コード例 #1
0
    def testAllProcessMemoryWithFilesOnDisk(self):
        validator = MemoryValidatorClass()
        validator.Initialize('c:\\mem\\user\\')
        CounterMonitor.Start()
        with UpdateCounterForScope('main'):
            addr_space = utils.load_as(config)
            processList = tasks.pslist(addr_space)
            for processIndex, eprocess in enumerate(processList):
                imagename = str(eprocess.ImageFileName).lower()
                logging.info("---------------------------------------------")
                validator.Message = "ImageFileName:{0} UniqueProcessId:{1} DirectoryTableBase:{2}".format(
                    eprocess.ImageFileName, eprocess.UniqueProcessId,
                    eprocess.Pcb.DirectoryTableBase)
                if not any(s in imagename for s in self.PROCESS_TO_SCAN):
                    continue
                validator.ImageName = imagename
                print '------process {} {}-------'.format(
                    processIndex, imagename)
                config.process_id = eprocess.UniqueProcessId
                config.dtb = eprocess.Pcb.DirectoryTableBase

                task_space = eprocess.get_process_address_space()
                if not task_space:
                    logging.error("Cannot acquire process AS")
                    continue

                all_mods = list(eprocess.get_load_modules())
                # PEB is paged out or no DLLs loaded
                if not all_mods:
                    logging.error("Cannot load DLLs in process AS")
                    continue
                validator.BuildLoadedModuleAddressesFromVol(all_mods)
                totalMods = len(all_mods)
                for modIndex, mod in enumerate(all_mods):
                    print 'module {}/{} {}'.format(modIndex, totalMods,
                                                   str(mod.BaseDllName))
                    with validator.ExceptionHandler(
                            'Failed comparing {0}'.format(imagename)):
                        validator.InitializeModuleInfoFromVol(mod)
                        if not task_space.is_valid_address(validator.DllBase):
                            logging.error("Address is not valid in process AS")
                            continue
                        memoryData = task_space.zread(validator.DllBase,
                                                      validator.SizeOfImage)
                        if not memoryData:
                            validator.Warn('failed to read memory data')
                            continue
                        validator.CompareExe(memoryData, validator.FullDllPath)
        CounterMonitor.Stop()
        validator.DumpFinalStats()
コード例 #2
0
 def testRunningProcesses(self):
     validator = MemoryValidatorClass()
     validator.Initialize('c:\\mem\\user\\')
     CounterMonitor.Start()
     System.request_debug_privileges()
     with UpdateCounterForScope('main'):
         system = System()
         system.scan_processes()
         totalProcesses = system.get_process_count()
         for processIndex, process in enumerate(system.iter_processes()):
             fileName = getattr(process, 'fileName')
             pid = getattr(process, 'dwProcessId')
             if not fileName or not pid:
                 continue
             validator.ImageName = fileName
             logging.info("---------------------------------------------")
             validator.Message = "[{}] fileName:{} pid:{}".format(processIndex, fileName, pid)
             logging.info(validator.Message)
             if not any(s in fileName for s in self.PROCESS_TO_SCAN):
                 continue
             print '------process {}/{} {}-------'.format(processIndex, totalProcesses, fileName)
             with validator.ExceptionHandler('Failed comparing {0}'.format(fileName)):
                 process.scan_modules()
                 mods = {}
                 for module in process.iter_modules():
                     baseDllName = ntpath.basename(module.get_filename().lower())
                     mod = {
                         'BaseDllName' : baseDllName,
                         'FullDllName' : module.get_filename().lower(),
                         'StartAddr' : module.get_base(),
                         'EndAddr' : module.get_base() + module.get_size(),
                         'SizeOfImage' : module.get_size()
                     }
                     if not mods.get(baseDllName):
                         mods[baseDllName] = []
                     mods[baseDllName].append(mod)
                 validator.BuildLoadedModuleAddressesFromWinAppDbg(mods)
                 totalMods = len(mods)
                 for modIndex, modList in enumerate(mods.itervalues()):
                     print 'module {}/{} {}'.format(modIndex, totalMods, modList[0]['BaseDllName'])
                     for modIndex, mod in enumerate(modList):
                         validator.InitializeModuleInfoFromWinAppDbg(mod)
                         with validator.ExceptionHandler('failed comparing {0}'.format(mod)):
                             memoryData = process.read(validator.DllBase, validator.SizeOfImage)
                             if not memoryData:
                                 validator.Warn('failed to read memory data')
                                 continue
                             validator.CompareExe(memoryData, validator.FullDllPath)
     CounterMonitor.Stop()
     validator.DumpFinalStats()
コード例 #3
0
 def testAllKernelModulesInMemoryToFilesOnDisk(self):
     validator = MemoryValidatorClass()
     validator.Initialize('c:\\mem\\kernel\\')
     CounterMonitor.Start()
     with UpdateCounterForScope('main'):
         addr_space = utils.load_as(config)
         all_mods = modules.Modules(config).calculate()
         validator.BuildLoadedModuleAddressesFromVol(all_mods)
         for mod in all_mods:
             with validator.ExceptionHandler(
                     'Failed comparing {0}'.format(mod)):
                 validator.InitializeModuleInfoFromVol(mod)
                 #bytearray is fast but screwing up pefile
                 #memoryData = bytearray(addr_space.zread(self.DllBase, self.size_to_read))
                 memoryData = addr_space.zread(validator.DllBase,
                                               validator.SizeOfImage)
                 if not memoryData:
                     logging.error(
                         'failed to read memory data for {0}'.format(
                             validator.FullDllPath))
                     continue
                 validator.CompareExe(memoryData, validator.FullDllPath)
     CounterMonitor.Stop()
     validator.DumpFinalStats()