8cb553eb11
Update base code for windows 7, 8, 8.1
...
Because the tag is different in lower version of Windows, need to
change the tag in scan algorithm
4b29cf1986/volatility/framework/plugins/windows/poolscanner.py (L229)
2020-06-30 04:09:13 +07:00
abb7a70b72
Update
...
- Driver scan device tree and output more data
- Print ssdt scanning base on kernel modules traversing
2020-06-23 18:27:24 +07:00
199c3ca10b
Update cargo dependencies
...
And ready for a lisp repl
2020-06-22 22:31:55 +07:00
0350ec46d9
Scan unloaded module/driver
...
By reversing MmLocateUnloadedDriver, we can know the algorithm
to extract name/start/end of unloaded drivers
2020-06-22 22:30:35 +07:00
5619048a4a
Update lpus feature
...
Traverse scan
- PsActiveProcessHead
- PsLoadedModuleList
- KiProcessListHead
- HandleTableList
pdb_store has dt(struct) to display struct
2020-06-22 17:45:06 +07:00
8cf91aef79
Update scan for kernel modules and driver
...
Scan kernel modules
Driver scan major functions' address
2020-06-22 14:52:15 +07:00
1707b301ff
Generalize the API for common scan and return json
2020-06-17 01:47:20 +07:00
060f222c0a
Introducing Address type
...
Use address type to represent address
Decompose address with ease using DriverState.decompose
2020-06-11 01:27:26 +07:00
72a947ccd7
Update scan algorithm
...
- Scan _ETHREAD with PoolTag='Thre'
- Parse pid/ppid from _EPROCESS
- Build process tree from output log
- Static link for machine missing Windows C++ dev environment
2020-06-09 04:13:15 +07:00
8c642f6ba0
add dump test 1
2020-06-05 19:37:13 +07:00
c8ce82e8a7
Update lpus
...
File scan printing update
Update values sent to driver in ioctl for Windows 10 2019/2018
2020-06-02 16:27:29 +07:00
4bf2bb71ff
check read access when dump file name in _FILE_OBJECT
2020-05-29 01:39:32 +07:00
ecc476c604
Update scan frontend
...
Reject invalid block size
Unicode string handle for empty ptr, empty size
Add _FILE_OBJECT scan
Add FileImage dump of _EPROCESS scan
2020-05-22 14:44:47 +07:00
ee13c6be58
Update non-paged pool range documentation
2020-05-21 17:36:06 +07:00
7be3b2fc05
General updates
...
Driver is renamed to lpus.sys
Pdb will be downloaded ino %APPDATA%/nganhkhoa/lpus
And some little fixes
2020-05-20 15:02:09 +07:00
5842ed216c
Add Windows 10 2019 support
2020-05-20 13:51:38 +07:00
ff53a1a31c
Fix runtime BOSD
...
Chunk size and tag is check before handle.
Check if heuristics search is not correct, and the try_ptr goes of the bound,
making dereference an invalid address.
2020-05-20 00:42:24 +07:00
dd16a31984
update READMME
2020-05-19 04:20:04 +07:00
5bddf90501
Merge pull request #2 from nganhkhoa/device_io_call
2020-05-19 04:00:32 +07:00
dae10a5312
multiple binary and code refactor
2020-05-19 03:52:18 +07:00
3214e79d63
code renew build ok
2020-05-18 04:04:40 +07:00
cbc3cb7e15
update new design in code call, no test build
2020-05-04 11:40:31 +00:00
862a5c0788
hide process call
2020-02-27 23:37:04 +07:00
d0c0161b06
find eprocess offset base on CreateTime
2020-02-27 08:25:39 +07:00
d08852af55
finish device io call to scan
2020-02-27 03:27:54 +07:00
0ca87a871c
fix driver file name path
2020-02-25 01:33:16 +07:00
2ee77d16c7
Fix load driver issue
...
The Buffer pointer of UNICODE_STRING seems to be cleaned up after
routine, so we cannot store the string, but have to init the string when
needed.
2020-02-25 01:20:54 +07:00
8928e4e4cb
add device io call
2020-02-24 22:53:30 +07:00
c036f3645a
Merge pull request #1 from nganhkhoa/loaddriver
...
Load Driver and PdbStore
2020-02-24 00:36:04 +07:00
ebeea02962
remove warnings
2020-02-24 00:32:53 +07:00
f872b8e14a
moved functions to modules
2020-02-24 00:10:00 +07:00
71b59861c5
add driver to registry
2020-02-23 03:06:01 +07:00
30da3fe60a
load driver code
2020-02-23 02:04:09 +07:00
fc61c5e605
update sample ouput
2020-02-18 17:44:14 +07:00
0bb4ecd0e3
update 18/2/2020
2020-02-18 17:39:31 +07:00
c53fb94ddf
add rekall source reference in readme
2020-02-15 18:35:09 +07:00
4a9c49a61e
add readme
2020-02-15 18:34:04 +07:00
1bf07214ef
first init
...
Working pdb download and parser
- Read ntoskrnl.exe for GUID
- Download correspoding pdb file
- Parse for globals symbols
- Parse for offset in structs
(Only symbols and structs helps with finding
NonPagedPool{Start,End/First,Last}[Va] are parsed)
2020-02-15 17:39:45 +07:00
