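def calculate(self):
    """Walk gNotifications and yield every registered IOService notifier.

    Each yielded tuple is (good, key, notifier, matches): ``good`` is the result
    of common.is_known_address() for the notifier's handler, i.e. whether the
    callback address lies in the kernel or in one of the known kernel modules;
    ``key`` is the notification type (an OSString); ``notifier`` is the
    _IOServiceNotifier object; ``matches`` is whatever self.get_matching()
    returns for it.  Dictionary entries and notifiers that cannot be read are
    skipped.
    """
    common.set_plugin_members(self)
    (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self)

    gnotify_addr = common.get_cpp_sym("gNotifications", self.addr_space.profile)
    gnotify_ptr = obj.Object("Pointer", offset = gnotify_addr, vm = self.addr_space)
    gnotifications = gnotify_ptr.dereference_as("OSDictionary")

    ents = obj.Object('Array', offset = gnotifications.dictionary, vm = self.addr_space,
                      targetType = 'dictEntry', count = gnotifications.count)

    # walk the current set of notifications
    for ent in ents:
        # '== None' (not 'is None') is deliberate: an unreadable entry comes back
        # as a volatility NoneObject, which compares equal to None but is not None.
        # The is_valid() check additionally rejects entries whose backing page
        # cannot be read instead of carrying a NoneObject through the reads below.
        if ent == None or not ent.is_valid():
            continue

        key = ent.key.dereference_as("OSString")

        # the value is an ordered set of _IOServiceNotifier pointers
        valset = ent.value.dereference_as("OSOrderedSet")
        notifiers_ptrs = obj.Object('Array', offset = valset.array, vm = self.addr_space,
                                    targetType = 'Pointer', count = valset.count)

        for ptr in notifiers_ptrs:
            notifier = ptr.dereference_as("_IOServiceNotifier")
            if notifier == None:
                continue

            matches = self.get_matching(notifier)

            # this is the function that handles whatever the notification is for;
            # it should only be in the kernel or in one of the known IOKit drivers
            # for the specific kernel, so an address outside those is the finding
            handler = notifier.handler
            good = common.is_known_address(handler, kernel_symbol_addresses, kmods)

            yield (good, key, notifier, matches)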
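def calculate(self):
    """Yield every OSKext object reachable from the kernel's sLoadedKexts array.

    sLoadedKexts is resolved from the profile's C++ symbols and dereferenced as
    an OSArray; each slot of its backing array (up to ``capacity``, not
    ``count``) is treated as a pointer to an OSKext, and only kexts that
    dereference and are valid are yielded.  debug.error() is called, which is
    expected to stop the plugin, when the OSArray type cannot be built from
    the profile.
    """
    common.set_plugin_members(self)

    saddr = common.get_cpp_sym("sLoadedKexts", self.addr_space.profile)
    p = obj.Object("Pointer", offset=saddr, vm=self.addr_space)
    kOSArr = obj.Object(self._struct_or_class("OSArray"), offset=p, vm=self.addr_space)

    # '== None' is deliberate: a failed read yields a volatility NoneObject,
    # which compares equal to None but is not the None singleton
    if kOSArr == None:
        debug.error(
            "The OSArray_class type was not found in the profile. Please file a bug if you are running aginst Mac >= 10.7"
        )

    # capacity rather than count: unused trailing slots are read as well and
    # filtered out by the validity check in the loop
    kext_arr = obj.Object(theType="Array", targetType="Pointer",
                          offset=kOSArr.array, count=kOSArr.capacity,
                          vm=self.addr_space)

    # the enumerate() index previously kept here was never used
    for kext_ptr in kext_arr:
        kext = kext_ptr.dereference_as(self._struct_or_class("OSKext"))
        if kext and kext.is_valid():
            yield kext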
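def calculate(self):
    """Walk sAllClassesDict and yield every vtable slot of each registered IOKit class.

    Each dictionary entry maps a class-name OSString to its OSMetaClass.  The
    vtable start is taken from ``metaClass`` when the profile has that member,
    otherwise from the pointer at the OSMetaClass's own offset.  Slots are
    read as unsigned longs until a zero entry, and each is resolved with
    common.get_handler_name(); the yielded tuple is
    (class name, slot value, module, handler symbol).
    """
    common.set_plugin_members(self)
    kaddr_info = common.get_handler_name_addrs(self)

    dict_ptr_addr = common.get_cpp_sym("sAllClassesDict", self.addr_space.profile)
    dict_addr = obj.Object("unsigned long", offset=dict_ptr_addr, vm=self.addr_space)
    fdict = obj.Object(self._struct_or_class("OSDictionary"),
                       offset=dict_addr.v(), vm=self.addr_space)

    ents = obj.Object('Array', offset=fdict.dictionary, vm=self.addr_space,
                      targetType=self._struct_or_class("dictEntry"), count=fdict.count)

    for ent in ents:
        # '== None' is deliberate: volatility's NoneObject compares equal to None
        if ent == None or not ent.is_valid():
            continue

        # the dictionary key (the class name as an OSString) used to be read here
        # but was never used; the name yielded below comes from the OSMetaClass
        osmeta = obj.Object(self._struct_or_class("OSMetaClass"),
                            offset=ent.value.v(), vm=self.addr_space)
        cname = str(osmeta.className.dereference_as(self._struct_or_class("OSString")))

        if hasattr(osmeta, "metaClass"):
            arr_start = osmeta.metaClass.v()
        else:
            arr_start = obj.Object("Pointer", offset=osmeta.obj_offset, vm=self.addr_space)

        # walk the vtable slot by slot until the terminating zero entry.
        # NOTE(review): an unreadable slot comes back as a NoneObject; confirm
        # that it compares unequal to 0 or the walk would not stop there.
        offset = 0
        vptr = obj.Object("unsigned long", offset=arr_start, vm=self.addr_space)

        while vptr != 0:
            (module, handler_sym) = common.get_handler_name(kaddr_info, vptr)
            yield (cname, vptr, module, handler_sym)

            offset += vptr.size()
            vptr = obj.Object("unsigned long", offset=arr_start + offset, vm=self.addr_space)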
def calculate(self):
    """Enumerate the IOService notifiers registered in gNotifications.

    Yields (good, module, key, notifier, matches, handler) per notifier:
    ``handler`` is the compatHandler address when that pointer is non-zero,
    otherwise the regular handler address; ``good`` and ``module`` come from
    common.is_known_address_name() and say whether that address lies in the
    kernel or in a known kernel module, and which one; ``key`` is the
    notification type string; ``matches`` is self.get_matching(notifier).
    Entries and notifiers that cannot be read are skipped.
    """
    common.set_plugin_members(self)
    (known_addrs, known_kmods) = common.get_kernel_addrs(self)

    space = self.addr_space
    type_name = self._struct_or_class

    root_ptr = obj.Object("Pointer",
                          offset=common.get_cpp_sym("gNotifications", space.profile),
                          vm=space)
    notify_dict = root_ptr.dereference_as(type_name("OSDictionary"))

    entries = obj.Object('Array', offset=notify_dict.dictionary, vm=space,
                         targetType=type_name("dictEntry"),
                         count=notify_dict.count)

    # one dictionary entry per notification type
    for entry in entries:
        # '== None' rather than 'is None': volatility's NoneObject compares
        # equal to None without being the None singleton
        if entry == None or not entry.is_valid():
            continue

        notify_type = str(entry.key.dereference_as(type_name("OSString")))

        # the value is an ordered set of _IOServiceNotifier pointers
        ordered_set = entry.value.dereference_as(type_name("OSOrderedSet"))
        slot_ptrs = obj.Object('Array', offset=ordered_set.array, vm=space,
                               targetType='Pointer', count=ordered_set.count)

        for slot in slot_ptrs:
            notifier = slot.dereference_as(type_name("_IOServiceNotifier"))
            if notifier == None:
                continue

            matches = self.get_matching(notifier)

            # the callback that services this notification; it is expected to
            # live in the kernel or in a known IOKit driver for this kernel.
            # compatHandler, when set, takes precedence over handler.
            regular_handler = notifier.handler.v()
            compat_handler = notifier.compatHandler.v()
            handler = compat_handler or regular_handler

            (good, module) = common.is_known_address_name(handler, known_addrs, known_kmods)

            yield (good, module, notify_type, notifier, matches, handler)
def calculate(self):
    """Walk the IORegistry from gRegistryRoot and yield each entry's handler info.

    Yields the (key, handler, module, handler_sym) tuples produced by
    self.walk_reg_entry(), which is defined outside this block.  The
    handler-name lookup table is stored in the module-level ``kaddr_info``
    rather than passed along, presumably because walk_reg_entry reads it
    from there.
    """
    common.set_plugin_members(self)

    global kaddr_info
    kaddr_info = common.get_handler_name_addrs(self)

    profile = self.addr_space.profile
    root_ptr = obj.Object("Pointer",
                          offset = common.get_cpp_sym("gRegistryRoot", profile),
                          vm = self.addr_space)

    for entry in self.walk_reg_entry(root_ptr):
        (key, handler, module, handler_sym) = entry
        yield (key, handler, module, handler_sym)
def calculate(self):
    """Walk the IORegistry from gRegistryRoot and yield each entry's handler info.

    Yields the (key, handler, module, handler_sym) tuples produced by
    self.walk_reg_entry(), which is defined outside this block.  The
    handler-name lookup table is stored in the module-level ``kaddr_info``
    rather than passed along, presumably because walk_reg_entry reads it
    from there.
    """
    common.set_plugin_members(self)

    global kaddr_info
    kaddr_info = common.get_handler_name_addrs(self)

    space = self.addr_space
    root_addr = common.get_cpp_sym("gRegistryRoot", space.profile)
    root_ptr = obj.Object("Pointer", offset=root_addr, vm=space)

    for entry in self.walk_reg_entry(root_ptr):
        (key, handler, module, handler_sym) = entry
        yield (key, handler, module, handler_sym)
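def calculate(self):
    """Yield every OSKext object reachable from the kernel's sLoadedKexts array.

    sLoadedKexts is resolved from the profile's C++ symbols and dereferenced as
    an OSArray; each slot of its backing array (up to ``capacity``, not
    ``count``) is treated as a pointer to an OSKext, and only kexts that
    dereference and are valid are yielded.  debug.error() is called, which is
    expected to stop the plugin, when the OSArray type cannot be built from
    the profile.
    """
    common.set_plugin_members(self)

    saddr = common.get_cpp_sym("sLoadedKexts", self.addr_space.profile)
    p = obj.Object("Pointer", offset = saddr, vm = self.addr_space)
    kOSArr = obj.Object(self._struct_or_class("OSArray"), offset = p, vm = self.addr_space)

    # '== None' is deliberate: a failed read yields a volatility NoneObject,
    # which compares equal to None but is not the None singleton
    if kOSArr == None:
        debug.error("The OSArray_class type was not found in the profile. Please file a bug if you are running aginst Mac >= 10.7")

    # capacity rather than count: unused trailing slots are read as well and
    # filtered out by the validity check in the loop
    kext_arr = obj.Object(theType = "Array", targetType = "Pointer",
                          offset = kOSArr.array, count = kOSArr.capacity,
                          vm = self.addr_space)

    # the enumerate() index previously kept here was never used
    for kext_ptr in kext_arr:
        kext = kext_ptr.dereference_as(self._struct_or_class("OSKext"))
        if kext and kext.is_valid():
            yield kext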
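def calculate(self):
    """Walk sAllClassesDict and yield every vtable slot of each registered IOKit class.

    Each dictionary entry maps a class-name OSString to its OSMetaClass.  The
    vtable start is taken from ``metaClass`` when the profile has that member,
    otherwise from the pointer at the OSMetaClass's own offset.  Slots are
    read as unsigned longs until a zero entry, and each is resolved with
    common.get_handler_name(); the yielded tuple is
    (class name, slot value, module, handler symbol).
    """
    common.set_plugin_members(self)
    kaddr_info = common.get_handler_name_addrs(self)

    dict_ptr_addr = common.get_cpp_sym("sAllClassesDict", self.addr_space.profile)
    dict_addr = obj.Object("unsigned long", offset = dict_ptr_addr, vm = self.addr_space)
    fdict = obj.Object(self._struct_or_class("OSDictionary"),
                       offset = dict_addr.v(), vm = self.addr_space)

    ents = obj.Object('Array', offset = fdict.dictionary, vm = self.addr_space,
                      targetType = self._struct_or_class("dictEntry"), count = fdict.count)

    for ent in ents:
        # '== None' is deliberate: volatility's NoneObject compares equal to None
        if ent == None or not ent.is_valid():
            continue

        # the dictionary key (the class name as an OSString) used to be read here
        # but was never used; the name yielded below comes from the OSMetaClass
        osmeta = obj.Object(self._struct_or_class("OSMetaClass"),
                            offset = ent.value.v(), vm = self.addr_space)
        cname = str(osmeta.className.dereference_as(self._struct_or_class("OSString")))

        if hasattr(osmeta, "metaClass"):
            arr_start = osmeta.metaClass.v()
        else:
            arr_start = obj.Object("Pointer", offset = osmeta.obj_offset, vm = self.addr_space)

        # walk the vtable slot by slot until the terminating zero entry.
        # NOTE(review): an unreadable slot comes back as a NoneObject; confirm
        # that it compares unequal to 0 or the walk would not stop there.
        offset = 0
        vptr = obj.Object("unsigned long", offset = arr_start, vm = self.addr_space)

        while vptr != 0:
            (module, handler_sym) = common.get_handler_name(kaddr_info, vptr)
            yield (cname, vptr, module, handler_sym)

            offset += vptr.size()
            vptr = obj.Object("unsigned long", offset = arr_start + offset, vm = self.addr_space)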