def doProcessors(config):
    """Retrieve IDT data.

    For every KPCR located in the physical address space, read the 256-entry
    interrupt descriptor table it references, classify each descriptor as a
    task, interrupt, trap or invalid gate, and record the handler address,
    the raw attribute bits and the code selector.  When the handler address
    resolves to a loaded module, the module's full path is attached to the
    entry as well.

    Args:
        config: Volatility configuration used to load the address spaces and
            passed through unchanged to find_module.

    Returns:
        A datastruct.rootType() message with one Processor per KPCR found,
        each carrying an InterruptDescriptorTable.IDTEntry list.
    """

    def gate_field_32(access):
        # Bit 7 of the access byte is the present flag; a value that does
        # not fit in one byte cannot be a valid 32-bit descriptor either.
        if access >= 256 or (access & 0x80) != 0x80:
            return 'InvalidGate'
        kind = access & 0x1f
        if kind == 0x5:
            return 'TaskGate'
        if kind == 0x6 or kind == 0xe:
            return 'InterruptGate'
        if kind == 0x7 or kind == 0xf:
            return 'TrapGate'
        return 'InvalidGate'

    def gate_field_64(desc):
        # Both reserved fields must be clear and the present bit must be set
        # before the type nibble is trusted.
        if desc.Reserved0 != 0 or desc.Reserved1 != 0 or desc.Present == 0:
            return 'InvalidGate'
        kind = desc.Type
        if kind == 0x5:
            return 'TaskGate'
        if kind == 0xe:
            return 'InterruptGate'
        if kind == 0xf:
            return 'TrapGate'
        return 'InvalidGate'

    phys_space = utils.load_as(config)
    # NOTE(review): loaded but never read below.  IdtBase is a virtual
    # address, so confirm whether the IDT array ought to be built on this
    # kernel space rather than on phys_space.
    kernel_space = utils.load_as(config, astype='kernel')
    root = datastruct.rootType()

    for proc_id, kpcr in enumerate(FindKPCR(phys_space)):
        processor = root.Processor.add()
        processor.ID = proc_id
        idt_base = kpcr.IdtBase
        table = obj.Array(
            None,
            phys_space.address_mask(idt_base.v()),
            phys_space,
            count=256,
            target=idt_base.target,
        )
        for descriptor in table:
            entry = processor.InterruptDescriptorTable.IDTEntry.add()
            # 32-bit gate descriptors have no OffsetMiddle member.
            if not descriptor.m('OffsetMiddle'):
                setattr(entry, gate_field_32(descriptor.Access), '')
                entry.Address = (descriptor.ExtendedOffset << 16) | descriptor.Offset
                entry.Attributes = descriptor.Access
            else:
                setattr(entry, gate_field_64(descriptor), '')
                entry.Address = (
                    ((descriptor.OffsetHigh & 0xffffffff) << 32)
                    | ((descriptor.OffsetMiddle & 0xffff) << 16)
                    | (descriptor.OffsetLow & 0xffff)
                )
                # IST index, gate type, DPL and present bit packed into one
                # integer for the output record.
                entry.Attributes = (
                    (descriptor.IstIndex << 13)
                    | (descriptor.Type << 3)
                    | (descriptor.Dpl << 1)
                    | descriptor.Present
                )
            entry.Selector = descriptor.Selector.v()
            module = find_module(config, entry.Address)
            if module:
                entry.Module = module.FullDllName.v()
    return root
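def doDrivers(self, config, drivers, devices):
    """Export the loaded kernel drivers and their device stacks to drivers.xml.

    For every (name, _DRIVER_OBJECT) pair in *drivers* a Driver record is
    filled in with the driver's image path, entry points, the 28 IRP major
    function dispatch addresses, whatever the DriverExtension offers, and
    the list of _DEVICE_OBJECTs whose DriverObject points back at this
    driver.  The record list is serialised with proto2xml to
    ``config.OUTPUT_PATH + "drivers.xml"``.

    Args:
        config: Volatility configuration; ``OUTPUT_PATH`` names the output
            directory and the object is passed through to find_module.
        drivers: iterable of (driver_name, driver_object) tuples.
        devices: iterable of (device_name, device_object) tuples.  It is
            walked once per driver, so it is materialised up front.

    Returns:
        None.  Writes drivers.xml as a side effect.

    NOTE(review): a second definition of doDrivers with the same signature
    follows this one in the file; if both live in one class the later one
    wins at import time.
    """
    print("Doing DoDrivers")
    # Index i of _DRIVER_OBJECT.MajorFunction is the dispatch routine for
    # IRP major function code i.
    irp_major_fields = (
        'IRP_MJ_CREATE',
        'IRP_MJ_CREATE_NAMED_PIPE',
        'IRP_MJ_CLOSE',
        'IRP_MJ_READ',
        'IRP_MJ_WRITE',
        'IRP_MJ_QUERY_INFORMATION',
        'IRP_MJ_SET_INFORMATION',
        'IRP_MJ_QUERY_EA',
        'IRP_MJ_SET_EA',
        'IRP_MJ_FLUSH_BUFFERS',
        'IRP_MJ_QUERY_VOLUME_INFORMATION',
        'IRP_MJ_SET_VOLUME_INFORMATION',
        'IRP_MJ_DIRECTORY_CONTROL',
        'IRP_MJ_FILE_SYSTEM_CONTROL',
        'IRP_MJ_DEVICE_CONTROL',
        'IRP_MJ_INTERNAL_DEVICE_CONTROL',
        'IRP_MJ_SHUTDOWN',
        'IRP_MJ_LOCK_CONTROL',
        'IRP_MJ_CLEANUP',
        'IRP_MJ_CREATE_MAILSLOT',
        'IRP_MJ_QUERY_SECURITY',
        'IRP_MJ_SET_SECURITY',
        'IRP_MJ_POWER',
        'IRP_MJ_SYSTEM_CONTROL',
        'IRP_MJ_DEVICE_CHANGE',
        'IRP_MJ_QUERY_QUOTA',
        'IRP_MJ_SET_QUOTA',
        'IRP_MJ_PNP',
    )
    # The device list is re-walked for every driver; a generator would be
    # drained after the first driver and every later driver would show no
    # devices.
    device_list = list(devices)

    driverObjList = driverdatastructs.rootType()
    for driver_name, driver_object in drivers:
        driverObj = driverObjList.Driver.add(resultitemtype=5)  # ResultDriverItem
        baseaddress = driver_object.DriverStart.v()
        module = find_module(config, baseaddress)
        driverObj.ImagePath = module.FullDllName.v() if module and module.FullDllName else ''
        driverObj.BaseAddress = baseaddress
        driverObj.Type = driver_object.Type.v()
        driverObj.DeviceObj_Location = driver_object.obj_native_vm.vtop(driver_object.DeviceObject.v()) or 0
        driverObj.Driver_Init = driver_object.DriverInit.v()
        driverObj.Driver_StartIO = driver_object.DriverStartIo.v()
        driverObj.Driver_Unload = driver_object.DriverUnload.v()
        # No reliable source for the load time in a memory image.
        driverObj.StartTime = '0000-00-00 00:00:00'
        # Dependencies / Instances only exist for Linux modules.
        driverObj.Dependencies = ''
        driverObj.Size = driver_object.DriverSize.v()
        driverObj.Instances = 0
        driverObj.Name = driver_object.DriverName.v()
        driverObj.StartedAs = ''
        driverObj.State = 4  # running
        driverObj.RealState = -1  # unknown
        driverObj.StartMode = -1  # unknown
        driverObj.RealStartMode = -1  # unknown
        driverObj.RealType = 0  # unknown
        driverObj.Path = ''
        driverObj.plist = ''
        # Image hashes are not computed from the memory image; placeholders
        # keep the record schema-complete.  Fuzzy hashes are left out for now.
        driverObj.MD5 = BLANK_MD5
        driverObj.SHA1 = BLANK_SHA1
        driverObj.KFFStatus = 0
        driverObj.processid = 0  # meaningless for drivers

        major_functions = driver_object.MajorFunction
        for index, field in enumerate(irp_major_fields):
            setattr(driverObj, field, major_functions[index].v())

        # The DriverExtension gives the service key name and a second view of
        # the driver object; fall back to placeholders if it cannot be read.
        try:
            driver_extension = driver_object.DriverExtension
            driverObj.ServiceKeyName = driver_extension.ServiceKeyName or '<UNAVAILABLE>'
            driverObj.DriverObj_Location = driver_object.obj_native_vm.vtop(driver_extension.DriverObject.v()) or 0
        except Exception:
            logging.debug("DriverExtension unavailable for driver %s", driver_name)
            driverObj.ServiceKeyName = '<UNAVAILABLE>'
            driverObj.DriverObj_Location = 0

        # Associated devices: every device whose DriverObject resolves to this
        # driver's address.
        driver_addr = driver_object.v()
        for device_name, device_object in device_list:
            vm = device_object.obj_native_vm
            if vm.vtop(device_object.DriverObject.v()) == driver_addr:
                driverObj.Driver_Device_List.Device.add(
                    Name=device_name,
                    DeviceObj_Location=device_object.v() or 0,
                    DriverObj_Location=vm.vtop(device_object.DriverObject.v() or 0) or 0,
                    NextDeviceObj_Location=vm.vtop(device_object.NextDevice.v() or 0) or 0,
                    AttachedDeviceObj_Location=vm.vtop(device_object.AttachedDevice.v() or 0) or 0,
                )

    # NOTE: plain concatenation, as in the rest of this exporter; OUTPUT_PATH
    # is expected to already end with a path separator.
    output_path = config.OUTPUT_PATH + "drivers.xml"
    with open(output_path, "w") as out:
        out.write(proto2xml(driverObjList, indent=0))
    logging.debug("Completed exporting the drivers on the system")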
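def doDrivers(self, config, drivers, devices):
    """Export the loaded kernel drivers and their device stacks to drivers.xml.

    For every (name, _DRIVER_OBJECT) pair in *drivers* a Driver record is
    filled in with the driver's image path, entry points, the 28 IRP major
    function dispatch addresses, whatever the DriverExtension offers, and
    the list of _DEVICE_OBJECTs whose DriverObject points back at this
    driver.  The record list is serialised with proto2xml to
    ``config.OUTPUT_PATH + "drivers.xml"``.

    Args:
        config: Volatility configuration; ``OUTPUT_PATH`` names the output
            directory and the object is passed through to find_module.
        drivers: iterable of (driver_name, driver_object) tuples.
        devices: iterable of (device_name, device_object) tuples.  It is
            walked once per driver, so it is materialised up front.

    Returns:
        None.  Writes drivers.xml as a side effect.

    NOTE(review): an earlier definition of doDrivers with the same signature
    precedes this one in the file; if both live in one class this later one
    wins at import time.  The only difference is that this version passes
    the driver name through adutils.SmartUnicode with an "Unknown" fallback.
    """
    print("Doing DoDrivers")
    # Index i of _DRIVER_OBJECT.MajorFunction is the dispatch routine for
    # IRP major function code i.
    irp_major_fields = (
        'IRP_MJ_CREATE',
        'IRP_MJ_CREATE_NAMED_PIPE',
        'IRP_MJ_CLOSE',
        'IRP_MJ_READ',
        'IRP_MJ_WRITE',
        'IRP_MJ_QUERY_INFORMATION',
        'IRP_MJ_SET_INFORMATION',
        'IRP_MJ_QUERY_EA',
        'IRP_MJ_SET_EA',
        'IRP_MJ_FLUSH_BUFFERS',
        'IRP_MJ_QUERY_VOLUME_INFORMATION',
        'IRP_MJ_SET_VOLUME_INFORMATION',
        'IRP_MJ_DIRECTORY_CONTROL',
        'IRP_MJ_FILE_SYSTEM_CONTROL',
        'IRP_MJ_DEVICE_CONTROL',
        'IRP_MJ_INTERNAL_DEVICE_CONTROL',
        'IRP_MJ_SHUTDOWN',
        'IRP_MJ_LOCK_CONTROL',
        'IRP_MJ_CLEANUP',
        'IRP_MJ_CREATE_MAILSLOT',
        'IRP_MJ_QUERY_SECURITY',
        'IRP_MJ_SET_SECURITY',
        'IRP_MJ_POWER',
        'IRP_MJ_SYSTEM_CONTROL',
        'IRP_MJ_DEVICE_CHANGE',
        'IRP_MJ_QUERY_QUOTA',
        'IRP_MJ_SET_QUOTA',
        'IRP_MJ_PNP',
    )
    # The device list is re-walked for every driver; a generator would be
    # drained after the first driver and every later driver would show no
    # devices.
    device_list = list(devices)

    driverObjList = driverdatastructs.rootType()
    for driver_name, driver_object in drivers:
        driverObj = driverObjList.Driver.add(resultitemtype=5)  # ResultDriverItem
        baseaddress = driver_object.DriverStart.v()
        module = find_module(config, baseaddress)
        driverObj.ImagePath = module.FullDllName.v() if module and module.FullDllName else ''
        driverObj.BaseAddress = baseaddress
        driverObj.Type = driver_object.Type.v()
        driverObj.DeviceObj_Location = driver_object.obj_native_vm.vtop(driver_object.DeviceObject.v()) or 0
        driverObj.Driver_Init = driver_object.DriverInit.v()
        driverObj.Driver_StartIO = driver_object.DriverStartIo.v()
        driverObj.Driver_Unload = driver_object.DriverUnload.v()
        # No reliable source for the load time in a memory image.
        driverObj.StartTime = '0000-00-00 00:00:00'
        # Dependencies / Instances only exist for Linux modules.
        driverObj.Dependencies = ''
        driverObj.Size = driver_object.DriverSize.v()
        driverObj.Instances = 0
        driverObj.Name = adutils.SmartUnicode(driver_object.DriverName.v() or "Unknown")
        driverObj.StartedAs = ''
        driverObj.State = 4  # running
        driverObj.RealState = -1  # unknown
        driverObj.StartMode = -1  # unknown
        driverObj.RealStartMode = -1  # unknown
        driverObj.RealType = 0  # unknown
        driverObj.Path = ''
        driverObj.plist = ''
        # Image hashes are not computed from the memory image; placeholders
        # keep the record schema-complete.  Fuzzy hashes are left out for now.
        driverObj.MD5 = BLANK_MD5
        driverObj.SHA1 = BLANK_SHA1
        driverObj.KFFStatus = 0
        driverObj.processid = 0  # meaningless for drivers

        major_functions = driver_object.MajorFunction
        for index, field in enumerate(irp_major_fields):
            setattr(driverObj, field, major_functions[index].v())

        # The DriverExtension gives the service key name and a second view of
        # the driver object; fall back to placeholders if it cannot be read.
        try:
            driver_extension = driver_object.DriverExtension
            driverObj.ServiceKeyName = driver_extension.ServiceKeyName or '<UNAVAILABLE>'
            driverObj.DriverObj_Location = driver_object.obj_native_vm.vtop(driver_extension.DriverObject.v()) or 0
        except Exception:
            logging.debug("DriverExtension unavailable for driver %s", driver_name)
            driverObj.ServiceKeyName = '<UNAVAILABLE>'
            driverObj.DriverObj_Location = 0

        # Associated devices: every device whose DriverObject resolves to this
        # driver's address.
        driver_addr = driver_object.v()
        for device_name, device_object in device_list:
            vm = device_object.obj_native_vm
            if vm.vtop(device_object.DriverObject.v()) == driver_addr:
                driverObj.Driver_Device_List.Device.add(
                    Name=device_name,
                    DeviceObj_Location=device_object.v() or 0,
                    DriverObj_Location=vm.vtop(device_object.DriverObject.v() or 0) or 0,
                    NextDeviceObj_Location=vm.vtop(device_object.NextDevice.v() or 0) or 0,
                    AttachedDeviceObj_Location=vm.vtop(device_object.AttachedDevice.v() or 0) or 0,
                )

    # NOTE: plain concatenation, as in the rest of this exporter; OUTPUT_PATH
    # is expected to already end with a path separator.
    output_path = config.OUTPUT_PATH + "drivers.xml"
    with open(output_path, "w") as out:
        out.write(proto2xml(driverObjList, indent=0))
    logging.debug("Completed exporting the drivers on the system")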