

Merge pull request #1632 from volatilityfoundation/fix_poolscanners
Check Win10+ SlushSize member to support Windows 11 pool scanning. Re…
ikelos authored Feb 23, 2025
2 parents 2ffb3ac + ba56e42 commit 37bdb6c
Showing 2 changed files with 18 additions and 15 deletions.
29 changes: 15 additions & 14 deletions volatility3/framework/plugins/windows/poolscanner.py
Expand Up @@ -205,6 +205,7 @@ def builtin_constraints(
b"AtmT",
type_name=symbol_table + constants.BANG + "_RTL_ATOM_TABLE",
size=(200, None),
# TODO - update this after the GUI code goes on
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
),
# processes on windows before windows 8
Expand All @@ -214,7 +215,7 @@ def builtin_constraints(
object_type="Process",
size=(600, None),
skip_type_test=True,
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
),
# processes on windows starting with windows 8
PoolConstraint(
Expand All @@ -223,7 +224,7 @@ def builtin_constraints(
object_type="Process",
size=(600, None),
skip_type_test=True,
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
),
# threads on windows before windows8
PoolConstraint(
Expand All @@ -232,55 +233,55 @@ def builtin_constraints(
object_type="Thread",
size=(600, None), # -> 0x0258 - size of struct in win5.1
skip_type_test=True,
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
),
# threads on windows starting with windows8
PoolConstraint(
b"Thre",
type_name=symbol_table + constants.BANG + "_ETHREAD",
object_type="Thread",
size=(600, None), # -> 0x0258 - size of struct in win5.1
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
),
# files on windows before windows 8
PoolConstraint(
b"Fil\xe5",
type_name=symbol_table + constants.BANG + "_FILE_OBJECT",
object_type="File",
size=(150, None),
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
),
# files on windows starting with windows 8
PoolConstraint(
b"File",
type_name=symbol_table + constants.BANG + "_FILE_OBJECT",
object_type="File",
size=(150, None),
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
),
# mutants on windows before windows 8
PoolConstraint(
b"Mut\xe1",
type_name=symbol_table + constants.BANG + "_KMUTANT",
object_type="Mutant",
size=(64, None),
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
),
# mutants on windows starting with windows 8
PoolConstraint(
b"Muta",
type_name=symbol_table + constants.BANG + "_KMUTANT",
object_type="Mutant",
size=(64, None),
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
),
# drivers on windows before windows 8
PoolConstraint(
b"Dri\xf6",
type_name=symbol_table + constants.BANG + "_DRIVER_OBJECT",
object_type="Driver",
size=(248, None),
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
additional_structures=["_DRIVER_EXTENSION"],
),
# drivers on windows starting with windows 8
Expand All @@ -289,37 +290,37 @@ def builtin_constraints(
type_name=symbol_table + constants.BANG + "_DRIVER_OBJECT",
object_type="Driver",
size=(248, None),
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
),
# kernel modules
PoolConstraint(
b"MmLd",
type_name=symbol_table + constants.BANG + "_LDR_DATA_TABLE_ENTRY",
size=(76, None),
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
),
# symlinks on windows before windows 8
PoolConstraint(
b"Sym\xe2",
type_name=symbol_table + constants.BANG + "_OBJECT_SYMBOLIC_LINK",
object_type="SymbolicLink",
size=(72, None),
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
),
# symlinks on windows starting with windows 8
PoolConstraint(
b"Symb",
type_name=symbol_table + constants.BANG + "_OBJECT_SYMBOLIC_LINK",
object_type="SymbolicLink",
size=(72, None),
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.NONPAGED | PoolType.FREE,
),
# registry hives
PoolConstraint(
b"CM10",
type_name=symbol_table + constants.BANG + "_CMHIVE",
size=(800, None),
page_type=PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE,
page_type=PoolType.PAGED | PoolType.FREE,
skip_type_test=True,
),
]
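Review bot: The `# TODO - update this after the GUI code goes on` comment added beside the `AtmT` constraint names neither an owner nor what is meant to change, so a later reader cannot tell why this entry alone keeps `PoolType.PAGED | PoolType.NONPAGED | PoolType.FREE` while every other changed constraint below narrows its `page_type`. A TODO that states the intended end state is easier to act on, e.g. `# TODO(<owner>): narrow page_type like the other constraints once the GUI code lands; until then AtmT scans all pool types`. The narrowing itself (dropping PAGED for object constraints, dropping NONPAGED for `CM10`) is consistent across the hunks, but a one-line comment near the first narrowed entry explaining that the scanner now only accepts the pool type the object is allocated in would document the trade-off for anyone tuning false positives later. builtin_constraints starts before the first hunk and continues past the last one.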
4 changes: 3 additions & 1 deletion volatility3/framework/symbols/windows/__init__.py
Expand Up @@ -48,7 +48,9 @@ def __init__(self, *args, **kwargs) -> None:

# This doesn't exist in very specific versions of windows
with contextlib.suppress(ValueError):
if self.get_type("_POOL_TRACKER_BIG_PAGES").has_member("PoolType"):
if self.get_type("_POOL_TRACKER_BIG_PAGES").has_member(
"PoolType"
) or self.get_type("_POOL_TRACKER_BIG_PAGES").has_member("SlushSize"):
self.set_type_class("_POOL_HEADER", pool.POOL_HEADER_VISTA)
else:
self.set_type_class("_POOL_HEADER", pool.POOL_HEADER)
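Review bot: The new condition looks up `self.get_type("_POOL_TRACKER_BIG_PAGES")` twice, once per `has_member` call; binding it once reads better and keeps the `contextlib.suppress(ValueError)` scope tied to a single lookup, e.g. `big_pages = self.get_type("_POOL_TRACKER_BIG_PAGES")` followed by `if big_pages.has_member("PoolType") or big_pages.has_member("SlushSize"):`. The hunk also gives no hint why `SlushSize` selects `pool.POOL_HEADER_VISTA`; if, as the commit title suggests, this member is what newer Windows 10/11 tracker structures expose, a comment such as `# Newer Win10/11 builds expose SlushSize here; treat it like PoolType as a marker for the Vista+ pool header layout` would record that intent next to the check. `__init__` begins before this hunk and continues past it.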
