Python volatility.win32.tasks.find_module() Examples
The following are 30
code examples of volatility.win32.tasks.find_module().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.win32.tasks
, or try the search function
.
.
Example #1
| Source File: openioc_scan.py From openioc_scan with GNU General Public License v2.0 | 6 votes |
|
def extract_callbacks(self):
debug.info("[time-consuming task] extracting kernel callbacks...")
records = []
# added for default option values (filescan)
self._config.VIRTUAL = False
self._config.SHOW_UNALLOCATED = False
self._config.START = None
self._config.LENGTH = None
for (sym, cb, detail), mods, mod_addrs in callbacks.Callbacks.calculate(self):
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
type_name = '{0}'.format(sym)
#records.append((module.DllBase.v(), type_name, cb.v(), str(detail or "-")))
records.append((str(module.DllBase.v()), type_name, str(cb.v()), str(detail or "-")))
if len(records) == 0:
records.append(('dummy', 'dummy', 'dummy', 'dummy')) # insert dummy for done
self.cur.executemany("insert or ignore into kernel_mods_callbacks values (?, ?, ?, ?)", records)
return [record[1] for record in records if self.kmod.DllBase.v() == record[0]]
Example #2
| Source File: callbacks.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def render_text(self, outfd, data):
self.table_header(outfd,
[("Type", "36"),
("Callback", "[addrpad]"),
("Module", "20"),
("Details", ""),
])
for (sym, cb, detail), mods, mod_addrs in data:
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
## The original callbacks plugin searched driver objects
## if the owning module isn't found (Rustock.B). We leave that
## task up to the user this time, and will be incoporating
## some different module association methods later.
if module:
module_name = module.BaseDllName or module.FullDllName
else:
module_name = "UNKNOWN"
self.table_row(outfd, sym, cb, module_name, detail or "-")
Example #3
| Source File: callbacks.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def render_text(self, outfd, data):
self.table_header(outfd,
[("Type", "36"),
("Callback", "[addrpad]"),
("Module", "20"),
("Details", ""),
])
for (sym, cb, detail), mods, mod_addrs in data:
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
## The original callbacks plugin searched driver objects
## if the owning module isn't found (Rustock.B). We leave that
## task up to the user this time, and will be incoporating
## some different module association methods later.
if module:
module_name = module.BaseDllName or module.FullDllName
else:
module_name = "UNKNOWN"
self.table_row(outfd, sym, cb, module_name, detail or "-")
Example #4
| Source File: callbacks.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def render_text(self, outfd, data):
self.table_header(outfd,
[("Type", "36"),
("Callback", "[addrpad]"),
("Module", "20"),
("Details", ""),
])
for (sym, cb, detail), mods, mod_addrs in data:
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
## The original callbacks plugin searched driver objects
## if the owning module isn't found (Rustock.B). We leave that
## task up to the user this time, and will be incoporating
## some different module association methods later.
if module:
module_name = module.BaseDllName or module.FullDllName
else:
module_name = "UNKNOWN"
self.table_row(outfd, sym, cb, module_name, detail or "-")
Example #5
| Source File: malfind.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def _scan_kernel_memory(self, addr_space, rules):
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #6
| Source File: drivermodule.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
modlist = list(modules.lsmod(addr_space))
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
mod_addrs = sorted(mods.keys())
drivers = dtree.DriverIrp(self._config).calculate()
found_driver = "UNKNOWN"
if self._config.ADDR:
find_address = self._config.ADDR
found_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(find_address))
if found_module:
found_module = found_module.BaseDllName or found_module.FullDllName
else:
found_module = "UNKNOWN"
for driver in drivers:
if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
header = driver.get_object_header()
found_driver = header.NameInfo.Name
break
yield (found_module, found_driver)
else:
for driver in drivers:
driver_name = driver.get_object_header().NameInfo.Name
owning_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(driver.DriverStart))
if owning_module:
module_name = owning_module.BaseDllName or owning_module.FullDllName
else:
module_name = "UNKNOWN"
yield (module_name, driver_name)
Example #7
| Source File: sessions.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
# Kernel AS for looking up modules
kernel_space = utils.load_as(self._config)
# Modules sorted for address lookups
mods = dict((kernel_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(kernel_space))
mod_addrs = sorted(mods.keys())
for session in data:
outfd.write("*" * 50 + "\n")
outfd.write("Session(V): {0:x} ID: {1} Processes: {2}\n".format(
session.obj_offset,
session.SessionId,
len(list(session.processes())),
))
outfd.write("PagedPoolStart: {0:x} PagedPoolEnd {1:x}\n".format(
session.PagedPoolStart,
session.PagedPoolEnd,
))
for process in session.processes():
outfd.write(" Process: {0} {1} {2}\n".format(
process.UniqueProcessId,
process.ImageFileName,
process.CreateTime,
))
for image in session.images():
module = tasks.find_module(mods, mod_addrs, kernel_space.address_mask(image.Address))
outfd.write(" Image: {0:#x}, Address {1:x}, Name: {2}\n".format(
image.obj_offset,
image.Address,
str(module and module.BaseDllName or '')
))
Example #8
| Source File: idt.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
# Currently we only support x86. The x64 does still have a IDT
# but hooking is prohibited and results in bugcheck.
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
# Get the GDT for access to selector bases
gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
for i, entry in kpcr.idt_entries():
# Where the IDT entry points.
addr = entry.Address
# Per MITRE, add the GDT selector base if available.
# This allows us to detect sneaky attempts to hook IDT
# entries by changing the entry's GDT selector.
gdt_entry = gdt.get(entry.Selector.v())
if gdt_entry != None and "Code" in gdt_entry.Type:
addr += gdt_entry.Base
# Lookup the function's owner
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))
yield i, entry, addr, module
Example #9
| Source File: callbacks.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def generator(self, data):
for (sym, cb, detail), mods, mod_addrs in data:
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
## The original callbacks plugin searched driver objects
## if the owning module isn't found (Rustock.B). We leave that
## task up to the user this time, and will be incoporating
## some different module association methods later.
if module:
module_name = module.FullDllName or module.BaseDllName
else:
module_name = "UNKNOWN"
yield (0, [str(sym), Address(cb), str(module_name), str(detail or "-")])
Example #10
| Source File: drivermodule.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
modlist = list(modules.lsmod(addr_space))
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
mod_addrs = sorted(mods.keys())
drivers = dtree.DriverIrp(self._config).calculate()
found_driver = "UNKNOWN"
if self._config.ADDR:
find_address = self._config.ADDR
found_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(find_address))
if found_module:
found_module = found_module.BaseDllName or found_module.FullDllName
else:
found_module = "UNKNOWN"
for driver in drivers:
if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
header = driver.get_object_header()
found_driver = header.NameInfo.Name
break
yield (found_module, found_driver)
else:
for driver in drivers:
driver_name = str(driver.get_object_header().NameInfo.Name or '')
service_key = str(driver.DriverExtension.ServiceKeyName or '')
driver_name3 = str(driver.DriverName or '')
owning_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(driver.DriverStart))
if owning_module:
module_name = owning_module.BaseDllName or owning_module.FullDllName
else:
module_name = "UNKNOWN"
yield (module_name, driver_name, service_key, driver_name3)
Example #11
| Source File: sessions.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
# Kernel AS for looking up modules
kernel_space = utils.load_as(self._config)
# Modules sorted for address lookups
mods = dict((kernel_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(kernel_space))
mod_addrs = sorted(mods.keys())
for session in data:
outfd.write("*" * 50 + "\n")
outfd.write("Session(V): {0:x} ID: {1} Processes: {2}\n".format(
session.obj_offset,
session.SessionId,
len(list(session.processes())),
))
outfd.write("PagedPoolStart: {0:x} PagedPoolEnd {1:x}\n".format(
session.PagedPoolStart,
session.PagedPoolEnd,
))
for process in session.processes():
outfd.write(" Process: {0} {1} {2}\n".format(
process.UniqueProcessId,
process.ImageFileName,
process.CreateTime,
))
for image in session.images():
module = tasks.find_module(mods, mod_addrs, kernel_space.address_mask(image.Address))
outfd.write(" Image: {0:#x}, Address {1:x}, Name: {2}\n".format(
image.obj_offset,
image.Address,
str(module and module.BaseDllName or '')
))
Example #12
| Source File: malfind.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def _scan_kernel_memory(self, addr_space, rules):
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address - self._config.REVERSE, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #13
| Source File: memory.py From CuckooSploit with GNU General Public License v3.0 | 5 votes |
|
def callbacks(self):
"""Volatility callbacks plugin.
@see volatility/plugins/malware/callbacks.py
"""
log.debug("Executing Volatility callbacks plugin on "
"{0}".format(self.memdump))
self.__config()
results = []
command = self.plugins["callbacks"](self.config)
for (sym, cb, detail), mods, mod_addrs in command.calculate():
module = tasks.find_module(mods, mod_addrs, self.addr_space.address_mask(cb))
if module:
module_name = module.BaseDllName or module.FullDllName
else:
module_name = "UNKNOWN"
new = {
"type": str(sym),
"callback": hex(int(cb)),
"module": str(module_name),
"details": str(detail or "-"),
}
results.append(new)
return dict(config={}, data=results)
Example #14
| Source File: sessions.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
# Kernel AS for looking up modules
kernel_space = utils.load_as(self._config)
# Modules sorted for address lookups
mods = dict((kernel_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(kernel_space))
mod_addrs = sorted(mods.keys())
for session in data:
outfd.write("*" * 50 + "\n")
outfd.write("Session(V): {0:x} ID: {1} Processes: {2}\n".format(
session.obj_offset,
session.SessionId,
len(list(session.processes())),
))
outfd.write("PagedPoolStart: {0:x} PagedPoolEnd {1:x}\n".format(
session.PagedPoolStart,
session.PagedPoolEnd,
))
for process in session.processes():
outfd.write(" Process: {0} {1} {2}\n".format(
process.UniqueProcessId,
process.ImageFileName,
process.CreateTime,
))
for image in session.images():
module = tasks.find_module(mods, mod_addrs, kernel_space.address_mask(image.Address))
outfd.write(" Image: {0:#x}, Address {1:x}, Name: {2}\n".format(
image.obj_offset,
image.Address,
str(module and module.BaseDllName or '')
))
Example #15
| Source File: idt.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
# Currently we only support x86. The x64 does still have a IDT
# but hooking is prohibited and results in bugcheck.
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
# Get the GDT for access to selector bases
gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
for i, entry in kpcr.idt_entries():
# Where the IDT entry points.
addr = entry.Address
# Per MITRE, add the GDT selector base if available.
# This allows us to detect sneaky attempts to hook IDT
# entries by changing the entry's GDT selector.
gdt_entry = gdt.get(entry.Selector.v())
if gdt_entry != None and "Code" in gdt_entry.Type:
addr += gdt_entry.Base
# Lookup the function's owner
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))
yield i, entry, addr, module
Example #16
| Source File: openioc_scan.py From openioc_scan with GNU General Public License v2.0 | 5 votes |
|
def extract_IRP_info(self):
debug.info("[time-consuming task] extracting hooking module names in IRP array...")
records = []
# added for default option values (AbstractScanCommand)
self._config.VIRTUAL = False
self._config.SHOW_UNALLOCATED = False
self._config.START = None
self._config.LENGTH = None
mods = dict((self.kernel_space.address_mask(mod.DllBase), mod) for mod in win32.modules.lsmod(self.kernel_space))
mod_addrs = sorted(mods.keys())
for driver in devicetree.DriverIrp.calculate(self):
header = driver.get_object_header()
driver_name = str(header.NameInfo.Name or '')
for i, function in enumerate(driver.MajorFunction):
function = driver.MajorFunction[i]
module = tasks.find_module(mods, mod_addrs, self.kernel_space.address_mask(function))
if module:
module_name = str(module.BaseDllName or '')
else:
module_name = "Unknown"
#records.append((driver.DriverStart.v(), MAJOR_FUNCTIONS[i], function.v(), module_name))
records.append((str(driver.DriverStart.v()), str(MAJOR_FUNCTIONS[i]), str(function.v()), module_name))
self.cur.executemany("insert or ignore into kernel_mods_irp values (?, ?, ?, ?)", records)
return [record[3] for record in records if self.kmod.DllBase.v() == record[0]]
Example #17
| Source File: callbacks.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def get_alloc(self, addr_space):
'''
Mimics volatility's PPP plugin.
'''
import volatility.plugins.malware.callbacks as callbacks
import volatility.win32.tasks as tasks
# for conn in connections.Connections(self.vol.config).calculate():
vol_callback = callbacks.Callbacks(self.vol.config)
for (sym, cb, detail), mods, mod_addrs in vol_callback.calculate():
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
yield Callback(module, sym, cb, detail, 0)
Example #18
| Source File: idt.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
# Currently we only support x86. The x64 does still have a IDT
# but hooking is prohibited and results in bugcheck.
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
# Get the GDT for access to selector bases
gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
for i, entry in kpcr.idt_entries():
# Where the IDT entry points.
addr = entry.Address
# Per MITRE, add the GDT selector base if available.
# This allows us to detect sneaky attempts to hook IDT
# entries by changing the entry's GDT selector.
gdt_entry = gdt.get(entry.Selector.v())
if gdt_entry != None and "Code" in gdt_entry.Type:
addr += gdt_entry.Base
# Lookup the function's owner
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))
yield i, entry, addr, module
Example #19
| Source File: threads.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def check(self):
"""This check is True for system threads whose start address
do not map back to known/loaded kernel drivers."""
# Take the address space from any module object
addr_space = self.mods.values()[0].obj_vm
module = tasks.find_module(self.mods,
self.mod_addrs, addr_space.address_mask(self.thread.StartAddress))
return ('PS_CROSS_THREAD_FLAGS_SYSTEM' in self.flags and
module == None)
Example #20
| Source File: callbacks.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def generator(self, data):
for (sym, cb, detail), mods, mod_addrs in data:
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
## The original callbacks plugin searched driver objects
## if the owning module isn't found (Rustock.B). We leave that
## task up to the user this time, and will be incoporating
## some different module association methods later.
if module:
module_name = module.BaseDllName or module.FullDllName
else:
module_name = "UNKNOWN"
yield (0, [str(sym), Address(cb), str(module_name), str(detail or "-")])
Example #21
| Source File: idt.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
# Currently we only support x86. The x64 does still have a IDT
# but hooking is prohibited and results in bugcheck.
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
# Get the GDT for access to selector bases
gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
for i, entry in kpcr.idt_entries():
# Where the IDT entry points.
addr = entry.Address
# Per MITRE, add the GDT selector base if available.
# This allows us to detect sneaky attempts to hook IDT
# entries by changing the entry's GDT selector.
gdt_entry = gdt.get(entry.Selector.v())
if gdt_entry != None and "Code" in gdt_entry.Type:
addr += gdt_entry.Base
# Lookup the function's owner
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))
yield i, entry, addr, module
Example #22
| Source File: sessions.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
# Kernel AS for looking up modules
kernel_space = utils.load_as(self._config)
# Modules sorted for address lookups
mods = dict((kernel_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(kernel_space))
mod_addrs = sorted(mods.keys())
for session in data:
outfd.write("*" * 50 + "\n")
outfd.write("Session(V): {0:x} ID: {1} Processes: {2}\n".format(
session.obj_offset,
session.SessionId,
len(list(session.processes())),
))
outfd.write("PagedPoolStart: {0:x} PagedPoolEnd {1:x}\n".format(
session.PagedPoolStart,
session.PagedPoolEnd,
))
for process in session.processes():
outfd.write(" Process: {0} {1} {2}\n".format(
process.UniqueProcessId,
process.ImageFileName,
process.CreateTime,
))
for image in session.images():
module = tasks.find_module(mods, mod_addrs, kernel_space.address_mask(image.Address))
outfd.write(" Image: {0:#x}, Address {1:x}, Name: {2}\n".format(
image.obj_offset,
image.Address,
str(module and module.BaseDllName or '')
))
Example #23
| Source File: malfind.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def _scan_kernel_memory(self, addr_space, rules):
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #24
| Source File: threads.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def check(self):
"""This check is True for system threads whose start address
do not map back to known/loaded kernel drivers."""
# Take the address space from any module object
addr_space = self.mods.values()[0].obj_vm
module = tasks.find_module(self.mods,
self.mod_addrs, addr_space.address_mask(self.thread.StartAddress))
return ('PS_CROSS_THREAD_FLAGS_SYSTEM' in self.flags and
module == None)
Example #25
| Source File: callbacks.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def generator(self, data):
for (sym, cb, detail), mods, mod_addrs in data:
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
## The original callbacks plugin searched driver objects
## if the owning module isn't found (Rustock.B). We leave that
## task up to the user this time, and will be incoporating
## some different module association methods later.
if module:
module_name = module.BaseDllName or module.FullDllName
else:
module_name = "UNKNOWN"
yield (0, [str(sym), Address(cb), str(module_name), str(detail or "-")])
Example #26
| Source File: idt.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
# Currently we only support x86. The x64 does still have a IDT
# but hooking is prohibited and results in bugcheck.
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
# Get the GDT for access to selector bases
gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
for i, entry in kpcr.idt_entries():
# Where the IDT entry points.
addr = entry.Address
# Per MITRE, add the GDT selector base if available.
# This allows us to detect sneaky attempts to hook IDT
# entries by changing the entry's GDT selector.
gdt_entry = gdt.get(entry.Selector.v())
if gdt_entry != None and "Code" in gdt_entry.Type:
addr += gdt_entry.Base
# Lookup the function's owner
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))
yield i, entry, addr, module
Example #27
| Source File: sessions.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def render_text(self, outfd, data):
# Kernel AS for looking up modules
kernel_space = utils.load_as(self._config)
# Modules sorted for address lookups
mods = dict((kernel_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(kernel_space))
mod_addrs = sorted(mods.keys())
for session in data:
outfd.write("*" * 50 + "\n")
outfd.write("Session(V): {0:x} ID: {1} Processes: {2}\n".format(
session.obj_offset,
session.SessionId,
len(list(session.processes())),
))
outfd.write("PagedPoolStart: {0:x} PagedPoolEnd {1:x}\n".format(
session.PagedPoolStart,
session.PagedPoolEnd,
))
for process in session.processes():
outfd.write(" Process: {0} {1} {2}\n".format(
process.UniqueProcessId,
process.ImageFileName,
process.CreateTime,
))
for image in session.images():
module = tasks.find_module(mods, mod_addrs, kernel_space.address_mask(image.Address))
outfd.write(" Image: {0:#x}, Address {1:x}, Name: {2}\n".format(
image.obj_offset,
image.Address,
str(module and module.BaseDllName or '')
))
Example #28
| Source File: devicetree.py From vortessence with GNU General Public License v2.0 | 4 votes |
|
def render_text(self, outfd, data):
addr_space = utils.load_as(self._config)
# Compile the regular expression for filtering by driver name
if self._config.regex != None:
mod_re = re.compile(self._config.regex, re.I)
else:
mod_re = None
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
bits = addr_space.profile.metadata.get('memory_model', '32bit')
self.table_header(None, [('i', ">4"),
('Funcs', "36"),
('addr', '[addrpad]'),
('name', '')
])
for driver in data:
header = driver.get_object_header()
driver_name = str(header.NameInfo.Name or '')
# Continue if a regex was supplied and it doesn't match
if mod_re != None:
if not (mod_re.search(driver_name) or
mod_re.search(driver_name)): continue
# Write the standard header for each driver object
outfd.write("{0}\n".format("-" * 50))
outfd.write("DriverName: {0}\n".format(driver_name))
outfd.write("DriverStart: {0:#x}\n".format(driver.DriverStart))
outfd.write("DriverSize: {0:#x}\n".format(driver.DriverSize))
outfd.write("DriverStartIo: {0:#x}\n".format(driver.DriverStartIo))
# Write the address and owner of each IRP function
for i, function in enumerate(driver.MajorFunction):
function = driver.MajorFunction[i]
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
if module:
module_name = str(module.BaseDllName or '')
else:
module_name = "Unknown"
# This is where we check for inline hooks once the
# ApiHooks plugin is ported to 2.1.
self.table_row(outfd, i, MAJOR_FUNCTIONS[i], function, module_name)
if self._config.verbose:
data = addr_space.zread(function, 64)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data,
start = function, bits = bits, stoponret = True)
]))
outfd.write("\n")
Example #29
| Source File: devicetree.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def render_text(self, outfd, data):
addr_space = utils.load_as(self._config)
# Compile the regular expression for filtering by driver name
if self._config.regex != None:
mod_re = re.compile(self._config.regex, re.I)
else:
mod_re = None
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
bits = addr_space.profile.metadata.get('memory_model', '32bit')
self.table_header(None, [('i', ">4"),
('Funcs', "36"),
('addr', '[addrpad]'),
('name', '')
])
for driver in data:
header = driver.get_object_header()
driver_name = str(header.NameInfo.Name or '')
# Continue if a regex was supplied and it doesn't match
if mod_re != None:
if not (mod_re.search(driver_name) or
mod_re.search(driver_name)): continue
# Write the standard header for each driver object
outfd.write("{0}\n".format("-" * 50))
outfd.write("DriverName: {0}\n".format(driver_name))
outfd.write("DriverStart: {0:#x}\n".format(driver.DriverStart))
outfd.write("DriverSize: {0:#x}\n".format(driver.DriverSize))
outfd.write("DriverStartIo: {0:#x}\n".format(driver.DriverStartIo))
# Write the address and owner of each IRP function
for i, function in enumerate(driver.MajorFunction):
function = driver.MajorFunction[i]
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
if module:
module_name = str(module.BaseDllName or '')
else:
module_name = "Unknown"
# This is where we check for inline hooks once the
# ApiHooks plugin is ported to 2.1.
self.table_row(outfd, i, MAJOR_FUNCTIONS[i], function, module_name)
if self._config.verbose:
data = addr_space.zread(function, 64)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data,
start = function, bits = bits, stoponret = True)
]))
outfd.write("\n")
Example #30
| Source File: ssdt.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def render_text(self, outfd, data):
addr_space = utils.load_as(self._config)
syscalls = addr_space.profile.syscalls
bits32 = addr_space.profile.metadata.get('memory_model', '32bit') == '32bit'
# Print out the entries for each table
for idx, table, n, vm, mods, mod_addrs in data:
outfd.write("SSDT[{0}] at {1:x} with {2} entries\n".format(idx, table, n))
for i in range(n):
if bits32:
# These are absolute function addresses in kernel memory.
syscall_addr = obj.Object('address', table + (i * 4), vm).v()
else:
# These must be signed long for x64 because they are RVAs relative
# to the base of the table and can be negative.
offset = obj.Object('long', table + (i * 4), vm).v()
# The offset is the top 20 bits of the 32 bit number.
syscall_addr = table + (offset >> 4)
try:
syscall_name = syscalls[idx][i]
except IndexError:
syscall_name = "UNKNOWN"
syscall_mod = tasks.find_module(mods, mod_addrs, addr_space.address_mask(syscall_addr))
if syscall_mod:
syscall_modname = syscall_mod.BaseDllName
else:
syscall_modname = "UNKNOWN"
outfd.write(" Entry {0:#06x}: {1:#x} ({2}) owned by {3}\n".format(idx * 0x1000 + i,
syscall_addr,
syscall_name,
syscall_modname))
## check for inline hooks if in --verbose mode, we're analyzing
## an x86 model system and the sycall_mod is available
if (self._config.VERBOSE and
addr_space.profile.metadata.get('memory_model', '32bit') == '32bit' and
syscall_mod is not None):
## leverage this static method from apihooks
ret = apihooks.ApiHooks.check_inline(va = syscall_addr, addr_space = vm,
mem_start = syscall_mod.DllBase,
mem_end = syscall_mod.DllBase + syscall_mod.SizeOfImage)
## could not analyze the memory
if ret == None:
continue
(hooked, data, dest_addr) = ret
## the function isn't hooked
if not hooked:
continue
## we found a hook, try to resolve the hooker. no mask required because
## we currently only work on x86 anyway
hook_mod = tasks.find_module(mods, mod_addrs, dest_addr)
if hook_mod:
hook_name = hook_mod.BaseDllName
else:
hook_name = "UNKNOWN"
## report it now
outfd.write(" ** INLINE HOOK? => {0:#x} ({1})\n".format(dest_addr, hook_name))
