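// Extract the bundled 32-bit driver to disk so that it can be loaded.
//
// When no driver filename has been configured, a fresh temporary file is
// created under the user's temp directory, remembered via
// set_driver_filename() and flagged as a tempfile so it can be removed
// later.  Selecting the acquisition mode happens here as well, because
// 32-bit acquisition defaults to the physical device.
//
// Returns: the result of extract_file_() on success, or -1 when no usable
// temporary path/file could be obtained.
int WinPmem32::extract_driver() {
  // 32 bit acquisition defaults to physical device.
  default_mode_ = PMEM_MODE_PHYSICAL;

  if (!driver_filename_) {
    TCHAR path[MAX_PATH + 1];
    TCHAR filename[MAX_PATH + 1];

    // Gets the temp path env string (no guarantee it's a valid path).
    if (!GetTempPath(MAX_PATH, path)) {
      dprintf("[WINPMEM] Unable to determine temporary path.");
      return -1;
    }

    // GetTempFileName returns 0 on failure, in which case `filename` holds
    // nothing usable - do not fall through and extract into it.
    if (!GetTempFileName(path, service_name, 0, filename)) {
      dprintf("[WINPMEM] Unable to create temporary driver file.");
      return -1;
    }

    // NOTE(review): GetTempPath resolves from the TMP/TEMP environment, so
    // the extracted driver sits in a user-writable directory until it is
    // loaded - confirm the loader copes with that.
    set_driver_filename(filename);
    driver_is_tempfile_ = true;
  }

  dprintf("[WINPMEM] Extracting driver to %S", driver_filename_);
  return extract_file_(WINPMEM_32BIT_DRIVER, driver_filename_);
}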
// Load path for the 32-bit driver: select the physical-device acquisition
// mode (the 32-bit default) and hand off to the single-argument
// extract_file_() overload, whose result is returned.
__int64 WinPmem32::load_driver_() {
  default_mode_ = PMEM_MODE_PHYSICAL;  // 32 bit acquisition defaults to physical device.
  const __int64 extract_result = extract_file_(WINPMEM_32BIT_DRIVER);
  return extract_result;
}
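// Copy the pagefile to the current place in the output file.
//
// The bundled fcat helper is extracted to a temporary file and run as a
// child process with its stdout redirected into a pipe; everything it emits
// is appended to the image at out_fd_, advancing out_offset.  A PMEM
// metadata header describing where the pagefile landed is written afterwards
// regardless of whether the copy succeeded, so the image stays
// self-describing (PagefileSize is then whatever was actually copied).
//
// Side effects: out_offset advances by the bytes written; the temporary
// fcat file, if it was created, is deleted again before returning.
void WinPmem::write_page_file() {
  unsigned __int64 pagefile_offset = out_offset;
  TCHAR path[MAX_PATH + 1];
  TCHAR filename[MAX_PATH + 1];
  // Declared up front so the error path never jumps past an initialisation
  // (ill-formed C++), and so cleanup can tell what was actually created.
  bool tempfile_created = false;
  HANDLE stdout_rd = NULL;
  HANDLE stdout_wr = NULL;
  SECURITY_ATTRIBUTES saAttr;
  WCHAR command_line[1000];

  if (!GetTempPath(MAX_PATH, path)) {
    dprintf("[WINPMEM] Unable to determine temporary path.");
    goto error;
  }

  // filename is now the random path.  A zero return means `filename` was
  // never filled in, so it must neither be used nor deleted.
  if (!GetTempFileName(path, L"fls", 0, filename)) {
    dprintf("[WINPMEM] Unable to create temporary file for fcat.");
    goto error;
  }
  tempfile_created = true;

  // %S: wide string inside a narrow format, as in extract_driver().
  dprintf("[WINPMEM] Extracting fcat to %S", filename);
  if (extract_file_(WINPMEM_FCAT_EXECUTABLE, filename) < 0) {
    goto error;
  }

  saAttr.nLength = sizeof(SECURITY_ATTRIBUTES);
  saAttr.bInheritHandle = TRUE;
  saAttr.lpSecurityDescriptor = NULL;

  // Create a pipe for the child process's STDOUT.
  if (!CreatePipe(&stdout_rd, &stdout_wr, &saAttr, 0)) {
    dprintf("[WINPMEM] StdoutRd CreatePipe");
    goto error;
  }

  // Ensure the read handle to the pipe for STDOUT is not inherited.
  SetHandleInformation(stdout_rd, HANDLE_FLAG_INHERIT, 0);

  // Build "<fcat> <path-without-drive> \\.\<path>".  &pagefile_path_[3]
  // presumes the path starts with a drive prefix such as "C:\" -- TODO
  // confirm whoever sets pagefile_path_ guarantees that.  A negative result
  // means the command line was truncated; running a truncated command is
  // worse than running none.
  if (swprintf(command_line, sizeof(command_line) / sizeof(command_line[0]),
               L"%s %s \\\\.\\%s", filename, &pagefile_path_[3],
               pagefile_path_) < 0) {
    dprintf("[WINPMEM] Command line for fcat is too long.");
    goto error;
  }

  // NOTE(review): CreateChildProcess is not visible here, so whether it
  // closes stdout_wr after spawning is not confirmed.  The read loop below
  // only ends when ReadFile fails, which for a pipe happens once every
  // write handle is closed.
  CreateChildProcess(command_line, stdout_wr);

  dprintf("[WINPMEM] Preparing to read pagefile.");

  while (1) {
    DWORD bytes_read = buffer_size_;
    DWORD bytes_written = 0;

    // A failed ReadFile (broken pipe once the child is done) is the normal
    // way out of this loop.
    if (!ReadFile(stdout_rd, buffer_, bytes_read, &bytes_read, NULL)) {
      break;
    }

    if (!WriteFile(out_fd_, buffer_, bytes_read, &bytes_written, NULL) ||
        bytes_written != bytes_read) {
      dprintf("[WINPMEM] Failed to write image file");
      goto error;
    }

    out_offset += bytes_written;
  }

 error:
  // Write another metadata header, even after a failed copy, so the output
  // stays parseable.
  {
    char metadata[1000];
    _snprintf_s(metadata, sizeof(metadata), _TRUNCATE,
                "# PMEM\n"
                "---\n"
                "PreviousHeader: %#llx\n"
                "PagefileOffset: %#llx\n"
                "PagefileSize: %#llx\n"
                "...\n",
                last_header_offset_, pagefile_offset,
                out_offset - pagefile_offset);

    DWORD metadata_len = (DWORD)strlen(metadata);
    DWORD bytes_written = 0;

    if (!WriteFile(out_fd_, metadata, metadata_len, &bytes_written, NULL) ||
        bytes_written != metadata_len) {
      dprintf("[WINPMEM] Failed to write image file");
    }
    // Advance by what actually landed in the file, even on a short write.
    out_offset += bytes_written;
  }

  // The read end is used only by this process, so it is ours to close.
  if (stdout_rd != NULL) {
    CloseHandle(stdout_rd);
  }
  // Only delete the temp file if one was actually created; otherwise
  // `filename` is uninitialised.
  if (tempfile_created) {
    DeleteFile(filename);
  }
}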
// Load path for the 64-bit driver: select the PTE acquisition mode (the
// 64-bit default) and hand off to the single-argument extract_file_()
// overload, whose result is returned.
__int64 WinPmem64::load_driver_() {
  default_mode_ = PMEM_MODE_PTE;  // 64 bit drivers use PTE acquisition by default.
  const __int64 extract_result = extract_file_(WINPMEM_64BIT_DRIVER);
  return extract_result;
}