Merge pull request #1585 from volatilityfoundation/issues/issue1577

ikelos · web-flow · commit 1f983aca73db · 2025-01-31T17:30:22.000Z
Expose and use `get_pefile_obj` rather than having local copies
diff --git a/volatility3/framework/plugins/windows/pe_symbols.py b/volatility3/framework/plugins/windows/pe_symbols.py
@@ -244,7 +244,7 @@ class PESymbols(interfaces.plugins.PluginInterface):
 
     _required_framework_version = (2, 7, 0)
 
-    _version = (1, 0, 1)
+    _version = (1, 1, 0)
 
     # used for special handling of the kernel PDB file. See later notes
     os_module_name = "ntoskrnl.exe"
@@ -292,8 +292,9 @@ def get_requirements(cls) -> List:
             ),
         ]
 
-    @staticmethod
-    def _get_pefile_obj(
+    @classmethod
+    def get_pefile_obj(
+        cls,
         context: interfaces.context.ContextInterface,
         pe_table_name: str,
         layer_name: str,
@@ -486,7 +487,7 @@ def _get_exported_symbols(
         module_start = module_info[1]
 
         # we need a valid PE with an export table
-        pe_module = PESymbols._get_pefile_obj(
+        pe_module = PESymbols.get_pefile_obj(
             context, pe_table_name, layer_name, module_start
         )
         if not pe_module:
diff --git a/volatility3/framework/plugins/windows/skeleton_key_check.py b/volatility3/framework/plugins/windows/skeleton_key_check.py
@@ -11,22 +11,21 @@
 #
 # https://volatility-labs.blogspot.com/2021/10/memory-forensics-r-illustrated.html
 
-import io
 import logging
 from typing import Iterable, Tuple, List, Optional
 
 import pefile
 
 from volatility3.framework import interfaces, symbols, exceptions
-from volatility3.framework import renderers, constants
+from volatility3.framework import renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.layers import scanners
 from volatility3.framework.objects import utility
 from volatility3.framework.renderers import format_hints
 from volatility3.framework.symbols import intermed
 from volatility3.framework.symbols.windows import pdbutil
 from volatility3.framework.symbols.windows.extensions import pe
-from volatility3.plugins.windows import pslist, vadinfo
+from volatility3.plugins.windows import pslist, vadinfo, pe_symbols
 
 try:
     import capstone
@@ -61,43 +60,11 @@ def get_requirements(cls):
             requirements.VersionRequirement(
                 name="pdbutil", component=pdbutil.PDBUtility, version=(1, 0, 0)
             ),
+            requirements.VersionRequirement(
+                name="pe_symbols", component=pe_symbols.PESymbols, version=(1, 1, 0)
+            ),
         ]
 
-    def _get_pefile_obj(
-        self, pe_table_name: str, layer_name: str, base_address: int
-    ) -> pefile.PE:
-        """
-        Attempts to pefile object from the bytes of the PE file
-
-        Args:
-            pe_table_name: name of the pe types table
-            layer_name: name of the lsass.exe process layer
-            base_address: base address of cryptdll.dll in lsass.exe
-
-        Returns:
-            the constructed pefile object
-        """
-        pe_data = io.BytesIO()
-
-        try:
-            dos_header = self.context.object(
-                pe_table_name + constants.BANG + "_IMAGE_DOS_HEADER",
-                offset=base_address,
-                layer_name=layer_name,
-            )
-
-            for offset, data in dos_header.reconstruct():
-                pe_data.seek(offset)
-                pe_data.write(data)
-
-            pe_ret = pefile.PE(data=pe_data.getvalue(), fast_load=True)
-
-        except exceptions.InvalidAddressException:
-            vollog.debug("Unable to reconstruct cryptdll.dll in memory")
-            pe_ret = None
-
-        return pe_ret
-
     def _check_for_skeleton_key_vad(
         self,
         csystem: interfaces.objects.ObjectInterface,
@@ -497,7 +464,9 @@ def _find_csystems_with_export(
             self.context, self.config_path, "windows", "pe", class_types=pe.class_types
         )
 
-        cryptdll = self._get_pefile_obj(pe_table_name, proc_layer_name, cryptdll_base)
+        cryptdll = pe_symbols.PESymbols.get_pefile_obj(
+            self.context, pe_table_name, proc_layer_name, cryptdll_base
+        )
         if not cryptdll:
             return None
 
