
# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0
# which is available at

import datetime
from typing import Iterable

from volatility.framework import renderers, exceptions, interfaces
from volatility.framework.configuration import requirements
from volatility.framework.renderers import format_hints
from volatility.plugins import timeliner
from import poolscanner

class SymlinkScan(interfaces.plugins.PluginInterface, timeliner.TimeLinerInterface):
    """Scans for links present in a particular windows memory image.

    Every symbolic-link object handed back by ``scan_symlinks`` is reported as
    one row: pool offset, creation time, link name and link target.  The same
    rows are re-exposed through the timeliner interface as CREATED events.

    NOTE(review): everything in those rows (names, target, timestamp) is read
    straight out of the image under analysis.  Treat it as untrusted evidence
    that a tampered or hostile image can forge, not as ground truth.

    NOTE(review): ``scan_symlinks`` is called below but is not part of this
    listing; presumably it is the pool-scanner-backed classmethod this plugin
    relies on -- confirm against the full source before editing.
    """

    @classmethod
    def get_requirements(cls):
        """Declare the plugin's configuration requirements.

        Returns:
            A list holding the kernel translation layer (``primary``, restricted
            to Intel32/Intel64) followed by the Windows kernel symbol table
            (``nt_symbols``).
        """
        kernel_layer = requirements.TranslationLayerRequirement(
            name = 'primary',
            description = 'Memory layer for the kernel',
            architectures = ["Intel32", "Intel64"])
        kernel_symbols = requirements.SymbolTableRequirement(
            name = "nt_symbols",
            description = "Windows kernel symbols")
        return [kernel_layer, kernel_symbols]

    @staticmethod
    def _link_names(link):
        """Return ``(from_name, to_name)`` for *link*, or ``None`` if unreadable.

        The link name is read first, then the target string.  Either read may
        touch memory that is paged out or otherwise invalid; such a link is
        reported as ``None`` so the caller can skip it and keep scanning.
        """
        try:
            from_name = link.get_link_name()
        except exceptions.InvalidAddressException:
            return None
        try:
            to_name = link.LinkTarget.String
        except exceptions.InvalidAddressException:
            return None
        return from_name, to_name

    def _generator(self):
        """Yield one TreeGrid row per readable symbolic link.

        Each row is ``(0, (offset, create_time, from_name, to_name))``; the
        depth is always 0 because the output is flat.  Links whose name or
        target cannot be read are skipped rather than aborting the scan.
        Note that ``get_create_time()`` is deliberately *not* guarded, matching
        the original behaviour.
        """
        links = self.scan_symlinks(self.context, self.config['primary'], self.config['nt_symbols'])
        for link in links:
            names = self._link_names(link)
            if names is None:
                continue
            from_name, to_name = names
            offset = format_hints.Hex(link.vol.offset)
            yield (0, (offset, link.get_create_time(), from_name, to_name))

    def generate_timeline(self):
        """Adapt ``_generator`` rows to the timeliner interface.

        Yields ``(description, TimeLinerType.CREATED, create_time)`` where the
        description reads ``"Symlink: <from_name> -> <to_name>"``.
        """
        for _depth, (_offset, created, from_name, to_name) in self._generator():
            description = "Symlink: {0} -> {1}".format(from_name, to_name)
            yield (description, timeliner.TimeLinerType.CREATED, created)

    def run(self):
        """Build the plugin's output grid.

        Returns:
            A ``TreeGrid`` with columns Offset (hex), CreateTime (datetime),
            From Name and To Name (str), fed lazily by ``_generator``.
        """
        columns = [
            ("Offset", format_hints.Hex),
            ("CreateTime", datetime.datetime),
            ("From Name", str),
            ("To Name", str),
        ]
        return renderers.TreeGrid(columns, self._generator())