
Commit 48d4048

author
Dave Lassalle
committed
#816 - fixes and additional windows versions
1 parent 5302e96 commit 48d4048

14 files changed

+3772
-130
lines changed

volatility3/framework/plugins/windows/consoles.py

Lines changed: 191 additions & 96 deletions

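--- a/volatility3/framework/plugins/windows/verinfo.py
+++ b/volatility3/framework/plugins/windows/verinfo.py
@@ -13,7 +13,7 @@
 from volatility3.framework.renderers import format_hints
 from volatility3.framework.symbols import intermed
 from volatility3.framework.symbols.windows.extensions import pe
-from volatility3.plugins.windows import pslist, modules, dlllist
+from volatility3.plugins.windows import pslist, modules
 
 vollog = logging.getLogger(__name__)
 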
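--- a/volatility3/framework/symbols/windows/consoles/consoles-win10-17763-3232-x64.json
+++ b/volatility3/framework/symbols/windows/consoles/consoles-win10-17763-3232-x64.json
@@ -152,8 +152,8 @@
 },
 "ExeAliasList": {
 "type": {
-"kind": "base",
-"name": "unsigned short"
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
 },
 "offset": 1392
 }
@@ -562,7 +562,8 @@
 }
 },
 "offset": 88
-} },
+}
+},
 "kind": "struct",
 "size": 96
 },
@@ -581,6 +582,70 @@
 },
 "kind": "struct",
 "size": 8
+},
+"_EXE_ALIAS_LIST": {
+"fields": {
+"ListEntry": {
+"type": {
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
+},
+"offset": 0
+},
+"ExeLength": {
+"type": {
+"kind": "base",
+"name": "short"
+},
+"offset": 8
+},
+"ExeName": {
+"type": {
+"kind": "pointer",
+"subtype": {
+"kind": "base",
+"name": "string"
+}
+},
+"offset": 24
+},
+"AliasList": {
+"type": {
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
+},
+"offset": 32
+}
+},
+"kind": "struct",
+"size": 48
+},
+"_ALIAS": {
+"fields": {
+"ListEntry": {
+"type": {
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
+},
+"offset": 0
+},
+"Source": {
+"type": {
+"kind": "struct",
+"name": "_ALIAS_STRING"
+},
+"offset": 16
+},
+"Target": {
+"type": {
+"kind": "struct",
+"name": "_ALIAS_STRING"
+},
+"offset": 48
+}
+},
+"kind": "struct",
+"size": 32
 }
 },
 "metadata": {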
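--- a/volatility3/framework/symbols/windows/consoles/consoles-win10-17763-x64.json
+++ b/volatility3/framework/symbols/windows/consoles/consoles-win10-17763-x64.json
@@ -152,8 +152,8 @@
 },
 "ExeAliasList": {
 "type": {
-"kind": "base",
-"name": "unsigned short"
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
 },
 "offset": 1392
 }
@@ -562,7 +562,8 @@
 }
 },
 "offset": 88
-} },
+}
+},
 "kind": "struct",
 "size": 96
 },
@@ -581,6 +582,70 @@
 },
 "kind": "struct",
 "size": 8
+},
+"_EXE_ALIAS_LIST": {
+"fields": {
+"ListEntry": {
+"type": {
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
+},
+"offset": 0
+},
+"ExeLength": {
+"type": {
+"kind": "base",
+"name": "short"
+},
+"offset": 16
+},
+"ExeName": {
+"type": {
+"kind": "pointer",
+"subtype": {
+"kind": "base",
+"name": "string"
+}
+},
+"offset": 24
+},
+"AliasList": {
+"type": {
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
+},
+"offset": 32
+}
+},
+"kind": "struct",
+"size": 48
+},
+"_ALIAS": {
+"fields": {
+"ListEntry": {
+"type": {
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
+},
+"offset": 0
+},
+"Source": {
+"type": {
+"kind": "struct",
+"name": "_ALIAS_STRING"
+},
+"offset": 16
+},
+"Target": {
+"type": {
+"kind": "struct",
+"name": "_ALIAS_STRING"
+},
+"offset": 48
+}
+},
+"kind": "struct",
+"size": 32
 }
 },
 "metadata": {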
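--- a/volatility3/framework/symbols/windows/consoles/consoles-win10-18362-x64.json
+++ b/volatility3/framework/symbols/windows/consoles/consoles-win10-18362-x64.json
@@ -152,10 +152,10 @@
 },
 "ExeAliasList": {
 "type": {
-"kind": "base",
-"name": "unsigned short"
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
 },
-"offset": 1436
+"offset": -856
 }
 },
 "kind": "struct",
@@ -552,7 +552,8 @@
 }
 },
 "offset": 88
-} },
+}
+},
 "kind": "struct",
 "size": 96
 },
@@ -571,6 +572,70 @@
 },
 "kind": "struct",
 "size": 8
+},
+"_EXE_ALIAS_LIST": {
+"fields": {
+"ListEntry": {
+"type": {
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
+},
+"offset": 0
+},
+"ExeLength": {
+"type": {
+"kind": "base",
+"name": "short"
+},
+"offset": 8
+},
+"ExeName": {
+"type": {
+"kind": "pointer",
+"subtype": {
+"kind": "base",
+"name": "string"
+}
+},
+"offset": 24
+},
+"AliasList": {
+"type": {
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
+},
+"offset": 32
+}
+},
+"kind": "struct",
+"size": 48
+},
+"_ALIAS": {
+"fields": {
+"ListEntry": {
+"type": {
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
+},
+"offset": 0
+},
+"Source": {
+"type": {
+"kind": "struct",
+"name": "_ALIAS_STRING"
+},
+"offset": 16
+},
+"Target": {
+"type": {
+"kind": "struct",
+"name": "_ALIAS_STRING"
+},
+"offset": 48
+}
+},
+"kind": "struct",
+"size": 32
 }
 },
 "metadata": {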
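--- a/volatility3/framework/symbols/windows/consoles/consoles-win10-19041-x64.json
+++ b/volatility3/framework/symbols/windows/consoles/consoles-win10-19041-x64.json
@@ -1,5 +1,5 @@
 {
-"symbols": {},
+"symbols": {},
 "enums": {},
 "base_types": {
 "unsigned long": {
@@ -152,8 +152,8 @@
 },
 "ExeAliasList": {
 "type": {
-"kind": "base",
-"name": "unsigned short"
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
 },
 "offset": 1436
 }
@@ -552,7 +552,8 @@
 }
 },
 "offset": 88
-} },
+}
+},
 "kind": "struct",
 "size": 96
 },
@@ -571,6 +572,70 @@
 },
 "kind": "struct",
 "size": 8
+},
+"_EXE_ALIAS_LIST": {
+"fields": {
+"ListEntry": {
+"type": {
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
+},
+"offset": 0
+},
+"ExeLength": {
+"type": {
+"kind": "base",
+"name": "short"
+},
+"offset": 8
+},
+"ExeName": {
+"type": {
+"kind": "pointer",
+"subtype": {
+"kind": "base",
+"name": "string"
+}
+},
+"offset": 24
+},
+"AliasList": {
+"type": {
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
+},
+"offset": 32
+}
+},
+"kind": "struct",
+"size": 48
+},
+"_ALIAS": {
+"fields": {
+"ListEntry": {
+"type": {
+"kind": "struct",
+"name": "nt_symbols!_LIST_ENTRY"
+},
+"offset": 0
+},
+"Source": {
+"type": {
+"kind": "struct",
+"name": "_ALIAS_STRING"
+},
+"offset": 16
+},
+"Target": {
+"type": {
+"kind": "struct",
+"name": "_ALIAS_STRING"
+},
+"offset": 48
+}
+},
+"kind": "struct",
+"size": 32
 }
 },
 "metadata": {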