def find_numberprocessors(addr_space, types):
NumberOfProcessorsDict = dict()
all_tasks = process_list(addr_space, types)
for task in all_tasks:
if not addr_space.is_valid_address(task):
continue
process_address_space = process_addr_space(addr_space, types, task,
addr_space.base.fname)
if process_address_space is None:
continue
peb = process_peb(addr_space, types, task)
try:
if not process_address_space.is_valid_address(peb):
continue
except:
continue
NumberOfProcessors = peb_number_processors(process_address_space,
types, peb)
if NumberOfProcessors in NumberOfProcessorsDict:
NumberOfProcessorsDict[NumberOfProcessors] += 1
else:
NumberOfProcessorsDict[NumberOfProcessors] = 1
MaxNumberOfProcessors = max([(NumberOfProcessorsDict[x], x)
for x in NumberOfProcessorsDict])[1]
return MaxNumberOfProcessors
def find_numberprocessors(addr_space, types):
NumberOfProcessorsDict = dict()
all_tasks = process_list(addr_space, types)
for task in all_tasks:
if not addr_space.is_valid_address(task):
continue
process_address_space = process_addr_space(addr_space, types, task, addr_space.base.fname)
if process_address_space is None:
continue
peb = process_peb(addr_space, types, task)
try:
if not process_address_space.is_valid_address(peb):
continue
except:
continue
NumberOfProcessors = peb_number_processors(process_address_space, types, peb)
if NumberOfProcessors in NumberOfProcessorsDict:
NumberOfProcessorsDict[NumberOfProcessors] +=1
else:
NumberOfProcessorsDict[NumberOfProcessors] = 1
MaxNumberOfProcessors =max([ (NumberOfProcessorsDict[x],x) for x in NumberOfProcessorsDict])[1]
return MaxNumberOfProcessors
def execute(self):
from vtypes import xpsp2types
xpsp2types['_EPROCESS'][1]['Token'] = [0xc8, ['_EX_FAST_REF']]
theProfile = Profile()
theProfile.add_types(token_types)
(addr_space, symtab,
types) = load_and_identify_image(self.op, self.opts)
pslist = process_list(addr_space, types, symtab)
for proc_addr in pslist:
proc = Object("_EPROCESS",
proc_addr,
addr_space,
profile=theProfile)
if not proc.Token.is_valid():
name = process_imagename(addr_space, types, proc_addr)
pid = process_pid(addr_space, types, proc_addr)
print "%s (%d): Token unreadable" % (name, pid)
continue
tok_addr = proc.Token.Value & ~0x7
tok = Object('_TOKEN', tok_addr, proc.vm, None, profile=theProfile)
sids = []
sid_addr = tok.UserAndGroups.offset
sid_size = obj_size(token_types, '_SID_AND_ATTRIBUTES')
for i in range(tok.UserAndGroupCount):
sids.append(
Object('_SID_AND_ATTRIBUTES',
sid_addr,
proc.vm,
None,
profile=theProfile))
sid_addr += sid_size
for sa in sids:
sid = sa.Sid.dereference_as('_SID')
subauth_addr = sid.get_member_offset('SubAuthority')
subauths = unpack(
"<%dI" % sid.SubAuthorityCount,
proc.vm.read(subauth_addr, sid.SubAuthorityCount * 4))
sid_string = "S-" + "-".join(
str(i)
for i in (sid.Revision,
sid.IdentifierAuthority.Value[-1]) + subauths)
if sid_string in well_known_sids:
sid_name = " (%s)" % well_known_sids[sid_string]
else:
sid_name_re = find_sid_re(sid_string, well_known_sid_re)
if sid_name_re:
sid_name = " (%s)" % sid_name_re
else:
sid_name = ""
print "%s (%d): %s%s" % (proc.ImageFileName,
proc.UniqueProcessId.v(), sid_string,
sid_name)
def execute(self):
(addr_space, symtab, types) = load_and_identify_image(self.op,
self.opts)
pslist = process_list(addr_space, types, symtab)
for proc_addr in pslist:
proc = Object("_EPROCESS", proc_addr, addr_space, profile=Profile())
print "%#x %s (%d): %d" % (proc.offset, proc.ImageFileName, proc.UniqueProcessId.v(), proc.VirtualSize)
print proc.Peb
def find_space(addr_space, types, symtab, addr):
# short circuit if given one works
if addr_space.is_valid_address(addr): return addr_space
pslist = process_list(addr_space, types, symtab)
for p in pslist:
dtb = process_dtb(addr_space, types, p)
space = create_addr_space(addr_space, dtb)
if space.is_valid_address(addr):
return space
return None
def execute(self):
(addr_space, symtab, types) = load_and_identify_image(self.op, self.opts)
fieldfile = open(self.opts.fieldlist)
pslist = process_list(addr_space, types, symtab)
for line in fieldfile:
line = line.strip()
fields = line.split(".")
try:
fields = fields[:-1] + [int(fields[-1])]
except ValueError:
pass
print line + "," + ",".join("%x" % read_obj(addr_space, types, ['_EPROCESS'] + fields, p) for p in pslist)
def execute(self):
(addr_space, symtab,
types) = load_and_identify_image(self.op, self.opts)
pslist = process_list(addr_space, types, symtab)
for proc_addr in pslist:
proc = Object("_EPROCESS",
proc_addr,
addr_space,
profile=Profile())
print "%#x %s (%d): %d" % (proc.offset, proc.ImageFileName,
proc.UniqueProcessId.v(),
proc.VirtualSize)
print proc.Peb
def execute(self):
(addr_space, symtab, types) = load_and_identify_image(self.op,
self.opts)
theProfile = Profile()
pslist = [ Object("_EPROCESS", p, addr_space, profile=theProfile)
for p in process_list(addr_space, types, symtab) ]
for p in pslist:
for t in each_thread(p):
print "********** %s (%x:%x) **********" % (p.ImageFileName,
t.Cid.UniqueProcess.v(),
t.Cid.UniqueThread.v())
for irp in each_irp(t):
print_irp_info(irp)
def execute(self):
from vtypes import xpsp2types
xpsp2types["_ETHREAD"][1]["ThreadListEntry"] = [0x22C, ["_LIST_ENTRY"]]
xpsp2types["_KTHREAD"][1]["Win32Thread"] = [0x130, ["pointer", ["_W32THREAD"]]]
theProfile = Profile()
theProfile.add_types(gdi_types)
(addr_space, symtab, types) = load_and_identify_image(self.op, self.opts)
pslist = process_list(addr_space, types, symtab)
pslist = [Object("_EPROCESS", p, addr_space, profile=theProfile) for p in pslist]
for p in pslist:
for t in get_threads(p):
self.print_message_queue(t)
def find_top_window(self, process_address_space, types, symtab, theProfile):
top_windows = []
windows = set()
pslist = process_list(process_address_space, types, symtab)
for p in pslist:
proc = Object("_EPROCESS", p, process_address_space, profile=theProfile)
win = None
for thrd in get_threads(proc):
win = self.get_desktop_window(thrd)
if win: break
if win and win not in windows:
top_windows.append( (win, thrd, proc) )
windows.add(win)
return top_windows
def execute(self):
(addr_space, symtab,
types) = load_and_identify_image(self.op, self.opts)
fieldfile = open(self.opts.fieldlist)
pslist = process_list(addr_space, types, symtab)
for line in fieldfile:
line = line.strip()
fields = line.split(".")
try:
fields = fields[:-1] + [int(fields[-1])]
except ValueError:
pass
print line + "," + ",".join(
"%x" % read_obj(addr_space, types, ['_EPROCESS'] + fields, p)
for p in pslist)
def find_top_window(self, process_address_space, types, symtab, theProfile):
top_windows = []
windows = set()
pslist = process_list(process_address_space, types, symtab)
for p in pslist:
proc = Object("_EPROCESS", p, process_address_space, profile=theProfile)
win = None
for thrd in get_threads(proc):
win = self.get_desktop_window(thrd)
if win:
break
if win and win not in windows:
top_windows.append((win, thrd, proc))
windows.add(win)
return top_windows
def execute(self):
from vtypes import xpsp2types
xpsp2types['_EPROCESS'][1]['Token'] = [ 0xc8, ['_EX_FAST_REF']]
theProfile = Profile()
theProfile.add_types(token_types)
(addr_space, symtab, types) = load_and_identify_image(self.op,
self.opts)
pslist = process_list(addr_space, types, symtab)
for proc_addr in pslist:
proc = Object("_EPROCESS", proc_addr, addr_space, profile=theProfile)
if not proc.Token.is_valid():
name = process_imagename(addr_space, types, proc_addr)
pid = process_pid(addr_space, types, proc_addr)
print "%s (%d): Token unreadable" % (name,pid)
continue
tok_addr = proc.Token.Value & ~0x7
tok = Object('_TOKEN', tok_addr, proc.vm, None, profile=theProfile)
sids = []
sid_addr = tok.UserAndGroups.offset
sid_size = obj_size(token_types, '_SID_AND_ATTRIBUTES')
for i in range(tok.UserAndGroupCount):
sids.append(Object('_SID_AND_ATTRIBUTES', sid_addr, proc.vm, None, profile=theProfile))
sid_addr += sid_size
for sa in sids:
sid = sa.Sid.dereference_as('_SID')
subauth_addr = sid.get_member_offset('SubAuthority')
subauths = unpack("<%dI" % sid.SubAuthorityCount, proc.vm.read(subauth_addr, sid.SubAuthorityCount*4))
sid_string = "S-" + "-".join(str(i) for i in (sid.Revision,sid.IdentifierAuthority.Value[-1])+subauths)
if sid_string in well_known_sids:
sid_name = " (%s)" % well_known_sids[sid_string]
else:
sid_name_re = find_sid_re(sid_string, well_known_sid_re)
if sid_name_re:
sid_name = " (%s)" % sid_name_re
else:
sid_name= ""
print "%s (%d): %s%s" % (proc.ImageFileName, proc.UniqueProcessId.v(), sid_string, sid_name)
def execute(self):
from vtypes import xpsp2types
xpsp2types['_ETHREAD'][1]['ThreadListEntry'] = [0x22c, ['_LIST_ENTRY']]
xpsp2types['_KTHREAD'][1]['Win32Thread'] = [
0x130, ['pointer', ['_W32THREAD']]
]
theProfile = Profile()
theProfile.add_types(gdi_types)
(addr_space, symtab,
types) = load_and_identify_image(self.op, self.opts)
pslist = process_list(addr_space, types, symtab)
pslist = [
Object('_EPROCESS', p, addr_space, profile=theProfile)
for p in pslist
]
for p in pslist:
for t in get_threads(p):
self.print_message_queue(t)
def execute(self):
from vtypes import xpsp2types
xpsp2types['_ETHREAD'][1]['ThreadListEntry'] = [0x22c, ['_LIST_ENTRY']]
xpsp2types['_KTHREAD'][1]['ServiceTable'] = [
0xe0, ['pointer', ['_SERVICE_DESCRIPTOR_TABLE']]
]
profile = Profile()
profile.add_types(ssdt_types)
(addr_space, symtab,
types) = load_and_identify_image(self.op, self.opts)
pslist = process_list(addr_space, types, symtab)
procs = [
Object("_EPROCESS", p, addr_space, profile=profile) for p in pslist
]
modlist = modules_list(addr_space, types, symtab)
mods = [
Object("_LDR_MODULE", m, addr_space, profile=profile)
for m in modlist
]
mods = dict((mod.BaseAddress.v(), mod) for mod in mods)
mod_addrs = sorted(mods.keys())
# Gather up all SSDTs referenced by threads
print "Gathering all referenced SSDTs from KTHREADs..."
ssdts = set()
for proc in procs:
for thread in get_threads(proc):
ssdts.add(thread.Tcb.ServiceTable)
# Get a list of *unique* SSDT entries. Typically we see only two.
tables = set()
for ssdt in ssdts:
for i, desc in enumerate(ssdt.Descriptors):
if desc.is_valid() and desc.ServiceLimit != 0:
tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit))
print "Finding appropriate address space for tables..."
tables_with_vm = []
for idx, table, n in tables:
found = False
for p in procs:
if p.vm.is_valid_address(table):
tables_with_vm.append((idx, table, n, p.vm))
found = True
break
if not found:
# Any VM is equally bad...
tables_with_vm.append((idx, table, n, addr_space))
# Print out the entries for each table
for idx, table, n, vm in sorted(tables_with_vm, key=itemgetter(0)):
print "SSDT[%d] at %x with %d entries" % (idx, table, n)
if vm.is_valid_address(table):
for i in range(n):
syscall_addr = Object('unsigned long',
table + (i * 4),
vm,
profile=profile).v()
try:
syscall_name = xpsp2_syscalls[idx][i]
except IndexError:
syscall_name = "Unknown"
syscall_mod = find_module(mods, mod_addrs, syscall_addr)
if syscall_mod:
syscall_modname = syscall_mod.ModuleName
else:
syscall_modname = "UNKNOWN"
print " Entry %#06x: %#x (%s) owned by %s" % (
idx * 0x1000 + i, syscall_addr, syscall_name,
syscall_modname)
else:
print " [SSDT not resident]"
def execute(self):
from vtypes import xpsp2types
xpsp2types['_ETHREAD'][1]['ThreadListEntry'] = [ 0x22c, ['_LIST_ENTRY']]
xpsp2types['_KTHREAD'][1]['ServiceTable'] = [ 0xe0, ['pointer', ['_SERVICE_DESCRIPTOR_TABLE']]]
profile = Profile()
profile.add_types(ssdt_types)
(addr_space, symtab, types) = load_and_identify_image(self.op,
self.opts)
pslist = process_list(addr_space, types, symtab)
procs = [ Object("_EPROCESS", p, addr_space, profile=profile)
for p in pslist ]
modlist = modules_list(addr_space, types, symtab)
mods = [ Object("_LDR_MODULE", m, addr_space, profile=profile)
for m in modlist ]
mods = dict( (mod.BaseAddress.v(),mod) for mod in mods )
mod_addrs = sorted(mods.keys())
# Gather up all SSDTs referenced by threads
print "Gathering all referenced SSDTs from KTHREADs..."
ssdts = set()
for proc in procs:
for thread in get_threads(proc):
ssdts.add(thread.Tcb.ServiceTable)
# Get a list of *unique* SSDT entries. Typically we see only two.
tables = set()
for ssdt in ssdts:
for i,desc in enumerate(ssdt.Descriptors):
if desc.is_valid() and desc.ServiceLimit != 0:
tables.add((i,desc.KiServiceTable.v(),desc.ServiceLimit))
print "Finding appropriate address space for tables..."
tables_with_vm = []
for idx, table, n in tables:
found = False
for p in procs:
if p.vm.is_valid_address(table):
tables_with_vm.append( (idx, table, n, p.vm) )
found = True
break
if not found:
# Any VM is equally bad...
tables_with_vm.append( (idx, table, n, addr_space) )
# Print out the entries for each table
for idx,table,n,vm in sorted(tables_with_vm, key=itemgetter(0)):
print "SSDT[%d] at %x with %d entries" % (idx,table, n)
if vm.is_valid_address(table):
for i in range(n):
syscall_addr = Object('unsigned long', table+(i*4), vm, profile=profile).v()
try:
syscall_name = xpsp2_syscalls[idx][i]
except IndexError:
syscall_name = "Unknown"
syscall_mod = find_module(mods, mod_addrs, syscall_addr)
if syscall_mod:
syscall_modname = syscall_mod.ModuleName
else:
syscall_modname = "UNKNOWN"
print " Entry %#06x: %#x (%s) owned by %s" % (idx*0x1000+i,
syscall_addr,
syscall_name,
syscall_modname)
else:
print " [SSDT not resident]"
def execute(self):
op = self.op
opts = self.opts
dbout = opts.outfd1
if (opts.filename is None) or (not os.path.isfile(opts.filename)):
op.error("File is required")
else:
filename = opts.filename
temp = filename.replace("\\", "/").lower().split("/")
imgname = temp[-1]
if dbout is not None:
conn = sqlite3.connect(dbout)
cur = conn.cursor()
try:
cur.execute("select * from sids")
except sqlite3.OperationalError:
cur.execute(
"create table sids (pname text, pid integer, sid_string text, sid_name text, memimage text)"
)
conn.commit()
from vtypes import xpsp2types
xpsp2types["_EPROCESS"][1]["Token"] = [0xC8, ["_EX_FAST_REF"]]
theProfile = Profile()
theProfile.add_types(token_types)
(addr_space, symtab, types) = load_and_identify_image(self.op, self.opts)
pslist = process_list(addr_space, types, symtab)
for proc_addr in pslist:
proc = Object("_EPROCESS", proc_addr, addr_space, profile=theProfile)
if not proc.Token.is_valid():
name = process_imagename(addr_space, types, proc_addr)
pid = process_pid(addr_space, types, proc_addr)
print "%s (%d): Token unreadable" % (name, pid)
continue
tok_addr = proc.Token.Value & ~0x7
tok = Object("_TOKEN", tok_addr, proc.vm, None, profile=theProfile)
sids = []
try:
sid_addr = tok.UserAndGroups.offset
sid_size = obj_size(token_types, "_SID_AND_ATTRIBUTES")
for i in range(tok.UserAndGroupCount):
sids.append(Object("_SID_AND_ATTRIBUTES", sid_addr, proc.vm, None, profile=theProfile))
sid_addr += sid_size
except:
pass
for sa in sids:
sid = sa.Sid.dereference_as("_SID")
subauth_addr = sid.get_member_offset("SubAuthority")
subauths = unpack("<%dI" % sid.SubAuthorityCount, proc.vm.read(subauth_addr, sid.SubAuthorityCount * 4))
sid_string = "S-" + "-".join(
str(i) for i in (sid.Revision, sid.IdentifierAuthority.Value[-1]) + subauths
)
if sid_string in well_known_sids:
sid_name = "(%s)" % well_known_sids[sid_string]
else:
sid_name_re = find_sid_re(sid_string, well_known_sid_re)
if sid_name_re:
sid_name = "(%s)" % sid_name_re
else:
if not dbout == None:
sid_name = "(none)"
else:
sid_name = ""
if not dbout == None:
cur.execute(
"insert into sids values (?,?,?,?,?)",
(proc.ImageFileName.lower(), proc.UniqueProcessId.v(), sid_string, sid_name.lower(), imgname),
)
else:
print "%s (%d): %s %s" % (proc.ImageFileName, proc.UniqueProcessId.v(), sid_string, sid_name)
if not dbout == None:
conn.commit()
conn.close()
