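def doProcessors(config):
    ''' Retrieve IDT data.

    Walks every KPCR found in the physical address space and exports, for
    each processor, the 256 entries of its interrupt descriptor table: the
    gate kind (marked by which of InvalidGate/TaskGate/InterruptGate/
    TrapGate is set), the handler address, the attribute bits, the code
    selector and -- only when ``find_module`` resolves the handler address
    to a loaded module -- that module's name. An entry that ends up with
    no ``Module`` therefore has a handler outside every loaded module,
    which is the classic sign of an IDT hook and is worth a closer look
    by whoever consumes this data.

    Args:
        config: Volatility-style config, passed through to
            ``utils.load_as`` and ``find_module``.

    Returns:
        A populated ``datastruct.rootType`` with one ``Processor`` per KPCR.
    '''
    idt_entry_count = 256  # x86/x64 IDTs always hold 256 vectors

    physical_address_space = utils.load_as(config)
    # NOTE(review): IdtBase is read out of the KPCR and the table is then
    # dereferenced through the *physical* address space after masking the
    # pointer value. A kernel address space used to be loaded here as well
    # but was never used, so it is gone; confirm against the caller whether
    # a kernel-space read was actually intended for the IDT walk.
    processors_obj = datastruct.rootType()

    for proc_num, kpcr in enumerate(FindKPCR(physical_address_space)):
        processor_obj = processors_obj.Processor.add()
        processor_obj.ID = proc_num

        idt_base = kpcr.IdtBase
        idt_entries = obj.Array(
            None,
            physical_address_space.address_mask(idt_base.v()),
            physical_address_space,
            count=idt_entry_count,
            target=idt_base.target)

        for idt in idt_entries:
            entry_obj = processor_obj.InterruptDescriptorTable.IDTEntry.add()
            # A 32-bit gate descriptor has no OffsetMiddle member; that is
            # how the two descriptor layouts are told apart.
            if not idt.m('OffsetMiddle'):
                gate_field, address, attributes = _decode_gate32(idt)
            else:
                gate_field, address, attributes = _decode_gate64(idt)

            # The gate kind is signalled by the presence of an empty field.
            setattr(entry_obj, gate_field, '')
            entry_obj.Address = address
            entry_obj.Attributes = attributes
            entry_obj.Selector = idt.Selector.v()

            # Module stays unset when the handler is outside every loaded
            # module -- consumers should treat that as a hook indicator.
            module = find_module(config, entry_obj.Address)
            if module:
                entry_obj.Module = module.FullDllName.v()

    return processors_obj


def _decode_gate32(idt):
    ''' Decode a 32-bit IDT gate descriptor.

    Returns ``(gate_field, address, attributes)`` where ``gate_field`` is
    the name of the IDTEntry member that marks the gate kind. ``Access`` is
    the P/DPL/S/type byte; the gate is reported invalid when the present
    bit (0x80) is clear, when the value does not fit in a byte, or when the
    type nibble is none of the known gate types.
    '''
    access = idt.Access
    gate_type = access & 0x1f
    if access >= 256 or (access & 0x80) != 0x80:
        gate_field = 'InvalidGate'
    elif gate_type == 0x5:
        gate_field = 'TaskGate'
    elif gate_type in (0x6, 0xe):  # 16- and 32-bit interrupt gates
        gate_field = 'InterruptGate'
    elif gate_type in (0x7, 0xf):  # 16- and 32-bit trap gates
        gate_field = 'TrapGate'
    else:
        gate_field = 'InvalidGate'
    address = (idt.ExtendedOffset << 16) | idt.Offset
    return gate_field, address, access


def _decode_gate64(idt):
    ''' Decode a 64-bit IDT gate descriptor.

    Returns ``(gate_field, address, attributes)``. The gate is reported
    invalid when either reserved field is non-zero, when the present bit is
    clear, or when ``Type`` is none of task (0x5), interrupt (0xe) or trap
    (0xf). ``attributes`` is this exporter's own packing of IST index, type,
    DPL and present bit -- it is not the descriptor's raw byte layout, so
    keep it in sync with whatever consumes the XML.
    '''
    gate_type = idt.Type
    if idt.Reserved0 != 0 or idt.Reserved1 != 0 or idt.Present == 0:
        gate_field = 'InvalidGate'
    elif gate_type == 0x5:
        gate_field = 'TaskGate'
    elif gate_type == 0xe:
        gate_field = 'InterruptGate'
    elif gate_type == 0xf:
        gate_field = 'TrapGate'
    else:
        gate_field = 'InvalidGate'
    address = (((idt.OffsetHigh & 0xffffffff) << 32)
               | ((idt.OffsetMiddle & 0xffff) << 16)
               | (idt.OffsetLow & 0xffff))
    attributes = ((idt.IstIndex << 13) | (gate_type << 3)
                  | (idt.Dpl << 1) | idt.Present)
    return gate_field, address, attributes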
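    def doDrivers(self, config, drivers, devices):
        ''' Export every driver object, with its devices, to ``drivers.xml``.

        For each ``(driver_name, driver_object)`` pair a Driver record is
        filled with the image the driver was loaded from, its entry points
        (``DriverInit``/``DriverStartIo``/``DriverUnload``), the complete
        IRP major-function dispatch table, the ``DriverExtension`` data when
        it is readable, and every device whose ``DriverObject`` back-pointer
        resolves to this driver. The dispatch table and entry points are
        exactly what an IRP-hooking rootkit overwrites, so they are exported
        verbatim; deciding whether a handler lies outside the driver's own
        image (``BaseAddress``/``Size``) is left to the consumer of the XML.

        Fields that have no Windows source here (hashes, start time,
        service start mode, Linux-only fields, ...) carry the placeholder
        values the schema expects.

        Args:
            config: Volatility-style config; ``config.OUTPUT_PATH`` is the
                directory the XML is written into.
            drivers: iterable of ``(driver_name, driver_object)`` pairs.
            devices: iterable of ``(device_name, device_object)`` pairs; it
                is walked exactly once, up front.

        Returns:
            None. The result is written to ``<OUTPUT_PATH>/drivers.xml``.
        '''
        import os  # function-local: the file's import block is out of view

        logging.debug("Doing DoDrivers")

        # Protobuf field names in IRP_MJ_* index order (0..27), i.e. the
        # order of _DRIVER_OBJECT.MajorFunction.
        irp_mj_fields = (
            'IRP_MJ_CREATE', 'IRP_MJ_CREATE_NAMED_PIPE', 'IRP_MJ_CLOSE',
            'IRP_MJ_READ', 'IRP_MJ_WRITE', 'IRP_MJ_QUERY_INFORMATION',
            'IRP_MJ_SET_INFORMATION', 'IRP_MJ_QUERY_EA', 'IRP_MJ_SET_EA',
            'IRP_MJ_FLUSH_BUFFERS', 'IRP_MJ_QUERY_VOLUME_INFORMATION',
            'IRP_MJ_SET_VOLUME_INFORMATION', 'IRP_MJ_DIRECTORY_CONTROL',
            'IRP_MJ_FILE_SYSTEM_CONTROL', 'IRP_MJ_DEVICE_CONTROL',
            'IRP_MJ_INTERNAL_DEVICE_CONTROL', 'IRP_MJ_SHUTDOWN',
            'IRP_MJ_LOCK_CONTROL', 'IRP_MJ_CLEANUP', 'IRP_MJ_CREATE_MAILSLOT',
            'IRP_MJ_QUERY_SECURITY', 'IRP_MJ_SET_SECURITY', 'IRP_MJ_POWER',
            'IRP_MJ_SYSTEM_CONTROL', 'IRP_MJ_DEVICE_CHANGE',
            'IRP_MJ_QUERY_QUOTA', 'IRP_MJ_SET_QUOTA', 'IRP_MJ_PNP',
        )

        # Index the devices by the physical address of their owning driver
        # once, instead of re-translating every device for every driver.
        devices_by_driver = {}
        for device_name, device_object in devices:
            owner = device_object.obj_native_vm.vtop(
                device_object.DriverObject.v())
            devices_by_driver.setdefault(owner, []).append(
                (device_name, device_object))

        driverObjList = driverdatastructs.rootType()

        for driver_name, driver_object in drivers:
            driverObj = driverObjList.Driver.add(
                resultitemtype=5)  # ResultDriverItem

            baseaddress = driver_object.DriverStart.v()
            module = find_module(config, baseaddress)
            driverObj.ImagePath = (module.FullDllName.v()
                                   if module and module.FullDllName else '')

            driverObj.BaseAddress = baseaddress
            driverObj.Type = driver_object.Type.v()
            driverObj.DeviceObj_Location = driver_object.obj_native_vm.vtop(
                driver_object.DeviceObject.v()) or 0
            # Entry points: a hooked DriverInit/StartIo/Unload is as telling
            # as a hooked dispatch entry, so export them untouched.
            driverObj.Driver_Init = driver_object.DriverInit.v()
            driverObj.Driver_StartIO = driver_object.DriverStartIo.v()
            driverObj.Driver_Unload = driver_object.DriverUnload.v()
            driverObj.StartTime = '0000-00-00 00:00:00'  # no reliable source for this
            driverObj.Dependencies = ''  # Linux-only field
            driverObj.Size = driver_object.DriverSize.v()
            driverObj.Instances = 0  # Linux-only field
            # DriverName may be unreadable; never hand None to the proto.
            driverObj.Name = adutils.SmartUnicode(
                driver_object.DriverName.v() or "Unknown")
            driverObj.StartedAs = ''
            driverObj.State = 4  # running
            driverObj.RealState = -1  # unknown
            driverObj.StartMode = -1  # unknown
            driverObj.RealStartMode = -1  # unknown
            driverObj.RealType = 0  # unknown
            driverObj.Path = ''
            driverObj.plist = ''
            # Image hashing is not done from memory; placeholders keep the
            # schema happy. FuzzySize/Fuzzy/Fuzzy2X are intentionally unset.
            driverObj.MD5 = BLANK_MD5
            driverObj.SHA1 = BLANK_SHA1
            driverObj.KFFStatus = 0  # no known-file lookup performed
            driverObj.processid = 0  # meaningless for drivers

            # Full IRP dispatch table, one field per major function code.
            major_functions = driver_object.MajorFunction
            for index, field_name in enumerate(irp_mj_fields):
                setattr(driverObj, field_name, major_functions[index].v())

            # DriverExtension is optional (it may be unmapped or garbage);
            # fall back to placeholders, but leave a trace of why.
            try:
                driver_extension = driver_object.DriverExtension
                driverObj.ServiceKeyName = (driver_extension.ServiceKeyName
                                            or '<UNAVAILABLE>')
                driverObj.DriverObj_Location = driver_object.obj_native_vm.vtop(
                    driver_extension.DriverObject.v()) or 0
            except Exception as exc:
                logging.debug("DriverExtension unavailable for %s: %s",
                              driver_name, exc)
                driverObj.ServiceKeyName = '<UNAVAILABLE>'
                driverObj.DriverObj_Location = 0

            # Devices whose DriverObject back-pointer resolves to this driver.
            for device_name, device_object in devices_by_driver.get(
                    driver_object.v(), []):
                driverObj.Driver_Device_List.Device.add(
                    Name=device_name,
                    DeviceObj_Location=device_object.v() or 0,
                    DriverObj_Location=device_object.obj_native_vm.vtop(
                        device_object.DriverObject.v() or 0) or 0,
                    NextDeviceObj_Location=device_object.obj_native_vm.vtop(
                        device_object.NextDevice.v() or 0) or 0,
                    AttachedDeviceObj_Location=device_object.obj_native_vm.vtop(
                        device_object.AttachedDevice.v() or 0) or 0)

        # os.path.join so an OUTPUT_PATH without a trailing separator still
        # lands in the output directory; the handle is closed on every path.
        output_path = os.path.join(config.OUTPUT_PATH, "drivers.xml")
        with open(output_path, "w") as out:
            out.write(proto2xml(driverObjList, indent=0))
        logging.debug("Completed exporting the drivers on the system")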
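    def doDrivers(self, config, drivers, devices):
        ''' Export every driver object, with its devices, to ``drivers.xml``.

        For each ``(driver_name, driver_object)`` pair a Driver record is
        filled with the image the driver was loaded from, its entry points
        (``DriverInit``/``DriverStartIo``/``DriverUnload``), the complete
        IRP major-function dispatch table, the ``DriverExtension`` data when
        it is readable, and every device whose ``DriverObject`` back-pointer
        resolves to this driver. The dispatch table and entry points are
        exactly what an IRP-hooking rootkit overwrites, so they are exported
        verbatim; deciding whether a handler lies outside the driver's own
        image (``BaseAddress``/``Size``) is left to the consumer of the XML.

        Fields that have no Windows source here (hashes, start time,
        service start mode, Linux-only fields, ...) carry the placeholder
        values the schema expects.

        Args:
            config: Volatility-style config; ``config.OUTPUT_PATH`` is the
                directory the XML is written into.
            drivers: iterable of ``(driver_name, driver_object)`` pairs.
            devices: iterable of ``(device_name, device_object)`` pairs; it
                is walked exactly once, up front.

        Returns:
            None. The result is written to ``<OUTPUT_PATH>/drivers.xml``.
        '''
        import os  # function-local: the file's import block is out of view

        logging.debug("Doing DoDrivers")

        # Protobuf field names in IRP_MJ_* index order (0..27), i.e. the
        # order of _DRIVER_OBJECT.MajorFunction.
        irp_mj_fields = (
            'IRP_MJ_CREATE', 'IRP_MJ_CREATE_NAMED_PIPE', 'IRP_MJ_CLOSE',
            'IRP_MJ_READ', 'IRP_MJ_WRITE', 'IRP_MJ_QUERY_INFORMATION',
            'IRP_MJ_SET_INFORMATION', 'IRP_MJ_QUERY_EA', 'IRP_MJ_SET_EA',
            'IRP_MJ_FLUSH_BUFFERS', 'IRP_MJ_QUERY_VOLUME_INFORMATION',
            'IRP_MJ_SET_VOLUME_INFORMATION', 'IRP_MJ_DIRECTORY_CONTROL',
            'IRP_MJ_FILE_SYSTEM_CONTROL', 'IRP_MJ_DEVICE_CONTROL',
            'IRP_MJ_INTERNAL_DEVICE_CONTROL', 'IRP_MJ_SHUTDOWN',
            'IRP_MJ_LOCK_CONTROL', 'IRP_MJ_CLEANUP', 'IRP_MJ_CREATE_MAILSLOT',
            'IRP_MJ_QUERY_SECURITY', 'IRP_MJ_SET_SECURITY', 'IRP_MJ_POWER',
            'IRP_MJ_SYSTEM_CONTROL', 'IRP_MJ_DEVICE_CHANGE',
            'IRP_MJ_QUERY_QUOTA', 'IRP_MJ_SET_QUOTA', 'IRP_MJ_PNP',
        )

        # Index the devices by the physical address of their owning driver
        # once, instead of re-translating every device for every driver.
        devices_by_driver = {}
        for device_name, device_object in devices:
            owner = device_object.obj_native_vm.vtop(
                device_object.DriverObject.v())
            devices_by_driver.setdefault(owner, []).append(
                (device_name, device_object))

        driverObjList = driverdatastructs.rootType()

        for driver_name, driver_object in drivers:
            driverObj = driverObjList.Driver.add(
                resultitemtype=5)  # ResultDriverItem

            baseaddress = driver_object.DriverStart.v()
            module = find_module(config, baseaddress)
            driverObj.ImagePath = (module.FullDllName.v()
                                   if module and module.FullDllName else '')

            driverObj.BaseAddress = baseaddress
            driverObj.Type = driver_object.Type.v()
            driverObj.DeviceObj_Location = driver_object.obj_native_vm.vtop(
                driver_object.DeviceObject.v()) or 0
            # Entry points: a hooked DriverInit/StartIo/Unload is as telling
            # as a hooked dispatch entry, so export them untouched.
            driverObj.Driver_Init = driver_object.DriverInit.v()
            driverObj.Driver_StartIO = driver_object.DriverStartIo.v()
            driverObj.Driver_Unload = driver_object.DriverUnload.v()
            driverObj.StartTime = '0000-00-00 00:00:00'  # no reliable source for this
            driverObj.Dependencies = ''  # Linux-only field
            driverObj.Size = driver_object.DriverSize.v()
            driverObj.Instances = 0  # Linux-only field
            # DriverName may be unreadable; never hand None to the proto.
            driverObj.Name = adutils.SmartUnicode(
                driver_object.DriverName.v() or "Unknown")
            driverObj.StartedAs = ''
            driverObj.State = 4  # running
            driverObj.RealState = -1  # unknown
            driverObj.StartMode = -1  # unknown
            driverObj.RealStartMode = -1  # unknown
            driverObj.RealType = 0  # unknown
            driverObj.Path = ''
            driverObj.plist = ''
            # Image hashing is not done from memory; placeholders keep the
            # schema happy. FuzzySize/Fuzzy/Fuzzy2X are intentionally unset.
            driverObj.MD5 = BLANK_MD5
            driverObj.SHA1 = BLANK_SHA1
            driverObj.KFFStatus = 0  # no known-file lookup performed
            driverObj.processid = 0  # meaningless for drivers

            # Full IRP dispatch table, one field per major function code.
            major_functions = driver_object.MajorFunction
            for index, field_name in enumerate(irp_mj_fields):
                setattr(driverObj, field_name, major_functions[index].v())

            # DriverExtension is optional (it may be unmapped or garbage);
            # fall back to placeholders, but leave a trace of why.
            try:
                driver_extension = driver_object.DriverExtension
                driverObj.ServiceKeyName = (driver_extension.ServiceKeyName
                                            or '<UNAVAILABLE>')
                driverObj.DriverObj_Location = driver_object.obj_native_vm.vtop(
                    driver_extension.DriverObject.v()) or 0
            except Exception as exc:
                logging.debug("DriverExtension unavailable for %s: %s",
                              driver_name, exc)
                driverObj.ServiceKeyName = '<UNAVAILABLE>'
                driverObj.DriverObj_Location = 0

            # Devices whose DriverObject back-pointer resolves to this driver.
            for device_name, device_object in devices_by_driver.get(
                    driver_object.v(), []):
                driverObj.Driver_Device_List.Device.add(
                    Name=device_name,
                    DeviceObj_Location=device_object.v() or 0,
                    DriverObj_Location=device_object.obj_native_vm.vtop(
                        device_object.DriverObject.v() or 0) or 0,
                    NextDeviceObj_Location=device_object.obj_native_vm.vtop(
                        device_object.NextDevice.v() or 0) or 0,
                    AttachedDeviceObj_Location=device_object.obj_native_vm.vtop(
                        device_object.AttachedDevice.v() or 0) or 0)

        # os.path.join so an OUTPUT_PATH without a trailing separator still
        # lands in the output directory; the handle is closed on every path.
        output_path = os.path.join(config.OUTPUT_PATH, "drivers.xml")
        with open(output_path, "w") as out:
            out.write(proto2xml(driverObjList, indent=0))
        logging.debug("Completed exporting the drivers on the system")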