def GenerateVADVolatilityResult(process_list):
volatility_response = rdfvalue.VolatilityResult()
section = rdfvalue.VolatilitySection()
section.table.headers.Append(print_name="Protection",
name="protection")
section.table.headers.Append(print_name="start", name="start_pfn")
section.table.headers.Append(print_name="Filename", name="filename")
for proc in process_list:
section.table.rows.Append(values=[
rdfvalue.VolatilityValue(type="__MMVAD_FLAGS",
name="VadFlags",
offset=0,
vm="None",
value=7,
svalue="EXECUTE_WRITECOPY"),
rdfvalue.VolatilityValue(value=42),
rdfvalue.VolatilityValue(
type="_UNICODE_STRING",
name="FileName",
offset=275427702111096,
vm="AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)",
value=275427702111096,
svalue=proc)
])
volatility_response.sections.Append(section)
return volatility_response
def testVolatilityResultToExportedVolatilityMutantConverter(self):
volatility_values_1 = rdfvalue.VolatilityValues(values=[
rdfvalue.VolatilityValue(value=50211728),
rdfvalue.VolatilityValue(value=1),
rdfvalue.VolatilityValue(value=1),
rdfvalue.VolatilityValue(value=1),
rdfvalue.VolatilityValue(value=0),
rdfvalue.VolatilityValue(svalue=""),
rdfvalue.VolatilityValue()])
volatility_values_2 = rdfvalue.VolatilityValues(values=[
rdfvalue.VolatilityValue(value=50740512),
rdfvalue.VolatilityValue(value=2),
rdfvalue.VolatilityValue(value=2),
rdfvalue.VolatilityValue(value=0),
rdfvalue.VolatilityValue(value=275427826012256),
rdfvalue.VolatilityValue(svalue="163255304:2168"),
rdfvalue.VolatilityValue(svalue="XYZLock")])
volatility_table = rdfvalue.VolatilityTable(
headers=[rdfvalue.VolatilityHeader(name="offset_p"),
rdfvalue.VolatilityHeader(name="ptr_count"),
rdfvalue.VolatilityHeader(name="hnd_count"),
rdfvalue.VolatilityHeader(name="mutant_signal"),
rdfvalue.VolatilityHeader(name="mutant_thread"),
rdfvalue.VolatilityHeader(name="cid"),
rdfvalue.VolatilityHeader(name="mutant_name")],
rows=[volatility_values_1,
volatility_values_2])
volatility_result = rdfvalue.VolatilityResult(
plugin="mutantscan",
sections=[rdfvalue.VolatilitySection(table=volatility_table)])
converter = export.VolatilityResultToExportedVolatilityMutantConverter()
results = list(converter.Convert(rdfvalue.ExportedMetadata(),
volatility_result,
token=self.token))
self.assertEqual(len(results), 2)
self.assertEqual(results[0].offset, 50211728)
self.assertEqual(results[0].ptr_count, 1)
self.assertEqual(results[0].handle_count, 1)
self.assertEqual(results[0].signal, 1)
self.assertEqual(results[0].thread, 0)
self.assertEqual(results[0].cid, "")
self.assertEqual(results[0].name, "")
self.assertEqual(results[1].offset, 50740512)
self.assertEqual(results[1].ptr_count, 2)
self.assertEqual(results[1].handle_count, 2)
self.assertEqual(results[1].signal, 0)
self.assertEqual(results[1].thread, 275427826012256)
self.assertEqual(results[1].cid, "163255304:2168")
self.assertEqual(results[1].name, "XYZLock")
def testVolatilityResultToExportedVolatilityHandleConverter(self):
volatility_values_1 = rdfvalue.VolatilityValues(values=[
rdfvalue.VolatilityValue(value=275427776305632),
rdfvalue.VolatilityValue(value=4),
rdfvalue.VolatilityValue(value=4),
rdfvalue.VolatilityValue(value=2097151),
rdfvalue.VolatilityValue(svalue="Process"),
rdfvalue.VolatilityValue(svalue="System(4)"),
rdfvalue.VolatilityValue()])
volatility_values_2 = rdfvalue.VolatilityValues(values=[
rdfvalue.VolatilityValue(value=273366078738336),
rdfvalue.VolatilityValue(value=4),
rdfvalue.VolatilityValue(value=8),
rdfvalue.VolatilityValue(value=131103),
rdfvalue.VolatilityValue(svalue="Key"),
rdfvalue.VolatilityValue(
svalue="MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\HIVELIST")])
volatility_table = rdfvalue.VolatilityTable(
headers=[rdfvalue.VolatilityHeader(name="offset_v"),
rdfvalue.VolatilityHeader(name="pid"),
rdfvalue.VolatilityHeader(name="handle"),
rdfvalue.VolatilityHeader(name="access"),
rdfvalue.VolatilityHeader(name="obj_type"),
rdfvalue.VolatilityHeader(name="details")],
rows=[volatility_values_1,
volatility_values_2])
volatility_result = rdfvalue.VolatilityResult(
plugin="mutantscan",
sections=[rdfvalue.VolatilitySection(table=volatility_table)])
converter = export.VolatilityResultToExportedVolatilityHandleConverter()
results = list(converter.Convert(rdfvalue.ExportedMetadata(),
volatility_result,
token=self.token))
self.assertEqual(len(results), 2)
self.assertEqual(results[0].offset, 275427776305632)
self.assertEqual(results[0].pid, 4)
self.assertEqual(results[0].handle, 4)
self.assertEqual(results[0].access, 2097151)
self.assertEqual(results[0].type, "Process")
self.assertEqual(results[0].path, "System(4)")
self.assertEqual(results[1].offset, 273366078738336)
self.assertEqual(results[1].pid, 4)
self.assertEqual(results[1].handle, 8)
self.assertEqual(results[1].access, 131103)
self.assertEqual(results[1].type, "Key")
self.assertEqual(results[1].path,
"MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\HIVELIST")
def VolatilityAction(self, _):
ps_list_file = os.path.join(config_lib.CONFIG["Test.data_dir"],
"vol_pslist_result.dat")
serialized_result = open(ps_list_file).read(100000)
return [rdfvalue.VolatilityResult(serialized_result)]
def __init__(self, **kwargs):
super(ProtobufRenderer, self).__init__(**kwargs)
self.response = rdfvalue.VolatilityResult()
self.active_section = None
self.mode = None