def test_number_of_mappings(self):
""" check the number of mappings on 3 processes """
#check vad numbers with
#vol.py -f /home/jal/outputs/vol/zeus.vmem -p 856 vadwalk |wc -l
#5 headers lines to be removed from count
#
#analysis here:
#https://malwarereversing.wordpress.com/2011/09/23/zeus-analysis-in-volatility-2-0/
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 856
# PID 856 has 176 _memory_handler
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
self.assertEquals(len(memory_handler.get_mappings()), 176)
# testing that we can use the Mapper twice in a row, without breaking
# volatility
pid = 676
# PID 676 has 118 _memory_handler
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
self.assertEquals(len(memory_handler.get_mappings()), 118)
pid = 1668
# PID 1668 has 159 _memory_handler
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
self.assertEquals(len(memory_handler.get_mappings()), 159)
def test_is_heaps_856(self):
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 856
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
finder = memory_handler.get_heap_finder()
walkers = finder.list_heap_walkers()
self.assertEquals(len(walkers), len(zeus_856_svchost_exe.known_heaps))
for addr, size in zeus_856_svchost_exe.known_heaps:
heap_walker = finder.get_heap_walker(addr)
self.assertIsNotNone(heap_walker)
heap_addr = heap_walker.get_heap_address()
self.assertEqual(heap_addr, addr)
def test_is_heaps_856(self):
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 856
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
finder = memory_handler.get_heap_finder()
heaps = finder.get_heap_mappings()
self.assertEquals(len(heaps), len(zeus_856_svchost_exe.known_heaps))
for addr, size in zeus_856_svchost_exe.known_heaps:
heap = memory_handler.get_mapping_for_address(addr)
self.assertTrue(heap.is_marked_as_heap())
heap_addr = heap.get_marked_heap_address()
self.assertTrue(heap_addr is not None)
self.assertTrue(finder._is_heap(heap, heap_addr))
def test_read_mem(self):
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 888 # wscntfy.exe
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
self.assertEquals(len(memory_handler.get_mappings()), 51)
self.assertEquals(memory_handler.get_target_platform().get_os_name(),
'winxp')
ctypes = memory_handler.get_target_platform().get_target_ctypes()
from haystack.allocators.win32 import winxp_32
#print ctypes
for m in memory_handler.get_mappings():
data = m.read_word(m.start + 8)
if data == 0xeeffeeff:
# we have a heap
x = m.read_struct(m.start, winxp_32.HEAP)
#print x
self.assertEquals(ctypes.sizeof(x), 1416)
# print x
finder = memory_handler.get_heap_finder()
walkers = finder.list_heap_walkers()
def _init_volatility(volname, profile, pid):
mapper = VolatilityProcessMapper(volname, profile, pid)
_memory_handler = mapper.make_memory_handler()
return _memory_handler
