Add disassembly and perform some cleanup

Oliver Old · web-flow · commit 2e082dcc63c6 · 2020-07-02T00:33:00.000+02:00
diff --git a/volatility/plugins/overlays/windows/win10.py b/volatility/plugins/overlays/windows/win10.py
@@ -228,12 +228,19 @@ def findcookie(self, kernel_space):
                 return False
             # Did not find nt!ObGetObjectType, trying with YARA instead.
             if model == "32bit":
-                s = "8B FF 55 8B EC 8B 4D 08 8D 41 E8"
+                # 8bff   mov edi, edi
+                # 55     push ebp
+                # 8bec   mov ebp, esp
+                # 8b4d08 mov ecx, dword ptr [ebp + 8]
+                # 8d41e8 lea eax, dword ptr [ecx - 0x18]
+                nt_ObGetObjectType_signature = "8bff 55 8bec 8b4d08 8d41e8"
             else:
-                s = "48 8D 41 D0 0F B6 49 E8"
-            rules = yara.compile(sources = {
-                'n': 'rule r1 {strings: $a = {' + s + '} condition: $a}'
-            })
+                # 488d41d0 lea rax, qword ptr [rcx - 0x30]
+                # 0fb649e8 movzx ecx, byte ptr [rcx - 0x18]
+                nt_ObGetObjectType_signature = "488d41d0 0fb649e8"
+            rule = 'rule r1 {strings: $a = {%s} condition: $a}' \
+                % nt_ObGetObjectType_signature
+            rules = yara.compile(source = rule)
             scanner = malfind.DiscontigYaraScanner(
                 address_space = kernel_space,
                 rules = rules)
