Upload ntoskrnl.exe and generate symbol #1020

Closed
garanews opened this issue Feb 15, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@garanews
Member

For missing Windows OS symbols:

  1. upload ntoskrnl.exe (taken from Windows OS at C:\Windows\System32\ntoskrnl.exe )
  2. generate GUID:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#

import binascii
from pefile import PE

pe = PE("C:\\Windows\\System32\\ntoskrnl.exe")
debug = pe.DIRECTORY_ENTRY_DEBUG[0].entry
guid = "{0:08X}{1:04X}{2:04X}{3}{4}".format(debug.Signature_Data1,
                                      debug.Signature_Data2,
                                      debug.Signature_Data3,
                                      binascii.hexlify(debug.Signature_Data4).decode("utf-8"),
                                      debug.Age).upper()
print(guid)
  3. generate symbol:
pip3 install pefile==2022.5.30 yara-python capstone
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 setup.py install
python3 volatility3/framework/symbols/windows/pdbconv.py  -f ntkrnlmp.pdb --guid $guid  -o $guid.json
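The steps above boil down to reading the CodeView "RSDS" record that the PE debug directory points at and turning its GUID and Age into the key the symbol server expects. The following is an added, standard-library-only example written for this thread (it is not code from the issue, from pefile or from volatility3): it parses a constructed RSDS record, builds the GUID string with the byte ordering and zero padding the symbol server requires, and shows the padding mistake that is easy to make when formatting the GUID's tail bytes one at a time. The sample GUID, the PDB name and the symbol-server base URL used in the `__main__` block are constructed inputs for illustration.

```python
import struct
import uuid

# CV_INFO_PDB70 ("RSDS") record, as pointed to by the PE debug directory's
# IMAGE_DEBUG_TYPE_CODEVIEW entry. All integers are little-endian.
#   char  CvSignature[4]  -> b"RSDS"
#   GUID  Signature       -> Data1 u32, Data2 u16, Data3 u16, Data4 uint8[8]
#   u32   Age
#   char  PdbFileName[]   -> NUL-terminated
_RSDS = struct.Struct("<4sIHH8sI")


def guid_string(data1: int, data2: int, data3: int, data4: bytes) -> str:
    """Symbol-server GUID text: Data1..Data3 as zero-padded big-endian hex,
    Data4 as its eight bytes in memory order, two hex digits each."""
    if len(data4) != 8:
        raise ValueError("Data4 must be exactly 8 bytes")
    return f"{data1:08X}{data2:04X}{data3:04X}{data4.hex().upper()}"


def parse_rsds(blob: bytes) -> dict:
    """Return the GUID string, Age and PDB file name from an RSDS record."""
    if len(blob) < _RSDS.size:
        raise ValueError("RSDS record truncated")
    sig, d1, d2, d3, d4, age = _RSDS.unpack_from(blob)
    if sig != b"RSDS":
        # b"NB10" would be the older PDB 2.0 record, which has no GUID at all.
        raise ValueError(f"not a PDB 7.0 CodeView record (signature {sig!r})")
    name = blob[_RSDS.size:].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"guid": guid_string(d1, d2, d3, d4), "age": age, "pdb": name}


def symbol_key(guid: str, age: int) -> str:
    """Symbol-server lookup key: GUID immediately followed by Age in uppercase
    hex with no padding. For the usual Age of 1 this equals appending the
    decimal Age, which is what the snippets in this thread do."""
    return f"{guid}{age:X}"


def symbol_server_url(pdb: str, key: str,
                      server: str = "https://msdl.microsoft.com/download/symbols") -> str:
    """Path layout used by Microsoft's public symbol server: <pdb>/<key>/<pdb>."""
    return f"{server}/{pdb}/{key}/{pdb}"


def build_rsds(guid_text: str, age: int, pdb_name: str) -> bytes:
    """Constructed sample input: serialise an RSDS record the way a linker would.
    uuid.UUID.bytes is the GUID in canonical byte order, so bytes[8:] is Data4."""
    u = uuid.UUID(guid_text)
    return _RSDS.pack(b"RSDS", u.time_low, u.time_mid, u.time_hi_version,
                      u.bytes[8:], age) + pdb_name.encode("ascii") + b"\x00"


def unpadded_guid_string(data1: int, data2: int, data3: int, data4: bytes) -> str:
    """The pitfall, kept only to contrast with guid_string(): emitting each Data4
    byte with a plain {:x} drops the leading zero of any byte below 0x10, so the
    key comes out a digit short and the symbol server will never match it."""
    tail = "".join(f"{b:x}" for b in data4)
    return f"{data1:08X}{data2:04X}{data3:04X}{tail}".upper()


if __name__ == "__main__":
    # Constructed GUID (not a real ntoskrnl build); its first Data4 byte is 0x08
    # so the padding difference is visible.
    record = build_rsds("0123abcd-4567-89ef-0811-223344556677", 1, "ntkrnlmp.pdb")
    info = parse_rsds(record)
    key = symbol_key(info["guid"], info["age"])
    print(info["pdb"], key)
    print(symbol_server_url(info["pdb"], key))
```

Running it on a real kernel means reading the record from the file's debug directory instead of `build_rsds`; the GUID string it produces is the one to hand to `pdbconv.py --guid`.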
@garanews garanews added the enhancement New feature or request label Feb 15, 2024
@dadokkio
Collaborator

Small fixes to work on Linux:

import binascii
import json
from pefile import PE
from volatility3.framework.contexts import Context
from volatility3.framework.symbols.windows.pdbconv import PdbReader, PdbRetreiver


pe = PE("/home/dadokkio/Downloads/ntoskrnl.exe")
debug = pe.DIRECTORY_ENTRY_DEBUG[0].entry
# pefile exposes the GUID's Data4 as single-byte Signature_Data4 and
# Signature_Data5 plus the 6-byte Signature_Data6; pad the two bytes to two
# hex digits each, otherwise a byte below 0x10 leaves the GUID a digit short.
guid = "{0:08X}{1:04X}{2:04X}{3}{4}".format(
    debug.Signature_Data1,
    debug.Signature_Data2,
    debug.Signature_Data3,
    f"{debug.Signature_Data4:02x}{debug.Signature_Data5:02x}{binascii.hexlify(debug.Signature_Data6).decode('utf-8')}",
    debug.Age,
).upper()

filename = PdbRetreiver().retreive_pdb(
    guid, file_name="ntkrnlmp.pdb", progress_callback=None
)
# retreive_pdb returns None when no symbol server has the file; fail clearly
# instead of passing None on to PdbReader.
if filename is None:
    raise SystemExit(f"no ntkrnlmp.pdb available for GUID {guid}")
ctxt = Context()
profile = PdbReader(ctxt, filename).get_json()

with open(f"{guid}.json", "w") as f:
    json.dump(profile, f, indent=4)

@dadokkio dadokkio added the in progress In progress label Feb 19, 2024
@dadokkio dadokkio removed the in progress In progress label Mar 26, 2024