Merge pull request #765 from volatilityfoundation/win10_19041

add Win10 19041 support

Author: iMHLv2

README.txt

@@ -36,8 +36,8 @@ Windows:
 * 64-bit Windows 7 Service Pack 0 and 1
 * 64-bit Windows 8, 8.1, and 8.1 Update 1
 * 64-bit Windows Server 2012 and 2012 R2 
-* 64-bit Windows 10 (including at least 10.0.18362)
-* 64-bit Windows Server 2016 (including at least 10.0.18362)
+* 64-bit Windows 10 (including at least 10.0.19041)
+* 64-bit Windows Server 2016 (including at least 10.0.19041)
 
 Note: Please see the guidelines at the following link for notes on 
 compatibility with recently patched Windows 7 (or later) memory samples:

volatility/plugins/bigpagepools.py

@@ -31,16 +31,27 @@ class PoolTrackTypeOverlay(obj.ProfileModification):
 
     # This ensures _POOL_DESCRIPTOR will be available, 
     # so we can copy the PoolType enumeration
+    # Win10 19041 (May 2020) removed _POOL_DESCRIPTOR, so switch to
+    # _OBJECT_TYPE_INITIALIZER instead
     before = ['WindowsVTypes']
 
     # PoolType didn't exist until Vista 
     conditions = {'os': lambda x: x == 'windows', 
         'major': lambda x : x >= 6}
 
     def modification(self, profile):
+        minor = profile.metadata.get("minor", 0)
+        build = profile.metadata.get("build", 0)
+
+        if minor < 4 or (minor == 4 and build < 19041):
+            pool_type_name = "_POOL_DESCRIPTOR"
+        else:
+            pool_type_name = "_OBJECT_TYPE_INITIALIZER"
+
+
         profile.merge_overlay({
             '_POOL_TRACKER_BIG_PAGES': [ None, {
-            'PoolType': [ None, profile.vtypes['_POOL_DESCRIPTOR'][1]['PoolType'][1]],
+            'PoolType': [ None, profile.vtypes[pool_type_name][1]['PoolType'][1]],
             'Key': [ None, ['String', dict(length = 4)]], 
              }],
         })
@@ -68,7 +79,7 @@ def modification(self, profile):
             (6, 2, '32bit') : [[92, 88]],
             (6, 2, '64bit') : [[-5200, -5224]], 
             (6, 3, '32bit') : [[116, 120]],
-            (6, 4, '64bit') : [[-48, -10328], [208, 184], [168, 192], [176, 168], [48, 40], [32, 24], [24, 48], [56, 32], [-56, -10328], [24, 32], [-10344, -10336], [-10328, -10288], [-48, -10344], [-5208, -5200], [-188, -200], [40, 32], [-5200, -5208], [64, 24], [-10328, -10320], [32, 40], [-56, -64], [-10312, -10320], [24, 64], [-10304, -10344], [-64, -72], [-10328, -10336], [40, 48], [10304, 10296], [10304, 16], [-5192, -5184], [10320, 10312], [-64, -56], [-40, -64], [-10320, -10344], [-48, -72], [-72, -64], [-10304, -10328], [-56, -48], [-5224, -5216], [-10336, -10312], [-5168, -5208], [10304, 24], [10288, 24], [32, 72], [10336, 10328]],
+            (6, 4, '64bit') : [[-72, -64], [-48, -10328], [208, 184], [168, 192], [176, 168], [48, 40], [32, 24], [24, 48], [56, 32], [-56, -10328], [24, 32], [-10344, -10336], [-10328, -10288], [-48, -10344], [-5208, -5200], [-188, -200], [40, 32], [-5200, -5208], [64, 24], [-10328, -10320], [32, 40], [-56, -64], [-10312, -10320], [24, 64], [-10304, -10344], [-64, -72], [-10328, -10336], [40, 48], [10304, 10296], [10304, 16], [-5192, -5184], [10320, 10312], [-64, -56], [-40, -64], [-10320, -10344], [-48, -72], [-72, -64], [-10304, -10328], [-56, -48], [-5224, -5216], [-10336, -10312], [-5168, -5208], [10304, 24], [10288, 24], [32, 72], [10336, 10328], [-56, -10344], [-10352, -10344]],
             (6, 4, '32bit') : [[-168, -164], [-160, -172]],
         }
 

volatility/plugins/malware/svcscan.py

@@ -370,6 +370,25 @@ def modification(self, profile):
             } ],
         })
 
+class Service10_19041x64(obj.ProfileModification):
+    """Service structures for Win10 19041 (May 2020)"""
+
+    before = ['WindowsOverlay', 'WindowsObjectClasses', 'ServiceBase', 'ServiceVista', 'Service8x64',
+              'Service10_15063x64', 'Service10_16299x64', 'Service10_18362x64']
+    conditions = {'os': lambda x: x == 'windows',
+                  'major': lambda x: x == 6,
+                  'minor': lambda x: x == 4,
+                  'build': lambda x: x >= 19041,
+                  'memory_model': lambda x: x == '64bit'}
+
+    def modification(self, profile):
+        profile.merge_overlay({
+            '_SERVICE_RECORD' : [ None, {
+            'DriverName' : [ 0x128, ['pointer', ['String', dict(encoding = 'utf16', length = 256)]]],
+            'ServiceProcess' : [ 0x128, ['pointer', ['_SERVICE_PROCESS']]],
+            } ],
+        })
+
 class Service8x86(obj.ProfileModification):
     """Service structures for Win8/8.1 32-bit"""
 
@@ -495,6 +514,28 @@ def modification(self, profile):
             } ],
         })
 
+class Service10_19041x86(obj.ProfileModification):
+    """Service structures for Win10 19041 (May 2020)"""
+
+    before = ['WindowsOverlay', 'WindowsObjectClasses', 'ServiceBase', 'ServiceVista', 'Service8x86',
+              'Service10_15063x86', 'Service10_16299x86', 'Service10_17763x86', 'Service10_18362x86']
+    conditions = {'os': lambda x: x == 'windows',
+                  'major': lambda x: x == 6,
+                  'minor': lambda x: x == 4,
+                  'build': lambda x: x >= 19041,
+                  'memory_model': lambda x: x == '32bit'}
+
+    def modification(self, profile):
+        profile.merge_overlay({
+            '_SERVICE_HEADER' : [ None, {
+            'ServiceRecord': [0x10, ['pointer', ['_SERVICE_RECORD']]],
+            }],
+            '_SERVICE_RECORD': [None, {
+            'DriverName': [0xc0, ['pointer', ['String', dict(encoding='utf16', length=256)]]],
+            'ServiceProcess': [0xc0, ['pointer', ['_SERVICE_PROCESS']]],
+            }],
+        })
+
 #--------------------------------------------------------------------------------
 # svcscan plugin 
 #--------------------------------------------------------------------------------

volatility/plugins/malware/timers.py

@@ -212,9 +212,17 @@ def calculate(self):
             # at _KPCR.PrcbData.TimerTable.TimerEntries (credits to Matt Suiche
             # for this one. See http://pastebin.com/FiRsGW3f).
             for kpcr in tasks.get_kdbg(addr_space).kpcrs():
-                for table in kpcr.ProcessorBlock.TimerTable.TimerEntries:
-                    for t in table.Entry.list_of_type("_KTIMER", "TimerListEntry"):
-                        timers.append(t)
+                # Starting with Win10 19041, there is another level of arrays holding the TimerListEntry items,
+                # along with a new TableState member in _KTIMER_TABLE
+                if hasattr(kpcr.ProcessorBlock.TimerTable, "TableState"):
+                    for table in kpcr.ProcessorBlock.TimerTable.TimerEntries:
+                        for table_entry in table:
+                            for t in table_entry.Entry.list_of_type("_KTIMER", "TimerListEntry"):
+                                timers.append(t)
+                else:
+                    for table in kpcr.ProcessorBlock.TimerTable.TimerEntries:
+                        for t in table.Entry.list_of_type("_KTIMER", "TimerListEntry"):
+                            timers.append(t)
 
         for timer in timers:
 

volatility/plugins/overlays/windows/win10.py

@@ -88,7 +88,9 @@ class Win10x64DTB(obj.ProfileModification):
     def modification(self, profile):
         build = profile.metadata.get("build", 0)
 
-        if build >= 18362:
+        if build >= 19041:
+            signature = "\x03\x00\x00\x00"
+        elif build >= 18362:
             signature = "\x03\x00\xb8\x00"
         else:
             signature = "\x03\x00\xb6\x00"
@@ -111,7 +113,9 @@ class Win10x86DTB(obj.ProfileModification):
     def modification(self, profile):
         build = profile.metadata.get("build", 0)
 
-        if build >= 15063:
+        if build >= 19041:
+            signature = "\x03\x00\x00\x00"
+        elif build >= 15063:
             signature = "\x03\x00\x2C\x00"
         else:
             signature = "\x03\x00\x2A\x00"
@@ -1072,6 +1076,16 @@ class Win10x86_18362(obj.Profile):
     _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x86_18362_vtypes'
     _md_product = ["NtProductWinNt"]
 
+class Win10x86_19041(obj.Profile):
+    """ A Profile for Windows 10 x86 (10.0.19041.0 / 2020-04-17) """
+    _md_memory_model = '32bit'
+    _md_os = 'windows'
+    _md_major = 6
+    _md_minor = 4
+    _md_build = 19041
+    _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x86_19041_vtypes'
+    _md_product = ["NtProductWinNt"]
+
 class Win10x64_15063(obj.Profile):
     """ A Profile for Windows 10 x64 (10.0.15063.0 / 2017-04-04) """
     _md_memory_model = '64bit'
@@ -1120,4 +1134,14 @@ class Win10x64_18362(obj.Profile):
     _md_minor = 4
     _md_build = 18362
     _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x64_18362_vtypes'
+    _md_product = ["NtProductWinNt"]
+
+class Win10x64_19041(obj.Profile):
+    """ A Profile for Windows 10 x64 (10.0.19041.0 / 2020-04-17) """
+    _md_memory_model = '64bit'
+    _md_os = 'windows'
+    _md_major = 6
+    _md_minor = 4
+    _md_build = 19041
+    _md_vtype_module = 'volatility.plugins.overlays.windows.win10_x64_19041_vtypes'
     _md_product = ["NtProductWinNt"]