Merge pull request #151 from siliconblade/main

Update Volatility3 reader for framework version 2

Author: skelsec

pypykatz/commons/readers/volatility3/volreader.py

@@ -54,8 +54,9 @@ def __init__(self):
 		self.major_version = 6
 
 class Vol3Reader:
-	def __init__(self, vol_obj):
+	def __init__(self, vol_obj, framework_version):
 		self.vol_obj = vol_obj
+		self.framework_version = framework_version
 		self.proc_layer_name = None
 		self.proc_layer = None
 		self.lsass_process = None
@@ -83,10 +84,18 @@ def get_sysinfo(self):
 
 	def find_lsass(self):
 		filter_func = pslist.PsList.create_name_filter(['lsass.exe'])
+		if self.framework_version == 1:
+			layer_name = self.vol_obj.config['primary']
+			symbol_table = self.vol_obj.config['nt_symbols']
+		elif self.framework_version == 2:
+			layer_name = self.vol_obj.context.modules[self.vol_obj.config['kernel']].layer_name
+			symbol_table = self.vol_obj.context.modules[self.vol_obj.config['kernel']].symbol_table_name
+		else:
+			raise Exception('Unsupported Volatility Framework Version')
 		for proc in pslist.PsList.list_processes(
 					context = self.vol_obj.context,
-					layer_name = self.vol_obj.config['primary'],
-					symbol_table = self.vol_obj.config['nt_symbols'],
+					layer_name = layer_name,
+					symbol_table = symbol_table,
 					filter_func = filter_func
 				):
 			self.lsass_process = proc
@@ -112,8 +121,14 @@ def list_dlls(self):
 
 	def get_buildnumber(self):
 		# https://github.com/volatilityfoundation/volatility3/blob/ee31ece0062ce762ed38f6d0a1c54e9f1cd37970/volatility/framework/plugins/windows/cmdline.py
+		if self.framework_version == 1:
+			vol_object = self.vol_obj.config["nt_symbols"] + constants.BANG + "_PEB"
+		elif self.framework_version == 2:
+			vol_object = self.vol_obj.context.modules[self.vol_obj.config['kernel']].symbol_table_name + constants.BANG + "_PEB"
+		else:
+			raise Exception('Unsupported Volatility Framework Version')
 		peb = self.vol_obj.context.object(
-		    self.vol_obj.config["nt_symbols"] + constants.BANG + "_PEB",
+		    vol_object,
 		    layer_name = self.proc_layer_name,
 		    offset = self.lsass_process.Peb
 		)
@@ -126,7 +141,13 @@ def list_sections(self):
 			self.sections.append(VOL3Section.from_vad(vad))
 
 	def get_arch(self):
-		if not symbols.symbol_table_is_64bit(self.vol_obj.context, self.vol_obj.config["nt_symbols"]):
+		if self.framework_version == 1:
+			symbol_table_is_64bit = symbols.symbol_table_is_64bit(self.vol_obj.context, self.vol_obj.config["nt_symbols"])
+		elif self.framework_version == 2:
+			symbol_table_is_64bit = symbols.symbol_table_is_64bit(self.vol_obj.context, self.vol_obj.context.modules[self.vol_obj.config['kernel']].symbol_table_name)
+		else:
+			raise Exception('Unsupported Volatility Framework Version')
+		if not symbol_table_is_64bit:
 			self.processor_architecture = KatzSystemArchitecture.X86
 		self.processor_architecture = KatzSystemArchitecture.X64
 
@@ -229,6 +250,7 @@ def vol3_generator(mimi):
 			x = [str(t['credtype']), '', '', '', '', '', str(t['masterkey']), str(t['sha1_masterkey']), str(t['key_guid']), '']
 			yield 0, x
 
+
 def vol3_treegrid(mimi):
 	return renderers.TreeGrid([
 			("credtype", str),

pypykatz/pypykatz.py

@@ -213,9 +213,9 @@ def go_rekall(session, override_timestamp = None, buildnumber = None, packages =
 		return mimi
 
 	@staticmethod
-	def go_volatility3(vol3_obj, packages = ['all']):
+	def go_volatility3(vol3_obj, framework_version = 2, packages = ['all']):
 		from pypykatz.commons.readers.volatility3.volreader import Vol3Reader, vol3_treegrid
-		reader = Vol3Reader(vol3_obj)
+		reader = Vol3Reader(vol3_obj, framework_version)
 		sysinfo = reader.get_sysinfo()
 		mimi = pypykatz(reader, sysinfo)
 		mimi.start(packages)