def gdb_write_thread_register(thread_id, thread_list, gdb_register_index, buf):
'''
Given a GDB register index, write the provided value. Obtain
the value either from the running CPU or the saved KTRAP_FRAME.
NOTE: Not all registers are supported, if so, 0's are returned.
'''
from utils import ConfigurationManager as conf_m
from api import r_cpu
from cpus import RT_SEGMENT
from cpus import RT_REGULAR
if conf_m.platform == "i386-softmmu":
from cpus import gdb_map_i386_softmmu as gdb_map
elif conf_m.platform == "x86_64-softmmu":
from cpus import gdb_map_x86_64_softmmu as gdb_map
else:
raise NotImplementedError(
"[gdb_write_thread_register] Architecture not supported yet")
# If it is not mapped to a CPU register or KTRAP_FRAME value,
# we just return 0s.
if gdb_register_index not in gdb_map:
return 0
else:
str_size = gdb_map[gdb_register_index][2]
cpu_index = None
thread = None
# First, check if we can read the register from the CPU object
for element in thread_list:
if element['id'] == thread_id:
cpu_index = element['running']
thread = element
break
if thread is None:
return None
if cpu_index is not None:
val = str_to_val(buf, str_size)
w_r(cpu_index, gdb_map[gdb_register_index][0], val)
return str_size
# If the thread is not running, read it from the KTRAP_FRAME
else:
if os_family == OS_FAMILY_WIN:
from windows_vmi import win_read_thread_register_from_ktrap_frame
try:
bytes_written = win_write_thread_register_in_ktrap_frame(
thread, gdb_map[gdb_register_index][1], buf, str_size)
except Exception as e:
pp_debug(
"Exception after win_write_thread_register_in_ktrap_frame: "
+ str(e))
if bytes_written < 0:
bytes_written = 0
return bytes_written
elif os_family == OS_FAMILY_LINUX:
raise NotImplementedError(
"gdb_write_thread_register not implemented yet on Linux guests"
)
def ntmapviewofsection_ret(params, cm, callback_name, mapped_sec, mapping_proc,
base_p, size_p, offset_p, proc, update_vads,
long_size):
from core import SectionMap
import api
global interproc_data
global interproc_config
TARGET_LONG_SIZE = api.get_os_bits() / 8
cpu_index = params["cpu_index"]
cpu = params["cpu"]
pgd = api.get_running_process(cpu_index)
# First, remove callback
cm.rm_callback(callback_name)
if base_p != 0:
base = dereference_target_long(base_p, pgd, long_size)
else:
base = 0
if size_p != 0:
size = dereference_target_long(size_p, pgd, long_size)
else:
size = 0
# Offset is always 8 bytes
if offset_p != 0:
try:
offset = struct.unpack("Q", api.r_va(pgd, offset_p, 8))[0]
except:
offset = 0
pp_debug(
"Could not dereference offset in NtMapViewOfSection return, in interproc_callbacks.py\n"
)
else:
offset = 0
mapping_proc.add_section_map(
SectionMap(mapped_sec, pgd, base, size, offset))
if interproc_config.interproc_text_log and interproc_config.interproc_text_log_handle is not None:
f = interproc_config.interproc_text_log_handle
if TARGET_LONG_SIZE == 4:
f.write(
"[PID: %08x] NtMapViewOfSection: Base: %08x Size: %08x Offset: %08x / Section: %s\n"
% (proc.get_pid(), base, size, offset,
mapped_sec.get_backing_file()))
elif TARGET_LONG_SIZE == 8:
f.write(
"[PID: %08x] NtMapViewOfSection: Base: %16x Size: %16x Offset: %08x / Section: %s\n"
% (proc.get_pid(), base, size, offset,
mapped_sec.get_backing_file()))
if update_vads:
proc.update_vads()
def gdb_set_cpu_pc(thread_id, thread_list, val):
''' Set cpu PC '''
if conf_m.platform == "i386-softmmu":
from cpus import gdb_map_i386_softmmu as gdb_map
gdb_register_index = 8
elif conf_m.platform == "x86_64-softmmu":
from cpus import gdb_map_x86_64_softmmu as gdb_map
gdb_register_index = 16
else:
raise NotImplementedError(
"[gdb_write_thread_register] Architecture not supported yet")
# If it is not mapped to a CPU register or KTRAP_FRAME value,
# we just return 0s.
if gdb_register_index not in gdb_map:
return 0
else:
str_size = gdb_map[gdb_register_index][2]
cpu_index = None
thread = None
# First, check if we can read the register from the CPU object
for element in thread_list:
if element['id'] == thread_id:
cpu_index = element['running']
thread = element
break
if thread is None:
return None
if cpu_index is not None:
w_r(cpu_index, gdb_map[gdb_register_index][0], val)
return str_size
# If the thread is not running, read it from the KTRAP_FRAME
else:
if os_family == OS_FAMILY_WIN:
from windows_vmi import win_read_thread_register_from_ktrap_frame
try:
bytes_written = win_write_thread_register_in_ktrap_frame(
thread, gdb_map[gdb_register_index][1],
val_to_str(val, str_size), str_size)
except Exception as e:
pp_debug(
"Exception after win_write_thread_register_in_ktrap_frame: "
+ str(e))
if bytes_written < 0:
bytes_written = 0
return bytes_written
elif os_family == OS_FAMILY_LINUX:
raise NotImplementedError(
"gdb_set_cpu_pc not implemented yet on Linux guests")
def init_plugins():
try:
pp_debug("[*] Initializing scripts...\n")
# Locate python modules that should be loaded by default
for (module, enable) in conf_m.config.items("MODULES"):
if enable.strip().lower() == "true" or enable.strip().lower() == "yes":
import_module(module)
pp_debug("[*] Finished python module initialization\n")
return True
except Exception as e:
# Do this to make sure we print the stack trace to help trouble-shooting
traceback.print_exc()
raise e
def init_plugins():
try:
pp_debug("[*] Initializing scripts...\n")
# Locate python modules that should be loaded by default
for (module, enable) in conf_m.config.items("MODULES"):
if enable.strip().lower() == "true" or enable.strip().lower() == "yes":
import_module(module)
pp_debug("[*] Finished python module initialization\n")
return True
except Exception as e:
# Do this to make sure we print the stack trace to help trouble-shooting
traceback.print_exc()
raise e
def dereference_target_long(addr, pgd, long_size):
import api
typ = "<I" if long_size == 4 else "<Q"
try:
buff = api.r_va(pgd, addr, long_size)
except:
buff = "\x00" * long_size
pp_debug("Could not dereference TARGET_LONG in interproc_callbacks.py")
if len(buff) == 0:
pp_warning(
"[interproc_callbacks.py:dereference_target_long] Error while dereferencing parameter with address %x"
% addr)
return 0
return struct.unpack(typ, buff)[0]
def interproc_start_monitoring_process(params):
'''
Given a Process instance, do the magic
to start monitoring the process for the
interproc module
'''
global cm
global interproc_data
import api
from core import Process
from api import CallbackManager
# Get parameters
pid = params["pid"]
pgd = params["pgd"]
name = params["name"]
proc = Process(name)
proc.set_pgd(pgd)
proc.set_pid(pid)
# Append process to process list
interproc_data.add_process(proc)
# add_module, for every module loaded so far for this process. Because
# this function might be triggered by a call to NtOpenProcess over
# an already existing process
try:
for mod in api.get_module_list(pgd):
add_module(proc, {"pid": pid,
"pgd": pgd,
"base": mod["base"],
"size": mod["size"],
"name": mod["name"],
"fullname": mod["fullname"]})
# Callback for each module loaded
cm.add_callback(CallbackManager.LOADMODULE_CB,
functools.partial(module_loaded, proc),
pgd = pgd,
name = ("load_module_%x" % pgd))
except ValueError:
# Could happen that the process is still not on the list of
# created processes
pp_debug("Process still not in the list of created processes, setting CB on TLB exec.\n")
cm.add_callback(CallbackManager.TLB_EXEC_CB, functools.partial(tlb_exec, proc), name=("tlb_exec_%d" % pgd))
def init(platform, root_path, volatility_path):
global conf
try:
# Just configure basic logging
import logging
logging.basicConfig()
# Initialize stuff
pp_debug("[*] Platform: %s\n" % platform)
pp_debug("[*] Starting python module initialization\n")
pp_debug("[*] Reading configuration\n")
sys.settrace
config = ConfigParser.RawConfigParser()
if not os.path.isfile("pyrebox.conf"):
pp_error(
"[!] Could not initialize pyrebox, pyrebox.conf file missing!\n"
)
return None
config.read('pyrebox.conf')
vol_profile = config.get('VOL', 'profile')
conf = ConfigManager(volatility_path=volatility_path,
vol_profile=vol_profile,
platform=platform)
sys.path.append(conf.volatility_path)
sys.path.append(root_path)
sys.path.append(os.getcwd())
# Set global configuration
conf_m.conf = conf
if not init_volatility(conf_m.conf):
return None
# Initialize the shell now
from ipython_shell import initialize_shell
initialize_shell()
# Locate python modules that should be loaded by default
for (module, enable) in config.items("MODULES"):
if enable.strip().lower() == "true" or enable.strip().lower(
) == "yes":
import_module(module)
pp_debug("[*] Finished python module initialization\n")
return vol_profile
except Exception as e:
# Do this to make sure we print the stack trace to help trouble-shooting
traceback.print_exc()
raise e
def init(platform, root_path, volatility_path, conf_name):
try:
# Just configure basic logging
import logging
logging.basicConfig()
# Initialize stuff
pp_debug("[*] Platform: %s\n" % platform)
pp_debug("[*] Starting python module initialization\n")
pp_debug("[*] Reading configuration from '%s'\n" % (conf_name))
sys.settrace
config = ConfigParser.RawConfigParser()
# Store configuration information in raw,
# for plugins to be able to fetch it
conf_m.config = config
if not os.path.isfile(conf_name):
pp_error("[!] Could not initialize pyrebox, conf file '%s' missing!\n" % (conf_name))
return None
config.read(conf_name)
vol_profile = config.get('VOL', 'profile')
# Set global configuration
conf_m.volatility_path = volatility_path
conf_m.vol_profile = vol_profile
conf_m.platform = platform
conf_m.pyre_root = root_path
if platform == "x86_64-softmmu":
conf_m.bitness = 64
conf_m.endianess = "l"
elif platform == "i386-softmmu":
conf_m.bitness = 32
conf_m.endianess = "l"
sys.path.append(volatility_path)
sys.path.append(root_path)
sys.path.append(os.getcwd())
if not init_volatility():
return None
# Initialize the shell now
from ipython_shell import initialize_shell
initialize_shell()
# Initialize the symbol cache from the file
if config.has_option('SYMBOL_CACHE', 'path'):
from vmi import load_symbols_from_cache_file
from vmi import set_symbol_cache_path
set_symbol_cache_path(config.get('SYMBOL_CACHE', 'path'))
load_symbols_from_cache_file()
return vol_profile
except Exception as e:
# Do this to make sure we print the stack trace to help trouble-shooting
traceback.print_exc()
raise e
def init(platform, root_path, volatility_path, conf_name):
try:
# Just configure basic logging
import logging
logging.basicConfig()
# Initialize stuff
pp_debug("[*] Platform: %s\n" % platform)
pp_debug("[*] Starting python module initialization\n")
pp_debug("[*] Reading configuration from '%s'\n" % (conf_name))
sys.settrace
config = ConfigParser.RawConfigParser()
# Store configuration information in raw,
# for plugins to be able to fetch it
conf_m.config = config
if not os.path.isfile(conf_name):
pp_error(
"[!] Could not initialize pyrebox, conf file '%s' missing!\n" %
(conf_name))
return None
config.read(conf_name)
vol_profile = config.get('VOL', 'profile')
# Set global configuration
conf_m.volatility_path = volatility_path
conf_m.vol_profile = vol_profile
conf_m.platform = platform
conf_m.pyre_root = root_path
sys.path.append(volatility_path)
sys.path.append(root_path)
sys.path.append(os.getcwd())
if not init_volatility():
return None
# Initialize the shell now
from ipython_shell import initialize_shell
initialize_shell()
return vol_profile
except Exception as e:
# Do this to make sure we print the stack trace to help trouble-shooting
traceback.print_exc()
raise e
def init(platform, root_path, volatility_path, conf_name):
try:
# Just configure basic logging
import logging
logging.basicConfig()
# Initialize stuff
pp_debug("[*] Platform: %s\n" % platform)
pp_debug("[*] Starting python module initialization\n")
pp_debug("[*] Reading configuration from '%s'\n" % (conf_name))
sys.settrace
config = ConfigParser.RawConfigParser()
# Store configuration information in raw,
# for plugins to be able to fetch it
conf_m.config = config
if not os.path.isfile(conf_name):
pp_error("[!] Could not initialize pyrebox, conf file '%s' missing!\n" % (conf_name))
return None
config.read(conf_name)
vol_profile = config.get('VOL', 'profile')
# Set global configuration
conf_m.volatility_path = volatility_path
conf_m.vol_profile = vol_profile
conf_m.platform = platform
sys.path.append(volatility_path)
sys.path.append(root_path)
sys.path.append(os.getcwd())
if not init_volatility():
return None
# Initialize the shell now
from ipython_shell import initialize_shell
initialize_shell()
return vol_profile
except Exception as e:
# Do this to make sure we print the stack trace to help trouble-shooting
traceback.print_exc()
raise e
# Initialize the shell now
from ipython_shell import initialize_shell
initialize_shell()
return vol_profile
except Exception as e:
# Do this to make sure we print the stack trace to help trouble-shooting
traceback.print_exc()
raise e
def init_plugins():
try:
pp_debug("[*] Initializing scripts...\n")
# Locate python modules that should be loaded by default
for (module, enable) in conf_m.config.items("MODULES"):
if enable.strip().lower() == "true" or enable.strip().lower() == "yes":
import_module(module)
pp_debug("[*] Finished python module initialization\n")
return True
except Exception as e:
# Do this to make sure we print the stack trace to help trouble-shooting
traceback.print_exc()
raise e
if __name__ == "__main__":
pp_debug("\n[*] Loading python component initialization script\n")
def ntreadfile(params, cm, proc, update_vads, long_size, is_write=False):
import volatility.win32.tasks as tasks
from core import FileRead
from core import FileWrite
from core import File
from utils import get_addr_space
import api
TARGET_LONG_SIZE = api.get_os_bits() / 8
global interproc_data
global interproc_config
cpu_index = params["cpu_index"]
cpu = params["cpu"]
# IN HANDLE FileHandle,
# IN HANDLE Event OPTIONAL,
# IN PIO_APC_ROUTINE ApcRoutine OPTIONAL,
# IN PVOID ApcContext OPTIONAL,
# OUT PIO_STATUS_BLOCK IoStatusBlock,
# OUT PVOID Buffer,
# IN ULONG Length,
# IN PLARGE_INTEGER ByteOffset OPTIONAL,
# IN PULONG Key OPTIONAL
pgd = api.get_running_process(cpu_index)
# Read the parameters
ret_addr, file_handle, arg2, arg3, arg4, arg5, buff, length, offset_p, arg9 = read_parameters(
cpu, 9, long_size)
# Load volatility address space
addr_space = get_addr_space(pgd)
# Get list of processes, and filter out by the process that triggered the
# call (current process id)
eprocs = [
t for t in tasks.pslist(addr_space)
if t.UniqueProcessId == proc.get_pid()
]
# Initialize file_obj, that will point to the object of the referenced file
file_obj = None
# Search handle table for the new created process
for task in eprocs:
if task.UniqueProcessId == proc.get_pid(
) and task.ObjectTable.HandleTableList:
for handle in task.ObjectTable.handles():
if handle.is_valid(
) and handle.HandleValue == file_handle and handle.get_object_type(
) == "File":
file_obj = handle.dereference_as("_FILE_OBJECT")
break
break
if file_obj is not None:
file_instance = interproc_data.get_file_by_file_name(
str(file_obj.FileName))
# If we have still not recorded the file, add it to files to record
if file_instance is None:
file_instance = File(str(file_obj.FileName))
interproc_data.add_file(file_instance)
# Now, record the read/write
# curr_file_offset is never used
# curr_file_offset = int(file_obj.CurrentByteOffset.QuadPart)
# FO_SYNCHRONOUS_IO 0x0000002
is_offset_maintained = ((file_obj.Flags & 0x0000002) != 0)
# If no offset was specified, and the offset is mantained, the real
# offset is taken from the file object
offset = None
if offset_p == 0 and is_offset_maintained:
offset = int(file_obj.CurrentByteOffset.QuadPart)
elif offset_p != 0:
# If an offset is provided, the current offset in the file_object
# will be updated, regardless of the flag.
try:
offset = struct.unpack("Q", api.r_va(pgd, offset_p, 8))[0]
except:
offset = 0
pp_debug(
"Could not dereference offset in NtReadFile call in interproc_callbacks.py\n"
)
else:
# If no offset was specified and the file object does not have the flag set, we may be in front of some kind
# of corruption error or deliberate manipulation
pp_debug(
"[!] The file object flag FO_SYNCHRONOUS_IO is not set, and no offset was provided\n"
)
return
# At this moment we do not record the data
op = None
local_proc = proc
if not is_write:
op = FileRead(file_instance, local_proc, buff, offset, length,
None)
if interproc_config.interproc_text_log and interproc_config.interproc_text_log_handle is not None:
f = interproc_config.interproc_text_log_handle
if TARGET_LONG_SIZE == 4:
f.write(
"[PID: %08x] NtReadFile: Offset: %08x Size: %08x / %s\n"
% (proc.get_pid(), offset, length,
str(file_obj.FileName)))
elif TARGET_LONG_SIZE == 8:
f.write(
"[PID: %08x] NtReadFile: Offset: %16x Size: %16x / %s\n"
% (proc.get_pid(), offset, length,
str(file_obj.FileName)))
else:
op = FileWrite(file_instance, local_proc, buff, offset, length,
None)
if interproc_config.interproc_text_log and interproc_config.interproc_text_log_handle is not None:
f = interproc_config.interproc_text_log_handle
if TARGET_LONG_SIZE == 4:
f.write(
"[PID: %08x] NtWriteFile: Offset: %08x Size: %08x / %s\n"
% (proc.get_pid(), offset, length,
str(file_obj.FileName)))
elif TARGET_LONG_SIZE == 8:
f.write(
"[PID: %08x] NtWriteFile: Offset: %16x Size: %16x / %s\n"
% (proc.get_pid(), offset, length,
str(file_obj.FileName)))
file_instance.add_operation(op)
local_proc.add_file_operation(op)
if update_vads:
proc.update_vads()
def ntwritevirtualmemory(params,
cm,
proc,
update_vads,
long_size,
reverse=False):
import volatility.win32.tasks as tasks
from core import Injection
import api
from utils import get_addr_space
global interproc_data
global interproc_config
TARGET_LONG_SIZE = api.get_os_bits() / 8
cpu_index = params["cpu_index"]
cpu = params["cpu"]
# _In_ HANDLE ProcessHandle,
# _In_ PVOID BaseAddress,
# _In_ PVOID Buffer,
# _In_ SIZE_T NumberOfBytesToWrite,
# _Out_opt_ PSIZE_T NumberOfBytesWritten
pgd = api.get_running_process(cpu_index)
# Read the parameters
ret_addr, proc_hdl, remote_addr, local_addr, size, size_out = read_parameters(
cpu, 5, long_size)
local_proc = proc
# Try to get remote process from list of monitored processes
remote_proc = None
# Load volatility address space
addr_space = get_addr_space(pgd)
# Get list of processes, and filter out by the process that triggered the
# call (current process id)
eprocs = [
t for t in tasks.pslist(addr_space)
if t.UniqueProcessId == proc.get_pid()
]
# Initialize proc_obj, that will point to the eprocess of the new created
# process
proc_obj = None
# Search handle table for the new created process
for task in eprocs:
if task.UniqueProcessId == proc.get_pid(
) and task.ObjectTable.HandleTableList:
for handle in task.ObjectTable.handles():
if handle.is_valid(
) and handle.HandleValue == proc_hdl and handle.get_object_type(
) == "Process":
proc_obj = handle.dereference_as("_EPROCESS")
break
break
if proc_obj is not None:
remote_proc = interproc_data.get_process_by_pid(
int(proc_obj.UniqueProcessId))
else:
# Sometimes we get calls to this function over non-proc handles (e.g. type "Desktop")
return
if remote_proc is None:
pp_debug("[!] Could not obtain remote proc, or it is not monitored\n")
return
elif local_proc is None:
pp_debug("[!] Could not obtain local proc, or it is not monitored\n")
return
else:
if reverse:
data = None
if interproc_config.interproc_text_log and interproc_config.interproc_text_log_handle is not None:
f = interproc_config.interproc_text_log_handle
if TARGET_LONG_SIZE == 4:
f.write(
"[PID: %08x] NtReadVirtualMemory: PID: %x - Addr: %08x <-- PID: %x Addr: %08x / Size: %08x\n"
% (proc.get_pid(), local_proc.get_pid(), local_addr,
remote_proc.get_pid(), remote_addr, size))
elif TARGET_LONG_SIZE == 8:
f.write(
"[PID: %08x] NtReadVirtualMemory: PID: %x - Addr: %16x <-- PID: %x Addr: %16x / Size: %16x\n"
% (proc.get_pid(), local_proc.get_pid(), local_addr,
remote_proc.get_pid(), remote_addr, size))
else:
data = None
if interproc_config.interproc_text_log and interproc_config.interproc_text_log_handle is not None:
f = interproc_config.interproc_text_log_handle
if TARGET_LONG_SIZE == 4:
f.write(
"[PID: %08x] NtWriteVirtualMemory: PID: %x - Addr: %08x --> PID: %x Addr: %08x / Size: %08x\n"
% (proc.get_pid(), local_proc.get_pid(), local_addr,
remote_proc.get_pid(), remote_addr, size))
elif TARGET_LONG_SIZE == 8:
f.write(
"[PID: %08x] NtWriteVirtualMemory: PID: %x - Addr: %16x --> PID: %x Addr: %16x / Size: %16x\n"
% (proc.get_pid(), local_proc.get_pid(), local_addr,
remote_proc.get_pid(), remote_addr, size))
inj = Injection(remote_proc, remote_addr, local_proc, local_addr, size,
data, reverse)
local_proc.add_injection(inj)
if update_vads:
proc.update_vads()
def windows_insert_module_internal(
p_pid,
p_pgd,
base,
size,
fullname,
basename,
checksum,
update_symbols,
do_stop = False):
from utils import get_addr_space
from vmi import add_symbols
from vmi import get_symbols
from vmi import has_symbols
from vmi import Module
from vmi import add_module
from vmi import get_module
from vmi import has_module
from api_internal import dispatch_module_load_callback
from api_internal import dispatch_module_remove_callback
import pefile
import api
global filesystem
global symbol_cache_must_be_saved
if fullname.startswith("\\??\\"):
fullname = fullname[4:]
if fullname.upper().startswith("C:\\"):
fullname = fullname[3:]
if fullname.upper().startswith("\\SYSTEMROOT"):
fullname = "\WINDOWS" + fullname[11:]
fullname = fullname.replace("\\", "/")
if fullname[-4:].upper() == ".SYS" and not "/" in fullname:
fullname = "/WINDOWS/system32/DRIVERS/" + fullname
fullname = fullname.lower()
mod = Module(base, size, p_pid, p_pgd, checksum, basename, fullname)
# First, we try to get the symbols from the cache
if fullname != "" and has_symbols(fullname):
mod.set_symbols(get_symbols(fullname))
# If we are updating symbols (a simple module retrieval would
# not require symbol extraction), and we don't have any
# symbols on the cache:
elif fullname != "" and update_symbols:
pp_debug("Symbols not found in cache, extracting from %s...\n" % fullname)
unnamed_function_counter = 0
syms = {}
# Here, fetch the file using the sleuthkit, and use
# PE file to process it
# First select the file system if not selected already
if filesystem is None:
for fs in api.get_filesystems():
file_list = api.open_guest_path(fs["index"], "")
if isinstance(file_list, list) and len(file_list) > 0:
if "windows" in [f.lower() for f in file_list]:
filesystem = fs
if filesystem is not None:
# Try to read the file
f = None
try:
f = api.open_guest_path(filesystem["index"], fullname)
except Exception as e:
pp_error("%s - %s\n" % (str(e), fullname))
if f is not None:
data = f.read()
pe = pefile.PE(data=data)
if hasattr(pe, "DIRECTORY_ENTRY_EXPORT"):
for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
if exp.name is not None:
syms[exp.name] = exp.address
else:
syms["unnamed_funcion_%d" % unnamed_function_counter] = exp.address
unnamed_function_counter += 1
add_symbols(fullname, syms)
mod.set_symbols(syms)
# Even if it is empty, the module symbols are set
# to an empty list, and thus are 'resolved'.
# Anyway, in future updates, they could be resolved,
# as we allow this in the first condition.
symbol_cache_must_be_saved = True
#Module load/del notification
if has_module(p_pid, p_pgd, base):
ex_mod = get_module(p_pid, p_pgd, base)
# Module replacement, only if it is a different module, and also
# take into consideration wow64 redirection. Never substitute the
# wow64 version by the system32 version of the same dll
if (ex_mod.get_fullname().lower() != fullname.lower()) and not ((ex_mod.get_name().lower() == basename.lower()) and ("windows/syswow64".lower() in ex_mod.get_fullname().lower()) and ("windows/system32" in fullname.lower())):
# Notify of module deletion and module load
dispatch_module_remove_callback(p_pid, p_pgd, base,
ex_mod.get_size(),
ex_mod.get_name(),
ex_mod.get_fullname())
add_module(p_pid, p_pgd, base, mod)
mod.set_present()
dispatch_module_load_callback(p_pid, p_pgd, base, size, basename, fullname)
# If we updated the symbols and have a bigger list now, dont substitute the module
# but update its symbols instead
elif len(mod.get_symbols()) > len(ex_mod.get_symbols()):
ex_mod.set_symbols(mod.get_symbols())
# In any case, mark as present
ex_mod.set_present()
else:
# Just notify of module load
add_module(p_pid, p_pgd, base, mod)
# Mark the module as present
mod.set_present()
dispatch_module_load_callback(p_pid, p_pgd, base, size, basename, fullname)
def gdb_read_thread_register(thread_id, thread_list, gdb_register_index):
'''
Given a GDB register index, return an str with its value. Obtain
the value either from the running CPU or the saved KTRAP_FRAME.
NOTE: Not all registers are supported, if so, 0's are returned.
'''
from utils import ConfigurationManager as conf_m
from api import r_cpu
from cpus import RT_SEGMENT
from cpus import RT_REGULAR
if conf_m.platform == "i386-softmmu":
from cpus import gdb_map_i386_softmmu as gdb_map
elif conf_m.platform == "x86_64-softmmu":
from cpus import gdb_map_x86_64_softmmu as gdb_map
else:
raise NotImplementedError(
"[gdb_read_thread_register] Architecture not supported yet")
# If it is not mapped to a CPU register or KTRAP_FRAME value,
# we just return 0s.
if gdb_register_index not in gdb_map:
return "\0" * (conf_m.bitness / 8)
else:
str_size = gdb_map[gdb_register_index][2]
cpu_index = None
thread = None
some_thread_running = False
# First, check if we can read the register from the CPU object
for element in thread_list:
if element['id'] == thread_id:
thread = element
cpu_index = element['running']
if cpu_index:
some_thread_running = True
if thread is None:
return None
if cpu_index is None and not some_thread_running:
cpu_index = 0
if cpu_index is not None:
cpu = r_cpu(cpu_index)
val = 0
try:
if gdb_map[gdb_register_index][3] == RT_SEGMENT:
val = getattr(cpu, gdb_map[gdb_register_index][0])['base']
else:
val = getattr(cpu, gdb_map[gdb_register_index][0])
except:
val = 0
if val == -1:
val = 0
return val_to_str(val, str_size)
# If the thread is not running, read it from the KTRAP_FRAME
else:
if os_family == OS_FAMILY_WIN:
from windows_vmi import win_read_thread_register_from_ktrap_frame
val = 0
try:
val = win_read_thread_register_from_ktrap_frame(
thread, gdb_map[gdb_register_index][1])
except Exception as e:
pp_debug(
"Exception after win_read_thread_register_from_ktrap_frame: "
+ str(e))
if val == -1:
val = 0
return val_to_str(val, str_size)
elif os_family == OS_FAMILY_LINUX:
raise NotImplementedError(
"gdb_read_thread_register not implemented yet on Linux guests")
pp_error("[!] Could not initialize pyrebox, pyrebox.conf file missing!\n")
return None
config.read('pyrebox.conf')
vol_profile = config.get('VOL', 'profile')
conf = ConfigManager(
volatility_path=volatility_path,
vol_profile=vol_profile,
platform=platform)
sys.path.append(conf.volatility_path)
sys.path.append(root_path)
sys.path.append(os.getcwd())
# Set global configuration
conf_m.conf = conf
init_volatility(conf_m.conf)
# Initialize the shell now
from ipython_shell import initialize_shell
initialize_shell()
# Locate python modules that should be loaded by default
for (module, enable) in config.items("MODULES"):
if enable.strip().lower() == "true" or enable.strip().lower() == "yes":
import_module(module)
pp_debug("[*] Finished python module initialization\n")
return vol_profile
if __name__ == "__main__":
pp_debug("\n[*] Loading python component initialization script\n")
def read_parameters(cpu, num_params, long_size):
'''
Reads parameters from the registers/stack
'''
import api
TARGET_LONG_SIZE = api.get_os_bits() / 8
if long_size == 4:
# All the parameters are on the stack
# We need to read num_params values + the return address
try:
if TARGET_LONG_SIZE == 4:
buff = api.r_va(cpu.CR3, cpu.ESP, (num_params + 1) * 4)
else:
buff = api.r_va(cpu.CR3, cpu.RSP, (num_params + 1) * 4)
except:
buff = "\x00" * ((num_params + 1) * 4)
if TARGET_LONG_SIZE == 4:
pp_debug(
"Could not read properly the parameters in interproc_callbacks.py at address %x - size %x"
% (cpu.ESP, (num_params + 1) * 4))
else:
pp_debug(
"Could not read properly the parameters in interproc_callbacks.py at address %x - size %x"
% (cpu.RSP, (num_params + 1) * 4))
params = struct.unpack("<" + "I" * (1 + num_params), buff)
return params
elif long_size == 8:
params_regs = []
params_stack = ()
# Add the return address as parameter 0
try:
buff = api.r_va(cpu.CR3, cpu.RSP, 8)
except:
buff = "\x00" * 8
pp_debug(
"Could not read properly the parameters in interproc_callbacks.py"
)
params_regs.append(struct.unpack("<Q", buff)[0])
if num_params >= 1:
params_regs.append(cpu.RCX)
if num_params >= 2:
params_regs.append(cpu.RDX)
if num_params >= 3:
params_regs.append(cpu.R8)
if num_params >= 4:
params_regs.append(cpu.R9)
if num_params > 4:
# We need to read num_params (-4 parameters read from
# registers) + the return address + 0x20
# 0x20 is for the 4 slots (of 8 bytes) allocated to store
# register parameters (allocated by caller, used by callee)
try:
buff = api.r_va(cpu.CR3, cpu.RSP, (num_params + 5 - 4) * 8)
except:
buff = "\x00" * ((num_params + 5 - 4) * 8)
pp_debug(
"Could not read properly the parameters in interproc_callbacks.py"
)
params_stack = struct.unpack("<" + "Q" * (5 + num_params - 4),
buff)
params_stack = params_stack[5:]
return (tuple(params_regs) + params_stack)
else:
raise Exception(
"[interproc::read_return_parameter(cpu)] : Non-supported TARGET_LONG_SIZE: %d"
% long_size)
