Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Windows: Added '--refined' option to windows malfind plugin #1071

Merged
merged 5 commits into from
Feb 1, 2024
Merged

Windows: Added '--refined' option to windows malfind plugin #1071

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
409ce95
Windows: Added '--refined' option to windows malfind plugin
hsarkey Dec 7, 2023
4e89040
Updated changes to the windows.malfind plugin. Eliminated --refined a…
hsarkey Jan 14, 2024
e6e138f
Updated windows.malfind to have a "Notes" column which will indicate …
hsarkey Jan 17, 2024
ef36cb5
Updated windows.malfind to have a "Notes" column to indicate if a pro…
hsarkey Jan 17, 2024
470c750
Updated to use dictionary for refined criteria and BaseAbsentValue fo…
hsarkey Jan 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 16 additions & 0 deletions volatility3/framework/plugins/windows/malfind.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,16 +141,30 @@ def _generator(self, procs):
# determine if we're on a 32 or 64 bit kernel
kernel = self.context.modules[self.config["kernel"]]

# set refined criteria to know when to add to "Notes" column
refined_criteria = {
b"MZ": "MZ header",
b"\x55\x8B": "PE header",
b"\x55\x48": "Function prologue",
b"\x55\x89": "Function prologue",
}

is_32bit_arch = not symbols.symbol_table_is_64bit(
self.context, kernel.symbol_table_name
)

for proc in procs:
# by default, "Notes" column will be set to N/A
notes = renderers.NotApplicableValue()
process_name = utility.array_to_string(proc.ImageFileName)

for vad, data in self.list_injections(
self.context, kernel.layer_name, kernel.symbol_table_name, proc
):
# Check for unique headers and update "Notes" column if criteria is met
if data[0:2] in refined_criteria:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This list needs keeping in sync with refined_criteria, it might be better to make refined_criteria a dictionary that listen an initial byte pattern with a value for notes? It would make this code a little more generic and it would be easier to add future classifiers if needed...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be worth using startswith or something, rather than limiting all future things to exactly 2 bytes, but that's something we can do fairly easily if we decide to extend the dictionary in the future, so not a show stopper.

notes = refined_criteria[data[0:2]]

# if we're on a 64 bit kernel, we may still need 32 bit disasm due to wow64
if is_32bit_arch or proc.get_is_wow64():
architecture = "intel"
Expand Down Expand Up @@ -196,6 +210,7 @@ def _generator(self, procs):
vad.get_commit_charge(),
vad.get_private_memory(),
file_output,
notes,
format_hints.HexBytes(data),
disasm,
),
Expand All @@ -216,6 +231,7 @@ def run(self):
("CommitCharge", int),
("PrivateMemory", int),
("File output", str),
("Notes", str),
("Hexdump", format_hints.HexBytes),
("Disasm", interfaces.renderers.Disassembly),
],
Expand Down
Loading