Add fix for missing cookie value when using a Windows 10 profile #729

44 changes: 40 additions & 4 deletions volatility/plugins/overlays/windows/win10.py
Expand Up @@ -39,6 +39,13 @@
except ImportError:
has_distorm = False

try:
import yara
import volatility.plugins.malware.malfind as malfind
has_yara = True
except ImportError:
has_yara = False

class _HMAP_ENTRY(obj.CType):

@property
Expand Down Expand Up @@ -216,10 +223,37 @@ def findcookie(self, kernel_space):
debug.warning("Cannot find NT module")
return False

model = meta.get("memory_model")

addr = nt_mod.getprocaddress("ObGetObjectType")
if addr == None:
debug.warning("Cannot find nt!ObGetObjectType")
return False
if not has_yara:
debug.warning("Cannot find nt!ObGetObjectType")
return False
# Did not find nt!ObGetObjectType, trying with YARA instead.
if model == "32bit":
# 8bff mov edi, edi
# 55 push ebp
# 8bec mov ebp, esp
# 8b4d08 mov ecx, dword ptr [ebp + 8]
# 8d41e8 lea eax, dword ptr [ecx - 0x18]
nt_ObGetObjectType_signature = "8bff 55 8bec 8b4d08 8d41e8"
else:
# 488d41d0 lea rax, qword ptr [rcx - 0x30]
# 0fb649e8 movzx ecx, byte ptr [rcx - 0x18]
nt_ObGetObjectType_signature = "488d41d0 0fb649e8"
rule = 'rule r1 {strings: $a = {%s} condition: $a}' \
% nt_ObGetObjectType_signature
rules = yara.compile(source = rule)
scanner = malfind.DiscontigYaraScanner(
address_space = kernel_space,
rules = rules)
first_match = next(scanner.scan(), None)
if not first_match:
debug.warning("Cannot find nt!ObGetObjectType")
return False
_, addr = first_match
addr -= nt_mod.DllBase

# produce an absolute address by adding the DLL base to the RVA
addr += nt_mod.DllBase
Expand All @@ -228,7 +262,6 @@ def findcookie(self, kernel_space):
return False

# in theory...but so far we haven't tested 32-bits
model = meta.get("memory_model")
if model == "32bit":
mode = distorm3.Decode32Bits
else:
Expand Down Expand Up @@ -331,6 +364,9 @@ def TypeIndex(self):
addr = self.obj_offset
indx = int(self.m("TypeIndex"))

if cook is None:
debug.error("Cannot obtain nt!ObHeaderCookie value")

return ((addr >> 8) ^ cook ^ indx) & 0xFF

def is_valid(self):
Expand Down Expand Up @@ -1144,4 +1180,4 @@ class Win10x64_19041(obj.Profile):
_md_minor = 4
_md_build = 19041
_md_vtype_module = 'volatility.plugins.overlays.windows.win10_x64_19041_vtypes'
_md_product = ["NtProductWinNt"]
_md_product = ["NtProductWinNt"]
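Review bot: The YARA fallback in the findcookie hunk takes the first signature hit anywhere in kernel_space and never checks that it lies inside the NT image, so a hit in another driver, in data, or a deliberately planted byte pattern in the image under analysis would be disassembled as ObGetObjectType and produce a wrong ObHeaderCookie, which silently corrupts every TypeIndex computed further down instead of failing loudly. After `_, addr = first_match` I would reject out-of-range hits, e.g. `if not (nt_mod.DllBase <= addr < nt_mod.DllBase + nt_mod.SizeOfImage):` / `debug.warning("nt!ObGetObjectType signature matched outside the NT module")` / `return False` (assuming the loader entry exposes SizeOfImage alongside DllBase, as the rest of the overlay appears to rely on), or better, constrain the scan to that range if DiscontigYaraScanner accepts one. The 8-byte x64 pattern is short enough that a second match on a large image is plausible, so additional matches should at least be warned about rather than discarded by the `next(..., None)`, and the `addr -= nt_mod.DllBase` / `addr += nt_mod.DllBase` round trip is a no-op once the match is known to be absolute. The 32-bit pattern is untested by the author's own comment ("so far we haven't tested 32-bits"), and findcookie starts before and continues past the hunk, so the surrounding error handling is only partly visible here.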