

Merge pull request #1071 from hsarkey/hsarkey/windows-malfind
Windows: Added '--refined' option to windows malfind plugin
ikelos authored Feb 1, 2024
2 parents e436328 + 470c750 commit 9b281c4
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions volatility3/framework/plugins/windows/malfind.py
Expand Up @@ -141,16 +141,30 @@ def _generator(self, procs):
# determine if we're on a 32 or 64 bit kernel
kernel = self.context.modules[self.config["kernel"]]

# set refined criteria to know when to add to "Notes" column
refined_criteria = {
b"MZ": "MZ header",
b"\x55\x8B": "PE header",
b"\x55\x48": "Function prologue",
b"\x55\x89": "Function prologue",
}

is_32bit_arch = not symbols.symbol_table_is_64bit(
self.context, kernel.symbol_table_name
)

for proc in procs:
# by default, "Notes" column will be set to N/A
notes = renderers.NotApplicableValue()
process_name = utility.array_to_string(proc.ImageFileName)

for vad, data in self.list_injections(
self.context, kernel.layer_name, kernel.symbol_table_name, proc
):
# Check for unique headers and update "Notes" column if criteria is met
if data[0:2] in refined_criteria:
notes = refined_criteria[data[0:2]]

# if we're on a 64 bit kernel, we may still need 32 bit disasm due to wow64
if is_32bit_arch or proc.get_is_wow64():
architecture = "intel"
Expand Down Expand Up @@ -196,6 +210,7 @@ def _generator(self, procs):
vad.get_commit_charge(),
vad.get_private_memory(),
file_output,
notes,
format_hints.HexBytes(data),
disasm,
),
Expand All @@ -216,6 +231,7 @@ def run(self):
("CommitCharge", int),
("PrivateMemory", int),
("File output", str),
("Notes", str),
("Hexdump", format_hints.HexBytes),
("Disasm", interfaces.renderers.Disassembly),
],
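Review bot: `notes` is initialised to `renderers.NotApplicableValue()` once at the top of the `for proc in procs:` body but only ever updated inside the per-VAD loop, so once one injected region of a process matches a header the same label is emitted for every later region of that process, whether or not its own leading bytes match anything. Make it per region by dropping the per-process initialisation and the `if`/assignment pair, and putting `notes = refined_criteria.get(data[0:2], renderers.NotApplicableValue())` as the first statement inside the `for vad, data in self.list_injections(...)` loop. Separately, `b"\x55\x8B"` decodes to `push ebp; mov ...`, a function prologue like the two entries below it, not a PE header (that signature would be `PE\0\0`), so the "PE header" label in the Notes column is misleading. The commit title mentions a `--refined` option, but none of the 16 added lines introduce a configuration requirement, so the column appears to be populated unconditionally; if gating was intended it seems to be missing. `_generator` starts and ends outside the hunk.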
