def task_print(data_list):
    """Print the Mach task list as a column-aligned table via ``columnprint``.

    Each element of ``data_list`` is an indexable record. The fields read
    here are data[0] (task count), data[1] (task offset), data[3][0..3]
    (reference count, "not terminated" flag, "being halted" flag, vm_map
    pointer), data[5] (PID), data[6] (process name) and data[7] (user name).
    Indices 8, 9 and 14 (task/proc back-pointers, a timestamp) were once
    printed and are deliberately left out of the table.
    """
    headerlist = [
        "TASK_CNT", "OFFSET(P)", "REF_CNT", "Active", "Halt", "VM_MAP(V)",
        "PID", "PROCESS", "USERNAME", ""
    ]

    def as_row(record):
        task_info = record[3]
        return [
            '%d' % record[0],
            "0x%.8X" % record[1],
            '%d' % task_info[0],  # references to this task
            '%d' % task_info[1],  # task has not been terminated
            '%d' % task_info[2],  # task is being halted
            '0x%.8X' % task_info[3],  # vm_map pointer
            '%s' % str(record[5]),
            '%s' % record[6],
            '%s' % record[7],
            '',  # trailing empty cell mirrors the empty header column
        ]

    contentlist = [as_row(record) for record in data_list]

    # One -1 per header column (presumably "no width cap"; see columnprint).
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)
파일: ps.py 프로젝트: Im-Mr-Chris/volafox
def task_print(data_list):
    """Print the Mach task list as a column-aligned table via ``columnprint``.

    Each element of ``data_list`` is an indexable record. The fields read
    here are data[0] (task count), data[1] (task offset), data[3][0..3]
    (reference count, "not terminated" flag, "being halted" flag, vm_map
    pointer), data[5] (PID), data[6] (process name) and data[7] (user name).
    Indices 8, 9 and 14 (task/proc back-pointers, a timestamp) were once
    printed and are deliberately left out of the table.
    """
    headerlist = [
        "TASK_CNT", "OFFSET(P)", "REF_CNT", "Active", "Halt", "VM_MAP(V)",
        "PID", "PROCESS", "USERNAME", ""
    ]

    def as_row(record):
        task_info = record[3]
        return [
            '%d' % record[0],
            "0x%.8X" % record[1],
            '%d' % task_info[0],  # references to this task
            '%d' % task_info[1],  # task has not been terminated
            '%d' % task_info[2],  # task is being halted
            '0x%.8X' % task_info[3],  # vm_map pointer
            '%s' % str(record[5]),
            '%s' % record[6],
            '%s' % record[7],
            '',  # trailing empty cell mirrors the empty header column
        ]

    contentlist = [as_row(record) for record in data_list]

    # One -1 per header column (presumably "no width cap"; see columnprint).
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)
파일: ps.py 프로젝트: Im-Mr-Chris/volafox
def proc_print(data_list, os_version):
    """Print the BSD process list as a table via ``columnprint``.

    Fields read per record: data[0] offset, data[1] pid, data[4] ppid,
    data[10] priority and data[12] nice (both passed through ``unsigned8``),
    data[14] process name, data[15] user name, data[5]/data[6] uid and gid
    (shown only when ``os_version >= 11``), data[17]/data[18] credential
    uid/gid and data[16] creation time (epoch seconds, rendered as UTC).
    """
    print('[+] Process List')

    # For os_version >= 11 the uid/gid pair is appended to the user name.
    with_ids = os_version >= 11
    user_header = "USERNAME(UID,GID)" if with_ids else "USERNAME"
    headerlist = [
        "OFFSET(P)", "PID", "PPID", "PRIORITY", "NICE", "PROCESS_NAME",
        user_header, "CRED(UID,GID)", "CREATE_TIME (UTC+0)", ""
    ]

    contentlist = []
    for record in data_list:
        if with_ids:
            user_cell = '%s(%d,%d)' % (record[15], record[5], record[6])
        else:
            user_cell = '%s' % (record[15])
        created = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(record[16]))
        contentlist.append([
            "0x%.8X" % record[0],
            '%d' % record[1],
            '%d' % record[4],
            '%d' % unsigned8(record[10]),
            '%d' % unsigned8(record[12]),
            '%s' % record[14],  # process name (original note: read as a NUL-terminated string)
            user_cell,
            '(%d,%d)' % (record[17], record[18]),
            '%s' % created,
            '',
        ])

    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)
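def print_sysctl(symbol_list, sysctllist, kextlist):
    """Print the sysctl tree as a table, attributing each handler to a KEXT.

    ``sysctllist`` records are indexable: data[0] name, data[1] MIB,
    data[2] permission, data[3] handler pointer, data[4] value. Entries
    whose value is the string 'Node' are skipped. ``kextlist`` records
    provide data[3] (NUL-padded name), data[7] (load address) and data[8]
    (size); a handler inside a KEXT's range is printed as ``name(hexaddr)``,
    otherwise as a bare address. ``symbol_list`` is kept for interface
    compatibility and is not used.
    """
    headerlist = ["Name", "MIB", "PERMISSION", "Handler", "Value"]
    contentlist = []

    for data in sysctllist:
        # Fix: the original used ``is 'Node'``, an identity test that only
        # held through CPython string interning; compare by value instead.
        if data[4] == 'Node':
            continue
        line = ['%s' % data[0], '%s' % data[1], '%s' % data[2]]
        # Truncate to 64 bits so a value decoded as a negative integer is
        # compared as an unsigned address.
        handler = data[3] & 0xffffffffffffffff

        owner = None
        for kext in kextlist:
            start, size = kext[7], kext[8]
            # Half-open range [start, start + size): the load address itself
            # belongs to the KEXT (the original excluded it with ``>``).
            if start <= handler < start + size:
                owner = kext[3].split('\x00')[0] + "(%x)" % handler
                break
        line.append(owner if owner is not None else '0x%08x' % (handler))
        line.append('%s' % data[4])
        contentlist.append(line)

    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)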
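def print_fbt_syscall(data_list, symbol_list, base_address):
    """Print syscall-table entries that carry an FBT hook.

    ``symbol_list`` maps symbol name -> unslid address; an entry's call
    pointer (data[1]) resolves to a name when it equals
    ``address + base_address``. Other fields: data[0] argument count,
    data[2]/data[3] arg-munge pointers, data[4] return type, data[5]
    argument bytes. Prints a notice and returns when ``data_list`` is empty.
    """
    if not data_list:
        print('No FBT Hook Function')
        return

    headerlist = ["NUM","ARG_COUNT", "NAME", "CALL_PTR", "ARG_MUNGE32_PTR", "ARG_MUNGE64_PTR", "RET_TYPE", "ARG_BYTES", "FBT HOOK"]
    contentlist = []

    # Reverse map slid address -> name, built once instead of scanning every
    # symbol for every entry. setdefault keeps the first name when several
    # symbols share an address; emitting exactly one name per entry keeps the
    # row width fixed (the original appended every matching alias, pushing the
    # remaining cells out of their columns).
    name_by_addr = {}
    for sym_name, sym_addr in symbol_list.items():
        name_by_addr.setdefault(sym_addr + base_address, sym_name)

    for count, data in enumerate(data_list):
        call_ptr = data[1]
        sym_name = name_by_addr.get(call_ptr)
        line = ['%d' % count, '%d' % data[0]]
        line.append('%s' % sym_name if sym_name is not None else '0x%.8X' % call_ptr)
        line.append('0x%.8X' % call_ptr)
        line.append('0x%.8X' % data[2])
        line.append('0x%.8X' % data[3])
        line.append('%d' % data[4])
        line.append('%d' % data[5])
        line.append('O')  # constant marker under the FBT HOOK column
        contentlist.append(line)

    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)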
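def print_notifier_list(data_list, symbol_list, base_address, NotifierName):
    """Print a notifier method table and flag entries that resolve to no symbol.

    ``data_list`` holds call pointers; ``symbol_list`` maps symbol name ->
    unslid address, so a pointer is "known" when it equals
    ``address + base_address``. Known pointers show their name and 'True'
    under HOOK_FINDER; unknown ones show the raw address and 'Maybe hooked'.
    """
    print('%s Method Total Count : %d' % (NotifierName, len(data_list)))
    print('--------------------------------------------------------------------------------')
    headerlist = ["NUM", "NAME", "CALL_PTR", "HOOK_FINDER"]
    contentlist = []

    # Reverse map slid address -> first symbol name, built once. One name per
    # entry keeps the row width fixed; the original appended every alias that
    # matched (its inner loop had no break), shifting the remaining columns.
    name_by_addr = {}
    for sym_name, sym_addr in symbol_list.items():
        name_by_addr.setdefault(sym_addr + base_address, sym_name)

    for count, call_ptr in enumerate(data_list):
        sym_name = name_by_addr.get(call_ptr)
        known = sym_name is not None
        line = ['%d' % count]
        line.append('%s' % sym_name if known else '0x%.8X' % call_ptr)
        line.append('0x%.8X' % call_ptr)
        line.append('True' if known else 'Maybe hooked')
        contentlist.append(line)

    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)
    print('')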
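def print_sysctl(symbol_list, sysctllist, kextlist):
    """Print the sysctl tree as a table, attributing each handler to a KEXT.

    ``sysctllist`` records are indexable: data[0] name, data[1] MIB,
    data[2] permission, data[3] handler pointer, data[4] value. Entries
    whose value is the string 'Node' are skipped. ``kextlist`` records
    provide data[3] (NUL-padded name), data[7] (load address) and data[8]
    (size); a handler inside a KEXT's range is printed as ``name(hexaddr)``,
    otherwise as a bare address. ``symbol_list`` is kept for interface
    compatibility and is not used.
    """
    headerlist = ["Name", "MIB", "PERMISSION", "Handler", "Value"]
    contentlist = []

    for data in sysctllist:
        # Fix: the original used ``is 'Node'``, an identity test that only
        # held through CPython string interning; compare by value instead.
        if data[4] == 'Node':
            continue
        line = ['%s' % data[0], '%s' % data[1], '%s' % data[2]]
        # Truncate to 64 bits so a value decoded as a negative integer is
        # compared as an unsigned address.
        handler = data[3] & 0xffffffffffffffff

        owner = None
        for kext in kextlist:
            start, size = kext[7], kext[8]
            # Half-open range [start, start + size): the load address itself
            # belongs to the KEXT (the original excluded it with ``>``).
            if start <= handler < start + size:
                owner = kext[3].split('\x00')[0] + "(%x)" % handler
                break
        line.append(owner if owner is not None else '0x%08x' % (handler))
        line.append('%s' % data[4])
        contentlist.append(line)

    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)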
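def main():
    """Parse the utmpx file given with -f/--file and print its entries as a table.

    Relies on module-level helpers not shown here: ``who`` (reads the file
    into records exposing ut_type, ut_user, ut_id, ut_line, ut_pid, ut_sec,
    ut_usec and ut_host), the ``ut_type`` name table and ``columnprint``.
    """
    parser = argparse.ArgumentParser(description='utmpx Parser by @n0fate.')
    parser.add_argument('-f', '--file', nargs=1, help='utmpx file(/var/run/utmpx)', required=True)
    args = parser.parse_args()

    headerlist = ["user", "session", "terminal", "pid", "start time(utc+0)", "status", "ip", ""]
    contentlist = []
    entries = who(args.file[0])
    for _utmpx in entries:
        # Fix: reset the status per entry. The original assigned strtype only
        # for BOOT_TIME and USER_PROCESS, so any other record type inherited
        # the previous row's status text.
        strtype = ''
        try:
            type_name = ut_type[int(_utmpx.ut_type)]
        except LookupError:
            # The type code comes straight from the file; an unknown code
            # leaves the status blank instead of aborting the listing.
            type_name = None
        if type_name == 'BOOT_TIME':
            _utmpx.ut_user = '******'
            _utmpx.ut_id = '~'
            strtype = '~'
        elif type_name == 'USER_PROCESS':
            strtype = 'still logged in'
        lotime = strftime("%a %b %d %H:%M:%S", time.gmtime(float(_utmpx.ut_sec)))
        line = ['%s' % _utmpx.ut_user]
        line.append('%s' % _utmpx.ut_id)
        line.append('%s' % _utmpx.ut_line)
        line.append('%d' % int(_utmpx.ut_pid))
        # Floor division keeps the original (Python 2) whole-millisecond result.
        line.append('%s.%03d' % (lotime, int(_utmpx.ut_usec) // 1000))
        line.append('%s' % strtype)
        line.append('%s' % _utmpx.ut_host)
        line.append('')
        contentlist.append(line)

    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)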
def print_kext_list(kext_list):
    """Print the kernel extension list.

    The rows are produced by ``print_kext``, which is handed the header, an
    empty row list and ``kext_list`` (presumably it fills the row list in
    place); this function only supplies the header and the column-size list
    and passes the result to ``columnprint``.
    """
    print('[+] Kernel Extention List')

    headerlist = ["OFFSET(P)", "INFO", "KID", "KEXT_NAME", "VERSION", "REFER_COUNT", "REFER_LIST", "ADDRESS", "SIZE", "HDRSIZE", "START_PTR" ,"STOP_PTR"]
    rows = []
    print_kext(headerlist, rows, kext_list)

    # One -1 per header column (presumably "no width cap"; see columnprint).
    columnprint(headerlist, rows, [-1] * len(headerlist))
def print_mount_list(mount_list):
    """Print the mount table.

    Each record is indexable: [0] pointer to the next entry, [1] filesystem
    type (char[16], shown upper-cased), [2] mount point (char[1024]) and
    [3] mount source (char[1024]); NUL padding is stripped from the strings.
    """
    print('[+] Mount List')
    headerlist = ["NEXT ENTRY", "FS TYPE", "MOUNT ON NAME", "MOUNT FROM NAME"]

    def as_row(entry):
        fs_type = entry[1].strip('\x00').upper()
        mounted_on = entry[2].strip('\x00')
        mounted_from = entry[3].strip('\x00')
        return ['0x%.8X' % entry[0], '%s' % fs_type, '%s' % mounted_on, '%s' % mounted_from]

    contentlist = [as_row(entry) for entry in mount_list]
    columnprint(headerlist, contentlist, [-1] * len(headerlist))
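    def print_table(self, dic):
        """Print every table in ``dic`` with ``columnprint``, one after another.

        ``dic`` maps a table key (whatever ``DecodeColumn`` accepts) to the
        list of its rows. ``DecodeColumn`` yields the per-column type names
        used here: INTEGER cells are formatted with %d (falling back to %s
        when the value is not a number), TEXT cells have newlines flattened
        to spaces, and any other type is treated as a BLOB and printed as an
        empty cell so binary data never reaches stdout.
        """
        for key, rows in dic.items():
            col_types = DecodeColumn(key)
            # One -1 per column. The BLOB offset list the original built
            # alongside this was never read and has been dropped.
            mszlist = [-1] * len(col_types)

            contentlist = []
            for row in rows:
                line = []
                for idx, col_type in enumerate(col_types):
                    value = row[idx]
                    if col_type == 'INTEGER':
                        try:
                            line.append('%d' % value)
                        except TypeError:
                            line.append('%s' % value)
                    elif col_type == 'TEXT':
                        try:
                            text = str(value).decode('utf8').replace('\n', ' ').encode('utf8')
                        except (UnicodeError, AttributeError):
                            # UnicodeError: payload is not valid UTF-8 (or a
                            # non-ASCII unicode object). AttributeError: str has
                            # no decode() on Python 3. Narrowed from a bare except.
                            # Note this fallback drops newlines instead of
                            # replacing them with spaces, as the original did.
                            text = str(value).replace('\n', '')
                        line.append('%s' % text)
                    else:  # BLOB
                        line.append('')
                contentlist.append(line)

            columnprint(col_types, contentlist, mszlist)
            print('')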
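    def print_table(self, dic):
        """Print every table in ``dic`` with ``columnprint``, one after another.

        ``dic`` maps a table key (whatever ``DecodeColumn`` accepts) to the
        list of its rows. ``DecodeColumn`` yields the per-column type names
        used here: INTEGER cells are formatted with %d (falling back to %s
        when the value is not a number), TEXT cells have newlines flattened
        to spaces, and any other type is treated as a BLOB and printed as an
        empty cell so binary data never reaches stdout.
        """
        for key, rows in dic.items():
            col_types = DecodeColumn(key)
            # One -1 per column. The BLOB offset list the original built
            # alongside this was never read and has been dropped.
            mszlist = [-1] * len(col_types)

            contentlist = []
            for row in rows:
                line = []
                for idx, col_type in enumerate(col_types):
                    value = row[idx]
                    if col_type == 'INTEGER':
                        try:
                            line.append('%d' % value)
                        except TypeError:
                            line.append('%s' % value)
                    elif col_type == 'TEXT':
                        try:
                            text = str(value).decode('utf8').replace('\n', ' ').encode('utf8')
                        except (UnicodeError, AttributeError):
                            # UnicodeError: payload is not valid UTF-8 (or a
                            # non-ASCII unicode object). AttributeError: str has
                            # no decode() on Python 3. Narrowed from a bare except.
                            # Note this fallback drops newlines instead of
                            # replacing them with spaces, as the original did.
                            text = str(value).replace('\n', '')
                        line.append('%s' % text)
                    else:  # BLOB
                        line.append('')
                contentlist.append(line)

            columnprint(col_types, contentlist, mszlist)
            print('')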
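def print_bash_history(bash_history_list):
    """Print recovered bash history as a table.

    Each element of ``bash_history_list`` is indexable: [0] PID, [1] process
    name, [2] a sequence of (epoch_seconds, command) records. One row is
    emitted per command, with the timestamp rendered in UTC. When the list
    is empty a notice is printed and nothing else happens.
    """
    # Fix: the emptiness check used to sit inside the loop, where it could
    # never fire (the body only runs for a non-empty list), so the "not
    # found" notice was never printed and an empty table was printed instead.
    if not bash_history_list:
        print('[*] Can not found bash history')
        return

    headerlist = ["PID", "PROCESS", "TIME (UTC+0)", "CMD"]
    contentlist = []
    for bash_history in bash_history_list:
        pid, process, history = bash_history[0], bash_history[1], bash_history[2]
        for entry in history:
            when = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(entry[0]))
            contentlist.append(['%s' % pid, process, '%s' % when, '%s' % entry[1]])

    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)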
파일: systab.py 프로젝트: ohio813/volafox
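def print_syscall_table(data_list, symbol_list, base_address):
    """Print the BSD syscall table and flag entries whose call pointer is unknown.

    Per record: data[0] argument count, data[1] call pointer, data[2]/data[3]
    arg-munge pointers, data[4] return type (looked up in the module-level
    ``sy_return_type`` table, printed as a number when absent), data[5]
    argument bytes. ``symbol_list`` maps name -> unslid address; a pointer is
    known when it equals ``address + base_address``. Unknown pointers are
    printed raw and marked 'Maybe hooked' under HOOK_FINDER.
    """
    print('[+] Syscall List')
    headerlist = [
        "NUM", "ARG_COUNT", "NAME", "CALL_PTR", "ARG_MUNGE32_PTR",
        "ARG_MUNGE64_PTR", "RET_TYPE", "ARG_BYTES", "HOOK_FINDER"
    ]
    contentlist = []

    # Reverse map slid address -> first symbol name, built once instead of
    # scanning every symbol per entry. One name per entry keeps the row width
    # fixed; the original appended every alias that matched (no break), which
    # shifted the remaining cells out of their columns.
    name_by_addr = {}
    for sym_name, sym_addr in symbol_list.items():
        name_by_addr.setdefault(sym_addr + base_address, sym_name)

    for count, data in enumerate(data_list):
        call_ptr = data[1]
        sym_name = name_by_addr.get(call_ptr)
        known = sym_name is not None
        line = ['%d' % count, '%d' % data[0]]
        line.append('%s' % sym_name if known else '0x%.8X' % call_ptr)
        line.append('0x%.8X' % call_ptr)
        line.append('0x%.8X' % data[2])
        line.append('0x%.8X' % data[3])
        try:
            line.append('%s' % sy_return_type[data[4]])
        except (LookupError, TypeError):
            # Unknown return-type code: print the number. Narrowed from a
            # bare except so unrelated errors (e.g. a missing table) surface.
            line.append('%d' % data[4])
        line.append('%d' % data[5])
        line.append('True' if known else 'Maybe hooked')
        contentlist.append(line)

    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)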
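def print_mac_policy_list(data_list, mac_policy, kext_list):
    """Print the loaded TrustedBSD MAC policies and their operation entry points.

    ``mac_policy`` is indexable as (loaded count, max count, current count).
    Each policy in ``data_list`` is indexable: [0] short name, [1] full name,
    [2] load time, [3] runtime, [4] a list of (entrypoint name, virtual
    address, physical address) operations. The first operation whose virtual
    address lies inside a KEXT from ``kext_list`` ([7] address, [8] size,
    [3] name, [2] id) names the policy's associated KEXT.
    """
    sep = '--------------------------------------------------------------------------------'
    print('[+] TrustedBSD MAC Framework on Darwin')
    print('Loaded Policy Count: %d, Max Count: %d, Current Policy Count: %d' % (
        mac_policy[0], mac_policy[1], mac_policy[2]))
    print(sep)

    headerlist = ["Entrypoint", "Virtual Address", "Physical Address", ""]
    mszlist = [-1] * len(headerlist)

    for policy in data_list:
        print('Name: %s, Full Name: %s' % (policy[0], policy[1]))
        print('Loadtime : %s, Runtime: %s' % (policy[2], policy[3]))
        print(sep)
        owner = None  # (name, address, size, id) of the KEXT hosting the entry points
        contentlist = []
        for mac_ops in policy[4]:
            va = mac_ops[1]
            contentlist.append(['%s' % mac_ops[0], '0x%.8X' % va, '0x%.8X' % mac_ops[2], ''])
            if owner is None:
                # Fix: the original reused the name ``data`` for this inner
                # loop, shadowing the outer policy record, and accepted
                # va == start + size, one past the KEXT's last byte. Use the
                # half-open range [start, start + size).
                for kext in kext_list:
                    start, size = kext[7], kext[8]
                    if start <= va < start + size:
                        owner = (kext[3], start, size, kext[2])
                        break
        columnprint(headerlist, contentlist, mszlist)
        print(sep)
        if owner is not None:
            print('[+] Associated KEXT : %s (0x%.8x-0x%.8x) - ID: %d' % (
                owner[0], owner[1], owner[1] + owner[2], owner[3]))
        else:
            print('Can not find associated KEXT!!')
        print(sep)
        print('')

    print('If you want to dump associated KEXT, please to use "kextstat" with "-x ID"')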
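def print_syscall_table(data_list, symbol_list, base_address):
    """Print the BSD syscall table and flag entries whose call pointer is unknown.

    Per record: data[0] argument count, data[1] call pointer, data[2]/data[3]
    arg-munge pointers, data[4] return type (looked up in the module-level
    ``sy_return_type`` table, printed as a number when absent), data[5]
    argument bytes. ``symbol_list`` maps name -> unslid address; a pointer is
    known when it equals ``address + base_address``. Unknown pointers are
    printed raw and marked 'Maybe hooked' under HOOK_FINDER.
    """
    print('[+] Syscall List')
    headerlist = ["NUM","ARG_COUNT", "NAME", "CALL_PTR", "ARG_MUNGE32_PTR", "ARG_MUNGE64_PTR", "RET_TYPE", "ARG_BYTES", "HOOK_FINDER"]
    contentlist = []

    # Reverse map slid address -> first symbol name, built once instead of
    # scanning every symbol per entry. One name per entry keeps the row width
    # fixed; the original appended every alias that matched (no break), which
    # shifted the remaining cells out of their columns.
    name_by_addr = {}
    for sym_name, sym_addr in symbol_list.items():
        name_by_addr.setdefault(sym_addr + base_address, sym_name)

    for count, data in enumerate(data_list):
        call_ptr = data[1]
        sym_name = name_by_addr.get(call_ptr)
        known = sym_name is not None
        line = ['%d' % count, '%d' % data[0]]
        line.append('%s' % sym_name if known else '0x%.8X' % call_ptr)
        line.append('0x%.8X' % call_ptr)
        line.append('0x%.8X' % data[2])
        line.append('0x%.8X' % data[3])
        try:
            line.append('%s' % sy_return_type[data[4]])
        except (LookupError, TypeError):
            # Unknown return-type code: print the number. Narrowed from a
            # bare except so unrelated errors (e.g. a missing table) surface.
            line.append('%d' % data[4])
        line.append('%d' % data[5])
        line.append('True' if known else 'Maybe hooked')
        contentlist.append(line)

    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)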
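def print_mac_policy_list(data_list, mac_policy, kext_list):
    """Print the loaded TrustedBSD MAC policies and their operation entry points.

    ``mac_policy`` is indexable as (loaded count, max count, current count).
    Each policy in ``data_list`` is indexable: [0] short name, [1] full name,
    [2] load time, [3] runtime, [4] a list of (entrypoint name, virtual
    address, physical address) operations. The first operation whose virtual
    address lies inside a KEXT from ``kext_list`` ([7] address, [8] size,
    [3] name, [2] id) names the policy's associated KEXT.
    """
    sep = '--------------------------------------------------------------------------------'
    print('[+] TrustedBSD MAC Framework on Darwin')
    print('Loaded Policy Count: %d, Max Count: %d, Current Policy Count: %d' % (
        mac_policy[0], mac_policy[1], mac_policy[2]))
    print(sep)

    headerlist = ["Entrypoint", "Virtual Address", "Physical Address", ""]
    mszlist = [-1] * len(headerlist)

    for policy in data_list:
        print('Name: %s, Full Name: %s' % (policy[0], policy[1]))
        print('Loadtime : %s, Runtime: %s' % (policy[2], policy[3]))
        print(sep)
        owner = None  # (name, address, size, id) of the KEXT hosting the entry points
        contentlist = []
        for mac_ops in policy[4]:
            va = mac_ops[1]
            contentlist.append(['%s' % mac_ops[0], '0x%.8X' % va, '0x%.8X' % mac_ops[2], ''])
            if owner is None:
                # Fix: the original reused the name ``data`` for this inner
                # loop, shadowing the outer policy record, and accepted
                # va == start + size, one past the KEXT's last byte. Use the
                # half-open range [start, start + size).
                for kext in kext_list:
                    start, size = kext[7], kext[8]
                    if start <= va < start + size:
                        owner = (kext[3], start, size, kext[2])
                        break
        columnprint(headerlist, contentlist, mszlist)
        print(sep)
        if owner is not None:
            print('[+] Associated KEXT : %s (0x%.8x-0x%.8x) - ID: %d' % (
                owner[0], owner[1], owner[1] + owner[2], owner[3]))
        else:
            print('Can not find associated KEXT!!')
        print(sep)
        print('')

    print('If you want to dump associated KEXT, please to use "kextstat" with "-x ID"')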
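def main():
    """Parse the utmpx file given with -f/--file and print its entries as a table.

    Relies on module-level helpers not shown here: ``who`` (reads the file
    into records exposing ut_type, ut_user, ut_id, ut_line, ut_pid, ut_sec,
    ut_usec and ut_host), the ``ut_type`` name table and ``columnprint``.
    """
    parser = argparse.ArgumentParser(description='utmpx Parser by @n0fate.')
    parser.add_argument('-f',
                        '--file',
                        nargs=1,
                        help='utmpx file(/var/run/utmpx)',
                        required=True)
    args = parser.parse_args()

    headerlist = [
        "user", "session", "terminal", "pid", "start time(utc+0)", "status",
        "ip", ""
    ]
    contentlist = []
    entries = who(args.file[0])
    for _utmpx in entries:
        # Fix: reset the status per entry. The original assigned strtype only
        # for BOOT_TIME and USER_PROCESS, so any other record type inherited
        # the previous row's status text.
        strtype = ''
        try:
            type_name = ut_type[int(_utmpx.ut_type)]
        except LookupError:
            # The type code comes straight from the file; an unknown code
            # leaves the status blank instead of aborting the listing.
            type_name = None
        if type_name == 'BOOT_TIME':
            _utmpx.ut_user = '******'
            _utmpx.ut_id = '~'
            strtype = '~'
        elif type_name == 'USER_PROCESS':
            strtype = 'still logged in'
        lotime = strftime("%a %b %d %H:%M:%S",
                          time.gmtime(float(_utmpx.ut_sec)))
        line = ['%s' % _utmpx.ut_user]
        line.append('%s' % _utmpx.ut_id)
        line.append('%s' % _utmpx.ut_line)
        line.append('%d' % int(_utmpx.ut_pid))
        # Floor division keeps the original (Python 2) whole-millisecond result.
        line.append('%s.%03d' % (lotime, int(_utmpx.ut_usec) // 1000))
        line.append('%s' % strtype)
        line.append('%s' % _utmpx.ut_host)
        line.append('')
        contentlist.append(line)

    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)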
def proc_print(data_list, os_version):
    """Print the BSD process list as a table via ``columnprint``.

    Fields read per record: data[0] offset, data[1] pid, data[4] ppid,
    data[10] priority and data[12] nice (both passed through ``unsigned8``),
    data[14] process name, data[15] user name, data[5]/data[6] uid and gid
    (shown only when ``os_version >= 11``), data[17]/data[18] credential
    uid/gid and data[16] creation time (epoch seconds, rendered as UTC).
    """
    print('[+] Process List')

    # For os_version >= 11 the uid/gid pair is appended to the user name.
    with_ids = os_version >= 11
    user_header = "USERNAME(UID,GID)" if with_ids else "USERNAME"
    headerlist = [
        "OFFSET(P)", "PID", "PPID", "PRIORITY", "NICE", "PROCESS_NAME",
        user_header, "CRED(UID,GID)", "CREATE_TIME (UTC+0)", ""
    ]

    contentlist = []
    for record in data_list:
        if with_ids:
            user_cell = '%s(%d,%d)' % (record[15], record[5], record[6])
        else:
            user_cell = '%s' % (record[15])
        created = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(record[16]))
        contentlist.append([
            "0x%.8X" % record[0],
            '%d' % record[1],
            '%d' % record[4],
            '%d' % unsigned8(record[10]),
            '%d' % unsigned8(record[12]),
            '%s' % record[14],  # process name (original note: read as a NUL-terminated string)
            user_cell,
            '(%d,%d)' % (record[17], record[18]),
            '%s' % created,
            '',
        ])

    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)
def print_network_list(tcp_network_list, udp_network_list):
    """Print TCP records followed by UDP records as a netstat-like table.

    Each record is indexable: [1] local address, [3] local port, [2] foreign
    address, [4] foreign port. The "(state)" column is always empty (the
    state lookup is commented out upstream).
    """
    print('[+] NETWORK INFORMATION (hashbase)')
    headerlist = ["Proto", "Local Address", "Foreign Address", "(state)"]

    def as_row(proto, network):
        local = '%s:%d' % (network[1], network[3])
        foreign = '%s:%d' % (network[2], network[4])
        return [proto, local, foreign, '']

    contentlist = []
    for proto, records in (('tcp', tcp_network_list), ('udp', udp_network_list)):
        contentlist.extend(as_row(proto, network) for network in records)

    columnprint(headerlist, contentlist, [-1] * len(headerlist))
			entries[i]['id'] = '~'
			strtype = '~'
		elif ut_type[iuttype] == 'USER_PROCESS':
			strtype = 'still logged in'
		else:
			strtype = ''
	except IndexError:
		strtype = ''
	strtype = ''
	lotime = strftime("%Y %m %d %H:%M:%S",time.gmtime(float(entries[i]['sec'])))
	#eline = entries[i]['user']+'\t'+entries[i]['id']+'\t'+entries[i]['line']+'\t'+entries[i]['pid']+'\t'+ut_type[int(entries[i]['type'])]+'\t'+lotime+'\t'+entries[i]['usec']+'\t'+entries[i]['ipaddress']
	line = ['%s'%entries[i]['user']]
	line.append('%s'%entries[i]['id'])
	line.append('%d'%int(entries[i]['session']))
	try:
		line.append('%s'%ut_type[iuttype])
	except IndexError:
		line.append('')
	line.append('%s'%entries[i]['line'])
	line.append('%d'%int(entries[i]['pid']))
	line.append('%s.%03d'%(lotime, int(entries[i]['usec'])/1000))
	line.append('%s'%strtype)
	line.append('%s'%(entries[i]['ipaddress']))
	line.append('')
	contentlist.append(line)


# Ten columns, no width cap on any of them (the header is defined above).
mszlist = [-1] * 10
columnprint(headerlist, contentlist, mszlist)

#EOF
def print_mach_trap_table(data_list, symbol_list, os_version, base_address):
    """Print the Mach trap table and flag entries whose call pointer is unknown.

    Per record: data[0] argument count, data[1] call pointer and, for
    ``os_version == 10`` only, data[2]/data[3] arg-munge pointers (two extra
    columns). ``symbol_list`` maps symbol name -> address; for os_version 10
    the pointer is compared against the address as-is, otherwise against
    ``address + base_address``. Unknown pointers are printed raw and marked
    'Maybe hooked' under HOOK_FINDER.
    """
    print('[+] Mach Trap Table')
    legacy = os_version == 10
    # Version-10 symbol addresses are matched unslid; later versions add base_address.
    slide = 0 if legacy else base_address
    if legacy:
        headerlist = ["NUM","ARG_COUNT", "CALL_NAME", "CALL_PTR", "ARG_MUNGE32_PTR", "ARG_MUNGE64_PTR", "HOOK_FINDER"]
    else:
        headerlist = ["NUM","ARG_COUNT", "CALL_NAME", "CALL_PTR", "HOOK_FINDER"]

    symbols = list(symbol_list.items())

    def resolve(call_ptr):
        # First symbol whose (slid) address equals the pointer, else None.
        for sym_name, sym_addr in symbols:
            if call_ptr == sym_addr + slide:
                return sym_name
        return None

    contentlist = []
    num = 0
    for data in data_list:
        call_ptr = data[1]
        sym_name = resolve(call_ptr)
        known = sym_name is not None
        line = ['%d' % num, '%d' % data[0]]
        line.append('%s' % sym_name if known else '0x%.8X' % call_ptr)
        line.append('0x%.8X' % call_ptr)
        if legacy:
            line.append('0x%.8X' % data[2])
            line.append('0x%.8X' % data[3])
        line.append('True' if known else 'Maybe hooked')
        # NUM counts downward from 0 (0, -1, -2, ...), exactly as the original
        # did; presumably mirrors the negative numbering Mach traps use at the
        # syscall interface -- confirm before "fixing".
        num -= 1
        contentlist.append(line)

    columnprint(headerlist, contentlist, [-1] * len(headerlist))
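def main():
    """Decrypt the OS X Yosemite call-history database (-f) with the keychain key (-k).

    ``-k`` is the base64 text of the "Call History User Data Key" keychain
    item. Table, column and record access go through ``CallHistoryDecryptor``
    (defined elsewhere); decrypted rows are printed with ``columnprint``.
    """
    print('Call History Decryptor for OS X Yosemite (Written by n0fate)')
    print('It can decrypt a call-history in OS X.')
    print('Continuity in OS X : https://www.apple.com/osx/continuity/')

    parser = ArgumentParser()
    parser.add_argument("-k", "--key", dest="keyvalue", help="Decoded key as Call History User Data Key in Keychain")
    parser.add_argument("-f", "--file", dest="dbname", help="Call history database (CallHistory.storedata")

    args = parser.parse_args()

    if not (args.keyvalue and args.dbname):
        parser.error('[+] Error : add -k and -f option')

    import binascii  # local import: the module's import block is outside this listing
    try:
        key = base64.decodestring(args.keyvalue)
    except binascii.Error:
        # Only malformed base64 is expected here; narrowed from a bare except
        # so that any other failure surfaces with a traceback.
        print('[+] Error : key format is not base64 encoded')
        return

    print('[+] Key is %s' % key.encode('hex'))

    dbname = args.dbname
    print('[+] Open the database : %s' % dbname)

    decryptor = CallHistoryDecryptor()
    # Fix: open the database once. The original called open() twice and only
    # checked the second result.
    if decryptor.open(dbname) is False:
        print('[+] Error : Invalid db file')
        return

    print('[+] Get a list of table')
    tablelist = decryptor.gettablelist()

    # tablelist[1] is the table this tool reads; the index is inherited from
    # the original and not validated here.
    table = tablelist[1]
    print('[+] Get a list of columns in %s table' % table)
    column, ret = decryptor.getcolumnnamebytable(table)
    if ret is False:
        return

    print('[+] Get a list of records in %s table' % table)
    records, ret = decryptor.getrecordsbytable(table)
    if ret is False:
        return

    decryptor.setkey(key)

    # ZDATE is stored as seconds since 2001-01-01 (Apple's reference date).
    reference_date = datetime.datetime.strptime("01-01-2001", "%m-%d-%Y")

    from tableprint import columnprint

    print('[+] Result')
    header = ['Time(UTC+0)','Answered','Sent','Type','Phone Number', '']

    # Column positions are loop-invariant; resolve them once.
    idx_date = column.index('ZDATE')
    idx_answered = column.index('ZANSWERED')
    idx_originated = column.index('ZORIGINATED')
    idx_calltype = column.index('ZCALLTYPE')
    idx_address = column.index('ZADDRESS')

    rows = []
    for record in records:
        call_time = reference_date + datetime.timedelta(seconds=record[idx_date])
        time_converted = call_time.strftime("%a, %d %b %Y %H:%M:%S")

        # ZADDRESS is the encrypted field; the rest of the row is plaintext.
        decrypted = decryptor.decryptcallhistorydb(record[idx_address])
        rows.append([
            time_converted,
            'Yes' if int(record[idx_answered]) == 1 else 'No',
            'Yes' if int(record[idx_originated]) == 1 else 'No',
            'CellPhone' if int(record[idx_calltype]) == 1 else 'FaceTime',
            str(decrypted),
            '',
        ])

    mszlist = [-1] * len(header)
    columnprint(header, rows, mszlist)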
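def main():
    """Decrypt the OS X Yosemite call-history database (-f) with the keychain key (-k).

    ``-k`` is the base64 text of the "Call History User Data Key" keychain
    item. Table, column and record access go through ``CallHistoryDecryptor``
    (defined elsewhere); decrypted rows are printed with ``columnprint``.
    """
    print('Call History Decryptor for OS X Yosemite (Written by n0fate)')
    print('It can decrypt a call-history in OS X.')
    print('Continuity in OS X : https://www.apple.com/osx/continuity/')

    parser = ArgumentParser()
    parser.add_argument("-k", "--key", dest="keyvalue", help="Decoded key as Call History User Data Key in Keychain")
    parser.add_argument("-f", "--file", dest="dbname", help="Call history database (CallHistory.storedata")

    args = parser.parse_args()

    if not (args.keyvalue and args.dbname):
        parser.error('[+] Error : add -k and -f option')

    try:
        key = base64.decodebytes(args.keyvalue.encode('utf-8'))
    except ValueError as e:
        # binascii.Error (malformed base64) is a ValueError on Python 3.
        # Narrowed from ``except Exception`` so unrelated failures surface.
        print(e)
        print('[+] Error : key format is not base64 encoded')
        return

    print('[+] Key is %s' % key.hex())

    dbname = args.dbname
    print('[+] Open the database : %s' % dbname)

    decryptor = CallHistoryDecryptor()
    # Fix: open the database once. The original called open() twice and only
    # checked the second result.
    if decryptor.open(dbname) is False:
        print('[+] Error : Invalid db file')
        return

    print('[+] Get a list of table')
    tablelist = decryptor.gettablelist()

    # tablelist[1] is the table this tool reads; the index is inherited from
    # the original and not validated here.
    table = tablelist[1]
    print('[+] Get a list of columns in %s table' % table)
    column, ret = decryptor.getcolumnnamebytable(table)
    if ret is False:
        return

    print('[+] Get a list of records in %s table' % table)
    records, ret = decryptor.getrecordsbytable(table)
    if ret is False:
        return

    decryptor.setkey(key)

    # ZDATE is stored as seconds since 2001-01-01 (Apple's reference date).
    reference_date = datetime.datetime.strptime("01-01-2001", "%m-%d-%Y")

    from tableprint import columnprint

    print('[+] Result')
    header = ['Time(UTC+0)','Answered','Sent','Type','Phone Number', 'Location', 'Duration', '']

    # Column positions are loop-invariant; resolve them once.
    idx_date = column.index('ZDATE')
    idx_answered = column.index('ZANSWERED')
    idx_originated = column.index('ZORIGINATED')
    idx_calltype = column.index('ZCALLTYPE')
    idx_address = column.index('ZADDRESS')
    idx_location = column.index('ZLOCATION')
    idx_duration = column.index('ZDURATION')

    rows = []
    for record in records:
        call_time = reference_date + datetime.timedelta(seconds=record[idx_date])
        time_converted = call_time.strftime("%a, %d %b %Y %H:%M:%S")

        # ZADDRESS is the encrypted field. With a wrong key the plaintext is
        # not valid UTF-8 and this decode raises UnicodeDecodeError.
        decrypted = decryptor.decryptcallhistorydb(record[idx_address]).decode('utf-8')
        rows.append([
            time_converted,
            'Yes' if int(record[idx_answered]) == 1 else 'No',
            'Yes' if int(record[idx_originated]) == 1 else 'No',
            'CellPhone' if int(record[idx_calltype]) == 1 else 'FaceTime',
            str(decrypted),
            str(record[idx_location]),
            # ZDURATION / 60 to one decimal (presumably seconds -> minutes).
            str(round(record[idx_duration] / 60, 1)),
            '',
        ])

    mszlist = [-1] * len(header)
    columnprint(header, rows, mszlist)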
            entries[i]['id'] = '~'
            strtype = '~'
        elif ut_type[iuttype] == 'USER_PROCESS':
            strtype = 'still logged in'
        else:
            strtype = ''
    except IndexError:
        strtype = ''
    strtype = ''
    lotime = strftime("%Y %m %d %H:%M:%S",
                      time.gmtime(float(entries[i]['sec'])))
    #eline = entries[i]['user']+'\t'+entries[i]['id']+'\t'+entries[i]['line']+'\t'+entries[i]['pid']+'\t'+ut_type[int(entries[i]['type'])]+'\t'+lotime+'\t'+entries[i]['usec']+'\t'+entries[i]['ipaddress']
    line = ['%s' % entries[i]['user']]
    line.append('%s' % entries[i]['id'])
    line.append('%d' % int(entries[i]['session']))
    try:
        line.append('%s' % ut_type[iuttype])
    except IndexError:
        line.append('')
    line.append('%s' % entries[i]['line'])
    line.append('%d' % int(entries[i]['pid']))
    line.append('%s.%03d' % (lotime, int(entries[i]['usec']) / 1000))
    line.append('%s' % strtype)
    line.append('%s' % (entries[i]['ipaddress']))
    line.append('')
    contentlist.append(line)

# Ten columns, no width cap on any of them (the header is defined above).
mszlist = [-1] * 10
columnprint(headerlist, contentlist, mszlist)

#EOF
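def print_mach_trap_table(data_list, symbol_list, os_version, base_address):
    """Print the Mach trap table and flag handlers that resolve to no known kernel symbol.

    Each trap slot is matched against ``symbol_list`` by handler address; a slot
    whose handler is not a known symbol is reported as ``Maybe hooked`` in the
    HOOK_FINDER column.  Output goes to stdout via ``columnprint``; nothing is
    returned.

    Args:
        data_list: trap slots in table order, each ``(arg_count, call_ptr, ...)``.
            When ``os_version == 10`` two more fields ``(munge32_ptr, munge64_ptr)``
            are read from each slot and printed as extra columns.
        symbol_list: mapping ``symbol name -> address``.  Addresses are compared
            as stored for ``os_version == 10`` and slid by ``base_address`` otherwise.
        os_version: layout selector; ``10`` picks the legacy 7-column layout.
        base_address: kernel slide added to every symbol address on non-10
            versions (ignored for 10, as in the original two-branch code).

    Security note: this is a pointer check only.  ``True`` means the table entry
    still points at a named kernel symbol; an inline patch planted inside that
    handler, or a tampered symbol source, is not detected here, so read ``True``
    as "pointer unchanged", not "clean".  With an empty ``symbol_list`` every
    slot is reported as ``Maybe hooked``.
    """
    legacy = os_version == 10

    # Build address -> name once instead of scanning every symbol for every slot.
    # setdefault keeps the FIRST name seen for an address, which is what the
    # first-match linear scan this replaces returned.  Doing the lookup through a
    # dict also drops the keys()[i]/values() parallel-index trick, which is not
    # valid on Python 3.
    name_by_addr = {}
    for sym_name, sym_addr in symbol_list.items():
        if not legacy:
            sym_addr += base_address
        name_by_addr.setdefault(sym_addr, sym_name)

    print('[+] Mach Trap Table')
    if legacy:
        headerlist = [
            "NUM", "ARG_COUNT", "CALL_NAME", "CALL_PTR", "ARG_MUNGE32_PTR",
            "ARG_MUNGE64_PTR", "HOOK_FINDER"
        ]
    else:
        headerlist = ["NUM", "ARG_COUNT", "CALL_NAME", "CALL_PTR", "HOOK_FINDER"]

    contentlist = []
    for slot, data in enumerate(data_list):
        call_ptr = data[1]
        resolved = call_ptr in name_by_addr
        # NUM runs 0, -1, -2, ... (kept from the original; presumably mirrors the
        # negative numbers userland uses to invoke Mach traps -- confirm with caller).
        line = ['%d' % -slot, '%d' % data[0]]
        # CALL_NAME falls back to the raw pointer when nothing resolves, so the
        # address is still visible next to the "Maybe hooked" verdict.
        if resolved:
            line.append('%s' % name_by_addr[call_ptr])
        else:
            line.append('0x%.8X' % call_ptr)
        line.append('0x%.8X' % call_ptr)
        if legacy:
            line.append('0x%.8X' % data[2])  # ARG_MUNGE32_PTR
            line.append('0x%.8X' % data[3])  # ARG_MUNGE64_PTR
        line.append('True' if resolved else 'Maybe hooked')
        contentlist.append(line)

    # One width cap per column; -1 throughout, as the original hard-coded lists did.
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)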