nitro.backends.windows package

Submodules

nitro.backends.windows.arguments module

class nitro.backends.windows.arguments.WindowsArgumentMap(event, process)

Bases: nitro.backends.arguments.ArgumentMap

WindowsArgumentMap provides read and write access to system call arguments.

CONVENTION = {<SyscallType.syscall: 1>: [(<SyscallArgumentType.register: 0>, 'rcx'), (<SyscallArgumentType.register: 0>, 'rdx'), (<SyscallArgumentType.register: 0>, 'r8'), (<SyscallArgumentType.register: 0>, 'r9'), (<SyscallArgumentType.memory: 1>, 5)]}

nitro.backends.windows.backend module

class nitro.backends.windows.backend.WindowsBackend(domain, libvmi, listener, syscall_filtering=True)

Bases: nitro.backends.backend.Backend

Extract information about system calls produced by the guest. This backend supports 66-bit Windows 7 guests.

add_syscall_filter(syscall_name)

associate_process(cr3)

define_hook(name, callback, direction=<SyscallDirection.enter: 0>)

find_eprocess(cr3)

find_syscall_nb(syscall_name)

get_syscall_name(rax)

load_symbols()

nb_vcpu

pdbase_offset

process_event(event)

processes

remove_syscall_filter(syscall_name)

sdt

symbols

syscall_stack

tasks_offset

undefine_hook(name, direction=<SyscallDirection.enter: 0>)

nitro.backends.windows.backend.clean_name(name)

nitro.backends.windows.process module

class nitro.backends.windows.process.WindowsProcess(libvmi, cr3, eproc, symbols)

Bases: nitro.backends.process.Process

as_dict()

command_line

create_time

eproc

iswow64

name

parent_pid

path

pid

symbols

nitro.backends.windows.types module

class nitro.backends.windows.types.AccessMask(desired_access)

Bases: object

STANDARD_RIGHTS = [(65536, 'DELETE'), (131072, 'READ_CONTROL'), (262144, 'WRITE_DAC'), (524288, 'WRITE_OWNER'), (1048576, 'SYNCHRONIZE'), (16777216, 'ACCESS_SYSTEM_SECURITY'), (33554432, 'MAXIMUM_ALLOWED'), (268435456, 'GENERIC_ALL'), (536870912, 'GENERIC_EXECUTE'), (1073741824, 'GENERIC_WRITE'), (2147483648, 'GENERIC_READ')]

class nitro.backends.windows.types.ClientID(addr, process)

Bases: nitro.backends.windows.types.WinStruct

UniqueProcess

UniqueThread

class nitro.backends.windows.types.FileAccessMask(desired_access)

Bases: nitro.backends.windows.types.AccessMask

SPECIFIC_RIGHTS = [(1, 'FILE_READ_DATA'), (2, 'FILE_WRITE_DATA'), (4, 'FILE_APPEND_DATA'), (8, 'FILE_READ_EA'), (16, 'FILE_WRITE_EA'), (32, 'FILE_EXECUTE'), (128, 'FILE_READ_ATTRIBUTES'), (256, 'FILE_WRITE_ATTRIBUTES')]

class nitro.backends.windows.types.FileBasicInformation(addr, process)

Bases: nitro.backends.windows.types.WinStruct

ChangeTime

CreationTime

FileAttributes

LastAccessTime

LastWriteTime

class nitro.backends.windows.types.FileDispositionInformation(addr, process)

Bases: nitro.backends.windows.types.WinStruct

DeleteFile

class nitro.backends.windows.types.FileRenameInformation(addr, process)

Bases: nitro.backends.windows.types.WinStruct

FileName

FileNameLength

ReplaceIfExists

RootDirectory

exception nitro.backends.windows.types.InconsistentMemoryError

Bases: Exception

class nitro.backends.windows.types.LargeInteger(addr, process)

Bases: nitro.backends.windows.types.WinStruct

HighPartQuadPart

LowPart

class nitro.backends.windows.types.ObjectAttributes(addr, process)

Bases: nitro.backends.windows.types.WinStruct

Length

ObjectName

RootDirectory

class nitro.backends.windows.types.PEB(addr, process)

Bases: nitro.backends.windows.types.WinStruct

ProcessParameters

class nitro.backends.windows.types.RtlUserProcessParameters(addr, process)

Bases: nitro.backends.windows.types.WinStruct

CommandLine

ImagePathName

class nitro.backends.windows.types.UnicodeString(addr, process)

Bases: nitro.backends.windows.types.WinStruct

Buffer

Length

MaximumLength

class nitro.backends.windows.types.WinStruct(addr, process)

Bases: object

Module contents