def _get_functions_addresses(self, task):
lib = self._config.DLL.lower()
if not lib.endswith("dll"):
lib += ".dll"
dlls = (lib, str(task.ImageFileName))
modules = []
task_space = task.get_process_address_space()
for mod in task.get_load_modules():
if str(mod.BaseDllName).startswith(dlls):
modules.append(mod)
apis = impscan.ImpScan.enum_apis(modules)
base_address = modules[0].DllBase
size_to_read = modules[0].SizeOfImage
data = task_space.zread(base_address, size_to_read)
calls_imported = dict(
(iat, call)
for (_, iat, call) in impscan.ImpScan(self._config).call_scan(
task_space, base_address, data) if call in apis)
for iat, call in sorted(calls_imported.items()):
if apis[call][1].lower().startswith(
self._config.API_FUNCTION.lower()):
yield hex(iat), apis[call][1]
return
def _get_function_addresses(self, task):
dlls = ("kernel32.dll", "user32.dll", "ntdll.dll",
str(task.ImageFileName))
modules = []
task_space = task.get_process_address_space()
for mod in task.get_load_modules():
if str(mod.BaseDllName).startswith(dlls):
modules.append(mod)
apis = impscan.ImpScan.enum_apis(modules)
base_address = modules[0].DllBase
size_to_read = modules[0].SizeOfImage
data = task_space.zread(base_address, size_to_read)
calls_imported = dict(
(iat, call)
for (_, iat, call) in impscan.ImpScan(self._config).call_scan(
task_space, base_address, data) if call in apis)
for iat, call in sorted(calls_imported.items()):
if apis[call][1].lower().startswith(self._anti_analysis_functions):
yield hex(iat), apis[call][1]
return
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
for task in self.filter_tasks(tasks.pslist(addr_space)):
task_space = task.get_process_address_space()
# We must have a process AS
if not task_space:
continue
winsock = None
# Locate the winsock DLL
for mod in task.get_load_modules():
if str(mod.BaseDllName or '').lower() == "ws2_32.dll":
winsock = mod
break
if not winsock:
continue
# Resolve the closesocket API
closesocket = winsock.getprocaddress("closesocket")
if not closesocket:
continue
for vad, process_space in task.get_vads(
vad_filter=self._zeus_filter, ):
if obj.Object("_IMAGE_DOS_HEADER",
offset=vad.Start,
vm=process_space).e_magic != 0x5A4D:
continue
data = process_space.zread(vad.Start, vad.Length)
scanner = impscan.ImpScan(self._config).call_scan
calls = list(scanner(task_space, vad.Start, data))
for (_, iat_loc, call_dest) in calls:
if call_dest != closesocket:
continue
# Read the DWORD directly after closesocket
struct_base = obj.Object('Pointer',
offset=iat_loc + 4,
vm=task_space)
# To be valid, it must point within the vad segment
if (struct_base < vad.Start or struct_base >
(vad.Start + vad.End)):
continue
# Grab the key data
key = task_space.read(struct_base + 0x2a, RC4_KEYSIZE)
# Greg's sanity check
if len(key) != RC4_KEYSIZE or key[-2:] != "\x00\x00":
continue
yield task, struct_base, key