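def execute(self):
    """Print the user and group SIDs held by every process's primary token.

    Side effect: ``vtypes.xpsp2types`` is patched so that ``_EPROCESS.Token``
    is read as an ``_EX_FAST_REF`` at offset 0xc8 before the profile is built.
    The image named by ``self.opts`` is loaded, the process list is walked and,
    for each process, the ``_TOKEN`` behind ``EPROCESS.Token`` is read; every
    ``_SID_AND_ATTRIBUTES`` entry of its ``UserAndGroups`` array is rendered as
    ``S-<rev>-<authority>-<sub>...`` and annotated with a well-known name when
    one matches.  One line per SID goes to stdout.  A process whose token
    pointer is unreadable, and a SID whose sub-authority array is unreadable
    or implausibly long, are reported and skipped instead of aborting the run.
    """
    from vtypes import xpsp2types

    # Upper bound on SubAuthorityCount for a well-formed SID
    # (SID_MAX_SUB_AUTHORITIES).  The count is read straight out of the image,
    # so it is bounded before it is allowed to size a read.
    max_subauths = 15

    xpsp2types['_EPROCESS'][1]['Token'] = [0xc8, ['_EX_FAST_REF']]
    profile = Profile()
    profile.add_types(token_types)

    (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts)

    for proc_addr in process_list(addr_space, types, symtab):
        proc = Object("_EPROCESS", proc_addr, addr_space, profile=profile)
        if not proc.Token.is_valid():
            name = process_imagename(addr_space, types, proc_addr)
            pid = process_pid(addr_space, types, proc_addr)
            print("%s (%d): Token unreadable" % (name, pid))
            continue

        # _EX_FAST_REF keeps a reference count in the low three bits of the pointer.
        tok_addr = proc.Token.Value & ~0x7
        tok = Object('_TOKEN', tok_addr, proc.vm, None, profile=profile)

        # UserAndGroups is a contiguous array of _SID_AND_ATTRIBUTES entries.
        entry_size = obj_size(token_types, '_SID_AND_ATTRIBUTES')
        entry_addr = tok.UserAndGroups.offset
        entries = []
        for _ in range(tok.UserAndGroupCount):
            entries.append(Object('_SID_AND_ATTRIBUTES', entry_addr, proc.vm, None, profile=profile))
            entry_addr += entry_size

        for entry in entries:
            label = "%s (%d)" % (proc.ImageFileName, proc.UniqueProcessId.v())
            sid = entry.Sid.dereference_as('_SID')
            count = int(sid.SubAuthorityCount)
            if count > max_subauths:
                print("%s: SID with %d sub-authorities skipped" % (label, count))
                continue
            raw = proc.vm.read(sid.get_member_offset('SubAuthority'), count * 4)
            if raw is None or len(raw) < count * 4:
                print("%s: SID sub-authorities unreadable" % label)
                continue
            subauths = unpack("<%dI" % count, raw)

            # Only the last byte of IdentifierAuthority is rendered, matching
            # the established output format of this plugin.
            parts = (sid.Revision, sid.IdentifierAuthority.Value[-1]) + subauths
            sid_string = "S-" + "-".join(str(i) for i in parts)

            if sid_string in well_known_sids:
                sid_name = " (%s)" % well_known_sids[sid_string]
            else:
                matched = find_sid_re(sid_string, well_known_sid_re)
                sid_name = " (%s)" % matched if matched else ""
            print("%s: %s%s" % (label, sid_string, sid_name))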
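def execute(self):
    """List the SIDs carried by the primary token of each process.

    ``vtypes.xpsp2types`` is patched so ``_EPROCESS.Token`` is read as an
    ``_EX_FAST_REF`` at offset 0xc8 (a side effect on the shared vtypes
    table), a profile extended with ``token_types`` is built, and the image
    named by ``self.opts`` is loaded.  For each process in the process list
    the ``_TOKEN`` is located and each ``_SID_AND_ATTRIBUTES`` entry of
    ``UserAndGroups`` is printed as ``S-<rev>-<authority>-<sub>...`` with a
    well-known name appended when one is known.  Processes with an unreadable
    token pointer, and SIDs whose sub-authority array cannot be read or is
    larger than a valid SID allows, are reported and skipped.
    """
    from vtypes import xpsp2types

    # Largest SubAuthorityCount of a valid SID (SID_MAX_SUB_AUTHORITIES);
    # the value comes from the image and must not size a read unchecked.
    SID_MAX_SUB_AUTHORITIES = 15

    xpsp2types['_EPROCESS'][1]['Token'] = [0xc8, ['_EX_FAST_REF']]
    the_profile = Profile()
    the_profile.add_types(token_types)

    def render_sid(vm, sid):
        """Return ``(sid_string, reason)``: the SID text, or None plus why."""
        count = int(sid.SubAuthorityCount)
        if count > SID_MAX_SUB_AUTHORITIES:
            return None, "SID with %d sub-authorities skipped" % count
        needed = count * 4
        raw = vm.read(sid.get_member_offset('SubAuthority'), needed)
        if raw is None or len(raw) < needed:
            return None, "SID sub-authorities unreadable"
        subauths = unpack("<%dI" % count, raw)
        # The last byte of IdentifierAuthority is rendered, as this plugin
        # has always done.
        fields = (sid.Revision, sid.IdentifierAuthority.Value[-1]) + subauths
        return "S-" + "-".join(str(f) for f in fields), None

    def describe(sid_string):
        """Return `` (name)`` for a well-known SID, else an empty string."""
        if sid_string in well_known_sids:
            return " (%s)" % well_known_sids[sid_string]
        hit = find_sid_re(sid_string, well_known_sid_re)
        if hit:
            return " (%s)" % hit
        return ""

    (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts)
    pslist = process_list(addr_space, types, symtab)

    for proc_addr in pslist:
        proc = Object("_EPROCESS", proc_addr, addr_space, profile=the_profile)
        if not proc.Token.is_valid():
            print("%s (%d): Token unreadable" % (
                process_imagename(addr_space, types, proc_addr),
                process_pid(addr_space, types, proc_addr)))
            continue

        # Mask off the _EX_FAST_REF reference-count bits to get the pointer.
        tok = Object('_TOKEN', proc.Token.Value & ~0x7, proc.vm, None, profile=the_profile)

        stride = obj_size(token_types, '_SID_AND_ATTRIBUTES')
        base = tok.UserAndGroups.offset
        group_entries = [
            Object('_SID_AND_ATTRIBUTES', base + idx * stride, proc.vm, None, profile=the_profile)
            for idx in range(tok.UserAndGroupCount)
        ]

        for sa in group_entries:
            who = "%s (%d)" % (proc.ImageFileName, proc.UniqueProcessId.v())
            sid_string, reason = render_sid(proc.vm, sa.Sid.dereference_as('_SID'))
            if sid_string is None:
                print("%s: %s" % (who, reason))
                continue
            print("%s: %s%s" % (who, sid_string, describe(sid_string)))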
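def execute(self):
    """Report every process token's SIDs, to stdout or to a SQLite database.

    Requires ``opts.filename`` to name an existing image file (otherwise
    ``op.error`` is called).  When ``opts.outfd1`` is set it is opened as a
    SQLite database and each SID becomes a row of the ``sids`` table
    (``pname, pid, sid_string, sid_name, memimage``; created if missing),
    with the lower-cased image basename recorded as ``memimage``.  Otherwise
    one line per SID is printed.  ``vtypes.xpsp2types`` is patched so
    ``_EPROCESS.Token`` is read as an ``_EX_FAST_REF`` at offset 0xc8 before
    the profile is built.  Unreadable tokens, unreadable group arrays and
    SIDs with an implausible sub-authority count are reported and skipped
    rather than aborting the run; the database connection is always closed.
    """
    op = self.op
    opts = self.opts
    dbout = opts.outfd1

    # Largest SubAuthorityCount of a valid SID (SID_MAX_SUB_AUTHORITIES);
    # the count is read from the image, so it is bounded before sizing a read.
    max_subauths = 15

    imgname = None
    if (opts.filename is None) or (not os.path.isfile(opts.filename)):
        # op.error is expected not to return; imgname stays None if it does.
        op.error("File is required")
    else:
        # Basename of the image, normalised so Windows and POSIX paths agree.
        imgname = opts.filename.replace("\\", "/").lower().split("/")[-1]

    conn = None
    cur = None
    if dbout is not None:
        conn = sqlite3.connect(dbout)
        cur = conn.cursor()
        cur.execute(
            "create table if not exists sids "
            "(pname text, pid integer, sid_string text, sid_name text, memimage text)"
        )
        conn.commit()

    from vtypes import xpsp2types
    xpsp2types["_EPROCESS"][1]["Token"] = [0xC8, ["_EX_FAST_REF"]]
    the_profile = Profile()
    the_profile.add_types(token_types)

    try:
        (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts)
        pslist = process_list(addr_space, types, symtab)

        for proc_addr in pslist:
            proc = Object("_EPROCESS", proc_addr, addr_space, profile=the_profile)
            if not proc.Token.is_valid():
                name = process_imagename(addr_space, types, proc_addr)
                pid = process_pid(addr_space, types, proc_addr)
                print("%s (%d): Token unreadable" % (name, pid))
                continue

            # _EX_FAST_REF stores a reference count in the low three bits.
            tok_addr = proc.Token.Value & ~0x7
            tok = Object("_TOKEN", tok_addr, proc.vm, None, profile=the_profile)

            # Collect what can be read of the UserAndGroups array; a failure
            # part-way through keeps the entries gathered so far.
            sids = []
            try:
                sid_addr = tok.UserAndGroups.offset
                sid_size = obj_size(token_types, "_SID_AND_ATTRIBUTES")
                for _ in range(tok.UserAndGroupCount):
                    sids.append(Object("_SID_AND_ATTRIBUTES", sid_addr, proc.vm, None, profile=the_profile))
                    sid_addr += sid_size
            except Exception:
                print("%s (%d): UserAndGroups unreadable" % (
                    process_imagename(addr_space, types, proc_addr),
                    process_pid(addr_space, types, proc_addr)))

            for sa in sids:
                pname = proc.ImageFileName
                pid = proc.UniqueProcessId.v()
                sid = sa.Sid.dereference_as("_SID")
                count = int(sid.SubAuthorityCount)
                if count > max_subauths:
                    print("%s (%d): SID with %d sub-authorities skipped" % (pname, pid, count))
                    continue
                raw = proc.vm.read(sid.get_member_offset("SubAuthority"), count * 4)
                if raw is None or len(raw) < count * 4:
                    print("%s (%d): SID sub-authorities unreadable" % (pname, pid))
                    continue
                subauths = unpack("<%dI" % count, raw)

                # Only the last byte of IdentifierAuthority is rendered, matching
                # the established output format of this plugin.
                parts = (sid.Revision, sid.IdentifierAuthority.Value[-1]) + subauths
                sid_string = "S-" + "-".join(str(i) for i in parts)

                if sid_string in well_known_sids:
                    sid_name = "(%s)" % well_known_sids[sid_string]
                else:
                    matched = find_sid_re(sid_string, well_known_sid_re)
                    if matched:
                        sid_name = "(%s)" % matched
                    elif dbout is not None:
                        # Database rows get an explicit marker instead of an empty name.
                        sid_name = "(none)"
                    else:
                        sid_name = ""

                if dbout is not None:
                    cur.execute(
                        "insert into sids values (?,?,?,?,?)",
                        (pname.lower(), pid, sid_string, sid_name.lower(), imgname),
                    )
                else:
                    print("%s (%d): %s %s" % (pname, pid, sid_string, sid_name))

        if conn is not None:
            conn.commit()
    finally:
        if conn is not None:
            conn.close()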