

Windows: update windows.pslist to display phy addrs when requested on…
… older samples
eve-mem committed Dec 20, 2023
1 parent a08b780 commit ebf3b8a
Showing 1 changed file with 44 additions and 14 deletions.
58 changes: 44 additions & 14 deletions volatility3/framework/plugins/windows/psscan.py
Expand Up @@ -192,15 +192,45 @@ def _generator(self):
filter_func=pslist.PsList.create_pid_filter(self.config.get("pid", None)),
):
file_output = "Disabled"
if self.config["dump"]:
# windows 10 objects (maybe others in the future) are already in virtual memory
if proc.vol.layer_name == kernel.layer_name:
vproc = proc

# windows 10 objects (maybe others in the future) are already in virtual memory
# if the proc is built on the same layer as the kernel then it is already
# in 'virtual' memory.
if proc.vol.layer_name == kernel.layer_name:
# proc is already in a virtual mem, so a new object is not needed. it means
# that if physical addresses are requested in the output then proc.vol.offset
# cannot be used because it will be virtual, so the mapping is needed.
vproc = proc
if self.config["physical"]:
# the display should be physical addresses, so proc cannot be used. The
# mappings are needed to find where it would be physically.
offset = (_, _, offset, _, _) = list(
memory.mapping(offset=proc.vol.offset, length=0)
)[0]
else:
vproc = self.virtual_process_from_physical(
self.context, kernel.layer_name, kernel.symbol_table_name, proc
)
# the display should be virtual addresses, so proc can be used
offset = proc.vol.offset

# renderers.UnreadableValue()
else:
# proc is in virtual mem, so a new object needs to be creatd.
vproc = self.virtual_process_from_physical(
self.context, kernel.layer_name, kernel.symbol_table_name, proc
)
if self.config["physical"]:
# the display should be physical addresses, so proc can be used
# as it is
offset = proc.vol.offset
else:
# the display should be virtual address, so vproc should be used
# however virtual_process_from_physical is not always able to create
# a vproc, in that case we need to display a UnreadableValue()
if vproc is not None:
offset = vproc.vol.offset
else:
offset = renderers.UnreadableValue()

if self.config["dump"]:
file_handle = pslist.PsList.process_dump(
self.context,
kernel.symbol_table_name,
Expand All @@ -212,12 +242,12 @@ def _generator(self):
if file_handle:
file_output = file_handle.preferred_filename

if not self.config["physical"]:
offset = proc.vol.offset
else:
(_, _, offset, _, _) = list(
memory.mapping(offset=proc.vol.offset, length=0)
)[0]
# format offset for display, but catch errors when UnreadableValue


ikelos Jul 14, 2024


This is a little surprising? I'd expect format_hints.Hex to be able to handle BaseAbsentValues but seemingly it can't (it's just a call to int() essentially) so this works...

I wonder how we've dealt with this elsewhere, or perhaps we don't bother outputting virtual addresses for things we have physically?

# cannot be formatted
try:
display_offset = format_hints.Hex(offset)
except TypeError:
display_offset = offset

try:
yield (
Expand All @@ -230,7 +260,7 @@ def _generator(self):
max_length=proc.ImageFileName.vol.count,
errors="replace",
),
format_hints.Hex(offset),
display_offset,
proc.ActiveThreads,
proc.get_handle_count(),
proc.get_session_id(),
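Review bot: The chained assignment `offset = (_, _, offset, _, _) = list(memory.mapping(offset=proc.vol.offset, length=0))[0]` in the same-layer, physical-output branch is misleading: the whole mapping tuple is first bound to `offset` and then immediately overwritten by the unpacking, so it only yields the right value because Python assigns chained targets left to right. The leading `offset =` should go, matching the form used by the removed lines in the second hunk: `(_, _, offset, _, _) = list(memory.mapping(offset=proc.vol.offset, length=0))[0]`. The trailing `[0]` also raises IndexError if the mapping yields nothing, whereas the other branch degrades to `renderers.UnreadableValue()` when no virtual process can be built; if an empty mapping is possible here, `mapped = next(iter(memory.mapping(offset=proc.vol.offset, length=0)), None)` followed by `offset = mapped[2] if mapped is not None else renderers.UnreadableValue()` would keep both paths consistent with the display fallback added below. The stray `# renderers.UnreadableValue()` comment line (if it is on the new side) and the `creatd` typo in the new comment look like leftovers worth cleaning up. `_generator` begins and ends outside this section, so the handling of a `None` vproc by the dump call cannot be checked from here.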
