ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

display file device names in handles output #188

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hey guys, 

This is related to Issue #135 but different enough to submit a separate patch. 
You may have noticed that the handles output has always (since 1.3) printed 
many File objects that appear to be unnamed:

....
0xfffffadfe728ddc0   4      0x12019f   File             '\\'
0xfffffadfe606e050   4      0x1f01ff   File             
0xfffffadfe6b7d5a0   4      0x1f01ff   File             '\\255'
0xfffffadfe6c97270   4      0x1f01ff   File             
0xfffffadfe5cac800   4      0x1200a0   File             
0xfffffadfe6b8d1f0   4      0x12008b   File             '\\WINDOWS\\system32\\MsDtc\\Trace\\dtctrace.log'
0xfffffadfe75a0420   4      0x12019f   File             
0xfffffadfe605b900   4      0x12019f   File             
0xfffffadfe6e2ac30   4      0x12019f   File             

....

Tools like Process Explorer show these as having names like \Device\Tcp. So 
they are in fact handles to file objects, but not for files on disk - they are 
file handles to network devices. 

The attached patch seeks to give us the ability to differentiate between 
handles to files on disk and these network devices. Here's what you see after 
the patch:

....
0xfffffadfe728ddc0   4      File             '\\Device\\NamedPipe\\'
0xfffffadfe606e050   4      File             '\\Device\\Udp'
0xfffffadfe6b7d5a0   4      File             '\\Device\\RawIp\\255'
0xfffffadfe6c97270   4      File             '\\Device\\Udp'
0xfffffadfe5cac800   4      File             '\\Device\\Udp'
0xfffffadfe6b8d1f0   4      File             '\\Device\\HarddiskVolume1\\WINDOWS\\system32\\MsDtc\\Trace\\dtctrace.log'
0xfffffadfe75a0420   4      File             '\\Device\\Tcp'
0xfffffadfe605b900   4      File             '\\Device\\Tcp'
0xfffffadfe6e2ac30   4      File             '\\Device\\Tcp'
....

I think this is pretty important. Please review and let me know?

Original issue reported on code.google.com by michael.hale@gmail.com on 23 Jan 2012 at 5:47
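A small model of the naming change this issue asks for, added here as an illustration (not Volatility's code and not the attached patch): it assumes a constructed `FileObject` stand-in for the fields read from a `_FILE_OBJECT`, and an assumed set of tcpip.sys device names, to show why an "unnamed" File handle is really a device handle.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-in for the two pieces of a Windows _FILE_OBJECT the handles
# output needs: the object-header name of the owning _DEVICE_OBJECT (assumed
# already read from memory) and the FILE_OBJECT.FileName string.
@dataclass
class FileObject:
    device_name: Optional[str]  # "Tcp", "Udp", "HarddiskVolume1", ... or None
    file_name: str              # "\\WINDOWS\\...\\dtctrace.log", "\\255", or ""


def file_name_with_device(fobj: FileObject) -> str:
    """Qualify the handle name with its device, as in the post-patch output.

    A handle whose FILE_OBJECT has an empty FileName is not unnamed: the device
    it belongs to (e.g. \\Device\\Tcp) is the name worth reporting.
    """
    name = ""
    if fobj.device_name:
        name = "\\Device\\" + fobj.device_name
    return name + (fobj.file_name or "")


# Assumed set of device objects created by tcpip.sys; the names seen in the
# issue are Tcp, Udp and RawIp.  Extend it for other drivers of interest.
NETWORK_DEVICES = {"Tcp", "Udp", "RawIp", "Ip"}


def classify(fobj: FileObject) -> str:
    """Split File handles the way the issue describes: 'disk' for files on a
    volume, 'network' for tcpip.sys device handles, 'other' (pipes etc.)."""
    dev = fobj.device_name or ""
    if dev.startswith("HarddiskVolume"):
        return "disk"
    if dev in NETWORK_DEVICES:
        return "network"
    return "other"


def render_handles(rows: List[Tuple[int, int, int, FileObject]]) -> List[str]:
    """Format (offset, pid, granted_access, file_object) rows like the plugin
    output, keeping the GrantedAccess column that the patch keeps."""
    return ["{0:#x}   {1:<6} {2:#x}   File             '{3}'".format(
        off, pid, access, file_name_with_device(f)) for off, pid, access, f in rows]
```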

GoogleCodeExporter commented 9 years ago
Btw, the patch will not remove the GrantedAccess column like it appears 
above...that was just a copy & paste error when I entered the issue. 

Original comment by michael.hale@gmail.com on 23 Jan 2012 at 5:49

GoogleCodeExporter commented 9 years ago
Looks good, the only change I'd ask for is that

def get_item(self, entry, handle_value):

change to

def get_item(self, entry, handle_value = 0):

Otherwise looks good for a commit.

Original comment by mike.auty@gmail.com on 23 Jan 2012 at 2:24

GoogleCodeExporter commented 9 years ago
Oh, one other small note, I don't think the \ is required after the /.  The \ 
character forces the parser to read in the next line, but if an arithmetic 
operator is present, it should go to the next line anyway (similarly for 
multi-line dictionaries, etc)...

Original comment by mike.auty@gmail.com on 23 Jan 2012 at 2:28

GoogleCodeExporter commented 9 years ago
Uhh oops, I attached the patch for Issue #135 here. The patch for Issue #188 
should be named volatility-file-device.patch. 

Original comment by michael.hale@gmail.com on 23 Jan 2012 at 3:16

GoogleCodeExporter commented 9 years ago
Hey Ikelos can you take a second look at this now that I've attached the right 
patch ;-) 

Original comment by michael.hale@gmail.com on 24 Jan 2012 at 7:01

GoogleCodeExporter commented 9 years ago
Looks fine save for the rogue "import volatility.obj as obj".  Don't think 
that's needed, otherwise all looks good, commit away...

Original comment by mike.auty@gmail.com on 25 Jan 2012 at 11:49

GoogleCodeExporter commented 9 years ago
Thanks! Yeah I think that import volatility.obj was part of some other patch 
that snuck in somehow. Thx. 

Original comment by michael.hale@gmail.com on 26 Jan 2012 at 12:12

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1313.

Original comment by michael.hale@gmail.com on 26 Jan 2012 at 12:59