#!/usr/bin/env python
from memutil import virt2phys, PagedOutException
from general import get_flags
from struct import unpack, calcsize
# Bit layout of the first 32-bit word of a handle table entry, as used by
# Handle below: the low three bits carry per-handle flags, the remaining
# bits carry the object header pointer.
HANDLE_FLAGS = {
    # Top bit; Handle ORs it back into the pointer after masking.
    "Locked": 0x80000000,
    # Not a flag: mask that strips the three low flag bits from the pointer.
    "ObjectHeaderMask": 0xFFFFFFF8,
    "Audit": 0x00000004,
    "Inheritable": 0x00000002,
    "Protect": 0x00000001,
}
class ObjectHeader:
    """Location of an object header inside a memory image.

    The constructor only records where the header lives; nothing is read
    from the image and no header fields are decoded here.
    """

    def __init__(self, memdump, pdba, address):
        """Store the image, the translation context and the header address.

        Args:
            memdump: memory image object the header belongs to.
            pdba: value later needed for address translation
                (presumably the page directory base address; confirm).
            address: address of the object header, as supplied by the caller.
        """
        self.memdump, self.pdba, self.address = memdump, pdba, address
class ObjectType:
    """Empty placeholder class; it defines no attributes or behaviour."""
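class Handle:
    """One 8-byte handle table entry decoded from a memory image.

    The entry is read as two little-endian 32-bit words. The first word
    holds the object header pointer with three flag bits in its low bits;
    a first word of zero marks the entry as free.

    Attributes:
        free: True when the first word of the entry is zero.
        object_header: ObjectHeader for the referenced object, or None
            for a free entry.
        flags: the Audit/Inheritable/Protect bits of the entry, 0 for a
            free entry.
    """

    def __init__(self, memdump, pdba, str):
        """Decode a single handle table entry.

        Args:
            memdump: memory image object, stored and handed to ObjectHeader.
            pdba: translation context handed to ObjectHeader
                (presumably the page directory base address; confirm).
            str: 8 bytes of handle table entry data. The name shadows the
                builtin but is kept so existing callers keep working.

        Raises:
            struct.error: if ``str`` is not exactly 8 bytes long.
        """
        self.pdba = pdba
        self.memdump = memdump

        # Give free entries the same attribute set as used ones, so that
        # getFlags() and attribute access do not raise AttributeError when
        # a caller walks every entry of a table taken from an image.
        self.object_header = None
        self.flags = 0

        # The second word (access_mask in the original code) is decoded
        # but not used by this class.
        address, _access_mask = unpack("<LL", str)

        self.free = address == 0
        if self.free:
            return

        # Strip the three low flag bits, then force the top bit back on to
        # rebuild the pointer that is stored in the entry.
        obj_addr = (address & HANDLE_FLAGS["ObjectHeaderMask"]) | HANDLE_FLAGS["Locked"]
        self.object_header = ObjectHeader(memdump, pdba, obj_addr)
        self.flags = address & (
            HANDLE_FLAGS["Audit"]
            | HANDLE_FLAGS["Inheritable"]
            | HANDLE_FLAGS["Protect"]
        )

    def getFlags(self):
        """Return get_flags() for this entry's flag bits.

        "ObjectHeaderMask" is excluded because it is a mask, not a flag.
        """
        return get_flags(self.flags, HANDLE_FLAGS, ignore=["ObjectHeaderMask"])

    def __str__(self):
        """Describe the entry: free, or the address of its object header."""
        if self.free:
            return "Free handle"
        return "Handle for obj@%08x" % self.object_header.address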
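class HandleTable:
    """Handle entries decoded from one 4096-byte block of a memory image.

    The table's virtual address is translated once with virt2phys and up
    to 4096 bytes are read from that physical offset; every complete
    8-byte slice becomes a Handle. Iterating the table yields the Handle
    objects in on-disk order, free entries included.
    """

    def __init__(self, memdump, pdba, address):
        """Read and decode the handle table located at ``address``.

        Args:
            memdump: seekable, readable memory image object.
            pdba: translation context passed to virt2phys
                (presumably the page directory base address; confirm).
            address: virtual address of the table.

        Nothing raised by virt2phys is caught here, so a translation
        failure propagates to the caller.
        """
        self.address = address
        self.pdba = pdba
        self.memdump = memdump

        # NOTE(review): only the start address is translated. If `address`
        # is not 4096-aligned, the read continues into whatever follows in
        # the image, which need not belong to the same virtual mapping.
        # Confirm that callers pass aligned addresses.
        address_real = virt2phys(memdump, pdba, address)
        memdump.seek(address_real)
        ht_data = memdump.read(4096)

        # A truncated or damaged image can return fewer than 4096 bytes.
        # Decode only complete 8-byte entries, so a short trailing
        # fragment is dropped instead of aborting with struct.error.
        usable = len(ht_data) - (len(ht_data) % 8)
        self.handles = [
            Handle(memdump, pdba, ht_data[offset:offset + 8])
            for offset in range(0, usable, 8)
        ]

    def __iter__(self):
        """Iterate over the decoded Handle objects."""
        return iter(self.handles)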