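def calculate(self):
    """Walk ``keyboard_notifier_list`` and resolve every registered callback.

    Yields ``(call_addr, sym_name, hooked)`` for each ``notifier_block`` on
    the atomic notifier chain: the ``notifier_call`` pointer, a descriptive
    name, and a 0/1 flag that is 1 when the pointer does not resolve to a
    kernel symbol (i.e. it points outside the kernel's own text).

    Aborts via ``debug.error`` when the profile has no symbol for the list.
    """
    linux_common.set_plugin_members(self)

    knl_addr = self.addr_space.profile.get_symbol("keyboard_notifier_list")
    if not knl_addr:
        debug.error("Symbol keyboard_notifier_list not found in kernel")

    knl = obj.Object("atomic_notifier_head", offset=knl_addr, vm=self.addr_space)

    # Cache (name, hooked) per address. The original cached only the name
    # and reset hooked to 0 on a cache hit, so the second sighting of a
    # hooked callback was reported as legitimate.
    symbol_cache = {}

    for call_back in linux_common.walk_internal_list("notifier_block", "next", knl.head):
        call_addr = call_back.notifier_call

        if call_addr in symbol_cache:
            sym_name, hooked = symbol_cache[call_addr]
        else:
            sym_name = self.profile.get_symbol_by_address("kernel", call_addr)
            hooked = 0
            if not sym_name:
                # Not a kernel symbol: attribute the pointer to a module.
                # FIXME(review): this module offset is a hard-coded address
                # from one specific memory image and is meaningless for any
                # other sample; the owning module should be found by walking
                # the module list for the one whose range contains call_addr.
                module = obj.Object("module", offset=0xffffffffa03a15d0, vm=self.addr_space)
                sym = module.get_symbol_for_address(call_addr)
                sym_name = "%s: %s/%s" % ("HOOKED", module.name, sym)
                hooked = 1
            symbol_cache[call_addr] = (sym_name, hooked)

        yield call_addr, sym_name, hooked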
def calculate(self):
    """Walk the ``neigh_tables`` list and yield ``handle_table`` per table.

    ``neigh_tables`` is read as a pointer to the first ``neigh_table`` and
    the chain is followed through ``next``. Note that the return value of
    ``handle_table`` is yielded as-is for each table, not unpacked.
    """
    linux_common.set_plugin_members(self)

    list_head = obj.Object(
        "Pointer",
        offset=self.get_profile_symbol("neigh_tables"),
        vm=self.addr_space,
    )
    tables = linux_common.walk_internal_list("neigh_table", "next", list_head)

    for table in tables:
        yield self.handle_table(table)
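def calculate(self):
    """Walk ``keyboard_notifier_list`` and classify each callback pointer.

    Yields ``(call_addr, sym_name, hooked)`` per ``notifier_block``: the
    ``notifier_call`` pointer, the kernel symbol it resolves to (or the
    literal ``"HOOKED"`` when it does not), and a 0/1 hooked flag.

    Aborts via ``debug.error`` when the profile has no symbol for the list.
    """
    linux_common.set_plugin_members(self)

    knl_addr = self.addr_space.profile.get_symbol("keyboard_notifier_list")
    if not knl_addr:
        debug.error("Symbol keyboard_notifier_list not found in kernel")

    knl = obj.Object("atomic_notifier_head", offset=knl_addr, vm=self.addr_space)

    # Keyed by callback address, value is (name, hooked). The original
    # cached only the name and reset hooked to 0 on a cache hit.
    symbol_cache = {}

    for callback in linux_common.walk_internal_list("notifier_block", "next", knl.head):
        # Resolve the function pointer, not the notifier_block struct: the
        # original passed the struct object to get_symbol_by_address and
        # keyed the cache on it, so the lookup used the wrong address.
        call_addr = callback.notifier_call

        if call_addr in symbol_cache:
            sym_name, hooked = symbol_cache[call_addr]
        else:
            sym_name = self.profile.get_symbol_by_address("kernel", call_addr)
            hooked = 0
            if not sym_name:
                sym_name = "HOOKED"
                hooked = 1
            symbol_cache[call_addr] = (sym_name, hooked)

        yield call_addr, sym_name, hooked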
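def walk_neighbor(self, neighbor):
    """Collect ARP/ND entries from one ``neighbour`` hash chain.

    Follows ``next`` from *neighbor* and returns a list of
    ``a_ent(ip, mac, devname)`` tuples. The walk stops on a revisited
    offset (a cycle in corrupted or smeared memory) or after 1024 nodes.
    Nodes whose ``dev`` pointer is invalid are skipped.
    """
    seen = set()  # offsets already visited; a set keeps the check O(1)
    ret = []

    for ctr, n in enumerate(linux_common.walk_internal_list("neighbour", "next", neighbor)):
        if n.obj_offset in seen or ctr > 1024:
            break
        seen.add(n.obj_offset)

        # The table's address family decides how primary_key is decoded.
        family = n.tbl.family
        if family == socket.AF_INET:
            ip = obj.Object("IpAddress", offset=n.primary_key.obj_offset, vm=self.addr_space).v()
        elif family == socket.AF_INET6:
            ip = obj.Object("Ipv6Address", offset=n.primary_key.obj_offset, vm=self.addr_space).v()
        else:
            ip = '?'

        # Bug fix: the original computed mac/devname inside this check but
        # appended outside it, so an invalid dev either raised NameError
        # (first node) or re-used the previous node's MAC and device name.
        if not n.dev.is_valid():
            continue

        mac = ":".join(["{0:02x}".format(x) for x in n.ha][:n.dev.addr_len])
        devname = n.dev.name
        ret.append(a_ent(ip, mac, devname))

    return ret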
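def walk_neighbor(self, neighbor):
    """Collect ARP/ND entries from one ``neighbour`` hash chain.

    Follows ``next`` from *neighbor* and returns a list of
    ``a_ent(ip, mac, devname)`` tuples. The walk is bounded: it stops on a
    revisited offset (a cycle in corrupted or smeared memory) or after
    1024 nodes, and nodes whose ``dev`` pointer is invalid are skipped.
    """
    seen = set()
    ret = []

    for ctr, n in enumerate(linux_common.walk_internal_list("neighbour", "next", neighbor)):
        # The original walked the list unbounded; a corrupted next pointer
        # could loop forever or run off into unrelated memory.
        if n.obj_offset in seen or ctr > 1024:
            break
        seen.add(n.obj_offset)

        # The table's address family decides how primary_key is decoded.
        family = n.tbl.family
        if family == socket.AF_INET:
            ip = obj.Object("IpAddress", offset=n.primary_key.obj_offset, vm=self.addr_space).v()
        elif family == socket.AF_INET6:
            ip = obj.Object("Ipv6Address", offset=n.primary_key.obj_offset, vm=self.addr_space).v()
        else:
            ip = '?'

        # Without a readable net_device there is no addr_len or name to
        # report; the original dereferenced dev unconditionally.
        if not n.dev.is_valid():
            continue

        mac = ":".join(["{0:02x}".format(x) for x in n.ha][:n.dev.addr_len])
        devname = n.dev.name
        ret.append(a_ent(ip, mac, devname))

    return ret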
def calculate(self):
    """Yield neighbour-table entries for whichever ``neigh_tables`` layout
    the profile uses.

    Depending on the kernel, ``neigh_tables`` is either the head of a
    ``neigh_table`` list chained through ``next`` or a fixed array of
    four table pointers. The profile is probed for the ``next`` member to
    pick the layout; each table is then passed to ``handle_table``.
    """
    linux_common.set_plugin_members(self)
    tables_sym = self.addr_space.profile.get_symbol("neigh_tables")

    # get_obj_offset raises KeyError when the struct has no such member.
    try:
        self.addr_space.profile.get_obj_offset("neigh_table", "next")
    except KeyError:
        linked = False
    else:
        linked = True

    if linked:
        head = obj.Object("Pointer", offset=tables_sym, vm=self.addr_space)
        tables = linux_common.walk_internal_list("neigh_table", "next", head)
    else:
        # Array layout: four pointer slots, as in the original.
        slots = obj.Object(
            theType="Array",
            targetType="Pointer",
            offset=tables_sym,
            vm=self.addr_space,
            count=4,
        )
        tables = (slot.dereference_as("neigh_table") for slot in slots)

    for table in tables:
        for entry in self.handle_table(table):
            yield entry
def calculate(self):
    """Yield ``(task, vma)`` for every VMA of every listed process.

    Processes come from ``linux_pslist``; tasks whose ``mm`` pointer is
    NULL (no user address space) are skipped, otherwise the
    ``vm_area_struct`` chain is walked from ``mm.mmap`` via ``vm_next``.
    """
    linux_common.set_plugin_members(self)

    for task in linux_pslist.linux_pslist.calculate(self):
        mm = task.mm
        if not mm:
            continue
        vmas = linux_common.walk_internal_list("vm_area_struct", "vm_next", mm.mmap)
        for vma in vmas:
            yield task, vma
def calculate(self):
    """Yield ``(task, vma)`` pairs for all mapped regions of all processes.

    Uses ``linux_pslist`` for the process list. A task with a NULL ``mm``
    contributes nothing; otherwise its ``vm_area_struct`` list is walked
    from ``mm.mmap`` through ``vm_next``.
    """
    linux_common.set_plugin_members(self)

    procs = linux_pslist.linux_pslist.calculate(self)
    for proc in procs:
        mm = proc.mm
        if not mm:
            continue
        for region in linux_common.walk_internal_list("vm_area_struct", "vm_next", mm.mmap):
            yield proc, region
def _get_devs_base(self):
    """Yield every ``net_device`` on the list rooted at ``dev_base``.

    ``dev_base`` is read as a pointer to the first ``net_device``; the
    chain is then followed through ``next``.
    """
    base_sym = self.addr_space.profile.get_symbol("dev_base")
    base_ptr = obj.Object("Pointer", offset=base_sym, vm=self.addr_space)
    first_dev = base_ptr.dereference_as("net_device")

    for dev in linux_common.walk_internal_list("net_device", "next", first_dev):
        yield dev
def get_devs_base(self):
    """Yield ``(net_device, in_device)`` pairs from the ``dev_base`` list.

    The ``in_device`` is instantiated at ``net_dev.ip_ptr`` with no validity
    check, so when ``ip_ptr`` is NULL the yielded object sits at offset 0;
    callers are expected to validate it before use.
    """
    base_sym = self.get_profile_symbol("dev_base")
    base_ptr = obj.Object("Pointer", offset=base_sym, vm=self.addr_space)
    first_dev = base_ptr.dereference_as("net_device")

    for dev in linux_common.walk_internal_list("net_device", "next", first_dev):
        ipv4_cfg = obj.Object("in_device", offset=dev.ip_ptr, vm=self.addr_space)
        yield dev, ipv4_cfg
def calculate(self):
    """Walk the ``neigh_tables`` list and yield ``handle_table`` per table.

    ``neigh_tables`` is read as a pointer to the first ``neigh_table`` and
    the chain is followed through ``next``. The return value of
    ``handle_table`` is yielded as-is for each table, not unpacked.
    """
    linux_common.set_plugin_members(self)

    tables_sym = self.get_profile_symbol("neigh_tables")
    list_head = obj.Object("Pointer", offset=tables_sym, vm=self.addr_space)

    for table in linux_common.walk_internal_list("neigh_table", "next", list_head):
        yield self.handle_table(table)
def calculate(self):
    """Yield the ``notifier_call`` pointer of each block on
    ``keyboard_notifier_list``.

    Aborts via ``debug.error`` when the profile has no symbol for the list.
    """
    linux_common.set_plugin_members(self)

    list_addr = self.get_profile_symbol("keyboard_notifier_list")
    if not list_addr:
        debug.error("Symbol keyboard_notifier_list not found in kernel")

    notifier_head = obj.Object("atomic_notifier_head", offset=list_addr, vm=self.addr_space)
    blocks = linux_common.walk_internal_list("notifier_block", "next", notifier_head.head)

    for block in blocks:
        yield block.notifier_call
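def calculate(self):
    """Yield neighbour-table entries, handling both ``neigh_tables`` layouts.

    ``neigh_tables`` is either the head of a ``neigh_table`` list chained
    through ``next`` or a fixed array of four table pointers. The profile
    is asked whether ``neigh_table`` has a ``next`` member to decide which
    layout to walk; every table is then handed to ``handle_table``.
    """
    linux_common.set_plugin_members(self)
    neigh_tables_addr = self.addr_space.profile.get_symbol("neigh_tables")

    # Bug fix: the original tested hasattr("neigh_table", "next"), i.e. an
    # attribute lookup on a str literal, which is always False, so the
    # array layout was taken unconditionally. Probe the profile's struct
    # definition instead; get_obj_offset raises KeyError for a missing member.
    try:
        self.addr_space.profile.get_obj_offset("neigh_table", "next")
        has_next = True
    except KeyError:
        has_next = False

    if has_next:
        ntables_ptr = obj.Object("Pointer", offset=neigh_tables_addr, vm=self.addr_space)
        tables = linux_common.walk_internal_list("neigh_table", "next", ntables_ptr)
    else:
        tables_arr = obj.Object(
            theType="Array",
            targetType="Pointer",
            offset=neigh_tables_addr,
            vm=self.addr_space,
            count=4,
        )
        tables = [t.dereference_as("neigh_table") for t in tables_arr]

    for ntable in tables:
        for aent in self.handle_table(ntable):
            yield aent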
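def walk_neighbor(self, neighbor):
    """Collect ARP/ND entries from one ``neighbour`` hash chain.

    Follows ``next`` from *neighbor* and returns a list of
    ``a_ent(ip, mac, devname)`` tuples. The walk stops on a revisited
    offset (a cycle in corrupted or smeared memory) or after 1024 nodes.
    Nodes whose ``dev`` pointer is invalid are skipped.
    """
    seen = set()  # offsets already visited; a set keeps the check O(1)
    ret = []

    for ctr, n in enumerate(linux_common.walk_internal_list("neighbour", "next", neighbor)):
        if n.obj_offset in seen or ctr > 1024:
            break
        seen.add(n.obj_offset)

        # The table's address family decides how primary_key is decoded.
        family = n.tbl.family
        if family == socket.AF_INET:
            ip = obj.Object(
                "IpAddress",
                offset=n.primary_key.obj_offset,
                vm=self.addr_space,
            ).v()
        elif family == socket.AF_INET6:
            ip = obj.Object(
                "Ipv6Address",
                offset=n.primary_key.obj_offset,
                vm=self.addr_space,
            ).v()
        else:
            ip = '?'

        # Bug fix: the original computed mac/devname inside this check but
        # appended outside it, so an invalid dev either raised NameError
        # (first node) or re-used the previous node's MAC and device name.
        if not n.dev.is_valid():
            continue

        mac = ":".join(["{0:02x}".format(x) for x in n.ha][:n.dev.addr_len])
        devname = n.dev.name
        ret.append(a_ent(ip, mac, devname))

    return ret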
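def walk_neighbor(self, neighbor):
    """Collect ARP/ND entries from one ``neighbour`` hash chain.

    Follows ``next`` from *neighbor* and returns a list of
    ``a_ent(ip, mac, devname)`` tuples. The walk is bounded: it stops on a
    revisited offset (a cycle in corrupted or smeared memory) or after
    1024 nodes, and nodes whose ``dev`` pointer is invalid are skipped.
    """
    seen = set()
    ret = []

    for ctr, n in enumerate(linux_common.walk_internal_list("neighbour", "next", neighbor)):
        # The original walked the list unbounded; a corrupted next pointer
        # could loop forever or run off into unrelated memory.
        if n.obj_offset in seen or ctr > 1024:
            break
        seen.add(n.obj_offset)

        # The table's address family decides how primary_key is decoded.
        family = n.tbl.family
        if family == socket.AF_INET:
            ip = obj.Object("IpAddress", offset=n.primary_key.obj_offset, vm=self.addr_space).v()
        elif family == socket.AF_INET6:
            ip = obj.Object("Ipv6Address", offset=n.primary_key.obj_offset, vm=self.addr_space).v()
        else:
            ip = "?"

        # Without a readable net_device there is no addr_len or name to
        # report; the original dereferenced dev unconditionally.
        if not n.dev.is_valid():
            continue

        mac = ":".join(["{0:02x}".format(x) for x in n.ha][: n.dev.addr_len])
        devname = n.dev.name
        ret.append(a_ent(ip, mac, devname))

    return ret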
def get_proc_maps(self):
    """Yield each ``vm_area_struct`` on this task's ``mm.mmap`` chain,
    following ``vm_next``."""
    regions = linux_common.walk_internal_list("vm_area_struct", "vm_next", self.mm.mmap)
    for region in regions:
        yield region