def task_print(data_list):
    """Print the Mach task list as an aligned table via columnprint.

    Each element of *data_list* is indexed positionally: [0] task count,
    [1] task offset, [3] a sequence whose first four items are the reference
    count, the "not terminated" flag, the "being halted" flag and the vm_map
    pointer, [5] pid, [6] process name, [7] user name.  Indices 2, 4 and
    8 onwards are not displayed (the original kept the task/proc back
    pointers commented out).
    """
    headerlist = ["TASK_CNT", "OFFSET(P)", "REF_CNT", "Active", "Halt",
                  "VM_MAP(V)", "PID", "PROCESS", "USERNAME", ""]
    contentlist = []
    for task in data_list:
        contentlist.append([
            '%d' % task[0],           # TASK_CNT
            "0x%.8X" % task[1],       # OFFSET(P)
            '%d' % task[3][0],        # REF_CNT: references to this task
            '%d' % task[3][1],        # Active: task has not been terminated
            '%d' % task[3][2],        # Halt: task is being halted
            '0x%.8X' % task[3][3],    # VM_MAP(V)
            '%s' % str(task[5]),      # PID
            '%s' % task[6],           # PROCESS
            '%s' % task[7],           # USERNAME
            '',                       # trailing filler column
        ])
    # Optional max-size list for columnprint, one entry per column; all -1 as
    # everywhere else in this file (the original's note relates this to lsof's
    # default command-name truncation vs. `lsof +c 0`).
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)
def task_print(data_list):
    """Print the Mach task list as an aligned table via columnprint.

    Each element of *data_list* is indexed positionally: [0] task count,
    [1] task offset, [3] a sequence whose first four items are the reference
    count, the "not terminated" flag, the "being halted" flag and the vm_map
    pointer, [5] pid, [6] process name, [7] user name.  Indices 2, 4 and
    8 onwards are not displayed (the original kept the task/proc back
    pointers commented out).
    """
    headerlist = ["TASK_CNT", "OFFSET(P)", "REF_CNT", "Active", "Halt",
                  "VM_MAP(V)", "PID", "PROCESS", "USERNAME", ""]
    contentlist = []
    for task in data_list:
        flags = task[3]
        contentlist.append([
            '%d' % task[0],           # TASK_CNT
            "0x%.8X" % task[1],       # OFFSET(P)
            '%d' % flags[0],          # REF_CNT: references to this task
            '%d' % flags[1],          # Active: task has not been terminated
            '%d' % flags[2],          # Halt: task is being halted
            '0x%.8X' % flags[3],      # VM_MAP(V)
            '%s' % str(task[5]),      # PID
            '%s' % task[6],           # PROCESS
            '%s' % task[7],           # USERNAME
            '',                       # trailing filler column
        ])
    # Optional max-size list for columnprint, one entry per column; all -1 as
    # everywhere else in this file.
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)
def proc_print(data_list, os_version):
    """Print the BSD process list as a table.

    Args:
        data_list: per-process records indexed positionally: [0] proc offset,
            [1] pid, [4] ppid, [5]/[6] uid/gid (only shown when
            os_version >= 11), [10] priority and [12] nice (both passed
            through unsigned8()), [14] process name, [15] user name,
            [16] creation time in epoch seconds (printed as UTC),
            [17]/[18] credential uid/gid.
        os_version: OS version number as used throughout this file; 11 and
            later get a "USERNAME(UID,GID)" column instead of "USERNAME".
    """
    print('[+] Process List')
    with_ids = os_version >= 11
    user_header = "USERNAME(UID,GID)" if with_ids else "USERNAME"
    headerlist = ["OFFSET(P)", "PID", "PPID", "PRIORITY", "NICE", "PROCESS_NAME",
                  user_header, "CRED(UID,GID)", "CREATE_TIME (UTC+0)", ""]
    contentlist = []
    for proc in data_list:
        if with_ids:
            user_cell = '%s(%d,%d)' % (proc[15], proc[5], proc[6])
        else:
            user_cell = '%s' % (proc[15])
        created = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(proc[16]))
        contentlist.append([
            "0x%.8X" % proc[0],                 # offset
            '%d' % proc[1],                     # pid
            '%d' % proc[4],                     # ppid
            '%d' % unsigned8(proc[10]),         # priority
            '%d' % unsigned8(proc[12]),         # nice
            '%s' % proc[14],                    # process name (NUL-formatted string, per the original note)
            user_cell,
            '(%d,%d)' % (proc[17], proc[18]),   # credential uid, gid
            created,
            '',
        ])
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)
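def print_sysctl(symbol_list, sysctllist, kextlist):
    """Print the sysctl tree as a table, attributing each handler to a kext.

    Args:
        symbol_list: not used by this function; kept for call-site compatibility.
        sysctllist: entries indexed positionally: [0] name, [1] MIB,
            [2] permission string, [3] handler address, [4] value, or the
            literal 'Node' for container entries, which are skipped.
        kextlist: kext records with [3] NUL-padded name, [7] load address
            and [8] size; a handler strictly inside (address, address+size)
            is labelled "<kext name>(<handler>)".

    A handler that lies in no kext's range is printed as a bare address.
    """
    headerlist = ["Name", "MIB", "PERMISSION", "Handler", "Value"]
    contentlist = []
    for entry in sysctllist:
        # Fixed: the original used `is 'Node'`, an identity test that only
        # worked when the interpreter happened to intern the two strings.
        if entry[4] == 'Node':
            continue
        # Normalise to an unsigned 64-bit value before the range comparison.
        handler = entry[3] & 0xffffffffffffffff
        handler_cell = '0x%08x' % (handler)
        for kext in kextlist:
            if kext[7] < handler < kext[7] + kext[8]:
                kext_name = kext[3].split('\x00')[0]
                handler_cell = kext_name + "(%x)" % handler
                break
        contentlist.append([
            '%s' % entry[0],
            '%s' % entry[1],
            '%s' % entry[2],
            handler_cell,
            '%s' % entry[4],
        ])
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)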
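def print_fbt_syscall(data_list, symbol_list, base_address):
    """Print the syscall entries that carry an FBT hook.

    Args:
        data_list: syscall records: [0] argument count, [1] call pointer,
            [2]/[3] 32/64-bit arg-munge pointers, [4] return type code,
            [5] argument byte count.
        symbol_list: mapping symbol name -> address; base_address is added
            to each address before it is compared with the call pointer.
        base_address: value added to every symbol address.

    Prints a notice and returns when *data_list* is empty.
    """
    if not data_list:
        print('No FBT Hook Function')
        return
    headerlist = ["NUM", "ARG_COUNT", "NAME", "CALL_PTR", "ARG_MUNGE32_PTR",
                  "ARG_MUNGE64_PTR", "RET_TYPE", "ARG_BYTES", "FBT HOOK"]
    contentlist = []
    for num, entry in enumerate(data_list):
        call_ptr = entry[1]
        name_cell = '0x%.8X' % call_ptr
        # Fixed: stop at the first matching symbol.  Without the break, two
        # symbols at the same address appended two NAME cells and shifted
        # every following column of the row.
        for sym_name, sym_addr in symbol_list.items():
            if call_ptr == sym_addr + base_address:
                name_cell = '%s' % sym_name
                break
        contentlist.append([
            '%d' % num,
            '%d' % entry[0],
            name_cell,
            '0x%.8X' % call_ptr,
            '0x%.8X' % entry[2],
            '0x%.8X' % entry[3],
            '%d' % entry[4],
            '%d' % entry[5],
            'O',    # every entry in this list is FBT-hooked
        ])
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)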
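def print_notifier_list(data_list, symbol_list, base_address, NotifierName):
    """Print a notifier method table and flag pointers that resolve to no symbol.

    Args:
        data_list: call pointers, one per notifier method.
        symbol_list: mapping symbol name -> address; base_address is added to
            each address before it is compared with a call pointer.
        base_address: value added to every symbol address.
        NotifierName: label used in the heading.

    HOOK_FINDER is 'True' when the pointer matches a known symbol and
    'Maybe hooked' otherwise (the pointer leads outside the symbol table).
    """
    print('%s Method Total Count : %d' % (NotifierName, len(data_list)))
    print('--------------------------------------------------------------------------------')
    headerlist = ["NUM", "NAME", "CALL_PTR", "HOOK_FINDER"]
    contentlist = []
    for num, call_ptr in enumerate(data_list):
        sym_match = None
        # Fixed: stop at the first matching symbol.  Without the break an
        # aliased address appended several NAME cells and shifted the row.
        for sym_name, sym_addr in symbol_list.items():
            if call_ptr == sym_addr + base_address:
                sym_match = '%s' % sym_name
                break
        resolved = sym_match is not None
        contentlist.append([
            '%d' % num,
            sym_match if resolved else '0x%.8X' % call_ptr,
            '0x%.8X' % call_ptr,
            'True' if resolved else 'Maybe hooked',
        ])
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)
    print('')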
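def print_sysctl(symbol_list, sysctllist, kextlist):
    """Print the sysctl tree as a table, attributing each handler to a kext.

    Args:
        symbol_list: not used by this function; kept for call-site compatibility.
        sysctllist: entries indexed positionally: [0] name, [1] MIB,
            [2] permission string, [3] handler address, [4] value, or the
            literal 'Node' for container entries, which are skipped.
        kextlist: kext records with [3] NUL-padded name, [7] load address
            and [8] size; a handler strictly inside (address, address+size)
            is labelled "<kext name>(<handler>)".

    A handler that lies in no kext's range is printed as a bare address.
    """
    headerlist = ["Name", "MIB", "PERMISSION", "Handler", "Value"]
    contentlist = []
    for entry in sysctllist:
        # Fixed: the original used `is 'Node'`, an identity test that only
        # worked when the interpreter happened to intern the two strings.
        if entry[4] == 'Node':
            continue
        # Normalise to an unsigned 64-bit value before the range comparison.
        handler = entry[3] & 0xffffffffffffffff
        owner = None
        for kext in kextlist:
            if kext[7] < handler < kext[7] + kext[8]:
                owner = kext[3].split('\x00')[0]
                break
        if owner is None:
            handler_cell = '0x%08x' % (handler)
        else:
            handler_cell = owner + "(%x)" % handler
        contentlist.append([
            '%s' % entry[0],
            '%s' % entry[1],
            '%s' % entry[2],
            handler_cell,
            '%s' % entry[4],
        ])
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)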
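def main():
    """Command-line entry point: parse a utmpx file and print its records.

    Options: -f/--file PATH (required).  Each record is printed with its
    user, session id, terminal, pid, start time (UTC), status and host/ip.
    """
    parser = argparse.ArgumentParser(description='utmpx Parser by @n0fate.')
    parser.add_argument('-f', '--file', nargs=1,
                        help='utmpx file(/var/run/utmpx)', required=True)
    args = parser.parse_args()
    headerlist = ["user", "session", "terminal", "pid", "start time(utc+0)",
                  "status", "ip", ""]
    contentlist = []
    entries = who(args.file[0])
    for _utmpx in entries:
        # Fixed: the status is reset for every record.  The original set it
        # once before the loop, so a record of any other type inherited the
        # status of the previous BOOT_TIME/USER_PROCESS record.
        strtype = ''
        try:
            kind = ut_type[int(_utmpx.ut_type)]
        except IndexError:
            # Type value outside the ut_type table (corrupt or unknown record):
            # leave the status blank instead of aborting the whole listing.
            kind = None
        if kind == 'BOOT_TIME':
            _utmpx.ut_user = '******'
            _utmpx.ut_id = '~'
            strtype = '~'
        elif kind == 'USER_PROCESS':
            strtype = 'still logged in'
        lotime = strftime("%a %b %d %H:%M:%S", time.gmtime(float(_utmpx.ut_sec)))
        # Integer division: same digits as before on Python 2, and keeps the
        # %03d millisecond field an int on Python 3.
        millis = int(_utmpx.ut_usec) // 1000
        contentlist.append([
            '%s' % _utmpx.ut_user,
            '%s' % _utmpx.ut_id,
            '%s' % _utmpx.ut_line,
            '%d' % int(_utmpx.ut_pid),
            '%s.%03d' % (lotime, millis),
            '%s' % strtype,
            '%s' % _utmpx.ut_host,
            '',
        ])
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)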
def print_kext_list(kext_list):
    """Print the loaded kernel extension list.

    The rows come from print_kext(), which is handed the empty *contentlist*
    together with the header and *kext_list* (its return value is ignored,
    so it presumably fills the list in place); this function only supplies
    the header and passes the result to columnprint.
    """
    print('[+] Kernel Extention List')
    headerlist = ["OFFSET(P)", "INFO", "KID", "KEXT_NAME", "VERSION", "REFER_COUNT",
                  "REFER_LIST", "ADDRESS", "SIZE", "HDRSIZE", "START_PTR", "STOP_PTR"]
    contentlist = []
    print_kext(headerlist, contentlist, kext_list)
    # Optional max-size list for columnprint: one -1 per header column, as
    # everywhere else in this file.
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)
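def print_mount_list(mount_list):
    """Print the mount table.

    Args:
        mount_list: records indexed positionally: [0] pointer to the next
            entry, [1] fs type name (char[16]), [2] mount-on path
            (char[1024]), [3] mount-from name (char[1024]).  The three
            string fields are fixed-size C buffers and are cut at the
            first NUL.
    """
    print('[+] Mount List')
    headerlist = ["NEXT ENTRY", "FS TYPE", "MOUNT ON NAME", "MOUNT FROM NAME"]

    def c_string(buf):
        # Fixed: a C string ends at its first NUL.  strip('\x00') only
        # trimmed the padding, so stale bytes left in the buffer after the
        # terminator were printed as part of the name.
        return buf.split('\x00', 1)[0]

    contentlist = []
    for mount in mount_list:
        contentlist.append([
            '0x%.8X' % mount[0],
            '%s' % c_string(mount[1]).upper(),
            '%s' % c_string(mount[2]),
            '%s' % c_string(mount[3]),
        ])
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)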
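def print_table(self, dic):
    """Print every table in *dic* as an aligned text table.

    Args:
        dic: mapping of an encoded column descriptor (turned into a list of
            column type names by DecodeColumn) to the rows of that table;
            rows are indexed positionally in column order.

    INTEGER cells are rendered with %d (falling back to str() for NULL or
    non-numeric values), TEXT cells are flattened to a single line, and
    BLOB cells are blanked so binary data never reaches stdout.
    """
    for column_key, rows in dic.items():
        col_types = DecodeColumn(column_key)
        # Optional max-size list for columnprint.  As in the original, one
        # entry is added per BLOB column only — NOTE(review): this looks like
        # it was meant to be one per column; confirm against columnprint.
        mszlist = [-1 for col_type in col_types if col_type == 'BLOB']
        contentlist = []
        for row in rows:
            line = []
            for idx, col_type in enumerate(col_types):
                cell = row[idx]
                if col_type == 'INTEGER':
                    try:
                        line.append('%d' % cell)
                    except TypeError:
                        # NULL (None) or text stored in an INTEGER column
                        line.append('%s' % cell)
                elif col_type == 'TEXT':
                    try:
                        text = str(cell)
                    except UnicodeError:
                        # Python 2 unicode with non-ASCII characters: str()
                        # fails, so encode explicitly instead of aborting.
                        text = cell.encode('utf8')
                    try:
                        # Round-trip through UTF-8 so multi-byte text survives
                        # intact; a Python 3 str has no .decode() and takes
                        # the fallback below.
                        text = text.decode('utf8').replace('\n', ' ').encode('utf8')
                    except (AttributeError, UnicodeError):
                        # Fixed: the fallback dropped newlines ('') while the
                        # main path replaced them with a space; both now agree.
                        text = text.replace('\n', ' ')
                    line.append('%s' % text)
                else:
                    # BLOB: never dump binary data to the terminal
                    line.append('')
            contentlist.append(line)
        columnprint(col_types, contentlist, mszlist)
        print('')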
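def print_table(self, dic):
    """Print every table in *dic* as an aligned text table.

    Args:
        dic: mapping of an encoded column descriptor (turned into a list of
            column type names by DecodeColumn) to the rows of that table;
            rows are indexed positionally in column order.

    INTEGER cells are rendered with %d (falling back to str() for NULL or
    non-numeric values), TEXT cells are flattened to a single line, and
    BLOB cells are blanked so binary data never reaches stdout.
    """
    for column_key, rows in dic.items():
        col_types = DecodeColumn(column_key)
        # Optional max-size list for columnprint.  As in the original, one
        # entry is added per BLOB column only — NOTE(review): this looks like
        # it was meant to be one per column; confirm against columnprint.
        mszlist = [-1 for col_type in col_types if col_type == 'BLOB']
        contentlist = []
        for row in rows:
            line = []
            for idx, col_type in enumerate(col_types):
                cell = row[idx]
                if col_type == 'INTEGER':
                    try:
                        line.append('%d' % cell)
                    except TypeError:
                        # NULL (None) or text stored in an INTEGER column
                        line.append('%s' % cell)
                elif col_type == 'TEXT':
                    try:
                        text = str(cell)
                    except UnicodeError:
                        # Python 2 unicode with non-ASCII characters: str()
                        # fails, so encode explicitly instead of aborting.
                        text = cell.encode('utf8')
                    try:
                        # Round-trip through UTF-8 so multi-byte text survives
                        # intact; a Python 3 str has no .decode() and takes
                        # the fallback below.
                        text = text.decode('utf8').replace('\n', ' ').encode('utf8')
                    except (AttributeError, UnicodeError):
                        # Fixed: the fallback dropped newlines ('') while the
                        # main path replaced them with a space; both now agree.
                        text = text.replace('\n', ' ')
                    line.append('%s' % text)
                else:
                    # BLOB: never dump binary data to the terminal
                    line.append('')
            contentlist.append(line)
        columnprint(col_types, contentlist, mszlist)
        print('')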
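def print_bash_history(bash_history_list):
    """Print recovered bash history, one row per command.

    Args:
        bash_history_list: per-process entries: [0] pid, [1] process name,
            [2] list of (timestamp, command) pairs; timestamps are epoch
            seconds and are shown as UTC.

    Prints a notice and returns when no history was recovered.  Command
    lines can embed credentials typed by the user, so treat the output as
    sensitive evidence.
    """
    # Fixed: the emptiness check was inside the loop, where it could never
    # run for an empty list, so an empty table was printed instead of the notice.
    if not bash_history_list:
        print('[*] Can not found bash history')
        return
    headerlist = ["PID", "PROCESS", "TIME (UTC+0)", "CMD"]
    contentlist = []
    for bash_history in bash_history_list:
        pid_cell = '%s' % bash_history[0]
        process_name = bash_history[1]
        for entry in bash_history[2]:
            when = time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(entry[0]))
            contentlist.append([pid_cell, process_name, when, '%s' % entry[1]])
    # Optional max-size list for columnprint: one -1 per column, as elsewhere.
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)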
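def print_syscall_table(data_list, symbol_list, base_address):
    """Print the syscall table and flag entries that resolve to no symbol.

    Args:
        data_list: sysent records: [0] argument count, [1] call pointer,
            [2]/[3] 32/64-bit arg-munge pointers, [4] return type code
            (looked up in sy_return_type), [5] argument byte count.
        symbol_list: mapping symbol name -> address; base_address is added
            to each address before it is compared with the call pointer.
        base_address: value added to every symbol address.

    HOOK_FINDER is 'True' when the call pointer matches a kernel symbol and
    'Maybe hooked' otherwise (the pointer leads outside the symbol table).
    """
    print('[+] Syscall List')
    headerlist = ["NUM", "ARG_COUNT", "NAME", "CALL_PTR", "ARG_MUNGE32_PTR",
                  "ARG_MUNGE64_PTR", "RET_TYPE", "ARG_BYTES", "HOOK_FINDER"]
    contentlist = []
    for num, entry in enumerate(data_list):
        call_ptr = entry[1]
        sym_match = None
        # Fixed: stop at the first hit.  Without the break, aliased symbols
        # appended several NAME cells and shifted the remaining columns.
        for sym_name, sym_addr in symbol_list.items():
            if call_ptr == sym_addr + base_address:
                sym_match = '%s' % sym_name
                break
        resolved = sym_match is not None
        try:
            ret_type = '%s' % sy_return_type[entry[4]]
        except LookupError:
            # Unknown return-type code: show the raw value (narrowed from a
            # bare except that also swallowed KeyboardInterrupt).
            ret_type = '%d' % entry[4]
        contentlist.append([
            '%d' % num,
            '%d' % entry[0],
            sym_match if resolved else '0x%.8X' % call_ptr,
            '0x%.8X' % call_ptr,
            '0x%.8X' % entry[2],
            '0x%.8X' % entry[3],
            ret_type,
            '%d' % entry[5],
            'True' if resolved else 'Maybe hooked',
        ])
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)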
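def print_mac_policy_list(data_list, mac_policy, kext_list):
    """Print the TrustedBSD MAC policies and the kext each one belongs to.

    Args:
        data_list: per-policy records: [0] name, [1] full name, [2] load
            time, [3] runtime, [4] list of mac_ops entries
            (name, virtual address, physical address).
        mac_policy: (loaded count, max count, current count).
        kext_list: kext records with [2] id, [3] name, [7] address and
            [8] size; the first mac_ops entry whose virtual address lies in
            [address, address+size] decides the associated kext.
    """
    separator = '--------------------------------------------------------------------------------'
    print('[+] TrustedBSD MAC Framework on Darwin')
    print('Loaded Policy Count: %d, Max Count: %d, Current Policy Count: %d' % (
        mac_policy[0], mac_policy[1], mac_policy[2]))
    print(separator)
    headerlist = ["Entrypoint", "Virtual Address", "Physical Address", ""]
    for policy in data_list:
        print('Name: %s, Full Name: %s' % (policy[0], policy[1]))
        print('Loadtime : %s, Runtime: %s' % (policy[2], policy[3]))
        print(separator)
        # [name, address, size, id] of the kext owning the first entry point
        # that falls inside a kext; stays empty when none does.
        kext = []
        contentlist = []
        for mac_ops in policy[4]:
            contentlist.append([
                '%s' % mac_ops[0],
                '0x%.8X' % mac_ops[1],
                '0x%.8X' % mac_ops[2],
                '',
            ])
            if kext:
                continue
            # Fixed: the inner loop reused the outer variable `data`, shadowing
            # the policy record; a distinct name keeps the two apart.
            for kext_info in kext_list:
                if kext_info[7] <= mac_ops[1] <= kext_info[7] + kext_info[8]:
                    kext = [kext_info[3], kext_info[7], kext_info[8], kext_info[2]]
                    break
        mszlist = [-1] * len(headerlist)
        columnprint(headerlist, contentlist, mszlist)
        print(separator)
        if len(kext) == 4:
            print('[+] Associated KEXT : %s (0x%.8x-0x%.8x) - ID: %d' % (
                kext[0], kext[1], kext[1] + kext[2], kext[3]))
        else:
            print('Can not find associated KEXT!!')
        print(separator)
    print('')
    print('If you want to dump associated KEXT, please to use "kextstat" with "-x ID"')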
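def print_syscall_table(data_list, symbol_list, base_address):
    """Print the syscall table and flag entries that resolve to no symbol.

    Args:
        data_list: sysent records: [0] argument count, [1] call pointer,
            [2]/[3] 32/64-bit arg-munge pointers, [4] return type code
            (looked up in sy_return_type), [5] argument byte count.
        symbol_list: mapping symbol name -> address; base_address is added
            to each address before it is compared with the call pointer.
        base_address: value added to every symbol address.

    HOOK_FINDER is 'True' when the call pointer matches a kernel symbol and
    'Maybe hooked' otherwise (the pointer leads outside the symbol table).
    """
    print('[+] Syscall List')
    headerlist = ["NUM", "ARG_COUNT", "NAME", "CALL_PTR", "ARG_MUNGE32_PTR",
                  "ARG_MUNGE64_PTR", "RET_TYPE", "ARG_BYTES", "HOOK_FINDER"]
    contentlist = []
    for num, entry in enumerate(data_list):
        call_ptr = entry[1]
        sym_match = None
        # Fixed: stop at the first hit.  Without the break, aliased symbols
        # appended several NAME cells and shifted the remaining columns.
        for sym_name, sym_addr in symbol_list.items():
            if call_ptr == sym_addr + base_address:
                sym_match = '%s' % sym_name
                break
        resolved = sym_match is not None
        try:
            ret_type = '%s' % sy_return_type[entry[4]]
        except LookupError:
            # Unknown return-type code: show the raw value (narrowed from a
            # bare except that also swallowed KeyboardInterrupt).
            ret_type = '%d' % entry[4]
        contentlist.append([
            '%d' % num,
            '%d' % entry[0],
            sym_match if resolved else '0x%.8X' % call_ptr,
            '0x%.8X' % call_ptr,
            '0x%.8X' % entry[2],
            '0x%.8X' % entry[3],
            ret_type,
            '%d' % entry[5],
            'True' if resolved else 'Maybe hooked',
        ])
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)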
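def print_mac_policy_list(data_list, mac_policy, kext_list):
    """Print the TrustedBSD MAC policies and the kext each one belongs to.

    Args:
        data_list: per-policy records: [0] name, [1] full name, [2] load
            time, [3] runtime, [4] list of mac_ops entries
            (name, virtual address, physical address).
        mac_policy: (loaded count, max count, current count).
        kext_list: kext records with [2] id, [3] name, [7] address and
            [8] size; the first mac_ops entry whose virtual address lies in
            [address, address+size] decides the associated kext.
    """
    separator = '--------------------------------------------------------------------------------'
    print('[+] TrustedBSD MAC Framework on Darwin')
    print('Loaded Policy Count: %d, Max Count: %d, Current Policy Count: %d' % (
        mac_policy[0], mac_policy[1], mac_policy[2]))
    print(separator)
    headerlist = ["Entrypoint", "Virtual Address", "Physical Address", ""]
    for policy in data_list:
        print('Name: %s, Full Name: %s' % (policy[0], policy[1]))
        print('Loadtime : %s, Runtime: %s' % (policy[2], policy[3]))
        print(separator)
        # [name, address, size, id] of the kext owning the first entry point
        # that falls inside a kext; stays empty when none does.
        kext = []
        contentlist = []
        for mac_ops in policy[4]:
            contentlist.append([
                '%s' % mac_ops[0],
                '0x%.8X' % mac_ops[1],
                '0x%.8X' % mac_ops[2],
                '',
            ])
            if kext:
                continue
            # Fixed: the inner loop reused the outer variable `data`, shadowing
            # the policy record; a distinct name keeps the two apart.
            for kext_info in kext_list:
                if kext_info[7] <= mac_ops[1] <= kext_info[7] + kext_info[8]:
                    kext = [kext_info[3], kext_info[7], kext_info[8], kext_info[2]]
                    break
        mszlist = [-1] * len(headerlist)
        columnprint(headerlist, contentlist, mszlist)
        print(separator)
        if len(kext) == 4:
            print('[+] Associated KEXT : %s (0x%.8x-0x%.8x) - ID: %d' % (
                kext[0], kext[1], kext[1] + kext[2], kext[3]))
        else:
            print('Can not find associated KEXT!!')
        print(separator)
    print('')
    print('If you want to dump associated KEXT, please to use "kextstat" with "-x ID"')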
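def main():
    """Command-line entry point: parse a utmpx file and print its records.

    Options: -f/--file PATH (required).  Each record is printed with its
    user, session id, terminal, pid, start time (UTC), status and host/ip.
    """
    parser = argparse.ArgumentParser(description='utmpx Parser by @n0fate.')
    parser.add_argument('-f', '--file', nargs=1,
                        help='utmpx file(/var/run/utmpx)', required=True)
    args = parser.parse_args()
    headerlist = ["user", "session", "terminal", "pid", "start time(utc+0)",
                  "status", "ip", ""]
    contentlist = []
    entries = who(args.file[0])
    for _utmpx in entries:
        # Fixed: the status is reset for every record.  The original set it
        # once before the loop, so a record of any other type inherited the
        # status of the previous BOOT_TIME/USER_PROCESS record.
        strtype = ''
        try:
            kind = ut_type[int(_utmpx.ut_type)]
        except IndexError:
            # Type value outside the ut_type table (corrupt or unknown record):
            # leave the status blank instead of aborting the whole listing.
            kind = None
        if kind == 'BOOT_TIME':
            _utmpx.ut_user = '******'
            _utmpx.ut_id = '~'
            strtype = '~'
        elif kind == 'USER_PROCESS':
            strtype = 'still logged in'
        lotime = strftime("%a %b %d %H:%M:%S", time.gmtime(float(_utmpx.ut_sec)))
        # Integer division: same digits as before on Python 2, and keeps the
        # %03d millisecond field an int on Python 3.
        millis = int(_utmpx.ut_usec) // 1000
        contentlist.append([
            '%s' % _utmpx.ut_user,
            '%s' % _utmpx.ut_id,
            '%s' % _utmpx.ut_line,
            '%d' % int(_utmpx.ut_pid),
            '%s.%03d' % (lotime, millis),
            '%s' % strtype,
            '%s' % _utmpx.ut_host,
            '',
        ])
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)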
def proc_print(data_list, os_version):
    """Print the BSD process list as a table.

    Args:
        data_list: per-process records indexed positionally: [0] proc offset,
            [1] pid, [4] ppid, [5]/[6] uid/gid (only shown when
            os_version >= 11), [10] priority and [12] nice (both passed
            through unsigned8()), [14] process name, [15] user name,
            [16] creation time in epoch seconds (printed as UTC),
            [17]/[18] credential uid/gid.
        os_version: OS version number as used throughout this file; 11 and
            later get a "USERNAME(UID,GID)" column instead of "USERNAME".
    """
    print('[+] Process List')
    with_ids = os_version >= 11
    headerlist = [
        "OFFSET(P)", "PID", "PPID", "PRIORITY", "NICE", "PROCESS_NAME",
        "USERNAME(UID,GID)" if with_ids else "USERNAME",
        "CRED(UID,GID)", "CREATE_TIME (UTC+0)", "",
    ]
    contentlist = []
    for proc in data_list:
        row = [
            "0x%.8X" % proc[0],             # offset
            '%d' % proc[1],                 # pid
            '%d' % proc[4],                 # ppid
            '%d' % unsigned8(proc[10]),     # priority
            '%d' % unsigned8(proc[12]),     # nice
            '%s' % proc[14],                # process name (NUL-formatted string, per the original note)
        ]
        if with_ids:
            row.append('%s(%d,%d)' % (proc[15], proc[5], proc[6]))
        else:
            row.append('%s' % (proc[15]))
        row.append('(%d,%d)' % (proc[17], proc[18]))        # credential uid, gid
        row.append(time.strftime("%a %b %d %H:%M:%S %Y", time.gmtime(proc[16])))
        row.append('')
        contentlist.append(row)
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)
def print_network_list(tcp_network_list, udp_network_list):
    """Print TCP and UDP endpoints recovered from the hash-based socket lists.

    Each record is indexed positionally: [1]/[3] local address and port,
    [2]/[4] foreign address and port.  Index [0] holds a state/flag value
    whose NETWORK_STATES lookup is commented out in the original, so the
    "(state)" column is left blank.  TCP rows precede UDP rows.
    """
    print('[+] NETWORK INFORMATION (hashbase)')
    headerlist = ["Proto", "Local Address", "Foreign Address", "(state)"]
    contentlist = []
    for proto, records in (('tcp', tcp_network_list), ('udp', udp_network_list)):
        for network in records:
            contentlist.append([
                proto,
                '%s:%d' % (network[1], network[3]),   # local
                '%s:%d' % (network[2], network[4]),   # foreign
                '',                                    # (state) not rendered
            ])
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)
entries[i]['id'] = '~' strtype = '~' elif ut_type[iuttype] == 'USER_PROCESS': strtype = 'still logged in' else: strtype = '' except IndexError: strtype = '' strtype = '' lotime = strftime("%Y %m %d %H:%M:%S",time.gmtime(float(entries[i]['sec']))) #eline = entries[i]['user']+'\t'+entries[i]['id']+'\t'+entries[i]['line']+'\t'+entries[i]['pid']+'\t'+ut_type[int(entries[i]['type'])]+'\t'+lotime+'\t'+entries[i]['usec']+'\t'+entries[i]['ipaddress'] line = ['%s'%entries[i]['user']] line.append('%s'%entries[i]['id']) line.append('%d'%int(entries[i]['session'])) try: line.append('%s'%ut_type[iuttype]) except IndexError: line.append('') line.append('%s'%entries[i]['line']) line.append('%d'%int(entries[i]['pid'])) line.append('%s.%03d'%(lotime, int(entries[i]['usec'])/1000)) line.append('%s'%strtype) line.append('%s'%(entries[i]['ipaddress'])) line.append('') contentlist.append(line) mszlist = [-1, -1, -1, -1, -1, -1, -1, -1, -1, -1] columnprint(headerlist, contentlist, mszlist) #EOF
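def print_mach_trap_table(data_list, symbol_list, os_version, base_address):
    """Print the Mach trap table and flag entries that resolve to no symbol.

    Args:
        data_list: trap records: [0] argument count, [1] call pointer and,
            when os_version == 10, [2]/[3] 32/64-bit arg-munge pointers.
        symbol_list: mapping symbol name -> address.
        os_version: when 10, symbol addresses are compared as-is and the two
            arg-munge columns are shown; otherwise base_address is added to
            each symbol address first and the munge columns are omitted.
        base_address: value added to symbol addresses (ignored when
            os_version == 10).

    HOOK_FINDER is 'True' when the call pointer matches a known symbol and
    'Maybe hooked' otherwise (the pointer leads outside the symbol table).
    """
    legacy = os_version == 10
    symbol_offset = 0 if legacy else base_address
    print('[+] Mach Trap Table')
    if legacy:
        headerlist = ["NUM", "ARG_COUNT", "CALL_NAME", "CALL_PTR",
                      "ARG_MUNGE32_PTR", "ARG_MUNGE64_PTR", "HOOK_FINDER"]
    else:
        headerlist = ["NUM", "ARG_COUNT", "CALL_NAME", "CALL_PTR", "HOOK_FINDER"]
    contentlist = []
    # Fixed: NUM now counts upwards; the original did `count -= 1`, printing
    # 0, -1, -2, ... unlike every other table in this file.
    for num, entry in enumerate(data_list):
        call_ptr = entry[1]
        sym_match = None
        for sym_name, sym_addr in symbol_list.items():
            if call_ptr == sym_addr + symbol_offset:
                sym_match = '%s' % sym_name
                break
        resolved = sym_match is not None
        line = [
            '%d' % num,
            '%d' % entry[0],
            sym_match if resolved else '0x%.8X' % call_ptr,
            '0x%.8X' % call_ptr,
        ]
        if legacy:
            line.append('0x%.8X' % entry[2])
            line.append('0x%.8X' % entry[3])
        line.append('True' if resolved else 'Maybe hooked')
        contentlist.append(line)
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)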
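def main():
    """Command-line entry point: decrypt and print an OS X call-history database.

    Options: -k/--key (base64-encoded key, the "Call History User Data Key"
    from the Keychain) and -f/--file (the CallHistory.storedata database).
    Prints one row per call: time (UTC), answered, sent, type, phone number.
    """
    print('Call History Decryptor for OS X Yosemite (Written by n0fate)')
    print('It can decrypt a call-history in OS X.')
    print('Continuity in OS X : https://www.apple.com/osx/continuity/')
    parser = ArgumentParser()
    parser.add_argument("-k", "--key", dest="keyvalue",
                        help="Decoded key as Call History User Data Key in Keychain")
    parser.add_argument("-f", "--file", dest="dbname",
                        help="Call history database (CallHistory.storedata)")
    args = parser.parse_args()
    if not (args.keyvalue and args.dbname):
        parser.error('[+] Error : add -k and -f option')
    try:
        key = base64.decodestring(args.keyvalue)
    except Exception:
        # Narrowed from a bare except so Ctrl-C still interrupts the run.
        print('[+] Error : key format is not base64 encoded')
        return
    # NOTE(review): the key is echoed to stdout (it is also visible in the
    # process list via -k); keep that in mind when capturing output.
    print('[+] Key is %s' % key.encode('hex'))
    dbname = args.dbname
    print('[+] Open the database : %s' % dbname)
    decryptor = CallHistoryDecryptor()
    # Fixed: the database was opened twice, the first result being ignored.
    ret = decryptor.open(dbname)
    if ret is False:
        print('[+] Error : Invalid db file')
        return
    print('[+] Get a list of table')
    tablelist = decryptor.gettablelist()
    table = tablelist[1]
    print('[+] Get a list of columns in %s table' % table)
    column, ret = decryptor.getcolumnnamebytable(table)
    print('[+] Get a list of records in %s table' % table)
    records, ret = decryptor.getrecordsbytable(table)
    if ret is False:
        return
    decryptor.setkey(key)
    # ZDATE is stored as seconds relative to 2001-01-01.
    reference_date = datetime.datetime.strptime("01-01-2001", "%m-%d-%Y")
    from tableprint import columnprint
    print('[+] Result')
    header = ['Time(UTC+0)', 'Answered', 'Sent', 'Type', 'Phone Number', '']
    rows = []
    for record in records:
        # Named `zdate` rather than `time` so the time module is not shadowed.
        zdate = record[column.index('ZDATE')]
        when = reference_date + datetime.timedelta(seconds=zdate)
        answered = int(record[column.index('ZANSWERED')]) == 1
        decrypted = decryptor.decryptcallhistorydb(record[column.index('ZADDRESS')])
        originated = int(record[column.index('ZORIGINATED')]) == 1
        cellular = int(record[column.index('ZCALLTYPE')]) == 1
        rows.append([
            when.strftime("%a, %d %b %Y %H:%M:%S"),
            'Yes' if answered else 'No',
            'Yes' if originated else 'No',
            'CellPhone' if cellular else 'FaceTime',
            str(decrypted),
            '',
        ])
    mszlist = [-1] * len(header)
    columnprint(header, rows, mszlist)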
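def main():
    """Command-line entry point: decrypt and print an OS X call-history database.

    Options: -k/--key (base64-encoded key, the "Call History User Data Key"
    from the Keychain) and -f/--file (the CallHistory.storedata database).
    Prints one row per call: time (UTC), answered, sent, type, phone number,
    location and duration in minutes.
    """
    print('Call History Decryptor for OS X Yosemite (Written by n0fate)')
    print('It can decrypt a call-history in OS X.')
    print('Continuity in OS X : https://www.apple.com/osx/continuity/')
    parser = ArgumentParser()
    parser.add_argument("-k", "--key", dest="keyvalue",
                        help="Decoded key as Call History User Data Key in Keychain")
    parser.add_argument("-f", "--file", dest="dbname",
                        help="Call history database (CallHistory.storedata)")
    args = parser.parse_args()
    if not (args.keyvalue and args.dbname):
        parser.error('[+] Error : add -k and -f option')
    try:
        key = base64.decodebytes(args.keyvalue.encode('utf-8'))
    except Exception as e:
        print(e)
        print('[+] Error : key format is not base64 encoded')
        return
    # NOTE(review): the key is echoed to stdout (it is also visible in the
    # process list via -k); keep that in mind when capturing output.
    print('[+] Key is %s' % key.hex())
    dbname = args.dbname
    print('[+] Open the database : %s' % dbname)
    decryptor = CallHistoryDecryptor()
    # Fixed: the database was opened twice, the first result being ignored.
    ret = decryptor.open(dbname)
    if ret is False:
        print('[+] Error : Invalid db file')
        return
    print('[+] Get a list of table')
    tablelist = decryptor.gettablelist()
    table = tablelist[1]
    print('[+] Get a list of columns in %s table' % table)
    column, ret = decryptor.getcolumnnamebytable(table)
    print('[+] Get a list of records in %s table' % table)
    records, ret = decryptor.getrecordsbytable(table)
    if ret is False:
        return
    decryptor.setkey(key)
    # ZDATE is stored as seconds relative to 2001-01-01.
    reference_date = datetime.datetime.strptime("01-01-2001", "%m-%d-%Y")
    from tableprint import columnprint
    print('[+] Result')
    header = ['Time(UTC+0)', 'Answered', 'Sent', 'Type', 'Phone Number',
              'Location', 'Duration', '']
    rows = []
    for record in records:
        # Named `zdate` rather than `time` so the time module is not shadowed.
        zdate = record[column.index('ZDATE')]
        when = reference_date + datetime.timedelta(seconds=zdate)
        answered = int(record[column.index('ZANSWERED')]) == 1
        decrypted = decryptor.decryptcallhistorydb(
            record[column.index('ZADDRESS')]).decode('utf-8')
        originated = int(record[column.index('ZORIGINATED')]) == 1
        cellular = int(record[column.index('ZCALLTYPE')]) == 1
        # ZDURATION is in seconds; shown as minutes with one decimal.
        duration_min = round(record[column.index('ZDURATION')] / 60, 1)
        rows.append([
            when.strftime("%a, %d %b %Y %H:%M:%S"),
            'Yes' if answered else 'No',
            'Yes' if originated else 'No',
            'CellPhone' if cellular else 'FaceTime',
            str(decrypted),
            str(record[column.index('ZLOCATION')]),
            str(duration_min),
            '',
        ])
    mszlist = [-1] * len(header)
    columnprint(header, rows, mszlist)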
entries[i]['id'] = '~' strtype = '~' elif ut_type[iuttype] == 'USER_PROCESS': strtype = 'still logged in' else: strtype = '' except IndexError: strtype = '' strtype = '' lotime = strftime("%Y %m %d %H:%M:%S", time.gmtime(float(entries[i]['sec']))) #eline = entries[i]['user']+'\t'+entries[i]['id']+'\t'+entries[i]['line']+'\t'+entries[i]['pid']+'\t'+ut_type[int(entries[i]['type'])]+'\t'+lotime+'\t'+entries[i]['usec']+'\t'+entries[i]['ipaddress'] line = ['%s' % entries[i]['user']] line.append('%s' % entries[i]['id']) line.append('%d' % int(entries[i]['session'])) try: line.append('%s' % ut_type[iuttype]) except IndexError: line.append('') line.append('%s' % entries[i]['line']) line.append('%d' % int(entries[i]['pid'])) line.append('%s.%03d' % (lotime, int(entries[i]['usec']) / 1000)) line.append('%s' % strtype) line.append('%s' % (entries[i]['ipaddress'])) line.append('') contentlist.append(line) mszlist = [-1, -1, -1, -1, -1, -1, -1, -1, -1, -1] columnprint(headerlist, contentlist, mszlist) #EOF
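def print_mach_trap_table(data_list, symbol_list, os_version, base_address):
    """Print the Mach trap table and flag entries that resolve to no symbol.

    Args:
        data_list: trap records: [0] argument count, [1] call pointer and,
            when os_version == 10, [2]/[3] 32/64-bit arg-munge pointers.
        symbol_list: mapping symbol name -> address.
        os_version: when 10, symbol addresses are compared as-is and the two
            arg-munge columns are shown; otherwise base_address is added to
            each symbol address first and the munge columns are omitted.
        base_address: value added to symbol addresses (ignored when
            os_version == 10).

    HOOK_FINDER is 'True' when the call pointer matches a known symbol and
    'Maybe hooked' otherwise (the pointer leads outside the symbol table).
    """
    legacy = os_version == 10
    symbol_offset = 0 if legacy else base_address
    print('[+] Mach Trap Table')
    if legacy:
        headerlist = ["NUM", "ARG_COUNT", "CALL_NAME", "CALL_PTR",
                      "ARG_MUNGE32_PTR", "ARG_MUNGE64_PTR", "HOOK_FINDER"]
    else:
        headerlist = ["NUM", "ARG_COUNT", "CALL_NAME", "CALL_PTR", "HOOK_FINDER"]
    contentlist = []
    # Fixed: NUM now counts upwards; the original did `count -= 1`, printing
    # 0, -1, -2, ... unlike every other table in this file.
    for num, entry in enumerate(data_list):
        call_ptr = entry[1]
        sym_match = None
        for sym_name, sym_addr in symbol_list.items():
            if call_ptr == sym_addr + symbol_offset:
                sym_match = '%s' % sym_name
                break
        resolved = sym_match is not None
        line = [
            '%d' % num,
            '%d' % entry[0],
            sym_match if resolved else '0x%.8X' % call_ptr,
            '0x%.8X' % call_ptr,
        ]
        if legacy:
            line.append('0x%.8X' % entry[2])
            line.append('0x%.8X' % entry[3])
        line.append('True' if resolved else 'Maybe hooked')
        contentlist.append(line)
    mszlist = [-1] * len(headerlist)
    columnprint(headerlist, contentlist, mszlist)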