def test_heaps(self):
''' look for heaps in pid 856'''
''' for x in mappings:
res = x.readStruct(x.start,winheap.HEAP)
if res.Signature == 0xeeffeeffL:
print x.start, "Signature:", hex(res.Signature)
0x190000L Signature: 0xeeffeeffL
0x90000L Signature: 0xeeffeeffL
0x1a0000L Signature: 0xeeffeeffL
0x350000L Signature: 0xeeffeeffL
0x3b0000L Signature: 0xeeffeeffL
0xc30000L Signature: 0xeeffeeffL
0xd60000L Signature: 0xeeffeeffL
0xe20000L Signature: 0xeeffeeffL
0xe80000L Signature: 0xeeffeeffL
0x7f6f0000L Signature: 0xeeffeeffL'''
heaps = [0x190000L,0x90000L,0x1a0000L,0x350000L,0x3b0000L,0xc30000L,
0xd60000L,0xe20000L,0xe80000L,0x7f6f0000L]
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 856
# PID 856 has 176 mappings
mapper = VolatilityProcessMapper(f, pid)
mappings = mapper.getMappings()
from haystack.structures.win32 import winheap
for mstart in heaps:
heap = mappings.get_mapping_for_address(mstart)
res = heap.readStruct(heap.start,winheap.HEAP)
self.assertTrue(res.isValid(mappings))
# testing that the list of heaps is always the same
self.assertEquals(set(heaps), set([m.start for m in mappings.get_heaps()]))
return
def test_number_of_mappings(self):
""" check the number of mappings on 3 processes """
#check vad numbers with
#vol.py -f /home/jal/outputs/vol/zeus.vmem -p 856 vadwalk |wc -l
#5 headers lines to be removed from count
#
#analysis here:
#https://malwarereversing.wordpress.com/2011/09/23/zeus-analysis-in-volatility-2-0/
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 856
# PID 856 has 176 _memory_handler
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
self.assertEquals(len(memory_handler.get_mappings()), 176)
# testing that we can use the Mapper twice in a row, without breaking
# volatility
pid = 676
# PID 676 has 118 _memory_handler
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
self.assertEquals(len(memory_handler.get_mappings()), 118)
pid = 1668
# PID 1668 has 159 _memory_handler
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
self.assertEquals(len(memory_handler.get_mappings()), 159)
def test_is_heaps_856(self):
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 856
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
finder = memory_handler.get_heap_finder()
walkers = finder.list_heap_walkers()
self.assertEquals(len(walkers), len(zeus_856_svchost_exe.known_heaps))
for addr, size in zeus_856_svchost_exe.known_heaps:
heap_walker = finder.get_heap_walker(addr)
self.assertIsNotNone(heap_walker)
heap_addr = heap_walker.get_heap_address()
self.assertEqual(heap_addr, addr)
def test_is_heaps_856(self):
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 856
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
finder = memory_handler.get_heap_finder()
walkers = finder.list_heap_walkers()
self.assertEquals(len(walkers), len(zeus_856_svchost_exe.known_heaps))
for addr, size in zeus_856_svchost_exe.known_heaps:
heap_walker = finder.get_heap_walker(addr)
self.assertIsNotNone(heap_walker)
heap_addr = heap_walker.get_heap_address()
self.assertEqual(heap_addr, addr)
def test_is_heaps_856(self):
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 856
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
finder = memory_handler.get_heap_finder()
heaps = finder.get_heap_mappings()
self.assertEquals(len(heaps), len(zeus_856_svchost_exe.known_heaps))
for addr, size in zeus_856_svchost_exe.known_heaps:
heap = memory_handler.get_mapping_for_address(addr)
self.assertTrue(heap.is_marked_as_heap())
heap_addr = heap.get_marked_heap_address()
self.assertTrue(heap_addr is not None)
self.assertTrue(finder._is_heap(heap, heap_addr))
def test_is_heaps_856(self):
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 856
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
finder = memory_handler.get_heap_finder()
heaps = finder.get_heap_mappings()
self.assertEquals(len(heaps), len(zeus_856_svchost_exe.known_heaps))
for addr, size in zeus_856_svchost_exe.known_heaps:
heap = memory_handler.get_mapping_for_address(addr)
self.assertTrue(heap.is_marked_as_heap())
heap_addr = heap.get_marked_heap_address()
self.assertTrue(heap_addr is not None)
self.assertTrue(finder._is_heap(heap, heap_addr))
def test_is_heaps_1168(self):
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 1668
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
finder = memory_handler.get_heap_finder()
walkers = finder.list_heap_walkers()
self.assertEqual(len(walkers), len(zeus_1668_vmtoolsd_exe.known_heaps))
for addr, size in zeus_1668_vmtoolsd_exe.known_heaps:
heap_mapping = memory_handler.get_mapping_for_address(addr)
heap_walker = finder.get_heap_walker(heap_mapping)
self.assertIsNotNone(heap_walker)
heap_addr = heap_walker.get_heap_address()
self.assertEqual(heap_addr, addr)
def test_number_of_mappings(self):
""" check the number of mappings on 3 processes """
#check vad numbers with
#vol.py -f /home/jal/outputs/vol/zeus.vmem -p 856 vadwalk |wc -l
#5 headers lines to be removed from count
#
#analysis here:
#https://malwarereversing.wordpress.com/2011/09/23/zeus-analysis-in-volatility-2-0/
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 856
# PID 856 has 176 _memory_handler
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
self.assertEquals(len(memory_handler.get_mappings()), 176)
# testing that we can use the Mapper twice in a row, without breaking
# volatility
pid = 676
# PID 676 has 118 _memory_handler
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
self.assertEquals(len(memory_handler.get_mappings()), 118)
pid = 1668
# PID 1668 has 159 _memory_handler
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
self.assertEquals(len(memory_handler.get_mappings()), 159)
def test_read_mem(self):
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 888 # wscntfy.exe
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
self.assertEquals(len(memory_handler.get_mappings()), 51)
self.assertEquals(memory_handler.get_target_platform().get_os_name(), 'winxp')
ctypes = memory_handler.get_target_platform().get_target_ctypes()
from haystack.allocators.win32 import winxp_32
#print ctypes
for m in memory_handler.get_mappings():
data = m.read_word(m.start + 8)
if data == 0xeeffeeff:
# we have a heap
x = m.read_struct(m.start, winxp_32.HEAP)
#print x
self.assertEquals(ctypes.sizeof(x), 1416)
# print x
finder = memory_handler.get_heap_finder()
heaps = finder.get_heap_mappings()
def test_init(self):
''' check vad numbers with
vol.py -f /home/jal/outputs/vol/zeus.vmem -p 856 vadwalk |wc -l
5 headers lines to be removed from count
analysis here:
https://malwarereversing.wordpress.com/2011/09/23/zeus-analysis-in-volatility-2-0/
'''
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 856
# PID 856 has 176 mappings
mapper = VolatilityProcessMapper(f, pid)
mappings = mapper.getMappings()
self.assertEquals(len(mappings), 176)
# testing that we can use the Mapper twice in a row, without breaking
# volatility
pid = 676
# PID 676 has 118 mappings
mapper = VolatilityProcessMapper(f, pid)
mappings = mapper.getMappings()
self.assertEquals(len(mappings), 118)
def test_read_mem(self):
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 888 # wscntfy.exe
mapper = VolatilityProcessMapper(f, "WinXPSP2x86", pid)
memory_handler = mapper.make_memory_handler()
self.assertEquals(len(memory_handler.get_mappings()), 51)
self.assertEquals(memory_handler.get_target_platform().get_os_name(),
'winxp')
ctypes = memory_handler.get_target_platform().get_target_ctypes()
from haystack.allocators.win32 import winxp_32
#print ctypes
for m in memory_handler.get_mappings():
data = m.read_word(m.start + 8)
if data == 0xeeffeeff:
# we have a heap
x = m.read_struct(m.start, winxp_32.HEAP)
#print x
self.assertEquals(ctypes.sizeof(x), 1416)
# print x
finder = memory_handler.get_heap_finder()
walkers = finder.list_heap_walkers()
def test_read_mem(self):
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 888 # wscntfy.exe
mapper = VolatilityProcessMapper(f, pid)
mappings = mapper.getMappings()
self.assertEquals(len(mappings), 51)
self.assertEquals(mappings.get_os_name(), 'winxp')
ctypes = mappings.config.ctypes
from haystack.structures.win32 import winheap
#print ctypes
import pefile
import code
for m in mappings.mappings:
data = m.readWord(m.start + 8)
if data == 0xeeffeeff:
# we have a heap
x = m.readStruct(m.start, winheap.HEAP)
print x
self.assertEquals( ctypes.sizeof(x), 1430)
# print x
heaps = mappings.get_heaps()
def _init_volatility(volname, profile, pid):
mapper = VolatilityProcessMapper(volname, profile, pid)
_memory_handler = mapper.make_memory_handler()
return _memory_handler
def test_read_mem(self):
f = '/home/jal/outputs/vol/zeus.vmem'
pid = 888 # wscntfy.exe
mapper = VolatilityProcessMapper(f, pid)
mappings = mapper.getMappings()
def initVolatility(self, volname, pid):
mapper = VolatilityProcessMapper(volname, pid)
mappings = mapper.getMappings()
return mappings
