qwhai / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

PE IAT and EAT enumeration object classes and test plugin #197

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I just committed pe_vtypes.py to the trunk and linked them with appropriate 
profiles. Ikelos and I have been working on this and I now have a patch for 
integrating the object classes. 

Here's what's in the patch:

   * object class for _IMAGE_IMPORT_DESCRIPTOR 
   * object class for _IMAGE_EXPORT_DIRECTORY 
   * object class for _LDR_DATA_TABLE_ENTRY with generators for imports() and exports() and a getprocaddress() API 
   * a plugin for the contrib/ directory that enumerates imported and exported functions from processes and kernel drivers (optionally finds the objects by scanning just to test the obj_native_vm stuff) 

I've tested the plugin on a variety of x86 and x64 memory dumps. This code was 
mostly available in malware.py until now, so I've ported it, cleaned it up, and 
added lots of comments. It will not only be used by malware plugins in the 
future (for example to find exported functions in order to check if they're 
hooked), but it will be necessary for the ssdt plugin on x64. 

Please let me know if you have any questions or comments, I'd like to get it 
committed ASAP so I can follow up with the ssdt.py patch and bring us x64 
support. 

Original issue reported on code.google.com by michael.hale@gmail.com on 30 Jan 2012 at 6:39

GoogleCodeExporter commented 9 years ago
Here's the patch....

Original comment by michael.hale@gmail.com on 30 Jan 2012 at 6:40

Attachments:

GoogleCodeExporter commented 9 years ago
Oh yeah, just FYI it handles functions imported by name or ordinal, functions 
exported by name or ordinal, and forwarded exports. It does not attempt to 
enumerate delayed imports. 

Original comment by michael.hale@gmail.com on 30 Jan 2012 at 6:42
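As an added illustration of the enumeration the two comments above describe (imports by name or ordinal, exports by name or ordinal, forwarded exports, and no delay-load handling), here is a stand-alone walker over a flat, RVA-addressed PE image. This is example code written for this page, not Volatility's pe_vtypes.py or the attached patch. It assumes the DOS/NT headers have already been parsed: the export directory RVA and size and the import table RVA (which a real caller takes from the optional header's data directories, entries 0 and 1) are passed in directly, and the sample image, the module name `TEST.dll`, the function names and the `KERNEL32.dll` import are all constructed for the example.

```python
"""Minimal IAT/EAT walker over a flat, RVA-addressed PE image.
Constructed example, not Volatility's pe_vtypes.py."""
import struct
from collections import namedtuple

Export = namedtuple("Export", "ordinal name rva forwarder")
Import = namedtuple("Import", "dll name ordinal iat_rva")

# thunk width -> IMAGE_ORDINAL_FLAG bit (bit 31 on x86, bit 63 on x64)
ORDINAL_FLAG = {4: 0x80000000, 8: 0x8000000000000000}


def read_cstring(image, rva):
    """Read a NUL-terminated ASCII string located at an RVA."""
    return image[rva:image.index(b"\x00", rva)].decode("ascii")


def exports(image, export_rva, export_size):
    """Walk _IMAGE_EXPORT_DIRECTORY. Every non-zero function slot is an export
    (named or ordinal-only). A forwarder is recognised because its 'RVA' points
    back inside the export directory at a 'DLL.Func' string."""
    (_, _, _, _, _, base, nfuncs, nnames, addr_funcs, addr_names,
     addr_ords) = struct.unpack_from("<IIHHIIIIIII", image, export_rva)
    funcs = struct.unpack_from("<%dI" % nfuncs, image, addr_funcs)
    names = struct.unpack_from("<%dI" % nnames, image, addr_names)
    ords = struct.unpack_from("<%dH" % nnames, image, addr_ords)
    name_of = {o: read_cstring(image, n) for n, o in zip(names, ords)}
    result = []
    for idx, rva in enumerate(funcs):
        if rva == 0:
            continue  # hole in the ordinal space
        forwarder = None
        if export_rva <= rva < export_rva + export_size:
            forwarder = read_cstring(image, rva)
        result.append(Export(base + idx, name_of.get(idx), rva, forwarder))
    return result


def getprocaddress(image, export_rva, export_size, key):
    """Resolve an export by name (str) or ordinal (int). Returns the RVA, the
    forwarder string for a forwarded export, or None when not found."""
    for e in exports(image, export_rva, export_size):
        if e.name == key or e.ordinal == key:
            return e.forwarder if e.forwarder is not None else e.rva
    return None


def imports(image, import_rva, thunk_size=4):
    """Walk the _IMAGE_IMPORT_DESCRIPTOR array (terminated by an all-zero
    entry). thunk_size is 4 for x86, 8 for x64. Delay-load imports live in a
    different directory and are deliberately not covered here."""
    flag = ORDINAL_FLAG[thunk_size]
    fmt = "<I" if thunk_size == 4 else "<Q"
    result, desc = [], import_rva
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", image, desc)
        if ilt == 0 and name_rva == 0 and iat == 0:
            break
        dll = read_cstring(image, name_rva)
        table = ilt or iat  # prefer the untouched ILT; some linkers omit it
        i = 0
        while True:
            (entry,) = struct.unpack_from(fmt, image, table + i * thunk_size)
            if entry == 0:
                break
            slot = iat + i * thunk_size  # where the resolved pointer lands
            if entry & flag:
                result.append(Import(dll, None, entry & 0xFFFF, slot))
            else:  # _IMAGE_IMPORT_BY_NAME: 2-byte Hint then the name
                result.append(Import(dll, read_cstring(image, entry + 2), slot and slot * 0 or None, slot)
                              if False else Import(dll, read_cstring(image, entry + 2), None, slot))
            i += 1
        desc += 20
    return result


EXPORT_RVA, EXPORT_SIZE, IMPORT_RVA = 0x200, 0x120, 0x400


def build_sample_image():
    """Constructed 4 KiB image (headers omitted): an export directory with a
    named, an ordinal-only and a forwarded export, plus one import descriptor
    holding a by-name and a by-ordinal thunk."""
    img = bytearray(0x1000)

    def put(rva, data):
        img[rva:rva + len(data)] = data

    # export directory: Base=5, 3 function slots, 2 names
    put(0x200, struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0x300, 5, 3, 2, 0x240, 0x260, 0x280))
    put(0x240, struct.pack("<3I", 0x1100, 0x1200, 0x2E0))  # slot 2 points into the directory
    put(0x260, struct.pack("<2I", 0x310, 0x318))
    put(0x280, struct.pack("<2H", 0, 2))
    put(0x2E0, b"OTHER.Gamma\x00")  # forwarder string
    put(0x300, b"TEST.dll\x00")
    put(0x310, b"Alpha\x00")
    put(0x318, b"Beta\x00")
    # import descriptor: ILT=0x440, Name=0x480, IAT=0x460; next descriptor is all zero
    put(0x400, struct.pack("<IIIII", 0x440, 0, 0, 0x480, 0x460))
    thunks = struct.pack("<3I", 0x4A0, 0x80000000 | 16, 0)
    put(0x440, thunks)
    put(0x460, thunks)  # an unbound IAT starts as a copy of the ILT
    put(0x480, b"KERNEL32.dll\x00")
    put(0x4A0, struct.pack("<H", 0x12) + b"CreateFileW\x00")
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_image()
    for e in exports(img, EXPORT_RVA, EXPORT_SIZE):
        print(e)
    for i in imports(img, IMPORT_RVA):
        print(i)
    print(hex(getprocaddress(img, EXPORT_RVA, EXPORT_SIZE, "Alpha")))
```

The `iat_rva` carried on each `Import` is the slot a hook check would read back from process memory: for a live process the value stored there should equal the RVA that `getprocaddress()` yields on the exporting module (plus that module's base), and a forwarder must be chased to the module it names before comparing.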

GoogleCodeExporter commented 9 years ago
Excellent job.

Original comment by marko.th...@gmail.com on 31 Jan 2012 at 10:52

GoogleCodeExporter commented 9 years ago
Hey guys, I'm gonna go ahead and commit this so I can submit the next patch for 
review (it will be attached to the ssdt issue). If you have any problems with 
this patch please feel free to re-open.

Original comment by michael.hale@gmail.com on 31 Jan 2012 at 1:02

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1322.

Original comment by michael.hale@gmail.com on 31 Jan 2012 at 1:03