
Commit 321162d

authored
Merge pull request #29 from ruben03/patch-3
Update baseline.py
2 parents 800a84a + 7103002 commit 321162d


1 file changed

+71
-66
lines changed


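--- a/CsabaBarta/baseline.py
+++ b/CsabaBarta/baseline.py
@@ -480,39 +480,40 @@ def calculate(self):
 addr_space = utils.load_as(self._config)
 drv_scan = DriverScan(self._config)
 
-if volatility.constants.VERSION != "2.4":
-for obj, drv, ext in drv_scan.calculate():
-if ext.ServiceKeyName != None:
-service_key_name = str(ext.ServiceKeyName).lower()
+if volatility.constants.VERSION == "2.6" or volatility.constants.VERSION == "2.4":
+for driver in drv_scan.calculate():
+header = driver.get_object_header()
+if driver.DriverExtension.ServiceKeyName != None:
+service_key_name = str(driver.DriverExtension.ServiceKeyName).lower()
 else:
 service_key_name = None
 
-if obj.NameInfo.Name != None:
-name = str(obj.NameInfo.Name).lower()
+if header.NameInfo.Name != None:
+name = str(header.NameInfo.Name).lower()
 else:
 name = None
 
-if drv.DriverName != None:
-driver_name = str(drv.DriverName).lower()
+if driver.DriverName != None:
+driver_name = str(driver.DriverName).lower()
 else:
 driver_name = None
 
-if drv.DriverSize != None:
-driver_size = drv.DriverSize
+if driver.DriverSize != None:
+driver_size = driver.DriverSize
 else:
 driver_size = None
 
-if drv.DriverStart != None:
-driver_start = drv.DriverStart
+if driver.DriverStart != None:
+driver_start = driver.DriverStart
 else:
 driver_start = None
 
 mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in lsmod(addr_space))
 mod_addrs = sorted(mods.keys())
 
 IRPs = {}
-for i, function in enumerate(drv.MajorFunction):
-function = drv.MajorFunction[i]
+for i, function in enumerate(driver.MajorFunction):
+function = driver.MajorFunction[i]
 module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
 if module:
 module_name = str(module.BaseDllName or '').lower()
@@ -528,40 +529,40 @@ def calculate(self):
 'driver_start': driver_start,
 'irps': IRPs
 })
+
 else:
-for driver in drv_scan.calculate():
-header = driver.get_object_header()
-if driver.DriverExtension.ServiceKeyName != None:
-service_key_name = str(driver.DriverExtension.ServiceKeyName).lower()
+for obj, drv, ext in drv_scan.calculate():
+if ext.ServiceKeyName != None:
+service_key_name = str(ext.ServiceKeyName).lower()
 else:
 service_key_name = None
 
-if header.NameInfo.Name != None:
-name = str(header.NameInfo.Name).lower()
+if obj.NameInfo.Name != None:
+name = str(obj.NameInfo.Name).lower()
 else:
 name = None
 
-if driver.DriverName != None:
-driver_name = str(driver.DriverName).lower()
+if drv.DriverName != None:
+driver_name = str(drv.DriverName).lower()
 else:
 driver_name = None
 
-if driver.DriverSize != None:
-driver_size = driver.DriverSize
+if drv.DriverSize != None:
+driver_size = drv.DriverSize
 else:
 driver_size = None
 
-if driver.DriverStart != None:
-driver_start = driver.DriverStart
+if drv.DriverStart != None:
+driver_start = drv.DriverStart
 else:
 driver_start = None
 
 mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in lsmod(addr_space))
 mod_addrs = sorted(mods.keys())
 
 IRPs = {}
-for i, function in enumerate(driver.MajorFunction):
-function = driver.MajorFunction[i]
+for i, function in enumerate(drv.MajorFunction):
+function = drv.MajorFunction[i]
 module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
 if module:
 module_name = str(module.BaseDllName or '').lower()
@@ -577,6 +578,7 @@ def calculate(self):
 'driver_start': driver_start,
 'irps': IRPs
 })
+
 
 # Instantiating Modules plugin
 for m in lsmod(addr_space):
@@ -616,39 +618,41 @@ def calculate(self):
 # Instantiating DriverScan plugin
 addr_space = utils.load_as(self._config)
 drv_scan = DriverScan(self._config)
-if volatility.constants.VERSION != "2.4":
-for obj, drv, ext in drv_scan.calculate():
-if ext.ServiceKeyName != None:
-service_key_name = str(ext.ServiceKeyName).lower()
+
+if volatility.constants.VERSION == "2.6" or volatility.constants.VERSION == "2.4":
+for driver in drv_scan.calculate():
+header = driver.get_object_header()
+if driver.DriverExtension.ServiceKeyName != None:
+service_key_name = str(driver.DriverExtension.ServiceKeyName).lower()
 else:
 service_key_name = None
 
-if obj.NameInfo.Name != None:
-name = str(obj.NameInfo.Name).lower()
+if header.NameInfo.Name != None:
+name = str(header.NameInfo.Name).lower()
 else:
 name = None
 
-if drv.DriverName != None:
-driver_name = str(drv.DriverName).lower()
+if driver.DriverName != None:
+driver_name = str(driver.DriverName).lower()
 else:
 driver_name = None
 
-if drv.DriverSize != None:
-driver_size = drv.DriverSize
+if driver.DriverSize != None:
+driver_size = driver.DriverSize
 else:
 driver_size = None
 
-if drv.DriverStart != None:
-driver_start = drv.DriverStart
+if driver.DriverStart != None:
+driver_start = driver.DriverStart
 else:
 driver_start = None
 
 mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in lsmod(addr_space))
 mod_addrs = sorted(mods.keys())
 
 IRPs = {}
-for i, function in enumerate(drv.MajorFunction):
-function = drv.MajorFunction[i]
+for i, function in enumerate(driver.MajorFunction):
+function = driver.MajorFunction[i]
 module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
 if module:
 module_name = str(module.BaseDllName or '').lower()
@@ -663,44 +667,44 @@ def calculate(self):
 'driver_size': driver_size,
 'driver_start': driver_start,
 'irps': IRPs,
-'obj': obj,
-'drv': drv,
-'ext': ext
+'obj': header,
+'drv': driver,
+'ext': driver.DriverExtension
 })
-else:
-for driver in drv_scan.calculate():
-header = driver.get_object_header()
-if driver.DriverExtension.ServiceKeyName != None:
-service_key_name = str(driver.DriverExtension.ServiceKeyName).lower()
+
+else:
+for obj, drv, ext in drv_scan.calculate():
+if ext.ServiceKeyName != None:
+service_key_name = str(ext.ServiceKeyName).lower()
 else:
 service_key_name = None
 
-if header.NameInfo.Name != None:
-name = str(header.NameInfo.Name).lower()
+if obj.NameInfo.Name != None:
+name = str(obj.NameInfo.Name).lower()
 else:
 name = None
 
-if driver.DriverName != None:
-driver_name = str(driver.DriverName).lower()
+if drv.DriverName != None:
+driver_name = str(drv.DriverName).lower()
 else:
 driver_name = None
 
-if driver.DriverSize != None:
-driver_size = driver.DriverSize
+if drv.DriverSize != None:
+driver_size = drv.DriverSize
 else:
 driver_size = None
 
-if driver.DriverStart != None:
-driver_start = driver.DriverStart
+if drv.DriverStart != None:
+driver_start = drv.DriverStart
 else:
 driver_start = None
 
 mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in lsmod(addr_space))
 mod_addrs = sorted(mods.keys())
 
 IRPs = {}
-for i, function in enumerate(driver.MajorFunction):
-function = driver.MajorFunction[i]
+for i, function in enumerate(drv.MajorFunction):
+function = drv.MajorFunction[i]
 module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
 if module:
 module_name = str(module.BaseDllName or '').lower()
@@ -715,11 +719,11 @@ def calculate(self):
 'driver_size': driver_size,
 'driver_start': driver_start,
 'irps': IRPs,
-'obj': header,
-'drv': driver,
-'ext': driver.DriverExtension
+'obj': obj,
+'drv': drv,
+'ext': ext
 })
-
+
 for m in lsmod(addr_space):
 self.image_mod_list.append({
 'full_dll_name': str(m.FullDllName).lower(),
@@ -823,9 +827,10 @@ def render_text(self, outfd, data):
 ('Path', '')
 ])
 
+
 for object_obj, driver_obj, extension_obj, known, d_name, drv_name, drv_mod, drv_size, drv_path, drv_irp, drv_irps, drv_bl_irps in data:
 
-self.table_row(outfd,
+self.table_row(outfd,
 driver_obj.obj_offset,
 str(extension_obj.ServiceKeyName or ''),
 str(known),
@@ -835,7 +840,7 @@ def render_text(self, outfd, data):
 str(drv_size),
 str(drv_irp),
 str(drv_path)
-)
+)
 ##########################################################################################
 # SERVICEBL PLUGIN
 ##########################################################################################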
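Review bot: The new gate `if volatility.constants.VERSION == "2.6" or volatility.constants.VERSION == "2.4":` (new lines 483 and 622, in both calculate() methods) is an exact string match, so any other release string — "2.5", "2.6.1", a development build — drops into the `else` branch and its three-way unpack `for obj, drv, ext in drv_scan.calculate():`, which fails at runtime on a release that yields single driver objects the way the 2.4/2.6 branch expects. If the tuple-yielding API is the pre-2.4 one, as the two branch shapes suggest but the page does not show, then either a parsed-version comparison against (2, 4) or, more simply, normalising on the shape of what calculate() yields covers every later release without another patch; a baseline tool that silently fails to enumerate drivers on one version undermines the comparison it exists to make. The same pair of branches is copied into both calculate() methods, so the gate and the ~40 lines of per-driver attribute extraction exist twice; one helper that yields a (header, driver, extension) triple removes the duplication and the version check from both call sites. The `!= None` comparisons throughout the new lines should be `is not None`. Both calculate() bodies start and end outside the hunks.
```python
def _iter_drivers(drv_scan):
    """Yield (object_header, driver, driver_extension) for every scanned driver,
    normalising the two result shapes of DriverScan.calculate() seen in this file."""
    for item in drv_scan.calculate():
        if isinstance(item, tuple):
            # legacy shape: (object header, driver, extension) -- confirm against DriverScan
            yield item
        else:
            yield item.get_object_header(), item, item.DriverExtension

# … in each calculate(): the version gate and both branches collapse to …
for header, driver, extension in _iter_drivers(drv_scan):
    # … unchanged: service_key_name / name / driver_name / driver_size / driver_start / IRP extraction …
```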
