Example #1
0
    def _generator(self):
        kernel = self.context.modules[self.config['kernel']]

        collection = ssdt.SSDT.build_module_collection(self.context, kernel.layer_name, kernel.symbol_table_name)

        for driver in driverscan.DriverScan.scan_drivers(self.context, kernel.layer_name, kernel.symbol_table_name):

            try:
                driver_name = driver.get_driver_name()
            except (ValueError, exceptions.InvalidAddressException):
                driver_name = renderers.NotApplicableValue()

            for i, address in enumerate(driver.MajorFunction):
                module_symbols = collection.get_module_symbols_by_absolute_location(address)

                for module_name, symbol_generator in module_symbols:
                    symbols_found = False

                    for symbol in symbol_generator:
                        symbols_found = True
                        yield (0, (format_hints.Hex(driver.vol.offset), driver_name, MAJOR_FUNCTIONS[i],
                                   format_hints.Hex(address), module_name, symbol.split(constants.BANG)[1]))

                    if not symbols_found:
                        yield (0, (format_hints.Hex(driver.vol.offset), driver_name, MAJOR_FUNCTIONS[i],
                                   format_hints.Hex(address), module_name, renderers.NotAvailableValue()))
Example #2
0
    def _generator(self):
        kernel = contexts.Module(self._context, self.config['darwin'],
                                 self.config['primary'], 0)

        mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
                                        self.config['darwin'])

        handlers = mac.MacUtilities.generate_kernel_handler_info(
            self.context, self.config['primary'], kernel, mods)

        table = kernel.object_from_symbol(symbol_name="mach_trap_table")

        for i, ent in enumerate(table):
            try:
                call_addr = ent.mach_trap_function.dereference().vol.offset
            except exceptions.InvalidAddressException:
                continue

            if not call_addr or call_addr == 0:
                continue

            module_name, symbol_name = mac.MacUtilities.lookup_module_address(
                self.context, handlers, call_addr)

            yield (0, (format_hints.Hex(table.vol.offset), "TrapTable", i,
                       format_hints.Hex(call_addr), module_name, symbol_name))
Example #3
0
    def _generator(self):
        kernel = self.context.modules[self.config['kernel']]

        for driver in self.scan_drivers(self.context, kernel.layer_name,
                                        kernel.symbol_table_name):

            try:
                driver_name = driver.get_driver_name()
            except (ValueError, exceptions.InvalidAddressException):
                driver_name = renderers.NotApplicableValue()

            try:
                service_key = driver.DriverExtension.ServiceKeyName.String
            except exceptions.InvalidAddressException:
                service_key = renderers.NotApplicableValue()

            try:
                name = driver.DriverName.String
            except exceptions.InvalidAddressException:
                name = renderers.NotApplicableValue()

            yield (0, (format_hints.Hex(driver.vol.offset),
                       format_hints.Hex(driver.DriverStart),
                       format_hints.Hex(driver.DriverSize), service_key,
                       driver_name, name))
Example #4
0
    def _generator(self):
        filter_func = pslist.PsList.create_pid_filter(
            self.config.get('pid', None))

        for task_name, pid, socket in self.list_sockets(
                self.context,
                self.config['primary'],
                self.config['darwin'],
                filter_func=filter_func):

            family = socket.get_family()

            if family == 1:
                try:
                    upcb = socket.so_pcb.dereference().cast("unpcb")
                    path = utility.array_to_string(upcb.unp_addr.sun_path)
                except exceptions.InvalidAddressException:
                    continue

                yield (0, (format_hints.Hex(socket.vol.offset), "UNIX", path,
                           0, "", 0, "", "{}/{:d}".format(task_name, pid)))

            elif family in [2, 30]:
                state = socket.get_state()
                proto = socket.get_protocol_as_string()

                vals = socket.get_converted_connection_info()

                if vals:
                    (lip, lport, rip, rport) = vals

                    yield (0, (format_hints.Hex(socket.vol.offset), proto, lip,
                               lport, rip, rport, state,
                               "{}/{:d}".format(task_name, pid)))
Example #5
0
    def _generator(self):
        kernel = contexts.Module(self.context, self.config['darwin'],
                                 self.config['primary'], 0)

        mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
                                        self.config['darwin'])

        handlers = mac.MacUtilities.generate_kernel_handler_info(
            self.context, self.config['primary'], kernel, mods)

        for scope in self.list_kauth_scopes(self.context,
                                            self.config['primary'],
                                            self.config['darwin']):

            callback = scope.ks_callback
            if callback == 0:
                continue

            module_name, symbol_name = mac.MacUtilities.lookup_module_address(
                self.context, handlers, callback)

            identifier = utility.pointer_to_string(scope.ks_identifier, 128)

            yield (0, (identifier, format_hints.Hex(scope.ks_idata),
                       len([l for l in scope.get_listeners()]),
                       format_hints.Hex(callback), module_name, symbol_name))
Example #6
0
    def _generator(self):
        kernel = self.context.modules[self.config['kernel']]

        mods = lsmod.Lsmod.list_modules(self.context, self.config['kernel'])

        handlers = mac.MacUtilities.generate_kernel_handler_info(self.context, kernel.layer_name, kernel, mods)

        members_to_check = [
            "sf_unregistered", "sf_attach", "sf_detach", "sf_notify", "sf_getpeername", "sf_getsockname", "sf_data_in",
            "sf_data_out", "sf_connect_in", "sf_connect_out", "sf_bind", "sf_setoption", "sf_getoption", "sf_listen",
            "sf_ioctl"
        ]

        filter_list = kernel.object_from_symbol(symbol_name = "sock_filter_head")

        for filter_container in mac.MacUtilities.walk_tailq(filter_list, "sf_global_next"):
            current_filter = filter_container.sf_filter

            filter_name = utility.pointer_to_string(current_filter.sf_name, count = 128)

            try:
                filter_socket = filter_container.sf_entry_head.sfe_socket.vol.offset
            except exceptions.InvalidAddressException:
                filter_socket = 0

            for member in members_to_check:
                check_addr = current_filter.member(attr = member)
                if check_addr == 0:
                    continue

                module_name, symbol_name = mac.MacUtilities.lookup_module_address(self.context, handlers, check_addr)

                yield (0, (format_hints.Hex(current_filter.vol.offset), filter_name, member, \
                           format_hints.Hex(filter_socket), format_hints.Hex(check_addr), module_name, symbol_name))
Example #7
0
    def _generator(self):
        """
        Enumerates the listeners for each kauth scope
        """
        kernel = contexts.Module(self.context, self.config['darwin'],
                                 self.config['primary'], 0)

        mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
                                        self.config['darwin'])

        handlers = mac.MacUtilities.generate_kernel_handler_info(
            self.context, self.config['primary'], kernel, mods)

        for scope in kauth_scopes.Kauth_scopes.list_kauth_scopes(
                self.context, self.config['primary'], self.config['darwin']):

            scope_name = utility.pointer_to_string(scope.ks_identifier, 128)

            for listener in scope.get_listeners():
                callback = listener.kll_callback
                if callback == 0:
                    continue

                module_name, symbol_name = mac.MacUtilities.lookup_module_address(
                    self.context, handlers, callback)

                yield (0, (scope_name, format_hints.Hex(listener.kll_idata),
                           format_hints.Hex(callback), module_name,
                           symbol_name))
Example #8
0
    def _generator(self, tasks):
        # determine if we're on a 32 or 64 bit kernel
        if self.context.symbol_space.get_type(self.config["vmlinux"] +
                                              constants.BANG +
                                              "pointer").size == 4:
            is_32bit_arch = True
        else:
            is_32bit_arch = False

        for task in tasks:
            process_name = utility.array_to_string(task.comm)

            for vma, data in self._list_injections(task):
                if is_32bit_arch:
                    architecture = "intel"
                else:
                    architecture = "intel64"

                disasm = interfaces.renderers.Disassembly(
                    data, vma.vm_start, architecture)

                yield (0, (task.pid, process_name,
                           format_hints.Hex(vma.vm_start),
                           format_hints.Hex(vma.vm_end), vma.get_protection(),
                           format_hints.HexBytes(data), disasm))
Example #9
0
    def _generator(self):
        pe_table_name = intermed.IntermediateSymbolTable.create(
            self.context,
            self.config_path,
            "windows",
            "pe",
            class_types=pe.class_types)

        for mod in self.list_modules(self.context, self.config['primary'],
                                     self.config['nt_symbols']):

            try:
                BaseDllName = mod.BaseDllName.get_string()
            except exceptions.InvalidAddressException:
                BaseDllName = ""

            try:
                FullDllName = mod.FullDllName.get_string()
            except exceptions.InvalidAddressException:
                FullDllName = ""

            file_output = "Disabled"
            if self.config['dump']:
                file_handle = dlllist.DllList.dump_pe(self.context,
                                                      pe_table_name, mod,
                                                      self.open)
                file_output = "Error outputting file"
                if file_handle:
                    file_handle.close()
                    file_output = file_handle.preferred_filename

            yield (0, (format_hints.Hex(mod.vol.offset),
                       format_hints.Hex(mod.DllBase),
                       format_hints.Hex(mod.SizeOfImage), BaseDllName,
                       FullDllName, file_output))
Example #10
0
    def _generator(self, tasks):
        for task in tasks:
            if not task.mm:
                continue

            name = utility.array_to_string(task.comm)

            for vma in task.mm.get_mmap_iter():
                flags = vma.get_protection()
                page_offset = vma.get_page_offset()
                major = 0
                minor = 0
                inode = 0

                if vma.vm_file != 0:
                    dentry = vma.vm_file.get_dentry()
                    if dentry != 0:
                        inode_object = dentry.d_inode
                        major = inode_object.i_sb.major
                        minor = inode_object.i_sb.minor
                        inode = inode_object.i_ino

                path = vma.get_name(self.context, task)

                yield (0, (task.pid, name, format_hints.Hex(vma.vm_start),
                           format_hints.Hex(vma.vm_end), flags,
                           format_hints.Hex(page_offset), major, minor, inode,
                           path))
Example #11
0
    def _generator(self, procs):

        type_map = self.get_type_map(context=self.context,
                                     layer_name=self.config["primary"],
                                     symbol_table=self.config["nt_symbols"])

        cookie = self.find_cookie(context=self.context,
                                  layer_name=self.config["primary"],
                                  symbol_table=self.config["nt_symbols"])

        for proc in procs:
            try:
                object_table = proc.ObjectTable
            except exceptions.InvalidAddressException:
                vollog.log(
                    constants.LOGLEVEL_VVV,
                    "Cannot access _EPROCESS.ObjectType at {0:#x}".format(
                        proc.vol.offset))
                continue

            process_name = utility.array_to_string(proc.ImageFileName)

            for entry in self.handles(object_table):
                try:
                    obj_type = entry.get_object_type(type_map, cookie)
                    if obj_type is None:
                        continue
                    if obj_type == "File":
                        item = entry.Body.cast("_FILE_OBJECT")
                        obj_name = item.file_name_with_device()
                    elif obj_type == "Process":
                        item = entry.Body.cast("_EPROCESS")
                        obj_name = "{} Pid {}".format(
                            utility.array_to_string(proc.ImageFileName),
                            item.UniqueProcessId)
                    elif obj_type == "Thread":
                        item = entry.Body.cast("_ETHREAD")
                        obj_name = "Tid {} Pid {}".format(
                            item.Cid.UniqueThread, item.Cid.UniqueProcess)
                    elif obj_type == "Key":
                        item = entry.Body.cast("_CM_KEY_BODY")
                        obj_name = item.get_full_key_name()
                    else:
                        try:
                            obj_name = entry.NameInfo.Name.String
                        except (ValueError,
                                exceptions.InvalidAddressException):
                            obj_name = ""

                except (exceptions.InvalidAddressException):
                    vollog.log(
                        constants.LOGLEVEL_VVV,
                        "Cannot access _OBJECT_HEADER at {0:#x}".format(
                            entry.vol.offset))
                    continue

                yield (0, (proc.UniqueProcessId, process_name,
                           format_hints.Hex(entry.Body.vol.offset),
                           format_hints.Hex(entry.HandleValue), obj_type,
                           format_hints.Hex(entry.GrantedAccess), obj_name))
Example #12
0
    def _generator(self):
        vmlinux = contexts.Module(self.context, self.config['vmlinux'],
                                  self.config['primary'], 0)

        ptr_sz = vmlinux.get_type("pointer").size
        if ptr_sz == 4:
            table_name = "32bit"
        else:
            table_name = "64bit"

        try:
            table_info = self._get_table_info(vmlinux, "sys_call_table",
                                              ptr_sz)
        except exceptions.SymbolError:
            vollog.error("Unable to find the system call table. Exiting.")
            return

        tables = [(table_name, table_info)]

        # this table is only present on 64 bit systems with 32 bit emulation
        # enabled in order to support 32 bit programs and libraries
        # if the symbol isn't there then the support isn't in the kernel and so we skip it
        try:
            ia32_symbol = self.context.symbol_space.get_symbol(
                vmlinux.name + constants.BANG + "ia32_sys_call_table")
        except exceptions.SymbolError:
            ia32_symbol = None

        if ia32_symbol != None:
            ia32_info = self._get_table_info(vmlinux, "ia32_sys_call_table",
                                             ptr_sz)
            tables.append(("32bit", ia32_info))

        for (table_name, (tableaddr, tblsz)) in tables:
            table = vmlinux.object(object_type="array",
                                   subtype=vmlinux.get_type("pointer"),
                                   offset=tableaddr,
                                   count=tblsz)

            for (i, call_addr) in enumerate(table):
                if not call_addr:
                    continue

                symbols = list(
                    self.context.symbol_space.get_symbols_by_location(
                        call_addr))

                if len(symbols) > 0:
                    sym_name = str(symbols[0].split(constants.BANG)[1]) if constants.BANG in symbols[0] else \
                        str(symbols[0])
                else:
                    sym_name = "UNKNOWN"

                yield (0, (format_hints.Hex(tableaddr), table_name, i,
                           format_hints.Hex(call_addr), sym_name))
Example #13
0
    def _generator(self):

        kernel = self.context.modules[self.config['kernel']]

        callback_table_name = self.create_callback_table(
            self.context, kernel.symbol_table_name, self.config_path)

        collection = ssdt.SSDT.build_module_collection(
            self.context, kernel.layer_name, kernel.symbol_table_name)

        callback_methods = (self.list_notify_routines,
                            self.list_bugcheck_callbacks,
                            self.list_bugcheck_reason_callbacks,
                            self.list_registry_callbacks)

        for callback_method in callback_methods:
            for callback_type, callback_address, callback_detail in callback_method(
                    self.context, kernel.layer_name, kernel.symbol_table_name,
                    callback_table_name):

                if callback_detail is None:
                    detail = renderers.NotApplicableValue()
                else:
                    detail = callback_detail

                module_symbols = list(
                    collection.get_module_symbols_by_absolute_location(
                        callback_address))

                if module_symbols:
                    for module_name, symbol_generator in module_symbols:
                        symbols_found = False

                        # we might have multiple symbols pointing to the same location
                        for symbol in symbol_generator:
                            symbols_found = True
                            yield (0,
                                   (callback_type,
                                    format_hints.Hex(callback_address),
                                    module_name,
                                    symbol.split(constants.BANG)[1], detail))

                        # no symbols, but we at least can report the module name
                        if not symbols_found:
                            yield (0, (callback_type,
                                       format_hints.Hex(callback_address),
                                       module_name,
                                       renderers.NotAvailableValue(), detail))
                else:
                    # no module was found at the absolute location
                    yield (0, (callback_type,
                               format_hints.Hex(callback_address),
                               renderers.NotAvailableValue(),
                               renderers.NotAvailableValue(), detail))
Example #14
0
    def _generator(self) -> Iterator[Tuple[int, Tuple[int, int, Any, Any]]]:

        layer_name = self.config['primary']
        collection = self.build_module_collection(self.context, self.config["primary"], self.config["nt_symbols"])

        kvo = self.context.layers[layer_name].config['kernel_virtual_offset']
        ntkrnlmp = self.context.module(self.config["nt_symbols"], layer_name = layer_name, offset = kvo)

        # this is just one way to enumerate the native (NT) service table.
        # to do the same thing for the Win32K service table, we would need Win32K.sys symbol support
        ## we could also find nt!KeServiceDescriptorTable (NT) and KeServiceDescriptorTableShadow (NT, Win32K)
        service_table_address = ntkrnlmp.get_symbol("KiServiceTable").address
        service_limit_address = ntkrnlmp.get_symbol("KiServiceLimit").address
        service_limit = ntkrnlmp.object(object_type = "int", offset = service_limit_address)

        # on 32-bit systems the table indexes are 32-bits and contain pointers (unsigned)
        # on 64-bit systems the indexes are also 32-bits but they're offsets from the
        # base address of the table and can be negative, so we need a signed data type
        is_kernel_64 = symbols.symbol_table_is_64bit(self.context, self.config["nt_symbols"])
        if is_kernel_64:
            array_subtype = "long"

            def kvo_calulator(func: int) -> int:
                return kvo + service_table_address + (func >> 4)

            find_address = kvo_calulator
        else:
            array_subtype = "unsigned long"

            def passthrough(func: int) -> int:
                return func

            find_address = passthrough

        functions = ntkrnlmp.object(object_type = "array",
                                    offset = service_table_address,
                                    subtype = ntkrnlmp.get_type(array_subtype),
                                    count = service_limit)

        for idx, function_obj in enumerate(functions):

            function = find_address(function_obj)
            module_symbols = collection.get_module_symbols_by_absolute_location(function)

            for module_name, symbol_generator in module_symbols:
                symbols_found = False

                for symbol in symbol_generator:
                    symbols_found = True
                    yield (0, (idx, format_hints.Hex(function), module_name, symbol.split(constants.BANG)[1]))

                if not symbols_found:
                    yield (0, (idx, format_hints.Hex(function), module_name, renderers.NotAvailableValue()))
Example #15
0
    def _generator(self, tasks):
        for task in tasks:
            process_name = utility.array_to_string(task.p_comm)
            process_pid = task.p_pid

            for vma in task.get_map_iter():
                path = vma.get_path(self.context, self.config['darwin'])
                if path == "":
                    path = vma.get_special_path()

                yield (0, (process_pid, process_name,
                           format_hints.Hex(vma.links.start),
                           format_hints.Hex(vma.links.end), vma.get_perms(),
                           path))
Example #16
0
    def _generator(self, procs):
        # determine if we're on a 32 or 64 bit kernel
        kernel = self.context.modules[self.config['kernel']]

        is_32bit_arch = not symbols.symbol_table_is_64bit(
            self.context, kernel.symbol_table_name)

        for proc in procs:
            process_name = utility.array_to_string(proc.ImageFileName)

            for vad, data in self.list_injections(self.context,
                                                  kernel.layer_name,
                                                  kernel.symbol_table_name,
                                                  proc):

                # if we're on a 64 bit kernel, we may still need 32 bit disasm due to wow64
                if is_32bit_arch or proc.get_is_wow64():
                    architecture = "intel"
                else:
                    architecture = "intel64"

                disasm = interfaces.renderers.Disassembly(
                    data, vad.get_start(), architecture)

                file_output = "Disabled"
                if self.config['dump']:
                    file_output = "Error outputting to file"
                    try:
                        file_handle = vadinfo.VadInfo.vad_dump(
                            self.context, proc, vad, self.open)
                        file_handle.close()
                        file_output = file_handle.preferred_filename
                    except (exceptions.InvalidAddressException,
                            OverflowError) as excp:
                        vollog.debug(
                            "Unable to dump PE with pid {0}.{1:#x}: {2}".
                            format(proc.UniqueProcessId, vad.get_start(),
                                   excp))

                yield (0, (proc.UniqueProcessId, process_name,
                           format_hints.Hex(vad.get_start()),
                           format_hints.Hex(vad.get_end()), vad.get_tag(),
                           vad.get_protection(
                               vadinfo.VadInfo.protect_values(
                                   self.context, kernel.layer_name,
                                   kernel.symbol_table_name),
                               vadinfo.winnt_protections),
                           vad.get_commit_charge(), vad.get_private_memory(),
                           file_output, format_hints.HexBytes(data), disasm))
Example #17
0
    def _generator(self):
        kernel = self.context.modules[self.config['kernel']]

        mods = lsmod.Lsmod.list_modules(self.context, self.config['kernel'])

        handlers = mac.MacUtilities.generate_kernel_handler_info(
            self.context, kernel.layer_name, kernel, mods)

        real_ncpus = kernel.object_from_symbol(symbol_name="real_ncpus")

        cpu_data_ptrs_ptr = kernel.get_symbol("cpu_data_ptr").address

        # Returns the a pointer to the absolute address
        cpu_data_ptrs_addr = kernel.object(
            object_type="pointer",
            offset=cpu_data_ptrs_ptr,
            subtype=kernel.get_type('long unsigned int'))

        cpu_data_ptrs = kernel.object(object_type="array",
                                      offset=cpu_data_ptrs_addr,
                                      absolute=True,
                                      subtype=kernel.get_type('cpu_data'),
                                      count=real_ncpus)

        for cpu_data_ptr in cpu_data_ptrs:
            try:
                queue = cpu_data_ptr.rtclock_timer.queue.head
            except exceptions.InvalidAddressException:
                break

            for timer in queue.walk_list(queue, "q_link", "call_entry"):
                try:
                    handler = timer.func.dereference().vol.offset
                except exceptions.InvalidAddressException:
                    continue

                if timer.has_member("entry_time"):
                    entry_time = timer.entry_time
                else:
                    entry_time = -1

                module_name, symbol_name = mac.MacUtilities.lookup_module_address(
                    self.context, handlers, handler, self.config['kernel'])

                yield (0, (format_hints.Hex(handler),
                           format_hints.Hex(timer.param0),
                           format_hints.Hex(timer.param1), timer.deadline,
                           entry_time, module_name, symbol_name))
Example #18
0
    def _generator(self):
        kernel = contexts.Module(self._context, self.config['darwin'],
                                 self.config['primary'], 0)

        mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
                                        self.config['darwin'])

        handlers = mac.MacUtilities.generate_kernel_handler_info(
            self.context, self.config['primary'], kernel, mods)

        sysctl_list = kernel.object_from_symbol(symbol_name="sysctl__children")

        for sysctl, name, val in self._process_sysctl_list(
                kernel, sysctl_list):
            try:
                check_addr = sysctl.oid_handler
            except exceptions.InvalidAddressException:
                continue

            module_name, symbol_name = mac.MacUtilities.lookup_module_address(
                self.context, handlers, check_addr)

            yield (0, (name, sysctl.oid_number, sysctl.get_perms(),
                       format_hints.Hex(check_addr), val, module_name,
                       symbol_name))
Example #19
0
    def _get_task_fields(
            self,
            task: interfaces.objects.ObjectInterface,
            decorate_comm: bool = False) -> Tuple[int, int, int, str]:
        """Extract the fields needed for the final output

        Args:
            task: A task object from where to get the fields.
            decorate_comm: If True, it decorates the comm string of
                            - User threads: in curly brackets,
                            - Kernel threads: in square brackets
                           Defaults to False.
        Returns:
            A tuple with the fields to show in the plugin output.
        """
        pid = task.tgid
        tid = task.pid
        ppid = task.parent.tgid if task.parent else 0
        name = utility.array_to_string(task.comm)
        if decorate_comm:
            if task.is_kernel_thread:
                name = f"[{name}]"
            elif task.is_user_thread:
                name = f"{{{name}}}"

        task_fields = (format_hints.Hex(task.vol.offset), pid, tid, ppid, name)
        return task_fields
Example #20
0
    def _generator(self) -> Iterator[Tuple[int, Tuple[int, str]]]:  # , str, int]]]:
        if self.config.get("tags"):
            tags = [tag for tag in self.config["tags"].split(',')]
        else:
            tags = None

        for big_pool in self.list_big_pools(context = self.context,
                                            layer_name = self.config["primary"],
                                            symbol_table = self.config["nt_symbols"],
                                            tags = tags):

            num_bytes = big_pool.get_number_of_bytes()
            if not isinstance(num_bytes, interfaces.renderers.BaseAbsentValue):
                num_bytes = format_hints.Hex(num_bytes)

            yield (0, (format_hints.Hex(big_pool.Va), big_pool.get_key(), big_pool.get_pool_type(), num_bytes))
Example #21
0
 def get_record_tuple(service_record: interfaces.objects.ObjectInterface):
     return (format_hints.Hex(service_record.vol.offset),
             service_record.Order, service_record.get_pid(),
             service_record.Start.description,
             service_record.State.description, service_record.get_type(),
             service_record.get_name(), service_record.get_display(),
             service_record.get_binary())
Example #22
0
    def _generator(self):
        vmlinux = contexts.Module(self.context, self.config['vmlinux'],
                                  self.config['primary'], 0)

        modules = lsmod.Lsmod.list_modules(self.context,
                                           self.config['primary'],
                                           self.config['vmlinux'])

        handlers = linux.LinuxUtilities.generate_kernel_handler_info(
            self.context, self.config['primary'], self.config['vmlinux'],
            modules)

        try:
            knl_addr = vmlinux.object_from_symbol("keyboard_notifier_list")
        except exceptions.SymbolError:
            knl_addr = None

        if not knl_addr:
            raise TypeError(
                "This plugin requires the keyboard_notifier_list structure. "
                "This structure is not present in the supplied symbol table. "
                "This means you are either analyzing an unsupported kernel version or that your symbol table is corrupt."
            )

        knl = vmlinux.object(object_type="atomic_notifier_head",
                             offset=knl_addr.vol.offset)

        for call_back in linux.LinuxUtilities.walk_internal_list(
                vmlinux, "notifier_block", "next", knl.head):
            call_addr = call_back.notifier_call

            module_name, symbol_name = linux.LinuxUtilities.lookup_module_address(
                self.context, handlers, call_addr)

            yield (0, [format_hints.Hex(call_addr), module_name, symbol_name])
Example #23
0
    def _generator(self):
        kernel = self.context.modules[self.config['kernel']]

        for hive in self.scan_hives(self.context, kernel.layer_name,
                                    kernel.symbol_table_name):

            yield (0, (format_hints.Hex(hive.vol.offset), ))
Example #24
0
    def _generator(self):
        rules = self.process_yara_options(dict(self.config))

        layer = self.context.layers[self.config['primary']]
        for offset, rule_name, name, value in layer.scan(
                context=self.context, scanner=YaraScanner(rules=rules)):
            yield 0, (format_hints.Hex(offset), rule_name, name, value)
Example #25
0
    def _generator(self):
        pe_table_name = intermed.IntermediateSymbolTable.create(self.context,
                                                                self.config_path,
                                                                "windows",
                                                                "pe",
                                                                class_types = pe.class_types)

        memory = self.context.layers[self.config['primary']]
        if not isinstance(memory, layers.intel.Intel):
            raise TypeError("Primary layer is not an intel layer")

        for proc in self.list_processes(self.context,
                                        self.config['primary'],
                                        self.config['nt_symbols'],
                                        filter_func = self.create_pid_filter(self.config.get('pid', None))):

            if not self.config.get('physical', self.PHYSICAL_DEFAULT):
                offset = proc.vol.offset
            else:
                (_, _, offset, _, _) = list(memory.mapping(offset = proc.vol.offset, length = 0))[0]

            file_output = "Disabled"
            if self.config['dump']:
                file_handle = self.process_dump(self.context, self.config['nt_symbols'], pe_table_name, proc, self.open)
                file_output = "Error outputting file"
                if file_handle:
                    file_handle.close()
                    file_output = str(file_handle.preferred_filename)

            yield (0, (proc.UniqueProcessId, proc.InheritedFromUniqueProcessId,
                       proc.ImageFileName.cast("string", max_length = proc.ImageFileName.vol.count, errors = 'replace'),
                       format_hints.Hex(offset), proc.ActiveThreads, proc.get_handle_count(), proc.get_session_id(),
                       proc.get_is_wow64(), proc.get_create_time(), proc.get_exit_time(), file_output))
Example #26
0
    def _generator(self, mods: Iterator[Any]):
        kernel = contexts.Module(self._context, self.config['darwin'], self.config['primary'], 0)

        handlers = mac.MacUtilities.generate_kernel_handler_info(self.context, self.config['primary'], kernel, mods)

        policy_list = kernel.object_from_symbol(symbol_name = "mac_policy_list").cast("mac_policy_list")

        entries = kernel.object(object_type = "array",
                                offset = policy_list.entries.dereference().vol.offset,
                                subtype = kernel.get_type('mac_policy_list_element'),
                                count = policy_list.staticmax + 1)

        for i, ent in enumerate(entries):
            # I don't know how this can happen, but the kernel makes this check all over the place
            # the policy isn't useful without any ops so a rootkit can't abuse this
            try:
                mpc = ent.mpc.dereference()
                ops = mpc.mpc_ops.dereference()
            except exceptions.InvalidAddressException:
                continue

            try:
                ent_name = utility.pointer_to_string(mpc.mpc_name, 255)
            except exceptions.InvalidAddressException:
                ent_name = "N/A"

            for check in ops.vol.members:
                call_addr = getattr(ops, check)

                if call_addr is None or call_addr == 0:
                    continue

                module_name, symbol_name = mac.MacUtilities.lookup_module_address(self.context, handlers, call_addr)

                yield (0, (check, ent_name, format_hints.Hex(call_addr), module_name, symbol_name))
Example #27
0
    def _generator(self):
        for module in self.list_modules(self.context, self.config['kernel']):

            mod_name = utility.array_to_string(module.name)
            mod_size = module.size

            yield 0, (format_hints.Hex(module.vol.offset), mod_name, mod_size)
Example #28
0
    def _generator(self) -> Generator[Tuple, None, None]:
        """Generates results from a strings file."""
        revmap = self.generate_mapping(self.config['primary'])

        accessor = resources.ResourceAccessor()
        strings_fp = accessor.open(self.config['strings_file'], "rb")
        strings_size = path.getsize(strings_fp.file.name)

        line = strings_fp.readline()
        last_prog = 0
        while line:
            try:
                offset, string = self._parse_line(line)
                try:
                    revmap_list = [
                        name + ":" + hex(offset)
                        for (name, offset) in revmap[offset >> 12]
                    ]
                except (IndexError, KeyError):
                    revmap_list = ["FREE MEMORY"]
                yield (0, (str(string, 'latin-1'), format_hints.Hex(offset),
                           ", ".join(revmap_list)))
            except ValueError:
                vollog.error("Strings file is in the wrong format")
                return
            line = strings_fp.readline()
            prog = strings_fp.tell() / strings_size * 100
            if round(prog, 1) > last_prog:
                last_prog = round(prog, 1)
                self._progress_callback(prog, "Matching strings in memory")
Example #29
0
    def _generator(self):
        vmlinux = contexts.Module(self.context, self.config['vmlinux'],
                                  self.config['primary'], 0)

        op_members = vmlinux.get_type('file_operations').members
        seq_members = vmlinux.get_type('seq_operations').members

        tcp = ("tcp_seq_afinfo", ["tcp6_seq_afinfo", "tcp4_seq_afinfo"])
        udp = ("udp_seq_afinfo", [
            "udplite6_seq_afinfo", "udp6_seq_afinfo", "udplite4_seq_afinfo",
            "udp4_seq_afinfo"
        ])
        protocols = [tcp, udp]

        for (struct_type, global_vars) in protocols:
            for global_var_name in global_vars:
                # this will lookup fail for the IPv6 protocols on kernels without IPv6 support
                try:
                    global_var = vmlinux.get_symbol(global_var_name)
                except exceptions.SymbolError:
                    continue

                global_var = vmlinux.object(object_type=struct_type,
                                            offset=global_var.address)

                for name, member, address in self._check_afinfo(
                        global_var_name, global_var, op_members, seq_members):
                    yield 0, (name, member, format_hints.Hex(address))
Example #30
0
    def _generator(self):
        kernel = self.context.modules[self.config['kernel']]

        session_layers = list(
            self.get_session_layers(self.context, kernel.layer_name,
                                    kernel.symbol_table_name))
        pe_table_name = intermed.IntermediateSymbolTable.create(
            self.context,
            self.config_path,
            "windows",
            "pe",
            class_types=pe.class_types)

        for mod in self.scan_modules(self.context, kernel.layer_name,
                                     kernel.symbol_table_name):

            try:
                BaseDllName = mod.BaseDllName.get_string()
            except exceptions.InvalidAddressException:
                BaseDllName = ""

            try:
                FullDllName = mod.FullDllName.get_string()
            except exceptions.InvalidAddressException:
                FullDllName = ""

            file_output = "Disabled"
            if self.config['dump']:

                session_layer_name = self.find_session_layer(
                    self.context, session_layers, mod.DllBase)
                file_output = f"Cannot find a viable session layer for {mod.DllBase:#x}"
                if session_layer_name:
                    file_handle = dlllist.DllList.dump_pe(
                        self.context,
                        pe_table_name,
                        mod,
                        self.open,
                        layer_name=session_layer_name)
                    file_output = "Error outputting file"
                    if file_handle:
                        file_output = file_handle.preferred_filename

            yield (0, (format_hints.Hex(mod.vol.offset),
                       format_hints.Hex(mod.DllBase),
                       format_hints.Hex(mod.SizeOfImage), BaseDllName,
                       FullDllName, file_output))