Merge pull request #1608 from volatilityfoundation/issue_1319_dumpfiles
Switch virtual and physical addresses to lists to support dumping mul…
ikelos authored Feb 15, 2025
2 parents 0ea766a + 49b40eb commit a982939
Showing 1 changed file with 27 additions and 19 deletions.
46 changes: 27 additions & 19 deletions volatility3/framework/plugins/windows/dumpfiles.py
Expand Up @@ -44,14 +44,16 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
description="Process ID to include (all other processes are excluded)",
optional=True,
),
requirements.IntRequirement(
requirements.ListRequirement(
name="virtaddr",
description="Dump a single _FILE_OBJECT at this virtual address",
element_type=int,
description="Dump the _FILE_OBJECTs at the given virtual address(es)",
optional=True,
),
requirements.IntRequirement(
requirements.ListRequirement(
name="physaddr",
description="Dump a single _FILE_OBJECT at this physical address",
element_type=int,
description="Dump a single _FILE_OBJECTs at the given physical address(es)",
optional=True,
),
requirements.StringRequirement(
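Review bot: The new physaddr description still reads `Dump a single _FILE_OBJECTs at the given physical address(es)`, mixing the old single-address wording with the new plural form, and this string is the help text users see for --physaddr. Suggest matching the virtaddr entry just above: `description="Dump the _FILE_OBJECTs at the given physical address(es)",`. The get_requirements body continues outside the hunk.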
Expand Down Expand Up @@ -318,24 +320,26 @@ def _generator(self, procs: List, offsets: List):
)

elif offsets:
virtual_layer_name = kernel.layer_name

# FIXME - change this after standard access to physical layer
physical_layer_name = self.context.layers[virtual_layer_name].config[
"memory_layer"
]

# Now process any offsets explicitly requested by the user.
for offset, is_virtual in offsets:
try:
layer_name = kernel.layer_name
# switch to a memory layer if the user provided --physaddr instead of --virtaddr
if not is_virtual:
layer_name = self.context.layers[layer_name].config[
"memory_layer"
]

file_obj = self.context.object(
kernel.symbol_table_name + constants.BANG + "_FILE_OBJECT",
layer_name=layer_name,
native_layer_name=kernel.layer_name,
layer_name=(
virtual_layer_name if is_virtual else physical_layer_name
),
native_layer_name=virtual_layer_name,
offset=offset,
)
for result in self.process_file_object(
self.context, kernel.layer_name, self.open, file_obj
self.context, virtual_layer_name, self.open, file_obj
):
yield (0, result)
except exceptions.InvalidAddressException:
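Review bot: The loop `for offset, is_virtual in offsets:` relies on every entry being an (offset, is_virtual) pair, but the signature shown in the hunk header only annotates it as `offsets: List`, so the contract is invisible at the call site. Suggest extending the existing comment to `# Now process any offsets explicitly requested by the user; each entry is an (offset, is_virtual) pair as built in run().`, or tightening the annotation if `Tuple` is already imported in this file. Note also that the hoisted `physical_layer_name` lookup now runs before the loop and outside the `try`, so it executes even when every requested address is virtual; that looks harmless but is a change from the previous lazy, per-offset lookup. The _generator body continues past the hunk.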
Expand All @@ -355,11 +359,15 @@ def run(self):
):
raise ValueError("Cannot use filter flag with an address flag")

if self.config.get("virtaddr", None) is not None:
offsets.append((self.config["virtaddr"], True))
elif self.config.get("physaddr", None) is not None:
offsets.append((self.config["physaddr"], False))
else:
if self.config.get("virtaddr"):
for virtaddr in self.config["virtaddr"]:
offsets.append((virtaddr, True))

if self.config.get("physaddr"):
for physaddr in self.config["physaddr"]:
offsets.append((physaddr, False))

if not offsets:
filter_func = pslist.PsList.create_pid_filter(
[self.config.get("pid", None)]
)
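Review bot: The two append loops on the new side can be written as one expression each, which reads closer to the intent and avoids the unused loop variable name shadowing the config key: `offsets.extend((addr, True) for addr in self.config.get("virtaddr") or [])` and `offsets.extend((addr, False) for addr in self.config.get("physaddr") or [])`. Since --virtaddr and --physaddr are no longer mutually exclusive, the same address supplied twice (or under both flags) will be dumped twice; if that is not intended, de-duplicating while preserving order, e.g. `offsets = list(dict.fromkeys(offsets))`, before the `if not offsets:` check would prevent it. The enclosing run() method starts outside the hunk.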
