
Commit 2db50c1

committed
Updated fixes after internal review. Allows windows.dlllist to report back DLLs from wow64 processes.
1 parent 283c370 commit 2db50c1


1 file changed

+31
-42
lines changed

1 file changed

+31
-42
lines changed

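--- a/volatility3/framework/symbols/windows/extensions/__init__.py
+++ b/volatility3/framework/symbols/windows/extensions/__init__.py
@@ -759,13 +759,13 @@ def get_peb32(self) -> interfaces.objects.ObjectInterface:
 
         # Determine if process is running under WOW64.
         if self.get_is_wow64():
-            peb32 = self.get_wow_64_process()
+            proc = self.get_wow_64_process()
         else:
             return None
         # Confirm WoW64Process points to a valid process address
-        if not proc_layer.is_valid(peb32):
+        if not proc_layer.is_valid(proc):
             raise exceptions.InvalidAddressException(
-                proc_layer_name, peb32, f"Invalid Wow64Process address at {self.Peb:0x}"
+                proc_layer_name, proc, f"Invalid Wow64Process address at {self.Peb:0x}"
             )
 
         # Leverage the context of existing symbol table to help configure
@@ -785,50 +785,41 @@ def get_peb32(self) -> interfaces.objects.ObjectInterface:
         if self._context.symbol_space.has_type(
             sym_table + constants.BANG + "_EWOW64PROCESS"
         ):
-            peb32 = self._context.object(
-                f"{self._32bit_table_name}{constants.BANG}_PEB32",
-                layer_name=proc_layer_name,
-                offset=peb32.Peb,
-            )
-            return peb32
+            offset=proc.Peb
 
         # vista sp0-sp1 and 2003 sp1-sp2
         elif self._context.symbol_space.has_type(
             sym_table + constants.BANG + "_WOW64_PROCESS"
         ):
-            peb32 = self._context.object(
-                f"{self._32bit_table_name}{constants.BANG}_PEB32",
-                layer_name=proc_layer_name,
-                offset=peb32.Wow64,
-            )
-            return peb32
+            offset=proc.Wow64
 
         else:
-            peb32 = self._context.object(
-                f"{self._32bit_table_name}{constants.BANG}_PEB32",
-                layer_name=proc_layer_name,
-                offset=peb32,
-            )
-            return peb32
+            offset=proc
+
+        peb32 = self._context.object(
+            f"{self._32bit_table_name}{constants.BANG}_PEB32",
+            layer_name=proc_layer_name,
+            offset=offset,
+        )
+        return peb32
 
     def load_order_modules(self) -> Iterable[interfaces.objects.ObjectInterface]:
         """Generator for DLLs in the order that they were loaded."""
         try:
             pebs = [
-                [self.get_peb(), "_LDR_DATA_TABLE_ENTRY"],
-                [self.get_peb32(), "_LDR_DATA_TABLE_ENTRY"],
+                self.get_peb(), self.get_peb32(),
             ]
-            for peb, table_name in pebs:
-                if peb != None:
+            for peb in pebs:
+                if peb:
                     sym_table = self.get_symbol_table_name()
                     if peb.Ldr.vol.type_name.endswith("unsigned long"):
-                        Ldr_data = self._context.symbol_space.get_type(
+                        ldr_data = self._context.symbol_space.get_type(
                             self._32bit_table_name + constants.BANG + "_PEB_LDR_DATA"
                         )
-                        peb.Ldr = peb.Ldr.cast("pointer", subtype=Ldr_data)
+                        peb.Ldr = peb.Ldr.cast("pointer", subtype=ldr_data)
                         sym_table = self._32bit_table_name
                     for entry in peb.Ldr.InLoadOrderModuleList.to_list(
-                        f"{sym_table}{constants.BANG}" + table_name,
+                        f"{sym_table}{constants.BANG}" + "_LDR_DATA_TABLE_ENTRY",
                         "InLoadOrderLinks",
                     ):
                         yield entry
@@ -840,20 +831,19 @@ def init_order_modules(self) -> Iterable[interfaces.objects.ObjectInterface]:
 
         try:
             pebs = [
-                [self.get_peb(), "_LDR_DATA_TABLE_ENTRY"],
-                [self.get_peb32(), "_LDR_DATA_TABLE_ENTRY"],
+                self.get_peb(), self.get_peb32(),
             ]
-            for peb, table_name in pebs:
-                if peb != None:
+            for peb in pebs:
+                if peb:
                     sym_table = self.get_symbol_table_name()
                     if peb.Ldr.vol.type_name.endswith("unsigned long"):
-                        Ldr_data = self._context.symbol_space.get_type(
+                        ldr_data = self._context.symbol_space.get_type(
                             self._32bit_table_name + constants.BANG + "_PEB_LDR_DATA"
                         )
-                        peb.Ldr = peb.Ldr.cast("pointer", subtype=Ldr_data)
+                        peb.Ldr = peb.Ldr.cast("pointer", subtype=ldr_data)
                         sym_table = self._32bit_table_name
                     for entry in peb.Ldr.InInitializationOrderModuleList.to_list(
-                        f"{sym_table}{constants.BANG}" + table_name,
+                        f"{sym_table}{constants.BANG}" + "_LDR_DATA_TABLE_ENTRY",
                         "InInitializationOrderLinks",
                     ):
                         yield entry
@@ -864,20 +854,19 @@ def mem_order_modules(self) -> Iterable[interfaces.objects.ObjectInterface]:
         """Generator for DLLs in the order that they appear in memory"""
         try:
             pebs = [
-                [self.get_peb(), "_LDR_DATA_TABLE_ENTRY"],
-                [self.get_peb32(), "_LDR_DATA_TABLE_ENTRY"],
+                self.get_peb(), self.get_peb32(),
             ]
-            for peb, table_name in pebs:
-                if peb != None:
+            for peb in pebs:
+                if peb:
                     sym_table = self.get_symbol_table_name()
                     if peb.Ldr.vol.type_name.endswith("unsigned long"):
-                        Ldr_data = self._context.symbol_space.get_type(
+                        ldr_data = self._context.symbol_space.get_type(
                             self._32bit_table_name + constants.BANG + "_PEB_LDR_DATA"
                         )
-                        peb.Ldr = peb.Ldr.cast("pointer", subtype=Ldr_data)
+                        peb.Ldr = peb.Ldr.cast("pointer", subtype=ldr_data)
                         sym_table = self._32bit_table_name
                     for entry in peb.Ldr.InMemoryOrderModuleList.to_list(
-                        f"{sym_table}{constants.BANG}" + table_name,
+                        f"{sym_table}{constants.BANG}" + "_LDR_DATA_TABLE_ENTRY",
                         "InMemoryOrderLinks",
                     ):
                         yield entry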
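Review bot: The InvalidAddressException raised in get_peb32 (new line 768 of the first hunk) passes `proc` as the offending address but formats `self.Peb` into its message, so the diagnostic names a different address than the one that failed `proc_layer.is_valid`; `proc_layer_name, proc, f"Invalid Wow64Process address at {proc:0x}"` keeps the two consistent, assuming `proc` formats as an int, which its later use as `offset=proc` suggests. In load_order_modules, init_order_modules and mem_order_modules, replacing `if peb != None:` with `if peb:` makes the check depend on the truthiness of the returned PEB object rather than on it being None; if that object type defines `__bool__` or `__len__` such that a valid PEB can test false, a process's module list would be silently skipped, so `if peb is not None:` is the safer spelling. The same PEB-list resolution and 32-bit Ldr recast block is now repeated verbatim in all three generators and could be one private helper yielding `(peb, sym_table)` pairs. The `except` clauses that pair with the visible `try:` blocks, and the remainder of get_peb32 before line 759, lie outside the hunks.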
