def find_numberprocessors(addr_space, types): NumberOfProcessorsDict = dict() all_tasks = process_list(addr_space, types) for task in all_tasks: if not addr_space.is_valid_address(task): continue process_address_space = process_addr_space(addr_space, types, task, addr_space.base.fname) if process_address_space is None: continue peb = process_peb(addr_space, types, task) try: if not process_address_space.is_valid_address(peb): continue except: continue NumberOfProcessors = peb_number_processors(process_address_space, types, peb) if NumberOfProcessors in NumberOfProcessorsDict: NumberOfProcessorsDict[NumberOfProcessors] += 1 else: NumberOfProcessorsDict[NumberOfProcessors] = 1 MaxNumberOfProcessors = max([(NumberOfProcessorsDict[x], x) for x in NumberOfProcessorsDict])[1] return MaxNumberOfProcessors
def find_numberprocessors(addr_space, types): NumberOfProcessorsDict = dict() all_tasks = process_list(addr_space, types) for task in all_tasks: if not addr_space.is_valid_address(task): continue process_address_space = process_addr_space(addr_space, types, task, addr_space.base.fname) if process_address_space is None: continue peb = process_peb(addr_space, types, task) try: if not process_address_space.is_valid_address(peb): continue except: continue NumberOfProcessors = peb_number_processors(process_address_space, types, peb) if NumberOfProcessors in NumberOfProcessorsDict: NumberOfProcessorsDict[NumberOfProcessors] +=1 else: NumberOfProcessorsDict[NumberOfProcessors] = 1 MaxNumberOfProcessors =max([ (NumberOfProcessorsDict[x],x) for x in NumberOfProcessorsDict])[1] return MaxNumberOfProcessors
def execute(self): from vtypes import xpsp2types xpsp2types['_EPROCESS'][1]['Token'] = [0xc8, ['_EX_FAST_REF']] theProfile = Profile() theProfile.add_types(token_types) (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts) pslist = process_list(addr_space, types, symtab) for proc_addr in pslist: proc = Object("_EPROCESS", proc_addr, addr_space, profile=theProfile) if not proc.Token.is_valid(): name = process_imagename(addr_space, types, proc_addr) pid = process_pid(addr_space, types, proc_addr) print "%s (%d): Token unreadable" % (name, pid) continue tok_addr = proc.Token.Value & ~0x7 tok = Object('_TOKEN', tok_addr, proc.vm, None, profile=theProfile) sids = [] sid_addr = tok.UserAndGroups.offset sid_size = obj_size(token_types, '_SID_AND_ATTRIBUTES') for i in range(tok.UserAndGroupCount): sids.append( Object('_SID_AND_ATTRIBUTES', sid_addr, proc.vm, None, profile=theProfile)) sid_addr += sid_size for sa in sids: sid = sa.Sid.dereference_as('_SID') subauth_addr = sid.get_member_offset('SubAuthority') subauths = unpack( "<%dI" % sid.SubAuthorityCount, proc.vm.read(subauth_addr, sid.SubAuthorityCount * 4)) sid_string = "S-" + "-".join( str(i) for i in (sid.Revision, sid.IdentifierAuthority.Value[-1]) + subauths) if sid_string in well_known_sids: sid_name = " (%s)" % well_known_sids[sid_string] else: sid_name_re = find_sid_re(sid_string, well_known_sid_re) if sid_name_re: sid_name = " (%s)" % sid_name_re else: sid_name = "" print "%s (%d): %s%s" % (proc.ImageFileName, proc.UniqueProcessId.v(), sid_string, sid_name)
def execute(self): (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts) pslist = process_list(addr_space, types, symtab) for proc_addr in pslist: proc = Object("_EPROCESS", proc_addr, addr_space, profile=Profile()) print "%#x %s (%d): %d" % (proc.offset, proc.ImageFileName, proc.UniqueProcessId.v(), proc.VirtualSize) print proc.Peb
def find_space(addr_space, types, symtab, addr): # short circuit if given one works if addr_space.is_valid_address(addr): return addr_space pslist = process_list(addr_space, types, symtab) for p in pslist: dtb = process_dtb(addr_space, types, p) space = create_addr_space(addr_space, dtb) if space.is_valid_address(addr): return space return None
def execute(self): (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts) fieldfile = open(self.opts.fieldlist) pslist = process_list(addr_space, types, symtab) for line in fieldfile: line = line.strip() fields = line.split(".") try: fields = fields[:-1] + [int(fields[-1])] except ValueError: pass print line + "," + ",".join("%x" % read_obj(addr_space, types, ['_EPROCESS'] + fields, p) for p in pslist)
def execute(self): (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts) theProfile = Profile() pslist = [ Object("_EPROCESS", p, addr_space, profile=theProfile) for p in process_list(addr_space, types, symtab) ] for p in pslist: for t in each_thread(p): print "********** %s (%x:%x) **********" % (p.ImageFileName, t.Cid.UniqueProcess.v(), t.Cid.UniqueThread.v()) for irp in each_irp(t): print_irp_info(irp)
def execute(self): from vtypes import xpsp2types xpsp2types["_ETHREAD"][1]["ThreadListEntry"] = [0x22C, ["_LIST_ENTRY"]] xpsp2types["_KTHREAD"][1]["Win32Thread"] = [0x130, ["pointer", ["_W32THREAD"]]] theProfile = Profile() theProfile.add_types(gdi_types) (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts) pslist = process_list(addr_space, types, symtab) pslist = [Object("_EPROCESS", p, addr_space, profile=theProfile) for p in pslist] for p in pslist: for t in get_threads(p): self.print_message_queue(t)
def find_top_window(self, process_address_space, types, symtab, theProfile): top_windows = [] windows = set() pslist = process_list(process_address_space, types, symtab) for p in pslist: proc = Object("_EPROCESS", p, process_address_space, profile=theProfile) win = None for thrd in get_threads(proc): win = self.get_desktop_window(thrd) if win: break if win and win not in windows: top_windows.append( (win, thrd, proc) ) windows.add(win) return top_windows
def execute(self): (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts) fieldfile = open(self.opts.fieldlist) pslist = process_list(addr_space, types, symtab) for line in fieldfile: line = line.strip() fields = line.split(".") try: fields = fields[:-1] + [int(fields[-1])] except ValueError: pass print line + "," + ",".join( "%x" % read_obj(addr_space, types, ['_EPROCESS'] + fields, p) for p in pslist)
def find_top_window(self, process_address_space, types, symtab, theProfile): top_windows = [] windows = set() pslist = process_list(process_address_space, types, symtab) for p in pslist: proc = Object("_EPROCESS", p, process_address_space, profile=theProfile) win = None for thrd in get_threads(proc): win = self.get_desktop_window(thrd) if win: break if win and win not in windows: top_windows.append((win, thrd, proc)) windows.add(win) return top_windows
def execute(self): from vtypes import xpsp2types xpsp2types['_EPROCESS'][1]['Token'] = [ 0xc8, ['_EX_FAST_REF']] theProfile = Profile() theProfile.add_types(token_types) (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts) pslist = process_list(addr_space, types, symtab) for proc_addr in pslist: proc = Object("_EPROCESS", proc_addr, addr_space, profile=theProfile) if not proc.Token.is_valid(): name = process_imagename(addr_space, types, proc_addr) pid = process_pid(addr_space, types, proc_addr) print "%s (%d): Token unreadable" % (name,pid) continue tok_addr = proc.Token.Value & ~0x7 tok = Object('_TOKEN', tok_addr, proc.vm, None, profile=theProfile) sids = [] sid_addr = tok.UserAndGroups.offset sid_size = obj_size(token_types, '_SID_AND_ATTRIBUTES') for i in range(tok.UserAndGroupCount): sids.append(Object('_SID_AND_ATTRIBUTES', sid_addr, proc.vm, None, profile=theProfile)) sid_addr += sid_size for sa in sids: sid = sa.Sid.dereference_as('_SID') subauth_addr = sid.get_member_offset('SubAuthority') subauths = unpack("<%dI" % sid.SubAuthorityCount, proc.vm.read(subauth_addr, sid.SubAuthorityCount*4)) sid_string = "S-" + "-".join(str(i) for i in (sid.Revision,sid.IdentifierAuthority.Value[-1])+subauths) if sid_string in well_known_sids: sid_name = " (%s)" % well_known_sids[sid_string] else: sid_name_re = find_sid_re(sid_string, well_known_sid_re) if sid_name_re: sid_name = " (%s)" % sid_name_re else: sid_name= "" print "%s (%d): %s%s" % (proc.ImageFileName, proc.UniqueProcessId.v(), sid_string, sid_name)
def execute(self): from vtypes import xpsp2types xpsp2types['_ETHREAD'][1]['ThreadListEntry'] = [0x22c, ['_LIST_ENTRY']] xpsp2types['_KTHREAD'][1]['Win32Thread'] = [ 0x130, ['pointer', ['_W32THREAD']] ] theProfile = Profile() theProfile.add_types(gdi_types) (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts) pslist = process_list(addr_space, types, symtab) pslist = [ Object('_EPROCESS', p, addr_space, profile=theProfile) for p in pslist ] for p in pslist: for t in get_threads(p): self.print_message_queue(t)
def execute(self): from vtypes import xpsp2types xpsp2types['_ETHREAD'][1]['ThreadListEntry'] = [0x22c, ['_LIST_ENTRY']] xpsp2types['_KTHREAD'][1]['ServiceTable'] = [ 0xe0, ['pointer', ['_SERVICE_DESCRIPTOR_TABLE']] ] profile = Profile() profile.add_types(ssdt_types) (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts) pslist = process_list(addr_space, types, symtab) procs = [ Object("_EPROCESS", p, addr_space, profile=profile) for p in pslist ] modlist = modules_list(addr_space, types, symtab) mods = [ Object("_LDR_MODULE", m, addr_space, profile=profile) for m in modlist ] mods = dict((mod.BaseAddress.v(), mod) for mod in mods) mod_addrs = sorted(mods.keys()) # Gather up all SSDTs referenced by threads print "Gathering all referenced SSDTs from KTHREADs..." ssdts = set() for proc in procs: for thread in get_threads(proc): ssdts.add(thread.Tcb.ServiceTable) # Get a list of *unique* SSDT entries. Typically we see only two. tables = set() for ssdt in ssdts: for i, desc in enumerate(ssdt.Descriptors): if desc.is_valid() and desc.ServiceLimit != 0: tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit)) print "Finding appropriate address space for tables..." tables_with_vm = [] for idx, table, n in tables: found = False for p in procs: if p.vm.is_valid_address(table): tables_with_vm.append((idx, table, n, p.vm)) found = True break if not found: # Any VM is equally bad... tables_with_vm.append((idx, table, n, addr_space)) # Print out the entries for each table for idx, table, n, vm in sorted(tables_with_vm, key=itemgetter(0)): print "SSDT[%d] at %x with %d entries" % (idx, table, n) if vm.is_valid_address(table): for i in range(n): syscall_addr = Object('unsigned long', table + (i * 4), vm, profile=profile).v() try: syscall_name = xpsp2_syscalls[idx][i] except IndexError: syscall_name = "Unknown" syscall_mod = find_module(mods, mod_addrs, syscall_addr) if syscall_mod: syscall_modname = syscall_mod.ModuleName else: syscall_modname = "UNKNOWN" print " Entry %#06x: %#x (%s) owned by %s" % ( idx * 0x1000 + i, syscall_addr, syscall_name, syscall_modname) else: print " [SSDT not resident]"
def execute(self): from vtypes import xpsp2types xpsp2types['_ETHREAD'][1]['ThreadListEntry'] = [ 0x22c, ['_LIST_ENTRY']] xpsp2types['_KTHREAD'][1]['ServiceTable'] = [ 0xe0, ['pointer', ['_SERVICE_DESCRIPTOR_TABLE']]] profile = Profile() profile.add_types(ssdt_types) (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts) pslist = process_list(addr_space, types, symtab) procs = [ Object("_EPROCESS", p, addr_space, profile=profile) for p in pslist ] modlist = modules_list(addr_space, types, symtab) mods = [ Object("_LDR_MODULE", m, addr_space, profile=profile) for m in modlist ] mods = dict( (mod.BaseAddress.v(),mod) for mod in mods ) mod_addrs = sorted(mods.keys()) # Gather up all SSDTs referenced by threads print "Gathering all referenced SSDTs from KTHREADs..." ssdts = set() for proc in procs: for thread in get_threads(proc): ssdts.add(thread.Tcb.ServiceTable) # Get a list of *unique* SSDT entries. Typically we see only two. tables = set() for ssdt in ssdts: for i,desc in enumerate(ssdt.Descriptors): if desc.is_valid() and desc.ServiceLimit != 0: tables.add((i,desc.KiServiceTable.v(),desc.ServiceLimit)) print "Finding appropriate address space for tables..." tables_with_vm = [] for idx, table, n in tables: found = False for p in procs: if p.vm.is_valid_address(table): tables_with_vm.append( (idx, table, n, p.vm) ) found = True break if not found: # Any VM is equally bad... tables_with_vm.append( (idx, table, n, addr_space) ) # Print out the entries for each table for idx,table,n,vm in sorted(tables_with_vm, key=itemgetter(0)): print "SSDT[%d] at %x with %d entries" % (idx,table, n) if vm.is_valid_address(table): for i in range(n): syscall_addr = Object('unsigned long', table+(i*4), vm, profile=profile).v() try: syscall_name = xpsp2_syscalls[idx][i] except IndexError: syscall_name = "Unknown" syscall_mod = find_module(mods, mod_addrs, syscall_addr) if syscall_mod: syscall_modname = syscall_mod.ModuleName else: syscall_modname = "UNKNOWN" print " Entry %#06x: %#x (%s) owned by %s" % (idx*0x1000+i, syscall_addr, syscall_name, syscall_modname) else: print " [SSDT not resident]"
def execute(self): op = self.op opts = self.opts dbout = opts.outfd1 if (opts.filename is None) or (not os.path.isfile(opts.filename)): op.error("File is required") else: filename = opts.filename temp = filename.replace("\\", "/").lower().split("/") imgname = temp[-1] if dbout is not None: conn = sqlite3.connect(dbout) cur = conn.cursor() try: cur.execute("select * from sids") except sqlite3.OperationalError: cur.execute( "create table sids (pname text, pid integer, sid_string text, sid_name text, memimage text)" ) conn.commit() from vtypes import xpsp2types xpsp2types["_EPROCESS"][1]["Token"] = [0xC8, ["_EX_FAST_REF"]] theProfile = Profile() theProfile.add_types(token_types) (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts) pslist = process_list(addr_space, types, symtab) for proc_addr in pslist: proc = Object("_EPROCESS", proc_addr, addr_space, profile=theProfile) if not proc.Token.is_valid(): name = process_imagename(addr_space, types, proc_addr) pid = process_pid(addr_space, types, proc_addr) print "%s (%d): Token unreadable" % (name, pid) continue tok_addr = proc.Token.Value & ~0x7 tok = Object("_TOKEN", tok_addr, proc.vm, None, profile=theProfile) sids = [] try: sid_addr = tok.UserAndGroups.offset sid_size = obj_size(token_types, "_SID_AND_ATTRIBUTES") for i in range(tok.UserAndGroupCount): sids.append(Object("_SID_AND_ATTRIBUTES", sid_addr, proc.vm, None, profile=theProfile)) sid_addr += sid_size except: pass for sa in sids: sid = sa.Sid.dereference_as("_SID") subauth_addr = sid.get_member_offset("SubAuthority") subauths = unpack("<%dI" % sid.SubAuthorityCount, proc.vm.read(subauth_addr, sid.SubAuthorityCount * 4)) sid_string = "S-" + "-".join( str(i) for i in (sid.Revision, sid.IdentifierAuthority.Value[-1]) + subauths ) if sid_string in well_known_sids: sid_name = "(%s)" % well_known_sids[sid_string] else: sid_name_re = find_sid_re(sid_string, well_known_sid_re) if sid_name_re: sid_name = "(%s)" % sid_name_re else: if not dbout == None: sid_name = "(none)" else: sid_name = "" if not dbout == None: cur.execute( "insert into sids values (?,?,?,?,?)", (proc.ImageFileName.lower(), proc.UniqueProcessId.v(), sid_string, sid_name.lower(), imgname), ) else: print "%s (%d): %s %s" % (proc.ImageFileName, proc.UniqueProcessId.v(), sid_string, sid_name) if not dbout == None: conn.commit() conn.close()