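    def test_heaps(self):
        """Check that every known heap of PID 856 reads as a valid HEAP.

        The expected heap base addresses were recorded once by scanning every
        mapping of the process for the HEAP signature (0xeeffeeff):

            for x in mappings:
                res = x.readStruct(x.start, winheap.HEAP)
                if res.Signature == 0xeeffeeff:
                    print x.start, "Signature:", hex(res.Signature)

        which printed 0x190000, 0x90000, 0x1a0000, 0x350000, 0x3b0000,
        0xc30000, 0xd60000, 0xe20000, 0xe80000 and 0x7f6f0000.
        """
        # The 'L' long-literal suffixes were dropped: plain int literals are
        # accepted by both Python 2 (promoted to long as needed) and Python 3,
        # and compare/hash equal to the longs the old list held.
        heaps = [0x190000, 0x90000, 0x1a0000, 0x350000, 0x3b0000, 0xc30000,
                 0xd60000, 0xe20000, 0xe80000, 0x7f6f0000]
        f = '/home/jal/outputs/vol/zeus.vmem'
        pid = 856
        # PID 856 has 176 mappings
        mapper = VolatilityProcessMapper(f, pid)
        mappings = mapper.getMappings()

        from haystack.structures.win32 import winheap
        for mstart in heaps:
            heap = mappings.get_mapping_for_address(mstart)
            # get_mapping_for_address() presumably returns None for an address
            # no mapping covers (TODO confirm); assert it explicitly so the
            # failure is readable instead of an AttributeError on None.
            self.assertIsNotNone(heap, 'no mapping covers heap at %s' % hex(mstart))
            res = heap.readStruct(heap.start, winheap.HEAP)
            self.assertTrue(res.isValid(mappings), 'invalid HEAP at %s' % hex(mstart))

        # The heaps found by signature must be exactly what get_heaps() reports.
        self.assertEqual(set(heaps), set(m.start for m in mappings.get_heaps()))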
    def test_init(self):
        """Check mapping counts and that the mapper can be reused on one image.

        Expected counts come from
        ``vol.py -f /home/jal/outputs/vol/zeus.vmem -p 856 vadwalk | wc -l``
        with the 5 header lines removed from the count. Analysis of the image:
        https://malwarereversing.wordpress.com/2011/09/23/zeus-analysis-in-volatility-2-0/
        """
        image = '/home/jal/outputs/vol/zeus.vmem'
        # (pid, expected number of mappings). Building the second mapper right
        # after the first also checks that a reused mapper does not break
        # volatility.
        expected = [(856, 176), (676, 118)]
        for pid, count in expected:
            mappings = VolatilityProcessMapper(image, pid).getMappings()
            self.assertEqual(len(mappings), count)
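    def test_read_mem(self):
        """Read the HEAP structures of PID 888 (wscntfy.exe) from the image.

        Every mapping whose word at offset 8 equals the HEAP signature
        (0xeeffeeff) is read as a winheap.HEAP; the test then checks the
        ctypes size of those structures and that the heaps found by
        signature are the ones get_heaps() reports.
        """
        f = '/home/jal/outputs/vol/zeus.vmem'
        pid = 888  # wscntfy.exe
        mapper = VolatilityProcessMapper(f, pid)
        mappings = mapper.getMappings()
        self.assertEqual(len(mappings), 51)
        self.assertEqual(mappings.get_os_name(), 'winxp')

        ctypes = mappings.config.ctypes
        from haystack.structures.win32 import winheap
        # Keep every HEAP keyed by mapping start rather than only the last one:
        # the previous loop left its result unbound (NameError instead of a
        # test failure) when no mapping carried the signature, and printed
        # each structure as leftover debug output.
        found = {}
        for m in mappings.mappings:
            data = m.readWord(m.start + 8)
            if data == 0xeeffeeff:
                # we have a heap
                found[m.start] = m.readStruct(m.start, winheap.HEAP)
        self.assertTrue(found, 'no HEAP signature found in any mapping of pid %d' % pid)

        # Size of the HEAP ctypes structure for this image's winxp profile.
        for x in found.values():
            self.assertEqual(ctypes.sizeof(x), 1430)

        # Same invariant as test_heaps: the signature scan and get_heaps() agree.
        heaps = mappings.get_heaps()
        self.assertEqual(set(found), set(m.start for m in heaps))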
 def test_read_mem(self):
     """Build the mappings of PID 888 (wscntfy.exe) from the zeus image."""
     image = '/home/jal/outputs/vol/zeus.vmem'
     wscntfy_pid = 888
     mapper = VolatilityProcessMapper(image, wscntfy_pid)
     mappings = mapper.getMappings()
 def initVolatility(self, volname, pid):
     """Return what VolatilityProcessMapper(volname, pid).getMappings() produces.

     `volname` is the memory image path and `pid` the process to map; the
     mapper itself is not kept.
     """
     return VolatilityProcessMapper(volname, pid).getMappings()