[Vol-dev] get_symbol

Carl Pulley c.pulley at acme-labs.org.uk
Wed May 1 13:03:05 CDT 2013


Hi Pranjal,
  as promised, I've now released a plugin that wraps up pdbparse and so allows Windows symbol lookups.

Symbol files are automatically downloaded upon demand and stored within the Volatility cache directories. As all testing has currently been on OS X and Ubuntu boxes, (ironically) there may be issues in using the code within a Windows environment!

In the end, I didn't rework the name undecoration code (phew!). However, to avoid a possible segmentation fault, you currently need to apply a small patch when building pdbparse.

FYI, undecoration doesn't process exported strings (though this shouldn't be hard to do as these are currently recognised, but not decoded) and there's a small number of (template?) related function names that do not get undecorated (this is in common with Wine's undname.c code - pdbparse's src/undname.c is based on the same code).

Details of the (minor) pdbparse patch are here:

  https://code.google.com/p/pdbparse/issues/detail?id=13

and the plugin code is here:

  https://github.com/carlpulley/volatility/blob/master/symbols.py

Despite nomenclature, the idea is not to really use this code as a plugin! Either: extend the plugin (and so get access to its lookup method); or create an instance of the plugin's class and then call calculate (which will allow lookup to then be initialised and usable).

Hope that helps,

  Carl.
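The two usage patterns described in the message above (extend the plugin class to inherit its lookup method, or instantiate it and call calculate so that lookup becomes usable), illustrated here as an added, self-contained example that is not Carl's symbols.py and does not use Volatility or pdbparse. The class name SymbolsPlugin, the method names other than calculate and lookup, the module base and the symbol table are all constructed assumptions; the "download" step is simulated by an in-memory store so the example runs offline, but it keeps the cache-on-first-request behaviour the post describes.

```python
import bisect

# Constructed sample symbol table (not real ntoskrnl symbols):
# (pdb name, guid) -> list of (rva, symbol name).
CONSTRUCTED_PDB_STORE = {
    ("ntkrnlmp.pdb", "EXAMPLE-GUID-0001"): [
        (0x1000, "KeBugCheckEx"),
        (0x1040, "ExAllocatePoolWithTag"),
        (0x10C0, "?Foo@@YAHXZ"),   # decorated C++ name, constructed
    ],
}


def fetch_symbols(pdb_name, guid, cache):
    """Stand-in for on-demand symbol download: the first request for a
    (pdb, guid) pair fills the cache, later requests are served from it.
    The real plugin fetches the PDB into Volatility's cache directory and
    parses it with pdbparse; here we read a constructed in-memory store."""
    key = (pdb_name, guid)
    if key not in cache:
        cache[key] = sorted(CONSTRUCTED_PDB_STORE[key])   # sorted by RVA
    return cache[key]


class SymbolsPlugin:
    """Hypothetical stand-in for the plugin class described in the post.
    lookup() is only usable once calculate() has populated the tables."""

    # Constructed kernel module: (name, base, size, pdb, guid)
    MODULES = [("ntoskrnl.exe", 0xFFFFF80000000000, 0x2000,
                "ntkrnlmp.pdb", "EXAMPLE-GUID-0001")]

    def __init__(self):
        self._cache = {}
        self._tables = {}   # base -> (module name, size, rvas, names)

    def calculate(self):
        # A real plugin would walk the loaded modules of the memory image;
        # this example iterates the constructed MODULES list instead.
        for name, base, size, pdb, guid in self.MODULES:
            syms = fetch_symbols(pdb, guid, self._cache)
            rvas = [rva for rva, _ in syms]
            names = [sym for _, sym in syms]
            self._tables[base] = (name, size, rvas, names)
        return list(self._tables)

    def lookup(self, address):
        """Map a virtual address to (module, nearest preceding symbol,
        offset from that symbol), or None if no module/symbol covers it."""
        if not self._tables:
            raise RuntimeError("lookup() requires calculate() to run first")
        for base, (mod, size, rvas, names) in self._tables.items():
            if base <= address < base + size:
                rva = address - base
                i = bisect.bisect_right(rvas, rva) - 1
                if i < 0:
                    return None   # address precedes the first symbol
                return (mod, names[i], rva - rvas[i])
        return None


class AnnotatePlugin(SymbolsPlugin):
    """Pattern 1: extend the plugin so the subclass inherits lookup()."""

    def calculate(self):
        super().calculate()
        base = self.MODULES[0][1]
        return [self.lookup(base + off) for off in (0x1000, 0x1050, 0x0FFF)]


def pattern_two(address):
    """Pattern 2: instantiate the plugin and call calculate() before lookup()."""
    plugin = SymbolsPlugin()
    plugin.calculate()
    return plugin.lookup(address)


if __name__ == "__main__":
    print(AnnotatePlugin().calculate())
    print(pattern_two(0xFFFFF80000000000 + 0x10C8))
```

The lookup resolves an address to the nearest preceding symbol plus an offset, which is the usual form for annotating kernel addresses (e.g. a return address inside a function); the decorated name in the table is left as-is, matching the post's note that undecoration is a separate step.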
