
Commit d172e12

committed
Updated fixes after internal review. Allows windows.dlllist to report back DLLs from wow64 processes.
1 parent c317cad commit d172e12


1 file changed

+31
-42
lines changed

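--- a/volatility3/framework/symbols/windows/extensions/__init__.py
+++ b/volatility3/framework/symbols/windows/extensions/__init__.py
@@ -790,13 +790,13 @@ def get_peb32(self) -> interfaces.objects.ObjectInterface:
 
 # Determine if process is running under WOW64.
 if self.get_is_wow64():
-peb32 = self.get_wow_64_process()
+proc = self.get_wow_64_process()
 else:
 return None
 # Confirm WoW64Process points to a valid process address
-if not proc_layer.is_valid(peb32):
+if not proc_layer.is_valid(proc):
 raise exceptions.InvalidAddressException(
-proc_layer_name, peb32, f"Invalid Wow64Process address at {self.Peb:0x}"
+proc_layer_name, proc, f"Invalid Wow64Process address at {self.Peb:0x}"
 )
 
 # Leverage the context of existing symbol table to help configure
@@ -816,50 +816,41 @@ def get_peb32(self) -> interfaces.objects.ObjectInterface:
 if self._context.symbol_space.has_type(
 sym_table + constants.BANG + "_EWOW64PROCESS"
 ):
-peb32 = self._context.object(
-f"{self._32bit_table_name}{constants.BANG}_PEB32",
-layer_name=proc_layer_name,
-offset=peb32.Peb,
-)
-return peb32
+offset=proc.Peb
 
 # vista sp0-sp1 and 2003 sp1-sp2
 elif self._context.symbol_space.has_type(
 sym_table + constants.BANG + "_WOW64_PROCESS"
 ):
-peb32 = self._context.object(
-f"{self._32bit_table_name}{constants.BANG}_PEB32",
-layer_name=proc_layer_name,
-offset=peb32.Wow64,
-)
-return peb32
+offset=proc.Wow64
 
 else:
-peb32 = self._context.object(
-f"{self._32bit_table_name}{constants.BANG}_PEB32",
-layer_name=proc_layer_name,
-offset=peb32,
-)
-return peb32
+offset=proc
+
+peb32 = self._context.object(
+f"{self._32bit_table_name}{constants.BANG}_PEB32",
+layer_name=proc_layer_name,
+offset=offset,
+)
+return peb32
 
 def load_order_modules(self) -> Iterable[interfaces.objects.ObjectInterface]:
 """Generator for DLLs in the order that they were loaded."""
 try:
 pebs = [
-[self.get_peb(), "_LDR_DATA_TABLE_ENTRY"],
-[self.get_peb32(), "_LDR_DATA_TABLE_ENTRY"],
+self.get_peb(), self.get_peb32(),
 ]
-for peb, table_name in pebs:
-if peb != None:
+for peb in pebs:
+if peb:
 sym_table = self.get_symbol_table_name()
 if peb.Ldr.vol.type_name.endswith("unsigned long"):
-Ldr_data = self._context.symbol_space.get_type(
+ldr_data = self._context.symbol_space.get_type(
 self._32bit_table_name + constants.BANG + "_PEB_LDR_DATA"
 )
-peb.Ldr = peb.Ldr.cast("pointer", subtype=Ldr_data)
+peb.Ldr = peb.Ldr.cast("pointer", subtype=ldr_data)
 sym_table = self._32bit_table_name
 for entry in peb.Ldr.InLoadOrderModuleList.to_list(
-f"{sym_table}{constants.BANG}" + table_name,
+f"{sym_table}{constants.BANG}" + "_LDR_DATA_TABLE_ENTRY",
 "InLoadOrderLinks",
 ):
 yield entry
@@ -871,20 +862,19 @@ def init_order_modules(self) -> Iterable[interfaces.objects.ObjectInterface]:
 
 try:
 pebs = [
-[self.get_peb(), "_LDR_DATA_TABLE_ENTRY"],
-[self.get_peb32(), "_LDR_DATA_TABLE_ENTRY"],
+self.get_peb(), self.get_peb32(),
 ]
-for peb, table_name in pebs:
-if peb != None:
+for peb in pebs:
+if peb:
 sym_table = self.get_symbol_table_name()
 if peb.Ldr.vol.type_name.endswith("unsigned long"):
-Ldr_data = self._context.symbol_space.get_type(
+ldr_data = self._context.symbol_space.get_type(
 self._32bit_table_name + constants.BANG + "_PEB_LDR_DATA"
 )
-peb.Ldr = peb.Ldr.cast("pointer", subtype=Ldr_data)
+peb.Ldr = peb.Ldr.cast("pointer", subtype=ldr_data)
 sym_table = self._32bit_table_name
 for entry in peb.Ldr.InInitializationOrderModuleList.to_list(
-f"{sym_table}{constants.BANG}" + table_name,
+f"{sym_table}{constants.BANG}" + "_LDR_DATA_TABLE_ENTRY",
 "InInitializationOrderLinks",
 ):
 yield entry
@@ -895,20 +885,19 @@ def mem_order_modules(self) -> Iterable[interfaces.objects.ObjectInterface]:
 """Generator for DLLs in the order that they appear in memory"""
 try:
 pebs = [
-[self.get_peb(), "_LDR_DATA_TABLE_ENTRY"],
-[self.get_peb32(), "_LDR_DATA_TABLE_ENTRY"],
+self.get_peb(), self.get_peb32(),
 ]
-for peb, table_name in pebs:
-if peb != None:
+for peb in pebs:
+if peb:
 sym_table = self.get_symbol_table_name()
 if peb.Ldr.vol.type_name.endswith("unsigned long"):
-Ldr_data = self._context.symbol_space.get_type(
+ldr_data = self._context.symbol_space.get_type(
 self._32bit_table_name + constants.BANG + "_PEB_LDR_DATA"
 )
-peb.Ldr = peb.Ldr.cast("pointer", subtype=Ldr_data)
+peb.Ldr = peb.Ldr.cast("pointer", subtype=ldr_data)
 sym_table = self._32bit_table_name
 for entry in peb.Ldr.InMemoryOrderModuleList.to_list(
-f"{sym_table}{constants.BANG}" + table_name,
+f"{sym_table}{constants.BANG}" + "_LDR_DATA_TABLE_ENTRY",
 "InMemoryOrderLinks",
 ):
 yield entry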
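Review bot: In `load_order_modules` the new `pebs = [self.get_peb(), self.get_peb32(),]` evaluates `get_peb32()` eagerly before any entry is yielded, and the first hunk shows `get_peb32()` raising `InvalidAddressException` when the Wow64Process pointer does not validate, so an unreadable or tampered WoW64 pointer aborts the generator before the native 64-bit module list is ever walked; `init_order_modules` and `mem_order_modules` have the same shape. Whether that exception is swallowed or propagated depends on the `except` clause below each hunk, which is outside this view, but either way the process's native DLLs are lost to the caller, which matters for a memory-forensics listing where that pointer lives in attacker-writable process memory. Fetching the 32-bit PEB in its own guarded step keeps the 64-bit walk independent of the WoW64 pointer's validity. Separately, `if peb:` relies on the PEB object's truthiness where `if peb is not None:` states the intended check directly. `load_order_modules` ends outside its hunk, and `init_order_modules` and `mem_order_modules` both start and end outside theirs.
```python
try:
    pebs = [self.get_peb()]
    try:
        pebs.append(self.get_peb32())
    except exceptions.InvalidAddressException:
        # TODO(review): record the unreadable Wow64Process pointer here; the native PEB is still walked
        pass
    for peb in pebs:
        if peb is not None:
            # … unchanged: 32-bit Ldr cast and InLoadOrderModuleList walk …
```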
