def _generator(self):
pe_table_name = intermed.IntermediateSymbolTable.create(
self.context,
self.config_path,
"windows",
"pe",
class_types=extensions.pe.class_types)
for mod in self.scan_modules(self.context, self.config['primary'],
self.config['nt_symbols']):
try:
BaseDllName = mod.BaseDllName.get_string()
except exceptions.InvalidAddressException:
BaseDllName = ""
try:
FullDllName = mod.FullDllName.get_string()
except exceptions.InvalidAddressException:
FullDllName = ""
dumped = False
if self.config['dump']:
filedata = dlllist.DllList.dump_pe(self.context, pe_table_name,
mod)
if filedata:
self.produce_file(filedata)
dumped = True
yield (0, (format_hints.Hex(mod.vol.offset),
format_hints.Hex(mod.DllBase),
format_hints.Hex(mod.SizeOfImage), BaseDllName,
FullDllName, dumped))
def _generator(self, procs):
# determine if we're on a 32 or 64 bit kernel
is_32bit_arch = not symbols.symbol_table_is_64bit(
self.context, self.config["nt_symbols"])
for proc in procs:
process_name = utility.array_to_string(proc.ImageFileName)
for vad, data in self.list_injections(self.context,
self.config["nt_symbols"],
proc):
# if we're on a 64 bit kernel, we may still need 32 bit disasm due to wow64
if is_32bit_arch or proc.get_is_wow64():
architecture = "intel"
else:
architecture = "intel64"
disasm = interfaces.renderers.Disassembly(
data, vad.get_start(), architecture)
yield (0, (proc.UniqueProcessId, process_name,
format_hints.Hex(vad.get_start()),
format_hints.Hex(vad.get_end()), vad.get_tag(),
vad.get_protection(
vadinfo.VadInfo.protect_values(
self.context, proc.vol.layer_name,
self.config["nt_symbols"]),
vadinfo.winnt_protections),
vad.get_commit_charge(), vad.get_private_memory(),
format_hints.HexBytes(data), disasm))
def _generator(self, procs):
def passthrough(_: interfaces.objects.ObjectInterface) -> bool:
return False
filter_func = passthrough
if self.config.get('address', None) is not None:
def filter_function(x: interfaces.objects.ObjectInterface) -> bool:
return x.get_start() not in [self.config['address']]
filter_func = filter_function
for proc in procs:
process_name = utility.array_to_string(proc.ImageFileName)
for vad in self.list_vads(proc, filter_func = filter_func):
file_output = "Disabled"
if self.config['dump']:
file_handle = self.vad_dump(self.context, proc, vad, self.open)
file_output = "Error outputting file"
if file_handle:
file_handle.close()
file_output = file_handle.preferred_filename
yield (0, (proc.UniqueProcessId, process_name, format_hints.Hex(vad.vol.offset),
format_hints.Hex(vad.get_start()), format_hints.Hex(vad.get_end()), vad.get_tag(),
vad.get_protection(
self.protect_values(self.context, self.config['primary'], self.config['nt_symbols']),
winnt_protections), vad.get_commit_charge(), vad.get_private_memory(),
format_hints.Hex(vad.get_parent()), vad.get_file_name(), file_output))
def _generator(self, procs):
pe_table_name = intermed.IntermediateSymbolTable.create(
self.context,
self.config_path,
"windows",
"pe",
class_types=pe.class_types)
kuser = info.Info.get_kuser_structure(self.context,
self.config['primary'],
self.config['nt_symbols'])
nt_major_version = int(kuser.NtMajorVersion)
nt_minor_version = int(kuser.NtMinorVersion)
# LoadTime only applies to versions higher or equal to Window 7 (6.1 and higher)
dll_load_time_field = (nt_major_version > 6) or (
nt_major_version == 6 and nt_minor_version >= 1)
for proc in procs:
proc_id = proc.UniqueProcessId
proc_layer_name = proc.add_process_layer()
for entry in proc.load_order_modules():
BaseDllName = FullDllName = renderers.UnreadableValue()
try:
BaseDllName = entry.BaseDllName.get_string()
# We assume that if the BaseDllName points to an invalid buffer, so will FullDllName
FullDllName = entry.FullDllName.get_string()
except exceptions.InvalidAddressException:
pass
if dll_load_time_field:
# Versions prior to 6.1 won't have the LoadTime attribute
# and 32bit version shouldn't have the Quadpart according to MSDN
try:
DllLoadTime = conversion.wintime_to_datetime(
entry.LoadTime.QuadPart)
except exceptions.InvalidAddressException:
DllLoadTime = renderers.UnreadableValue()
else:
DllLoadTime = renderers.NotApplicableValue()
dumped = False
if self.config['dump']:
filedata = self.dump_pe(self.context, pe_table_name, entry,
proc_layer_name)
if filedata:
filedata.preferred_filename = "pid.{0}.".format(
proc_id) + filedata.preferred_filename
dumped = True
self.produce_file(filedata)
yield (0, (proc.UniqueProcessId,
proc.ImageFileName.cast(
"string",
max_length=proc.ImageFileName.vol.count,
errors='replace'),
format_hints.Hex(entry.DllBase),
format_hints.Hex(entry.SizeOfImage), BaseDllName,
FullDllName, DllLoadTime, dumped))
def _generator(self):
"""
Enumerates the listeners for each kauth scope
"""
kernel = contexts.Module(self.context, self.config['darwin'],
self.config['primary'], 0)
mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
self.config['darwin'])
handlers = mac.MacUtilities.generate_kernel_handler_info(
self.context, self.config['primary'], kernel, mods)
for scope in kauth_scopes.Kauth_scopes.list_kauth_scopes(
self.context, self.config['primary'], self.config['darwin']):
scope_name = utility.pointer_to_string(scope.ks_identifier, 128)
for listener in scope.get_listeners():
callback = listener.kll_callback
if callback == 0:
continue
module_name, symbol_name = mac.MacUtilities.lookup_module_address(
self.context, handlers, callback)
yield (0, (scope_name, format_hints.Hex(listener.kll_idata),
format_hints.Hex(callback), module_name,
symbol_name))
def _generator(self, tasks):
# determine if we're on a 32 or 64 bit kernel
if self.context.symbol_space.get_type(self.config["vmlinux"] +
constants.BANG +
"pointer").size == 4:
is_32bit_arch = True
else:
is_32bit_arch = False
for task in tasks:
process_name = utility.array_to_string(task.comm)
for vma, data in self._list_injections(task):
if is_32bit_arch:
architecture = "intel"
else:
architecture = "intel64"
disasm = interfaces.renderers.Disassembly(
data, vma.vm_start, architecture)
yield (0, (task.pid, process_name,
format_hints.Hex(vma.vm_start),
format_hints.Hex(vma.vm_end), vma.get_protection(),
format_hints.HexBytes(data), disasm))
def _generator(self):
mac.MacUtilities.aslr_mask_symbol_table(self.context,
self.config['darwin'],
self.config['primary'])
kernel = contexts.Module(self._context, self.config['darwin'],
self.config['primary'], 0)
table = kernel.object_from_symbol(symbol_name="mach_trap_table")
for i, ent in enumerate(table):
try:
call_addr = ent.mach_trap_function.dereference().vol.offset
except exceptions.InvalidPagedAddressException:
continue
if not call_addr or call_addr == 0:
continue
symbols = list(
self.context.symbol_space.get_symbols_by_location(call_addr))
if len(symbols) > 0:
sym_name = str(symbols[0].split(constants.BANG)[1]) if constants.BANG in symbols[0] else \
str(symbols[0])
else:
sym_name = "UNKNOWN"
yield (0, (format_hints.Hex(table.vol.offset), "TrapTable", i,
format_hints.Hex(call_addr), sym_name))
def _generator(self):
kernel = contexts.Module(self.context, self.config['darwin'],
self.config['primary'], 0)
mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
self.config['darwin'])
handlers = mac.MacUtilities.generate_kernel_handler_info(
self.context, self.config['primary'], kernel, mods)
for scope in self.list_kauth_scopes(self.context,
self.config['primary'],
self.config['darwin']):
callback = scope.ks_callback
if callback == 0:
continue
module_name, symbol_name = mac.MacUtilities.lookup_module_address(
self.context, handlers, callback)
identifier = utility.pointer_to_string(scope.ks_identifier, 128)
yield (0, (identifier, format_hints.Hex(scope.ks_idata),
len([l for l in scope.get_listeners()]),
format_hints.Hex(callback), module_name, symbol_name))
def _generator(self):
kernel = contexts.Module(self._context, self.config['darwin'],
self.config['primary'], 0)
mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
self.config['darwin'])
handlers = mac.MacUtilities.generate_kernel_handler_info(
self.context, self.config['primary'], kernel, mods)
nsysent = kernel.object_from_symbol(symbol_name="nsysent")
table = kernel.object_from_symbol(symbol_name="sysent")
# smear help
num_ents = min(nsysent, table.count)
if num_ents > 1024:
num_ents = 1024
for (i, ent) in enumerate(table):
try:
call_addr = ent.sy_call.dereference().vol.offset
except exceptions.InvalidAddressException:
continue
if not call_addr or call_addr == 0:
continue
module_name, symbol_name = mac.MacUtilities.lookup_module_address(
self.context, handlers, call_addr)
yield (0, (format_hints.Hex(table.vol.offset), "SysCall", i,
format_hints.Hex(call_addr), module_name, symbol_name))
def _generator(self, tasks):
for task in tasks:
if not task.mm:
continue
name = utility.array_to_string(task.comm)
for vma in task.mm.get_mmap_iter():
flags = vma.get_protection()
page_offset = vma.get_page_offset()
major = 0
minor = 0
inode = 0
if vma.vm_file != 0:
dentry = vma.vm_file.get_dentry()
if dentry != 0:
inode_object = dentry.d_inode
major = inode_object.i_sb.major
minor = inode_object.i_sb.minor
inode = inode_object.i_ino
path = vma.get_name(self.context, task)
yield (0, (task.pid, name, format_hints.Hex(vma.vm_start),
format_hints.Hex(vma.vm_end), flags,
format_hints.Hex(page_offset), major, minor, inode,
path))
def _generator(self):
pe_table_name = intermed.IntermediateSymbolTable.create(
self.context,
self.config_path,
"windows",
"pe",
class_types=pe.class_types)
for mod in self.list_modules(self.context, self.config['primary'],
self.config['nt_symbols']):
try:
BaseDllName = mod.BaseDllName.get_string()
except exceptions.InvalidAddressException:
BaseDllName = ""
try:
FullDllName = mod.FullDllName.get_string()
except exceptions.InvalidAddressException:
FullDllName = ""
file_output = "Disabled"
if self.config['dump']:
file_handle = dlllist.DllList.dump_pe(self.context,
pe_table_name, mod,
self.open)
file_output = "Error outputting file"
if file_handle:
file_handle.close()
file_output = file_handle.preferred_filename
yield (0, (format_hints.Hex(mod.vol.offset),
format_hints.Hex(mod.DllBase),
format_hints.Hex(mod.SizeOfImage), BaseDllName,
FullDllName, file_output))
def _generator(self, procs):
type_map = self.get_type_map(context=self.context,
layer_name=self.config["primary"],
symbol_table=self.config["nt_symbols"])
cookie = self.find_cookie(context=self.context,
layer_name=self.config["primary"],
symbol_table=self.config["nt_symbols"])
for proc in procs:
try:
object_table = proc.ObjectTable
except exceptions.InvalidAddressException:
vollog.log(
constants.LOGLEVEL_VVV,
"Cannot access _EPROCESS.ObjectType at {0:#x}".format(
proc.vol.offset))
continue
process_name = utility.array_to_string(proc.ImageFileName)
for entry in self.handles(object_table):
try:
obj_type = entry.get_object_type(type_map, cookie)
if obj_type is None:
continue
if obj_type == "File":
item = entry.Body.cast("_FILE_OBJECT")
obj_name = item.file_name_with_device()
elif obj_type == "Process":
item = entry.Body.cast("_EPROCESS")
obj_name = "{} Pid {}".format(
utility.array_to_string(proc.ImageFileName),
item.UniqueProcessId)
elif obj_type == "Thread":
item = entry.Body.cast("_ETHREAD")
obj_name = "Tid {} Pid {}".format(
item.Cid.UniqueThread, item.Cid.UniqueProcess)
elif obj_type == "Key":
item = entry.Body.cast("_CM_KEY_BODY")
obj_name = item.get_full_key_name()
else:
try:
obj_name = entry.NameInfo.Name.String
except (ValueError,
exceptions.InvalidAddressException):
obj_name = ""
except (exceptions.InvalidAddressException):
vollog.log(
constants.LOGLEVEL_VVV,
"Cannot access _OBJECT_HEADER at {0:#x}".format(
entry.vol.offset))
continue
yield (0, (proc.UniqueProcessId, process_name,
format_hints.Hex(entry.Body.vol.offset),
format_hints.Hex(entry.HandleValue), obj_type,
format_hints.Hex(entry.GrantedAccess), obj_name))
def _generator(self):
filter_func = tasks.Tasks.create_pid_filter([self.config.get('pid', None)])
for task_name, pid, socket in self.list_sockets(self.context,
self.config['primary'],
self.config['darwin'],
filter_func = filter_func):
family = socket.get_family()
if family == 1:
try:
upcb = socket.so_pcb.dereference().cast("unpcb")
path = utility.array_to_string(upcb.unp_addr.sun_path)
except exceptions.InvalidAddressException:
continue
yield (0, (format_hints.Hex(socket.vol.offset), "UNIX", path, 0, "", 0, "",
"{}/{:d}".format(task_name, pid)))
elif family in [2, 30]:
state = socket.get_state()
proto = socket.get_protocol_as_string()
vals = socket.get_converted_connection_info()
if vals:
(lip, lport, rip, rport) = vals
yield (0, (format_hints.Hex(socket.vol.offset), proto, lip, lport, rip, rport, state,
"{}/{:d}".format(task_name, pid)))
def _generator(self):
collection = ssdt.SSDT.build_module_collection(
self.context, self.config['primary'], self.config['nt_symbols'])
for driver in driverscan.DriverScan.scan_drivers(
self.context, self.config['primary'],
self.config['nt_symbols']):
try:
driver_name = driver.get_driver_name()
except exceptions.InvalidAddressException:
driver_name = renderers.NotApplicableValue()
for i, address in enumerate(driver.MajorFunction):
module_symbols = collection.get_module_symbols_by_absolute_location(
address)
for module_name, symbol_generator in module_symbols:
symbols_found = False
for symbol in symbol_generator:
symbols_found = True
yield (0, (format_hints.Hex(driver.vol.offset),
driver_name, MAJOR_FUNCTIONS[i],
format_hints.Hex(address), module_name,
symbol.split(constants.BANG)[1]))
if not symbols_found:
yield (0, (format_hints.Hex(driver.vol.offset),
driver_name, MAJOR_FUNCTIONS[i],
format_hints.Hex(address), module_name,
renderers.NotAvailableValue()))
def _generator(self):
kernel = contexts.Module(self._context, self.config['darwin'],
self.config['primary'], 0)
mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
self.config['darwin'])
handlers = mac.MacUtilities.generate_kernel_handler_info(
self.context, self.config['primary'], kernel, mods)
table = kernel.object_from_symbol(symbol_name="mach_trap_table")
for i, ent in enumerate(table):
try:
call_addr = ent.mach_trap_function.dereference().vol.offset
except exceptions.InvalidAddressException:
continue
if not call_addr or call_addr == 0:
continue
module_name, symbol_name = mac.MacUtilities.lookup_module_address(
self.context, handlers, call_addr)
yield (0, (format_hints.Hex(table.vol.offset), "TrapTable", i,
format_hints.Hex(call_addr), module_name, symbol_name))
def _generator(self, procs):
def passthrough(_: 'interfaces.objects.ObjectInterface') -> bool:
return False
filter_func = passthrough
if self.config.get('address', None) is not None:
def filter_function(
x: 'interfaces.objects.ObjectInterface') -> bool:
return x.get_start() not in [self.config['address']]
filter_func = filter_function
for proc in procs:
process_name = utility.array_to_string(proc.ImageFileName)
for vad in self.list_vads(proc, filter_func=filter_func):
yield (0, (proc.UniqueProcessId, process_name,
format_hints.Hex(vad.vol.offset),
format_hints.Hex(vad.get_start()),
format_hints.Hex(vad.get_end()), vad.get_tag(),
vad.get_protection(
self.protect_values(self.context,
self.config['primary'],
self.config['nt_symbols']),
winnt_protections), vad.get_commit_charge(),
vad.get_private_memory(),
format_hints.Hex(vad.get_parent()),
vad.get_file_name()))
def _generator(self):
vmlinux = contexts.Module(self.context, self.config['vmlinux'], self.config['primary'], 0)
modules = lsmod.Lsmod.list_modules(self.context, self.config['primary'], self.config['vmlinux'])
handlers = linux.LinuxUtilities.generate_kernel_handler_info(self.context, self.config['primary'],
self.config['vmlinux'], modules)
is_32bit = not symbols.symbol_table_is_64bit(self.context, self.config["vmlinux"])
idt_table_size = 256
address_mask = self.context.layers[self.config['primary']].address_mask
# hw handlers + system call
check_idxs = list(range(0, 20)) + [128]
if is_32bit:
if vmlinux.has_type("gate_struct"):
idt_type = "gate_struct"
else:
idt_type = "desc_struct"
else:
if vmlinux.has_type("gate_struct64"):
idt_type = "gate_struct64"
elif vmlinux.has_type("gate_struct"):
idt_type = "gate_struct"
else:
idt_type = "idt_desc"
addrs = vmlinux.object_from_symbol("idt_table")
table = vmlinux.object(object_type = 'array', offset = addrs.vol.offset, subtype = vmlinux.get_type(idt_type),
count = idt_table_size)
for i in check_idxs:
ent = table[i]
if not ent:
continue
if hasattr(ent, "Address"):
idt_addr = ent.Address
else:
low = ent.offset_low
middle = ent.offset_middle
if hasattr(ent, "offset_high"):
high = ent.offset_high
else:
high = 0
idt_addr = (high << 32) | (middle << 16) | low
idt_addr = idt_addr & address_mask
module_name, symbol_name = linux.LinuxUtilities.lookup_module_address(self.context, handlers, idt_addr)
yield (0, [format_hints.Hex(i), format_hints.Hex(idt_addr), module_name, symbol_name])
def _generator(self):
linux.LinuxUtilities.aslr_mask_symbol_table(self.context,
self.config['vmlinux'],
self.config['primary'])
vmlinux = contexts.Module(self.context, self.config['vmlinux'],
self.config['primary'], 0)
ptr_sz = vmlinux.get_type("pointer").size
if ptr_sz == 4:
table_name = "32bit"
else:
table_name = "64bit"
try:
table_info = self._get_table_info(vmlinux, "sys_call_table",
ptr_sz)
except exceptions.SymbolError:
vollog.error("Unable to find the system call table. Exiting.")
return
tables = [(table_name, table_info)]
# this table is only present on 64 bit systems with 32 bit emulation
# enabled in order to support 32 bit programs and libraries
# if the symbol isn't there then the support isn't in the kernel and so we skip it
try:
ia32_symbol = self.context.symbol_space.get_symbol(
vmlinux.name + constants.BANG + "ia32_sys_call_table")
except exceptions.SymbolError:
ia32_symbol = None
if ia32_symbol != None:
ia32_info = self._get_table_info(vmlinux, "ia32_sys_call_table",
ptr_sz)
tables.append(("32bit", ia32_info))
for (table_name, (tableaddr, tblsz)) in tables:
table = vmlinux.object(object_type="array",
subtype=vmlinux.get_type("pointer"),
offset=tableaddr,
count=tblsz)
for (i, call_addr) in enumerate(table):
if not call_addr:
continue
symbols = list(
self.context.symbol_space.get_symbols_by_location(
call_addr))
if len(symbols) > 0:
sym_name = str(symbols[0].split(constants.BANG)[1]) if constants.BANG in symbols[0] else \
str(symbols[0])
else:
sym_name = "UNKNOWN"
yield (0, (format_hints.Hex(tableaddr), table_name, i,
format_hints.Hex(call_addr), sym_name))
def _generator(self, show_corrupt_results: Optional[bool] = None):
""" Generates the network objects for use in rendering. """
netscan_symbol_table = self.create_netscan_symbol_table(self.context, self.config["primary"],
self.config["nt_symbols"], self.config_path)
for netw_obj in self.scan(self.context, self.config['primary'], self.config['nt_symbols'],
netscan_symbol_table):
vollog.debug("Found netw obj @ 0x{:2x} of assumed type {}".format(netw_obj.vol.offset, type(netw_obj)))
# objects passed pool header constraints. check for additional constraints if strict flag is set.
if not show_corrupt_results and not netw_obj.is_valid():
continue
if isinstance(netw_obj, network._UDP_ENDPOINT):
vollog.debug("Found UDP_ENDPOINT @ 0x{:2x}".format(netw_obj.vol.offset))
# For UdpA, the state is always blank and the remote end is asterisks
for ver, laddr, _ in netw_obj.dual_stack_sockets():
yield (0, (format_hints.Hex(netw_obj.vol.offset), "UDP" + ver, laddr, netw_obj.Port, "*", 0, "",
netw_obj.get_owner_pid() or renderers.UnreadableValue(), netw_obj.get_owner_procname()
or renderers.UnreadableValue(), netw_obj.get_create_time()
or renderers.UnreadableValue()))
elif isinstance(netw_obj, network._TCP_ENDPOINT):
vollog.debug("Found _TCP_ENDPOINT @ 0x{:2x}".format(netw_obj.vol.offset))
if netw_obj.get_address_family() == network.AF_INET:
proto = "TCPv4"
elif netw_obj.get_address_family() == network.AF_INET6:
proto = "TCPv6"
else:
proto = "TCPv?"
try:
state = netw_obj.State.description
except ValueError:
state = renderers.UnreadableValue()
yield (0, (format_hints.Hex(netw_obj.vol.offset), proto, netw_obj.get_local_address()
or renderers.UnreadableValue(), netw_obj.LocalPort, netw_obj.get_remote_address()
or renderers.UnreadableValue(), netw_obj.RemotePort, state, netw_obj.get_owner_pid()
or renderers.UnreadableValue(), netw_obj.get_owner_procname() or renderers.UnreadableValue(),
netw_obj.get_create_time() or renderers.UnreadableValue()))
# check for isinstance of tcp listener last, because all other objects are inherited from here
elif isinstance(netw_obj, network._TCP_LISTENER):
vollog.debug("Found _TCP_LISTENER @ 0x{:2x}".format(netw_obj.vol.offset))
# For TcpL, the state is always listening and the remote port is zero
for ver, laddr, raddr in netw_obj.dual_stack_sockets():
yield (0, (format_hints.Hex(netw_obj.vol.offset), "TCP" + ver, laddr, netw_obj.Port, raddr, 0,
"LISTENING", netw_obj.get_owner_pid() or renderers.UnreadableValue(),
netw_obj.get_owner_procname() or renderers.UnreadableValue(), netw_obj.get_create_time()
or renderers.UnreadableValue()))
else:
# this should not happen therefore we log it.
vollog.debug("Found network object unsure of its type: {} of type {}".format(netw_obj, type(netw_obj)))
def _generator(self, tasks):
for task in tasks:
process_name = utility.array_to_string(task.p_comm)
process_pid = task.p_pid
for vma in task.get_map_iter():
path = vma.get_path(self.context, self.config['darwin'])
if path == "":
path = vma.get_special_path()
yield (0, (process_pid, process_name, format_hints.Hex(vma.links.start),
format_hints.Hex(vma.links.end), vma.get_perms(), path))
def _generator(self):
mac.MacUtilities.aslr_mask_symbol_table(self.context,
self.config['darwin'],
self.config['primary'])
kernel = contexts.Module(self._context, self.config['darwin'],
self.config['primary'], 0)
real_ncpus = kernel.object_from_symbol(symbol_name="real_ncpus")
cpu_data_ptrs_ptr = kernel.get_symbol("cpu_data_ptr").address
cpu_data_ptrs_addr = kernel.object(
object_type="pointer",
offset=cpu_data_ptrs_ptr,
subtype=kernel.get_type('long unsigned int'))
cpu_data_ptrs = kernel.object(object_type="array",
offset=cpu_data_ptrs_addr,
subtype=kernel.get_type('cpu_data'),
count=real_ncpus)
for cpu_data_ptr in cpu_data_ptrs:
try:
queue = cpu_data_ptr.rtclock_timer.queue.head
except exceptions.InvalidAddressException:
break
for timer in queue.walk_list(queue, "q_link", "call_entry"):
try:
handler = timer.func
except exceptions.InvalidAddressException:
continue
symbols = list(
self.context.symbol_space.get_symbols_by_location(handler))
if len(symbols) > 0:
sym_name = str(symbols[0].split(constants.BANG)[1]) if constants.BANG in symbols[0] else \
str(symbols[0])
else:
sym_name = "UNKNOWN"
if hasattr(timer, "entry_time"):
entry_time = timer.entry_time
else:
entry_time = -1
yield (0, (format_hints.Hex(handler),
format_hints.Hex(timer.param0),
format_hints.Hex(timer.param1), timer.deadline,
entry_time, "kernel", sym_name))
def _generator(self):
callback_table_name = self.create_callback_table(
self.context, self.config["nt_symbols"], self.config_path)
collection = ssdt.SSDT.build_module_collection(
self.context, self.config['primary'], self.config['nt_symbols'])
callback_methods = (self.list_notify_routines,
self.list_bugcheck_callbacks,
self.list_bugcheck_reason_callbacks,
self.list_registry_callbacks)
for callback_method in callback_methods:
for callback_type, callback_address, callback_detail in callback_method(
self.context, self.config['primary'],
self.config['nt_symbols'], callback_table_name):
if callback_detail is None:
detail = renderers.NotApplicableValue()
else:
detail = callback_detail
module_symbols = list(
collection.get_module_symbols_by_absolute_location(
callback_address))
if module_symbols:
for module_name, symbol_generator in module_symbols:
symbols_found = False
# we might have multiple symbols pointing to the same location
for symbol in symbol_generator:
symbols_found = True
yield (0,
(callback_type,
format_hints.Hex(callback_address),
module_name,
symbol.split(constants.BANG)[1], detail))
# no symbols, but we at least can report the module name
if not symbols_found:
yield (0, (callback_type,
format_hints.Hex(callback_address),
module_name,
renderers.NotAvailableValue(), detail))
else:
# no module was found at the absolute location
yield (0, (callback_type,
format_hints.Hex(callback_address),
renderers.NotAvailableValue(),
renderers.NotAvailableValue(), detail))
def _generator(self):
mac.MacUtilities.aslr_mask_symbol_table(self.context,
self.config['darwin'],
self.config['primary'])
kernel = contexts.Module(self.context, self.config['darwin'],
self.config['primary'], 0)
mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
self.config['darwin'])
handlers = mac.MacUtilities.generate_kernel_handler_info(
self.context, self.config['primary'], kernel, mods)
real_ncpus = kernel.object_from_symbol(symbol_name="real_ncpus")
cpu_data_ptrs_ptr = kernel.get_symbol("cpu_data_ptr").address
cpu_data_ptrs_addr = kernel.object(
object_type="pointer",
offset=cpu_data_ptrs_ptr,
subtype=kernel.get_type('long unsigned int'))
cpu_data_ptrs = kernel.object(object_type="array",
offset=cpu_data_ptrs_addr,
subtype=kernel.get_type('cpu_data'),
count=real_ncpus)
for cpu_data_ptr in cpu_data_ptrs:
try:
queue = cpu_data_ptr.rtclock_timer.queue.head
except exceptions.InvalidAddressException:
break
for timer in queue.walk_list(queue, "q_link", "call_entry"):
try:
handler = timer.func.dereference().vol.offset
except exceptions.InvalidAddressException:
continue
if timer.has_member("entry_time"):
entry_time = timer.entry_time
else:
entry_time = -1
module_name, symbol_name = mac.MacUtilities.lookup_module_address(
self.context, handlers, handler)
yield (0, (format_hints.Hex(handler), format_hints.Hex(timer.param0), format_hints.Hex(timer.param1), \
timer.deadline, entry_time, module_name, symbol_name))
def _generator(self):
layer = self.context.layers[self.config['primary']]
rules = None
if self.config.get('yara_rules', None) is not None:
rule = self.config['yara_rules']
if rule[0] not in ["{", "/"]:
rule = '"{}"'.format(rule)
if self.config.get('case', False):
rule += " nocase"
if self.config.get('wide', False):
rule += " wide ascii"
rules = yara.compile(sources={
'n':
'rule r1 {{strings: $a = {} condition: $a}}'.format(rule)
})
elif self.config.get('yara_file', None) is not None:
rules = yara.compile(file=resources.ResourceAccessor().open(
self.config['yara_file'], "rb"))
else:
vollog.error("No yara rules, nor yara rules file were specified")
for offset, name, value in layer.scan(
context=self.context, scanner=YaraScanner(rules=rules)):
yield (0, (format_hints.Hex(offset), name, value))
def _generator(self) -> Iterator[Tuple[int, Tuple[int, str]]]: # , str, int]]]:
if self.config.get("tags"):
tags = [tag for tag in self.config["tags"].split(',')]
else:
tags = None
for big_pool in self.list_big_pools(context = self.context,
layer_name = self.config["primary"],
symbol_table = self.config["nt_symbols"],
tags = tags):
num_bytes = big_pool.get_number_of_bytes()
if not isinstance(num_bytes, interfaces.renderers.BaseAbsentValue):
num_bytes = format_hints.Hex(num_bytes)
yield (0, (format_hints.Hex(big_pool.Va), big_pool.get_key(), big_pool.get_pool_type(), num_bytes))
def _generator(self):
vmlinux = contexts.Module(self.context, self.config['vmlinux'],
self.config['primary'], 0)
modules = lsmod.Lsmod.list_modules(self.context,
self.config['primary'],
self.config['vmlinux'])
handlers = linux.LinuxUtilities.generate_kernel_handler_info(
self.context, self.config['primary'], self.config['vmlinux'],
modules)
try:
knl_addr = vmlinux.object_from_symbol("keyboard_notifier_list")
except exceptions.SymbolError:
knl_addr = None
if not knl_addr:
raise TypeError(
"This plugin requires the keyboard_notifier_list structure. "
"This structure is not present in the supplied symbol table. "
"This means you are either analyzing an unsupported kernel version or that your symbol table is corrupt."
)
knl = vmlinux.object(object_type="atomic_notifier_head",
offset=knl_addr.vol.offset)
for call_back in linux.LinuxUtilities.walk_internal_list(
vmlinux, "notifier_block", "next", knl.head):
call_addr = call_back.notifier_call
module_name, symbol_name = linux.LinuxUtilities.lookup_module_address(
self.context, handlers, call_addr)
yield (0, [format_hints.Hex(call_addr), module_name, symbol_name])
def _generator(self):
vmlinux = contexts.Module(self.context, self.config['vmlinux'],
self.config['primary'], 0)
op_members = vmlinux.get_type('file_operations').members
seq_members = vmlinux.get_type('seq_operations').members
tcp = ("tcp_seq_afinfo", ["tcp6_seq_afinfo", "tcp4_seq_afinfo"])
udp = ("udp_seq_afinfo", [
"udplite6_seq_afinfo", "udp6_seq_afinfo", "udplite4_seq_afinfo",
"udp4_seq_afinfo"
])
protocols = [tcp, udp]
for (struct_type, global_vars) in protocols:
for global_var_name in global_vars:
# this will lookup fail for the IPv6 protocols on kernels without IPv6 support
try:
global_var = vmlinux.get_symbol(global_var_name)
except exceptions.SymbolError:
continue
global_var = vmlinux.object(object_type=struct_type,
offset=global_var.address)
for name, member, address in self._check_afinfo(
global_var_name, global_var, op_members, seq_members):
yield 0, (name, member, format_hints.Hex(address))
def _generator(self):
mac.MacUtilities.aslr_mask_symbol_table(self.context,
self.config['darwin'],
self.config['primary'])
kernel = contexts.Module(self._context, self.config['darwin'],
self.config['primary'], 0)
sysctl_list = kernel.object_from_symbol(symbol_name="sysctl__children")
for sysctl, name, val in self._process_sysctl_list(
kernel, sysctl_list):
check_addr = sysctl.oid_handler
if check_addr == 0:
sym_name = "<No Handler>"
else:
symbols = list(
self.context.symbol_space.get_symbols_by_location(
check_addr))
if len(symbols) > 0:
sym_name = str(symbols[0].split(constants.BANG)[1]) if constants.BANG in symbols[0] else \
str(symbols[0])
else:
sym_name = "UNKNOWN"
yield (0, (name, sysctl.oid_number, sysctl.get_perms(),
format_hints.Hex(check_addr), val, sym_name))
def get_record_tuple(service_record: interfaces.objects.ObjectInterface):
return (format_hints.Hex(service_record.vol.offset),
service_record.Order, service_record.get_pid(),
service_record.Start.description,
service_record.State.description, service_record.get_type(),
service_record.get_name(), service_record.get_display(),
service_record.get_binary())
def _generator(self):
symbol_table = self.config["nt_symbols"]
constraints = self.builtin_constraints(symbol_table)
for constraint, mem_object, header in self.generate_pool_scan(
self.context, self.config["primary"], symbol_table,
constraints):
# generate some type-specific info for sanity checking
if constraint.object_type == "Process":
name = mem_object.ImageFileName.cast(
"string",
max_length=mem_object.ImageFileName.vol.count,
errors="replace")
elif constraint.object_type == "File":
try:
name = mem_object.FileName.String
except exceptions.InvalidAddressException:
vollog.log(
constants.LOGLEVEL_VVV,
"Skipping file at {0:#x}".format(
mem_object.vol.offset))
continue
else:
name = renderers.NotApplicableValue()
yield (0,
(constraint.type_name, format_hints.Hex(header.vol.offset),
header.vol.layer_name, name))
