def root_kit_scan(name):
if name == None:
return 0
else:
hash_file_read = open("./config/" + name + "_hash", "r")
read_data = hash_file_read.readlines()
# initialize vm
vm = pyvmi.init(name, "complete")
if vm == None:
return 0
else:
kernel_start = vm.translate_ksym2v("_stext")
kernel_end = vm.translate_ksym2v("_etext")
count = 0
for i in read_data:
hash_val_array = i.split()
sym_name = hash_val_array[0]
hash_val = hash_val_array[1]
sym_va = vm.read_addr_ksym(sym_name)
if sym_va <= kernel_end or sym_va >= kernel_start:
string = vm.read_str_ksym(sym_name)
re_hash_val = hashlib.md5(string).hexdigest()
if (re_hash_val != hash_val):
count = count + 1
continue
else:
continue
else:
count = count + 1
if count > 0:
return count
else:
return count
def kernel_check(name):
if name == None:
return 0
else:
string = ""
vm = pyvmi.init(name, "complete")
kernel_start = vm.translate_ksym2v("_stext")
kernel_end = vm.translate_ksym2v("_etext")
i = kernel_start
while i < kernel_end:
memory = vm.read_va(i, 0, 512)
string = string + memory
i = i + 512
# time to hash it
final_hash = hashlib.md5(string).hexdigest()
init_kernel = open("./config/" + name + "_kernel", "r")
while True:
kernel_initial = init_kernel.readline().split()
if kernel_initial[1] == name:
init_hash = kernel_initial[2]
break
else:
continue
if (final_hash != init_hash):
init_kernel.close()
return 1
else:
init_kernel.close()
return 0
def main(self, *a, **kw):
# Setup physical memory
if hasattr(self, "domain"):
self.vm = pyvmi.init(self.domain, "partial")
else:
self.parser.error("PyVmiFS: must provide a Xen domain to mount")
Fuse.main(self, *a, **kw)
def main(self, *a, **kw):
# Setup physical memory
if hasattr(self, "domain"):
self.vm = pyvmi.init(self.domain, "partial")
else:
self.parser.error("PyVmiFS: must provide a Xen domain to mount")
Fuse.main(self, *a, **kw)
def write_sys_tab_hash(name):
if name == None:
return 0
else:
vm = pyvmi.init(name, "complete")
if (vm == None):
print "Failed to start libvmi"
return 0
else:
# to create symbol file
file = open("./guest_sysmap/" + name + "/" + name, "r")
file2 = open("./config/" + name + "_hash", "w")
sym_array = file.readlines()
for i in sym_array:
sym_split = i.split()
sym_name = sym_split[2]
sym_check = sym_name.split("_")
if sym_check[0] == "sys":
content = vm.read_str_ksym(sym_name)
addr = vm.read_addr_ksym(sym_name)
hash = hashlib.md5(content).hexdigest()
file2.write(sym_name + " " + hash + "\n")
elif sym_check == "":
sys.exit(0)
else:
continue
file.close()
file2.close()
return 1
def __init__(self, base, config, layered = False, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
self.as_assert(base == None or layered, "Must be first Address Space")
self.as_assert(config.LOCATION.startswith("vmi://"), "Location doesn't start with vmi://")
self.name = urllib.url2pathname(config.LOCATION[6:])
self.vmi = pyvmi.init(self.name, "partial")
self.as_assert(not self.vmi is None, "VM not found")
self.dtb = self.get_cr3()
def init_pyvmi_config(self, config):
sanitized_config = {}
for k, v in config.iteritems():
san_v = v
if isinstance(v, unicode):
san_v = str(v)
sanitized_config[str(k)] = san_v
self.vmi = pyvmi.init(sanitized_config)
return True
def vmiInit(vmstrings):
global vmList,VMIList
VMIList=[]
vmList=vmstrings.split(' ')
print "vmi init: ",vmList
for i in range(len(vmList)):
if(vmList[i]!=''):
print "vmi init ", vmList[i]
VMIList+=[pyvmi.init(vmList[i], "complete")]
def __init__(self, base, config, layered=False, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
self.as_assert(base == None or layered, "Must be first Address Space")
self.as_assert(config.LOCATION.startswith("vmi://"),
"Location doesn't start with vmi://")
self.name = urllib.url2pathname(config.LOCATION[6:])
self.vmi = pyvmi.init(self.name, "partial")
self.as_assert(not self.vmi is None, "VM not found")
self.dtb = self.get_cr3()
def main(argv):
vmi = pyvmi.init(argv[1], "complete")
if vmi.get_access_mode() == 'file':
print("Process listing for File {}".format(vmi.get_name()))
else:
print("Process listing for VM {}".format(vmi.get_name()))
for pid, procname in processes(vmi):
print "[%5d] %s" % (pid, procname)
def main(argv):
vmi = pyvmi.init(argv[1], "complete")
if vmi.get_access_mode() == 'file':
print("Process listing for File {}".format(vmi.get_name()))
else:
print("Process listing for VM {}".format(vmi.get_name()))
for pid, procname in processes(vmi):
print "[%5d] %s" % (pid, procname)
def __init__(self, base, config, layered=False, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
self.as_assert(base == None or layered, "Must be first Address Space")
self.as_assert(config.LOCATION.startswith("vmi://"),
"Location doesn't start with vmi://")
self.config = dict(inittype="partial")
if config.LOCATION.find("domid/") == 6:
self.domid = int(urllib.url2pathname(config.LOCATION[12:]))
self.config['domid'] = self.domid
elif config.LOCATION.find("name/") == 6:
self.name = urllib.url2pathname(config.LOCATION[11:])
self.config['name'] = self.name
else:
self.name = urllib.url2pathname(config.LOCATION[6:])
self.config['name'] = self.name
self.vmi = pyvmi.init(self.config)
self.as_assert(not self.vmi is None, "VM not found")
self.dtb = self.get_cr3()
def GET(self, uuid, command):
print uuid, command
web.header('Access-Control-Allow-Origin', '*')
(win, name, profile) = profiles[uuid]
if command == 'libvmi_pslist':
vmi = pyvmi.init(name, "complete")
pslist = get_processes(vmi, win)
res = ''
for pid, procname in pslist:
res += "[%5d] %s" % (pid, procname) + '\n'
res = command + '\n\n' + res
return res
else:
cmd = 'python vol.py -l vmi://%s --profile=%s %s' % (name, profile,
command)
res = os.popen(cmd).read()
res = command + '\n\n' + res
return res
def __init__(self, base, config, layered=False, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
self.as_assert(base == None or layered, "Must be first Address Space")
self.as_assert(
config.LOCATION.startswith("vmi://"),
"Location doesn't start with vmi://")
self.config = dict(inittype="partial")
if config.LOCATION.find("domid/") == 6:
self.domid = int(urllib.url2pathname(config.LOCATION[12:]))
self.config['domid']=self.domid
elif config.LOCATION.find("name/") == 6:
self.name = urllib.url2pathname(config.LOCATION[11:])
self.config['name'] = self.name
else:
self.name = urllib.url2pathname(config.LOCATION[6:])
self.config['name'] = self.name
self.vmi = pyvmi.init(self.config)
self.as_assert(not self.vmi is None, "VM not found")
self.dtb = self.get_cr3()
def list_modules(vmname):
vm = pyvmi.init(vmname, "complete")
if vm == None:
return 0
else:
next_module = vm.translate_ksym2v("modules")
list_head = next_module
while True:
tmp_next = vm.read_addr_va(next_module, 0)
if list_head == tmp_next:
break
else:
if (vm.get_page_mode() == 'ia32e'):
modname = vm.read_str_va(next_module + 16, 0)
else:
modname = vm.read_str_va(next_module + 8, 0)
print modname
next_module = tmp_next
def main(argv):
print("The pid for this process is: {}".format(os.getpid()))
try:
vmi = pyvmi.init(MEM_PATH, "complete")
except ValueError:
print("Please check your VMI config for {}".format(MEM_PATH))
exit(1)
procs_pyvmi = dict({x.pid:x for x in pyvmi_get_processes(vmi)})
procs_debugfs = dict({(x.pid, x) for x in debugfs_get_processes()})
attr_verify = ["uid", "gid", "ppid"]
for pid, proc_pyvmi in procs_pyvmi.iteritems():
if pid in procs_debugfs:
proc_debugfs = procs_debugfs[pid]
if not proc_debugfs == proc_pyvmi:
try:
check_privilege_escalation(proc_pyvmi,
proc_debugfs, attr_verify)
except AssertionError as e:
print(str(e))
def process_list(vmname):
vmi = pyvmi.init(vmname, "complete")
taskoffset, nameoffset, pidoffset, init_task_va = get_offsets(vmi)
processes = vmi.read_addr_va(init_task_va + taskoffset, 0)
current_process = processes
while True:
pid = vmi.read_32_va(current_process + pidoffset - taskoffset, 0)
procname = vmi.read_str_va(current_process + nameoffset - taskoffset,
0)
yield pid, procname
current_process = vmi.read_addr_va(current_process, 0)
if current_process == processes:
break
return
def kernel_config(name):
if (name == None):
return 0
else:
# get kernel hash value
vm = pyvmi.init(name, "complete")
if vm == None:
return 0
else:
kernel_start = vm.translate_ksym2v("_stext")
kernel_end = vm.translate_ksym2v("_etext")
file_input = open("./config/" + name + "_kernel", "w+")
i = kernel_start
kernel_string = ""
while i < kernel_end:
memory = vm.read_va(i, 0, 512)
kernel_string = kernel_string + memory
i = i + 512
hash = hashlib.md5(kernel_string).hexdigest()
file_input.write("kernel_hash " + name + " " + hash)
file_input.close()
print "Kernel_hash for " + name + " configured"
return 1
def init_pyvmi_name(self, name):
self.vmi = pyvmi.init(name, 'complete')
return True
def main (argv):
vmi = pyvmi.init(argv[1], "complete")
process_list(vmi)
import pyvmi
import sys
vmi = pyvmi.init("VM2-ovs", "complete")
#vmi = pyvmi.init(sys.argv[0], "complete")
def list_processes(vmi):
tasksOffset = vmi.get_offset("linux_tasks")
nameOffset = vmi.get_offset("linux_name")
pidOffset = vmi.get_offset("linux_pid")
init_task_va = vmi.translate_ksym2v("init_task")
processes = vmi.read_addr_va(init_task_va+tasksOffset, 0)
current_process = processes
while True:
pid = vmi.read_32_va(current_process+pidOffset-tasksOffset, 0)
procname = vmi.read_str_va(current_process+nameOffset-tasksOffset, 0)
yield pid, procname
current_process = vmi.read_addr_va(current_process,0)
if current_process == processes:
break
return
for i in range(100):
for pid, procname in list_processes(vmi):
print "%d, %s" % ( pid, procname )
print "i = ", i
def main(argv):
vmi = pyvmi.init(argv[1], "complete")
get_processes(vmi)
def main(argv):
vmi = pyvmi.init(argv[1], "complete")
for pid, procname in get_processes(vmi):
print "[%5d] %s" % (pid, procname)
def main(argv): vmi = pyvmi.init(argv[1], "complete") get_processes(vmi)
def vmiInit(VMName):
print "init ", VMName
global VMIList
VMIList[VMName]=pyvmi.init(VMName, "complete")
print VMIList
def main(argv):
vmi = pyvmi.init(argv[1], "complete")
for pid, procname in get_processes(vmi):
print "[%5d] %s" % (pid, procname)
