def root_kit_scan(name): if name == None: return 0 else: hash_file_read = open("./config/" + name + "_hash", "r") read_data = hash_file_read.readlines() # initialize vm vm = pyvmi.init(name, "complete") if vm == None: return 0 else: kernel_start = vm.translate_ksym2v("_stext") kernel_end = vm.translate_ksym2v("_etext") count = 0 for i in read_data: hash_val_array = i.split() sym_name = hash_val_array[0] hash_val = hash_val_array[1] sym_va = vm.read_addr_ksym(sym_name) if sym_va <= kernel_end or sym_va >= kernel_start: string = vm.read_str_ksym(sym_name) re_hash_val = hashlib.md5(string).hexdigest() if (re_hash_val != hash_val): count = count + 1 continue else: continue else: count = count + 1 if count > 0: return count else: return count
def kernel_check(name): if name == None: return 0 else: string = "" vm = pyvmi.init(name, "complete") kernel_start = vm.translate_ksym2v("_stext") kernel_end = vm.translate_ksym2v("_etext") i = kernel_start while i < kernel_end: memory = vm.read_va(i, 0, 512) string = string + memory i = i + 512 # time to hash it final_hash = hashlib.md5(string).hexdigest() init_kernel = open("./config/" + name + "_kernel", "r") while True: kernel_initial = init_kernel.readline().split() if kernel_initial[1] == name: init_hash = kernel_initial[2] break else: continue if (final_hash != init_hash): init_kernel.close() return 1 else: init_kernel.close() return 0
def main(self, *a, **kw): # Setup physical memory if hasattr(self, "domain"): self.vm = pyvmi.init(self.domain, "partial") else: self.parser.error("PyVmiFS: must provide a Xen domain to mount") Fuse.main(self, *a, **kw)
def write_sys_tab_hash(name): if name == None: return 0 else: vm = pyvmi.init(name, "complete") if (vm == None): print "Failed to start libvmi" return 0 else: # to create symbol file file = open("./guest_sysmap/" + name + "/" + name, "r") file2 = open("./config/" + name + "_hash", "w") sym_array = file.readlines() for i in sym_array: sym_split = i.split() sym_name = sym_split[2] sym_check = sym_name.split("_") if sym_check[0] == "sys": content = vm.read_str_ksym(sym_name) addr = vm.read_addr_ksym(sym_name) hash = hashlib.md5(content).hexdigest() file2.write(sym_name + " " + hash + "\n") elif sym_check == "": sys.exit(0) else: continue file.close() file2.close() return 1
def __init__(self, base, config, layered = False, **kwargs): addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs) self.as_assert(base == None or layered, "Must be first Address Space") self.as_assert(config.LOCATION.startswith("vmi://"), "Location doesn't start with vmi://") self.name = urllib.url2pathname(config.LOCATION[6:]) self.vmi = pyvmi.init(self.name, "partial") self.as_assert(not self.vmi is None, "VM not found") self.dtb = self.get_cr3()
def init_pyvmi_config(self, config): sanitized_config = {} for k, v in config.iteritems(): san_v = v if isinstance(v, unicode): san_v = str(v) sanitized_config[str(k)] = san_v self.vmi = pyvmi.init(sanitized_config) return True
def vmiInit(vmstrings): global vmList,VMIList VMIList=[] vmList=vmstrings.split(' ') print "vmi init: ",vmList for i in range(len(vmList)): if(vmList[i]!=''): print "vmi init ", vmList[i] VMIList+=[pyvmi.init(vmList[i], "complete")]
def __init__(self, base, config, layered=False, **kwargs): addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs) self.as_assert(base == None or layered, "Must be first Address Space") self.as_assert(config.LOCATION.startswith("vmi://"), "Location doesn't start with vmi://") self.name = urllib.url2pathname(config.LOCATION[6:]) self.vmi = pyvmi.init(self.name, "partial") self.as_assert(not self.vmi is None, "VM not found") self.dtb = self.get_cr3()
def main(argv): vmi = pyvmi.init(argv[1], "complete") if vmi.get_access_mode() == 'file': print("Process listing for File {}".format(vmi.get_name())) else: print("Process listing for VM {}".format(vmi.get_name())) for pid, procname in processes(vmi): print "[%5d] %s" % (pid, procname)
def __init__(self, base, config, layered=False, **kwargs): addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs) self.as_assert(base == None or layered, "Must be first Address Space") self.as_assert(config.LOCATION.startswith("vmi://"), "Location doesn't start with vmi://") self.config = dict(inittype="partial") if config.LOCATION.find("domid/") == 6: self.domid = int(urllib.url2pathname(config.LOCATION[12:])) self.config['domid'] = self.domid elif config.LOCATION.find("name/") == 6: self.name = urllib.url2pathname(config.LOCATION[11:]) self.config['name'] = self.name else: self.name = urllib.url2pathname(config.LOCATION[6:]) self.config['name'] = self.name self.vmi = pyvmi.init(self.config) self.as_assert(not self.vmi is None, "VM not found") self.dtb = self.get_cr3()
def GET(self, uuid, command): print uuid, command web.header('Access-Control-Allow-Origin', '*') (win, name, profile) = profiles[uuid] if command == 'libvmi_pslist': vmi = pyvmi.init(name, "complete") pslist = get_processes(vmi, win) res = '' for pid, procname in pslist: res += "[%5d] %s" % (pid, procname) + '\n' res = command + '\n\n' + res return res else: cmd = 'python vol.py -l vmi://%s --profile=%s %s' % (name, profile, command) res = os.popen(cmd).read() res = command + '\n\n' + res return res
def __init__(self, base, config, layered=False, **kwargs): addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs) self.as_assert(base == None or layered, "Must be first Address Space") self.as_assert( config.LOCATION.startswith("vmi://"), "Location doesn't start with vmi://") self.config = dict(inittype="partial") if config.LOCATION.find("domid/") == 6: self.domid = int(urllib.url2pathname(config.LOCATION[12:])) self.config['domid']=self.domid elif config.LOCATION.find("name/") == 6: self.name = urllib.url2pathname(config.LOCATION[11:]) self.config['name'] = self.name else: self.name = urllib.url2pathname(config.LOCATION[6:]) self.config['name'] = self.name self.vmi = pyvmi.init(self.config) self.as_assert(not self.vmi is None, "VM not found") self.dtb = self.get_cr3()
def list_modules(vmname): vm = pyvmi.init(vmname, "complete") if vm == None: return 0 else: next_module = vm.translate_ksym2v("modules") list_head = next_module while True: tmp_next = vm.read_addr_va(next_module, 0) if list_head == tmp_next: break else: if (vm.get_page_mode() == 'ia32e'): modname = vm.read_str_va(next_module + 16, 0) else: modname = vm.read_str_va(next_module + 8, 0) print modname next_module = tmp_next
def main(argv): print("The pid for this process is: {}".format(os.getpid())) try: vmi = pyvmi.init(MEM_PATH, "complete") except ValueError: print("Please check your VMI config for {}".format(MEM_PATH)) exit(1) procs_pyvmi = dict({x.pid:x for x in pyvmi_get_processes(vmi)}) procs_debugfs = dict({(x.pid, x) for x in debugfs_get_processes()}) attr_verify = ["uid", "gid", "ppid"] for pid, proc_pyvmi in procs_pyvmi.iteritems(): if pid in procs_debugfs: proc_debugfs = procs_debugfs[pid] if not proc_debugfs == proc_pyvmi: try: check_privilege_escalation(proc_pyvmi, proc_debugfs, attr_verify) except AssertionError as e: print(str(e))
def process_list(vmname): vmi = pyvmi.init(vmname, "complete") taskoffset, nameoffset, pidoffset, init_task_va = get_offsets(vmi) processes = vmi.read_addr_va(init_task_va + taskoffset, 0) current_process = processes while True: pid = vmi.read_32_va(current_process + pidoffset - taskoffset, 0) procname = vmi.read_str_va(current_process + nameoffset - taskoffset, 0) yield pid, procname current_process = vmi.read_addr_va(current_process, 0) if current_process == processes: break return
def kernel_config(name): if (name == None): return 0 else: # get kernel hash value vm = pyvmi.init(name, "complete") if vm == None: return 0 else: kernel_start = vm.translate_ksym2v("_stext") kernel_end = vm.translate_ksym2v("_etext") file_input = open("./config/" + name + "_kernel", "w+") i = kernel_start kernel_string = "" while i < kernel_end: memory = vm.read_va(i, 0, 512) kernel_string = kernel_string + memory i = i + 512 hash = hashlib.md5(kernel_string).hexdigest() file_input.write("kernel_hash " + name + " " + hash) file_input.close() print "Kernel_hash for " + name + " configured" return 1
def init_pyvmi_name(self, name): self.vmi = pyvmi.init(name, 'complete') return True
def main (argv): vmi = pyvmi.init(argv[1], "complete") process_list(vmi)
import pyvmi import sys vmi = pyvmi.init("VM2-ovs", "complete") #vmi = pyvmi.init(sys.argv[0], "complete") def list_processes(vmi): tasksOffset = vmi.get_offset("linux_tasks") nameOffset = vmi.get_offset("linux_name") pidOffset = vmi.get_offset("linux_pid") init_task_va = vmi.translate_ksym2v("init_task") processes = vmi.read_addr_va(init_task_va+tasksOffset, 0) current_process = processes while True: pid = vmi.read_32_va(current_process+pidOffset-tasksOffset, 0) procname = vmi.read_str_va(current_process+nameOffset-tasksOffset, 0) yield pid, procname current_process = vmi.read_addr_va(current_process,0) if current_process == processes: break return for i in range(100): for pid, procname in list_processes(vmi): print "%d, %s" % ( pid, procname ) print "i = ", i
def main(argv): vmi = pyvmi.init(argv[1], "complete") get_processes(vmi)
def main(argv): vmi = pyvmi.init(argv[1], "complete") for pid, procname in get_processes(vmi): print "[%5d] %s" % (pid, procname)
def vmiInit(VMName): print "init ", VMName global VMIList VMIList[VMName]=pyvmi.init(VMName, "complete") print VMIList