-
Notifications
You must be signed in to change notification settings - Fork 0
/
timers.py
338 lines (268 loc) · 12.9 KB
/
timers.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
# Copyright (c) 2010, 2011, 2012 Michael Ligh <michael.ligh@mnin.org>
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
import volatility.utils as utils
import volatility.obj as obj
import volatility.plugins.common as common
import volatility.debug as debug
import volatility.win32.tasks as tasks
import volatility.win32.modules as modules
import volatility.plugins.patchguard as patchguard
import volatility.plugins.overlays.windows.win8_kdbg as win8_kdbg
from volatility.renderers import TreeGrid
from volatility.renderers.basic import Address
import struct
#--------------------------------------------------------------------------------
# vtypes
#--------------------------------------------------------------------------------
timer_types_64 = {
'_KTIMER_TABLE_ENTRY' : [ 0x18, {
'Entry' : [ 0x0, ['_LIST_ENTRY']],
'Time' : [ 0x10, ['_ULARGE_INTEGER']],
}]}
timer_types_32 = {
'_KTIMER_TABLE_ENTRY' : [ 0x10, {
'Entry' : [ 0x0, ['_LIST_ENTRY']],
'Time' : [ 0x8, ['_ULARGE_INTEGER']],
}]}
class _KTIMER(obj.CType):
@property
def Dpc(self):
vm = self.obj_vm
profile = vm.profile
bits = profile.metadata.get("memory_model")
if bits == "32bit":
return self.m("Dpc")
# cycle through the parents until we reach the top
parent = self.obj_parent
while parent and parent.obj_name != "_KDDEBUGGER_DATA64":
parent = parent.obj_parent
if not parent:
return obj.NoneObject("Parent is not a KDBG structure")
# test if the patchguard magic is already available to us
if (not hasattr(parent, 'wait_always') or
not hasattr(parent, 'wait_never')):
# this scans for the patchguard magic by indirectly
# finding the KdCopyDataBlock function
kdbg = win8_kdbg.VolatilityKDBG("", offset = 0, vm = vm).v()
if not kdbg:
return obj.NoneObject("Cannot find KDBG structure")
# transfer the attributes to our parent
parent.newattr('wait_never', kdbg.wait_never)
parent.newattr('wait_always', kdbg.wait_always)
dpc = self.m("Dpc").v()
decoded = patchguard.bswap(patchguard.rol(dpc ^ \
parent.wait_never, parent.wait_never & 0xFF) ^ \
self.obj_offset) ^ parent.wait_always
return obj.Object("_KDPC", offset = decoded, vm = vm)
#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------
class TimerVTypes(obj.ProfileModification):
before = ['WindowsOverlay']
conditions = {'os': lambda x: x == 'windows'}
def modification(self, profile):
version = (profile.metadata.get('major', 0),
profile.metadata.get('minor', 0))
if version < (6, 1):
if profile.metadata.get("memory_model", "32bit") == "32bit":
profile.vtypes.update(timer_types_32)
else:
profile.vtypes.update(timer_types_64)
profile.object_classes.update({'_KTIMER': _KTIMER})
#--------------------------------------------------------------------------------
# timers
#--------------------------------------------------------------------------------
class Timers(common.AbstractWindowsCommand):
"""Print kernel timers and associated module DPCs"""
def __init__(self, config, *args, **kwargs):
common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
config.add_option('ListHead', short_option = 'L', default = None,
help = 'Virtual address of nt!KiTimerTableListHead',
action = 'store', type = 'int')
def find_list_head(self, nt_mod, func, sig):
"""
Find the KiTimerTableListHead given an exported
function as a starting point and a small signature.
@param nt_mod: _LDR_DATA_TABLE_ENTRY object for NT module
@param func: function name exported by the NT module
@param sig: byte string/pattern to use for finding the symbol
"""
# Lookup the exported function
func_rva = nt_mod.getprocaddress(func)
if func_rva == None:
return None
func_addr = func_rva + nt_mod.DllBase
# Read enough of the function prolog
data = nt_mod.obj_vm.zread(func_addr, 300)
# Scan for the byte signature
n = data.find(sig)
if n == -1:
return None
return obj.Object('address', func_addr + n + len(sig), nt_mod.obj_vm)
def find_list_head_offset(self, nt_mod, func, sig):
# Lookup the exported function
func_rva = nt_mod.getprocaddress(func)
if func_rva == None:
return None
func_addr = func_rva + nt_mod.DllBase
# Read enough of the function prolog
data = nt_mod.obj_vm.zread(func_addr, 300)
# Scan for the byte signature
n = data.find(sig)
if n == -1:
return None
ptr = nt_mod.obj_vm.zread( func_addr + n+ len(sig), 4 )
ptr = struct.unpack("I", ptr)[0]
return ptr + func_addr + n + len(sig) + 4
def calculate(self):
addr_space = utils.load_as(self._config)
# Get the OS version we're analyzing
version = (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
modlist = list(modules.lsmod(addr_space))
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
mod_addrs = sorted(mods.keys())
# KTIMERs collected
timers = []
# Valid KTIMER.Header.Type values
TimerNotificationObject = 8
TimerSynchronizationObject = 9
valid_types = (TimerNotificationObject, TimerSynchronizationObject)
if version == (5, 1) or (version == (5, 2) and
addr_space.profile.metadata.get('build', 0) == 3789):
# On XP SP0-SP3 x86 and Windows 2003 SP0, KiTimerTableListHead
# is an array of 256 _LIST_ENTRY for _KTIMERs.
if self._config.LISTHEAD:
KiTimerTableListHead = self._config.LISTHEAD
else:
KiTimerTableListHead = self.find_list_head(modlist[0],
"KeUpdateSystemTime",
"\x25\xFF\x00\x00\x00\x8D\x0C\xC5")
if not KiTimerTableListHead:
debug.warning("Cannot find KiTimerTableListHead")
else:
lists = obj.Object("Array", offset = KiTimerTableListHead,
vm = addr_space,
targetType = '_LIST_ENTRY',
count = 256)
for l in lists:
for t in l.list_of_type("_KTIMER", "TimerListEntry"):
timers.append(t)
elif version == (5, 2) or version == (6, 0):
# On XP x64, Windows 2003 SP1-SP2, and Vista SP0-SP2, KiTimerTableListHead
# is an array of 512 _KTIMER_TABLE_ENTRY structs.
if self._config.LISTHEAD:
KiTimerTableListHead = self._config.LISTHEAD
else:
if addr_space.profile.metadata.get("memory_model") == "32bit":
sigData = [ (False, "KeCancelTimer", "\xC1\xE7\x04\x81\xC7"),
(True, "KeUpdateSystemTime", "\x48\xB9\x00\x00\x00\x00\x80\xF7\xFF\xFF\x4C\x8D\x1D") ]
else:
sigData = [ (True, "KeCancelTimer", "\x48\x8D\x4C\x6D\x00\x48\x8D\x05"), # lea rcx, [rbp+rbp*2+0] / lea rax, KiTimerTableListHead (nt.dll md5 825926D6AD714A529F4069D9EBBD1D3B)
(True, "KeUpdateSystemTime", "\x48\xB9\x00\x00\x00\x00\x80\xF7\xFF\xFF\x4C\x8D\x1D") # mov rcx, 0FFFFF78000000000h / lea r11, KiTimerTableListHead (xp64sp1/2k3sp2 B1E08186348ED662D50118618F012445)
]
for sig in sigData:
if sig[0]:
KiTimerTableListHead = self.find_list_head_offset(modlist[0], sig[1], sig[2])
else:
KiTimerTableListHead = self.find_list_head(modlist[0], sig[1], sig[2])
if KiTimerTableListHead:
break
if not KiTimerTableListHead:
debug.warning("Cannot find KiTimerTableListHead")
else:
lists = obj.Object("Array", offset = KiTimerTableListHead,
vm = addr_space,
targetType = '_KTIMER_TABLE_ENTRY',
count = 512)
for l in lists:
# print "List at %s" % hex(int(l.obj_offset))
for t in l.Entry.list_of_type("_KTIMER", "TimerListEntry"):
# print "Timer at %s" % hex(int(t.obj_offset))
timers.append(t)
elif version >= (6, 1):
# Starting with Windows 7, there is no more KiTimerTableListHead. The list is
# at _KPCR.PrcbData.TimerTable.TimerEntries (credits to Matt Suiche
# for this one. See http://pastebin.com/FiRsGW3f).
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
for table in kpcr.ProcessorBlock.TimerTable.TimerEntries:
for t in table.Entry.list_of_type("_KTIMER", "TimerListEntry"):
timers.append(t)
for timer in timers:
# Sanity check on the timer type
if timer.Header.Type not in valid_types:
# print 'bad type %d' % timer.Header.Type
continue
# Ignore timers without DPCs
# if not timer.Dpc.is_valid():
# print 'dpc not valid'
# continue
# if not timer.Dpc.DeferredRoutine.is_valid():
# print 'dpc deferredroutine not valid'
# continue
# Lookup the module containing the DPC
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(timer.Dpc.DeferredRoutine))
yield timer, module
def unified_output(self, data):
return TreeGrid([("Offset(V)", Address),
("DueTime", str),
("Period(ms)", int),
("Signaled", str),
("Routine", Address),
("Module", str)],
self.generator(data))
def generator(self, data):
for timer, module in data:
if timer.Header.SignalState.v():
signaled = "Yes"
else:
signaled = "-"
if module:
module_name = str(module.BaseDllName or '')
else:
module_name = "UNKNOWN"
due_time = "{0:#010x}:{1:#010x}".format(timer.DueTime.HighPart, timer.DueTime.LowPart)
yield (0, [Address(timer.obj_offset), due_time, int(timer.Period), signaled, Address(timer.Dpc.DeferredRoutine), module_name])
def render_text(self, outfd, data):
self.table_header(outfd,
[("Offset(V)", "[addrpad]"),
("DueTime", "24"),
("Period(ms)", "10"),
("Signaled", "10"),
("Routine", "[addrpad]"),
("Module", ""),
])
for timer, module in data:
if timer.Header.SignalState.v():
signaled = "Yes"
else:
signaled = "-"
if module:
module_name = str(module.BaseDllName or '')
else:
module_name = "UNKNOWN"
due_time = "{0:#010x}:{1:#010x}".format(timer.DueTime.HighPart, timer.DueTime.LowPart)
self.table_row(outfd,
timer.obj_offset,
due_time,
timer.Period,
signaled,
timer.Dpc.DeferredRoutine,
module_name)