
Commit 29567a7

committed
Updates to address the dlllist wow64 upgrades
1 parent 830c28a commit 29567a7


1 file changed

+21
-19
lines changed

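--- a/volatility3/framework/symbols/windows/extensions/__init__.py
+++ b/volatility3/framework/symbols/windows/extensions/__init__.py
@@ -776,7 +776,7 @@ def get_peb(self) -> interfaces.objects.ObjectInterface:
         )
         return peb
 
-    def get_peb32(self) -> interfaces.objects.ObjectInterface:
+    def get_peb32(self) -> Optional[interfaces.objects.ObjectInterface]:
         """Constructs a PEB32 object"""
         if constants.BANG not in self.vol.type_name:
             raise ValueError(
@@ -834,6 +834,14 @@ def get_peb32(self) -> interfaces.objects.ObjectInterface:
         )
         return peb32
 
+    def set_types(self, peb) -> str:
+        ldr_data = self._context.symbol_space.get_type(
+            self._32bit_table_name + constants.BANG + "_PEB_LDR_DATA"
+        )
+        peb.Ldr = peb.Ldr.cast("pointer", subtype=ldr_data)
+        sym_table = self._32bit_table_name
+        return sym_table
+
     def load_order_modules(self) -> Iterable[interfaces.objects.ObjectInterface]:
         """Generator for DLLs in the order that they were loaded."""
         try:
@@ -844,12 +852,10 @@ def load_order_modules(self) -> Iterable[interfaces.objects.ObjectInterface]:
             for peb in pebs:
                 if peb:
                     sym_table = self.get_symbol_table_name()
-                    if peb.Ldr.vol.type_name.endswith("unsigned long"):
-                        ldr_data = self._context.symbol_space.get_type(
-                            self._32bit_table_name + constants.BANG + "_PEB_LDR_DATA"
-                        )
-                        peb.Ldr = peb.Ldr.cast("pointer", subtype=ldr_data)
-                        sym_table = self._32bit_table_name
+                    if peb.Ldr.vol.type_name.split(constants.BANG)[-1] == (
+                        "unsigned long"
+                    ):
+                        sym_table = self.set_types(peb)
                     yield from peb.Ldr.InLoadOrderModuleList.to_list(
                         f"{sym_table}{constants.BANG}" + "_LDR_DATA_TABLE_ENTRY",
                         "InLoadOrderLinks",
@@ -868,12 +874,10 @@ def init_order_modules(self) -> Iterable[interfaces.objects.ObjectInterface]:
             for peb in pebs:
                 if peb:
                     sym_table = self.get_symbol_table_name()
-                    if peb.Ldr.vol.type_name.endswith("unsigned long"):
-                        ldr_data = self._context.symbol_space.get_type(
-                            self._32bit_table_name + constants.BANG + "_PEB_LDR_DATA"
-                        )
-                        peb.Ldr = peb.Ldr.cast("pointer", subtype=ldr_data)
-                        sym_table = self._32bit_table_name
+                    if peb.Ldr.vol.type_name.split(constants.BANG)[-1] == (
+                        "unsigned long"
+                    ):
+                        sym_table = self.set_types(peb)
                     yield from peb.Ldr.InInitializationOrderModuleList.to_list(
                         f"{sym_table}{constants.BANG}" + "_LDR_DATA_TABLE_ENTRY",
                         "InInitializationOrderLinks",
@@ -891,12 +895,10 @@ def mem_order_modules(self) -> Iterable[interfaces.objects.ObjectInterface]:
             for peb in pebs:
                 if peb:
                     sym_table = self.get_symbol_table_name()
-                    if peb.Ldr.vol.type_name.endswith("unsigned long"):
-                        ldr_data = self._context.symbol_space.get_type(
-                            self._32bit_table_name + constants.BANG + "_PEB_LDR_DATA"
-                        )
-                        peb.Ldr = peb.Ldr.cast("pointer", subtype=ldr_data)
-                        sym_table = self._32bit_table_name
+                    if peb.Ldr.vol.type_name.split(constants.BANG)[-1] == (
+                        "unsigned long"
+                    ):
+                        sym_table = self.set_types(peb)
                     yield from peb.Ldr.InMemoryOrderModuleList.to_list(
                         f"{sym_table}{constants.BANG}" + "_LDR_DATA_TABLE_ENTRY",
                         "InMemoryOrderLinks",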
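Review bot: The new `set_types` helper (second hunk, line 837) mutates its argument — it re-casts `peb.Ldr` to the 32-bit `_PEB_LDR_DATA` pointer — and returns the 32-bit symbol table name, yet it has no docstring and its name reads like a plain setter, so the side effect is invisible to its three callers; a docstring such as `"""Re-cast peb.Ldr to the 32-bit _PEB_LDR_DATA pointer and return the 32-bit symbol table name."""` and an annotation `peb: interfaces.objects.ObjectInterface` (the surrounding methods annotate their signatures) would fix that. The wow64 test `peb.Ldr.vol.type_name.split(constants.BANG)[-1] == ("unsigned long")` is repeated verbatim in `load_order_modules`, `init_order_modules` and `mem_order_modules`; moving it into the helper, which then returns the unchanged table name when the PEB is native, leaves one place to maintain the 32-bit detection and reduces each caller to `sym_table = self.set_types(peb)`. Whether `Optional` is already imported for the changed `get_peb32` annotation, and where `get_peb32` can return `None`, is not visible in this hunk — worth confirming. The enclosing methods of hunks three to five start and end outside the hunks.
```python
    def set_types(self, peb: interfaces.objects.ObjectInterface) -> str:
        """Re-cast peb.Ldr to the 32-bit _PEB_LDR_DATA pointer when peb is a
        PEB32 and return the symbol table name to use for its
        _LDR_DATA_TABLE_ENTRY; a native PEB is left untouched."""
        if peb.Ldr.vol.type_name.split(constants.BANG)[-1] != "unsigned long":
            return self.get_symbol_table_name()
        ldr_data = self._context.symbol_space.get_type(
            self._32bit_table_name + constants.BANG + "_PEB_LDR_DATA"
        )
        peb.Ldr = peb.Ldr.cast("pointer", subtype=ldr_data)
        return self._32bit_table_name
    # … unchanged: load_order_modules / init_order_modules / mem_order_modules bodies, each reduced to `sym_table = self.set_types(peb)` …
```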
