2023
1ef04f5
Merge branch 'windows_psscan_issue_591' of github.com:eve-mem/volatil…
eve-mem Jul 25, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 53 additions & 31 deletions volatility3/framework/plugins/windows/psscan.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -261,40 +261,62 @@
filter_func=pslist.PsList.create_pid_filter(self.config.get("pid", None)),
):
file_output = "Disabled"
if self.config["dump"]:
# windows 10 objects (maybe others in the future) are already in virtual memory
if proc.vol.layer_name == kernel.layer_name:
vproc = proc

# windows 10 objects (maybe others in the future) are already in virtual memory
# if the proc is built on the same layer as the kernel then it is already
# in 'virtual' memory.
if proc.vol.layer_name == kernel.layer_name:
# proc is already in a virtual mem, so a new object is not needed. it means
# that if physical addresses are requested in the output then proc.vol.offset
# cannot be used because it will be virtual, so the mapping is needed.
vproc = proc
if self.config["physical"]:
# the display should be physical addresses, so proc cannot be used. The
# mappings are needed to find where it would be physically.
offset = (_, _, offset, _, _) = list(

Check warning

Code scanning / CodeQL

Variable defined multiple times Warning

This assignment to 'offset' is unnecessary as it is
redefined
Loading
before this value is used.
memory.mapping(offset=proc.vol.offset, length=0)
)[0]
else:
try:
vproc = self.virtual_process_from_physical(
self.context,
kernel.layer_name,
kernel.symbol_table_name,
proc,
)
except exceptions.PagedInvalidAddressException:
vproc = None
# the display should be virtual addresses, so proc can be used
offset = proc.vol.offset

file_output = "Error outputting file"
if vproc:
file_handle = pslist.PsList.process_dump(
self.context,
kernel.symbol_table_name,
pe_table_name,
vproc,
self.open,
)
# renderers.UnreadableValue()
else:
# proc is in virtual mem, so a new object needs to be creatd.
vproc = self.virtual_process_from_physical(
self.context, kernel.layer_name, kernel.symbol_table_name, proc
)
if self.config["physical"]:
# the display should be physical addresses, so proc can be used
# as it is
offset = proc.vol.offset
else:
# the display should be virtual address, so vproc should be used
# however virtual_process_from_physical is not always able to create
# a vproc, in that case we need to display a UnreadableValue()
if vproc is not None:
offset = vproc.vol.offset
else:
offset = renderers.UnreadableValue()

if file_handle:
file_output = file_handle.preferred_filename
if self.config["dump"]:
file_handle = pslist.PsList.process_dump(
self.context,
kernel.symbol_table_name,
pe_table_name,
vproc,
self.open,
)
file_output = "Error outputting file"
if file_handle:
file_output = file_handle.preferred_filename

if not self.config["physical"]:
offset = proc.vol.offset
else:
(_, _, offset, _, _) = list(
memory.mapping(offset=proc.vol.offset, length=0)
)[0]
# format offset for display, but catch errors when UnreadableValue
# cannot be formatted
try:
display_offset = format_hints.Hex(offset)
except TypeError:
display_offset = offset

try:
yield (
Expand All @@ -307,7 +329,7 @@
max_length=proc.ImageFileName.vol.count,
errors="replace",
),
format_hints.Hex(offset),
display_offset,
proc.ActiveThreads,
proc.get_handle_count(),
proc.get_session_id(),
Expand Down
Loading