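    def execute(self):
        """Print the user and group SIDs held by every process's primary token.

        One line is printed per (process, SID) pair in the form
        ``name (pid): S-1-... (well-known name)``.  A process whose token, or
        one of whose SID entries, cannot be read out of the image is reported
        on its own line and skipped, so one damaged process no longer aborts
        the whole listing.  Every count that steers a loop or a read here is
        taken from the memory image, which is untrusted input, and is
        validated before it is used.
        """
        from vtypes import xpsp2types

        # Patch the shared type table so _EPROCESS.Token is parsed as an
        # _EX_FAST_REF at offset 0xc8.  This mutates xpsp2types for the whole
        # interpreter, not just for the profile built below.
        xpsp2types['_EPROCESS'][1]['Token'] = [0xc8, ['_EX_FAST_REF']]
        the_profile = Profile()
        the_profile.add_types(token_types)

        # A SID carries at most 15 sub-authorities (SID_MAX_SUB_AUTHORITIES in
        # the Windows SDK); a larger count means a corrupt structure, and must
        # not be allowed to size a read.
        max_subauths = 15
        sid_size = obj_size(token_types, '_SID_AND_ATTRIBUTES')

        def sid_to_string(sid, vm):
            """Return ``S-<rev>-<authority>-<sub>...`` for *sid*, or None if unreadable."""
            if not sid.is_valid():
                return None
            try:
                nsub = int(sid.SubAuthorityCount)
            except (TypeError, ValueError):
                return None
            if nsub < 0 or nsub > max_subauths:
                return None
            raw = vm.read(sid.get_member_offset('SubAuthority'), nsub * 4)
            # A failed or short read must never reach unpack().
            if raw is None or len(raw) != nsub * 4:
                return None
            subauths = unpack("<%dI" % nsub, raw)
            parts = (sid.Revision, sid.IdentifierAuthority.Value[-1]) + subauths
            return "S-" + "-".join(str(part) for part in parts)

        def sid_label(sid_string):
            """Return `` (name)`` for a well-known SID, else the empty string."""
            if sid_string in well_known_sids:
                return " (%s)" % well_known_sids[sid_string]
            matched = find_sid_re(sid_string, well_known_sid_re)
            return " (%s)" % matched if matched else ""

        (addr_space, symtab,
         types) = load_and_identify_image(self.op, self.opts)

        for proc_addr in process_list(addr_space, types, symtab):
            proc = Object("_EPROCESS", proc_addr, addr_space,
                          profile=the_profile)
            if not proc.Token.is_valid():
                name = process_imagename(addr_space, types, proc_addr)
                pid = process_pid(addr_space, types, proc_addr)
                # print(...) with one argument prints the same text under the
                # Python 2 print statement used elsewhere in this file.
                print("%s (%d): Token unreadable" % (name, pid))
                continue
            name = proc.ImageFileName
            pid = proc.UniqueProcessId.v()

            # The low three bits of an _EX_FAST_REF hold a reference count,
            # not address bits; mask them off to get the _TOKEN address.
            tok_addr = proc.Token.Value & ~0x7
            tok = Object('_TOKEN', tok_addr, proc.vm, None, profile=the_profile)
            if not tok.is_valid():
                print("%s (%d): Token unreadable" % (name, pid))
                continue
            try:
                group_count = int(tok.UserAndGroupCount)
            except (TypeError, ValueError):
                group_count = -1
            if group_count < 0:
                print("%s (%d): Token unreadable" % (name, pid))
                continue

            # UserAndGroups is walked as an array of _SID_AND_ATTRIBUTES
            # starting at the member's offset, one sid_size stride per entry.
            sid_addr = tok.UserAndGroups.offset
            for _ in range(group_count):
                entry = Object('_SID_AND_ATTRIBUTES', sid_addr, proc.vm, None,
                               profile=the_profile)
                sid_addr += sid_size
                sid_string = sid_to_string(entry.Sid.dereference_as('_SID'),
                                           proc.vm)
                if sid_string is None:
                    print("%s (%d): SID unreadable" % (name, pid))
                    continue
                print("%s (%d): %s%s" % (name, pid, sid_string,
                                         sid_label(sid_string)))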
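    def execute(self):
        """Print the user and group SIDs held by every process's primary token.

        Output is one line per (process, SID) pair:
        ``name (pid): S-1-... (well-known name)``.  Tokens and SID entries
        that cannot be read from the image are reported and skipped instead
        of raising out of the loop, and every count read from the image
        (untrusted input) is checked before it sizes a loop or a read.
        """
        from vtypes import xpsp2types

        # Process-wide patch of the shared type table: _EPROCESS.Token becomes
        # an _EX_FAST_REF at offset 0xc8.
        xpsp2types['_EPROCESS'][1]['Token'] = [0xc8, ['_EX_FAST_REF']]
        the_profile = Profile()
        the_profile.add_types(token_types)

        (addr_space, symtab, types) = load_and_identify_image(self.op,
                                                              self.opts)
        pslist = process_list(addr_space, types, symtab)

        # SID_MAX_SUB_AUTHORITIES (Windows SDK): any larger count is corruption.
        max_subauths = 15
        sid_size = obj_size(token_types, '_SID_AND_ATTRIBUTES')

        for proc_addr in pslist:
            proc = Object("_EPROCESS", proc_addr, addr_space, profile=the_profile)
            if not proc.Token.is_valid():
                name = process_imagename(addr_space, types, proc_addr)
                pid = process_pid(addr_space, types, proc_addr)
                print("%s (%d): Token unreadable" % (name, pid))
                continue
            name = proc.ImageFileName
            pid = proc.UniqueProcessId.v()

            # Drop the reference-count bits of the _EX_FAST_REF.
            tok = Object('_TOKEN', proc.Token.Value & ~0x7, proc.vm, None,
                         profile=the_profile)
            try:
                group_count = int(tok.UserAndGroupCount) if tok.is_valid() else -1
            except (TypeError, ValueError):
                group_count = -1
            if group_count < 0:
                print("%s (%d): Token unreadable" % (name, pid))
                continue

            sid_addr = tok.UserAndGroups.offset
            for _ in range(group_count):
                entry = Object('_SID_AND_ATTRIBUTES', sid_addr, proc.vm, None,
                               profile=the_profile)
                sid_addr += sid_size
                sid = entry.Sid.dereference_as('_SID')

                try:
                    nsub = int(sid.SubAuthorityCount) if sid.is_valid() else -1
                except (TypeError, ValueError):
                    nsub = -1
                raw = None
                if 0 <= nsub <= max_subauths:
                    raw = proc.vm.read(sid.get_member_offset('SubAuthority'),
                                       nsub * 4)
                # A failed or short read must not reach unpack().
                if raw is None or len(raw) != nsub * 4:
                    print("%s (%d): SID unreadable" % (name, pid))
                    continue
                subauths = unpack("<%dI" % nsub, raw)
                parts = (sid.Revision, sid.IdentifierAuthority.Value[-1]) + subauths
                sid_string = "S-" + "-".join(str(part) for part in parts)

                if sid_string in well_known_sids:
                    sid_name = " (%s)" % well_known_sids[sid_string]
                else:
                    matched = find_sid_re(sid_string, well_known_sid_re)
                    sid_name = " (%s)" % matched if matched else ""

                print("%s (%d): %s%s" % (name, pid, sid_string, sid_name))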
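    def execute(self):
        """List the SIDs of every process's primary token, to stdout or SQLite.

        With ``opts.outfd1`` unset, one line per (process, SID) pair is printed
        as ``name (pid): S-1-... (well-known name)``.  When ``opts.outfd1``
        names a SQLite database, rows go into a ``sids`` table (created if
        missing) instead, tagged with the lower-cased basename of the image
        file; the insert is parameterised, so SID and process names taken
        from the image are never spliced into SQL text.  Processes or SID
        entries that cannot be read are reported on stdout and skipped, and
        every count read from the untrusted image is validated before use.
        The connection is always closed, even if the walk raises.
        """
        op = self.op
        opts = self.opts
        dbout = opts.outfd1

        if (opts.filename is None) or (not os.path.isfile(opts.filename)):
            op.error("File is required")
            # op.error is expected to exit; never continue without a filename.
            return
        # Basename of the image under either path separator, lower-cased
        # because it is stored as a DB tag.
        imgname = opts.filename.replace("\\", "/").lower().rsplit("/", 1)[-1]

        conn = None
        cur = None
        if dbout is not None:
            conn = sqlite3.connect(dbout)
            cur = conn.cursor()
            # Idempotent, so no probe query / OperationalError dance is needed.
            cur.execute(
                "create table if not exists sids "
                "(pname text, pid integer, sid_string text, sid_name text, memimage text)"
            )
            conn.commit()

        from vtypes import xpsp2types

        # Process-wide patch of the shared type table: _EPROCESS.Token becomes
        # an _EX_FAST_REF at offset 0xc8.
        xpsp2types["_EPROCESS"][1]["Token"] = [0xC8, ["_EX_FAST_REF"]]
        the_profile = Profile()
        the_profile.add_types(token_types)

        # SID_MAX_SUB_AUTHORITIES (Windows SDK): a larger count is corruption.
        max_subauths = 15
        sid_size = obj_size(token_types, "_SID_AND_ATTRIBUTES")

        def sid_to_string(sid, vm):
            """Return ``S-<rev>-<authority>-<sub>...`` for *sid*, or None if unreadable."""
            if not sid.is_valid():
                return None
            try:
                nsub = int(sid.SubAuthorityCount)
            except (TypeError, ValueError):
                return None
            if nsub < 0 or nsub > max_subauths:
                return None
            raw = vm.read(sid.get_member_offset("SubAuthority"), nsub * 4)
            # A failed or short read must never reach unpack().
            if raw is None or len(raw) != nsub * 4:
                return None
            subauths = unpack("<%dI" % nsub, raw)
            parts = (sid.Revision, sid.IdentifierAuthority.Value[-1]) + subauths
            return "S-" + "-".join(str(part) for part in parts)

        def sid_label(sid_string):
            """Return ``(name)`` for a well-known SID; otherwise ``(none)`` in DB mode, else ``""``."""
            if sid_string in well_known_sids:
                return "(%s)" % well_known_sids[sid_string]
            matched = find_sid_re(sid_string, well_known_sid_re)
            if matched:
                return "(%s)" % matched
            return "(none)" if conn is not None else ""

        try:
            (addr_space, symtab, types) = load_and_identify_image(self.op, self.opts)

            for proc_addr in process_list(addr_space, types, symtab):
                proc = Object("_EPROCESS", proc_addr, addr_space, profile=the_profile)
                if not proc.Token.is_valid():
                    name = process_imagename(addr_space, types, proc_addr)
                    pid = process_pid(addr_space, types, proc_addr)
                    print("%s (%d): Token unreadable" % (name, pid))
                    continue
                name = proc.ImageFileName
                pid = proc.UniqueProcessId.v()

                # Drop the reference-count bits of the _EX_FAST_REF.
                tok = Object("_TOKEN", proc.Token.Value & ~0x7, proc.vm, None,
                             profile=the_profile)
                try:
                    group_count = int(tok.UserAndGroupCount) if tok.is_valid() else -1
                except (TypeError, ValueError):
                    group_count = -1
                if group_count < 0:
                    print("%s (%d): Token unreadable" % (name, pid))
                    continue

                sid_addr = tok.UserAndGroups.offset
                for _ in range(group_count):
                    entry = Object("_SID_AND_ATTRIBUTES", sid_addr, proc.vm, None,
                                   profile=the_profile)
                    sid_addr += sid_size
                    sid_string = sid_to_string(entry.Sid.dereference_as("_SID"),
                                               proc.vm)
                    if sid_string is None:
                        print("%s (%d): SID unreadable" % (name, pid))
                        continue
                    sid_name = sid_label(sid_string)

                    if conn is not None:
                        cur.execute(
                            "insert into sids values (?,?,?,?,?)",
                            (name.lower(), pid, sid_string, sid_name.lower(), imgname),
                        )
                    else:
                        print("%s (%d): %s %s" % (name, pid, sid_string, sid_name))

            if conn is not None:
                conn.commit()
        finally:
            if conn is not None:
                conn.close()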