Windows: Add support for missing callback types #1110
Conversation
There was a problem hiding this comment.
Thanks, there's a lot to go through here but it generally looks pretty good. It's quite a significant chunk of functionality though so I'd quite like to defer to @iMHLv2 's opinion to ensure it does what it's supposed and there's no gotchas that I've missed...
186c814
to
84f8997
Compare
Updates the windows callbacks symbol files to include structures that were missing from the original volatility plugin.
Fixes a bad format string inside of a raised exception
84f8997
to
953b433
Compare
| context, layer_name, nt_symbol_table, constraints | ||
| ): | ||
| try: | ||
| if hasattr(mem_object, "is_valid") and not mem_object.is_valid(): |
There was a problem hiding this comment.
What objects don't have an is_valid method? Feels like this could be changed to just check pointers?
There was a problem hiding this comment.
The check fails for StructType objects if we remove the hasattr check. For instance: AttributeError: StructType has no attribute: callbacks-x641!_NOTIFICATION_PACKET.is_valid
There is an explicitly defined is_valid method in the callbacks extension added as part of this PR, but I don't think any other objects will have an is_valid method since they are just StructType objects defined in the callbacks symbol files.
|
@iMHLv2 could you give this a scan over to check there's nothing subtle I've missed please? |
Updates the Windows callbacks plugin to support several types of callbacks that were present in the original volatility framework, but were missing in volatility3. Adds an extension for `_SHUTDOWN_PACKET` structures for determining validity of structure.
This plugin class was missing a `_version` attribute, so I added one and set it to (1, 0, 0).
953b433
to
717d085
Compare
This PR updates the windows.callbacks.Callbacks plugin to support callback types that were present in the original volatility framework but have not yet been added to volatility3. These callback types include:
IoRegisterShutdownNotificationIoRegisterFsRegistrationChangeGenericKernelCallbackEventCategoryHardwareProfileChangeEventCategoryDeviceInterfaceChangeEventCategoryTargetDeviceChangeDbgSetDebugPrintCallbackThis required updates to the callbacks JSON symbol files, the creation of a
_SHUTDOWN_PACKETextension, and updates to the plugin itself. Because it introduces three new requirements (handles, driverirp, and poolscanner), I have incremented the major version number for the callbacks plugin. No other plugins depend on the callbacks plugin at this time, so it was not necessary to increase version numbers in other plugins.