
Windows: Add filtering by type to handles.
This change adds the '--types' option to the windows.handles plugin,
whereby a user may specify one or more types of handles to filter the
output by.  Any handles not of the type(s) specified are not returned.
Specified types are treated as case-insensitive.

Because the object type index map is generated dynamically,
user-supplied types are not validated against the map of possible object
types.  For example, a user-supplied type of value "Foo" does not raise
an error and will simply return no results.
Alan Johnson committed Feb 5, 2024
1 parent fdf93f5 commit 7ef1aa6
Showing 1 changed file with 11 additions and 0 deletions.
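--- a/volatility3/framework/plugins/windows/handles.py
+++ b/volatility3/framework/plugins/windows/handles.py
@@ -52,6 +52,12 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
 requirements.PluginRequirement(
 name="pslist", plugin=pslist.PsList, version=(2, 0, 0)
 ),
+requirements.ListRequirement(
+name="types",
+element_type=str,
+description="Types of handles to include (all other handle types are excluded)",
+optional=True,
+),
 ]
 
 def _decode_pointer(self, value, magic):
@@ -349,6 +355,8 @@ def _generator(self, procs):
 symbol_table=kernel.symbol_table_name,
 )
 
+object_types = [s.lower() for s in self.config.get("types", [])]
+
 cookie = self.find_cookie(
 context=self.context,
 layer_name=kernel.layer_name,
@@ -372,6 +380,9 @@ def _generator(self, procs):
 obj_type = entry.get_object_type(type_map, cookie)
 if obj_type is None:
 continue
+elif object_types and obj_type.lower() not in object_types:
+continue
+
 if obj_type == "File":
 item = entry.Body.cast("_FILE_OBJECT")
 obj_name = item.file_name_with_device()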
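Review bot: The filter added in the third hunk fails silently when none of the requested names match a real object type, so a misspelled `--types` value yields an empty listing that an analyst cannot distinguish from a process that genuinely holds no such handles; the commit message accepts this, but a one-time warning would cost little. If `type_map` maps indices to type names, as `entry.get_object_type(type_map, cookie)` suggests, the requested names can be compared once against those values right after `object_types` is built in the second hunk and any unknown ones reported through the module logger — that is an inference, since the shape of `type_map` is not visible in these hunks. On style, `elif` after a branch that ends in `continue` is a dangling chain; `if object_types and obj_type.lower() not in object_types:` reads the same, and `object_types` is only used for membership, so `object_types = {s.lower() for s in self.config.get("types", [])}` is the more natural container. `_generator` starts and ends outside these hunks.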

