def _generator(self):
kernel = self.context.modules[self.config['kernel']]
collection = ssdt.SSDT.build_module_collection(self.context, kernel.layer_name, kernel.symbol_table_name)
for driver in driverscan.DriverScan.scan_drivers(self.context, kernel.layer_name, kernel.symbol_table_name):
try:
driver_name = driver.get_driver_name()
except (ValueError, exceptions.InvalidAddressException):
driver_name = renderers.NotApplicableValue()
for i, address in enumerate(driver.MajorFunction):
module_symbols = collection.get_module_symbols_by_absolute_location(address)
for module_name, symbol_generator in module_symbols:
symbols_found = False
for symbol in symbol_generator:
symbols_found = True
yield (0, (format_hints.Hex(driver.vol.offset), driver_name, MAJOR_FUNCTIONS[i],
format_hints.Hex(address), module_name, symbol.split(constants.BANG)[1]))
if not symbols_found:
yield (0, (format_hints.Hex(driver.vol.offset), driver_name, MAJOR_FUNCTIONS[i],
format_hints.Hex(address), module_name, renderers.NotAvailableValue()))
def _generator(self):
kernel = contexts.Module(self._context, self.config['darwin'],
self.config['primary'], 0)
mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
self.config['darwin'])
handlers = mac.MacUtilities.generate_kernel_handler_info(
self.context, self.config['primary'], kernel, mods)
table = kernel.object_from_symbol(symbol_name="mach_trap_table")
for i, ent in enumerate(table):
try:
call_addr = ent.mach_trap_function.dereference().vol.offset
except exceptions.InvalidAddressException:
continue
if not call_addr or call_addr == 0:
continue
module_name, symbol_name = mac.MacUtilities.lookup_module_address(
self.context, handlers, call_addr)
yield (0, (format_hints.Hex(table.vol.offset), "TrapTable", i,
format_hints.Hex(call_addr), module_name, symbol_name))
def _generator(self):
kernel = self.context.modules[self.config['kernel']]
for driver in self.scan_drivers(self.context, kernel.layer_name,
kernel.symbol_table_name):
try:
driver_name = driver.get_driver_name()
except (ValueError, exceptions.InvalidAddressException):
driver_name = renderers.NotApplicableValue()
try:
service_key = driver.DriverExtension.ServiceKeyName.String
except exceptions.InvalidAddressException:
service_key = renderers.NotApplicableValue()
try:
name = driver.DriverName.String
except exceptions.InvalidAddressException:
name = renderers.NotApplicableValue()
yield (0, (format_hints.Hex(driver.vol.offset),
format_hints.Hex(driver.DriverStart),
format_hints.Hex(driver.DriverSize), service_key,
driver_name, name))
def _generator(self):
filter_func = pslist.PsList.create_pid_filter(
self.config.get('pid', None))
for task_name, pid, socket in self.list_sockets(
self.context,
self.config['primary'],
self.config['darwin'],
filter_func=filter_func):
family = socket.get_family()
if family == 1:
try:
upcb = socket.so_pcb.dereference().cast("unpcb")
path = utility.array_to_string(upcb.unp_addr.sun_path)
except exceptions.InvalidAddressException:
continue
yield (0, (format_hints.Hex(socket.vol.offset), "UNIX", path,
0, "", 0, "", "{}/{:d}".format(task_name, pid)))
elif family in [2, 30]:
state = socket.get_state()
proto = socket.get_protocol_as_string()
vals = socket.get_converted_connection_info()
if vals:
(lip, lport, rip, rport) = vals
yield (0, (format_hints.Hex(socket.vol.offset), proto, lip,
lport, rip, rport, state,
"{}/{:d}".format(task_name, pid)))
def _generator(self):
kernel = contexts.Module(self.context, self.config['darwin'],
self.config['primary'], 0)
mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
self.config['darwin'])
handlers = mac.MacUtilities.generate_kernel_handler_info(
self.context, self.config['primary'], kernel, mods)
for scope in self.list_kauth_scopes(self.context,
self.config['primary'],
self.config['darwin']):
callback = scope.ks_callback
if callback == 0:
continue
module_name, symbol_name = mac.MacUtilities.lookup_module_address(
self.context, handlers, callback)
identifier = utility.pointer_to_string(scope.ks_identifier, 128)
yield (0, (identifier, format_hints.Hex(scope.ks_idata),
len([l for l in scope.get_listeners()]),
format_hints.Hex(callback), module_name, symbol_name))
def _generator(self):
kernel = self.context.modules[self.config['kernel']]
mods = lsmod.Lsmod.list_modules(self.context, self.config['kernel'])
handlers = mac.MacUtilities.generate_kernel_handler_info(self.context, kernel.layer_name, kernel, mods)
members_to_check = [
"sf_unregistered", "sf_attach", "sf_detach", "sf_notify", "sf_getpeername", "sf_getsockname", "sf_data_in",
"sf_data_out", "sf_connect_in", "sf_connect_out", "sf_bind", "sf_setoption", "sf_getoption", "sf_listen",
"sf_ioctl"
]
filter_list = kernel.object_from_symbol(symbol_name = "sock_filter_head")
for filter_container in mac.MacUtilities.walk_tailq(filter_list, "sf_global_next"):
current_filter = filter_container.sf_filter
filter_name = utility.pointer_to_string(current_filter.sf_name, count = 128)
try:
filter_socket = filter_container.sf_entry_head.sfe_socket.vol.offset
except exceptions.InvalidAddressException:
filter_socket = 0
for member in members_to_check:
check_addr = current_filter.member(attr = member)
if check_addr == 0:
continue
module_name, symbol_name = mac.MacUtilities.lookup_module_address(self.context, handlers, check_addr)
yield (0, (format_hints.Hex(current_filter.vol.offset), filter_name, member, \
format_hints.Hex(filter_socket), format_hints.Hex(check_addr), module_name, symbol_name))
def _generator(self):
"""
Enumerates the listeners for each kauth scope
"""
kernel = contexts.Module(self.context, self.config['darwin'],
self.config['primary'], 0)
mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
self.config['darwin'])
handlers = mac.MacUtilities.generate_kernel_handler_info(
self.context, self.config['primary'], kernel, mods)
for scope in kauth_scopes.Kauth_scopes.list_kauth_scopes(
self.context, self.config['primary'], self.config['darwin']):
scope_name = utility.pointer_to_string(scope.ks_identifier, 128)
for listener in scope.get_listeners():
callback = listener.kll_callback
if callback == 0:
continue
module_name, symbol_name = mac.MacUtilities.lookup_module_address(
self.context, handlers, callback)
yield (0, (scope_name, format_hints.Hex(listener.kll_idata),
format_hints.Hex(callback), module_name,
symbol_name))
def _generator(self, tasks):
# determine if we're on a 32 or 64 bit kernel
if self.context.symbol_space.get_type(self.config["vmlinux"] +
constants.BANG +
"pointer").size == 4:
is_32bit_arch = True
else:
is_32bit_arch = False
for task in tasks:
process_name = utility.array_to_string(task.comm)
for vma, data in self._list_injections(task):
if is_32bit_arch:
architecture = "intel"
else:
architecture = "intel64"
disasm = interfaces.renderers.Disassembly(
data, vma.vm_start, architecture)
yield (0, (task.pid, process_name,
format_hints.Hex(vma.vm_start),
format_hints.Hex(vma.vm_end), vma.get_protection(),
format_hints.HexBytes(data), disasm))
def _generator(self):
pe_table_name = intermed.IntermediateSymbolTable.create(
self.context,
self.config_path,
"windows",
"pe",
class_types=pe.class_types)
for mod in self.list_modules(self.context, self.config['primary'],
self.config['nt_symbols']):
try:
BaseDllName = mod.BaseDllName.get_string()
except exceptions.InvalidAddressException:
BaseDllName = ""
try:
FullDllName = mod.FullDllName.get_string()
except exceptions.InvalidAddressException:
FullDllName = ""
file_output = "Disabled"
if self.config['dump']:
file_handle = dlllist.DllList.dump_pe(self.context,
pe_table_name, mod,
self.open)
file_output = "Error outputting file"
if file_handle:
file_handle.close()
file_output = file_handle.preferred_filename
yield (0, (format_hints.Hex(mod.vol.offset),
format_hints.Hex(mod.DllBase),
format_hints.Hex(mod.SizeOfImage), BaseDllName,
FullDllName, file_output))
def _generator(self, tasks):
for task in tasks:
if not task.mm:
continue
name = utility.array_to_string(task.comm)
for vma in task.mm.get_mmap_iter():
flags = vma.get_protection()
page_offset = vma.get_page_offset()
major = 0
minor = 0
inode = 0
if vma.vm_file != 0:
dentry = vma.vm_file.get_dentry()
if dentry != 0:
inode_object = dentry.d_inode
major = inode_object.i_sb.major
minor = inode_object.i_sb.minor
inode = inode_object.i_ino
path = vma.get_name(self.context, task)
yield (0, (task.pid, name, format_hints.Hex(vma.vm_start),
format_hints.Hex(vma.vm_end), flags,
format_hints.Hex(page_offset), major, minor, inode,
path))
def _generator(self, procs):
type_map = self.get_type_map(context=self.context,
layer_name=self.config["primary"],
symbol_table=self.config["nt_symbols"])
cookie = self.find_cookie(context=self.context,
layer_name=self.config["primary"],
symbol_table=self.config["nt_symbols"])
for proc in procs:
try:
object_table = proc.ObjectTable
except exceptions.InvalidAddressException:
vollog.log(
constants.LOGLEVEL_VVV,
"Cannot access _EPROCESS.ObjectType at {0:#x}".format(
proc.vol.offset))
continue
process_name = utility.array_to_string(proc.ImageFileName)
for entry in self.handles(object_table):
try:
obj_type = entry.get_object_type(type_map, cookie)
if obj_type is None:
continue
if obj_type == "File":
item = entry.Body.cast("_FILE_OBJECT")
obj_name = item.file_name_with_device()
elif obj_type == "Process":
item = entry.Body.cast("_EPROCESS")
obj_name = "{} Pid {}".format(
utility.array_to_string(proc.ImageFileName),
item.UniqueProcessId)
elif obj_type == "Thread":
item = entry.Body.cast("_ETHREAD")
obj_name = "Tid {} Pid {}".format(
item.Cid.UniqueThread, item.Cid.UniqueProcess)
elif obj_type == "Key":
item = entry.Body.cast("_CM_KEY_BODY")
obj_name = item.get_full_key_name()
else:
try:
obj_name = entry.NameInfo.Name.String
except (ValueError,
exceptions.InvalidAddressException):
obj_name = ""
except (exceptions.InvalidAddressException):
vollog.log(
constants.LOGLEVEL_VVV,
"Cannot access _OBJECT_HEADER at {0:#x}".format(
entry.vol.offset))
continue
yield (0, (proc.UniqueProcessId, process_name,
format_hints.Hex(entry.Body.vol.offset),
format_hints.Hex(entry.HandleValue), obj_type,
format_hints.Hex(entry.GrantedAccess), obj_name))
def _generator(self):
vmlinux = contexts.Module(self.context, self.config['vmlinux'],
self.config['primary'], 0)
ptr_sz = vmlinux.get_type("pointer").size
if ptr_sz == 4:
table_name = "32bit"
else:
table_name = "64bit"
try:
table_info = self._get_table_info(vmlinux, "sys_call_table",
ptr_sz)
except exceptions.SymbolError:
vollog.error("Unable to find the system call table. Exiting.")
return
tables = [(table_name, table_info)]
# this table is only present on 64 bit systems with 32 bit emulation
# enabled in order to support 32 bit programs and libraries
# if the symbol isn't there then the support isn't in the kernel and so we skip it
try:
ia32_symbol = self.context.symbol_space.get_symbol(
vmlinux.name + constants.BANG + "ia32_sys_call_table")
except exceptions.SymbolError:
ia32_symbol = None
if ia32_symbol != None:
ia32_info = self._get_table_info(vmlinux, "ia32_sys_call_table",
ptr_sz)
tables.append(("32bit", ia32_info))
for (table_name, (tableaddr, tblsz)) in tables:
table = vmlinux.object(object_type="array",
subtype=vmlinux.get_type("pointer"),
offset=tableaddr,
count=tblsz)
for (i, call_addr) in enumerate(table):
if not call_addr:
continue
symbols = list(
self.context.symbol_space.get_symbols_by_location(
call_addr))
if len(symbols) > 0:
sym_name = str(symbols[0].split(constants.BANG)[1]) if constants.BANG in symbols[0] else \
str(symbols[0])
else:
sym_name = "UNKNOWN"
yield (0, (format_hints.Hex(tableaddr), table_name, i,
format_hints.Hex(call_addr), sym_name))
def _generator(self):
kernel = self.context.modules[self.config['kernel']]
callback_table_name = self.create_callback_table(
self.context, kernel.symbol_table_name, self.config_path)
collection = ssdt.SSDT.build_module_collection(
self.context, kernel.layer_name, kernel.symbol_table_name)
callback_methods = (self.list_notify_routines,
self.list_bugcheck_callbacks,
self.list_bugcheck_reason_callbacks,
self.list_registry_callbacks)
for callback_method in callback_methods:
for callback_type, callback_address, callback_detail in callback_method(
self.context, kernel.layer_name, kernel.symbol_table_name,
callback_table_name):
if callback_detail is None:
detail = renderers.NotApplicableValue()
else:
detail = callback_detail
module_symbols = list(
collection.get_module_symbols_by_absolute_location(
callback_address))
if module_symbols:
for module_name, symbol_generator in module_symbols:
symbols_found = False
# we might have multiple symbols pointing to the same location
for symbol in symbol_generator:
symbols_found = True
yield (0,
(callback_type,
format_hints.Hex(callback_address),
module_name,
symbol.split(constants.BANG)[1], detail))
# no symbols, but we at least can report the module name
if not symbols_found:
yield (0, (callback_type,
format_hints.Hex(callback_address),
module_name,
renderers.NotAvailableValue(), detail))
else:
# no module was found at the absolute location
yield (0, (callback_type,
format_hints.Hex(callback_address),
renderers.NotAvailableValue(),
renderers.NotAvailableValue(), detail))
def _generator(self) -> Iterator[Tuple[int, Tuple[int, int, Any, Any]]]:
layer_name = self.config['primary']
collection = self.build_module_collection(self.context, self.config["primary"], self.config["nt_symbols"])
kvo = self.context.layers[layer_name].config['kernel_virtual_offset']
ntkrnlmp = self.context.module(self.config["nt_symbols"], layer_name = layer_name, offset = kvo)
# this is just one way to enumerate the native (NT) service table.
# to do the same thing for the Win32K service table, we would need Win32K.sys symbol support
## we could also find nt!KeServiceDescriptorTable (NT) and KeServiceDescriptorTableShadow (NT, Win32K)
service_table_address = ntkrnlmp.get_symbol("KiServiceTable").address
service_limit_address = ntkrnlmp.get_symbol("KiServiceLimit").address
service_limit = ntkrnlmp.object(object_type = "int", offset = service_limit_address)
# on 32-bit systems the table indexes are 32-bits and contain pointers (unsigned)
# on 64-bit systems the indexes are also 32-bits but they're offsets from the
# base address of the table and can be negative, so we need a signed data type
is_kernel_64 = symbols.symbol_table_is_64bit(self.context, self.config["nt_symbols"])
if is_kernel_64:
array_subtype = "long"
def kvo_calulator(func: int) -> int:
return kvo + service_table_address + (func >> 4)
find_address = kvo_calulator
else:
array_subtype = "unsigned long"
def passthrough(func: int) -> int:
return func
find_address = passthrough
functions = ntkrnlmp.object(object_type = "array",
offset = service_table_address,
subtype = ntkrnlmp.get_type(array_subtype),
count = service_limit)
for idx, function_obj in enumerate(functions):
function = find_address(function_obj)
module_symbols = collection.get_module_symbols_by_absolute_location(function)
for module_name, symbol_generator in module_symbols:
symbols_found = False
for symbol in symbol_generator:
symbols_found = True
yield (0, (idx, format_hints.Hex(function), module_name, symbol.split(constants.BANG)[1]))
if not symbols_found:
yield (0, (idx, format_hints.Hex(function), module_name, renderers.NotAvailableValue()))
def _generator(self, tasks):
for task in tasks:
process_name = utility.array_to_string(task.p_comm)
process_pid = task.p_pid
for vma in task.get_map_iter():
path = vma.get_path(self.context, self.config['darwin'])
if path == "":
path = vma.get_special_path()
yield (0, (process_pid, process_name,
format_hints.Hex(vma.links.start),
format_hints.Hex(vma.links.end), vma.get_perms(),
path))
def _generator(self, procs):
# determine if we're on a 32 or 64 bit kernel
kernel = self.context.modules[self.config['kernel']]
is_32bit_arch = not symbols.symbol_table_is_64bit(
self.context, kernel.symbol_table_name)
for proc in procs:
process_name = utility.array_to_string(proc.ImageFileName)
for vad, data in self.list_injections(self.context,
kernel.layer_name,
kernel.symbol_table_name,
proc):
# if we're on a 64 bit kernel, we may still need 32 bit disasm due to wow64
if is_32bit_arch or proc.get_is_wow64():
architecture = "intel"
else:
architecture = "intel64"
disasm = interfaces.renderers.Disassembly(
data, vad.get_start(), architecture)
file_output = "Disabled"
if self.config['dump']:
file_output = "Error outputting to file"
try:
file_handle = vadinfo.VadInfo.vad_dump(
self.context, proc, vad, self.open)
file_handle.close()
file_output = file_handle.preferred_filename
except (exceptions.InvalidAddressException,
OverflowError) as excp:
vollog.debug(
"Unable to dump PE with pid {0}.{1:#x}: {2}".
format(proc.UniqueProcessId, vad.get_start(),
excp))
yield (0, (proc.UniqueProcessId, process_name,
format_hints.Hex(vad.get_start()),
format_hints.Hex(vad.get_end()), vad.get_tag(),
vad.get_protection(
vadinfo.VadInfo.protect_values(
self.context, kernel.layer_name,
kernel.symbol_table_name),
vadinfo.winnt_protections),
vad.get_commit_charge(), vad.get_private_memory(),
file_output, format_hints.HexBytes(data), disasm))
def _generator(self):
kernel = self.context.modules[self.config['kernel']]
mods = lsmod.Lsmod.list_modules(self.context, self.config['kernel'])
handlers = mac.MacUtilities.generate_kernel_handler_info(
self.context, kernel.layer_name, kernel, mods)
real_ncpus = kernel.object_from_symbol(symbol_name="real_ncpus")
cpu_data_ptrs_ptr = kernel.get_symbol("cpu_data_ptr").address
# Returns the a pointer to the absolute address
cpu_data_ptrs_addr = kernel.object(
object_type="pointer",
offset=cpu_data_ptrs_ptr,
subtype=kernel.get_type('long unsigned int'))
cpu_data_ptrs = kernel.object(object_type="array",
offset=cpu_data_ptrs_addr,
absolute=True,
subtype=kernel.get_type('cpu_data'),
count=real_ncpus)
for cpu_data_ptr in cpu_data_ptrs:
try:
queue = cpu_data_ptr.rtclock_timer.queue.head
except exceptions.InvalidAddressException:
break
for timer in queue.walk_list(queue, "q_link", "call_entry"):
try:
handler = timer.func.dereference().vol.offset
except exceptions.InvalidAddressException:
continue
if timer.has_member("entry_time"):
entry_time = timer.entry_time
else:
entry_time = -1
module_name, symbol_name = mac.MacUtilities.lookup_module_address(
self.context, handlers, handler, self.config['kernel'])
yield (0, (format_hints.Hex(handler),
format_hints.Hex(timer.param0),
format_hints.Hex(timer.param1), timer.deadline,
entry_time, module_name, symbol_name))
def _generator(self):
kernel = contexts.Module(self._context, self.config['darwin'],
self.config['primary'], 0)
mods = lsmod.Lsmod.list_modules(self.context, self.config['primary'],
self.config['darwin'])
handlers = mac.MacUtilities.generate_kernel_handler_info(
self.context, self.config['primary'], kernel, mods)
sysctl_list = kernel.object_from_symbol(symbol_name="sysctl__children")
for sysctl, name, val in self._process_sysctl_list(
kernel, sysctl_list):
try:
check_addr = sysctl.oid_handler
except exceptions.InvalidAddressException:
continue
module_name, symbol_name = mac.MacUtilities.lookup_module_address(
self.context, handlers, check_addr)
yield (0, (name, sysctl.oid_number, sysctl.get_perms(),
format_hints.Hex(check_addr), val, module_name,
symbol_name))
def _get_task_fields(
self,
task: interfaces.objects.ObjectInterface,
decorate_comm: bool = False) -> Tuple[int, int, int, str]:
"""Extract the fields needed for the final output
Args:
task: A task object from where to get the fields.
decorate_comm: If True, it decorates the comm string of
- User threads: in curly brackets,
- Kernel threads: in square brackets
Defaults to False.
Returns:
A tuple with the fields to show in the plugin output.
"""
pid = task.tgid
tid = task.pid
ppid = task.parent.tgid if task.parent else 0
name = utility.array_to_string(task.comm)
if decorate_comm:
if task.is_kernel_thread:
name = f"[{name}]"
elif task.is_user_thread:
name = f"{{{name}}}"
task_fields = (format_hints.Hex(task.vol.offset), pid, tid, ppid, name)
return task_fields
def _generator(self) -> Iterator[Tuple[int, Tuple[int, str]]]: # , str, int]]]:
if self.config.get("tags"):
tags = [tag for tag in self.config["tags"].split(',')]
else:
tags = None
for big_pool in self.list_big_pools(context = self.context,
layer_name = self.config["primary"],
symbol_table = self.config["nt_symbols"],
tags = tags):
num_bytes = big_pool.get_number_of_bytes()
if not isinstance(num_bytes, interfaces.renderers.BaseAbsentValue):
num_bytes = format_hints.Hex(num_bytes)
yield (0, (format_hints.Hex(big_pool.Va), big_pool.get_key(), big_pool.get_pool_type(), num_bytes))
def get_record_tuple(service_record: interfaces.objects.ObjectInterface):
return (format_hints.Hex(service_record.vol.offset),
service_record.Order, service_record.get_pid(),
service_record.Start.description,
service_record.State.description, service_record.get_type(),
service_record.get_name(), service_record.get_display(),
service_record.get_binary())
def _generator(self):
vmlinux = contexts.Module(self.context, self.config['vmlinux'],
self.config['primary'], 0)
modules = lsmod.Lsmod.list_modules(self.context,
self.config['primary'],
self.config['vmlinux'])
handlers = linux.LinuxUtilities.generate_kernel_handler_info(
self.context, self.config['primary'], self.config['vmlinux'],
modules)
try:
knl_addr = vmlinux.object_from_symbol("keyboard_notifier_list")
except exceptions.SymbolError:
knl_addr = None
if not knl_addr:
raise TypeError(
"This plugin requires the keyboard_notifier_list structure. "
"This structure is not present in the supplied symbol table. "
"This means you are either analyzing an unsupported kernel version or that your symbol table is corrupt."
)
knl = vmlinux.object(object_type="atomic_notifier_head",
offset=knl_addr.vol.offset)
for call_back in linux.LinuxUtilities.walk_internal_list(
vmlinux, "notifier_block", "next", knl.head):
call_addr = call_back.notifier_call
module_name, symbol_name = linux.LinuxUtilities.lookup_module_address(
self.context, handlers, call_addr)
yield (0, [format_hints.Hex(call_addr), module_name, symbol_name])
def _generator(self):
kernel = self.context.modules[self.config['kernel']]
for hive in self.scan_hives(self.context, kernel.layer_name,
kernel.symbol_table_name):
yield (0, (format_hints.Hex(hive.vol.offset), ))
def _generator(self):
rules = self.process_yara_options(dict(self.config))
layer = self.context.layers[self.config['primary']]
for offset, rule_name, name, value in layer.scan(
context=self.context, scanner=YaraScanner(rules=rules)):
yield 0, (format_hints.Hex(offset), rule_name, name, value)
def _generator(self):
pe_table_name = intermed.IntermediateSymbolTable.create(self.context,
self.config_path,
"windows",
"pe",
class_types = pe.class_types)
memory = self.context.layers[self.config['primary']]
if not isinstance(memory, layers.intel.Intel):
raise TypeError("Primary layer is not an intel layer")
for proc in self.list_processes(self.context,
self.config['primary'],
self.config['nt_symbols'],
filter_func = self.create_pid_filter(self.config.get('pid', None))):
if not self.config.get('physical', self.PHYSICAL_DEFAULT):
offset = proc.vol.offset
else:
(_, _, offset, _, _) = list(memory.mapping(offset = proc.vol.offset, length = 0))[0]
file_output = "Disabled"
if self.config['dump']:
file_handle = self.process_dump(self.context, self.config['nt_symbols'], pe_table_name, proc, self.open)
file_output = "Error outputting file"
if file_handle:
file_handle.close()
file_output = str(file_handle.preferred_filename)
yield (0, (proc.UniqueProcessId, proc.InheritedFromUniqueProcessId,
proc.ImageFileName.cast("string", max_length = proc.ImageFileName.vol.count, errors = 'replace'),
format_hints.Hex(offset), proc.ActiveThreads, proc.get_handle_count(), proc.get_session_id(),
proc.get_is_wow64(), proc.get_create_time(), proc.get_exit_time(), file_output))
def _generator(self, mods: Iterator[Any]):
kernel = contexts.Module(self._context, self.config['darwin'], self.config['primary'], 0)
handlers = mac.MacUtilities.generate_kernel_handler_info(self.context, self.config['primary'], kernel, mods)
policy_list = kernel.object_from_symbol(symbol_name = "mac_policy_list").cast("mac_policy_list")
entries = kernel.object(object_type = "array",
offset = policy_list.entries.dereference().vol.offset,
subtype = kernel.get_type('mac_policy_list_element'),
count = policy_list.staticmax + 1)
for i, ent in enumerate(entries):
# I don't know how this can happen, but the kernel makes this check all over the place
# the policy isn't useful without any ops so a rootkit can't abuse this
try:
mpc = ent.mpc.dereference()
ops = mpc.mpc_ops.dereference()
except exceptions.InvalidAddressException:
continue
try:
ent_name = utility.pointer_to_string(mpc.mpc_name, 255)
except exceptions.InvalidAddressException:
ent_name = "N/A"
for check in ops.vol.members:
call_addr = getattr(ops, check)
if call_addr is None or call_addr == 0:
continue
module_name, symbol_name = mac.MacUtilities.lookup_module_address(self.context, handlers, call_addr)
yield (0, (check, ent_name, format_hints.Hex(call_addr), module_name, symbol_name))
def _generator(self):
for module in self.list_modules(self.context, self.config['kernel']):
mod_name = utility.array_to_string(module.name)
mod_size = module.size
yield 0, (format_hints.Hex(module.vol.offset), mod_name, mod_size)
def _generator(self) -> Generator[Tuple, None, None]:
"""Generates results from a strings file."""
revmap = self.generate_mapping(self.config['primary'])
accessor = resources.ResourceAccessor()
strings_fp = accessor.open(self.config['strings_file'], "rb")
strings_size = path.getsize(strings_fp.file.name)
line = strings_fp.readline()
last_prog = 0
while line:
try:
offset, string = self._parse_line(line)
try:
revmap_list = [
name + ":" + hex(offset)
for (name, offset) in revmap[offset >> 12]
]
except (IndexError, KeyError):
revmap_list = ["FREE MEMORY"]
yield (0, (str(string, 'latin-1'), format_hints.Hex(offset),
", ".join(revmap_list)))
except ValueError:
vollog.error("Strings file is in the wrong format")
return
line = strings_fp.readline()
prog = strings_fp.tell() / strings_size * 100
if round(prog, 1) > last_prog:
last_prog = round(prog, 1)
self._progress_callback(prog, "Matching strings in memory")
def _generator(self):
vmlinux = contexts.Module(self.context, self.config['vmlinux'],
self.config['primary'], 0)
op_members = vmlinux.get_type('file_operations').members
seq_members = vmlinux.get_type('seq_operations').members
tcp = ("tcp_seq_afinfo", ["tcp6_seq_afinfo", "tcp4_seq_afinfo"])
udp = ("udp_seq_afinfo", [
"udplite6_seq_afinfo", "udp6_seq_afinfo", "udplite4_seq_afinfo",
"udp4_seq_afinfo"
])
protocols = [tcp, udp]
for (struct_type, global_vars) in protocols:
for global_var_name in global_vars:
# this will lookup fail for the IPv6 protocols on kernels without IPv6 support
try:
global_var = vmlinux.get_symbol(global_var_name)
except exceptions.SymbolError:
continue
global_var = vmlinux.object(object_type=struct_type,
offset=global_var.address)
for name, member, address in self._check_afinfo(
global_var_name, global_var, op_members, seq_members):
yield 0, (name, member, format_hints.Hex(address))
def _generator(self):
kernel = self.context.modules[self.config['kernel']]
session_layers = list(
self.get_session_layers(self.context, kernel.layer_name,
kernel.symbol_table_name))
pe_table_name = intermed.IntermediateSymbolTable.create(
self.context,
self.config_path,
"windows",
"pe",
class_types=pe.class_types)
for mod in self.scan_modules(self.context, kernel.layer_name,
kernel.symbol_table_name):
try:
BaseDllName = mod.BaseDllName.get_string()
except exceptions.InvalidAddressException:
BaseDllName = ""
try:
FullDllName = mod.FullDllName.get_string()
except exceptions.InvalidAddressException:
FullDllName = ""
file_output = "Disabled"
if self.config['dump']:
session_layer_name = self.find_session_layer(
self.context, session_layers, mod.DllBase)
file_output = f"Cannot find a viable session layer for {mod.DllBase:#x}"
if session_layer_name:
file_handle = dlllist.DllList.dump_pe(
self.context,
pe_table_name,
mod,
self.open,
layer_name=session_layer_name)
file_output = "Error outputting file"
if file_handle:
file_output = file_handle.preferred_filename
yield (0, (format_hints.Hex(mod.vol.offset),
format_hints.Hex(mod.DllBase),
format_hints.Hex(mod.SizeOfImage), BaseDllName,
FullDllName, file_output))