volatility.framework.automagic.pdbscan module¶

A module for scanning translation layers looking for Windows PDB records from loaded PE files.

This module contains a standalone scanner, and also a ScannerInterface based scanner for use within the framework by calling scan().

class KernelPDBScanner(context, config_path, *args, **kwargs)[source]¶

Bases: volatility.framework.interfaces.automagic.AutomagicInterface

Windows symbol loader based on PDB signatures.

An Automagic object that looks for all Intel translation layers and scans each of them for a pdb signature. When found, a search for a corresponding Intermediate Format data file is carried out and if found an appropriate symbol space is automatically loaded.

Once a specific kernel PDB signature has been found, a virtual address for the loaded kernel is determined by one of two methods. The first method assumes a specific mapping from the kernel’s physical address to its virtual address (typically the kernel is loaded at its physical location plus a specific offset). The second method searches for a particular structure that lists the kernel module’s virtual address, its size (not checked) and the module’s name. This value is then used if one was not found using the previous method.

Basic initializer that allows configurables to access their own config settings.

build_configuration()¶

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built Inheriting classes must override this to ensure any dependent classes update their configurations too

Return type: HierarchicalDict

check_kernel_offset(context, vlayer, address, progress_callback=None)[source]¶

Scans a virtual address.

Return type: Dict[str, Tuple[int, Dict[str, Union[bytes, str, int, None]]]]

property config¶

The Hierarchical configuration Dictionary for this Configurable object.

Return type: HierarchicalDict

property config_path¶

The configuration path on which this configurable lives.

Return type: str

property context¶

The context object that this configurable belongs to/configuration is stored in.

Return type: ContextInterface

determine_valid_kernels(context, potential_layers, progress_callback=None)[source]¶

Runs through the identified potential kernels and verifies their suitability.

This carries out a scan using the pdb_signature scanner on a physical layer. It uses the results of the scan to determine the virtual offset of the kernel. On early windows implementations there is a fixed mapping between the physical and virtual addresses of the kernel. On more recent versions a search is conducted for a structure that will identify the kernel’s virtual offset.

Parameters

context (ContextInterface) – Context on which to operate
potential_kernels – Dictionary containing GUID, age, pdb_name and mz_offset keys
progress_callback (Optional[Callable[[float, str], None]]) – Function taking a percentage and optional description to be called during expensive computations to indicate progress

Return type

Dict[str, Tuple[int, Dict[str, Union[bytes, str, int, None]]]]

Returns

A dictionary of valid kernels

download_pdb_isf(guid, age, pdb_name, progress_callback=None)[source]¶

Attempts to download the PDB file, convert it to an ISF file and save it to one of the symbol locations.

Return type: None

find_requirements(context, config_path, requirement_root, requirement_type, shortcut=True)¶

Determines if there is actually an unfulfilled Requirement waiting.

This ensures we do not carry out an expensive search when there is no need for a particular Requirement

Parameters

context (ContextInterface) – Context on which to operate
config_path (str) – Configuration path of the top-level requirement
requirement_root (RequirementInterface) – Top-level requirement whose subrequirements will all be searched
requirement_type (Union[Tuple[Type[RequirementInterface], …], Type[RequirementInterface]]) – Type of requirement to find
shortcut (bool) – Only returns requirements that live under unsatisfied requirements

Return type

List[Tuple[str, RequirementInterface]]

Returns

A list of tuples containing the config_path, sub_config_path and requirement identifying the unsatisfied Requirements

find_virtual_layers_from_req(context, config_path, requirement)[source]¶

Traverses the requirement tree, rooted at requirement looking for virtual layers that might contain a windows PDB.

Returns a list of possible layers

Parameters

context (ContextInterface) – The context in which the requirement lives
config_path (str) – The path within the context for the requirement’s configuration variables
requirement (RequirementInterface) – The root of the requirement tree to search for :class:~`volatility.framework.interfaces.layers.TranslationLayerRequirement` objects to scan
progress_callback – Means of providing the user with feedback during long processes

Return type

List[str]

Returns

A list of (layer_name, scan_results)

get_physical_layer_name(context, vlayer)[source]¶

classmethod get_requirements()¶

Returns a list of RequirementInterface objects required by this object.

Return type: List[RequirementInterface]

classmethod make_subconfig(context, base_config_path, **kwargs)¶

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters

context (ContextInterface) – The context in which to store the new configuration
base_config_path (str) – The base configuration path on which to build the new configuration
kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

max_pdb_size = 4194304¶

method_fixed_mapping(context, vlayer, progress_callback=None)[source]¶

Return type: Dict[str, Tuple[int, Dict[str, Union[bytes, str, int, None]]]]

method_kdbg_offset(context, vlayer, progress_callback=None)[source]¶

Return type: Dict[str, Tuple[int, Dict[str, Union[bytes, str, int, None]]]]

method_module_offset(context, vlayer, progress_callback=None)[source]¶

Method for finding a suitable kernel offset based on a module table.

Return type: Dict[str, Tuple[int, Dict[str, Union[bytes, str, int, None]]]]

methods = [<function KernelPDBScanner.method_kdbg_offset>, <function KernelPDBScanner.method_module_offset>, <function KernelPDBScanner.method_fixed_mapping>]¶

priority = 30¶

recurse_symbol_fulfiller(context, valid_kernels, progress_callback=None)[source]¶

Fulfills the SymbolTableRequirements in self._symbol_requirements found by the recurse_symbol_requirements.

This pass will construct any requirements that may need it in the context it was passed

Parameters

context (ContextInterface) – Context on which to operate
valid_kernels (Dict[str, Tuple[int, Dict[str, Union[bytes, str, int, None]]]]) – A list of offsets where valid kernels have been found

Return type

None

set_kernel_virtual_offset(context, valid_kernels)[source]¶

Traverses the requirement tree, looking for kernel_virtual_offset values that may need setting and sets it based on the previously identified valid_kernels.

Parameters

context (ContextInterface) – Context on which to operate and provide the kernel virtual offset
valid_kernels (Dict[str, Tuple[int, Dict[str, Union[bytes, str, int, None]]]]) – List of valid kernels and offsets

Return type

None

classmethod unsatisfied(context, config_path)¶

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet)

Return type: Dict[str, RequirementInterface]

class PdbSignatureScanner(pdb_names)[source]¶

Bases: volatility.framework.interfaces.layers.ScannerInterface

A ScannerInterface based scanner use to identify Windows PDB records.

Parameters: pdb_names (List[bytes]) – A list of bytestrings, used to match pdb signatures against the pdb names within the records.

Note

The pdb_names must be a list of byte strings, unicode strs will not match against the data scanned

property context¶

Return type: Optional[ContextInterface]

property layer_name¶

Return type: Optional[str]

overlap = 16384¶: The size of overlap needed for the signature to ensure data cannot hide between two scanned chunks

thread_safe = True¶: Determines whether the scanner accesses global variables in a thread safe manner (for use with multiprocessing)

scan(ctx, layer_name, page_size, progress_callback=None, start=None, end=None)[source]¶

Scans through layer_name at ctx looking for RSDS headers that indicate one of four common pdb kernel names (as listed in self.pdb_names) and returns the tuple (GUID, age, pdb_name, signature_offset, mz_offset)

Note

This is automagical and therefore not guaranteed to provide correct results.

The UI should always provide the user an opportunity to specify the appropriate types and PDB values themselves

Return type: Generator[Dict[str, Union[bytes, str, int, None]], None, None]