def pslist(self): """Volatility pslist plugin. @see volatility/plugins/taskmods.py """ log.debug("Executing Volatility pslist plugin on " "{0}".format(self.memdump)) self.__config() results = [] command = taskmods.PSList(self.config) for process in command.calculate(): new = { "process_name": str(process.ImageFileName), "process_id": int(process.UniqueProcessId), "parent_id": int(process.InheritedFromUniqueProcessId), "num_threads": str(process.ActiveThreads), "num_handles": str(process.ObjectTable.HandleCount), "session_id": str(process.SessionId), "create_time": str(process.CreateTime or ""), "exit_time": str(process.ExitTime or ""), } results.append(new) return dict(config={}, data=results)
def main(): if len(sys.argv) != 4: print "Usage: %s %s %s %s" % (sys.argv[0], "profile", "memdump", "targetprocname") sys.exit(1) registry.PluginImporter() config = conf.ConfObject() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = sys.argv[1] config.LOCATION = sys.argv[2] processes = taskmods.PSList(config) target = filter_by_name(processes, sys.argv[3]) # .text info imagebase, va, rawsize = get_text_section_info(target) if imagebase == None: print "[-] Error: probably wrong .text section name" sys.exit(1) text_start = imagebase + va text_end = imagebase + va + rawsize permissions = get_vad_protect_flags(target, text_start, text_end) print "0x%x-0x%x %s %s" % (text_start, text_end, permissions, TEXT_TAG) # dll info modules = get_dll_info(target) # printing dll info for name, info in modules.items(): dll_start = info[0] dll_end = info[0] + info[1] permissions = get_vad_protect_flags(target, dll_start, dll_end) print "0x%x-0x%x %s %s" % (dll_start, dll_end, permissions, name) # heap info hs = get_heap_info(target) # printing heap info for h in hs: heap_start = h.BaseAddress.v() heap_end = h.LastValidEntry.v() permissions = get_vad_protect_flags(target, heap_start, heap_end) print "0x%x-0x%x %s %s" % (h.BaseAddress, h.LastValidEntry, permissions, HEAP_TAG) # stack info tebs = get_stack_info(target) # printing stack info for t in tebs: stack_start = t.NtTib.StackBase.v() stack_end = t.NtTib.StackLimit.v() permissions = get_vad_protect_flags(target, stack_start, stack_end) print "0x%x-0x%x %s %s" % (stack_start, stack_end, permissions, STACK_TAG)
def find_elites(self): """ Find elite level implants using a distinctive shared memory region that the malware uses instead of a mutex""" infected_pids = [] process_names = {} display_indicators = [] p = handles.Handles(self._config) for handle in p.calculate(): pid, handle, object_type, name = handle if object_type == "Section": if re.match( "^[a-zA-Z0-9]{7,8}$", name ): # HT Implants map a 7/8 character shared memory section to use instead of a Mutex # Elite implants have two watermarks per PID, so neither PIDs nor watermarks are unique. infected_pids.append({ "pid": str(pid), "watermark": name, "confidence": 1, "implant_type": "Elite" }) # Now do post-processing of results if infected_pids: # Get a list of processes, so we can tie a name to a PID p = taskmods.PSList(self._config) for process in p.calculate(): process_names[str(process.UniqueProcessId)] = str( process.ImageFileName) deletelist = [] for i in infected_pids: ### Do Confidence correlation. ### # If we have both a 7 and an 8 character watermark, this makes it more certain it's a HT elite implant pid = i["pid"] watermark = i["watermark"] # Search through all the other infected pid/name combinations for a 7 char version of our 8 char watermark searchlist = infected_pids if len(watermark) == 8: for j in infected_pids: compare_pid = j["pid"] compare_watermark = j["watermark"] if len(compare_watermark) == 7 and compare_pid == pid: # We've found both a 7 char and 8 char version - we're more confident that this is HT i["confidence"] = i["confidence"] + 1 # Remove the shorter version from the list (attributable watermarks are 8 chars) deletelist.append(j) if i not in deletelist: # Now see if the watermark can be attributed if watermark in watermark_table: i["threat_actor"] = watermark_table[watermark] i["confidence"] = i[ "confidence"] + 1 # We've matched a Hacking Team client, we're pretty sure it's HT # Tie process name to PID if pid in process_names: i["process_name"] = process_names[pid] else: i["process_name"] = "Not Found" # If we've got more than one infected process, it's more likely that we've found a HT infection, and this is typical of an Elite level implant if len(infected_pids) > 1: i["confidence"] = i["confidence"] + 1 i["implant_type"] = "Elite/Soldier" # Now delete the PIDS in the delete list for j in deletelist: del infected_pids[infected_pids.index(j)] return infected_pids
registry.PluginImporter() config = conf.ConfObject() import volatility.commands as commands import volatility.addrspace as addrspace registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = "WinXPSP2x86" config.LOCATION = "file://%s" % memory_file import volatility.plugins.taskmods as taskmods p = taskmods.PSList(config) for process in p.calculate(): if str(process.ImageFileName) == "calc.exe": print("[*] Found calc.exe with PID %d" % process.UniqueProcessId) print("[*] Hunting for physical offsets...please wait.") address_space = process.get_process_address_space() pages = address_space.get_available_pages() for page in pages: physical = address_space.vtop(page[0]) if physical is not None: if slack_space is None: fd = open(memory_file, "r+")
shellCodeFd = open("cmeasure.bin", "rb") shellContents = shellCodeFd.read() shellCodeFd.close() sys.path.append("<*****PATH TO VOLATILITY******>") registry.PluginImporter() config = conf.ConfObject() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrsspace.BaseAddressSpace) config.parse_options() config.PROFILE = "<********PROFILE******>" config.LOCATION = "file://%s" % memory_file processes = taskmods.PSList(config) for process in processes.calculate(): if str(process.ImageFileName) == "calc.exe": print "[*] Found calc.exe with PID: %d" % process.UniqueProcessId print "[*] Hunting for physical offsets...Please wait" address_space = process.get_process_address_space() pages = address_space.get_available_pages() for page in pages: physical = address_space.vtop(page[0]) if physical is not None: if slack_space is None: fd = open(memory_file, "r+") fd.seek(physical) buff = fd.read(page[1]) try: