Last active
June 25, 2021 14:14
-
-
Save markusleh/9909454f19bb053458dd05dfe5e5e449 to your computer and use it in GitHub Desktop.
Python program to visualize Windows bigpool content
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import svgwrite | |
| import volatility.conf as conf | |
| import volatility.registry as registry | |
| import volatility.plugins.volshell as shell | |
| registry.PluginImporter() | |
| config = conf.ConfObject() | |
| import volatility.commands as commands | |
| import volatility.addrspace as addrspace | |
| import volatility.utils as utils | |
| registry.register_global_options(config, commands.Command) | |
| registry.register_global_options(config, addrspace.BaseAddressSpace) | |
| config.parse_options() | |
| # Volatility profile | |
| config.PROFILE = "Win7SP1x64" | |
| # Pool tag | |
| config.TAGS = "LSbf" | |
| # Path to the memorydump | |
| FILE = "/home/markus/5.dump" | |
| config.LOCATION = "file://" + FILE | |
| # Following is used for reading the content of the pool later | |
| _addrspace = utils.load_as(config) | |
| ### | |
| import volatility.plugins.bigpagepools as big | |
| bigpools = big.BigPools(config) | |
| def do(): | |
| """ Reads data from the pools | |
| This function reads some data from all the pools and converts the | |
| bytes to a hexadecimal rgb value that is used to visualize the pools | |
| """ | |
| entries = list(p.calculate()) | |
| entries = sorted(entries, key=getKey) | |
| for poolentry in entries: | |
| # Amount of data to read, max 1024 or the size of the buffer is it | |
| # is shorter | |
| size = min(poolentry.NumberOfBytes, 1024) | |
| data = _addrspace.read(poolentry.Va, size) | |
| data_list = [] | |
| # RGB Hex is three bytes, read three at a time | |
| for offset in xrange(0, len(data), 3): | |
| row_data = data[offset:offset + 3] | |
| hexdata = "".join(["{0:02x}".format(ord(x)) for x in row_data]) | |
| # Pads the final value with zeros if it is shorter than 3 bytes | |
| if len(hexdata) < 6: | |
| hexdata = hexdata + '0' * (6 - len(hexdata)) | |
| # Save the color value in "#FF00FF" format | |
| data_list.append("#{}".format(hexdata)) | |
| yield poolentry, data_list | |
| def main(): | |
| dwg = svgwrite.Drawing(filename=FILE + ".svg") | |
| y = 0 | |
| x = 0 | |
| last = 0 | |
| # Size of a single "block" in pixels | |
| block_size = 10 | |
| pos = [] | |
| for poolentry, data in do(): | |
| pos.append((long(poolentry.Va), long(poolentry.NumberOfBytes))) | |
| print "Va", hex(poolentry.Va), "Offset to last", int(poolentry.Va - last), hex(poolentry.NumberOfBytes) | |
| x = 0 | |
| for entry in data: | |
| dwg.add( | |
| dwg.rect( | |
| insert=( | |
| x, y), size=( | |
| block_size, block_size), fill=entry)) | |
| x = x + block_size | |
| y = y + block_size | |
| last = poolentry.Va | |
| dwg.save() | |
| if __name__ == "__main__": | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment