def __init__(self, ctx):
fe.log('in memdump constructor')
fe.set_name('memdump')
fe.log('getting memsize')
self.memsize = fe.get_memsize()
fe.log(f'memsize: {self.memsize}')
self.offset = 0
self.ttl = 100
#self.bound = fe.MAX_FIELD_SIZE - 1024
#self.bound = 8096
self.bound = 2**22
self.did = -1
fe.event_register({'event_type': fe.BE, 'callback': self.be_callback})
fe.event_register({
'event_type': fe.TIMER,
'time_value': 2.0,
'callback': self.timer_callback
})
self.ticks = 0
self.one_way = False
self.two_way = False
self.zco = zlib.compressobj()
fe.log('leaving memdump constructor')
def __init__(self, ctx):
fe.log("in pslist constructor")
fe.set_name("pslist")
self.lookups = {
"name_offset": fe.lookup_structure("task_struct", "comm"),
"pid_offset": fe.lookup_structure("task_struct", "pid"),
"tasks_offset": fe.lookup_structure("task_struct", "tasks"),
"init_task": fe.lookup_symbol("init_task"),
}
e = {"event_type": fe.BE, "callback": self.be_callback}
fe.event_register(e)
e = {
"event_type": fe.TIMER,
"time_value": 0.1, # seconds
"callback": self.timer_callback,
}
fe.event_register(e)
self.pslist = {}
self.log = []
self.calls = []
self.msgs = []
self.procs = []
fe.log("leaving pslist constructor")
def __init__(self, ctx):
fe.log("in memdump constructor")
fe.set_name("memdump")
fe.log("getting memsize")
self.memsize = fe.get_memsize()
fe.log(f"memsize: {self.memsize}")
self.offset = 0
self.ttl = 100
# self.bound = fe.MAX_FIELD_SIZE - 1024
# self.bound = 8096
self.bound = 2 ** 22
self.did = -1
fe.event_register({"event_type": fe.BE, "callback": self.be_callback})
fe.event_register(
{"event_type": fe.TIMER, "time_value": 2.0, "callback": self.timer_callback}
)
self.ticks = 0
self.one_way = False
self.two_way = False
self.zco = zlib.compressobj()
fe.log("leaving memdump constructor")
def __init__(self, ctx):
fe.log("in Example constructor")
fe.set_name("example")
self.cr3_ctr = 0
self.cr3_event = None
self.pslist = {}
self.lookups = {
"name_offset": fe.lookup_structure("task_struct", "comm"),
"pid_offset": fe.lookup_structure("task_struct", "pid"),
"tasks_offset": fe.lookup_structure("task_struct", "tasks"),
"init_task": fe.lookup_symbol("init_task"),
}
fe.events_start()
e = {
"event_type": fe.REG,
"reg_type": fe.CR3,
"sync": fe.ASYNC,
"callback": self.cr3_callback,
}
self.cr3_event = fe.event_register(e)
fe.log("registered CR3 event: {eid}".format(eid=self.cr3_event))
e = {
"event_type": fe.TIMER,
"time_value": 10.0, # seconds
"callback": self.timer_callback,
}
fe.event_register(e)
e = {"event_type": fe.BE, "callback": self.be_callback}
fe.event_register(e)
fe.log("leaving Example constructor")
def __init__(self, ctx):
fe.log("in arav constructor")
fe.set_name("arav")
self.l = {
"name_offset": fe.lookup_structure("task_struct", "comm"),
"pid_offset": fe.lookup_structure("task_struct", "pid"),
"tasks_offset": fe.lookup_structure("task_struct", "tasks"),
"mm_offset": fe.lookup_structure("task_struct", "mm"),
"pgd_offset": fe.lookup_structure("mm_struct", "pgd"),
"vm_file_offset": fe.lookup_structure("vm_area_struct", "vm_file"),
"vm_file_path_offset": fe.lookup_structure("file", "f_path"),
"path_dentry_offset": fe.lookup_structure("path", "dentry"),
"dentry_d_name_offset": fe.lookup_structure("dentry", "d_name"),
"dentry_d_parent_offset":
fe.lookup_structure("dentry", "d_parent"),
"d_name_str_offset": fe.lookup_structure("qstr", "name"),
"commit_creds": fe.lookup_symbol("commit_creds"),
}
e = {"event_type": fe.BE, "callback": self.be_callback}
fe.event_register(e)
e = {
"event_type": fe.TIMER,
"time_value": 2.0,
"callback": self.timer_callback
}
fe.event_register(e)
self.state = INIT
self.pslist = {}
self.events = {}
self.target_proc = {}
self.last = 0.0
self.tick = 0
self.symbol_string = ""
self.symbols = {}
self.fmts = []
self.users = []
self.load_symbols()
self.parse_symbols()
fe.events_start()
fe.log("leaving arav constructor")
def __init__(self, ctx):
fe.log("in syscalls constructor")
fe.set_name("syscalls")
e = {"event_type": fe.BE, "callback": self.be_callback}
fe.event_register(e)
e = {
"event_type": fe.TIMER,
"time_value": 2.0, # seconds
"callback": self.timer_callback,
}
fe.event_register(e)
self.ticks = 0
self.calls = 0
fe.log("leaving syscalls constructor")
def __init__(self, ctx):
fe.set_name("modlist")
self.pslist = {}
self.lookups = {
"name_offset": fe.lookup_structure("task_struct", "comm"),
"pid_offset": fe.lookup_structure("task_struct", "pid"),
"tasks_offset": fe.lookup_structure("task_struct", "tasks"),
"modules": fe.lookup_symbol("modules"),
}
e = {"event_type": fe.BE, "callback": self.be_callback}
fe.event_register(e)
self.do_modlist()
fe.exit()
def __init__(self, ctx):
fe.log("in pslist_dk constructor")
fe.set_name("pslist_dk")
e = {"event_type": fe.BE, "callback": self.be_callback}
fe.event_register(e)
self.pslist = {}
self.log = []
self.calls = []
self.msgs = []
self.procs = []
timeit_on = False
cprof = False
if cprof:
self.do_dk_pslist(pause=True) # zmq warmup
cProfile.runctx(
"self.do_dk_pslist()",
globals(),
locals(),
filename="/home/micah/femain.dk.profile",
)
if timeit_on:
self.do_dk_pslist(pause=True) # zmq warmup
fe.pause_vm()
t = timeit.Timer(lambda: self.do_dk_pslist()).timeit(number=100)
t = t / 100.0
fe.resume_vm()
fe.log("timeit pslist in {sec:.6f} seconds".format(sec=t))
else:
self.pslist = {}
gc.disable()
self.do_dk_pslist(pause=True)
gc.enable()
fe.log(self.pslist)
for l in self.log:
fe.log(l)
fe.log("calls: %s" % self.calls)
fe.log("procs: %s" % self.procs)
fe.log("msgs: %s" % self.msgs)
fe.log("leaving pslist_dk constructor")
fe.exit()
def __init__(self, ctx):
fe.log("in rekall constructor")
fe.set_name("rekall")
e = {"event_type": fe.BE, "callback": self.be_callback}
fe.event_register(e)
e = {
"event_type": fe.TIMER,
"time_value": 2.0, # seconds
"callback": self.timer_callback,
}
fe.event_register(e)
self.ticks = 0
self.one_way = False
self.two_way = False
fe.log("leaving rekall constructor")