Example #1
 def execute(self):
     """Scan the whole image file for process objects and print them as a table.

     Reads ``self.opts.filename`` through a flat ``FileAddressSpace`` (no
     kernel address space is built in this variant), installs the module-level
     ``types`` table via ``meta_info.set_datatypes`` and hands a single
     ``ProcessScanFast3`` scanner to ``scan_addr_space``.  Only the column
     header is printed here; the per-hit rows come from the scanner.

     Note that, unlike the other ``execute`` variants in this listing, no
     ``os.path.isfile`` check is made first, so a missing or unreadable path
     surfaces as whatever ``FileAddressSpace`` raises.
     """
     meta_info.set_datatypes(types)

     # The file is scanned end to end; a WindowedAddressSpace could be
     # substituted here to restrict the search to a byte range.
     image_space = FileAddressSpace(self.opts.filename)

     header = ("PID    PPID   Time created             Time exited              Offset     PDB        Remarks\n"
               "------ ------ ------------------------ ------------------------ ---------- ---------- ----------------")
     print(header)

     scan_addr_space(image_space, [ProcessScanFast3(image_space)])
Example #2
 def execute(self):
     """Run a whole-image process scan and print the results table header.

     The image named by ``self.opts.filename`` is opened as a flat
     ``FileAddressSpace`` and searched end to end by ``ProcessScanFast3``;
     ``scan_addr_space`` drives the scanner, which emits the per-process rows
     beneath the header printed here.  ``meta_info`` is pointed at the
     module-level ``types`` table first.  No existence check is made on the
     path, so an unreadable image surfaces as whatever ``FileAddressSpace``
     raises.
     """
     meta_info.set_datatypes(types)

     flat = FileAddressSpace(self.opts.filename)
     # No windowing: the search space is the entire file.
     target = flat

     columns = "PID    PPID   Time created             Time exited              Offset     PDB        Remarks"
     rule = "------ ------ ------------------------ ------------------------ ---------- ---------- ----------------"
     print(columns + "\n" + rule)

     scanners = []
     scanners.append(ProcessScanFast3(target))
     scan_addr_space(target, scanners)
Example #3
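    def execute(self):
        """Scan an XP SP2 image for process objects, optionally recording them in SQLite.

        Side effects: sets the module globals ``imgname`` (lower-cased basename
        of the image; presumably what the scanner stamps into the ``memimage``
        column) and ``outfd`` (SQLite path, or ``None`` when ``--outfd1`` is
        absent), patches the shared ``vtypes.xpsp2types`` table in place, and
        installs it as the active type table via ``meta_info.set_datatypes``.

        Exits through ``op.error`` when no readable image path was given.
        """
        op = self.op
        opts = self.opts

        global imgname
        global outfd

        # op.error() is expected not to return (optparse exits with status 2);
        # everything below assumes opts.filename names a real file.
        if (opts.filename is None) or (not os.path.isfile(opts.filename)):
            op.error("File is required")
        filename = opts.filename
        # Basename, tolerant of Windows-style separators on any platform, lower-cased.
        imgname = filename.replace("\\", "/").lower().split("/")[-1]

        if opts.outfd1 is not None:
            outfd = opts.outfd1
            # Create the result table up front so the scanner can insert into it.
            # IF NOT EXISTS replaces the old "select * and catch OperationalError"
            # probe, and the connection is closed even if the DDL fails.
            conn = sqlite3.connect(outfd)
            try:
                conn.execute("create table if not exists psscan3(pid integer, ppid integer, ctime text, etime text, offset text, pdb text, pname text, memimage text)")
                conn.commit()
            finally:
                conn.close()
            # NOTE(review): pname and the other columns come from the untrusted
            # memory image; the scanner's INSERTs (not visible here) must use
            # parameter binding, never string formatting.
        else:
            outfd = None

        # Patch the shared XP SP2 type table in place.  This mutates the
        # module-level dict for the rest of the process, so every later user of
        # xpsp2types sees these offsets too.
        from vtypes import xpsp2types
        xpsp2types['_FAST_MUTEX'][1]['Count'] = [0x0, ['long']]
        xpsp2types['_EPROCESS'][1]['GrantedAccess'] = [0x1a4, ['unsigned long']]
        xpsp2types['_EPROCESS'][1]['Vm'] = [0x1f8, ['_MMSUPPORT']]
        xpsp2types['_KPROCESS'][1]['ThreadListHead'] = [0x50, ['_LIST_ENTRY']]
        xpsp2types['_KPROCESS'][1]['ReadyListHead'] = [0x40, ['_LIST_ENTRY']]
        xpsp2types['_MMSUPPORT'] = [0x40, {'VmWorkingSetList': [0x20, ['pointer', ['_MMWSL']]]}]

        meta_info.set_datatypes(xpsp2types)

        # Flat file scan, no kernel address space is built in this variant.
        image_space = FileAddressSpace(self.opts.filename)
        print("PID    PPID   Time created             Time exited              Offset     PDB        Remarks\n"
              "------ ------ ------------------------ ------------------------ ---------- ---------- ----------------")
        scan_addr_space(image_space, [ProcessScanFast3(image_space)])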
Example #4
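    def execute(self):
        """Pool-scan the image for hive objects and print each scanner's matches.

        Builds the flat file address space, lets ``find_addr_space`` pick the
        container format (hibernation file, crash dump or raw), resolves the
        directory table base either from ``--base`` or ``get_dtb``, and installs
        a PAE or non-PAE kernel address space in ``meta_info`` before scanning.
        Output is one line with the match count per scanner followed by the raw
        match objects.

        Exits through ``op.error`` on a missing image, an unopenable image or a
        non-hexadecimal ``--base``.
        """
        op = self.op
        opts = self.opts

        # op.error() is expected not to return (optparse exits with status 2).
        if (opts.filename is None) or (not os.path.isfile(opts.filename)):
            op.error("File is required")
        filename = opts.filename

        # Catch Exception rather than everything: the old bare except also
        # swallowed KeyboardInterrupt/SystemExit and reported them as an
        # unreadable image.
        try:
            flat_address_space = FileAddressSpace(filename, fast=True)
        except Exception:
            op.error("Unable to open image file %s" % (filename))

        meta_info.set_datatypes(types)

        # Determine the applicable address space (ie hiber, crash)
        search_address_space = find_addr_space(flat_address_space, types)

        # Directory table base: user-supplied hex string, or located by get_dtb.
        if opts.base is None:
            sysdtb = get_dtb(search_address_space, types)
        else:
            try:
                sysdtb = int(opts.base, 16)
            except (TypeError, ValueError):
                op.error("Directory table base must be a hexidecimal number.")
        meta_info.set_dtb(sysdtb)

        # Kernel address space: try PAE first, fall back to non-PAE.  Neither
        # result is validated here; a None from both loaders is handed to
        # set_kas as-is.
        kaddr_space = load_pae_address_space(filename, sysdtb)
        if kaddr_space is None:
            kaddr_space = load_nopae_address_space(filename, sysdtb)
        meta_info.set_kas(kaddr_space)

        # Mixed tab/space indentation in the original print line is gone; the
        # block is now consistently space-indented.
        scanners = [PoolScanHiveFast2(search_address_space)]
        for obj in scan_addr_space(search_address_space, scanners):
            print(len(obj.matches))
            for m in obj.matches:
                print(m)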
Example #5
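    def execute(self):
        """Locate registry hive pool allocations in the image and dump the matches.

        Opens ``opts.filename`` as a flat ``FileAddressSpace``, wraps it in the
        container-specific address space chosen by ``find_addr_space``, fixes
        the directory table base (``--base`` in hex, else ``get_dtb``) and
        registers a PAE or non-PAE kernel address space with ``meta_info``.
        ``PoolScanHiveFast2`` is then run over the search space; for each
        scanner the number of matches and then every match object is printed.

        Exits through ``op.error`` on a missing/unreadable image or a
        ``--base`` value that is not hexadecimal.
        """
        op = self.op
        opts = self.opts

        # op.error() is expected to exit (optparse semantics); the code below
        # relies on that, since filename is only valid past this point.
        if (opts.filename is None) or (not os.path.isfile(opts.filename)):
            op.error("File is required")
        filename = opts.filename

        # Narrowed from a bare except so Ctrl-C and SystemExit are not
        # mis-reported as an unopenable image.
        try:
            flat_address_space = FileAddressSpace(filename, fast=True)
        except Exception:
            op.error("Unable to open image file %s" % (filename))

        meta_info.set_datatypes(types)

        # Determine the applicable address space (ie hiber, crash)
        search_address_space = find_addr_space(flat_address_space, types)

        # Find a dtb value: explicit --base (hex) wins over auto-detection.
        if opts.base is None:
            sysdtb = get_dtb(search_address_space, types)
        else:
            try:
                sysdtb = int(opts.base, 16)
            except (TypeError, ValueError):
                op.error("Directory table base must be a hexidecimal number.")
        meta_info.set_dtb(sysdtb)

        # Set the kernel address space: PAE first, non-PAE as fallback.  If both
        # loaders return None that None is still passed to set_kas.
        kaddr_space = load_pae_address_space(filename, sysdtb)
        if kaddr_space is None:
            kaddr_space = load_nopae_address_space(filename, sysdtb)
        meta_info.set_kas(kaddr_space)

        scanners = [PoolScanHiveFast2(search_address_space)]
        objs = scan_addr_space(search_address_space, scanners)
        for obj in objs:
            print(len(obj.matches))
            for m in obj.matches:
                print(m)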
Example #6
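    def execute(self):
        """Print a header and run the hive pool scanner over the image.

        Merges ``regtypes`` into the module-level ``types`` table (a process-wide
        mutation, see the comment below), opens the image, picks the container
        address space, resolves the directory table base and installs the
        kernel address space, then runs ``PoolScanHiveFast2``.  The scanner is
        expected to emit the rows; this method prints only the
        ``Offset (hex)`` header and discards the scanner objects returned by
        ``scan_addr_space``.

        Exits through ``op.error`` on a missing/unopenable image or a
        non-hexadecimal ``--base``.
        """
        # In general it's not recommended to update the global types on the fly,
        # but I'm special and I know what I'm doing ;)
        # (This mutates the shared `types` dict for every later caller in the
        # process, not just this plugin.)
        types.update(regtypes)

        op = self.op
        opts = self.opts

        # op.error() is expected not to return (optparse exits with status 2).
        if (opts.filename is None) or (not os.path.isfile(opts.filename)):
            op.error("File is required")
        filename = opts.filename

        # Exception, not a bare except: do not turn KeyboardInterrupt/SystemExit
        # into an "unable to open image" message.
        try:
            flat_address_space = FileAddressSpace(filename, fast=True)
        except Exception:
            op.error("Unable to open image file %s" % (filename))

        meta_info.set_datatypes(types)

        # Determine the applicable address space (ie hiber, crash)
        search_address_space = find_addr_space(flat_address_space, types)

        # Find a dtb value
        if opts.base is None:
            sysdtb = get_dtb(search_address_space, types)
        else:
            try:
                sysdtb = int(opts.base, 16)
            except (TypeError, ValueError):
                op.error("Directory table base must be a hexidecimal number.")
        meta_info.set_dtb(sysdtb)

        # Set the kernel address space (PAE, then non-PAE).  A None from both
        # loaders is passed through to set_kas unchanged.
        kaddr_space = load_pae_address_space(filename, sysdtb)
        if kaddr_space is None:
            kaddr_space = load_nopae_address_space(filename, sysdtb)
        meta_info.set_kas(kaddr_space)

        print("%-15s %-15s" % ("Offset", "(hex)"))
        scanners = [PoolScanHiveFast2(search_address_space)]
        scan_addr_space(search_address_space, scanners)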
Example #7
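    def execute(self):
        """Pool-scan the image for loaded kernel modules, optionally into SQLite.

        Sets the module globals ``imgname`` (lower-cased basename of the image)
        and ``outfd`` (SQLite path or ``None``), which the ``*SQL`` scanner
        classes presumably read when writing rows.  Then opens the image,
        selects the container address space, resolves the directory table base
        and kernel address space, prints the column header and runs
        ``PoolScanModuleFast2SQL``.

        Exits through ``op.error`` on a missing/unopenable image or a
        non-hexadecimal ``--base``.
        """
        op = self.op
        opts = self.opts

        global imgname
        global outfd

        # op.error() is expected not to return (optparse exits with status 2).
        if (opts.filename is None) or (not os.path.isfile(opts.filename)):
            op.error("File is required")
        filename = opts.filename
        # Basename that also copes with Windows separators, lower-cased.
        imgname = filename.replace("\\", "/").lower().split("/")[-1]

        if opts.outfd1 is not None:
            outfd = opts.outfd1
            # Ensure the output table exists.  IF NOT EXISTS replaces the old
            # "select * from modscan2 and catch OperationalError" probe, and the
            # connection is always closed, even when the DDL raises.
            conn = sqlite3.connect(outfd)
            try:
                conn.execute("create table if not exists modscan2 (file text, base text, size text, name text, memimage text)")
                conn.commit()
            finally:
                conn.close()
            # NOTE(review): file/name values come from the untrusted memory
            # image; the scanner's INSERTs (not visible here) must bind
            # parameters rather than format SQL strings.
        else:
            outfd = None

        # Narrowed from a bare except so Ctrl-C / SystemExit are not reported
        # as an unreadable image.
        try:
            flat_address_space = FileAddressSpace(filename, fast=True)
        except Exception:
            op.error("Unable to open image file %s" % (filename))

        meta_info.set_datatypes(types)

        # Determine the applicable address space
        search_address_space = find_addr_space(flat_address_space, types)

        # Find a dtb value: explicit --base (hex) or auto-detected.
        if opts.base is None:
            sysdtb = get_dtb(search_address_space, types)
        else:
            try:
                sysdtb = int(opts.base, 16)
            except (TypeError, ValueError):
                op.error("Directory table base must be a hexidecimal number.")

        meta_info.set_dtb(sysdtb)
        # PAE first, non-PAE fallback; a None from both is passed on unchecked.
        kaddr_space = load_pae_address_space(filename, sysdtb)
        if kaddr_space is None:
            kaddr_space = load_nopae_address_space(filename, sysdtb)
        meta_info.set_kas(kaddr_space)

        print("%-50s %-12s %-8s %s \n" % ('File', 'Base', 'Size', 'Name'))

        scanners = [PoolScanModuleFast2SQL(search_address_space)]
        scan_addr_space(search_address_space, scanners)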
Example #8
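    def execute(self):
        """Pool-scan the image for socket objects, optionally recording them in SQLite.

        Sets the module globals ``imgname`` (lower-cased basename of the image)
        and ``outfd`` (SQLite path or ``None``), presumably consumed by
        ``PoolScanSockFast2SQL`` when it writes rows.  Opens the image, picks
        the container address space, resolves the directory table base and
        kernel address space, prints the column header and runs the scanner.

        Exits through ``op.error`` on a missing/unopenable image or a
        non-hexadecimal ``--base``.
        """
        op = self.op
        opts = self.opts

        global imgname
        global outfd

        # op.error() is expected not to return (optparse exits with status 2).
        if (opts.filename is None) or (not os.path.isfile(opts.filename)):
            op.error("File is required")
        filename = opts.filename
        # Basename that also copes with Windows separators, lower-cased.
        imgname = filename.replace("\\", "/").lower().split("/")[-1]

        if opts.outfd1 is not None:
            outfd = opts.outfd1
            # NOTE(review): debug leftover -- this writes the database path into
            # the report stream ahead of the column header.
            print(outfd)

            # Ensure the output table exists.  IF NOT EXISTS replaces the old
            # "select * and catch OperationalError" probe, and the connection is
            # closed even when the DDL raises.
            conn = sqlite3.connect(outfd)
            try:
                conn.execute("create table if not exists sockscan2(pid integer, port integer, proto text, ctime text, offset text, memimage text)")
                conn.commit()
            finally:
                conn.close()
            # NOTE(review): every column value comes from the untrusted memory
            # image; the scanner's INSERTs (not visible here) must bind
            # parameters rather than format SQL strings.
        else:
            outfd = None

        # Narrowed from a bare except so Ctrl-C / SystemExit are not reported
        # as an unreadable image.
        try:
            flat_address_space = FileAddressSpace(filename, fast=True)
        except Exception:
            op.error("Unable to open image file %s" % (filename))

        meta_info.set_datatypes(types)

        # Determine the applicable address space
        search_address_space = find_addr_space(flat_address_space, types)

        # Find a dtb value: explicit --base (hex) or auto-detected.
        if opts.base is None:
            sysdtb = get_dtb(search_address_space, types)
        else:
            try:
                sysdtb = int(opts.base, 16)
            except (TypeError, ValueError):
                op.error("Directory table base must be a hexidecimal number.")

        meta_info.set_dtb(sysdtb)
        # PAE first, non-PAE fallback; a None from both is passed on unchecked.
        kaddr_space = load_pae_address_space(filename, sysdtb)
        if kaddr_space is None:
            kaddr_space = load_nopae_address_space(filename, sysdtb)
        meta_info.set_kas(kaddr_space)

        # The trailing "\n" on the rule line is kept: output ends with a blank line.
        print("PID    Port   Proto  Create Time                Offset \n"
              "------ ------ ------ -------------------------- ----------\n")

        scanners = [PoolScanSockFast2SQL(search_address_space)]
        scan_addr_space(search_address_space, scanners)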