quentinleher / volatility

Automatically exported from code.google.com/p/volatility

auto-generated pe vtypes #290

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hey guys, 

In the volatility/plugins/overlays/windows/pe_vtypes.py file we have mostly 
hand-made PE structures. The nt module from which we auto-generate OS vtypes 
doesn't define them, so a while back I compiled an exe with Visual Studio that 
imported many of the headers like WinNT.h, then used pdbparse on the exe's PDB 
file so I could extract the structures. You'll notice a lot of 
unnecessary/unrelated stuff at the top of this attachment; those are related to 
the MS compiler junk, so we'll likely just want to strip out the real PE 
structures near the end. Then I know scudette has some pretty awesome overlays 
we could merge. The end goal is to eliminate all the hand-made PE structures 
which may be using slightly different types (i.e. int vs unsigned int) and 
maybe even slightly different member names. 

If you have any questions, let me know. 

Original issue reported on code.google.com by michael.hale@gmail.com on 6 Jul 2012 at 5:28

Attachments:

GoogleCodeExporter commented 8 years ago
This will probably need some more cleanup for things like:

  'ITypeLib' : [ 0x4, {
    'òñ^Q^U^[' : [ 0x0, ['IUnknown']],  <- binary stuff
} ],
  'ITypeInfo' : [ 0x4, {
    'òñ^Q^U^[' : [ 0x0, ['IUnknown']],
} ],
  'IRecordInfo' : [ 0x4, {
    'òñ^Q^U^[' : [ 0x0, ['IUnknown']],
} ],

[skip]

I think "<unnamed-type-u>::<unnamed-type-s>" will give a problem: 

'_TP_CALLBACK_ENVIRON_V1::<unnamed-type-u>::<unnamed-type-s>' : [ 0x4, {
    'LongFunction' : [ 0x0, ['BitField', dict(start_bit = 0, end_bit = 1, native_type='unsigned long')]],
    'Persistent' : [ 0x0, ['BitField', dict(start_bit = 1, end_bit = 2, native_type='unsigned long')]],
    'Private' : [ 0x0, ['BitField', dict(start_bit = 2, end_bit = 32, native_type='unsigned long')]],
} ],

etc.  otherwise looks interesting

Original comment by jamie.l...@gmail.com on 7 Jul 2012 at 6:26

GoogleCodeExporter commented 8 years ago
Ah, that's what I was referring to as "unnecessary/unrelated stuff at the 
top"... we'd actually only need lines below 2260 in that file (so starting with 
the _IMAGE_OS2_HEADER struct). In other words, just the PE related structs, not 
all the other stuff.

Original comment by michael.hale@gmail.com on 7 Jul 2012 at 8:26
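The two cleanup problems raised in the comments above (member names that are binary junk, and nested "<unnamed-type-u>::<unnamed-type-s>" struct names) plus the "only keep the PE-related structs" step can be checked mechanically before a generated vtypes dict is committed. The following is an added example written for this thread, not code from the Volatility project or from the attachment. It assumes the standard Volatility vtypes layout (name -> [size, {member: [offset, [type ...]]}]), renames anonymous types with a `__unnamed_` prefix (the naming used for anonymous types elsewhere in Volatility's auto-generated vtypes; adopting it here is this example's choice), and selects PE structs by the `_IMAGE_` name prefix rather than by the line number quoted above, which is also an assumption. The sample input is constructed from the fragments quoted in the thread.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample modelled on the pdbparse output quoted in the thread; it is
# not the real attachment. Layout is Volatility's vtypes format:
#   struct_name -> [size, {member_name: [offset, [type_spec, ...]]}]
SAMPLE_VTYPES = {
    'ITypeLib': [0x4, {
        '\xf2\xf1\x11\x15\x1b': [0x0, ['IUnknown']],  # member name is binary junk
    }],
    '_TP_CALLBACK_ENVIRON_V1::<unnamed-type-u>::<unnamed-type-s>': [0x4, {
        'LongFunction': [0x0, ['BitField', dict(start_bit=0, end_bit=1, native_type='unsigned long')]],
        'Persistent': [0x0, ['BitField', dict(start_bit=1, end_bit=2, native_type='unsigned long')]],
        'Private': [0x0, ['BitField', dict(start_bit=2, end_bit=32, native_type='unsigned long')]],
    }],
    '_TP_CALLBACK_ENVIRON_V1::<unnamed-type-u>': [0x4, {
        'Flags': [0x0, ['unsigned long']],
        's': [0x0, ['_TP_CALLBACK_ENVIRON_V1::<unnamed-type-u>::<unnamed-type-s>']],
    }],
    '_IMAGE_OS2_HEADER': [0x40, {
        'ne_magic': [0x0, ['unsigned short']],
        'ne_ver': [0x2, ['unsigned char']],
    }],
    '_IMAGE_DOS_HEADER': [0x40, {
        'e_magic': [0x0, ['unsigned short']],
        'e_lfanew': [0x3c, ['long']],
    }],
    '_IMAGE_THUNK_DATA32': [0x4, {
        'u1': [0x0, ['pointer', ['_IMAGE_IMPORT_BY_NAME']]],
    }],
}

_UNNAMED = re.compile(r'<unnamed-type-([^>]+)>')


def has_binary_junk(name: str) -> bool:
    """True if a member/struct name contains anything outside printable ASCII."""
    return any(not (0x20 <= ord(c) <= 0x7e) for c in name)


def normalize_type_name(name: str) -> str:
    """Flatten '<unnamed-type-X>' and '::' scopes into one identifier, e.g.
    'A::<unnamed-type-u>::<unnamed-type-s>' -> 'A__unnamed_u__unnamed_s'.
    The '__unnamed_' convention is this example's assumption."""
    return _UNNAMED.sub(r'unnamed_\1', name).replace('::', '__')


def _rewrite_type(spec: Any, renames: Dict[str, str]) -> Any:
    """Recursively apply struct renames inside a member type spec such as
    ['pointer', ['X']] or ['array', 4, ['X']]; dicts (BitField args) pass through."""
    if isinstance(spec, list):
        out = []
        for i, item in enumerate(spec):
            if i == 0 and isinstance(item, str):
                out.append(renames.get(item, item))  # leading string is the type name
            else:
                out.append(_rewrite_type(item, renames))
        return out
    return spec


def sanitize_vtypes(vtypes: dict) -> Tuple[dict, List[str]]:
    """Return (cleaned vtypes, report). Members with binary-junk names are
    dropped and reported; anonymous nested types are renamed consistently,
    including every member that refers to them by the old name."""
    renames = {n: normalize_type_name(n) for n in vtypes if _UNNAMED.search(n) or '::' in n}
    cleaned: dict = {}
    report: List[str] = []
    for name, (size, members) in vtypes.items():
        new_name = renames.get(name, name)
        if new_name != name:
            report.append('renamed struct %r -> %r' % (name, new_name))
        new_members = {}
        for member, (offset, spec) in members.items():
            if has_binary_junk(member):
                report.append('dropped member %r of %s (non-printable name)' % (member, name))
                continue
            new_members[member] = [offset, _rewrite_type(spec, renames)]
        cleaned[new_name] = [size, new_members]
    return cleaned, report


def select_pe_structs(vtypes: dict, prefix: str = '_IMAGE_') -> dict:
    """Keep only the PE-related structures. The thread picks them by position in
    the attachment (from _IMAGE_OS2_HEADER onward); filtering on the '_IMAGE_'
    name prefix instead is this example's assumption."""
    return {n: v for n, v in vtypes.items() if n.startswith(prefix)}


if __name__ == '__main__':
    clean, notes = sanitize_vtypes(SAMPLE_VTYPES)
    for line in notes:
        print(line)
    print(sorted(select_pe_structs(clean)))
```

Running it prints one "dropped member" line for ITypeLib and two "renamed struct" lines for the _TP_CALLBACK_ENVIRON_V1 anonymous types, then the three `_IMAGE_` structs. The report is the useful part for review: anything it drops or renames is a candidate for a hand-written overlay rather than something to silently accept from the generator.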

GoogleCodeExporter commented 8 years ago
ah ok.  here's a new copy w/o those lines then

Original comment by jamie.l...@gmail.com on 7 Jul 2012 at 8:31

Attachments:

GoogleCodeExporter commented 8 years ago
actually we still have things like <unnamed-type-N>::<unnamed-type-Name> in the 
lines you requested

Original comment by jamie.l...@gmail.com on 7 Jul 2012 at 8:33

GoogleCodeExporter commented 8 years ago
Ah yeah, this attached one is more likely what we need, but there's still some 
unfamiliar stuff in the ImageThunkData structs. I'll pass this along to BDG on 
the pdbparse site and see what he thinks. 

Original comment by michael.hale@gmail.com on 7 Jul 2012 at 11:12

Attachments:

GoogleCodeExporter commented 8 years ago
Just adding mooyix 

Original comment by michael.hale@gmail.com on 8 Jul 2012 at 12:07

GoogleCodeExporter commented 8 years ago
At this time, I don't think we really have a need for auto-generated types. I 
think scudette has done some work with PE vtypes, so when 3.0 comes along, we 
should be pretty well off...and we can always reopen this if needed. 

Original comment by michael.hale@gmail.com on 1 Feb 2013 at 5:01