# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
import volatility.plugins.malware.malfind as malfind
import volatility.plugins.mac.pstasks as pstasks
import volatility.plugins.mac.common as common
import volatility.utils as utils
import volatility.debug as debug
import volatility.obj as obj
import re
try:
import yara
has_yara = True
except ImportError:
has_yara = False
class MapYaraScanner(malfind.BaseYaraScanner):
"""A scanner over all memory regions of a process."""
def __init__(self, task = None, **kwargs):
"""Scan the process address space through the VMAs.
Args:
task: The task_struct object for this task.
"""
self.task = task
malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)
def scan(self, offset = 0, maxlen = None, max_size = None):
for map in self.task.get_proc_maps():
length = map.links.end - map.links.start
if max_size and length > max_size:
debug.warning("Skipping max size entry {0:#x} - {1:#x}".format(map.links.start, map.links.end))
continue
for match in malfind.BaseYaraScanner.scan(self, map.links.start, length):
yield match
class mac_yarascan(malfind.YaraScan):
"""Scan memory for yara signatures"""
def __init__(self, config, *args, **kwargs):
malfind.YaraScan.__init__(self, config, *args, **kwargs)
self._config.add_option('MAX-SIZE', short_option = 'M', default = 0x40000000, action = 'store', type = 'long', help = 'Set the maximum size (default is 1GB)')
@staticmethod
def is_valid_profile(profile):
return profile.metadata.get('os', 'Unknown').lower() == 'mac'
def filter_tasks(self):
tasks = pstasks.mac_tasks(self._config).allprocs()
if self._config.PID is not None:
try:
pidlist = [int(p) for p in self._config.PID.split(',')]
except ValueError:
debug.error("Invalid PID {0}".format(self._config.PID))
pids = [t for t in tasks if t.p_pid in pidlist]
if len(pids) == 0:
debug.error("Cannot find PID {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET".format(self._config.PID))
return pids
if self._config.NAME is not None:
try:
name_re = re.compile(self._config.NAME, re.I)
except re.error:
debug.error("Invalid name {0}".format(self._config.NAME))
names = [t for t in tasks if name_re.search(str(t.p_comm))]
if len(names) == 0:
debug.error("Cannot find name {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET".format(self._config.NAME))
return names
return tasks
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
common.set_plugin_members(self)
if self._config.KERNEL:
## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
if not common.is_64bit_capable(self.addr_space):
kernel_start = 0
else:
kernel_start = 0xc0000000
else:
vm_addr = self.addr_space.profile.get_symbol("_vm_min_kernel_address")
kernel_start = obj.Object("unsigned long", offset = vm_addr, vm = self.addr_space)
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address - self._config.REVERSE, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
# Scan each process memory block
tasks = self.filter_tasks()
for task in tasks:
# skip kernel_task
if task.p_pid == 0:
continue
scanner = MapYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan(max_size = self._config.MAX_SIZE):
yield (task, address - self._config.REVERSE, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
def render_text(self, outfd, data):
for task, address, hit, buf in data:
if task:
outfd.write("Task: {0} pid {1} rule {2} addr {3:#x}\n".format(
task.p_comm, task.p_pid, hit.rule, address))
else:
outfd.write("[kernel] rule {0} addr {1:#x}\n".format(hit.rule, address))
outfd.write("".join(["{0:#018x} {1:<48} {2}\n".format(
address + o, h, ''.join(c)) for o, h, c in utils.Hexdump(buf)]))
