Add fix for missing cookie value when using a Windows 10 profile

Oliver Old · web-flow · commit a55be9c1496a · 2020-06-30T20:01:22.000+02:00
Use YARA and the DiscontigYaraScanner from malfind to find the address of nt!ObGetObjectType. This fix only applies to 64-bit profiles since I don't have the signature for 32-bit Windows.
diff --git a/volatility/plugins/overlays/windows/win10.py b/volatility/plugins/overlays/windows/win10.py
@@ -39,6 +39,13 @@
 except ImportError:
     has_distorm = False
 
+try:
+    import yara
+    import volatility.plugins.malware.malfind as malfind
+    has_yara = True
+except ImportError:
+    has_yara = False
+
 class _HMAP_ENTRY(obj.CType):
 
     @property
@@ -212,10 +219,28 @@ def findcookie(self, kernel_space):
             debug.warning("Cannot find NT module")
             return False
 
+        model = meta.get("memory_model")
+
         addr = nt_mod.getprocaddress("ObGetObjectType")
         if addr == None:
-            debug.warning("Cannot find nt!ObGetObjectType")
-            return False 
+            if not has_yara or model == "32bit":
+                debug.warning("Cannot find nt!ObGetObjectType")
+                return False
+            # Did not find nt!ObGetObjectType, trying with YARA instead.
+            # TODO: Need signature for 32-bit.
+            s = "48 8D 41 D0 0F B6 49 E8"
+            rules = yara.compile(sources = {
+                'n': 'rule r1 {strings: $a = {' + s + '} condition: $a}'
+            })
+            scanner = malfind.DiscontigYaraScanner(
+                address_space = kernel_space,
+                rules = rules)
+            first_match = next(scanner.scan(), None)
+            if not first_match:
+                debug.warning("Cannot find nt!ObGetObjectType")
+                return False
+            _, addr = first_match
+            addr -= nt_mod.DllBase
 
         # produce an absolute address by adding the DLL base to the RVA 
         addr += nt_mod.DllBase 
@@ -224,7 +249,6 @@ def findcookie(self, kernel_space):
             return False 
 
         # in theory...but so far we haven't tested 32-bits 
-        model = meta.get("memory_model")    
         if model == "32bit":
             mode = distorm3.Decode32Bits
         else:
@@ -1120,4 +1144,4 @@ class Win10x64_18362(obj.Profile):
     _md_minor = 4
     _md_build = 18362
     _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x64_18362_vtypes'
-    _md_product = ["NtProductWinNt"]
+    _md_product = ["NtProductWinNt"]
