Beispiel #1
0
    def get_syscalls(self,
                     index_info=None,
                     get_hidden=False,
                     compute_name=True):
        linux_common.set_plugin_members(self)

        if get_hidden:
            hidden_mods = list(
                linux_hidden_modules.linux_hidden_modules(
                    self._config).calculate())
        else:
            hidden_mods = []

        if compute_name:
            visible_mods = linux_lsmod.linux_lsmod(self._config).calculate()
        else:
            visible_mods = []

        if index_info == None:
            index_info = self._find_and_parse_index_file()

        table_name = self.addr_space.profile.metadata.get(
            'memory_model', '32bit')
        sym_addrs = self.profile.get_all_addresses()
        sys_call_info = self._get_table_info("sys_call_table")
        addrs = [(table_name, sys_call_info)]

        # 64 bit systems with 32 bit emulation
        ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table")
        if ia32:
            ia32_info = self._get_table_info("ia32_sys_call_table")
            addrs.append(("32bit", ia32_info))

        for (table_name, (tableaddr, tblsz)) in addrs:
            table = obj.Object(theType='Array',
                               offset=tableaddr,
                               vm=self.addr_space,
                               targetType='unsigned long',
                               count=tblsz + 1)

            for (i, call_addr) in enumerate(table):
                if not call_addr:
                    continue

                idx_name = self._index_name(table_name, index_info, i)

                call_addr = int(call_addr)

                if not call_addr in sym_addrs:
                    hooked = 1
                    sym_name = self._compute_hook_sym_name(
                        visible_mods, hidden_mods, call_addr)
                else:
                    hooked = 0
                    sym_name = self.profile.get_symbol_by_address(
                        "kernel", call_addr)

                yield (tableaddr, table_name, i, idx_name, call_addr, sym_name,
                       hooked)
Beispiel #2
0
    def get_syscalls(self, index_info = None, get_hidden = False, compute_name = True):
        linux_common.set_plugin_members(self)

        if get_hidden:
            hidden_mods = list(linux_hidden_modules.linux_hidden_modules(self._config).calculate())
        else:
            hidden_mods = []    
   
        if compute_name:
            visible_mods = linux_lsmod.linux_lsmod(self._config).calculate()
        else:
            visible_mods = []

        if index_info == None:
            index_info = self._find_and_parse_index_file()

        table_name = self.addr_space.profile.metadata.get('memory_model', '32bit')
        sym_addrs = self.profile.get_all_addresses()
        sys_call_info = self._get_table_info("sys_call_table")
        addrs = [(table_name, sys_call_info)]

        # 64 bit systems with 32 bit emulation
        ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table")
        if ia32:
            ia32_info = self._get_table_info("ia32_sys_call_table")
            addrs.append(("32bit", ia32_info))

        for (table_name, (tableaddr, tblsz)) in addrs:
            table = obj.Object(theType = 'Array', offset = tableaddr, vm = self.addr_space, targetType = 'unsigned long', count = tblsz)

            for (i, call_addr) in enumerate(table):
                if not call_addr:
                    continue

                idx_name = self._index_name(table_name, index_info, i)

                call_addr = int(call_addr)

                if not call_addr in sym_addrs:
                    hooked = 1
                    sym_name = self._compute_hook_sym_name(visible_mods, hidden_mods, call_addr)
                else:
                    hooked = 0 
                    sym_name = self.profile.get_symbol_by_address("kernel", call_addr)

                yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked)
Beispiel #3
0
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = "LinuxDebian31604x64"
config.LOCATION = "vmi://debian-hvm"

# Other imports
import time

# Import Plugins

print "Checking for Malware"

# Retrieve hidden modules
import volatility.plugins.linux.hidden_modules as hiddenModulesPlugin
hiddenModulesData = hiddenModulesPlugin.linux_hidden_modules(config)

# Retrieve hidden af info
import volatility.plugins.linux.check_afinfo as afInfoPlugin
afInfoData = afInfoPlugin.linux_check_afinfo(config)

while True:
    for msg in hiddenModulesData.calculate():
        print "***Possible malware detected by checking for hidden modules***"
        print msg
        dir(msg)

    for msg in afInfoData.calculate():
        print "***Possible malware detected by checking for network connection tampering***"
        print msg
        dir(msg)
Beispiel #4
0
    def get_syscalls(self, index_lines = None, get_hidden = False):
        linux_common.set_plugin_members(self)

        if get_hidden:
            hidden_mods = list(linux_hidden_modules.linux_hidden_modules(self._config).calculate())
        else:
            hidden_mods = []    
    
        visible_mods = linux_lsmod.linux_lsmod(self._config).calculate()

        if not index_lines:
            index_lines = self._find_and_parse_index_file()

        if index_lines:
            index_names = {}
            for line in index_lines.split("\n"): 
                ents = line.split()

                if len(ents) == 3 and ents[0] == "#define":
                    name  = ents[1].replace("__NR_", "")

                    # "(__NR_timer_create+1)"
                    index = ents[2] 
                    if index[0] == "(":
                        index = self._find_index(index_names, index)
                    else:
                        index = int(index)
        
                    index_names[index] = name
        else:
            index_names = None

        table_name = self.addr_space.profile.metadata.get('memory_model', '32bit')
        sym_addrs = self.profile.get_all_addresses()
        sys_call_info = self._get_table_info("sys_call_table")
        addrs = [(table_name, sys_call_info)]

        # 64 bit systems with 32 bit emulation
        ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table")
        if ia32:
            ia32_info = self._get_table_info("ia32_sys_call_table")
            addrs.append(("32bit", ia32_info))

        for (table_name, (tableaddr, tblsz)) in addrs:
            table = obj.Object(theType = 'Array', offset = tableaddr, vm = self.addr_space, targetType = 'unsigned long', count = tblsz)

            for (i, call_addr) in enumerate(table):
                if not call_addr:
                    continue

                if index_names:
                    idx_name = self._index_name(index_names, i)
                else:
                    idx_name = ""

                call_addr = int(call_addr)

                if not call_addr in sym_addrs:
                    hooked = 1

                    sym_name = self._compute_hook_sym_name(visible_mods, hidden_mods, call_addr)
                else:
                    hooked = 0 
                    sym_name = self.profile.get_symbol_by_address("kernel", call_addr)

                yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked)
Beispiel #5
0
    def calculate(self):
        """ 
        This works by walking the system call table 
        and verifies that each is a symbol in the kernel
        """
        linux_common.set_plugin_members(self)

        if not has_distorm:
            debug.warning(
                "distorm not installed. The best method to calculate the system call table size will not be used."
            )

        if self._config.SYSCALL_INDEXES:
            if not os.path.exists(self._config.SYSCALL_INDEXES):
                debug.error("Given syscall indexes file does not exist!")

            index_names = {}

            for line in open(self._config.SYSCALL_INDEXES, "r").readlines():
                ents = line.split()
                if len(ents) == 3 and ents[0] == "#define":
                    name = ents[1].replace("__NR_", "")

                    # "(__NR_timer_create+1)"
                    index = ents[2]
                    if index[0] == "(":
                        index = self._find_index(index_names, index)
                    else:
                        index = int(index)

                    index_names[index] = name
        else:
            index_names = None

        hidden_mods = list(
            linux_hidden_modules.linux_hidden_modules(
                self._config).calculate())
        visible_mods = linux_lsmod.linux_lsmod(self._config).calculate()

        table_name = self.addr_space.profile.metadata.get(
            'memory_model', '32bit')
        sym_addrs = self.profile.get_all_addresses()
        sys_call_info = self._get_table_info("sys_call_table")
        addrs = [(table_name, sys_call_info)]

        # 64 bit systems with 32 bit emulation
        ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table")
        if ia32:
            ia32_info = self._get_table_info("ia32_sys_call_table")
            addrs.append(("32bit", ia32_info))

        for (table_name, (tableaddr, tblsz)) in addrs:
            table = obj.Object(theType='Array',
                               offset=tableaddr,
                               vm=self.addr_space,
                               targetType='unsigned long',
                               count=tblsz)

            for (i, call_addr) in enumerate(table):
                if not call_addr:
                    continue

                if index_names:
                    idx_name = self._index_name(index_names, i)
                else:
                    idx_name = ""

                call_addr = int(call_addr)

                if not call_addr in sym_addrs:
                    hooked = 1

                    sym_name = self._compute_hook_sym_name(
                        visible_mods, hidden_mods, call_addr)
                else:
                    hooked = 0
                    sym_name = self.profile.get_symbol_by_address(
                        "kernel", call_addr)

                yield (tableaddr, table_name, i, idx_name, call_addr, sym_name,
                       hooked)
Beispiel #6
0
    def get_syscalls(self, index_lines=None, get_hidden=False):
        linux_common.set_plugin_members(self)

        if get_hidden:
            hidden_mods = list(
                linux_hidden_modules.linux_hidden_modules(
                    self._config).calculate())
        else:
            hidden_mods = []

        visible_mods = linux_lsmod.linux_lsmod(self._config).calculate()

        if not index_lines:
            index_lines = self._find_and_parse_index_file()

        if index_lines:
            index_names = {}
            for line in index_lines.split("\n"):
                ents = line.split()

                if len(ents) == 3 and ents[0] == "#define":
                    name = ents[1].replace("__NR_", "")

                    # "(__NR_timer_create+1)"
                    index = ents[2]
                    if index[0] == "(":
                        index = self._find_index(index_names, index)
                    else:
                        index = int(index)

                    index_names[index] = name
        else:
            index_names = None

        table_name = self.addr_space.profile.metadata.get(
            'memory_model', '32bit')
        sym_addrs = self.profile.get_all_addresses()
        sys_call_info = self._get_table_info("sys_call_table")
        addrs = [(table_name, sys_call_info)]

        # 64 bit systems with 32 bit emulation
        ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table")
        if ia32:
            ia32_info = self._get_table_info("ia32_sys_call_table")
            addrs.append(("32bit", ia32_info))

        for (table_name, (tableaddr, tblsz)) in addrs:
            table = obj.Object(theType='Array',
                               offset=tableaddr,
                               vm=self.addr_space,
                               targetType='unsigned long',
                               count=tblsz)

            for (i, call_addr) in enumerate(table):
                if not call_addr:
                    continue

                if index_names:
                    idx_name = self._index_name(index_names, i)
                else:
                    idx_name = ""

                call_addr = int(call_addr)

                if not call_addr in sym_addrs:
                    hooked = 1

                    sym_name = self._compute_hook_sym_name(
                        visible_mods, hidden_mods, call_addr)
                else:
                    hooked = 0
                    sym_name = self.profile.get_symbol_by_address(
                        "kernel", call_addr)

                yield (tableaddr, table_name, i, idx_name, call_addr, sym_name,
                       hooked)
Beispiel #7
0
    def calculate(self):
        """ 
        This works by walking the system call table 
        and verifies that each is a symbol in the kernel
        """
        linux_common.set_plugin_members(self)

        if not has_distorm:
            debug.warning("distorm not installed. The best method to calculate the system call table size will not be used.")
                        
        if self._config.SYSCALL_INDEXES:
            if not os.path.exists(self._config.SYSCALL_INDEXES):
                debug.error("Given syscall indexes file does not exist!")

            index_names = {}

            for line in open(self._config.SYSCALL_INDEXES, "r").readlines():
                ents = line.split()
                if len(ents) == 3 and ents[0] == "#define":
                    name  = ents[1].replace("__NR_", "")

                    # "(__NR_timer_create+1)"
                    index = ents[2] 
                    if index[0] == "(":
                        index = self._find_index(index_names, index)
                    else:
                        index = int(index)
                    
                    index_names[index] = name
        else:
            index_names = None

        hidden_mods = list(linux_hidden_modules.linux_hidden_modules(self._config).calculate())
        visible_mods = linux_lsmod.linux_lsmod(self._config).calculate()

        table_name = self.addr_space.profile.metadata.get('memory_model', '32bit')
        sym_addrs = self.profile.get_all_addresses()
        sys_call_info = self._get_table_info("sys_call_table")
        addrs = [(table_name, sys_call_info)]

        # 64 bit systems with 32 bit emulation
        ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table")
        if ia32:
            ia32_info = self._get_table_info("ia32_sys_call_table")
            addrs.append(("32bit", ia32_info))

        for (table_name, (tableaddr, tblsz)) in addrs:
            table = obj.Object(theType = 'Array', offset = tableaddr, vm = self.addr_space, targetType = 'unsigned long', count = tblsz)

            for (i, call_addr) in enumerate(table):
                if not call_addr:
                    continue

                if index_names:
                    idx_name = self._index_name(index_names, i)
                else:
                    idx_name = ""

                call_addr = int(call_addr)

                if not call_addr in sym_addrs:
                    hooked = 1

                    sym_name = self._compute_hook_sym_name(visible_mods, hidden_mods, call_addr)
                else:
                    hooked = 0 
                    sym_name = self.profile.get_symbol_by_address("kernel", call_addr)
                
                yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked)