def render_scan_physical(self, renderer): """This method scans the physical memory.""" for rule, address, _, _ in self.generate_hits( self.physical_address_space): renderer.format("Rule: {0}\n", rule) context = self.physical_address_space.read(address, 0x40) utils.WriteHexdump(renderer, context, base=address)
def render(self, renderer): for entity in self.session.entities.find( query=("Buffer/purpose is 'zones' and " "any Buffer/context matches " " (AllocationZone/name is {zone_name})"), query_params=dict(zone_name=self.zone_name)): utils.WriteHexdump(renderer=renderer, data=entity["Buffer/contents"], base=entity["Buffer/address"][0])
def render_task_scan(self, renderer, task): task_as = task.get_process_address_space() for rule, address, _, _ in self.generate_hits(task_as): renderer.format("Rule: {0}\n", rule) renderer.format("Owner: {0}\n", task.ImageFileName) context = task_as.read(address, 0x40) utils.WriteHexdump(renderer, context, base=address)
def render_kernel_scan(self, renderer): for rule, address, _, _ in self.generate_hits( self.kernel_address_space): renderer.format("Rule: {0}\n", rule) owner = self.session.address_resolver.format_address(address) if not owner: owner = "Unknown" renderer.format("Owner: {0}\n", owner) context = self.kernel_address_space.read(address, 0x40) utils.WriteHexdump(renderer, context, base=address)
def render_task_scan(self, renderer, task): """Scan a task's address space.""" end = self.session.GetParameter("highest_usermode_address") task_as = task.get_process_address_space() for rule, address, _, _ in self.generate_hits(task_as, end=end): renderer.format("Rule: {0}\n", rule) renderer.format( "Owner: {0} ({1})\n", task, self.session.address_resolver.format_address(address)) context = task_as.read(address, 0x40) utils.WriteHexdump(renderer, context, base=address)
def render_task_scan_vad(self, renderer, task): """This method scans the process memory using the VAD.""" task_as = task.get_process_address_space() scanner = VadYaraScanner( session=self.session, rules=self.rules, task=task) for rule, address, _, hit in scanner.scan(): renderer.format("Rule: {0}\n", rule) renderer.format("Owner: {0}\n", task.ImageFileName) context = task_as.read(address, 0x40) utils.WriteHexdump(renderer, context, base=address)
def render_kernel_scan(self, renderer): modules = self.session.plugins.modules() for rule, address, _, _ in self.generate_hits( self.kernel_address_space): renderer.format("Rule: {0}\n", rule) # Find out who owns this hit. owner = modules.find_module(address) if owner: renderer.format("Owner: {0}\n", owner.BaseDllName) else: renderer.format("Owner: (Unknown Kernel Memory)\n") context = self.kernel_address_space.read(address, 0x40) utils.WriteHexdump(renderer, context, base=address)
def testEncoderCache(self): # Make the string long enough so that parts of it are garbage # collected. If the encoded uses id() to deduplicate it will fail since # id() might reuse across GCed objects. test_string = ("this_is_a_very_long_sentence" * 10) parts = [ test_string[x:x + 16] for x in xrange(0, len(test_string), 16) ] with data_export.DataExportRenderer( session=self.session, output=StringIO.StringIO()).start() as renderer: utils.WriteHexdump(renderer, test_string) rows = [] for row in renderer.data: if row[0] == "r": rows.append(row[1]["data"]) self.assertEqual(rows, parts)
def render_kernel_scan(self, renderer): modules = self.session.plugins.lsmod() for rule, address, _, hit in self.generate_hits( self.kernel_address_space): renderer.format("Rule: {0}\n", rule) # Find out who owns this hit. owner = modules.find_module(address) if owner: renderer.format("Owner: {0}\n", owner.name) filename = "kernel.{0:#x}.{1:#x}.dmp".format( owner.obj_offset, address) else: filename = "kernel.{0:#x}.dmp".format(address) renderer.format("Owner: (Unknown Kernel Memory)\n") context = self.kernel_address_space.read(address, 0x40) utils.WriteHexdump(renderer, context, base=address)
def render(self, outfd): for reg, key in self.find_count_keys(): if not key: continue outfd.write("----------------------------\n") outfd.write("Registry: {0}\n".format(reg.Name)) outfd.write("Key path: {0}\n".format(key.Path)) outfd.write("Last updated: {0}\n".format(key.LastWriteTime)) outfd.write("\n") outfd.write("Subkeys:\n") for subkey in key.subkeys(): outfd.write(" {0}\n".format(subkey.Name)) outfd.write("\n") outfd.write("Values:\n") for value in key.values(): # In windows 7, folder names are replaced by guids. value_name = str(value.Name).decode("rot13") value_name = self._resolve_gui_folders(value_name) outfd.write("\n{0:13} {1:15} :\n".format( value.Type, value_name)) # Decode the data if value.Type == "REG_BINARY": # Does this look like a userassist record? if value.DataLength == self.ua_profile.get_obj_size( "_VOLUSER_ASSIST_TYPES"): # Use the specialized profile to instantiate this object. uadata = self.ua_profile.Object( "_VOLUSER_ASSIST_TYPES", offset=value.Data, vm=value.obj_vm) self._render_assist_type(outfd, uadata) # Show a hexdump of the value as well. utils.WriteHexdump(outfd, value.DecodedData)
def render(self, renderer): renderer.format("Legend: (S) = Stable (V) = Volatile\n\n") for reg, key in self.list_keys(): self.session.report_progress("Printing %s", lambda key=key: key.Path) if key: renderer.format("----------------------------\n") renderer.format("Registry: {0}\n", reg.Name) renderer.format("Key name: {0} {1} @ {2:addrpad}\n", key.Name, self.voltext(key), key.obj_vm.vtop(int(key))) renderer.format("Last updated: {0}\n", key.LastWriteTime) renderer.format("\n") renderer.format("Subkeys:\n") for subkey in key.subkeys(): if not subkey.Name: renderer.format(" Unknown subkey: {0}\n", subkey.Name.reason) else: renderer.format(u" {1} {0}\n", subkey.Name, self.voltext(subkey)) renderer.format("\n") renderer.format("Values:\n") for value in key.values(): renderer.format("{0:addrpad} ", value.obj_vm.vtop(value)) if value.Type == 'REG_BINARY': data = value.DecodedData if isinstance(data, basestring): renderer.format( u"{0:width=13} {1:width=15} : {2}\n", value.Type, value.Name, self.voltext(value)) utils.WriteHexdump(renderer, value.DecodedData) else: renderer.format( u"{0:width=13} {1:width=15} : {2} {3}\n", value.Type, value.Name, self.voltext(value), utils.SmartUnicode(value.DecodedData).strip())
def render(self, outfd): for k, v in self.calculate(): outfd.write(k + "\n") utils.WriteHexdump(outfd, v) outfd.write("\n")