
Commit 0dd082b

author
Dave Lassalle
committed
#816 initial PR comment fixes
1 parent ece2dbe commit 0dd082b

14 files changed

+111
-427
lines changed

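--- a/volatility3/framework/plugins/windows/cmdscan.py
+++ b/volatility3/framework/plugins/windows/cmdscan.py
@@ -61,7 +61,7 @@ def get_filtered_vads(
 cls,
 conhost_proc: interfaces.context.ContextInterface,
 size_filter: Optional[int] = 0x40000000,
-) -> List[Tuple[int, int]]:
+) -> Generator[Tuple[int, int], None, None]:
 """
 Returns vads of a process with size smaller than size_filter
 
@@ -73,20 +73,17 @@ def get_filtered_vads(
 vad_base: the base address
 vad_size: the size of the VAD
 """
-vads = []
 for vad in conhost_proc.get_vad_root().traverse():
 base = vad.get_start()
 if vad.get_size() < size_filter:
-vads.append((base, vad.get_size()))
-
-return vads
+yield (base, vad.get_size())
 
 @classmethod
 def get_command_history(
 cls,
 context: interfaces.context.ContextInterface,
 kernel_layer_name: str,
-kernel_table_name: str,
+kernel_symbol_table_name: str,
 config_path: str,
 procs: Generator[interfaces.objects.ObjectInterface, None, None],
 max_history: Set[int],
@@ -100,7 +97,7 @@ def get_command_history(
 Args:
 context: The context to retrieve required elements (layers, symbol tables) from
 kernel_layer_name: The name of the layer on which to operate
-kernel_table_name: The name of the table containing the kernel symbols
+kernel_symbol_table_name: The name of the table containing the kernel symbols
 config_path: The config path where to find symbol files
 procs: list of process objects
 max_history: an initial set of CommandHistorySize values
@@ -138,7 +135,7 @@ def get_command_history(
 conhost_symbol_table = consoles.Consoles.create_conhost_symbol_table(
 context,
 kernel_layer_name,
-kernel_table_name,
+kernel_symbol_table_name,
 config_path,
 proc_layer_name,
 conhostexe_base,
@@ -147,6 +144,9 @@ def get_command_history(
 conhost_module = context.module(
 conhost_symbol_table, proc_layer_name, offset=conhostexe_base
 )
+command_count_max_offset = conhost_module.get_type(
+"_COMMAND_HISTORY"
+).relative_child_offset("CommandCountMax")
 
 sections = cls.get_filtered_vads(conhost_proc)
 found_history_for_proc = False
@@ -161,15 +161,13 @@ def get_command_history(
 scanners.BytesScanner(max_history_bytes),
 sections=sections,
 ):
+command_history = None
 command_history_properties = []
 
 try:
 command_history = conhost_module.object(
 "_COMMAND_HISTORY",
-offset=address
-- conhost_module.get_type(
-"_COMMAND_HISTORY"
-).relative_child_offset("CommandCountMax"),
+offset=address - command_count_max_offset,
 absolute=True,
 )
 
@@ -184,21 +182,21 @@ def get_command_history(
 "level": 0,
 "name": "_COMMAND_HISTORY",
 "address": command_history.vol.offset,
-"data": "",
+"data": None,
 }
 )
 command_history_properties.append(
 {
 "level": 1,
-"name": f"_COMMAND_HISTORY.Application",
+"name": "_COMMAND_HISTORY.Application",
 "address": command_history.Application.vol.offset,
 "data": command_history.get_application(),
 }
 )
 command_history_properties.append(
 {
 "level": 1,
-"name": f"_COMMAND_HISTORY.ProcessHandle",
+"name": "_COMMAND_HISTORY.ProcessHandle",
 "address": command_history.ConsoleProcessHandle.ProcessHandle.vol.offset,
 "data": hex(
 command_history.ConsoleProcessHandle.ProcessHandle
@@ -208,23 +206,23 @@ def get_command_history(
 command_history_properties.append(
 {
 "level": 1,
-"name": f"_COMMAND_HISTORY.CommandCount",
+"name": "_COMMAND_HISTORY.CommandCount",
 "address": None,
 "data": command_history.CommandCount,
 }
 )
 command_history_properties.append(
 {
 "level": 1,
-"name": f"_COMMAND_HISTORY.LastDisplayed",
+"name": "_COMMAND_HISTORY.LastDisplayed",
 "address": command_history.LastDisplayed.vol.offset,
 "data": command_history.LastDisplayed,
 }
 )
 command_history_properties.append(
 {
 "level": 1,
-"name": f"_COMMAND_HISTORY.CommandCountMax",
+"name": "_COMMAND_HISTORY.CommandCountMax",
 "address": command_history.CommandCountMax.vol.offset,
 "data": command_history.CommandCountMax,
 }
@@ -233,7 +231,7 @@ def get_command_history(
 command_history_properties.append(
 {
 "level": 1,
-"name": f"_COMMAND_HISTORY.CommandBucket",
+"name": "_COMMAND_HISTORY.CommandBucket",
 "address": command_history.CommandBucket.vol.offset,
 "data": "",
 }
@@ -248,7 +246,7 @@ def get_command_history(
 "level": 2,
 "name": f"_COMMAND_HISTORY.CommandBucket_Command_{cmd_index}",
 "address": bucket_cmd.vol.offset,
-"data": bucket_cmd.get_command(),
+"data": bucket_cmd.get_command_string(),
 }
 )
 except Exception as e:
@@ -264,6 +262,9 @@ def get_command_history(
 found_history_for_proc = True
 yield conhost_proc, command_history, command_history_properties
 
+# if found_history_for_proc is still False, then none of the scanned locations found
+# a valid _COMMAND_HISTORY for the process, so yield the process and some empty data
+# so the process can at least be reported that it was found with no history
 if not found_history_for_proc:
 yield conhost_proc, command_history or None, []
 
@@ -349,7 +350,7 @@ def _generator(
 if proc is None:
 vollog.warn("No conhost.exe processes found.")
 
-def _conhost_proc_filter(self, proc):
+def _conhost_proc_filter(self, proc: interfaces.objects.ObjectInterface):
 """
 Used to filter to only conhost.exe processes
 """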
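Review bot: The fallback `yield conhost_proc, command_history or None, []` after the scan loop still reads `command_history`, but the new `command_history = None` reset sits inside the loop body, so when the scanner produces no hits at all the name is unbound at that point unless it is initialised before the loop in lines this hunk does not show. Initialising it next to `found_history_for_proc = False` and making the no-history case explicit, `yield conhost_proc, None, []`, removes the dependence on whatever the last failed iteration left behind. `get_filtered_vads` now returns a one-shot generator; `sections` is handed straight to the scanner here, which is fine as long as nothing iterates it a second time. For consistency with consoles.py in the same commit, `_conhost_proc_filter` here could also carry the `-> bool` return annotation added there. `get_command_history` starts before and ends after the visible hunks.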

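--- a/volatility3/framework/plugins/windows/consoles.py
+++ b/volatility3/framework/plugins/windows/consoles.py
@@ -209,7 +209,7 @@ def determine_conhost_version(
 (10, 0, 20348, 2520): "consoles-win10-20348-2461-x64",
 (10, 0, 22000, 0): "consoles-win10-22000-x64",
 (10, 0, 22621, 1): "consoles-win10-22621-x64",
-(10, 0, 22621, 3672): "consoles-win10-22621-3672-x64",
+(10, 0, 22621, 3527): "consoles-win10-22621-3527-x64",
 (10, 0, 25398, 0): "consoles-win10-22000-x64",
 }
 
@@ -706,7 +706,7 @@ def get_console_info(
 "level": 3,
 "name": f"_CONSOLE_INFORMATION.HistoryList.CommandHistory_{index}_Command_{cmd_index}",
 "address": bucket_cmd.vol.offset,
-"data": bucket_cmd.get_command(),
+"data": bucket_cmd.get_command_string(),
 }
 )
 except Exception as e:
@@ -918,7 +918,7 @@ def _generator(
 if proc is None:
 vollog.warn("No conhost.exe processes found.")
 
-def _conhost_proc_filter(self, proc):
+def _conhost_proc_filter(self, proc: interfaces.objects.ObjectInterface) -> bool:
 """
 Used to filter to only conhost.exe processes
 """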
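Review bot: The version-table entry now maps `(10, 0, 22621, 3527)` to `"consoles-win10-22621-3527-x64"`, so a symbol file with that stem presumably has to exist under the consoles symbol directory for that build to resolve at runtime; only seven of the fourteen changed files are visible on this page, so I cannot confirm the matching rename is part of the commit. A one-line comment above the table would help whoever adds the next entry, for example `# (major, minor, build, revision) of conhost.exe -> symbol file stem (no .json)`, assuming the tuple is the conhost.exe file version as the function name suggests. `determine_conhost_version` and `get_console_info` both extend beyond their hunks.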

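--- a/volatility3/framework/symbols/windows/consoles/consoles-win10-17763-3232-x64.json
+++ b/volatility3/framework/symbols/windows/consoles/consoles-win10-17763-3232-x64.json
@@ -632,14 +632,14 @@
 "Source": {
 "type": {
 "kind": "struct",
-"name": "_ALIAS_STRING"
+"name": "_COMMAND"
 },
 "offset": 16
 },
 "Target": {
 "type": {
 "kind": "struct",
-"name": "_ALIAS_STRING"
+"name": "_COMMAND"
 },
 "offset": 48
 }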

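--- a/volatility3/framework/symbols/windows/consoles/consoles-win10-17763-x64.json
+++ b/volatility3/framework/symbols/windows/consoles/consoles-win10-17763-x64.json
@@ -632,14 +632,14 @@
 "Source": {
 "type": {
 "kind": "struct",
-"name": "_ALIAS_STRING"
+"name": "_COMMAND"
 },
 "offset": 16
 },
 "Target": {
 "type": {
 "kind": "struct",
-"name": "_ALIAS_STRING"
+"name": "_COMMAND"
 },
 "offset": 48
 }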

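--- a/volatility3/framework/symbols/windows/consoles/consoles-win10-18362-x64.json
+++ b/volatility3/framework/symbols/windows/consoles/consoles-win10-18362-x64.json
@@ -622,14 +622,14 @@
 "Source": {
 "type": {
 "kind": "struct",
-"name": "_ALIAS_STRING"
+"name": "_COMMAND"
 },
 "offset": 16
 },
 "Target": {
 "type": {
 "kind": "struct",
-"name": "_ALIAS_STRING"
+"name": "_COMMAND"
 },
 "offset": 48
 }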

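--- a/volatility3/framework/symbols/windows/consoles/consoles-win10-19041-x64.json
+++ b/volatility3/framework/symbols/windows/consoles/consoles-win10-19041-x64.json
@@ -622,14 +622,14 @@
 "Source": {
 "type": {
 "kind": "struct",
-"name": "_ALIAS_STRING"
+"name": "_COMMAND"
 },
 "offset": 16
 },
 "Target": {
 "type": {
 "kind": "struct",
-"name": "_ALIAS_STRING"
+"name": "_COMMAND"
 },
 "offset": 48
 }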

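--- a/volatility3/framework/symbols/windows/consoles/consoles-win10-20348-1970-x64.json
+++ b/volatility3/framework/symbols/windows/consoles/consoles-win10-20348-1970-x64.json
@@ -598,7 +598,7 @@
 "ExeName": {
 "type": {
 "kind": "struct",
-"name": "_ALIAS_STRING"
+"name": "_COMMAND"
 },
 "offset": 16
 },
@@ -628,61 +628,20 @@
 "Source": {
 "type": {
 "kind": "struct",
-"name": "_ALIAS_STRING"
+"name": "_COMMAND"
 },
 "offset": 16
 },
 "Target": {
 "type": {
 "kind": "struct",
-"name": "_ALIAS_STRING"
+"name": "_COMMAND"
 },
 "offset": 48
 }
 },
 "kind": "struct",
 "size": 32
-},
-"_ALIAS_STRING": {
-"fields": {
-"Chars": {
-"type": {
-"count": 1,
-"kind": "array",
-"subtype": {
-"kind": "base",
-"name": "unsigned char"
-}
-},
-"offset": 0
-},
-"Pointer": {
-"type": {
-"kind": "pointer",
-"subtype": {
-"kind": "base",
-"name": "string"
-}
-},
-"offset": 0
-},
-"Length": {
-"type": {
-"kind": "base",
-"name": "unsigned int"
-},
-"offset": 16
-},
-"Allocated": {
-"type": {
-"kind": "base",
-"name": "unsigned int"
-},
-"offset": 24
-}
-},
-"kind": "struct",
-"size": 32
 }
 },
 "metadata": {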
