def generator(self, data): for reg, key in data: if key: subkeys = list(rawreg.subkeys(key)) values = list(rawreg.values(key)) yield (0, [ str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), "-", "-", "-", "-", "-", "-" ]) if subkeys: for s in subkeys: if s.Name == None: yield (0, [ str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), str("Unknown subkey: {0}".format( s.Name.reason)), "-", "-", "-", "-", "-" ]) else: yield (0, [ str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), str("{0}".format(s.Name)), str("{0:3s}".format(self.voltext(s))), "-", "-", "-", "-" ]) if values: for v in values: tp, dat = rawreg.value_data(v) if tp == 'REG_BINARY' or tp == 'REG_NONE': dat = Bytes(dat) if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode("ascii", 'backslashreplace') yield (0, [ str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), "-", "-", str(tp), str("{0}".format(v.Name)), str("{0:3s}".format(self.voltext(v))), str(dat) ])
def generator(self, data): if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR): debug.error(self._config.DUMP_DIR + " is not a directory") for o, addr, hit, content in data: owner = "Owner: (Unknown Kernel Memory)" if o == None: filename = "kernel.{0:#x}.dmp".format(addr) elif o.obj_name == "_EPROCESS": owner = "{0}: (Pid {1})".format(o.ImageFileName, o.UniqueProcessId) filename = "process.{0:#x}.{1:#x}.dmp".format( o.obj_offset, addr) else: owner = "{0}".format(o.BaseDllName) filename = "kernel.{0:#x}.{1:#x}.dmp".format( o.obj_offset, addr) # Dump the data if --dump-dir was supplied if self._config.DUMP_DIR: path = os.path.join(self._config.DUMP_DIR, filename) fh = open(path, "wb") fh.write(content) fh.close() yield (0, [str(hit.rule), owner, Address(addr), Bytes(content)])
def generator(self, data): if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR): debug.error(self._config.DUMP_DIR + " is not a directory") for task in data: for vad, address_space in task.get_vads( vad_filter=task._injection_filter): if self._is_vad_empty(vad, address_space): continue content = address_space.zread(vad.Start, 64) yield (0, [ str(task.ImageFileName), int(task.UniqueProcessId), Address(vad.Start), str(vad.Tag), str( vadinfo.PROTECT_FLAGS.get(vad.VadFlags.Protection.v(), "")), str(vad.VadFlags), Bytes(content) ]) # Dump the data if --dump-dir was supplied if self._config.DUMP_DIR: filename = os.path.join( self._config.DUMP_DIR, "process.{0:#x}.{1:#x}.dmp".format( task.obj_offset, vad.Start)) self.dump_vad(filename, vad, address_space)
def generator(self, data): for process, module, hook in data: if not self._config.NO_WHITELIST: process_name = "" if process: process_name = str(process.ImageFileName) if self.whitelist(hook.hook_mode | hook.hook_type, process_name, hook.VictimModule, hook.HookModule, hook.Function): continue procname = "N/A" pid = -1 if process: procname = str(process.ImageFileName) pid = int(process.UniqueProcessId) for n, info in enumerate(hook.disassembled_hops): (address, data) = info yield (0, [str(hook.Mode), str(hook.Type), procname, pid, str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')), Address(module.DllBase), Hex(module.DllBase + module.SizeOfImage), str(hook.Detail), Address(hook.hook_address), str(hook.HookModule), Address(address), Bytes(data)])
def generator(self, data): for process, cert in data: if cert.obj_name == "_X509_PUBLIC_CERT": ext = ".crt" else: ext = ".key" if process: file_name = "{0}-{1:x}{2}".format(process.UniqueProcessId, cert.obj_offset, ext) else: file_name = "phys.{0:x}{1}".format(cert.obj_offset, ext) full_path = os.path.join(self._config.DUMP_DIR, file_name) with open(full_path, "wb") as cert_file: cert_file.write(cert.object_as_string()) parsed_subject = "" if self._config.SSL: openssl_string = cert.as_openssl(full_path) parsed_subject = '/'.join( [v[1] for v in self.get_parsed_fields(openssl_string)]) yield (0, [ int(process.UniqueProcessId if process else -1), str(process.ImageFileName if process else "-"), Address(cert.obj_offset), str(cert.obj_name), int(cert.Size), str(file_name), str(parsed_subject), Bytes(cert.object_as_string()) ])
def generator(self, data): for key_type, key_name, key in data: pem = PvkToPem().convert(key) yield (0, [str(key_type), str(key_name), Bytes(key), str(pem).replace('\n', '\\n')])
def generator(self, data): for process_name, pid, vad, vad_bytes in data: scan_result, where = self.is_malicious(vad, vad_bytes) if scan_result: vad_protection = vadinfo.PROTECT_FLAGS.get(vad.VadFlags.Protection.v(), '') yield (0, [str(process_name), int(pid), Address(vad.Start), Address(vad.End), str(vad.Tag), str(vad_protection), str(vad.VadFlags), str(scan_result), Bytes(vad_bytes[where:where+64])])
def generator(self, data): for session, wndsta, clip, handle in data: # If no tagCLIP is provided, we do not know the format if not clip: fmt = obj.NoneObject("Format unknown") else: # Try to get the format name, but failing that, print # the format number in hex instead. if clip.fmt.v() in consts.CLIPBOARD_FORMAT_ENUM: fmt = str(clip.fmt) else: fmt = hex(clip.fmt.v()) # Try to get the handle from tagCLIP first, but # fall back to using _HANDLEENTRY.phead. Note: this can # be a value like DUMMY_TEXT_HANDLE (1) etc. if clip: handle_value = clip.hData else: handle_value = handle.phead.h clip_data = "" if handle: try: clip_data = ''.join( [chr(c) for c in handle.reference_object().abData]) except AttributeError: pass yield ( 0, [ int(session.SessionId), str(wndsta.Name), str(fmt), Hex(handle_value), Address(handle.phead.v()), Bytes(clip_data), ], )
def generator(self, data): for reg, key in data: if key: subkeys = list(rawreg.subkeys(key)) values = list(rawreg.values(key)) yield ( 0, [ f"{reg}", f"{key.Name}", f"{self.voltext(key):3s}", f"{key.LastWriteTime}", "-", "-", "-", "-", "-", "-", ], ) if subkeys: for s in subkeys: if s.Name == None: yield ( 0, [ f"{reg}", f"{key.Name}", f"{self.voltext(key):3s}", f"{key.LastWriteTime}", f"Unknown subkey: {s.Name.reason}", "-", "-", "-", "-", "-", ], ) else: yield ( 0, [ f"{reg}", f"{key.Name}", f"{self.voltext(key):3s}", f"{key.LastWriteTime}", f"{s.Name}", f"{self.voltext(s):3s}", "-", "-", "-", "-", ], ) if values: for v in values: tp, dat = rawreg.value_data(v) if tp == 'REG_BINARY' or tp == 'REG_NONE': dat = Bytes(dat) if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode("ascii", 'backslashreplace') yield ( 0, [ f"{reg}", f"{key.Name}", f"{self.voltext(key):3s}", f"{key.LastWriteTime}", "-", "-", f"{tp}", f"{v.Name}", f"{self.voltext(v):3s}", f"{dat}", ], )
def generator(self, data): if self._config.DISOFFSET: dis = self._config.DISOFFSET for offset, PARTITION_TABLE, boot_code in data: entry1 = PARTITION_TABLE.Entry1.dereference_as('PARTITION_ENTRY') entry2 = PARTITION_TABLE.Entry2.dereference_as('PARTITION_ENTRY') entry3 = PARTITION_TABLE.Entry3.dereference_as('PARTITION_ENTRY') entry4 = PARTITION_TABLE.Entry4.dereference_as('PARTITION_ENTRY') have_bootable = entry1.is_bootable_and_used( ) or entry2.is_bootable_and_used() or entry3.is_bootable_and_used( ) or entry4.is_bootable_and_used() if not self._config.NOCHECK and not have_bootable: # it doesn't really make sense to have a partition that is bootable, but empty or invalid # but we only skip MBRs with these types of partitions if we are checking continue distance = 0 h = hashlib.md5() f = hashlib.md5() h.update(self.code_data) f.update(boot_code) if self._config.HASH: hash = "{0}".format(h.hexdigest()) if hash.lower() != self._config.HASH.lower(): continue elif self._config.FULLHASH: hash = "{0}".format(f.hexdigest()) if hash.lower() != self._config.FULLHASH.lower(): continue if self.disk_mbr: distance = self.levenshtein( self._get_instructions(self.disk_mbr), self._get_instructions(boot_code)) if self._config.MAXDISTANCE != None and distance > self._config.MAXDISTANCE: continue disksig = "{0:02x}-{1:02x}-{2:02x}-{3:02x}".format( PARTITION_TABLE.DiskSignature[0], PARTITION_TABLE.DiskSignature[1], PARTITION_TABLE.DiskSignature[2], PARTITION_TABLE.DiskSignature[3]) yield (0, [ Address(offset), disksig, str(h.hexdigest()), str(f.hexdigest()), int(distance), "{0:#x} {1}".format( entry1.get_value(entry1.BootableFlag), "(Bootable)" if entry1.is_bootable() else ""), "{0:#x} ({1})".format(entry1.get_value(entry1.PartitionType), entry1.get_type()), Hex(entry1.StartingLBA), "Cylinder: {0} Head: {1} Sector: {2}".format( entry1.StartingCylinder(), entry1.StartingCHS[0], entry1.StartingSector()), "Cylinder: {0} Head: {1} Sector: {2}".format( entry1.EndingCylinder(), entry1.EndingCHS[0], entry1.EndingSector()), Hex(entry1.SizeInSectors), "{0:#x} {1}".format( entry2.get_value(entry2.BootableFlag), "(Bootable)" if entry2.is_bootable() else ""), "{0:#x} ({1})".format(entry2.get_value(entry2.PartitionType), entry2.get_type()), Hex(entry2.StartingLBA), "Cylinder: {0} Head: {1} Sector: {2}".format( entry2.StartingCylinder(), entry2.StartingCHS[0], entry2.StartingSector()), "Cylinder: {0} Head: {1} Sector: {2}".format( entry2.EndingCylinder(), entry2.EndingCHS[0], entry2.EndingSector()), Hex(entry2.SizeInSectors), "{0:#x} {1}".format( entry3.get_value(entry3.BootableFlag), "(Bootable)" if entry3.is_bootable() else ""), "{0:#x} ({1})".format(entry3.get_value(entry3.PartitionType), entry3.get_type()), Hex(entry3.StartingLBA), "Cylinder: {0} Head: {1} Sector: {2}".format( entry3.StartingCylinder(), entry3.StartingCHS[0], entry3.StartingSector()), "Cylinder: {0} Head: {1} Sector: {2}".format( entry3.EndingCylinder(), entry3.EndingCHS[0], entry3.EndingSector()), Hex(entry3.SizeInSectors), "{0:#x} {1}".format( entry4.get_value(entry4.BootableFlag), "(Bootable)" if entry4.is_bootable() else ""), "{0:#x} ({1})".format(entry4.get_value(entry4.PartitionType), entry4.get_type()), Hex(entry4.StartingLBA), "Cylinder: {0} Head: {1} Sector: {2}".format( entry4.StartingCylinder(), entry4.StartingCHS[0], entry4.StartingSector()), "Cylinder: {0} Head: {1} Sector: {2}".format( entry4.EndingCylinder(), entry4.EndingCHS[0], entry4.EndingSector()), Hex(entry4.SizeInSectors), Bytes(boot_code) ])
def generator(self, data): for reg, key in data: if key: subkeys = list(rawreg.subkeys(key)) values = list(rawreg.values(key)) yield (0, [str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), "-", "-", "-", "-", "-", "-"]) if subkeys: for s in subkeys: if s.Name == None: yield (0, [str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), str("Unknown subkey: {0}".format(s.Name.reason)), "-", "-", "-", "-", "-"]) else: yield (0, [str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), str("{0}".format(s.Name)), str("{0:3s}".format(self.voltext(s))), "-", "-", "-", "-"]) if values: for v in values: tp, dat = rawreg.value_data(v) if tp == 'REG_BINARY' or tp == 'REG_NONE': dat = Bytes(dat) if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']: dat = dat.encode("ascii", 'backslashreplace') if tp == 'REG_MULTI_SZ': for i in range(len(dat)): dat[i] = dat[i].encode("ascii", 'backslashreplace') yield (0, [str("{0}".format(reg)), str("{0}".format(key.Name)), str("{0:3s}".format(self.voltext(key))), str("{0}".format(key.LastWriteTime)), "-", "-", str(tp), str("{0}".format(v.Name)), str("{0:3s}".format(self.voltext(v))), str(dat)])
def generator(self, data): for k in data: yield (0, [str(k), Bytes(data[k])])