Merge pull request #1640 from volatilityfoundation/plugin/windows_gui

Add APIs and initial plugins for GUI support and fit Windows major APIs to current design flow

Author: ikelos

doc/source/simple-plugin.rst

@@ -198,7 +198,6 @@ that will be output as part of the :py:class:`~volatility3.framework.interfaces.
         def run(self):
 
             filter_func = pslist.PsList.create_pid_filter(self.config.get('pid', None))
-            kernel = self.context.modules[self.config['kernel']]
 
             return renderers.TreeGrid(
                 [
@@ -211,9 +210,8 @@ that will be output as part of the :py:class:`~volatility3.framework.interfaces.
                 ],
                 self._generator(
                     pslist.PsList.list_processes(
-                        self.context,
-                        kernel.layer_name,
-                        kernel.symbol_table_name,
+                        context=self.context,
+                        kernel_module_name=self.config['kernel'],
                         filter_func = filter_func
                     )
                 )
@@ -235,7 +233,7 @@ the :py:class:`~volatility3.plugins.windows.pslist.PsList` plugin.  That plugin
 so that other plugins can call it.  As such, it takes all the necessary parameters rather than accessing them
 from a configuration.  Since it must be portable code, it takes a context, as well as the layer name,
 symbol table and optionally a filter.  In this instance we unconditionally
-pass it the values from the configuration for the layer and symbol table from the kernel module object, constructed from
+pass it the value from the configuration for the kernel module name, constructed from
 the ``kernel`` configuration requirement.  This will generate a list
 of :py:class:`~volatility3.framework.symbols.windows.extensions.EPROCESS` objects, as provided by the :py:class:`~volatility.plugins.windows.pslist.PsList` plugin,
 and is not covered here but is used as an example for how to share code across plugins

volatility3/cli/volshell/windows.py

@@ -18,7 +18,7 @@ def get_requirements(cls):
         return [
             requirements.ModuleRequirement(name="kernel", description="Windows kernel"),
             requirements.PluginRequirement(
-                name="pslist", plugin=pslist.PsList, version=(2, 0, 0)
+                name="pslist", plugin=pslist.PsList, version=(3, 0, 0)
             ),
             requirements.IntRequirement(
                 name="pid", description="Process ID", optional=True
@@ -39,9 +39,7 @@ def list_processes(self):
         """Returns a list of EPROCESS objects from the primary layer"""
         # We always use the main kernel memory and associated symbols
         return list(
-            pslist.PsList.list_processes(
-                self.context, self.current_layer, self.current_symbol_table
-            )
+            pslist.PsList.list_processes(self.context, self.current_kernel_name)
         )
 
     def get_process(self, pid=None, virtaddr=None, physaddr=None):

volatility3/framework/constants/_version.py

@@ -1,6 +1,6 @@
 # We use the SemVer 2.0.0 versioning scheme
 VERSION_MAJOR = 2  # Number of releases of the library with a breaking change
-VERSION_MINOR = 22  # Number of changes that only add to the interface
+VERSION_MINOR = 23  # Number of changes that only add to the interface
 VERSION_PATCH = 0  # Number of changes that do not change the interface
 VERSION_SUFFIX = ""
 

volatility3/framework/layers/registry.py

@@ -66,7 +66,7 @@ def __init__(
         # Win10 17063 introduced the Registry process to map most hives.  Check
         # if it exists and update RegistryHive._base_layer
         for proc in pslist.PsList.list_processes(
-            self.context, self.config["base_layer"], self.config["nt_symbols"]
+            context=self.context, kernel_module_name=self.config["kernel_module_name"]
         ):
             proc_name = proc.ImageFileName.cast(
                 "string", max_length=proc.ImageFileName.vol.count, errors="replace"

volatility3/framework/plugins/linux/bash.py

@@ -46,7 +46,7 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
     def _generator(self, tasks):
         vmlinux = self.context.modules[self.config["kernel"]]
         is_32bit = not symbols.symbol_table_is_64bit(
-            self.context, vmlinux.symbol_table_name
+            context=self.context, symbol_table_name=vmlinux.symbol_table_name
         )
         if is_32bit:
             pack_format = "I"

volatility3/framework/plugins/linux/malfind.py

@@ -64,7 +64,7 @@ def _generator(self, tasks):
         # determine if we're on a 32 or 64 bit kernel
         vmlinux = self.context.modules[self.config["kernel"]]
         is_32bit_arch = not symbols.symbol_table_is_64bit(
-            self.context, vmlinux.symbol_table_name
+            context=self.context, symbol_table_name=vmlinux.symbol_table_name
         )
 
         for task in tasks:

volatility3/framework/plugins/linux/psscan.py

@@ -84,7 +84,9 @@ def scan_tasks(
         vmlinux = context.modules[vmlinux_module_name]
 
         # check if this image is 32bit or 64bit
-        is_32bit = not symbols.symbol_table_is_64bit(context, vmlinux.symbol_table_name)
+        is_32bit = not symbols.symbol_table_is_64bit(
+            context=context, symbol_table_name=vmlinux.symbol_table_name
+        )
         if is_32bit:
             pack_format = "I"
         else:

volatility3/framework/plugins/mac/bash.py

@@ -44,7 +44,7 @@ def get_requirements(cls):
     def _generator(self, tasks):
         darwin = self.context.modules[self.config["kernel"]]
         is_32bit = not symbols.symbol_table_is_64bit(
-            self.context, darwin.symbol_table_name
+            context=self.context, symbol_table_name=darwin.symbol_table_name
         )
         if is_32bit:
             pack_format = "I"

volatility3/framework/plugins/windows/amcache.py

@@ -218,7 +218,9 @@ class Amcache(interfaces.plugins.PluginInterface, timeliner.TimeLinerInterface):
     """Extract information on executed applications from the AmCache."""
 
     _required_framework_version = (2, 0, 0)
-    _version = (1, 0, 0)
+
+    # 2.0.0 - changed the signature of get_amcache_hive
+    _version = (2, 0, 0)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -230,7 +232,7 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
                 architectures=["Intel32", "Intel64"],
             ),
             requirements.PluginRequirement(
-                name="hivelist", plugin=hivelist.HiveList, version=(1, 0, 0)
+                name="hivelist", plugin=hivelist.HiveList, version=(2, 0, 0)
             ),
         ]
 
@@ -252,7 +254,7 @@ def get_amcache_hive(
         cls,
         context: interfaces.context.ContextInterface,
         config_path: str,
-        kernel: interfaces.context.ModuleInterface,
+        kernel_module_name: str,
     ) -> Optional[registry.RegistryHive]:
         """Retrieves the `Amcache.hve` registry hive from the kernel module, if it can be located."""
         return next(
@@ -261,8 +263,7 @@ def get_amcache_hive(
                 base_config_path=interfaces.configuration.path_join(
                     config_path, "hivelist"
                 ),
-                layer_name=kernel.layer_name,
-                symbol_table=kernel.symbol_table_name,
+                kernel_module_name=kernel_module_name,
                 filter_string="amcache",
             ),
             None,
@@ -523,8 +524,6 @@ def parse_driver_binary_key(
             )
 
     def _generator(self) -> Iterator[Tuple[int, _AmcacheEntry]]:
-        kernel = self.context.modules[self.config["kernel"]]
-
         def indented(
             entry_gen: Iterable[_AmcacheEntry], indent: int = 0
         ) -> Iterator[Tuple[int, _AmcacheEntry]]:
@@ -533,7 +532,9 @@ def indented(
 
         # Building the dictionary ahead of time is much better for performance
         # vs looking up each service's DLL individually.
-        amcache = self.get_amcache_hive(self.context, self.config_path, kernel)
+        amcache = self.get_amcache_hive(
+            self.context, self.config_path, self.config["kernel"]
+        )
         if amcache is None:
             return
 

volatility3/framework/plugins/windows/cachedump.py

@@ -33,7 +33,7 @@ def get_requirements(cls):
                 architectures=["Intel32", "Intel64"],
             ),
             requirements.PluginRequirement(
-                name="hivelist", plugin=hivelist.HiveList, version=(1, 0, 0)
+                name="hivelist", plugin=hivelist.HiveList, version=(2, 0, 0)
             ),
             requirements.PluginRequirement(
                 name="lsadump", plugin=lsadump.Lsadump, version=(1, 0, 0)
@@ -169,13 +169,11 @@ def run(self):
         offset = self.config.get("offset", None)
 
         syshive = sechive = None
-        kernel = self.context.modules[self.config["kernel"]]
 
         for hive in hivelist.HiveList.list_hives(
-            self.context,
-            self.config_path,
-            kernel.layer_name,
-            kernel.symbol_table_name,
+            context=self.context,
+            base_config_path=self.config_path,
+            kernel_module_name=self.config["kernel"],
             hive_offsets=None if offset is None else [offset],
         ):
             if hive.get_name().split("\\")[-1].upper() == "SYSTEM":