working on windows heaps + volatility

CHANGES.txt

@@ -23,6 +23,10 @@ Changes to architecture.txt:
  - mapping should represent the memory dump entity
  - ctypes for internal haystack loading should be a Proxy ctypes, saved the mapping instance
 
+2015-09:
+ - Working on Volatility dump reader
+ - working a WinXP chunk iterator
+ - adding PEB to winXP list of know structures
 
 2015-08:
  - Fixes for travis in setup.py

haystack/mappings/vol.py

@@ -79,9 +79,10 @@ def read_array(self, addr, basetype, count):
 
 class VolatilityProcessMapper(interfaces.IMemoryLoader):
 
-    def __init__(self, imgname, pid):
+    def __init__(self, imgname, profile, pid):
         self.pid = pid
         self.imgname = imgname
+        self.profile = profile
         self._memory_handler = None
         self._unload_volatility()
         self._init_volatility()
@@ -113,7 +114,7 @@ def _init_volatility(self):
         registry.register_global_options(config, commands.Command)
         registry.register_global_options(config, addrspace.BaseAddressSpace)
         config.parse_options()
-        config.PROFILE = "WinXPSP2x86"
+        config.PROFILE = self.profile
         #_target_platform.LOCATION = "file:///media/memory/private/image.dmp"
         config.LOCATION = "file://%s" % self.imgname
         config.PID = str(self.pid)

haystack/memory_mapper.py

@@ -36,7 +36,7 @@ def __init__(self, pid=None, mmap=True, memfile=None,
                  baseOffset=None, dumpname=None, volname=None):
         memory_handler = None
         if not (volname is None) and not (pid is None):
-            memory_handler = self._init_volatility(dumpname, pid)
+            memory_handler = self._init_volatility(dumpname, "WinXPSP2x86", pid)
         if not (pid is None):
             memory_handler = self._init_pid(pid, mmap)
         elif not (memfile is None):
@@ -105,7 +105,7 @@ def _init_pid(pid, mmap):
         return _memory_handler
 
     @staticmethod
-    def _init_volatility(volname, pid):
-        mapper = VolatilityProcessMapper(volname, pid)
+    def _init_volatility(volname, profile, pid):
+        mapper = VolatilityProcessMapper(volname, profile, pid)
         _memory_handler = mapper.make_memory_handler()
         return _memory_handler

haystack/outputters/text.py

@@ -119,12 +119,12 @@ def _attrToString(self, attr, field, attrtype, prefix, depth=-1):
             #if field == 'ProcessHeaps':
             #    import code
             #    code.interact(local=locals())
-            if myaddress == 0:# or contents is None: # FIXME the solution is probably to remove the content test here
+            if myaddress == 0 or contents is None: # FIXME the solution is probably to remove the content test here
                 # only print address/null
                 s = '%s,' % (myaddress_fmt)
             elif self._ctypes.is_pointer_to_void_type(attrtype):
                 # c_void_p, c_char_p, can load target
-                s = '%s, #(FIELD NOT LOADED: void pointer)' % self._utils.formatAddress(attr.value) #(myaddress_fmt)
+                s = '%s, #(FIELD NOT LOADED: void pointer)' % myaddress_fmt # self._utils.formatAddress(attr.value)
             elif isinstance(self, type(contents)):
                 # pointer of self type ? lists ?
                 # TODO: decide if we recurse in lists or not.

haystack/structures/win32/profiles/WinXPSP3X86.32.h

@@ -203,6 +203,10 @@ struct _HEAP_SEGMENT;
 typedef struct _HEAP_SEGMENT HEAP_SEGMENT;
 typedef HEAP_SEGMENT *PHEAP_SEGMENT, **PPHEAP_SEGMENT;
 
+struct _PEB;
+typedef struct _PEB PEB;
+typedef PEB *PPEB, **PPPEB;
+
 struct _RTL_CRITICAL_SECTION;
 typedef struct _RTL_CRITICAL_SECTION RTL_CRITICAL_SECTION;
 typedef RTL_CRITICAL_SECTION *PRTL_CRITICAL_SECTION, **PPRTL_CRITICAL_SECTION;
@@ -219,6 +223,13 @@ typedef struct _LIST_ENTRY {
 
 } __attribute__((packed)) LIST_ENTRY, *PLIST_ENTRY, **PPLIST_ENTRY ;
 
+typedef struct _UNICODE_STRING {
+ USHORT Length;
+ USHORT MaximumLength;
+ PUSHORT Buffer;
+
+} __attribute__((packed)) UNICODE_STRING, *PUNICODE_STRING, **PPUNICODE_STRING ;
+
 typedef struct _HEAP_UNCOMMMTTED_RANGE {
  struct _HEAP_UNCOMMMTTED_RANGE* Next;
  ULONG Address;
@@ -262,6 +273,36 @@ typedef struct _OWNER_ENTRY {
 
 } __attribute__((packed)) OWNER_ENTRY, *POWNER_ENTRY, **PPOWNER_ENTRY ;
 
+typedef union _LARGE_INTEGER {
+ struct {
+  ULONG LowPart;
+  LONG HighPart;
+ };
+ struct {
+ ULONG LowPart;
+ LONG HighPart;
+} u;
+ struct {
+  LONGLONG QuadPart;
+ };
+
+} __attribute__((packed)) LARGE_INTEGER, *PLARGE_INTEGER, **PPLARGE_INTEGER ;
+
+typedef union _ULARGE_INTEGER {
+ struct {
+  ULONG LowPart;
+  ULONG HighPart;
+ };
+ struct {
+ ULONG LowPart;
+ ULONG HighPart;
+} u;
+ struct {
+  ULONGLONG QuadPart;
+ };
+
+} __attribute__((packed)) ULARGE_INTEGER, *PULARGE_INTEGER, **PPULARGE_INTEGER ;
+
 typedef struct _HEAP_PSEUDO_TAG_ENTRY {
  ULONG Allocs;
  ULONG Frees;
@@ -274,6 +315,12 @@ typedef struct _SINGLE_LIST_ENTRY {
 
 } __attribute__((packed)) SINGLE_LIST_ENTRY, *PSINGLE_LIST_ENTRY, **PPSINGLE_LIST_ENTRY ;
 
+typedef struct _PEB_FREE_BLOCK {
+ struct _PEB_FREE_BLOCK* Next;
+ ULONG Size;
+
+} __attribute__((packed)) PEB_FREE_BLOCK, *PPEB_FREE_BLOCK, **PPPEB_FREE_BLOCK ;
+
 typedef struct _HEAP_UCR_SEGMENT {
  struct _HEAP_UCR_SEGMENT* Next;
  ULONG ReservedSize;
@@ -282,6 +329,13 @@ typedef struct _HEAP_UCR_SEGMENT {
 
 } __attribute__((packed)) HEAP_UCR_SEGMENT, *PHEAP_UCR_SEGMENT, **PPHEAP_UCR_SEGMENT ;
 
+typedef struct _STRING {
+ USHORT Length;
+ USHORT MaximumLength;
+ PUCHAR Buffer;
+
+} __attribute__((packed)) STRING, *PSTRING, **PPSTRING ;
+
 typedef union _SLIST_HEADER {
  ULONGLONG Alignment;
  struct {
@@ -292,6 +346,14 @@ typedef union _SLIST_HEADER {
 
 } __attribute__((packed)) SLIST_HEADER, *PSLIST_HEADER, **PPSLIST_HEADER ;
 
+typedef struct _RTL_DRIVE_LETTER_CURDIR {
+ USHORT Flags;
+ USHORT Length;
+ ULONG TimeStamp;
+ STRING DosPath;
+
+} __attribute__((packed)) RTL_DRIVE_LETTER_CURDIR, *PRTL_DRIVE_LETTER_CURDIR, **PPRTL_DRIVE_LETTER_CURDIR ;
+
 typedef struct _DISPATCHER_HEADER {
  UCHAR Type;
  UCHAR Absolute;
@@ -302,16 +364,28 @@ typedef struct _DISPATCHER_HEADER {
 
 } __attribute__((packed)) DISPATCHER_HEADER, *PDISPATCHER_HEADER, **PPDISPATCHER_HEADER ;
 
+typedef struct _PEB_LDR_DATA {
+ ULONG Length;
+ UCHAR Initialized;
+ UINT8 gap_in_pdb_ofs_5[0x3];
+ PVOID SsHandle;
+ LIST_ENTRY InLoadOrderModuleList;
+ LIST_ENTRY InMemoryOrderModuleList;
+ LIST_ENTRY InInitializationOrderModuleList;
+ PVOID EntryInProgress;
+
+} __attribute__((packed)) PEB_LDR_DATA, *PPEB_LDR_DATA, **PPPEB_LDR_DATA ;
+
 typedef struct _KEVENT {
  DISPATCHER_HEADER Header;
 
 } __attribute__((packed)) KEVENT, *PKEVENT, **PPKEVENT ;
 
-typedef struct _KSEMAPHORE {
- DISPATCHER_HEADER Header;
- LONG Limit;
+typedef struct _CURDIR {
+ UNICODE_STRING DosPath;
+ PVOID Handle;
 
-} __attribute__((packed)) KSEMAPHORE, *PKSEMAPHORE, **PPKSEMAPHORE ;
+} __attribute__((packed)) CURDIR, *PCURDIR, **PPCURDIR ;
 
 typedef struct _HEAP_FREE_ENTRY {
 union {
@@ -330,6 +404,44 @@ union {
 };
 } __attribute__((packed)) HEAP_FREE_ENTRY, *PHEAP_FREE_ENTRY, **PPHEAP_FREE_ENTRY ;
 
+typedef struct _KSEMAPHORE {
+ DISPATCHER_HEADER Header;
+ LONG Limit;
+
+} __attribute__((packed)) KSEMAPHORE, *PKSEMAPHORE, **PPKSEMAPHORE ;
+
+typedef struct _RTL_USER_PROCESS_PARAMETERS {
+ ULONG MaximumLength;
+ ULONG Length;
+ ULONG Flags;
+ ULONG DebugFlags;
+ PVOID ConsoleHandle;
+ ULONG ConsoleFlags;
+ PVOID StandardInput;
+ PVOID StandardOutput;
+ PVOID StandardError;
+ CURDIR CurrentDirectory;
+ UNICODE_STRING DllPath;
+ UNICODE_STRING ImagePathName;
+ UNICODE_STRING CommandLine;
+ PVOID Environment;
+ ULONG StartingX;
+ ULONG StartingY;
+ ULONG CountX;
+ ULONG CountY;
+ ULONG CountCharsX;
+ ULONG CountCharsY;
+ ULONG FillAttribute;
+ ULONG WindowFlags;
+ ULONG ShowWindowFlags;
+ UNICODE_STRING WindowTitle;
+ UNICODE_STRING DesktopInfo;
+ UNICODE_STRING ShellInfo;
+ UNICODE_STRING RuntimeData;
+ RTL_DRIVE_LETTER_CURDIR CurrentDirectores[0x20];
+
+} __attribute__((packed)) RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS, **PPRTL_USER_PROCESS_PARAMETERS ;
+
 typedef struct _ERESOURCE {
  LIST_ENTRY SystemResourcesList;
  POWNER_ENTRY OwnerTable;
@@ -359,14 +471,6 @@ typedef struct _RTL_CRITICAL_SECTION {
 
 } __attribute__((packed)) RTL_CRITICAL_SECTION, *PRTL_CRITICAL_SECTION, **PPRTL_CRITICAL_SECTION ;
 
-typedef struct _HEAP_LOCK {
- union {
- RTL_CRITICAL_SECTION CriticalSection;
- ERESOURCE Resource;
-} Lock;
-
-} __attribute__((packed)) HEAP_LOCK, *PHEAP_LOCK, **PPHEAP_LOCK ;
-
 typedef struct _HEAP_SEGMENT {
  HEAP_ENTRY Entry;
  ULONG Signature;
@@ -386,17 +490,6 @@ typedef struct _HEAP_SEGMENT {
 
 } __attribute__((packed)) HEAP_SEGMENT, *PHEAP_SEGMENT, **PPHEAP_SEGMENT ;
 
-typedef struct _RTL_CRITICAL_SECTION_DEBUG {
- USHORT Type;
- USHORT CreatorBackTraceIndex;
- PRTL_CRITICAL_SECTION CriticalSection;
- LIST_ENTRY ProcessLocksList;
- ULONG EntryCount;
- ULONG ContentionCount;
- ULONG Spare[0x2];
-
-} __attribute__((packed)) RTL_CRITICAL_SECTION_DEBUG, *PRTL_CRITICAL_SECTION_DEBUG, **PPRTL_CRITICAL_SECTION_DEBUG ;
-
 typedef struct _HEAP {
  HEAP_ENTRY Entry;
  ULONG Signature;
@@ -442,6 +535,96 @@ typedef struct _HEAP {
  UCHAR LastSegmentIndex;
 
 } __attribute__((packed)) HEAP, *PHEAP, **PPHEAP ;
+
+typedef struct _HEAP_LOCK {
+ union {
+ RTL_CRITICAL_SECTION CriticalSection;
+ ERESOURCE Resource;
+} Lock;
+
+} __attribute__((packed)) HEAP_LOCK, *PHEAP_LOCK, **PPHEAP_LOCK ;
+
+typedef struct _RTL_CRITICAL_SECTION_DEBUG {
+ USHORT Type;
+ USHORT CreatorBackTraceIndex;
+ PRTL_CRITICAL_SECTION CriticalSection;
+ LIST_ENTRY ProcessLocksList;
+ ULONG EntryCount;
+ ULONG ContentionCount;
+ ULONG Spare[0x2];
+
+} __attribute__((packed)) RTL_CRITICAL_SECTION_DEBUG, *PRTL_CRITICAL_SECTION_DEBUG, **PPRTL_CRITICAL_SECTION_DEBUG ;
+
+typedef struct _PEB {
+ UCHAR InheritedAddressSpace;
+ UCHAR ReadImageFileExecOptions;
+ UCHAR BeingDebugged;
+ UCHAR SpareBool;
+ PVOID Mutant;
+ PVOID ImageBaseAddress;
+ PPEB_LDR_DATA Ldr;
+ PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
+ PVOID SubSystemData;
+ PVOID ProcessHeap;
+ PRTL_CRITICAL_SECTION FastPebLock;
+ PVOID FastPebLockRoutine;
+ PVOID FastPebUnlockRoutine;
+ ULONG EnvironmentUpdateCount;
+ PVOID KernelCallbackTable;
+ ULONG SystemReserved[0x1];
+ ULONG AtlThunkSListPtr32;
+ PPEB_FREE_BLOCK FreeList;
+ ULONG TlsExpansionCounter;
+ PVOID TlsBitmap;
+ ULONG TlsBitmapBits[0x2];
+ PVOID ReadOnlySharedMemoryBase;
+ PVOID ReadOnlySharedMemoryHeap;
+ PPVOID ReadOnlyStaticServerData;
+ PVOID AnsiCodePageData;
+ PVOID OemCodePageData;
+ PVOID UnicodeCaseTableData;
+ ULONG NumberOfProcessors;
+ ULONG NtGlobalFlag;
+ UINT8 gap_in_pdb_ofs_6C[0x4];
+ LARGE_INTEGER CriticalSectionTimeout;
+ ULONG HeapSegmentReserve;
+ ULONG HeapSegmentCommit;
+ ULONG HeapDeCommitTotalFreeThreshold;
+ ULONG HeapDeCommitFreeBlockThreshold;
+ ULONG NumberOfHeaps;
+ ULONG MaximumNumberOfHeaps;
+ PPVOID ProcessHeaps;
+ PVOID GdiSharedHandleTable;
+ PVOID ProcessStarterHelper;
+ ULONG GdiDCAttributeList;
+ PVOID LoaderLock;
+ ULONG OSMajorVersion;
+ ULONG OSMinorVersion;
+ USHORT OSBuildNumber;
+ USHORT OSCSDVersion;
+ ULONG OSPlatformId;
+ ULONG ImageSubsystem;
+ ULONG ImageSubsystemMajorVersion;
+ ULONG ImageSubsystemMinorVersion;
+ ULONG ImageProcessAffinityMask;
+ ULONG GdiHandleBuffer[0x22];
+ VOID (*PostProcessInitRoutine)();
+ PVOID TlsExpansionBitmap;
+ ULONG TlsExpansionBitmapBits[0x20];
+ ULONG SessionId;
+ ULARGE_INTEGER AppCompatFlags;
+ ULARGE_INTEGER AppCompatFlagsUser;
+ PVOID pShimData;
+ PVOID AppCompatInfo;
+ UNICODE_STRING CSDVersion;
+ PVOID ActivationContextData;
+ PVOID ProcessAssemblyStorageMap;
+ PVOID SystemDefaultActivationContextData;
+ PVOID SystemAssemblyStorageMap;
+ ULONG MinimumStackCommit;
+ UINT8 gap_in_pdb_ofs_20C[0x4];
+
+} __attribute__((packed)) PEB, *PPEB, **PPPEB ;
 # 1 "WinXPSP3X86.ntoskrnl.32.h"
 # 1 "<built-in>" 1
 # 1 "<built-in>" 3