def IOSFrames(coredumpFilename, filenameIOMEM, filenamePCAP, options): oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': print(oIOSCoreDump.error) return addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP() if memoryHeap == None: print('Heap region not found') return oIOSMemoryParserHeap = naft_impf.cIOSMemoryParser(memoryHeap) oIOSMemoryParserHeap.ResolveNames(oIOSCoreDump) dataIOMEM = naft_uf.File2Data(filenameIOMEM) oIOSMemoryParserIOMEM = naft_impf.cIOSMemoryParser(dataIOMEM) addressIOMEM = oIOSMemoryParserIOMEM.baseAddress if addressIOMEM == None: print('Error parsing IOMEM') return oFrames = naft_pfef.cFrames() print(naft_impf.cIOSMemoryBlockHeader.ShowHeader) for oIOSMemoryBlockHeader in oIOSMemoryParserHeap.Headers: if oIOSMemoryBlockHeader.AllocNameResolved == '*Packet Header*': frameAddress = struct.unpack('>I', oIOSMemoryBlockHeader.GetData()[40:44])[0] frameSize = struct.unpack('>H', oIOSMemoryBlockHeader.GetData()[72:74])[0] if frameAddress != 0 and frameSize != 0: print(oIOSMemoryBlockHeader.ShowLine()) naft_uf.DumpBytes(dataIOMEM[frameAddress - addressIOMEM : frameAddress - addressIOMEM + frameSize], frameAddress) oFrames.AddFrame(frameAddress - addressIOMEM, dataIOMEM[frameAddress - addressIOMEM : frameAddress - addressIOMEM + frameSize], True) oFrames.WritePCAP(filenamePCAP)
def IOSRegions(coredumpFilename, options): oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': print(oIOSCoreDump.error) else: print('Start End Size Name') for region in oIOSCoreDump.regions: if region[2] != None: print('0x%08X 0x%08X %10d %s' % (region[1], region[1] + region[2] - 1, region[2], region[0])) if options.write: naft_uf.Data2File(oIOSCoreDump.Region(region[0])[1], '%s-%s-0x%08X' % (coredumpFilename, region[0], region[1])) else: print('0x%08X %s %s' % (region[1], ' ' * 21, region[0])) addressBSS, dataBSS = oIOSCoreDump.RegionBSS()
def IOSIntegrityText(coredumpFilename, options): returnString = '' oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': returnString += (oIOSCoreDump.error) return returnString addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP() if memoryHeap == None: returnString += ('Heap region not found') return returnString oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap) returnString += ('Check start magic:<br>') hit = False for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: if oIOSMemoryBlockHeader.GetRawData( )[0:4] != naft_impf.cCiscoMagic.STR_BLOCK_BEGIN: returnString += (oIOSMemoryBlockHeader.ShowLine()) + '<br>' hit = True if not hit: returnString += ('OK<br>') returnString += ('Check end magic:<br>') hit = False for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: if struct.unpack( '>I', oIOSMemoryBlockHeader.GetRawData()[-4:] )[0] != naft_impf.cCiscoMagic.INT_BLOCK_CANARY and oIOSMemoryBlockHeader.RefCnt > 0: returnString += (oIOSMemoryBlockHeader.ShowLine()) + '<br>' hit = True if not hit: returnString += ('OK<br>') returnString += ('Check previous block:<br>') hit = False for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers[1:]: if oIOSMemoryBlockHeader.PrevBlock == 0: returnString += (oIOSMemoryBlockHeader.ShowLine()) + '<br>' hit = True if not hit: returnString += ('OK<br>') returnString += ('Check next block: <br>') hit = False for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers[:-1]: if oIOSMemoryBlockHeader.NextBlock == 0: returnString += (oIOSMemoryBlockHeader.ShowLine()) + '<br>' hit = True if not hit: returnString += ('OK<br>') return returnString
def IOSCWStrings(coredumpFilename, options): if options.raw: coredump = naft_uf.File2Data(coredumpFilename) if coredump == None: print('Error reading file %s' % coredumpFilename) else: IOSCWStringsSub(coredump) else: oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': print(oIOSCoreDump.error) return addressData, memoryData = oIOSCoreDump.RegionDATA() if memoryData == None: print('Data region not found') return IOSCWStringsSub(memoryData)
def IOSRegions(coredumpFilename, options): oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': print(oIOSCoreDump.error) else: print('Start End Size Name') for region in oIOSCoreDump.regions: if region[2] != None: print('0x%08X 0x%08X %10d %s' % (region[1], region[1] + region[2] - 1, region[2], region[0])) if options.write: naft_uf.Data2File( oIOSCoreDump.Region(region[0])[1], '%s-%s-0x%08X' % (coredumpFilename, region[0], region[1])) else: print('0x%08X %s %s' % (region[1], ' ' * 21, region[0])) addressBSS, dataBSS = oIOSCoreDump.RegionBSS()
def FilterInitBlocksForString(coredumpFilename, searchTerm): oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': print(oIOSCoreDump.error) return [] addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP() if memoryHeap == None: print('Heap region not found') return [] oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap) oIOSMemoryParser.ResolveNames(oIOSCoreDump) found = [] for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: if oIOSMemoryBlockHeader.AllocNameResolved == 'Init': dStrings = naft_uf.SearchASCIIStrings(oIOSMemoryBlockHeader.GetData()) for value in dStrings.values(): if value.find(searchTerm) >= 0: found.append(value) return found
def IOSRegions(coredumpFilename): oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) returnString = '' if oIOSCoreDump.error != '': returnString += (oIOSCoreDump.error) else: returnString += ('Start End Size Name <br>') for region in oIOSCoreDump.regions: if region[2] != None: returnString += ('0x%08X 0x%08X %10d %s <br>' % (region[1], region[1] + region[2] - 1, region[2], region[0])) #if options.write: # naft_uf.Data2File(oIOSCoreDump.Region(region[0])[1], '%s-%s-0x%08X' % (coredumpFilename, region[0], region[1])) else: returnString += ('0x%08X %s %s <br>' % (region[1], ' ' * 21, region[0])) addressBSS, dataBSS = oIOSCoreDump.RegionBSS() return returnString
def IOSCWStrings(coredumpFilename): returnString = '' # if options.raw: # coredump = naft_uf.File2Data(coredumpFilename) # if coredump == None: # print('Error reading file %s' % coredumpFilename) # else: # IOSCWStringsSub(coredump) oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': returnString += (oIOSCoreDump.error) return addressData, memoryData = oIOSCoreDump.RegionDATA() if memoryData == None: returnString += ('Data region not found') return returnString += IOSCWStringsSub(memoryData) return returnString
def IOSIntegrityText(coredumpFilename, options): oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': print(oIOSCoreDump.error) return addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP() if memoryHeap == None: print('Heap region not found') return oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap) print('Check start magic:') hit = False for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: if oIOSMemoryBlockHeader.GetRawData()[0:4] != naft_impf.cCiscoMagic.STR_BLOCK_BEGIN: print(oIOSMemoryBlockHeader.ShowLine()) hit = True if not hit: print('OK') print('Check end magic:') hit = False for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: if struct.unpack('>I', oIOSMemoryBlockHeader.GetRawData()[-4:])[0] != naft_impf.cCiscoMagic.INT_BLOCK_CANARY and oIOSMemoryBlockHeader.RefCnt > 0: print(oIOSMemoryBlockHeader.ShowLine()) hit = True if not hit: print('OK') print('Check previous block:') hit = False for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers[1:]: if oIOSMemoryBlockHeader.PrevBlock == 0: print(oIOSMemoryBlockHeader.ShowLine()) hit = True if not hit: print('OK') print('Check next block:') hit = False for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers[:-1]: if oIOSMemoryBlockHeader.NextBlock == 0: print(oIOSMemoryBlockHeader.ShowLine()) hit = True if not hit: print('OK')
def FilterInitBlocksForString(coredumpFilename, searchTerm): oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': #print(oIOSCoreDump.error) return [] addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP() if memoryHeap == None: print('Heap region not found') return [] oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap) oIOSMemoryParser.ResolveNames(oIOSCoreDump) found = [] for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: if oIOSMemoryBlockHeader.AllocNameResolved == 'Init': dStrings = naft_uf.SearchASCIIStrings( oIOSMemoryBlockHeader.GetData()) for value in dStrings.values(): if value.find(searchTerm) >= 0: found.append(value) return found
def IOSFrames(coredumpFilename, filenameIOMEM, filenamePCAP, options): oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': print(oIOSCoreDump.error) return addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP() if memoryHeap == None: print('Heap region not found') return oIOSMemoryParserHeap = naft_impf.cIOSMemoryParser(memoryHeap) oIOSMemoryParserHeap.ResolveNames(oIOSCoreDump) dataIOMEM = naft_uf.File2Data(filenameIOMEM) oIOSMemoryParserIOMEM = naft_impf.cIOSMemoryParser(dataIOMEM) addressIOMEM = oIOSMemoryParserIOMEM.baseAddress if addressIOMEM == None: print('Error parsing IOMEM') return oFrames = naft_pfef.cFrames() print(naft_impf.cIOSMemoryBlockHeader.ShowHeader) for oIOSMemoryBlockHeader in oIOSMemoryParserHeap.Headers: if oIOSMemoryBlockHeader.AllocNameResolved == '*Packet Header*': frameAddress = struct.unpack( '>I', oIOSMemoryBlockHeader.GetData()[40:44])[0] frameSize = struct.unpack( '>H', oIOSMemoryBlockHeader.GetData()[72:74])[0] if frameSize <= 1: frameSize = struct.unpack( '>H', oIOSMemoryBlockHeader.GetData()[68:70])[0] if frameAddress != 0 and frameSize != 0: print(oIOSMemoryBlockHeader.ShowLine()) naft_uf.DumpBytes( dataIOMEM[frameAddress - addressIOMEM:frameAddress - addressIOMEM + frameSize], frameAddress) oFrames.AddFrame( frameAddress - addressIOMEM, dataIOMEM[frameAddress - addressIOMEM:frameAddress - addressIOMEM + frameSize], True) oFrames.WritePCAP(filenamePCAP)
def IOSHeap(coredumpFilename, options): oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': print(oIOSCoreDump.error) return addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP() if memoryHeap == None: print('Heap region not found') return oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap) if options.resolve or options.filter != '': oIOSMemoryParser.ResolveNames(oIOSCoreDump) if options.filter == '': oIOSMemoryParser.Show() else: print(naft_impf.cIOSMemoryBlockHeader.ShowHeader) for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: if oIOSMemoryBlockHeader.AllocNameResolved == options.filter: if not options.strings: print(oIOSMemoryBlockHeader.ShowLine()) if options.strings: dStrings = naft_uf.SearchASCIIStrings(oIOSMemoryBlockHeader.GetData()) if options.grep != '': printHeader = True for key, value in dStrings.items(): if value.find(options.grep) >= 0: if printHeader: print(oIOSMemoryBlockHeader.ShowLine()) printHeader = False print(' %08X: %s' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value)) elif options.minimum == 0 or len(dStrings) >= options.minimum: print(oIOSMemoryBlockHeader.ShowLine()) for key, value in dStrings.items(): print(' %08X: %s' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value)) if options.dump: naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetData(), oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.headerSize)
def IOSCheckText(coredumpFilename, imageFilename, options): oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': print(oIOSCoreDump.error) return else: textAddress, textCoredump = oIOSCoreDump.RegionTEXT() if textCoredump == None: print('Error extracting text region from coredump %s' % coredumpFilename) return sysdescrCoredump = '' dataAddress, dataCoredump = oIOSCoreDump.RegionDATA() if dataCoredump != None: oCWStrings = naft_impf.cCiscoCWStrings(dataCoredump) if oCWStrings.error == '' and 'CW_SYSDESCR' in oCWStrings.dCWStrings: sysdescrCoredump = oCWStrings.dCWStrings['CW_SYSDESCR'] image = naft_uf.File2Data(imageFilename) if image == None: print('Error reading image %s' % imageFilename) return oIOSImage = naft_iipf.cIOSImage(image) if oIOSImage.error != 0: return sysdescrImage = '' if oIOSImage.oCWStrings != None and oIOSImage.oCWStrings.error == '' and 'CW_SYSDESCR' in oIOSImage.oCWStrings.dCWStrings: sysdescrImage = oIOSImage.oCWStrings.dCWStrings['CW_SYSDESCR'] if sysdescrCoredump != '' or sysdescrImage != '': if sysdescrCoredump == sysdescrImage: print('CW_SYSDESCR are identical:\n') print(sysdescrCoredump) elif sysdescrCoredump == sysdescrImage.replace('-MZ', '-M', 1): print('CW_SYSDESCR are equivalent:\n') print(sysdescrCoredump) else: print('CW_SYSDESCR are different:\n') print(sysdescrCoredump) print print(sysdescrImage) print oELF = naft_iipf.cELF(oIOSImage.imageUncompressed) if oELF.error != 0: print('ELF parsing error %d.' % oELF.error) return countSectionExecutableInstructions = 0 for oSectionHeader in oELF.sections: if oSectionHeader.flags & 4: # SHF_EXECINSTR executable instructions textSectionData = oSectionHeader.sectionData countSectionExecutableInstructions += 1 if countSectionExecutableInstructions != 1: print('Error executable sections in image: found %d sections, expected 1' % countSectionExecutableInstructions) return start = textAddress & 0xFF # to be further researched textImage = textSectionData[start:start + len(textCoredump)] if len(textCoredump) != len(textImage): print('the text region is longer than the text section') countBytesDifferent = 0 shortestLength = min(len(textCoredump), len(textImage)) for iIter in range(shortestLength): if textCoredump[iIter] != textImage[iIter]: if countBytesDifferent == 0: print('text region and section are different starting 0x%08X in coredump (iter = 0x%08X)' % ((textAddress + iIter), iIter)) countBytesDifferent += 1 if countBytesDifferent == 0: print('text region and section are identical') else: print('number of different bytes: %d (%.2f%%)' % (countBytesDifferent, (countBytesDifferent * 100.0) / shortestLength))
def IOSHeap(coredumpFilename, options): global decoders decoders = [] LoadDecoders(options.decoders, True) returnString = '' if options.yara != None: if not 'yara' in sys.modules: print('Error: option yara requires the YARA Python module.') return returnString rules = YARACompile(options.yara) oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': returnString += (oIOSCoreDump.error) return returnString addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP() if memoryHeap == None: returnString += ('Heap region not found') return returnString oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap) if options.resolve or options.filter != '': oIOSMemoryParser.ResolveNames(oIOSCoreDump) if options.filter == '': if options.write: print(naft_impf.cIOSMemoryBlockHeader.ShowHeader) for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: print(oIOSMemoryBlockHeader.ShowLine()) naft_uf.Data2File( oIOSMemoryBlockHeader.GetData(), '%s-heap-0x%08X.data' % (coredumpFilename, oIOSMemoryBlockHeader.address)) elif options.yara: print(naft_impf.cIOSMemoryBlockHeader.ShowHeader) for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: linePrinted = False oDecoders = [cIdentity(oIOSMemoryBlockHeader.GetData(), None)] for cDecoder in decoders: try: oDecoder = cDecoder(oIOSMemoryBlockHeader.GetData(), options.decoderoptions) oDecoders.append(oDecoder) except Exception as e: print('Error instantiating decoder: %s' % cDecoder.name) raise e for oDecoder in oDecoders: while oDecoder.Available(): for result in rules.match(data=oDecoder.Decode()): if not linePrinted: print(oIOSMemoryBlockHeader.ShowLine()) linePrinted = True print(' YARA rule%s: %s' % (IFF( oDecoder.Name() == '', '', ' (decoder: %s)' % oDecoder.Name()), result.rule)) if options.yarastrings: for stringdata in result.strings: print(' %06x %s:' % (stringdata[0], stringdata[1])) print(' %s' % binascii.hexlify(stringdata[2])) print(' %s' % repr(stringdata[2])) else: returnString += oIOSMemoryParser.Show() else: returnString += (naft_impf.cIOSMemoryBlockHeader.ShowHeader) + '<br>' for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: if oIOSMemoryBlockHeader.AllocNameResolved == options.filter: if not options.strings: returnString += (oIOSMemoryBlockHeader.ShowLine()) + '<br>' if options.strings: dStrings = naft_uf.SearchASCIIStrings( oIOSMemoryBlockHeader.GetData()) if options.grep != '': printHeader = True for key, value in dStrings.items(): if value.find(options.grep) >= 0: if printHeader: returnString += (oIOSMemoryBlockHeader. ShowLine()) + '<br>' printHeader = False returnString += ( ' %08X: %s<br>' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value)) elif options.minimum == 0 or len( dStrings) >= options.minimum: returnString += ( oIOSMemoryBlockHeader.ShowLine()) + '<br>' for key, value in dStrings.items(): returnString += ( ' %08X: %s<br>' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value)) if options.dump: naft_uf.DumpBytes( oIOSMemoryBlockHeader.GetData(), oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.headerSize) if options.dumpraw: naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetRawData(), oIOSMemoryBlockHeader.address) if options.write: naft_uf.Data2File( oIOSMemoryBlockHeader.GetData(), '%s-heap-0x%08X.data' % (coredumpFilename, oIOSMemoryBlockHeader.address)) return returnString
def IOSCheckText(coredumpFilename, imageFilename, options): returnString = '' oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': returnString += (oIOSCoreDump.error) + '<br>' return returnString else: textAddress, textCoredump = oIOSCoreDump.RegionTEXT() if textCoredump == None: returnString += ( 'Error extracting text region from coredump %s<br>' % coredumpFilename) return returnString sysdescrCoredump = '' dataAddress, dataCoredump = oIOSCoreDump.RegionDATA() if dataCoredump != None: oCWStrings = naft_impf.cCiscoCWStrings(dataCoredump) if oCWStrings.error == '' and 'CW_SYSDESCR' in oCWStrings.dCWStrings: sysdescrCoredump = oCWStrings.dCWStrings['CW_SYSDESCR'] image = naft_uf.File2Data(imageFilename) if image == None: returnString += ('Error reading image %s' % imageFilename) return returnString oIOSImage = naft_iipf.cIOSImage(image) if oIOSImage.error != 0: return sysdescrImage = '' if oIOSImage.oCWStrings != None and oIOSImage.oCWStrings.error == '' and 'CW_SYSDESCR' in oIOSImage.oCWStrings.dCWStrings: sysdescrImage = oIOSImage.oCWStrings.dCWStrings['CW_SYSDESCR'] if sysdescrCoredump != '' or sysdescrImage != '': if sysdescrCoredump == sysdescrImage: returnString += ('CW_SYSDESCR are identical:<br>') returnString += (sysdescrCoredump) + '<br>' elif sysdescrCoredump == sysdescrImage.replace('-MZ', '-M', 1): returnString += ('CW_SYSDESCR are equivalent:<br>') returnString += (sysdescrCoredump) + '<br>' else: returnString += ('CW_SYSDESCR are different:<br>') returnString += (sysdescrCoredump) + '<br>' returnString += '<br>' returnString += (sysdescrImage) + '<br>' returnString += '<br>' oELF = naft_iipf.cELF(oIOSImage.imageUncompressed) if oELF.error != 0: returnString += ('ELF parsing error %d.' % oELF.error) return returnString countSectionExecutableInstructions = 0 countSectionSRELOC = 0 for oSectionHeader in oELF.sections: if oSectionHeader.flags & 4: # SHF_EXECINSTR executable instructions textSectionData = oSectionHeader.sectionData countSectionExecutableInstructions += 1 if oSectionHeader.nameIndexString == 'sreloc': countSectionSRELOC += 1 if countSectionExecutableInstructions != 1: returnString += ( 'Error executable sections in image: found %d sections, expected 1' % countSectionExecutableInstructions) return returnString if countSectionSRELOC != 0: returnString += ( 'Error found %d sreloc section in image: checktext command does not support relocation' % countSectionSRELOC) return returnString start = textAddress & 0xFF # to be further researched textImage = textSectionData[start:start + len(textCoredump)] if len(textCoredump) != len(textImage): returnString += ('the text region is longer than the text section<br>') returnString += ('len(textCoredump) = %d<br>' % len(textCoredump)) returnString += ('len(textImage) = %d<br>' % len(textImage)) countBytesDifferent = 0 shortestLength = min(len(textCoredump), len(textImage)) for iIter in range(shortestLength): if textCoredump[iIter] != textImage[iIter]: if countBytesDifferent == 0: returnString += ( 'text region and section are different starting 0x%08X in coredump (iter = 0x%08X)<br>' % ((textAddress + iIter), iIter)) countBytesDifferent += 1 if countBytesDifferent == 0: returnString += ('text region and section are identical <br>') else: returnString += ('number of different bytes: %d (%.2f%%)<br>' % (countBytesDifferent, (countBytesDifferent * 100.0) / shortestLength)) return returnString
def IOSHeap(coredumpFilename, options): global decoders decoders = [] LoadDecoders(options.decoders, True) if options.yara != None: if not 'yara' in sys.modules: print('Error: option yara requires the YARA Python module.') return rules = YARACompile(options.yara) oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename) if oIOSCoreDump.error != '': print(oIOSCoreDump.error) return addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP() if memoryHeap == None: print('Heap region not found') return oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap) if options.resolve or options.filter != '': oIOSMemoryParser.ResolveNames(oIOSCoreDump) if options.filter == '': if options.write: print(naft_impf.cIOSMemoryBlockHeader.ShowHeader) for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: print(oIOSMemoryBlockHeader.ShowLine()) naft_uf.Data2File(oIOSMemoryBlockHeader.GetData(), '%s-heap-0x%08X.data' % (coredumpFilename, oIOSMemoryBlockHeader.address)) elif options.yara: print(naft_impf.cIOSMemoryBlockHeader.ShowHeader) for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: linePrinted = False oDecoders = [cIdentity(oIOSMemoryBlockHeader.GetData(), None)] for cDecoder in decoders: try: oDecoder = cDecoder(oIOSMemoryBlockHeader.GetData(), options.decoderoptions) oDecoders.append(oDecoder) except Exception as e: print('Error instantiating decoder: %s' % cDecoder.name) raise e for oDecoder in oDecoders: while oDecoder.Available(): for result in rules.match(data=oDecoder.Decode()): if not linePrinted: print(oIOSMemoryBlockHeader.ShowLine()) linePrinted = True print(' YARA rule%s: %s' % (IFF(oDecoder.Name() == '', '', ' (decoder: %s)' % oDecoder.Name()), result.rule)) if options.yarastrings: for stringdata in result.strings: print(' %06x %s:' % (stringdata[0], stringdata[1])) print(' %s' % binascii.hexlify(stringdata[2])) print(' %s' % repr(stringdata[2])) else: oIOSMemoryParser.Show() else: print(naft_impf.cIOSMemoryBlockHeader.ShowHeader) for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers: if oIOSMemoryBlockHeader.AllocNameResolved == options.filter: if not options.strings: print(oIOSMemoryBlockHeader.ShowLine()) if options.strings: dStrings = naft_uf.SearchASCIIStrings(oIOSMemoryBlockHeader.GetData()) if options.grep != '': printHeader = True for key, value in dStrings.items(): if value.find(options.grep) >= 0: if printHeader: print(oIOSMemoryBlockHeader.ShowLine()) printHeader = False print(' %08X: %s' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value)) elif options.minimum == 0 or len(dStrings) >= options.minimum: print(oIOSMemoryBlockHeader.ShowLine()) for key, value in dStrings.items(): print(' %08X: %s' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value)) if options.dump: naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetData(), oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.headerSize) if options.dumpraw: naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetRawData(), oIOSMemoryBlockHeader.address) if options.write: naft_uf.Data2File(oIOSMemoryBlockHeader.GetData(), '%s-heap-0x%08X.data' % (coredumpFilename, oIOSMemoryBlockHeader.address))