def determine_map(cls, module: interfaces.context.ModuleInterface) -> \ Dict[str, List[Tuple[int, int]]]: """Returns the virtual map from a windows kernel module.""" layer = module.context.layers[module.layer_name] if not isinstance(layer, intel.Intel): raise result: Dict[str, List[Tuple[int, int]]] = {} system_va_type = module.get_enumeration('_MI_SYSTEM_VA_TYPE') large_page_size = (layer.page_size** 2) // module.get_type("_MMPTE").size if module.has_symbol('MiVisibleState'): symbol = module.get_symbol('MiVisibleState') visible_state = module.object( object_type='pointer', offset=symbol.address, subtype=module.get_type('_MI_VISIBLE_STATE')).dereference() if hasattr(visible_state, 'SystemVaRegions'): for i in range(visible_state.SystemVaRegions.count): lookup = system_va_type.lookup(i) region_range = result.get(lookup, []) region_range.append( (visible_state.SystemVaRegions[i].BaseAddress, visible_state.SystemVaRegions[i].NumberOfBytes)) result[lookup] = region_range elif hasattr(visible_state, 'SystemVaType'): system_range_start = module.object( object_type="pointer", offset=module.get_symbol("MmSystemRangeStart").address) result = cls._enumerate_system_va_type( large_page_size, system_range_start, module, visible_state.SystemVaType) else: raise exceptions.SymbolError(None, module.name, "Required structures not found") elif module.has_symbol('MiSystemVaType'): system_range_start = module.object( object_type="pointer", offset=module.get_symbol("MmSystemRangeStart").address) symbol = module.get_symbol('MiSystemVaType') array_count = (0xFFFFFFFF + 1 - system_range_start) // large_page_size type_array = module.object(object_type='array', offset=symbol.address, count=array_count, subtype=module.get_type('char')) result = cls._enumerate_system_va_type(large_page_size, system_range_start, module, type_array) else: raise exceptions.SymbolError(None, module.name, "Required structures not found") return result
def _construct_ecrypt_array(self, array_start: int, count: int, \ cryptdll_types: interfaces.context.ModuleInterface) -> interfaces.context.ModuleInterface: """ Attempts to construct an array of _KERB_ECRYPT structures Args: array_start: starting virtual address of the array count: how many elements are in the array cryptdll_types: the reverse engineered types Returns: The instantiated array """ try: array = cryptdll_types.object( object_type="array", offset=array_start, subtype=cryptdll_types.get_type("_KERB_ECRYPT"), count=count, absolute=True) except exceptions.InvalidAddressException: vollog.debug( "Unable to construct cSystems array at given offset: {:x}". format(array_start)) array = None return array
def _find_array_with_pdb_symbols( self, cryptdll_symbols: str, cryptdll_types: interfaces.context.ModuleInterface, proc_layer_name: str, cryptdll_base: int ) -> Tuple[interfaces.objects.ObjectInterface, int, int, int]: """ Finds the CSystems array through use of PDB symbols Args: cryptdll_symbols: The symbols table from the PDB file cryptdll_types: The types from cryptdll binary analysis proc_layer_name: The lsass.exe process layer name cryptdll_base: Base address of cryptdll.dll inside of lsass.exe Returns: Tuple of: array: The cSystems array rc4HmacInitialize: The runtime address of the expected initialization function rc4HmacDecrypt: The runtime address of the expected decryption function """ cryptdll_module = self.context.module(cryptdll_symbols, layer_name=proc_layer_name, offset=cryptdll_base) rc4HmacInitialize = cryptdll_module.get_absolute_symbol_address( "rc4HmacInitialize") rc4HmacDecrypt = cryptdll_module.get_absolute_symbol_address( "rc4HmacDecrypt") count_address = cryptdll_module.get_symbol("cCSystems").address # we do not want to fail just because the count is not in memory # 16 was the size on samples I tested, so I chose it as the default try: count = cryptdll_types.object(object_type="unsigned long", offset=count_address) except exceptions.InvalidAddressException: count = 16 array_start = cryptdll_module.get_absolute_symbol_address("CSystems") array = self._construct_ecrypt_array(array_start, count, cryptdll_types) if array is None: vollog.debug( "The CSystem array is not present in memory. Stopping PDB based analysis." ) return array, rc4HmacInitialize, rc4HmacDecrypt
def _find_csystems_with_scanning( self, proc_layer_name: str, cryptdll_types: interfaces.context.ModuleInterface, cryptdll_base: int, cryptdll_size: int) -> List[interfaces.context.ModuleInterface]: """ Performs scanning to find potential RC4 HMAC csystem instances This function may return several values as it cannot validate which is the active one Args: proc_layer_name: the lsass.exe process layer name cryptdll_types: the types from cryptdll binary analysis cryptdll_base: base address of cryptdll.dll inside of lsass.exe cryptdll_size: size of the VAD Returns: A list of csystem instances """ csystems = [] cryptdll_end = cryptdll_base + cryptdll_size proc_layer = self.context.layers[proc_layer_name] ecrypt_size = cryptdll_types.get_type("_KERB_ECRYPT").size # scan for potential instances of RC4 HMAC # the signature is based on the type being 0x17 # and the block size member being 1 in all test samples for address in proc_layer.scan( self.context, scanners.BytesScanner(b"\x17\x00\x00\x00\x01\x00\x00\x00"), sections=[(cryptdll_base, cryptdll_size)]): # this occurs across page boundaries if not proc_layer.is_valid(address, ecrypt_size): continue kerb = cryptdll_types.object("_KERB_ECRYPT", offset=address, absolute=True) # ensure the Encrypt and Finish pointers are inside the VAD # these are not manipulated in the attack if (cryptdll_base < kerb.Encrypt < cryptdll_end) and \ (cryptdll_base < kerb.Finish < cryptdll_end): csystems.append(kerb) return csystems
def determine_extended_value( self, leaf_type: interfaces.objects.ObjectInterface, value: interfaces.objects.ObjectInterface, module: interfaces.context.ModuleInterface, length: int ) -> Tuple[str, interfaces.objects.ObjectInterface, int]: """Reads a value and potentially consumes more data to construct the value.""" excess = 0 if value >= leaf_type.LF_CHAR: sub_leaf_type = self.context.object( self.context.symbol_space.get_enumeration( leaf_type.vol.type_name), layer_name=leaf_type.vol.layer_name, offset=value.vol.offset) # Set the offset at just after the previous size type offset = value.vol.offset + value.vol.data_format.length if sub_leaf_type in [leaf_type.LF_CHAR]: value = module.object(object_type='char', offset=offset) elif sub_leaf_type in [leaf_type.LF_SHORT]: value = module.object(object_type='short', offset=offset) elif sub_leaf_type in [leaf_type.LF_USHORT]: value = module.object(object_type='unsigned short', offset=offset) elif sub_leaf_type in [leaf_type.LF_LONG]: value = module.object(object_type='long', offset=offset) elif sub_leaf_type in [leaf_type.LF_ULONG]: value = module.object(object_type='unsigned long', offset=offset) else: raise TypeError("Unexpected extended value type") excess = value.vol.data_format.length # Updated the consume/offset counters name = module.object(object_type="string", offset=value.vol.offset + value.vol.data_format.length) name_str = self.parse_string(name, leaf_type < leaf_type.LF_ST_MAX, size=length - excess) return name_str, value, excess
def consume_type( self, module: interfaces.context.ModuleInterface, offset: int, length: int ) -> Tuple[Tuple[ Optional[interfaces.objects.ObjectInterface], Optional[str], Union[ None, List, interfaces.objects.ObjectInterface]], int]: """Returns a (leaf_type, name, object) Tuple for a type, and the number of bytes consumed.""" leaf_type = self.context.object(module.get_enumeration("LEAF_TYPE"), layer_name=module._layer_name, offset=offset) consumed = leaf_type.vol.base_type.size remaining = length - consumed if leaf_type in [ leaf_type.LF_CLASS, leaf_type.LF_CLASS_ST, leaf_type.LF_STRUCTURE, leaf_type.LF_STRUCTURE_ST, leaf_type.LF_INTERFACE ]: structure = module.object(object_type="LF_STRUCTURE", offset=offset + consumed) name_offset = structure.name.vol.offset - structure.vol.offset name, value, excess = self.determine_extended_value( leaf_type, structure.size, module, remaining - name_offset) structure.size = value structure.name = name consumed += remaining result = leaf_type, name, structure elif leaf_type in [leaf_type.LF_MEMBER, leaf_type.LF_MEMBER_ST]: member = module.object(object_type="LF_MEMBER", offset=offset + consumed) name_offset = member.name.vol.offset - member.vol.offset name, value, excess = self.determine_extended_value( leaf_type, member.offset, module, remaining - name_offset) member.offset = value member.name = name result = leaf_type, name, member consumed += member.vol.size + len(name) + 1 + excess elif leaf_type in [ leaf_type.LF_ARRAY, leaf_type.LF_ARRAY_ST, leaf_type.LF_STRIDED_ARRAY ]: array = module.object(object_type="LF_ARRAY", offset=offset + consumed) name_offset = array.name.vol.offset - array.vol.offset name, value, excess = self.determine_extended_value( leaf_type, array.size, module, remaining - name_offset) array.size = value array.name = name result = leaf_type, name, array consumed += remaining elif leaf_type in [leaf_type.LF_ENUMERATE]: enum = module.object(object_type='LF_ENUMERATE', offset=offset + consumed) name_offset = enum.name.vol.offset - enum.vol.offset name, value, excess = self.determine_extended_value( leaf_type, enum.value, module, remaining - name_offset) enum.value = value enum.name = name result = leaf_type, name, enum consumed += enum.vol.size + len(name) + 1 + excess elif leaf_type in [leaf_type.LF_ARGLIST, leaf_type.LF_ENUM]: enum = module.object(object_type="LF_ENUM", offset=offset + consumed) name_offset = enum.name.vol.offset - enum.vol.offset name = self.parse_string(enum.name, leaf_type < leaf_type.LF_ST_MAX, size=remaining - name_offset) enum.name = name result = leaf_type, name, enum consumed += remaining elif leaf_type in [leaf_type.LF_UNION]: union = module.object(object_type="LF_UNION", offset=offset + consumed) name_offset = union.name.vol.offset - union.vol.offset name = self.parse_string(union.name, leaf_type < leaf_type.LF_ST_MAX, size=remaining - name_offset) result = leaf_type, name, union consumed += remaining elif leaf_type in [ leaf_type.LF_MODIFIER, leaf_type.LF_POINTER, leaf_type.LF_PROCEDURE ]: obj = module.object(object_type=leaf_type.lookup(), offset=offset + consumed) result = leaf_type, None, obj consumed += remaining elif leaf_type in [leaf_type.LF_FIELDLIST]: sub_length = remaining sub_offset = offset + consumed fields = [] while length > consumed: subfield, sub_consumed = self.consume_type( module, sub_offset, sub_length) sub_consumed += self.consume_padding(module.layer_name, sub_offset + sub_consumed) sub_length -= sub_consumed sub_offset += sub_consumed consumed += sub_consumed fields.append(subfield) result = leaf_type, None, fields elif leaf_type in [leaf_type.LF_BITFIELD]: bitfield = module.object(object_type="LF_BITFIELD", offset=offset + consumed) result = leaf_type, None, bitfield consumed += remaining elif leaf_type in [leaf_type.LF_STRING_ID, leaf_type.LF_FUNC_ID]: string_id = module.object(object_type=leaf_type.lookup(), offset=offset + consumed) name_offset = string_id.name.vol.offset - string_id.vol.offset name = self.parse_string(string_id.name, leaf_type < leaf_type.LF_ST_MAX, size=remaining - name_offset) result = leaf_type, name, string_id elif leaf_type in [ leaf_type.LF_UDT_SRC_LINE, leaf_type.LF_UDT_MOD_SRC_LINE ]: src_line = module.object(object_type=leaf_type.lookup(), offset=offset + consumed) result = leaf_type, None, src_line elif leaf_type in [leaf_type.LF_BUILDINFO]: buildinfo = module.object(object_type=leaf_type.lookup(), offset=offset + consumed) buildinfo.arguments.count = buildinfo.count consumed += buildinfo.arguments.vol.size result = leaf_type, None, buildinfo else: raise TypeError("Unhandled leaf_type: {}".format(leaf_type)) return result, consumed
def consume_type( self, module: interfaces.context.ModuleInterface, offset: int, length: int ) -> Tuple[Tuple[ Optional[interfaces.objects.ObjectInterface], Optional[str], Union[ None, List, interfaces.objects.ObjectInterface]], int]: """Returns a (leaf_type, name, object) Tuple for a type, and the number of bytes consumed.""" leaf_type = self.context.object(module.get_enumeration("LEAF_TYPE"), layer_name=module._layer_name, offset=offset) consumed = leaf_type.vol.base_type.size remaining = length - consumed type_handler, has_name, value_attribute = self.type_handlers.get( leaf_type.lookup(), ('LF_UNKNOWN', False, None)) if type_handler in ['LF_FIELDLIST']: sub_length = remaining sub_offset = offset + consumed fields = [] while length > consumed: subfield, sub_consumed = self.consume_type( module, sub_offset, sub_length) sub_consumed += self.consume_padding(module.layer_name, sub_offset + sub_consumed) sub_length -= sub_consumed sub_offset += sub_consumed consumed += sub_consumed fields.append(subfield) result = leaf_type, None, fields elif type_handler in ['LF_BUILDINFO']: parsed_obj = module.object(object_type=type_handler, offset=offset + consumed) parsed_obj.arguments.count = parsed_obj.count consumed += parsed_obj.arguments.vol.size result = leaf_type, None, parsed_obj elif type_handler in self.type_handlers: parsed_obj = module.object(object_type=type_handler, offset=offset + consumed) current_consumed = remaining if has_name: name_offset = parsed_obj.name.vol.offset - parsed_obj.vol.offset if value_attribute: name, value, excess = self.determine_extended_value( leaf_type, getattr(parsed_obj, value_attribute), module, remaining - name_offset) setattr(parsed_obj, value_attribute, value) current_consumed = parsed_obj.vol.size + len( name) + 1 + excess else: name = self.parse_string(parsed_obj.name, leaf_type < leaf_type.LF_ST_MAX, size=remaining - name_offset) parsed_obj.name = name else: name = None result = leaf_type, name, parsed_obj consumed += current_consumed else: raise TypeError(f"Unhandled leaf_type: {leaf_type}") return result, consumed