예제 #1
0
    def __init__(self, ctx):
        fe.log('in memdump constructor')
        fe.set_name('memdump')

        fe.log('getting memsize')
        self.memsize = fe.get_memsize()
        fe.log(f'memsize: {self.memsize}')

        self.offset = 0
        self.ttl = 100
        #self.bound = fe.MAX_FIELD_SIZE - 1024
        #self.bound = 8096
        self.bound = 2**22
        self.did = -1

        fe.event_register({'event_type': fe.BE, 'callback': self.be_callback})
        fe.event_register({
            'event_type': fe.TIMER,
            'time_value': 2.0,
            'callback': self.timer_callback
        })

        self.ticks = 0
        self.one_way = False
        self.two_way = False

        self.zco = zlib.compressobj()

        fe.log('leaving memdump constructor')
예제 #2
0
    def __init__(self, ctx):
        fe.log("in pslist constructor")
        fe.set_name("pslist")

        self.lookups = {
            "name_offset": fe.lookup_structure("task_struct", "comm"),
            "pid_offset": fe.lookup_structure("task_struct", "pid"),
            "tasks_offset": fe.lookup_structure("task_struct", "tasks"),
            "init_task": fe.lookup_symbol("init_task"),
        }

        e = {"event_type": fe.BE, "callback": self.be_callback}
        fe.event_register(e)

        e = {
            "event_type": fe.TIMER,
            "time_value": 0.1,  # seconds
            "callback": self.timer_callback,
        }
        fe.event_register(e)

        self.pslist = {}
        self.log = []
        self.calls = []
        self.msgs = []
        self.procs = []

        fe.log("leaving pslist constructor")
예제 #3
0
    def __init__(self, ctx):
        fe.log("in memdump constructor")
        fe.set_name("memdump")

        fe.log("getting memsize")
        self.memsize = fe.get_memsize()
        fe.log(f"memsize: {self.memsize}")

        self.offset = 0
        self.ttl = 100
        # self.bound = fe.MAX_FIELD_SIZE - 1024
        # self.bound = 8096
        self.bound = 2 ** 22
        self.did = -1

        fe.event_register({"event_type": fe.BE, "callback": self.be_callback})
        fe.event_register(
            {"event_type": fe.TIMER, "time_value": 2.0, "callback": self.timer_callback}
        )

        self.ticks = 0
        self.one_way = False
        self.two_way = False

        self.zco = zlib.compressobj()

        fe.log("leaving memdump constructor")
예제 #4
0
    def __init__(self, ctx):
        fe.log("in Example constructor")
        fe.set_name("example")
        self.cr3_ctr = 0
        self.cr3_event = None
        self.pslist = {}

        self.lookups = {
            "name_offset": fe.lookup_structure("task_struct", "comm"),
            "pid_offset": fe.lookup_structure("task_struct", "pid"),
            "tasks_offset": fe.lookup_structure("task_struct", "tasks"),
            "init_task": fe.lookup_symbol("init_task"),
        }

        fe.events_start()
        e = {
            "event_type": fe.REG,
            "reg_type": fe.CR3,
            "sync": fe.ASYNC,
            "callback": self.cr3_callback,
        }
        self.cr3_event = fe.event_register(e)
        fe.log("registered CR3 event: {eid}".format(eid=self.cr3_event))

        e = {
            "event_type": fe.TIMER,
            "time_value": 10.0,  # seconds
            "callback": self.timer_callback,
        }
        fe.event_register(e)

        e = {"event_type": fe.BE, "callback": self.be_callback}
        fe.event_register(e)

        fe.log("leaving Example constructor")
예제 #5
0
    def __init__(self, ctx):
        fe.log("in arav constructor")
        fe.set_name("arav")

        self.l = {
            "name_offset": fe.lookup_structure("task_struct", "comm"),
            "pid_offset": fe.lookup_structure("task_struct", "pid"),
            "tasks_offset": fe.lookup_structure("task_struct", "tasks"),
            "mm_offset": fe.lookup_structure("task_struct", "mm"),
            "pgd_offset": fe.lookup_structure("mm_struct", "pgd"),
            "vm_file_offset": fe.lookup_structure("vm_area_struct", "vm_file"),
            "vm_file_path_offset": fe.lookup_structure("file", "f_path"),
            "path_dentry_offset": fe.lookup_structure("path", "dentry"),
            "dentry_d_name_offset": fe.lookup_structure("dentry", "d_name"),
            "dentry_d_parent_offset":
            fe.lookup_structure("dentry", "d_parent"),
            "d_name_str_offset": fe.lookup_structure("qstr", "name"),
            "commit_creds": fe.lookup_symbol("commit_creds"),
        }

        e = {"event_type": fe.BE, "callback": self.be_callback}
        fe.event_register(e)

        e = {
            "event_type": fe.TIMER,
            "time_value": 2.0,
            "callback": self.timer_callback
        }
        fe.event_register(e)

        self.state = INIT
        self.pslist = {}
        self.events = {}
        self.target_proc = {}
        self.last = 0.0
        self.tick = 0
        self.symbol_string = ""
        self.symbols = {}
        self.fmts = []
        self.users = []

        self.load_symbols()
        self.parse_symbols()
        fe.events_start()

        fe.log("leaving arav constructor")
예제 #6
0
    def __init__(self, ctx):
        fe.log("in syscalls constructor")
        fe.set_name("syscalls")

        e = {"event_type": fe.BE, "callback": self.be_callback}
        fe.event_register(e)

        e = {
            "event_type": fe.TIMER,
            "time_value": 2.0,  # seconds
            "callback": self.timer_callback,
        }
        fe.event_register(e)
        self.ticks = 0
        self.calls = 0

        fe.log("leaving syscalls constructor")
예제 #7
0
    def __init__(self, ctx):
        fe.set_name("modlist")
        self.pslist = {}

        self.lookups = {
            "name_offset": fe.lookup_structure("task_struct", "comm"),
            "pid_offset": fe.lookup_structure("task_struct", "pid"),
            "tasks_offset": fe.lookup_structure("task_struct", "tasks"),
            "modules": fe.lookup_symbol("modules"),
        }

        e = {"event_type": fe.BE, "callback": self.be_callback}
        fe.event_register(e)

        self.do_modlist()

        fe.exit()
예제 #8
0
    def __init__(self, ctx):
        fe.log("in pslist_dk constructor")
        fe.set_name("pslist_dk")

        e = {"event_type": fe.BE, "callback": self.be_callback}
        fe.event_register(e)
        self.pslist = {}
        self.log = []
        self.calls = []
        self.msgs = []
        self.procs = []

        timeit_on = False
        cprof = False

        if cprof:
            self.do_dk_pslist(pause=True)  # zmq warmup
            cProfile.runctx(
                "self.do_dk_pslist()",
                globals(),
                locals(),
                filename="/home/micah/femain.dk.profile",
            )

        if timeit_on:
            self.do_dk_pslist(pause=True)  # zmq warmup
            fe.pause_vm()
            t = timeit.Timer(lambda: self.do_dk_pslist()).timeit(number=100)
            t = t / 100.0
            fe.resume_vm()
            fe.log("timeit pslist in {sec:.6f} seconds".format(sec=t))
        else:
            self.pslist = {}
            gc.disable()
            self.do_dk_pslist(pause=True)
            gc.enable()
            fe.log(self.pslist)

        for l in self.log:
            fe.log(l)
        fe.log("calls: %s" % self.calls)
        fe.log("procs: %s" % self.procs)
        fe.log("msgs: %s" % self.msgs)
        fe.log("leaving pslist_dk constructor")
        fe.exit()
예제 #9
0
    def __init__(self, ctx):
        fe.log("in rekall constructor")
        fe.set_name("rekall")

        e = {"event_type": fe.BE, "callback": self.be_callback}
        fe.event_register(e)

        e = {
            "event_type": fe.TIMER,
            "time_value": 2.0,  # seconds
            "callback": self.timer_callback,
        }
        fe.event_register(e)
        self.ticks = 0
        self.one_way = False
        self.two_way = False

        fe.log("leaving rekall constructor")