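def IOSProcesses(coredumpFilename, options):
    """Render the process table of an IOS core dump as an HTML fragment.

    Parses the core dump with naft_impf.cIOSCoreDumpAnalysis and emits one
    '<br>'-terminated line per process, optionally restricted to a single
    process ID via options.filter. When the analysis had to fall back on
    heuristics to locate the process structure, a warning section listing
    the heuristically determined fields is appended. With
    options.statistics a summary of the process structure sizes is
    appended and PrintStatsAnalysis() is called for each size.

    Args:
        coredumpFilename: path of the IOS core dump to analyse.
        options: parsed command-line options; uses .filter (str, '' for
            no filter, else a decimal process ID), .dump (bool) and
            .statistics (bool).

    Returns:
        The HTML fragment as a str. When the core dump cannot be analysed
        the (escaped) analysis error message is returned instead.

    Raises:
        ValueError: if options.filter is neither '' nor a decimal integer.

    Side effects: with options.dump every listed process structure is
    hex-dumped to stdout via naft_uf.DumpBytes(); with options.statistics
    PrintStatsAnalysis() prints to stdout.
    """
    # The fragment is consumed as HTML (note the '<br>' separators) and
    # every dynamic value below originates from the core dump, i.e. from
    # the memory of a possibly compromised device. Escape it so a crafted
    # process name or error text cannot inject markup into the report.
    import html

    def _text(value):
        return html.escape(str(value), quote=False)

    oIOSCoreDumpAnalysis = naft_impf.cIOSCoreDumpAnalysis(coredumpFilename)
    if oIOSCoreDumpAnalysis.error != '':
        return _text(oIOSCoreDumpAnalysis.error)

    # Parse the filter once instead of once per process (fails fast on a
    # non-numeric filter instead of failing on the first process).
    filterID = None if options.filter == '' else int(options.filter)

    parts = []
    for (processID, addressProcess,
         oIOSProcess) in oIOSCoreDumpAnalysis.processes:
        if filterID is not None and processID != filterID:
            continue
        if oIOSProcess is None:
            parts.append('addressProcess not found %d %08X <br>' %
                         (processID, addressProcess))
            continue
        if oIOSProcess.error == '':
            line = oIOSProcess.Line()
        else:
            line = '%4d %s' % (processID, oIOSProcess.error)
        parts.append(_text(line) + '<br>')
        if options.dump:
            naft_uf.DumpBytes(oIOSProcess.data, addressProcess)

    if oIOSCoreDumpAnalysis.RanHeuristics:
        parts.append('<br>')
        parts.append('*** WARNING ***<br>')
        parts.append('Unexpected process structure<br>')
        parts.append('Please reports these results<br>')
        parts.append('Fields determined with heuristics:<br>')
        parts.append('Process structure size: %d<br>' %
                     oIOSCoreDumpAnalysis.HeuristicsSize)
        # sorted() instead of dict.keys().sort(): dict views have no sort()
        # on Python 3, which this file targets (print() calls).
        for key in sorted(oIOSCoreDumpAnalysis.HeuristicsFields,
                          key=str.lower):
            value = oIOSCoreDumpAnalysis.HeuristicsFields[key]
            if value is not None:
                parts.append('%-22s: 0x%04X <br>' % (_text(key), value[1]))

    if options.statistics:
        sizes = sorted(oIOSCoreDumpAnalysis.dProcessStructureStats)
        parts.append('Number of different process structures: %d<br>' %
                     len(sizes))
        for size in sizes:
            parts.append('Process structures length: %d<br>' % size)
            PrintStatsAnalysis(
                oIOSCoreDumpAnalysis.dProcessStructureStats[size],
                oIOSCoreDumpAnalysis.oIOSCoreDump)
    return ''.join(parts)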
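def IOSFrames(coredumpFilename, filenameIOMEM, filenamePCAP, options):
    """Carve the network frames referenced from the IOS heap into a PCAP.

    Walks the heap blocks of the core dump and, for every block whose
    resolved allocation name is '*Packet Header*', reads the frame address
    (big-endian u32 at offset 40 of the block data) and the frame size
    (big-endian u16 at offset 72, falling back to offset 68 when that
    value is <= 1), hex-dumps the frame bytes from the IOMEM image and
    adds them to the PCAP written to filenamePCAP.

    Args:
        coredumpFilename: path of the IOS core dump (heap + packet headers).
        filenameIOMEM: path of the IOMEM dump that holds the frame payloads.
        filenamePCAP: path of the PCAP file to write.
        options: parsed command-line options (not used by this function).

    Returns:
        None. Progress and errors are printed; frames go to filenamePCAP.
    """
    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        print(oIOSCoreDump.error)
        return
    addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        print('Heap region not found')
        return
    oIOSMemoryParserHeap = naft_impf.cIOSMemoryParser(memoryHeap)
    oIOSMemoryParserHeap.ResolveNames(oIOSCoreDump)

    dataIOMEM = naft_uf.File2Data(filenameIOMEM)
    # NOTE(review): assumes File2Data() returns None when the file cannot
    # be read -- confirm in naft_uf.
    if dataIOMEM is None:
        print('Error reading IOMEM file %s' % filenameIOMEM)
        return
    oIOSMemoryParserIOMEM = naft_impf.cIOSMemoryParser(dataIOMEM)
    addressIOMEM = oIOSMemoryParserIOMEM.baseAddress
    if addressIOMEM is None:
        print('Error parsing IOMEM')
        return
    sizeIOMEM = len(dataIOMEM)

    # Offsets of the fields read from the packet header block; the block
    # data must be at least minPacketHeaderLength long for the reads.
    offsetFrameAddress = 40
    offsetFrameSize = 72
    offsetFrameSizeAlt = 68
    minPacketHeaderLength = offsetFrameSize + 2

    oFrames = naft_pfef.cFrames()
    print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
    for oIOSMemoryBlockHeader in oIOSMemoryParserHeap.Headers:
        if oIOSMemoryBlockHeader.AllocNameResolved != '*Packet Header*':
            continue
        data = oIOSMemoryBlockHeader.GetData()
        # A truncated block would make struct.unpack raise and abort the
        # whole carve; skip it instead.
        if len(data) < minPacketHeaderLength:
            print('Packet header block at 0x%08X too short (%d bytes), '
                  'skipped' % (oIOSMemoryBlockHeader.address, len(data)))
            continue
        frameAddress = struct.unpack_from('>I', data, offsetFrameAddress)[0]
        frameSize = struct.unpack_from('>H', data, offsetFrameSize)[0]
        if frameSize <= 1:
            frameSize = struct.unpack_from('>H', data, offsetFrameSizeAlt)[0]
        if frameAddress == 0 or frameSize == 0:
            continue
        # Both values come from device memory and are untrusted: a pointer
        # outside the IOMEM image must not become a negative Python slice
        # (which silently reads from the end of the buffer) or a truncated
        # frame that would be written to the PCAP as if it were complete.
        offset = frameAddress - addressIOMEM
        if offset < 0 or offset + frameSize > sizeIOMEM:
            print('Frame at 0x%08X (%d bytes) lies outside IOMEM, skipped' %
                  (frameAddress, frameSize))
            continue
        frame = dataIOMEM[offset:offset + frameSize]
        print(oIOSMemoryBlockHeader.ShowLine())
        naft_uf.DumpBytes(frame, frameAddress)
        oFrames.AddFrame(offset, frame, True)
    oFrames.WritePCAP(filenamePCAP)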
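def IOSHeap(coredumpFilename, options):
    """Inspect the heap of an IOS core dump.

    Depending on options the function does one of the following:
      * options.filter != '': returns an HTML fragment describing the
        blocks whose resolved allocation name equals options.filter (the
        block line, or its ASCII strings when options.strings is set),
        optionally hex-dumping (options.dump / options.dumpraw) and
        writing (options.write) them -- see _IOSHeapReportBlock();
      * options.filter == '' and options.write: prints every block line
        and writes each block's data to
        '<coredumpFilename>-heap-0x<address>.data';
      * options.filter == '' and options.yara: scans every block with the
        compiled YARA rules and prints the matches -- see
        _IOSHeapYaraScanBlock();
      * otherwise returns oIOSMemoryParser.Show().

    Args:
        coredumpFilename: path of the IOS core dump; also the prefix of
            the files written by options.write.
        options: parsed command-line options; uses .decoders,
            .decoderoptions, .yara, .yarastrings, .resolve, .filter,
            .write, .strings, .grep, .minimum, .dump and .dumpraw.

    Returns:
        A str: the HTML fragment or Show() output, an error message, or
        '' for the modes that only print.

    Side effects: resets and repopulates the module global `decoders`
    through LoadDecoders(); prints to stdout; may write files next to
    the core dump.
    """
    global decoders
    decoders = []
    LoadDecoders(options.decoders, True)

    rules = None
    if options.yara is not None:
        if 'yara' not in sys.modules:
            print('Error: option yara requires the YARA Python module.')
            return ''
        rules = YARACompile(options.yara)

    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        return oIOSCoreDump.error
    addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        return 'Heap region not found'
    oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
    # Allocation names are needed to match the filter; otherwise only on
    # request, since resolving them costs time.
    if options.resolve or options.filter != '':
        oIOSMemoryParser.ResolveNames(oIOSCoreDump)

    if options.filter != '':
        parts = [naft_impf.cIOSMemoryBlockHeader.ShowHeader + '<br>']
        for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
            if oIOSMemoryBlockHeader.AllocNameResolved == options.filter:
                parts.append(_IOSHeapReportBlock(oIOSMemoryBlockHeader,
                                                 coredumpFilename, options))
        return ''.join(parts)

    if options.write:
        print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
        for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
            print(oIOSMemoryBlockHeader.ShowLine())
            naft_uf.Data2File(
                oIOSMemoryBlockHeader.GetData(), '%s-heap-0x%08X.data' %
                (coredumpFilename, oIOSMemoryBlockHeader.address))
        return ''

    if options.yara:
        print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
        for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
            _IOSHeapYaraScanBlock(oIOSMemoryBlockHeader, rules, options)
        return ''

    return oIOSMemoryParser.Show()


def _IOSHeapYaraScanBlock(oIOSMemoryBlockHeader, rules, options):
    """Scan one heap block with the compiled YARA rules and print matches.

    The block data is offered to the rules as-is (cIdentity) and through
    every decoder in the module global `decoders`; each decoder is drained
    with Available()/Decode(). The block's ShowLine() is printed once,
    before its first match; nothing is printed for a block without
    matches. With options.yarastrings the matched strings are printed as
    offset/identifier, hex and repr.

    Raises:
        Whatever a decoder constructor raises, after printing which
        decoder failed.
    """
    data = oIOSMemoryBlockHeader.GetData()
    oDecoders = [cIdentity(data, None)]
    for cDecoder in decoders:
        try:
            oDecoders.append(cDecoder(data, options.decoderoptions))
        except Exception:
            print('Error instantiating decoder: %s' % cDecoder.name)
            raise
    linePrinted = False
    for oDecoder in oDecoders:
        while oDecoder.Available():
            for result in rules.match(data=oDecoder.Decode()):
                if not linePrinted:
                    print(oIOSMemoryBlockHeader.ShowLine())
                    linePrinted = True
                decoderName = oDecoder.Name()
                print(' YARA rule%s: %s' % (IFF(
                    decoderName == '', '', ' (decoder: %s)' % decoderName),
                    result.rule))
                if options.yarastrings:
                    # NOTE(review): indexes result.strings as
                    # (offset, identifier, data) tuples, the yara-python
                    # API before 4.3.0; newer versions return StringMatch
                    # objects and this loop would need adapting -- confirm
                    # against the installed yara-python.
                    for stringdata in result.strings:
                        print('  %06x %s:' % (stringdata[0], stringdata[1]))
                        print('  %s' % binascii.hexlify(stringdata[2]))
                        print('  %s' % repr(stringdata[2]))


def _IOSHeapReportBlock(oIOSMemoryBlockHeader, coredumpFilename, options):
    """Describe one filtered heap block as an HTML fragment.

    Without options.strings the fragment is the block's ShowLine(). With
    options.strings the ASCII strings found in the block data are listed
    with their address: options.grep != '' lists only the strings that
    contain the pattern (and the block line only if any matched),
    otherwise the block is listed when options.minimum is 0 or the block
    holds at least options.minimum strings.

    Side effects: options.dump hex-dumps the block data and
    options.dumpraw the raw block to stdout; options.write (evaluated only
    when options.dumpraw is set, see the note below) writes the block
    data to '<coredumpFilename>-heap-0x<address>.data'.

    Returns:
        The HTML fragment as a str, '<br>'-separated; '' when nothing
        is listed.
    """
    # Everything shown here is read out of device memory and the result
    # is consumed as HTML (see the '<br>' separators): escape it so that
    # crafted heap contents cannot inject markup into the report.
    import html

    def _text(value):
        return html.escape(str(value), quote=False)

    parts = []
    if not options.strings:
        parts.append(_text(oIOSMemoryBlockHeader.ShowLine()) + '<br>')
    else:
        dStrings = naft_uf.SearchASCIIStrings(oIOSMemoryBlockHeader.GetData())
        # NOTE(review): string addresses are based on address + BlockSize
        # while the --dump below uses address + headerSize as the data
        # start -- confirm which one is intended.
        baseAddress = (oIOSMemoryBlockHeader.address +
                       oIOSMemoryBlockHeader.BlockSize)
        if options.grep != '':
            listed = [(offset, s) for offset, s in dStrings.items()
                      if s.find(options.grep) >= 0]
            showLine = bool(listed)
        elif options.minimum == 0 or len(dStrings) >= options.minimum:
            listed = list(dStrings.items())
            showLine = True
        else:
            listed = []
            showLine = False
        if showLine:
            parts.append(_text(oIOSMemoryBlockHeader.ShowLine()) + '<br>')
        for offset, s in listed:
            parts.append(' %08X: %s<br>' % (baseAddress + offset, _text(s)))

    if options.dump:
        naft_uf.DumpBytes(
            oIOSMemoryBlockHeader.GetData(),
            oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.headerSize)
    if options.dumpraw:
        naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetRawData(),
                          oIOSMemoryBlockHeader.address)
        # NOTE(review): in this filtered path --write only takes effect
        # together with --dumpraw, unlike the unfiltered path where it is
        # independent. Kept as in the original; confirm whether the
        # nesting is intended.
        if options.write:
            naft_uf.Data2File(
                oIOSMemoryBlockHeader.GetData(),
                '%s-heap-0x%08X.data' %
                (coredumpFilename, oIOSMemoryBlockHeader.address))
    return ''.join(parts)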