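def execute(self):
    """Scan the raw image for _EPROCESS objects and print the process table header.

    The flat ``FileAddressSpace`` is used directly as the search space (no
    kernel address space is built). The scan is driven by ``scan_addr_space``
    with a single ``ProcessScanFast3`` scanner; nothing here prints rows, so
    the scanner is presumably responsible for emitting each hit.

    Reads ``self.opts.filename``. A missing or non-regular image path is
    reported through ``self.op.error`` (the same check the sibling plugins
    perform) instead of surfacing as a traceback from ``FileAddressSpace``.
    """
    opts = self.opts
    if opts.filename is None or not os.path.isfile(opts.filename):
        self.op.error("File is required")
        return  # op.error is expected to exit; do not fall through if it does not
    meta_info.set_datatypes(types)
    search_space = FileAddressSpace(opts.filename)
    # Column header only; the widths of the dashed underline give the layout
    # the scanner's rows are expected to follow.
    print("PID PPID Time created Time exited Offset PDB Remarks\n"
          "------ ------ ------------------------ ------------------------ ---------- ---------- ----------------")
    scanners = [ProcessScanFast3(search_space)]
    scan_addr_space(search_space, scanners)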
def execute(self):
    """Run a fast _EPROCESS pool scan over the flat image and print the table header.

    The raw ``FileAddressSpace`` opened on ``self.opts.filename`` is both the
    space that is opened and the space that is searched; no windowed or
    kernel address space is constructed. This method only installs the
    datatypes, prints the column header and hands a ``ProcessScanFast3``
    scanner to ``scan_addr_space``; any per-process output comes from the
    scanner itself.
    """
    meta_info.set_datatypes(types)
    image_space = FileAddressSpace(self.opts.filename)
    header = "PID PPID Time created Time exited Offset PDB Remarks\n"
    underline = "------ ------ ------------------------ ------------------------ ---------- ---------- ----------------"
    print(header + underline)
    process_scanner = ProcessScanFast3(image_space)
    scan_addr_space(image_space, [process_scanner])
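def execute(self):
    """Scan the flat image for _EPROCESS objects, optionally recording hits in SQLite.

    Deliberate side effects, shared with the scanner through module globals:
      * ``imgname`` is set to the lower-cased basename of the image path;
      * ``outfd`` is set to the SQLite database path from ``opts.outfd1``
        (its ``psscan3`` table is created if absent), or ``None``;
      * the shared ``xpsp2types`` profile dictionary is patched in place
        before being installed as the active datatypes.

    Reads ``self.opts.filename`` and ``self.opts.outfd1``. A missing or
    non-regular image path is reported through ``self.op.error``.
    """
    global imgname, outfd
    op = self.op
    opts = self.opts
    if opts.filename is None or not os.path.isfile(opts.filename):
        op.error("File is required")
        return  # op.error is expected to exit; do not fall through if it does not
    filename = opts.filename
    # Normalise separators so the basename is found for both Windows- and
    # POSIX-style paths; consumers pick the value up via the global.
    imgname = filename.replace("\\", "/").lower().split("/")[-1]
    if opts.outfd1 is not None:
        outfd = opts.outfd1
        # CREATE TABLE IF NOT EXISTS replaces the old "SELECT * ... except
        # OperationalError" probe, which read the whole table just to test for
        # its existence and hid every other OperationalError (locked or corrupt
        # database) behind a second failing CREATE. The statement carries no
        # user-supplied data, so a static string is appropriate here.
        conn = sqlite3.connect(outfd)
        try:
            conn.execute(
                "create table if not exists psscan3("
                "pid integer, ppid integer, ctime text, etime text, "
                "offset text, pdb text, pname text, memimage text)"
            )
            conn.commit()
        finally:
            conn.close()  # also closes on the error path, which the original did not
    else:
        outfd = None
    from vtypes import xpsp2types
    # Hand-patched structure offsets layered over the stock XP SP2 profile
    # (the reason for each value is not recorded here). This mutates the
    # shared dict, so every later user of xpsp2types sees these entries.
    xpsp2types['_FAST_MUTEX'][1]['Count'] = [0x0, ['long']]
    xpsp2types['_EPROCESS'][1]['GrantedAccess'] = [0x1a4, ['unsigned long']]
    xpsp2types['_EPROCESS'][1]['Vm'] = [0x1f8, ['_MMSUPPORT']]
    xpsp2types['_KPROCESS'][1]['ThreadListHead'] = [0x50, ['_LIST_ENTRY']]
    xpsp2types['_KPROCESS'][1]['ReadyListHead'] = [0x40, ['_LIST_ENTRY']]
    xpsp2types['_MMSUPPORT'] = [0x40, {'VmWorkingSetList': [0x20, ['pointer', ['_MMWSL']]]}]
    meta_info.set_datatypes(xpsp2types)
    search_space = FileAddressSpace(filename)
    print("PID PPID Time created Time exited Offset PDB Remarks\n"
          "------ ------ ------------------------ ------------------------ ---------- ---------- ----------------")
    scanners = [ProcessScanFast3(search_space)]
    scan_addr_space(search_space, scanners)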
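def execute(self):
    """Scan for pool allocations that look like registry hives and dump every match.

    Pipeline: validate the image path, open it as a flat ``FileAddressSpace``,
    let ``find_addr_space`` choose the space to search (hibernation / crash
    dump aware), resolve the directory table base from ``opts.base`` or
    ``get_dtb``, install a PAE or non-PAE kernel address space into
    ``meta_info``, then run ``PoolScanHiveFast2``. For each scanner object
    returned by ``scan_addr_space`` the match count is printed, followed by
    one line per match.

    Usage problems (missing image, unopenable image, malformed DTB) are
    reported through ``self.op.error``.
    """
    op = self.op
    opts = self.opts
    if opts.filename is None or not os.path.isfile(opts.filename):
        op.error("File is required")
        return  # op.error is expected to exit; do not fall through if it does not
    filename = opts.filename
    try:
        flat_address_space = FileAddressSpace(filename, fast=True)
    except Exception:
        # Was a bare except, which also swallowed SystemExit/KeyboardInterrupt.
        op.error("Unable to open image file %s" % (filename))
        return
    meta_info.set_datatypes(types)
    # Determine the applicable address space (ie hiber, crash)
    search_address_space = find_addr_space(flat_address_space, types)
    # Find a dtb value: an explicit option wins, otherwise search the image for it.
    if opts.base is None:
        sysdtb = get_dtb(search_address_space, types)
    else:
        try:
            sysdtb = int(opts.base, 16)
        except (TypeError, ValueError):
            op.error("Directory table base must be a hexidecimal number.")
            return
    meta_info.set_dtb(sysdtb)
    # Set the kernel address space: PAE first, non-PAE as the fallback.
    kaddr_space = load_pae_address_space(filename, sysdtb)
    if kaddr_space is None:
        kaddr_space = load_nopae_address_space(filename, sysdtb)
    meta_info.set_kas(kaddr_space)
    scanners = [PoolScanHiveFast2(search_address_space)]
    objs = scan_addr_space(search_address_space, scanners)
    for obj in objs:
        print(len(obj.matches))
        for m in obj.matches:
            print(m)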
def execute(self):
    """Find registry-hive-like pool allocations and print every scanner's matches.

    Validates the image path, opens it as a flat ``FileAddressSpace``, lets
    ``find_addr_space`` pick the space to search (hibernation / crash dump
    aware), resolves the directory table base (explicit hex value from the
    options, otherwise discovered with ``get_dtb``), installs a kernel
    address space (PAE first, non-PAE as fallback) and runs
    ``PoolScanHiveFast2``. For each scanner object returned by
    ``scan_addr_space`` the number of matches is printed, then each match on
    its own line. Usage errors are routed through ``self.op.error``.
    """
    parser = self.op
    options = self.opts
    image = options.filename
    if image is None or not os.path.isfile(image):
        parser.error("File is required")
    else:
        try:
            flat_space = FileAddressSpace(image, fast=True)
        except:
            parser.error("Unable to open image file %s" % (image))
        meta_info.set_datatypes(types)
        # Pick the search space that matches the image format (hiber, crash, raw).
        search_space = find_addr_space(flat_space, types)
        # Directory table base: explicit hex value from the options, else discovered.
        if options.base is not None:
            try:
                sysdtb = int(options.base, 16)
            except:
                parser.error("Directory table base must be a hexidecimal number.")
        else:
            sysdtb = get_dtb(search_space, types)
        meta_info.set_dtb(sysdtb)
        kernel_space = load_pae_address_space(image, sysdtb)
        if kernel_space is None:
            kernel_space = load_nopae_address_space(image, sysdtb)
        meta_info.set_kas(kernel_space)
        results = scan_addr_space(search_space, [PoolScanHiveFast2(search_space)])
        for scanner in results:
            print(len(scanner.matches))
            for match in scanner.matches:
                print(match)
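def execute(self):
    """Scan for registry-hive-like pool allocations after merging the registry vtypes.

    Mutates the shared global ``types`` dictionary with ``regtypes`` before
    anything else runs (the original author notes this is deliberate even
    though updating global types on the fly is discouraged). Then: validate
    and open the image, choose the search space via ``find_addr_space``,
    resolve the DTB from ``opts.base`` or ``get_dtb``, install a PAE or
    non-PAE kernel address space, print the column header and run
    ``PoolScanHiveFast2``. Per-hit output, if any, comes from the scanner;
    the scan's return value is not used here.

    Usage problems are reported through ``self.op.error``.
    """
    # In general it's not recommended to update the global types on the fly,
    # but the author of this plugin does so deliberately.
    types.update(regtypes)
    op = self.op
    opts = self.opts
    if opts.filename is None or not os.path.isfile(opts.filename):
        op.error("File is required")
        return  # op.error is expected to exit; do not fall through if it does not
    filename = opts.filename
    try:
        flat_address_space = FileAddressSpace(filename, fast=True)
    except Exception:
        # Was a bare except, which also swallowed SystemExit/KeyboardInterrupt.
        op.error("Unable to open image file %s" % (filename))
        return
    meta_info.set_datatypes(types)
    # Determine the applicable address space (ie hiber, crash)
    search_address_space = find_addr_space(flat_address_space, types)
    # Find a dtb value: an explicit option wins, otherwise search the image for it.
    if opts.base is None:
        sysdtb = get_dtb(search_address_space, types)
    else:
        try:
            sysdtb = int(opts.base, 16)
        except (TypeError, ValueError):
            op.error("Directory table base must be a hexidecimal number.")
            return
    meta_info.set_dtb(sysdtb)
    # Set the kernel address space: PAE first, non-PAE as the fallback.
    kaddr_space = load_pae_address_space(filename, sysdtb)
    if kaddr_space is None:
        kaddr_space = load_nopae_address_space(filename, sysdtb)
    meta_info.set_kas(kaddr_space)
    print("%-15s %-15s" % ("Offset", "(hex)"))
    scanners = [PoolScanHiveFast2(search_address_space)]
    # The returned scanner objects were bound to an unused local before.
    scan_addr_space(search_address_space, scanners)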
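def execute(self):
    """Scan for kernel-module pool allocations, optionally recording hits in SQLite.

    Deliberate side effects, shared with ``PoolScanModuleFast2SQL`` through
    module globals: ``imgname`` (lower-cased basename of the image) and
    ``outfd`` (path of the SQLite database whose ``modscan2`` table is created
    if absent, presumably filled by the scanner; ``None`` when ``opts.outfd1``
    is not given).

    Then: validate and open the image, choose the search space via
    ``find_addr_space``, resolve the DTB from ``opts.base`` or ``get_dtb``,
    install a PAE or non-PAE kernel address space, print the column header
    and run the scan. Usage problems are reported through ``self.op.error``.
    """
    global imgname, outfd
    op = self.op
    opts = self.opts
    if opts.filename is None or not os.path.isfile(opts.filename):
        op.error("File is required")
        return  # op.error is expected to exit; do not fall through if it does not
    filename = opts.filename
    # Normalise separators so the basename is found for both Windows- and
    # POSIX-style paths; consumers pick the value up via the global.
    imgname = filename.replace("\\", "/").lower().split("/")[-1]
    if opts.outfd1 is not None:
        outfd = opts.outfd1
        # CREATE TABLE IF NOT EXISTS replaces the old "SELECT * ... except
        # OperationalError" probe, which read the whole table just to test for
        # its existence and hid every other OperationalError behind a second
        # failing CREATE. No user-supplied data goes into this statement.
        conn = sqlite3.connect(outfd)
        try:
            conn.execute(
                "create table if not exists modscan2 "
                "(file text, base text, size text, name text, memimage text)"
            )
            conn.commit()
        finally:
            conn.close()  # also closes on the error path, which the original did not
    else:
        outfd = None
    try:
        flat_address_space = FileAddressSpace(filename, fast=True)
    except Exception:
        # Was a bare except, which also swallowed SystemExit/KeyboardInterrupt.
        op.error("Unable to open image file %s" % (filename))
        return
    meta_info.set_datatypes(types)
    # Determine the applicable address space
    search_address_space = find_addr_space(flat_address_space, types)
    # Find a dtb value: an explicit option wins, otherwise search the image for it.
    if opts.base is None:
        sysdtb = get_dtb(search_address_space, types)
    else:
        try:
            sysdtb = int(opts.base, 16)
        except (TypeError, ValueError):
            op.error("Directory table base must be a hexidecimal number.")
            return
    meta_info.set_dtb(sysdtb)
    # Kernel address space: PAE first, non-PAE as the fallback.
    kaddr_space = load_pae_address_space(filename, sysdtb)
    if kaddr_space is None:
        kaddr_space = load_nopae_address_space(filename, sysdtb)
    meta_info.set_kas(kaddr_space)
    print("%-50s %-12s %-8s %s \n" % ('File', 'Base', 'Size', 'Name'))
    scanners = [PoolScanModuleFast2SQL(search_address_space)]
    scan_addr_space(search_address_space, scanners)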
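def execute(self):
    """Scan for socket pool allocations, optionally recording hits in SQLite.

    Deliberate side effects, shared with ``PoolScanSockFast2SQL`` through
    module globals: ``imgname`` (lower-cased basename of the image) and
    ``outfd`` (path of the SQLite database whose ``sockscan2`` table is
    created if absent, presumably filled by the scanner; ``None`` when
    ``opts.outfd1`` is not given).

    Then: validate and open the image, choose the search space via
    ``find_addr_space``, resolve the DTB from ``opts.base`` or ``get_dtb``,
    install a PAE or non-PAE kernel address space, print the column header
    and run the scan. Usage problems are reported through ``self.op.error``.
    """
    global imgname, outfd
    op = self.op
    opts = self.opts
    if opts.filename is None or not os.path.isfile(opts.filename):
        op.error("File is required")
        return  # op.error is expected to exit; do not fall through if it does not
    filename = opts.filename
    # Normalise separators so the basename is found for both Windows- and
    # POSIX-style paths; consumers pick the value up via the global.
    imgname = filename.replace("\\", "/").lower().split("/")[-1]
    if opts.outfd1 is not None:
        outfd = opts.outfd1
        # The stray debug print of the database path that preceded the table
        # header has been dropped so stdout holds only the table.
        # CREATE TABLE IF NOT EXISTS replaces the old "SELECT * ... except
        # OperationalError" probe, which read the whole table just to test for
        # its existence and hid every other OperationalError behind a second
        # failing CREATE. No user-supplied data goes into this statement.
        conn = sqlite3.connect(outfd)
        try:
            conn.execute(
                "create table if not exists sockscan2("
                "pid integer, port integer, proto text, ctime text, "
                "offset text, memimage text)"
            )
            conn.commit()
        finally:
            conn.close()  # also closes on the error path, which the original did not
    else:
        outfd = None
    try:
        flat_address_space = FileAddressSpace(filename, fast=True)
    except Exception:
        # Was a bare except, which also swallowed SystemExit/KeyboardInterrupt.
        op.error("Unable to open image file %s" % (filename))
        return
    meta_info.set_datatypes(types)
    # Determine the applicable address space
    search_address_space = find_addr_space(flat_address_space, types)
    # Find a dtb value: an explicit option wins, otherwise search the image for it.
    if opts.base is None:
        sysdtb = get_dtb(search_address_space, types)
    else:
        try:
            sysdtb = int(opts.base, 16)
        except (TypeError, ValueError):
            op.error("Directory table base must be a hexidecimal number.")
            return
    meta_info.set_dtb(sysdtb)
    # Kernel address space: PAE first, non-PAE as the fallback.
    kaddr_space = load_pae_address_space(filename, sysdtb)
    if kaddr_space is None:
        kaddr_space = load_nopae_address_space(filename, sysdtb)
    meta_info.set_kas(kaddr_space)
    print("PID Port Proto Create Time Offset \n"
          "------ ------ ------ -------------------------- ----------\n")
    scanners = [PoolScanSockFast2SQL(search_address_space)]
    scan_addr_space(search_address_space, scanners)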