def _get_functions_addresses(self, task): lib = self._config.DLL.lower() if not lib.endswith("dll"): lib += ".dll" dlls = (lib, str(task.ImageFileName)) modules = [] task_space = task.get_process_address_space() for mod in task.get_load_modules(): if str(mod.BaseDllName).startswith(dlls): modules.append(mod) apis = impscan.ImpScan.enum_apis(modules) base_address = modules[0].DllBase size_to_read = modules[0].SizeOfImage data = task_space.zread(base_address, size_to_read) calls_imported = dict( (iat, call) for (_, iat, call) in impscan.ImpScan(self._config).call_scan( task_space, base_address, data) if call in apis) for iat, call in sorted(calls_imported.items()): if apis[call][1].lower().startswith( self._config.API_FUNCTION.lower()): yield hex(iat), apis[call][1] return
def _get_function_addresses(self, task): dlls = ("kernel32.dll", "user32.dll", "ntdll.dll", str(task.ImageFileName)) modules = [] task_space = task.get_process_address_space() for mod in task.get_load_modules(): if str(mod.BaseDllName).startswith(dlls): modules.append(mod) apis = impscan.ImpScan.enum_apis(modules) base_address = modules[0].DllBase size_to_read = modules[0].SizeOfImage data = task_space.zread(base_address, size_to_read) calls_imported = dict( (iat, call) for (_, iat, call) in impscan.ImpScan(self._config).call_scan( task_space, base_address, data) if call in apis) for iat, call in sorted(calls_imported.items()): if apis[call][1].lower().startswith(self._anti_analysis_functions): yield hex(iat), apis[call][1] return
def calculate(self): addr_space = utils.load_as(self._config) if not self.is_valid_profile(addr_space.profile): debug.error("This command does not support the selected profile.") for task in self.filter_tasks(tasks.pslist(addr_space)): task_space = task.get_process_address_space() # We must have a process AS if not task_space: continue winsock = None # Locate the winsock DLL for mod in task.get_load_modules(): if str(mod.BaseDllName or '').lower() == "ws2_32.dll": winsock = mod break if not winsock: continue # Resolve the closesocket API closesocket = winsock.getprocaddress("closesocket") if not closesocket: continue for vad, process_space in task.get_vads( vad_filter=self._zeus_filter, ): if obj.Object("_IMAGE_DOS_HEADER", offset=vad.Start, vm=process_space).e_magic != 0x5A4D: continue data = process_space.zread(vad.Start, vad.Length) scanner = impscan.ImpScan(self._config).call_scan calls = list(scanner(task_space, vad.Start, data)) for (_, iat_loc, call_dest) in calls: if call_dest != closesocket: continue # Read the DWORD directly after closesocket struct_base = obj.Object('Pointer', offset=iat_loc + 4, vm=task_space) # To be valid, it must point within the vad segment if (struct_base < vad.Start or struct_base > (vad.Start + vad.End)): continue # Grab the key data key = task_space.read(struct_base + 0x2a, RC4_KEYSIZE) # Greg's sanity check if len(key) != RC4_KEYSIZE or key[-2:] != "\x00\x00": continue yield task, struct_base, key