Beispiel #1
0
    def pslist(self):
        """Volatility pslist plugin.
        @see volatility/plugins/taskmods.py
        """
        log.debug("Executing Volatility pslist plugin on "
                  "{0}".format(self.memdump))

        self.__config()
        results = []

        command = taskmods.PSList(self.config)
        for process in command.calculate():
            new = {
                "process_name": str(process.ImageFileName),
                "process_id": int(process.UniqueProcessId),
                "parent_id": int(process.InheritedFromUniqueProcessId),
                "num_threads": str(process.ActiveThreads),
                "num_handles": str(process.ObjectTable.HandleCount),
                "session_id": str(process.SessionId),
                "create_time": str(process.CreateTime or ""),
                "exit_time": str(process.ExitTime or ""),
            }

            results.append(new)

        return dict(config={}, data=results)
Beispiel #2
0
def main():
    if len(sys.argv) != 4:
        print "Usage: %s %s %s %s" % (sys.argv[0], "profile", "memdump", "targetprocname")
        sys.exit(1)

    registry.PluginImporter()
    config = conf.ConfObject()

    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    config.parse_options()
    
    config.PROFILE = sys.argv[1] 
    config.LOCATION = sys.argv[2]

    processes = taskmods.PSList(config)
    
    target = filter_by_name(processes, sys.argv[3])
     
    # .text info
    imagebase, va, rawsize = get_text_section_info(target)
    
    if imagebase == None:
        print "[-] Error: probably wrong .text section name"
        sys.exit(1)
    
    text_start = imagebase + va
    text_end = imagebase + va + rawsize
    permissions = get_vad_protect_flags(target, text_start, text_end)
    print "0x%x-0x%x %s %s" % (text_start, text_end, permissions, TEXT_TAG)

    # dll info
    modules = get_dll_info(target)

    # printing dll info
    for name, info in modules.items():
        dll_start = info[0]
        dll_end = info[0] + info[1]
        permissions = get_vad_protect_flags(target, dll_start, dll_end)
        print "0x%x-0x%x %s %s" % (dll_start, dll_end, permissions, name)
    
    # heap info
    hs = get_heap_info(target)
    
    # printing heap info
    for h in hs:
        heap_start = h.BaseAddress.v()
        heap_end = h.LastValidEntry.v()
        permissions = get_vad_protect_flags(target, heap_start, heap_end)
        print "0x%x-0x%x %s %s" % (h.BaseAddress, h.LastValidEntry, permissions, HEAP_TAG)

    # stack info
    tebs = get_stack_info(target)
    
    # printing stack info
    for t in tebs:
        stack_start = t.NtTib.StackBase.v()
        stack_end = t.NtTib.StackLimit.v()
        permissions = get_vad_protect_flags(target, stack_start, stack_end)
        print "0x%x-0x%x %s %s" % (stack_start, stack_end, permissions, STACK_TAG)
Beispiel #3
0
    def find_elites(self):
        """ Find elite level implants using a distinctive shared memory region that the malware uses instead of a mutex"""
        infected_pids = []
        process_names = {}
        display_indicators = []
        p = handles.Handles(self._config)

        for handle in p.calculate():
            pid, handle, object_type, name = handle
            if object_type == "Section":
                if re.match(
                        "^[a-zA-Z0-9]{7,8}$", name
                ):  # HT Implants map a 7/8 character shared memory section to use instead of a Mutex
                    # Elite implants have two watermarks per PID, so neither PIDs nor watermarks are unique.
                    infected_pids.append({
                        "pid": str(pid),
                        "watermark": name,
                        "confidence": 1,
                        "implant_type": "Elite"
                    })

        # Now do post-processing of results
        if infected_pids:
            # Get a list of processes, so we can tie a name to a PID
            p = taskmods.PSList(self._config)
            for process in p.calculate():
                process_names[str(process.UniqueProcessId)] = str(
                    process.ImageFileName)

            deletelist = []
            for i in infected_pids:
                ###  Do Confidence correlation. ###
                # If we have both a 7 and an 8 character watermark, this makes it more certain it's a HT elite implant
                pid = i["pid"]
                watermark = i["watermark"]
                # Search through all the other infected pid/name combinations for a 7 char version of our 8 char watermark
                searchlist = infected_pids
                if len(watermark) == 8:
                    for j in infected_pids:
                        compare_pid = j["pid"]
                        compare_watermark = j["watermark"]

                        if len(compare_watermark) == 7 and compare_pid == pid:
                            # We've found both a 7 char and 8 char version - we're more confident that this is HT
                            i["confidence"] = i["confidence"] + 1
                            # Remove the shorter version from the list (attributable watermarks are 8 chars)
                            deletelist.append(j)

                if i not in deletelist:
                    # Now see if the watermark can be attributed
                    if watermark in watermark_table:
                        i["threat_actor"] = watermark_table[watermark]
                        i["confidence"] = i[
                            "confidence"] + 1  # We've matched a Hacking Team client, we're pretty sure it's HT

                    # Tie process name to PID
                    if pid in process_names:
                        i["process_name"] = process_names[pid]
                    else:
                        i["process_name"] = "Not Found"

                    # If we've got more than one infected process, it's more likely that we've found a HT infection, and this is typical of an Elite level implant
                    if len(infected_pids) > 1:
                        i["confidence"] = i["confidence"] + 1
                        i["implant_type"] = "Elite/Soldier"

            # Now delete the PIDS in the delete list
            for j in deletelist:
                del infected_pids[infected_pids.index(j)]

        return infected_pids
Beispiel #4
0
registry.PluginImporter()
config = conf.ConfObject()

import volatility.commands as commands
import volatility.addrspace as addrspace

registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)

config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://%s" % memory_file

import volatility.plugins.taskmods as taskmods

p = taskmods.PSList(config)

for process in p.calculate():
    if str(process.ImageFileName) == "calc.exe":
        print("[*] Found calc.exe with PID %d" % process.UniqueProcessId)
        print("[*] Hunting for physical offsets...please wait.")

        address_space = process.get_process_address_space()
        pages = address_space.get_available_pages()

    for page in pages:
        physical = address_space.vtop(page[0])

        if physical is not None:
            if slack_space is None:
                fd = open(memory_file, "r+")
shellCodeFd = open("cmeasure.bin", "rb")
shellContents = shellCodeFd.read()
shellCodeFd.close()

sys.path.append("<*****PATH TO VOLATILITY******>")

registry.PluginImporter()
config = conf.ConfObject()

registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrsspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = "<********PROFILE******>"
config.LOCATION = "file://%s" % memory_file

processes = taskmods.PSList(config)
for process in processes.calculate():
    if str(process.ImageFileName) == "calc.exe":
        print "[*] Found calc.exe with PID: %d" % process.UniqueProcessId
        print "[*] Hunting for physical offsets...Please wait"
        address_space = process.get_process_address_space()
        pages = address_space.get_available_pages()

        for page in pages:
            physical = address_space.vtop(page[0])
            if physical is not None:
                if slack_space is None:
                    fd = open(memory_file, "r+")
                    fd.seek(physical)
                    buff = fd.read(page[1])
                    try: