def calculate(self):
"""
Use the volatility registry API to enumerate the
Services registry key based on the last modified time stamp
:return:
"""
# Set up our registry api instance
reg_api = registryapi.RegistryApi(self._config)
key = "ControlSet001\\Services"
# Pull the ControlSet001\Services registry sub-keys
sub_keys = reg_api.reg_get_all_subkeys("system", key)
services = dict((s.Name, int(s.LastWriteTime)) for s in sub_keys)
# Sort them by their last modified timestamp, in descending order
times = sorted(set(services.values()), reverse=True)
# Pull the service info from the registry using SvcScanner
svc_scanner = svcscan.SvcScan(self._config)
service_info = svc_scanner.get_service_info(reg_api)
# only return a subset of the Service last write times
top_five = times[0:5]
return [top_five, services, service_info]
def calculate(self):
"""
Use the volatility registry API to enumerate the
Services registry key based on the last modified time stamp
:return [top_five, services, service_info]:
"""
# Set up our registry api instance
reg_api = registryapi.RegistryApi(self._config)
key = "ControlSet001\\Services"
# Pull the ControlSet001\Services registry sub-keys
sub_keys = reg_api.reg_get_all_subkeys("system", key)
# collect the name and the last write timestamp of the service
services = dict((s.Name, int(s.LastWriteTime)) for s in sub_keys)
# De-duped list of times from the Service registry sub keys
times = sorted(set([ts for ts in services.values()]))
# confirm that the start timestamp is within the timeline
start = 0
# Did the user provide a time window?
if self._config.START_TIME:
try:
start = int(
time.mktime(
datetime.datetime.strptime(self._config.START_TIME,
"%m/%d/%Y").timetuple()))
except ValueError:
print("Please enter date in correct format: mm/dd/YYYY")
sys.exit(1)
# Start time outside of the provided range?
if start <= times[0]:
start = times[0]
elif start >= times[len(times) - 1]:
start = times[len(times) - 1]
# Get timestamps only on the provided day
times = [
t for t in times if time.gmtime(t)[7] == time.gmtime(start)[7]
]
# Pull the service info from the registry using SvcScanner
svc_scanner = svcscan.SvcScan(self._config)
service_info = svc_scanner.get_service_info(reg_api)
# grab only the top five (or top n) timestamps from the services dict
if self._config.N_TIMES:
n = self._config.N_TIMES
if n > len(times):
n = len(times)
top_five = sorted(times, reverse=True)[0:n]
else:
top_five = sorted(times, reverse=True)[0:5]
return [top_five, services, service_info, start]
def calculate(self):
addr_space = utils.load_as(self._config)
tasks = win32.tasks.pslist(addr_space)
scanner = svcscan.SvcScan(self._config)
for service in scanner.calculate():
yield service
def get_scan(self):
'''
Mimics volatiltiy's svcscan - scans the memory image carving out objects
which look like Windows processes.
'''
import volatility.plugins.malware.svcscan as svcscan
import volatility.plugins.registry.registryapi as registryapi
regapi = registryapi.RegistryApi(self.vol.config)
ccs = regapi.reg_get_currentcontrolset()
for rec in svcscan.SvcScan(self.vol.config).calculate():
svcdll = regapi.reg_get_value(
hive_name = "system",
key = "{0}\\services\\{1}\\Parameters".format(ccs, rec.ServiceName.dereference()),
value = "ServiceDll")
yield Service(rec, svcdll, str(hex(rec.obj_offset)))
def calculate(self):
addr_space = utils.load_as(self._config)
# we currently don't use this on x64 because for some reason the
# x64 version actually doesn't create a DisplayVersion value
memory_model = addr_space.profile.metadata.get('memory_model')
if memory_model == '32bit':
regapi = registryapi.RegistryApi(self._config)
regapi.reset_current()
regapi.set_current(hive_name = "software")
x86key = "Microsoft\\Windows\\CurrentVersion\\Uninstall"
x64key = "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
for subkey in regapi.reg_get_all_subkeys(None, key = x86key):
if str(subkey.Name) == "TrueCrypt":
subpath = x86key + "\\" + subkey.Name
version = regapi.reg_get_value("software",
key = subpath,
value = "DisplayVersion")
if version:
yield "Registry Version", "{0} Version {1}".format(
str(subkey.Name),
version)
scanner = TrueCryptPassphrase(self._config)
for offset, passphrase in scanner.calculate():
yield "Password", "{0} at offset {1:#x}".format(
passphrase, offset)
for proc in tasks.pslist(addr_space):
if str(proc.ImageFileName).lower() == "truecrypt.exe":
yield "Process", "{0} at {1:#x} pid {2}".format(
proc.ImageFileName,
proc.obj_offset,
proc.UniqueProcessId)
scanner = svcscan.SvcScan(self._config)
for service in scanner.calculate():
name = str(service.ServiceName.dereference())
if name == "truecrypt":
yield "Service", "{0} state {1}".format(
name,
service.State)
for mod in modules.lsmod(addr_space):
basename = str(mod.BaseDllName or '').lower()
fullname = str(mod.FullDllName or '').lower()
if (basename.endswith("truecrypt.sys") or
fullname.endswith("truecrypt.sys")):
yield "Kernel Module", "{0} at {1:#x} - {2:#x}".format(
mod.BaseDllName,
mod.DllBase,
mod.DllBase + mod.SizeOfImage)
scanner = filescan.SymLinkScan(self._config)
for symlink in scanner.calculate():
object_header = symlink.get_object_header()
if "TrueCryptVolume" in str(symlink.LinkTarget or ''):
yield "Symbolic Link", "{0} -> {1} mounted {2}".format(
str(object_header.NameInfo.Name or ''),
str(symlink.LinkTarget or ''),
str(symlink.CreationTime or ''))
scanner = filescan.FileScan(self._config)
for fileobj in scanner.calculate():
filename = str(fileobj.file_name_with_device() or '')
if "TrueCryptVolume" in filename:
yield "File Object", "{0} at {1:#x}".format(
filename,
fileobj.obj_offset)
scanner = filescan.DriverScan(self._config)
for driver in scanner.calculate():
object_header = driver.get_object_header()
driverext = driver.DriverExtension
drivername = str(driver.DriverName or '')
servicekey = str(driverext.ServiceKeyName or '')
if (drivername.endswith("truecrypt") or
servicekey.endswith("truecrypt")):
yield "Driver", "{0} at {1:#x} range {2:#x} - {3:#x}".format(
drivername,
driver.obj_offset,
driver.DriverStart,
driver.DriverStart + driver.DriverSize)
for device in driver.devices():
header = device.get_object_header()
devname = str(header.NameInfo.Name or '')
type = devicetree.DEVICE_CODES.get(device.DeviceType.v())
yield "Device", "{0} at {1:#x} type {2}".format(
devname or "<HIDDEN>",
device.obj_offset,
type or "UNKNOWN")
if type == "FILE_DEVICE_DISK":
data = addr_space.read(device.DeviceExtension, 2000)
## the file-hosted container path. no other fields in
## the struct are character based, so we should not
## hit false positives on this scan.
offset = data.find("\\\x00?\x00?\x00\\\x00")
if offset == -1:
container = "<HIDDEN>"
else:
container = obj.Object("String", length = 255,
offset = device.DeviceExtension + offset,
encoding = "utf16",
vm = addr_space)
yield "Container", "Path: {0}".format(container)