
Commit a982939

authored
Merge pull request #1608 from volatilityfoundation/issue_1319_dumpfiles
Switch virtual and physical addresses to lists to support dumping mul…
2 parents 0ea766a + 49b40eb commit a982939


1 file changed

+27
-19
lines changed


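--- a/volatility3/framework/plugins/windows/dumpfiles.py
+++ b/volatility3/framework/plugins/windows/dumpfiles.py
@@ -44,14 +44,16 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
 description="Process ID to include (all other processes are excluded)",
 optional=True,
 ),
-requirements.IntRequirement(
+requirements.ListRequirement(
 name="virtaddr",
-description="Dump a single _FILE_OBJECT at this virtual address",
+element_type=int,
+description="Dump the _FILE_OBJECTs at the given virtual address(es)",
 optional=True,
 ),
-requirements.IntRequirement(
+requirements.ListRequirement(
 name="physaddr",
-description="Dump a single _FILE_OBJECT at this physical address",
+element_type=int,
+description="Dump a single _FILE_OBJECTs at the given physical address(es)",
 optional=True,
 ),
 requirements.StringRequirement(
@@ -318,24 +320,26 @@ def _generator(self, procs: List, offsets: List):
 )
 
 elif offsets:
+virtual_layer_name = kernel.layer_name
+
+# FIXME - change this after standard access to physical layer
+physical_layer_name = self.context.layers[virtual_layer_name].config[
+"memory_layer"
+]
+
 # Now process any offsets explicitly requested by the user.
 for offset, is_virtual in offsets:
 try:
-layer_name = kernel.layer_name
-# switch to a memory layer if the user provided --physaddr instead of --virtaddr
-if not is_virtual:
-layer_name = self.context.layers[layer_name].config[
-"memory_layer"
-]
-
 file_obj = self.context.object(
 kernel.symbol_table_name + constants.BANG + "_FILE_OBJECT",
-layer_name=layer_name,
-native_layer_name=kernel.layer_name,
+layer_name=(
+virtual_layer_name if is_virtual else physical_layer_name
+),
+native_layer_name=virtual_layer_name,
 offset=offset,
 )
 for result in self.process_file_object(
-self.context, kernel.layer_name, self.open, file_obj
+self.context, virtual_layer_name, self.open, file_obj
 ):
 yield (0, result)
 except exceptions.InvalidAddressException:
@@ -355,11 +359,15 @@ def run(self):
 ):
 raise ValueError("Cannot use filter flag with an address flag")
 
-if self.config.get("virtaddr", None) is not None:
-offsets.append((self.config["virtaddr"], True))
-elif self.config.get("physaddr", None) is not None:
-offsets.append((self.config["physaddr"], False))
-else:
+if self.config.get("virtaddr"):
+for virtaddr in self.config["virtaddr"]:
+offsets.append((virtaddr, True))
+
+if self.config.get("physaddr"):
+for physaddr in self.config["physaddr"]:
+offsets.append((physaddr, False))
+
+if not offsets:
 filter_func = pslist.PsList.create_pid_filter(
 [self.config.get("pid", None)]
 )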
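Review bot: The new user-facing help text for physaddr in the first hunk, `description="Dump a single _FILE_OBJECTs at the given physical address(es)"`, mixes the old singular wording with the new plural form and does not match the virtaddr text a few lines above; it should read `description="Dump the _FILE_OBJECTs at the given physical address(es)"`. In the _generator hunk, `physical_layer_name` is now looked up from `config["memory_layer"]` once before the loop even when every requested offset is virtual, and that lookup sits outside the per-offset `try`/`except exceptions.InvalidAddressException`, so a kernel layer without that config key would presumably now fail `--virtaddr`-only runs as well; if that case can occur, the lookup is worth deferring until a physical offset is actually seen, or the FIXME comment should say the key is assumed present. The `_generator` and `run` bodies both extend outside their hunks.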
