Python DiscontigYaraScannerの例、volatility.plugins.malware.malfind.DiscontigYaraScanner Pythonの例

コード例 #1

0

ファイルを表示

    def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error(
                "Please install Yara from code.google.com/p/yara-project")

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the linux plugin address spaces
        linux_common.set_plugin_members(self)

        if self._config.KERNEL:
            ## the start of kernel memory taken from VolatilityLinuxIntelValidAS
            if self.addr_space.profile.metadata.get('memory_model',
                                                    '32bit') == "32bit":
                kernel_start = 0xc0000000
            else:
                kernel_start = 0xffffffff80000000

            scanner = malfind.DiscontigYaraScanner(
                rules=rules, address_space=self.addr_space)

            for hit, address in scanner.scan(start_offset=kernel_start):
                yield (None, address, hit,
                       scanner.address_space.zread(address, 64))
        else:
            for task in pslist.linux_pslist(self._config).calculate():
                scanner = VmaYaraScanner(task=task, rules=rules)
                for hit, address in scanner.scan():
                    yield (task, address, hit,
                           scanner.address_space.zread(address, 64))

コード例 #2

0

ファイルを表示

    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not has_yara:
            debug.error("You must install yara to use this plugin")

        if not self._config.DUMP_DIR:
            debug.error("You must supply a --dump-dir parameter")

        if self._config.PHYSICAL:
            # Find the FileAddressSpace
            while addr_space.__class__.__name__ != "FileAddressSpace":
                addr_space = addr_space.base
            scanner = malfind.DiscontigYaraScanner(address_space=addr_space,
                                                   rules=DumpCerts.rules)
            for hit, address in scanner.scan():
                cert = obj.Object(
                    DumpCerts.type_map.get(hit.rule),
                    vm=scanner.address_space,
                    offset=address,
                )
                if cert.is_valid():
                    yield None, cert
        else:
            for process in self.filter_tasks(tasks.pslist(addr_space)):
                scanner = malfind.VadYaraScanner(task=process,
                                                 rules=DumpCerts.rules)
                for hit, address in scanner.scan():
                    cert = obj.Object(
                        DumpCerts.type_map.get(hit.rule),
                        vm=scanner.address_space,
                        offset=address,
                    )
                    if cert.is_valid():
                        yield process, cert

コード例 #3

0

ファイルを表示

ファイル: netscan.py プロジェクト: 0x2A/volatility_3

    def calculate(self):
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        linux_common.set_plugin_members(self)

        ## the start of kernel memory taken from VolatilityLinuxIntelValidAS
        if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
            kernel_start = 0xc0000000
            pack_size    = 4
            pack_fmt     = "<I"
        else:
            kernel_start = 0xffff880000000000
            pack_size    = 8
            pack_fmt     = "<Q"
        
        checks = [self.check_family, self.check_proto, self.check_socket_back_pointer, self.check_pointers]

        destruct_offset = self.addr_space.profile.get_obj_offset("sock", "sk_destruct")

        # sk_destruct pointer value of sock
        func_addr = self.addr_space.profile.get_symbol("inet_sock_destruct")

        vals = struct.pack(pack_fmt, func_addr)

        s = "{ " + " ".join(["%.02x" % ord(v) for v in vals]) + " }"

        rules = yara.compile(sources = { 'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}' })
        
        scanner = malfind.DiscontigYaraScanner(rules = rules, address_space = self.addr_space) 
        for _, address in scanner.scan(start_offset = kernel_start):
            base_address = address - destruct_offset
    
            i = obj.Object("inet_sock", offset = base_address, vm = self.addr_space)

            valid = True
            for check in checks:
                if check(i) == False:
                    valid = False
                    break

            if valid:
                state  = i.state if i.protocol == "TCP" else ""
                family = i.sk.__sk_common.skc_family #pylint: disable-msg=W0212

                sport = i.src_port 
                dport = i.dst_port 
                saddr = i.src_addr
                daddr = i.dst_addr

                if str(saddr) == "0.0.0.0" and str(daddr) == "0.0.0.0" and sport == 6 and dport == 0:
                    continue

                yield (i, i.protocol, saddr, sport, daddr, dport, state)

コード例 #4

0

ファイルを表示

    def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error(
                "Please install Yara from https://plusvic.github.io/yara/"
            )

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the linux plugin address spaces
        linux_common.set_plugin_members(self)

        if self._config.KERNEL:
            ## the start of kernel memory taken from VolatilityLinuxIntelValidAS
            if (
                self.addr_space.profile.metadata.get('memory_model', '32bit')
                == "32bit"
            ):
                kernel_start = 0xC0000000
            else:
                kernel_start = 0xFFFFFFFF80000000

            scanner = malfind.DiscontigYaraScanner(
                rules=rules, address_space=self.addr_space
            )

            for hit, address in scanner.scan(start_offset=kernel_start):
                yield (
                    None,
                    address - self._config.REVERSE,
                    hit,
                    scanner.address_space.zread(
                        address - self._config.REVERSE, self._config.SIZE
                    ),
                )
        else:
            tasks = self.filter_tasks()
            for task in tasks:
                scanner = VmaYaraScanner(task=task, rules=rules)
                for hit, address in scanner.scan():
                    yield (
                        task,
                        address - self._config.REVERSE,
                        hit,
                        scanner.address_space.zread(
                            address - self._config.REVERSE, self._config.SIZE
                        ),
                    )

コード例 #5

0

ファイルを表示

    def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error(
                "Please install Yara from https://plusvic.github.io/yara/")

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the linux plugin address spaces
        common.set_plugin_members(self)

        if self._config.KERNEL:
            ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
            if self.addr_space.profile.metadata.get('memory_model',
                                                    '32bit') == "32bit":
                if not common.is_64bit_capable(self.addr_space):
                    kernel_start = 0
                else:
                    kernel_start = 0xc0000000
            else:
                vm_addr = self.addr_space.profile.get_symbol(
                    "_vm_min_kernel_address")
                kernel_start = obj.Object("unsigned long",
                                          offset=vm_addr,
                                          vm=self.addr_space)

            scanner = malfind.DiscontigYaraScanner(
                rules=rules, address_space=self.addr_space)

            for hit, address in scanner.scan(start_offset=kernel_start):
                yield (None, address, hit,
                       scanner.address_space.zread(
                           address - self._config.REVERSE, self._config.SIZE))
        else:
            # Scan each process memory block
            tasks = self.filter_tasks()
            for task in tasks:
                # skip kernel_task
                if task.p_pid == 0:
                    continue
                scanner = MapYaraScanner(task=task, rules=rules)
                for hit, address in scanner.scan(
                        max_size=self._config.MAX_SIZE):
                    yield (task, address, hit,
                           scanner.address_space.zread(
                               address - self._config.REVERSE,
                               self._config.SIZE))

コード例 #6

0

ファイルを表示

ファイル: dumpcerts.py プロジェクト: 5l1v3r1/volatility-1

    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not has_yara:
            debug.error("You must install yara to use this plugin")

        if not self._config.DUMP_DIR:
            debug.error("You must supply a --dump-dir parameter")

        # Wildcard signatures to scan for
        rules = yara.compile(
            sources={
                'x509':
                'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}',
                'pkcs':
                'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}',
            })

        # These signature names map to these data structures
        type_map = {
            'x509': '_X509_PUBLIC_CERT',
            'pkcs': '_PKCS_PRIVATE_CERT',
        }

        if self._config.PHYSICAL:
            # Find the FileAddressSpace
            while addr_space.__class__.__name__ != "FileAddressSpace":
                addr_space = addr_space.base
            scanner = malfind.DiscontigYaraScanner(address_space=addr_space,
                                                   rules=rules)
            for hit, address in scanner.scan():
                cert = obj.Object(
                    type_map.get(hit.rule),
                    vm=scanner.address_space,
                    offset=address,
                )
                if cert.is_valid():
                    yield None, cert
        else:
            for process in self.filter_tasks(tasks.pslist(addr_space)):
                scanner = malfind.VadYaraScanner(task=process, rules=rules)
                for hit, address in scanner.scan():
                    cert = obj.Object(
                        type_map.get(hit.rule),
                        vm=scanner.address_space,
                        offset=address,
                    )
                    if cert.is_valid():
                        yield process, cert

コード例 #7

0

ファイルを表示

ファイル: win10_memcompression.py プロジェクト: dmikushin/volatility

    def _yara_scan(self, addrspace, rule, start, end):
        rules = yara.compile(
            sources={
                'n': 'rule r1 {strings: $a = ' + rule + ' condition: $a}'
            })

        scanner = malfind.DiscontigYaraScanner(address_space=addrspace,
                                               rules=rules)

        scan_results = scanner.scan(start_offset=start, maxlen=end)

        try:
            hit, addr = next(scan_results)
        except StopIteration:
            return None, None

        return hit, addr

コード例 #8

0

ファイルを表示

    def calculate(self):
        if not has_yara:
            debug.error(
                "Please install Yara from code.google.com/p/yara-project")
        addr_space = utils.load_as(self._config)
        rules = yara.compile(sources=ghost_sig)
        decrypted_data = None
        mal_proc = {}

        kdbg = tasks.get_kdbg(addr_space)
        start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
        mods = dict((addr_space.address_mask(mod.DllBase), mod)
                    for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())
        sessions = []
        for proc in tasks.pslist(addr_space):
            sid = proc.SessionId

            if sid == None or sid in sessions:
                continue
            session_space = proc.get_process_address_space()
            if session_space == None:
                continue
            sessions.append(sid)
            scanner = malfind.DiscontigYaraScanner(address_space=session_space,
                                                   rules=rules)
            for hit, address in scanner.scan(start_offset=start):
                module = tasks.find_module(mods, mod_addrs,
                                           addr_space.address_mask(address))
                content = session_space.zread(address, 1024)
                header_size = content.find("\x78\x9c")
                magic_header_size = header_size - 8
                magic_keyword = content[:magic_header_size]
                comp_uncomp_size = content[magic_header_size:header_size]
                s = struct.Struct("I I")
                comp_size, uncomp_size = s.unpack(comp_uncomp_size)
                enc_data = content[0:comp_size]
                to_decrypt = content[header_size:comp_size]
                dec_data = self.decrypt_communication(to_decrypt)
                if not mal_proc:
                    self.get_ghost_process(magic_keyword, mal_proc, addr_space)
                    os_version = self.get_os_version(addr_space)
                yield (mal_proc, address, magic_keyword, enc_data, dec_data,
                       os_version)

コード例 #9

0

ファイルを表示

ファイル: mac_yarascan.py プロジェクト: 5l1v3r1/volatility-1

    def calculate(self):

        ## we need this module imported
        if not has_yara:
            debug.error(
                "Please install Yara from code.google.com/p/yara-project")

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the linux plugin address spaces
        common.set_plugin_members(self)

        if self._config.KERNEL:
            ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
            if self.addr_space.profile.metadata.get('memory_model',
                                                    '32bit') == "32bit":
                if not common.is_64bit_capable(self.addr_space):
                    kernel_start = 0
                else:
                    kernel_start = 0xc0000000
            else:
                kernel_start = 0xffffff8000000000

            scanner = malfind.DiscontigYaraScanner(
                rules=rules, address_space=self.addr_space)

            for hit, address in scanner.scan(start_offset=kernel_start):
                yield (None, address, hit,
                       scanner.address_space.zread(address, 64))
        else:
            # Scan each process memory block
            for task in pstasks.mac_tasks(self._config).calculate():
                scanner = MapYaraScanner(task=task, rules=rules)
                for hit, address in scanner.scan():
                    yield (task, address, hit,
                           scanner.address_space.zread(address, 64))

コード例 #10

0

ファイルを表示

    def calculate(self):
        linux_common.set_plugin_members(self)

        ## the start of kernel memory taken from VolatilityLinuxIntelValidAS
        if self.addr_space.profile.metadata.get('memory_model',
                                                '32bit') == "32bit":
            kernel_start = 0xc0000000
            pack_size = 4
            pack_fmt = "<I"
        else:
            kernel_start = 0xffffffff80000000
            pack_size = 8
            pack_fmt = "<Q"

        checks = [
            self.check_family, self.check_proto,
            self.check_socket_back_pointer, self.check_pointers
        ]

        destruct_offset = self.addr_space.profile.get_obj_offset(
            "sock", "sk_destruct")

        # sk_destruct pointer value of sock
        func_addr = self.addr_space.profile.get_symbol("inet_sock_destruct")

        vals = []

        # convert address into a yara hex rule
        for bit in range(pack_size):
            idx = (pack_size - bit - 1) * 8
            mask = 0xff << idx
            val = ((func_addr & mask) >> idx) & 0xff

            vals.insert(0, val)

        s = "{" + " ".join(["%.02x" % v for v in vals]) + " }"

        rules = yara.compile(
            sources={'n': 'rule r1 {strings: $a = ' + s + ' condition: $a}'})

        scanner = malfind.DiscontigYaraScanner(rules=rules,
                                               address_space=self.addr_space)
        for _, address in scanner.scan(start_offset=kernel_start):
            base_address = address - destruct_offset

            i = obj.Object("inet_sock",
                           offset=base_address,
                           vm=self.addr_space)

            valid = True
            for check in checks:
                if check(i) == False:
                    valid = False
                    break

            if valid:
                state = i.state if i.protocol == "TCP" else ""
                family = i.sk.__sk_common.skc_family  #pylint: disable-msg=W0212

                sport = i.src_port
                dport = i.dst_port
                saddr = i.src_addr
                daddr = i.dst_addr

                yield (i, i.protocol, saddr, sport, daddr, dport, state)