def testAllProcessMemoryWithFilesOnDisk(self): validator = MemoryValidatorClass() validator.Initialize('c:\\mem\\user\\') CounterMonitor.Start() with UpdateCounterForScope('main'): addr_space = utils.load_as(config) processList = tasks.pslist(addr_space) for processIndex, eprocess in enumerate(processList): imagename = str(eprocess.ImageFileName).lower() logging.info("---------------------------------------------") validator.Message = "ImageFileName:{0} UniqueProcessId:{1} DirectoryTableBase:{2}".format( eprocess.ImageFileName, eprocess.UniqueProcessId, eprocess.Pcb.DirectoryTableBase) if not any(s in imagename for s in self.PROCESS_TO_SCAN): continue validator.ImageName = imagename print '------process {} {}-------'.format( processIndex, imagename) config.process_id = eprocess.UniqueProcessId config.dtb = eprocess.Pcb.DirectoryTableBase task_space = eprocess.get_process_address_space() if not task_space: logging.error("Cannot acquire process AS") continue all_mods = list(eprocess.get_load_modules()) # PEB is paged out or no DLLs loaded if not all_mods: logging.error("Cannot load DLLs in process AS") continue validator.BuildLoadedModuleAddressesFromVol(all_mods) totalMods = len(all_mods) for modIndex, mod in enumerate(all_mods): print 'module {}/{} {}'.format(modIndex, totalMods, str(mod.BaseDllName)) with validator.ExceptionHandler( 'Failed comparing {0}'.format(imagename)): validator.InitializeModuleInfoFromVol(mod) if not task_space.is_valid_address(validator.DllBase): logging.error("Address is not valid in process AS") continue memoryData = task_space.zread(validator.DllBase, validator.SizeOfImage) if not memoryData: validator.Warn('failed to read memory data') continue validator.CompareExe(memoryData, validator.FullDllPath) CounterMonitor.Stop() validator.DumpFinalStats()
def testRunningProcesses(self): validator = MemoryValidatorClass() validator.Initialize('c:\\mem\\user\\') CounterMonitor.Start() System.request_debug_privileges() with UpdateCounterForScope('main'): system = System() system.scan_processes() totalProcesses = system.get_process_count() for processIndex, process in enumerate(system.iter_processes()): fileName = getattr(process, 'fileName') pid = getattr(process, 'dwProcessId') if not fileName or not pid: continue validator.ImageName = fileName logging.info("---------------------------------------------") validator.Message = "[{}] fileName:{} pid:{}".format(processIndex, fileName, pid) logging.info(validator.Message) if not any(s in fileName for s in self.PROCESS_TO_SCAN): continue print '------process {}/{} {}-------'.format(processIndex, totalProcesses, fileName) with validator.ExceptionHandler('Failed comparing {0}'.format(fileName)): process.scan_modules() mods = {} for module in process.iter_modules(): baseDllName = ntpath.basename(module.get_filename().lower()) mod = { 'BaseDllName' : baseDllName, 'FullDllName' : module.get_filename().lower(), 'StartAddr' : module.get_base(), 'EndAddr' : module.get_base() + module.get_size(), 'SizeOfImage' : module.get_size() } if not mods.get(baseDllName): mods[baseDllName] = [] mods[baseDllName].append(mod) validator.BuildLoadedModuleAddressesFromWinAppDbg(mods) totalMods = len(mods) for modIndex, modList in enumerate(mods.itervalues()): print 'module {}/{} {}'.format(modIndex, totalMods, modList[0]['BaseDllName']) for modIndex, mod in enumerate(modList): validator.InitializeModuleInfoFromWinAppDbg(mod) with validator.ExceptionHandler('failed comparing {0}'.format(mod)): memoryData = process.read(validator.DllBase, validator.SizeOfImage) if not memoryData: validator.Warn('failed to read memory data') continue validator.CompareExe(memoryData, validator.FullDllPath) CounterMonitor.Stop() validator.DumpFinalStats()
def testAllKernelModulesInMemoryToFilesOnDisk(self): validator = MemoryValidatorClass() validator.Initialize('c:\\mem\\kernel\\') CounterMonitor.Start() with UpdateCounterForScope('main'): addr_space = utils.load_as(config) all_mods = modules.Modules(config).calculate() validator.BuildLoadedModuleAddressesFromVol(all_mods) for mod in all_mods: with validator.ExceptionHandler( 'Failed comparing {0}'.format(mod)): validator.InitializeModuleInfoFromVol(mod) #bytearray is fast but screwing up pefile #memoryData = bytearray(addr_space.zread(self.DllBase, self.size_to_read)) memoryData = addr_space.zread(validator.DllBase, validator.SizeOfImage) if not memoryData: logging.error( 'failed to read memory data for {0}'.format( validator.FullDllPath)) continue validator.CompareExe(memoryData, validator.FullDllPath) CounterMonitor.Stop() validator.DumpFinalStats()