def generator(self, data):
    """Yield one table row per thread of every process in ``data``.

    Each row is ``(0, [pid, comm, start_time, sched_pri, start_addr, label])``
    where ``start_addr`` is the thread's ``continuation`` address and ``label``
    is the most specific name ``common.get_handler_name`` gives for it: the
    symbol, else the owning module, else the process mapping path from
    ``proc.find_map_path``.
    """
    kaddr_info = common.get_handler_name_addrs(self)

    def describe(proc, addr):
        # Symbol beats module beats mapping path; whichever is truthy first.
        module, sym = common.get_handler_name(kaddr_info, addr)
        return sym or module or proc.find_map_path(addr)

    for proc in data:
        for thread in proc.threads():
            start_addr = thread.continuation
            yield (
                0,
                [
                    int(proc.p_pid),
                    str(proc.p_comm),
                    str(thread.start_time()),
                    int(thread.sched_pri),
                    Address(start_addr),
                    str(describe(proc, start_addr)),
                ],
            )
def render_text(self, outfd, data):
    """Write the per-thread table (PID, name, start time, priority, start
    function, function map) to ``outfd``.

    The ``Priority`` column is ``th.priority``; ``Function Map`` is the symbol
    resolved for the thread's ``continuation`` address, falling back to the
    module name and then to ``proc.find_map_path``.
    """
    common.set_plugin_members(self)
    columns = [
        ("PID", "8"),
        ("Name", "16"),
        ("Start Time", "32"),
        ("Priority", "6"),
        ("Start Function", "[addrpad]"),
        ("Function Map", ""),
    ]
    self.table_header(outfd, columns)
    kaddr_info = common.get_handler_name_addrs(self)
    for proc in data:
        for thread in proc.threads():
            start_addr = thread.continuation
            module, sym = common.get_handler_name(kaddr_info, start_addr)
            # Most specific name wins: symbol > module > mapping path.
            label = sym or module or proc.find_map_path(start_addr)
            self.table_row(outfd, proc.p_pid, proc.p_comm, thread.start_time(),
                           thread.priority, start_addr, label)
def render_text(self, outfd, data):
    """Write the per-thread table (PID, name, start time, priority, start
    function, function map) to ``outfd``.

    The ``Priority`` column is ``th.sched_pri``; ``Function Map`` is the
    symbol resolved for the thread's ``continuation`` address, falling back to
    the module name and then to ``proc.find_map_path``.
    """
    common.set_plugin_members(self)
    columns = [
        ("PID", "8"),
        ("Name", "16"),
        ("Start Time", "32"),
        ("Priority", "6"),
        ("Start Function", "[addrpad]"),
        ("Function Map", ""),
    ]
    self.table_header(outfd, columns)
    kaddr_info = common.get_handler_name_addrs(self)
    for proc in data:
        for thread in proc.threads():
            start_addr = thread.continuation
            module, sym = common.get_handler_name(kaddr_info, start_addr)
            # Most specific name wins: symbol > module > mapping path.
            label = sym or module or proc.find_map_path(start_addr)
            self.table_row(outfd, proc.p_pid, proc.p_comm, thread.start_time(),
                           thread.sched_pri, start_addr, label)
def render_text(self, outfd, data):
    """Write one row per listener of every scope in ``data``.

    Columns: listener offset, the scope's ``ks_identifier``, the listener's
    ``kll_idata``, the ``kll_callback`` address, and the module and symbol
    ``common.get_handler_name`` resolves for that callback.
    """
    common.set_plugin_members(self)
    self.table_header(
        outfd,
        [
            ("Offset", "[addrpad]"),
            ("Scope", "24"),
            ("IData", "[addrpad]"),
            ("Callback Addr", "[addrpad]"),
            ("Callback Mod", "24"),
            ("Callback Sym", ""),
        ],
    )
    kaddr_info = common.get_handler_name_addrs(self)
    for scope in data:
        scope_id = scope.ks_identifier
        for listener in scope.listeners():
            callback = listener.kll_callback.v()
            module, sym = common.get_handler_name(kaddr_info, callback)
            self.table_row(outfd, listener.v(), scope_id, listener.kll_idata,
                           callback, module, sym)
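def calculate(self):
    """Yield ``(class_name, table_entry, module, symbol)`` for every pointer
    in the per-class pointer table of each registered OSMetaClass.

    The walk starts at the ``sAllClassesDict`` OSDictionary, takes each
    entry's value as an ``OSMetaClass``, locates its table (the ``metaClass``
    member when the profile has it, else the first pointer of the object) and
    reads pointer-sized entries until a 0 entry is hit.  Each entry is
    resolved with ``common.get_handler_name``.

    Change: the dictionary key used to be dereferenced into an unused
    ``class_name`` local; that read is dropped (the reported name is the
    OSMetaClass's own ``className``).
    """
    common.set_plugin_members(self)
    kaddr_info = common.get_handler_name_addrs(self)
    space = self.addr_space

    dict_ptr_addr = common.get_cpp_sym("sAllClassesDict", space.profile)
    dict_addr = obj.Object("unsigned long", offset=dict_ptr_addr, vm=space)
    all_classes = obj.Object(self._struct_or_class("OSDictionary"),
                             offset=dict_addr.v(), vm=space)
    entries = obj.Object('Array', offset=all_classes.dictionary, vm=space,
                         targetType=self._struct_or_class("dictEntry"),
                         count=all_classes.count)

    for entry in entries:
        # ``== None`` kept deliberately: array items may be Volatility proxy
        # objects whose __eq__ handles None -- confirm before switching to ``is``.
        if entry == None or not entry.is_valid():
            continue
        osmeta = obj.Object(self._struct_or_class("OSMetaClass"),
                            offset=entry.value.v(), vm=space)
        cname = str(osmeta.className.dereference_as(
            self._struct_or_class("OSString")))

        # Presumably the class vtable (the original called entries "vptr");
        # older profiles lack ``metaClass`` and the table pointer is the
        # object's first word instead.
        if hasattr(osmeta, "metaClass"):
            table_start = osmeta.metaClass.v()
        else:
            table_start = obj.Object("Pointer", offset=osmeta.obj_offset, vm=space)

        offset = 0
        slot = obj.Object("unsigned long", offset=table_start, vm=space)
        # NOTE(review): the walk is terminated only by a 0 entry; it relies on
        # reads of unmapped memory yielding a falsy/zero object.  Confirm, or
        # cap the slot count, before running against untrusted images.
        while slot != 0:
            module, sym = common.get_handler_name(kaddr_info, slot)
            yield (cname, slot, module, sym)
            offset += slot.size()
            slot = obj.Object("unsigned long", offset=table_start + offset, vm=space)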
def calculate(self):
    """Yield ``(vfs_ptr, name, ptr, module, handler_sym)`` for the operation
    pointers produced by ``_walk_opv_desc`` and then ``_walk_vfstbllist``,
    both given the kernel address info from ``common.get_handler_name_addrs``.
    """
    common.set_plugin_members(self)
    kaddr_info = common.get_handler_name_addrs(self)
    walkers = (self._walk_opv_desc, self._walk_vfstbllist)
    for walk in walkers:
        for record in walk(kaddr_info):
            vfs_ptr, name, ptr, module, handler_sym = record
            yield (vfs_ptr, name, ptr, module, handler_sym)
def calculate(self):
    """Yield ``(vfs_ptr, name, ptr, module, handler_sym)`` for the operation
    pointers produced by ``_walk_opv_desc`` and then ``_walk_vfstbllist``,
    both given the kernel address info from ``common.get_handler_name_addrs``.
    """
    common.set_plugin_members(self)
    kaddr_info = common.get_handler_name_addrs(self)
    walkers = (self._walk_opv_desc, self._walk_vfstbllist)
    for walk in walkers:
        for record in walk(kaddr_info):
            vfs_ptr, name, ptr, module, handler_sym = record
            yield (vfs_ptr, name, ptr, module, handler_sym)
def calculate(self):
    """Walk the registry tree rooted at ``gRegistryRoot`` and yield
    ``(key, handler, module, handler_sym)`` for each entry ``walk_reg_entry``
    produces.

    ``kaddr_info`` is assigned as a module global rather than passed along --
    presumably because ``walk_reg_entry`` (defined elsewhere) reads it; confirm
    before changing it to a parameter.
    """
    common.set_plugin_members(self)
    global kaddr_info
    kaddr_info = common.get_handler_name_addrs(self)
    root_addr = common.get_cpp_sym("gRegistryRoot", self.addr_space.profile)
    root = obj.Object("Pointer", offset=root_addr, vm=self.addr_space)
    for record in self.walk_reg_entry(root):
        key, handler, module, handler_sym = record
        yield key, handler, module, handler_sym
def calculate(self):
    """Walk the registry tree rooted at ``gRegistryRoot`` and yield
    ``(key, handler, module, handler_sym)`` for each entry ``walk_reg_entry``
    produces.

    ``kaddr_info`` is assigned as a module global rather than passed along --
    presumably because ``walk_reg_entry`` (defined elsewhere) reads it; confirm
    before changing it to a parameter.
    """
    common.set_plugin_members(self)
    global kaddr_info
    kaddr_info = common.get_handler_name_addrs(self)
    root_addr = common.get_cpp_sym("gRegistryRoot", self.addr_space.profile)
    root = obj.Object("Pointer", offset=root_addr, vm=self.addr_space)
    for record in self.walk_reg_entry(root):
        key, handler, module, handler_sym = record
        yield key, handler, module, handler_sym
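def calculate(self):
    """Yield ``(cdevsw_entry_addr, device_path, member, ptr, module, symbol)``
    for every non-NULL operation pointer in the ``cdevsw`` entry of each
    device vnode.

    The table is ``_cdevsw`` with ``_nchrdev`` entries.  Device vnodes come
    from ``mac_list_files``; only ``v_type`` 3/4 (VBLK/VCHR) are kept and a
    leading ``/Macintosh HD`` is stripped from the path.  ``d_ttys`` and
    ``d_type`` are excluded from the member list since they are not
    operation pointers.

    Fix: the major-number check was ``major <= nchrdev``, which allowed
    ``cdevsw[nchrdev]`` -- one slot past the end of the table -- to be read
    and reported.  The upper bound is now exclusive.
    """
    common.set_plugin_members(self)
    space = self.addr_space
    profile = space.profile

    nchrdev = obj.Object("unsigned int", offset=profile.get_symbol("_nchrdev"), vm=space)
    cdevsw = obj.Object(
        theType="Array",
        targetType="cdevsw",
        offset=profile.get_symbol("_cdevsw"),
        vm=space,
        count=nchrdev,
    )
    kaddr_info = common.get_handler_name_addrs(self)

    # Every cdevsw member except the two data members is a candidate pointer.
    op_members = list(self.profile.types['cdevsw'].keywords["members"].keys())
    op_members.remove('d_ttys')
    op_members.remove('d_type')

    for vnode, path in mac_list_files.mac_list_files(self._config).calculate():
        if vnode.v_type.v() not in (3, 4):
            continue
        if path.startswith("/Macintosh HD"):
            path = path[13:]

        devnode = vnode.v_data.dereference_as("devnode")
        dev = devnode.dn_typeinfo.dev
        major = (dev >> 24) & 0xFF  # high byte of dev_t is the major number
        # Exclusive bound: the table has exactly nchrdev entries (0..nchrdev-1).
        if not (0 <= major < nchrdev):
            continue

        cdev = cdevsw[major]
        for member in op_members:
            ptr = getattr(cdev, member).v()
            if ptr == 0:
                continue
            module, sym = common.get_handler_name(kaddr_info, ptr)
            yield (cdev.v(), path, member, ptr, module, sym)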
def generator(self, data):
    """Yield one row per scope: offset, ``ks_identifier``, ``ks_idata``,
    listener count (as int), ``ks_callback`` address, and the module and
    symbol resolved for that callback."""
    kaddr_info = common.get_handler_name_addrs(self)
    for scope in data:
        callback = scope.ks_callback.v()
        module, sym = common.get_handler_name(kaddr_info, callback)
        listener_count = sum(1 for _ in scope.listeners())
        row = [
            Address(scope.v()),
            str(scope.ks_identifier),
            Address(scope.ks_idata),
            int(listener_count),
            Address(callback),
            str(module),
            str(sym),
        ]
        yield (0, row)
def generator(self, data):
    """Yield one row per scope: offset, ``ks_identifier``, ``ks_idata``,
    listener count (as str), ``ks_callback`` address, and the module and
    symbol resolved for that callback."""
    kaddr_info = common.get_handler_name_addrs(self)
    for scope in data:
        callback = scope.ks_callback.v()
        module, sym = common.get_handler_name(kaddr_info, callback)
        listener_count = sum(1 for _ in scope.listeners())
        row = [
            Address(scope.v()),
            str(scope.ks_identifier),
            Address(scope.ks_idata),
            str(listener_count),
            Address(callback),
            str(module),
            str(sym),
        ]
        yield (0, row)
def generator(self, data):
    """Yield one row per listener of every scope: listener offset, the
    scope's ``ks_identifier``, ``kll_idata``, the ``kll_callback`` address,
    and the module and symbol resolved for that callback."""
    kaddr_info = common.get_handler_name_addrs(self)
    for scope in data:
        scope_id = scope.ks_identifier
        for listener in scope.listeners():
            callback = listener.kll_callback.v()
            module, sym = common.get_handler_name(kaddr_info, callback)
            row = [
                Address(listener.v()),
                str(scope_id),
                Address(listener.kll_idata),
                Address(callback),
                str(module),
                str(sym),
            ]
            yield (0, row)
def generator(self, data):
    """Yield one row per listener of every scope: listener offset, the
    scope's ``ks_identifier``, ``kll_idata``, the ``kll_callback`` address,
    and the module and symbol resolved for that callback."""
    kaddr_info = common.get_handler_name_addrs(self)
    for scope in data:
        scope_id = scope.ks_identifier
        for listener in scope.listeners():
            callback = listener.kll_callback.v()
            module, sym = common.get_handler_name(kaddr_info, callback)
            row = [
                Address(listener.v()),
                str(scope_id),
                Address(listener.kll_idata),
                Address(callback),
                str(module),
                str(sym),
            ]
            yield (0, row)
def calculate(self):
    """Walk each CPU's ``rtclock_timer`` call queue and yield, per entry,
    ``(func, param0, param1, deadline, entry_time, module, handler_sym)``.

    ``_real_ncpus`` sizes the ``_cpu_data_ptr`` array.  Entries are followed
    through ``q_link.next``; the walk stops at the first ``func`` below 0x1000
    or equal to 0xffffffff00000000 (not treated as a code address), when the
    list wraps back to its first link, or when an already-visited link comes
    up again (guards against a looped list).  ``entry_time`` is -1 on profiles
    whose ``call_entry`` lacks that member.
    """
    common.set_plugin_members(self)
    kaddr_info = common.get_handler_name_addrs(self)
    space = self.addr_space
    profile = space.profile

    real_ncpus = obj.Object("int", offset=profile.get_symbol("_real_ncpus"), vm=space)
    cpu_data_ptrs = obj.Object(theType='Array',
                               offset=profile.get_symbol("_cpu_data_ptr"),
                               vm=space,
                               targetType="unsigned long long",
                               count=real_ncpus)

    for cpu in range(real_ncpus):
        cpu_data = obj.Object('cpu_data', offset=cpu_data_ptrs[cpu], vm=space)
        head_link = cpu_data.rtclock_timer.queue.head.next
        link = head_link
        visited = set()
        while link.is_valid():
            visited.add(link.v())
            entry = obj.Object("call_entry", offset=link.v(), vm=space)
            func = entry.func.v()
            # Sentinel / obviously-bad function pointers end the walk.
            if func < 0x1000 or func == 0xffffffff00000000:
                break
            module, sym = common.get_handler_name(kaddr_info, func)
            entry_time = entry.entry_time.v() if hasattr(entry, "entry_time") else -1
            yield func, entry.param0, entry.param1, entry.deadline, entry_time, module, sym
            link = entry.q_link.next
            # Wrap-around or revisit: stop so a cyclic list cannot spin forever.
            if link == head_link or link.v() in visited:
                break
def render_text(self, outfd, data):
    """Write one row per listener of every scope in ``data``.

    Columns: listener offset, the scope's ``ks_identifier``, the listener's
    ``kll_idata``, the ``kll_callback`` address, and the module and symbol
    ``common.get_handler_name`` resolves for that callback.
    """
    common.set_plugin_members(self)
    columns = [
        ("Offset", "[addrpad]"),
        ("Scope", "24"),
        ("IData", "[addrpad]"),
        ("Callback Addr", "[addrpad]"),
        ("Callback Mod", "24"),
        ("Callback Sym", ""),
    ]
    self.table_header(outfd, columns)
    kaddr_info = common.get_handler_name_addrs(self)
    for scope in data:
        scope_id = scope.ks_identifier
        for listener in scope.listeners():
            callback = listener.kll_callback.v()
            module, sym = common.get_handler_name(kaddr_info, callback)
            self.table_row(outfd, listener.v(), scope_id, listener.kll_idata,
                           callback, module, sym)
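def calculate(self):
    """Yield ``(class_name, table_entry, module, symbol)`` for every pointer
    in the per-class pointer table of each registered OSMetaClass.

    The walk starts at the ``sAllClassesDict`` OSDictionary, takes each
    entry's value as an ``OSMetaClass``, locates its table (the ``metaClass``
    member when the profile has it, else the first pointer of the object) and
    reads pointer-sized entries until a 0 entry is hit.  Each entry is
    resolved with ``common.get_handler_name``.

    Change: the dictionary key used to be dereferenced into an unused
    ``class_name`` local; that read is dropped (the reported name is the
    OSMetaClass's own ``className``).
    """
    common.set_plugin_members(self)
    kaddr_info = common.get_handler_name_addrs(self)
    space = self.addr_space

    dict_ptr_addr = common.get_cpp_sym("sAllClassesDict", space.profile)
    dict_addr = obj.Object("unsigned long", offset=dict_ptr_addr, vm=space)
    all_classes = obj.Object(self._struct_or_class("OSDictionary"),
                             offset=dict_addr.v(), vm=space)
    entries = obj.Object('Array', offset=all_classes.dictionary, vm=space,
                         targetType=self._struct_or_class("dictEntry"),
                         count=all_classes.count)

    for entry in entries:
        # ``== None`` kept deliberately: array items may be Volatility proxy
        # objects whose __eq__ handles None -- confirm before switching to ``is``.
        if entry == None or not entry.is_valid():
            continue
        osmeta = obj.Object(self._struct_or_class("OSMetaClass"),
                            offset=entry.value.v(), vm=space)
        cname = str(osmeta.className.dereference_as(
            self._struct_or_class("OSString")))

        # Presumably the class vtable (the original called entries "vptr");
        # older profiles lack ``metaClass`` and the table pointer is the
        # object's first word instead.
        if hasattr(osmeta, "metaClass"):
            table_start = osmeta.metaClass.v()
        else:
            table_start = obj.Object("Pointer", offset=osmeta.obj_offset, vm=space)

        offset = 0
        slot = obj.Object("unsigned long", offset=table_start, vm=space)
        # NOTE(review): the walk is terminated only by a 0 entry; it relies on
        # reads of unmapped memory yielding a falsy/zero object.  Confirm, or
        # cap the slot count, before running against untrusted images.
        while slot != 0:
            module, sym = common.get_handler_name(kaddr_info, slot)
            yield (cname, slot, module, sym)
            offset += slot.size()
            slot = obj.Object("unsigned long", offset=table_start + offset, vm=space)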
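def calculate(self):
    """Yield ``(cdevsw_entry_addr, device_path, member, ptr, module, symbol)``
    for every non-NULL operation pointer in the ``cdevsw`` entry of each
    device vnode.

    The table is ``_cdevsw`` with ``_nchrdev`` entries.  Device vnodes come
    from ``mac_list_files``; only ``v_type`` 3/4 (VBLK/VCHR) are kept and a
    leading ``/Macintosh HD`` is stripped from the path.  ``d_ttys`` and
    ``d_type`` are excluded from the member list since they are not
    operation pointers.

    Fixes: the major-number check was ``major <= nchrdev``, which allowed
    ``cdevsw[nchrdev]`` -- one slot past the end of the table -- to be read
    and reported; the upper bound is now exclusive.  The member list is also
    materialised with ``list()`` so ``remove`` works on a dict view too.
    """
    common.set_plugin_members(self)
    space = self.addr_space
    profile = space.profile

    nchrdev = obj.Object("unsigned int", offset=profile.get_symbol("_nchrdev"), vm=space)
    cdevsw = obj.Object(
        theType="Array",
        targetType="cdevsw",
        offset=profile.get_symbol("_cdevsw"),
        vm=space,
        count=nchrdev,
    )
    kaddr_info = common.get_handler_name_addrs(self)

    # Every cdevsw member except the two data members is a candidate pointer.
    op_members = list(self.profile.types['cdevsw'].keywords["members"].keys())
    op_members.remove('d_ttys')
    op_members.remove('d_type')

    for vnode, path in mac_list_files.mac_list_files(self._config).calculate():
        if vnode.v_type.v() not in (3, 4):
            continue
        if path.startswith("/Macintosh HD"):
            path = path[13:]

        devnode = vnode.v_data.dereference_as("devnode")
        dev = devnode.dn_typeinfo.dev
        major = (dev >> 24) & 0xFF  # high byte of dev_t is the major number
        # Exclusive bound: the table has exactly nchrdev entries (0..nchrdev-1).
        if not (0 <= major < nchrdev):
            continue

        cdev = cdevsw[major]
        for member in op_members:
            ptr = getattr(cdev, member).v()
            if ptr == 0:
                continue
            module, sym = common.get_handler_name(kaddr_info, ptr)
            yield (cdev.v(), path, member, ptr, module, sym)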
def render_text(self, outfd, data):
    """Write one row per scope in ``data``: offset, ``ks_identifier``,
    ``ks_idata``, number of listeners, ``ks_callback`` address, and the module
    and symbol ``common.get_handler_name`` resolves for that callback."""
    common.set_plugin_members(self)
    columns = [
        ("Offset", "[addrpad]"),
        ("Name", "24"),
        ("IData", "[addrpad]"),
        ("Listeners", "5"),
        ("Callback Addr", "[addrpad]"),
        ("Callback Mod", "24"),
        ("Callback Sym", ""),
    ]
    self.table_header(outfd, columns)
    kaddr_info = common.get_handler_name_addrs(self)
    for scope in data:
        callback = scope.ks_callback.v()
        module, sym = common.get_handler_name(kaddr_info, callback)
        listener_count = sum(1 for _ in scope.listeners())
        self.table_row(outfd, scope.v(), scope.ks_identifier, scope.ks_idata,
                       listener_count, callback, module, sym)
def generator(self, data):
    """Yield one table row per thread of every process in ``data``.

    Each row is ``(0, [pid, comm, start_time, priority, start_addr, label])``
    where ``priority`` is ``th.priority`` rendered as a string, ``start_addr``
    is the thread's ``continuation`` address and ``label`` is the most
    specific name ``common.get_handler_name`` gives for it: the symbol, else
    the owning module, else the process mapping path from
    ``proc.find_map_path``.
    """
    kaddr_info = common.get_handler_name_addrs(self)

    def describe(proc, addr):
        # Symbol beats module beats mapping path; whichever is truthy first.
        module, sym = common.get_handler_name(kaddr_info, addr)
        return sym or module or proc.find_map_path(addr)

    for proc in data:
        for thread in proc.threads():
            start_addr = thread.continuation
            row = [
                int(proc.p_pid),
                str(proc.p_comm),
                str(thread.start_time()),
                str(thread.priority),
                Address(start_addr),
                str(describe(proc, start_addr)),
            ]
            yield (0, row)