1# This file is Copyright 2019 Volatility Foundation and licensed under the Volatility Software License 1.0
2# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
3#
4
5from volatility.framework import constants
6from volatility.framework import renderers, exceptions, interfaces
7from volatility.framework.configuration import requirements
8from volatility.framework.renderers import format_hints
9from volatility.plugins.windows import ssdt, driverscan
10
11MAJOR_FUNCTIONS = [
12    'IRP_MJ_CREATE', 'IRP_MJ_CREATE_NAMED_PIPE', 'IRP_MJ_CLOSE', 'IRP_MJ_READ', 'IRP_MJ_WRITE',
13    'IRP_MJ_QUERY_INFORMATION', 'IRP_MJ_SET_INFORMATION', 'IRP_MJ_QUERY_EA', 'IRP_MJ_SET_EA', 'IRP_MJ_FLUSH_BUFFERS',
14    'IRP_MJ_QUERY_VOLUME_INFORMATION', 'IRP_MJ_SET_VOLUME_INFORMATION', 'IRP_MJ_DIRECTORY_CONTROL',
15    'IRP_MJ_FILE_SYSTEM_CONTROL', 'IRP_MJ_DEVICE_CONTROL', 'IRP_MJ_INTERNAL_DEVICE_CONTROL', 'IRP_MJ_SHUTDOWN',
16    'IRP_MJ_LOCK_CONTROL', 'IRP_MJ_CLEANUP', 'IRP_MJ_CREATE_MAILSLOT', 'IRP_MJ_QUERY_SECURITY', 'IRP_MJ_SET_SECURITY',
17    'IRP_MJ_POWER', 'IRP_MJ_SYSTEM_CONTROL', 'IRP_MJ_DEVICE_CHANGE', 'IRP_MJ_QUERY_QUOTA', 'IRP_MJ_SET_QUOTA',
18    'IRP_MJ_PNP'
19]
20
21
22class DriverIrp(interfaces.plugins.PluginInterface):
23    """List IRPs for drivers in a particular windows memory image."""
24
25    @classmethod
26    def get_requirements(cls):
27        return [
28            requirements.PluginRequirement(name = 'ssdt', plugin = ssdt.SSDT, version = (1, 0, 0)),
29            requirements.PluginRequirement(name = 'driverscan', plugin = driverscan.DriverScan, version = (1, 0, 0)),
30            requirements.TranslationLayerRequirement(name = 'primary',
31                                                     description = 'Memory layer for the kernel',
32                                                     architectures = ["Intel32", "Intel64"]),
33            requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
34        ]
35
36    def _generator(self):
37
38        collection = ssdt.SSDT.build_module_collection(self.context, self.config['primary'], self.config['nt_symbols'])
39
40        for driver in driverscan.DriverScan.scan_drivers(self.context, self.config['primary'],
41                                                         self.config['nt_symbols']):
42
43            try:
44                driver_name = driver.get_driver_name()
45            except exceptions.InvalidAddressException:
46                driver_name = renderers.NotApplicableValue()
47
48            for i, address in enumerate(driver.MajorFunction):
49                module_symbols = collection.get_module_symbols_by_absolute_location(address)
50
51                for module_name, symbol_generator in module_symbols:
52                    symbols_found = False
53
54                    for symbol in symbol_generator:
55                        symbols_found = True
56                        yield (0, (format_hints.Hex(driver.vol.offset), driver_name, MAJOR_FUNCTIONS[i],
57                                   format_hints.Hex(address), module_name, symbol.split(constants.BANG)[1]))
58
59                    if not symbols_found:
60                        yield (0, (format_hints.Hex(driver.vol.offset), driver_name, MAJOR_FUNCTIONS[i],
61                                   format_hints.Hex(address), module_name, renderers.NotAvailableValue()))
62
63    def run(self):
64
65        return renderers.TreeGrid([
66            ("Offset", format_hints.Hex),
67            ("Driver Name", str),
68            ("IRP", str),
69            ("Address", format_hints.Hex),
70            ("Module", str),
71            ("Symbol", str),
72        ], self._generator())
73