Skip to content

Commit

Permalink
Merge pull request #1049 from volatilityfoundation/issues/improve-mft…
Browse files Browse the repository at this point in the history 
…scan

Simplify attribute object accesses
  • Loading branch information
@ikelos
ikelos authored Nov 28, 2023
2 parents 9f9afbf + 8d5877e commit 4ce42fc
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 35 deletions.
48 changes: 16 additions & 32 deletions volatility3/framework/plugins/windows/mftscan.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -67,27 +67,17 @@ def _generator(self):
)
# We will update this on each pass in the next loop and use it as the new offset.
attr_base_offset = mft_record.FirstAttrOffset

attr_header = self.context.object(
header_object,
attr = self.context.object(
attribute_object,
offset=offset + attr_base_offset,
layer_name=layer.name,
)

# There is no field that has a count of Attributes
# Keep Attempting to read attributes until we get an invalid attr_header.AttrType

while attr_header.AttrType.is_valid_choice:
vollog.debug(f"Attr Type: {attr_header.AttrType.lookup()}")

# Offset past the headers to the attribute data
attr_data_offset = (
offset
+ attr_base_offset
+ self.context.symbol_space.get_type(
attribute_object
).relative_child_offset("Attr_Data")
)
while attr.Attr_Header.AttrType.is_valid_choice:
vollog.debug(f"Attr Type: {attr.Attr_Header.AttrType.lookup()}")

# MFT Flags determine the file type or dir
# If we don't have a valid enum, coerce to hex so we can keep the record
Expand All @@ -97,19 +87,16 @@ def _generator(self):
mft_flag = hex(mft_record.Flags)

# Standard Information Attribute
if attr_header.AttrType.lookup() == "STANDARD_INFORMATION":
attr_data = self.context.object(
si_object, offset=attr_data_offset, layer_name=layer.name
)

if attr.Attr_Header.AttrType.lookup() == "STANDARD_INFORMATION":
attr_data = attr.Attr_Data.cast(si_object)
yield 0, (
format_hints.Hex(attr_data_offset),
format_hints.Hex(attr_data.vol.offset),
mft_record.get_signature(),
mft_record.RecordNumber,
mft_record.LinkCount,
mft_flag,
renderers.NotApplicableValue(),
attr_header.AttrType.lookup(),
attr.Attr_Header.AttrType.lookup(),
conversion.wintime_to_datetime(attr_data.CreationTime),
conversion.wintime_to_datetime(attr_data.ModifiedTime),
conversion.wintime_to_datetime(attr_data.UpdatedTime),
Expand All @@ -118,10 +105,8 @@ def _generator(self):
)

# File Name Attribute
if attr_header.AttrType.lookup() == "FILE_NAME":
attr_data = self.context.object(
fn_object, offset=attr_data_offset, layer_name=layer.name
)
if attr.Attr_Header.AttrType.lookup() == "FILE_NAME":
attr_data = attr.Attr_Data.cast(fn_object)
file_name = attr_data.get_full_name()

# If we don't have a valid enum, coerce to hex so we can keep the record
Expand All @@ -131,13 +116,13 @@ def _generator(self):
permissions = hex(attr_data.Flags)

yield 1, (
format_hints.Hex(attr_data_offset),
format_hints.Hex(attr_data.vol.offset),
mft_record.get_signature(),
mft_record.RecordNumber,
mft_record.LinkCount,
mft_flag,
permissions,
attr_header.AttrType.lookup(),
attr.Attr_Header.AttrType.lookup(),
conversion.wintime_to_datetime(attr_data.CreationTime),
conversion.wintime_to_datetime(attr_data.ModifiedTime),
conversion.wintime_to_datetime(attr_data.UpdatedTime),
Expand All @@ -146,14 +131,13 @@ def _generator(self):
)

# If there's no advancement the loop will never end, so break it now
if attr_header.Length == 0:
if attr.Attr_Header.Length == 0:
break

# Update the base offset to point to the next attribute
attr_base_offset += attr_header.Length
# Get the next attribute
attr_header = self.context.object(
header_object,
attr_base_offset += attr.Attr_Header.Length
attr = self.context.object(
attribute_object,
offset=offset + attr_base_offset,
layer_name=layer.name,
)
Expand Down
6 changes: 3 additions & 3 deletions volatility3/framework/symbols/windows/mft.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -230,21 +230,21 @@
"offset": 0,
"type": {
"kind": "struct",
"name": "mft!ATTR_HEADER"
"name": "ATTR_HEADER"
}
},
"Resident_Header": {
"offset": 16,
"type": {
"kind": "struct",
"name": "mft!RESIDENT_HEADER"
"name": "RESIDENT_HEADER"
}
},
"Attr_Data": {
"offset": 24,
"type": {
"kind": "struct",
"name": "mft!ATTR_HEADER"
"name": "ATTR_HEADER"
}
}
},
Expand Down

0 comments on commit 4ce42fc

Please sign in to comment.