def IOSFrames(coredumpFilename, filenameIOMEM, filenamePCAP, options):
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
print(oIOSCoreDump.error)
return
addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
if memoryHeap == None:
print('Heap region not found')
return
oIOSMemoryParserHeap = naft_impf.cIOSMemoryParser(memoryHeap)
oIOSMemoryParserHeap.ResolveNames(oIOSCoreDump)
dataIOMEM = naft_uf.File2Data(filenameIOMEM)
oIOSMemoryParserIOMEM = naft_impf.cIOSMemoryParser(dataIOMEM)
addressIOMEM = oIOSMemoryParserIOMEM.baseAddress
if addressIOMEM == None:
print('Error parsing IOMEM')
return
oFrames = naft_pfef.cFrames()
print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
for oIOSMemoryBlockHeader in oIOSMemoryParserHeap.Headers:
if oIOSMemoryBlockHeader.AllocNameResolved == '*Packet Header*':
frameAddress = struct.unpack('>I', oIOSMemoryBlockHeader.GetData()[40:44])[0]
frameSize = struct.unpack('>H', oIOSMemoryBlockHeader.GetData()[72:74])[0]
if frameAddress != 0 and frameSize != 0:
print(oIOSMemoryBlockHeader.ShowLine())
naft_uf.DumpBytes(dataIOMEM[frameAddress - addressIOMEM : frameAddress - addressIOMEM + frameSize], frameAddress)
oFrames.AddFrame(frameAddress - addressIOMEM, dataIOMEM[frameAddress - addressIOMEM : frameAddress - addressIOMEM + frameSize], True)
oFrames.WritePCAP(filenamePCAP)
def IOSRegions(coredumpFilename, options):
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
print(oIOSCoreDump.error)
else:
print('Start End Size Name')
for region in oIOSCoreDump.regions:
if region[2] != None:
print('0x%08X 0x%08X %10d %s' % (region[1], region[1] + region[2] - 1, region[2], region[0]))
if options.write:
naft_uf.Data2File(oIOSCoreDump.Region(region[0])[1], '%s-%s-0x%08X' % (coredumpFilename, region[0], region[1]))
else:
print('0x%08X %s %s' % (region[1], ' ' * 21, region[0]))
addressBSS, dataBSS = oIOSCoreDump.RegionBSS()
def IOSIntegrityText(coredumpFilename, options):
returnString = ''
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
returnString += (oIOSCoreDump.error)
return returnString
addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
if memoryHeap == None:
returnString += ('Heap region not found')
return returnString
oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
returnString += ('Check start magic:<br>')
hit = False
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
if oIOSMemoryBlockHeader.GetRawData(
)[0:4] != naft_impf.cCiscoMagic.STR_BLOCK_BEGIN:
returnString += (oIOSMemoryBlockHeader.ShowLine()) + '<br>'
hit = True
if not hit:
returnString += ('OK<br>')
returnString += ('Check end magic:<br>')
hit = False
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
if struct.unpack(
'>I',
oIOSMemoryBlockHeader.GetRawData()[-4:]
)[0] != naft_impf.cCiscoMagic.INT_BLOCK_CANARY and oIOSMemoryBlockHeader.RefCnt > 0:
returnString += (oIOSMemoryBlockHeader.ShowLine()) + '<br>'
hit = True
if not hit:
returnString += ('OK<br>')
returnString += ('Check previous block:<br>')
hit = False
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers[1:]:
if oIOSMemoryBlockHeader.PrevBlock == 0:
returnString += (oIOSMemoryBlockHeader.ShowLine()) + '<br>'
hit = True
if not hit:
returnString += ('OK<br>')
returnString += ('Check next block: <br>')
hit = False
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers[:-1]:
if oIOSMemoryBlockHeader.NextBlock == 0:
returnString += (oIOSMemoryBlockHeader.ShowLine()) + '<br>'
hit = True
if not hit:
returnString += ('OK<br>')
return returnString
def IOSCWStrings(coredumpFilename, options):
if options.raw:
coredump = naft_uf.File2Data(coredumpFilename)
if coredump == None:
print('Error reading file %s' % coredumpFilename)
else:
IOSCWStringsSub(coredump)
else:
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
print(oIOSCoreDump.error)
return
addressData, memoryData = oIOSCoreDump.RegionDATA()
if memoryData == None:
print('Data region not found')
return
IOSCWStringsSub(memoryData)
def IOSCWStrings(coredumpFilename, options):
if options.raw:
coredump = naft_uf.File2Data(coredumpFilename)
if coredump == None:
print('Error reading file %s' % coredumpFilename)
else:
IOSCWStringsSub(coredump)
else:
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
print(oIOSCoreDump.error)
return
addressData, memoryData = oIOSCoreDump.RegionDATA()
if memoryData == None:
print('Data region not found')
return
IOSCWStringsSub(memoryData)
def IOSRegions(coredumpFilename, options):
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
print(oIOSCoreDump.error)
else:
print('Start End Size Name')
for region in oIOSCoreDump.regions:
if region[2] != None:
print('0x%08X 0x%08X %10d %s' %
(region[1], region[1] + region[2] - 1, region[2],
region[0]))
if options.write:
naft_uf.Data2File(
oIOSCoreDump.Region(region[0])[1], '%s-%s-0x%08X' %
(coredumpFilename, region[0], region[1]))
else:
print('0x%08X %s %s' % (region[1], ' ' * 21, region[0]))
addressBSS, dataBSS = oIOSCoreDump.RegionBSS()
def FilterInitBlocksForString(coredumpFilename, searchTerm):
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
print(oIOSCoreDump.error)
return []
addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
if memoryHeap == None:
print('Heap region not found')
return []
oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
oIOSMemoryParser.ResolveNames(oIOSCoreDump)
found = []
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
if oIOSMemoryBlockHeader.AllocNameResolved == 'Init':
dStrings = naft_uf.SearchASCIIStrings(oIOSMemoryBlockHeader.GetData())
for value in dStrings.values():
if value.find(searchTerm) >= 0:
found.append(value)
return found
def IOSRegions(coredumpFilename):
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
returnString = ''
if oIOSCoreDump.error != '':
returnString += (oIOSCoreDump.error)
else:
returnString += ('Start End Size Name <br>')
for region in oIOSCoreDump.regions:
if region[2] != None:
returnString += ('0x%08X 0x%08X %10d %s <br>' %
(region[1], region[1] + region[2] - 1,
region[2], region[0]))
#if options.write:
# naft_uf.Data2File(oIOSCoreDump.Region(region[0])[1], '%s-%s-0x%08X' % (coredumpFilename, region[0], region[1]))
else:
returnString += ('0x%08X %s %s <br>' %
(region[1], ' ' * 21, region[0]))
addressBSS, dataBSS = oIOSCoreDump.RegionBSS()
return returnString
def IOSCWStrings(coredumpFilename):
returnString = ''
# if options.raw:
# coredump = naft_uf.File2Data(coredumpFilename)
# if coredump == None:
# print('Error reading file %s' % coredumpFilename)
# else:
# IOSCWStringsSub(coredump)
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
returnString += (oIOSCoreDump.error)
return
addressData, memoryData = oIOSCoreDump.RegionDATA()
if memoryData == None:
returnString += ('Data region not found')
return
returnString += IOSCWStringsSub(memoryData)
return returnString
def IOSIntegrityText(coredumpFilename, options):
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
print(oIOSCoreDump.error)
return
addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
if memoryHeap == None:
print('Heap region not found')
return
oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
print('Check start magic:')
hit = False
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
if oIOSMemoryBlockHeader.GetRawData()[0:4] != naft_impf.cCiscoMagic.STR_BLOCK_BEGIN:
print(oIOSMemoryBlockHeader.ShowLine())
hit = True
if not hit:
print('OK')
print('Check end magic:')
hit = False
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
if struct.unpack('>I', oIOSMemoryBlockHeader.GetRawData()[-4:])[0] != naft_impf.cCiscoMagic.INT_BLOCK_CANARY and oIOSMemoryBlockHeader.RefCnt > 0:
print(oIOSMemoryBlockHeader.ShowLine())
hit = True
if not hit:
print('OK')
print('Check previous block:')
hit = False
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers[1:]:
if oIOSMemoryBlockHeader.PrevBlock == 0:
print(oIOSMemoryBlockHeader.ShowLine())
hit = True
if not hit:
print('OK')
print('Check next block:')
hit = False
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers[:-1]:
if oIOSMemoryBlockHeader.NextBlock == 0:
print(oIOSMemoryBlockHeader.ShowLine())
hit = True
if not hit:
print('OK')
def FilterInitBlocksForString(coredumpFilename, searchTerm):
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
#print(oIOSCoreDump.error)
return []
addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
if memoryHeap == None:
print('Heap region not found')
return []
oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
oIOSMemoryParser.ResolveNames(oIOSCoreDump)
found = []
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
if oIOSMemoryBlockHeader.AllocNameResolved == 'Init':
dStrings = naft_uf.SearchASCIIStrings(
oIOSMemoryBlockHeader.GetData())
for value in dStrings.values():
if value.find(searchTerm) >= 0:
found.append(value)
return found
def IOSFrames(coredumpFilename, filenameIOMEM, filenamePCAP, options):
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
print(oIOSCoreDump.error)
return
addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
if memoryHeap == None:
print('Heap region not found')
return
oIOSMemoryParserHeap = naft_impf.cIOSMemoryParser(memoryHeap)
oIOSMemoryParserHeap.ResolveNames(oIOSCoreDump)
dataIOMEM = naft_uf.File2Data(filenameIOMEM)
oIOSMemoryParserIOMEM = naft_impf.cIOSMemoryParser(dataIOMEM)
addressIOMEM = oIOSMemoryParserIOMEM.baseAddress
if addressIOMEM == None:
print('Error parsing IOMEM')
return
oFrames = naft_pfef.cFrames()
print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
for oIOSMemoryBlockHeader in oIOSMemoryParserHeap.Headers:
if oIOSMemoryBlockHeader.AllocNameResolved == '*Packet Header*':
frameAddress = struct.unpack(
'>I',
oIOSMemoryBlockHeader.GetData()[40:44])[0]
frameSize = struct.unpack(
'>H',
oIOSMemoryBlockHeader.GetData()[72:74])[0]
if frameSize <= 1:
frameSize = struct.unpack(
'>H',
oIOSMemoryBlockHeader.GetData()[68:70])[0]
if frameAddress != 0 and frameSize != 0:
print(oIOSMemoryBlockHeader.ShowLine())
naft_uf.DumpBytes(
dataIOMEM[frameAddress - addressIOMEM:frameAddress -
addressIOMEM + frameSize], frameAddress)
oFrames.AddFrame(
frameAddress - addressIOMEM,
dataIOMEM[frameAddress - addressIOMEM:frameAddress -
addressIOMEM + frameSize], True)
oFrames.WritePCAP(filenamePCAP)
def IOSHeap(coredumpFilename, options):
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
print(oIOSCoreDump.error)
return
addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
if memoryHeap == None:
print('Heap region not found')
return
oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
if options.resolve or options.filter != '':
oIOSMemoryParser.ResolveNames(oIOSCoreDump)
if options.filter == '':
oIOSMemoryParser.Show()
else:
print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
if oIOSMemoryBlockHeader.AllocNameResolved == options.filter:
if not options.strings:
print(oIOSMemoryBlockHeader.ShowLine())
if options.strings:
dStrings = naft_uf.SearchASCIIStrings(oIOSMemoryBlockHeader.GetData())
if options.grep != '':
printHeader = True
for key, value in dStrings.items():
if value.find(options.grep) >= 0:
if printHeader:
print(oIOSMemoryBlockHeader.ShowLine())
printHeader = False
print(' %08X: %s' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value))
elif options.minimum == 0 or len(dStrings) >= options.minimum:
print(oIOSMemoryBlockHeader.ShowLine())
for key, value in dStrings.items():
print(' %08X: %s' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value))
if options.dump:
naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetData(), oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.headerSize)
def IOSCheckText(coredumpFilename, imageFilename, options):
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
print(oIOSCoreDump.error)
return
else:
textAddress, textCoredump = oIOSCoreDump.RegionTEXT()
if textCoredump == None:
print('Error extracting text region from coredump %s' % coredumpFilename)
return
sysdescrCoredump = ''
dataAddress, dataCoredump = oIOSCoreDump.RegionDATA()
if dataCoredump != None:
oCWStrings = naft_impf.cCiscoCWStrings(dataCoredump)
if oCWStrings.error == '' and 'CW_SYSDESCR' in oCWStrings.dCWStrings:
sysdescrCoredump = oCWStrings.dCWStrings['CW_SYSDESCR']
image = naft_uf.File2Data(imageFilename)
if image == None:
print('Error reading image %s' % imageFilename)
return
oIOSImage = naft_iipf.cIOSImage(image)
if oIOSImage.error != 0:
return
sysdescrImage = ''
if oIOSImage.oCWStrings != None and oIOSImage.oCWStrings.error == '' and 'CW_SYSDESCR' in oIOSImage.oCWStrings.dCWStrings:
sysdescrImage = oIOSImage.oCWStrings.dCWStrings['CW_SYSDESCR']
if sysdescrCoredump != '' or sysdescrImage != '':
if sysdescrCoredump == sysdescrImage:
print('CW_SYSDESCR are identical:\n')
print(sysdescrCoredump)
elif sysdescrCoredump == sysdescrImage.replace('-MZ', '-M', 1):
print('CW_SYSDESCR are equivalent:\n')
print(sysdescrCoredump)
else:
print('CW_SYSDESCR are different:\n')
print(sysdescrCoredump)
print
print(sysdescrImage)
print
oELF = naft_iipf.cELF(oIOSImage.imageUncompressed)
if oELF.error != 0:
print('ELF parsing error %d.' % oELF.error)
return
countSectionExecutableInstructions = 0
for oSectionHeader in oELF.sections:
if oSectionHeader.flags & 4: # SHF_EXECINSTR executable instructions
textSectionData = oSectionHeader.sectionData
countSectionExecutableInstructions += 1
if countSectionExecutableInstructions != 1:
print('Error executable sections in image: found %d sections, expected 1' % countSectionExecutableInstructions)
return
start = textAddress & 0xFF # to be further researched
textImage = textSectionData[start:start + len(textCoredump)]
if len(textCoredump) != len(textImage):
print('the text region is longer than the text section')
countBytesDifferent = 0
shortestLength = min(len(textCoredump), len(textImage))
for iIter in range(shortestLength):
if textCoredump[iIter] != textImage[iIter]:
if countBytesDifferent == 0:
print('text region and section are different starting 0x%08X in coredump (iter = 0x%08X)' % ((textAddress + iIter), iIter))
countBytesDifferent += 1
if countBytesDifferent == 0:
print('text region and section are identical')
else:
print('number of different bytes: %d (%.2f%%)' % (countBytesDifferent, (countBytesDifferent * 100.0) / shortestLength))
def IOSHeap(coredumpFilename, options):
global decoders
decoders = []
LoadDecoders(options.decoders, True)
returnString = ''
if options.yara != None:
if not 'yara' in sys.modules:
print('Error: option yara requires the YARA Python module.')
return returnString
rules = YARACompile(options.yara)
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
returnString += (oIOSCoreDump.error)
return returnString
addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
if memoryHeap == None:
returnString += ('Heap region not found')
return returnString
oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
if options.resolve or options.filter != '':
oIOSMemoryParser.ResolveNames(oIOSCoreDump)
if options.filter == '':
if options.write:
print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
print(oIOSMemoryBlockHeader.ShowLine())
naft_uf.Data2File(
oIOSMemoryBlockHeader.GetData(), '%s-heap-0x%08X.data' %
(coredumpFilename, oIOSMemoryBlockHeader.address))
elif options.yara:
print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
linePrinted = False
oDecoders = [cIdentity(oIOSMemoryBlockHeader.GetData(), None)]
for cDecoder in decoders:
try:
oDecoder = cDecoder(oIOSMemoryBlockHeader.GetData(),
options.decoderoptions)
oDecoders.append(oDecoder)
except Exception as e:
print('Error instantiating decoder: %s' %
cDecoder.name)
raise e
for oDecoder in oDecoders:
while oDecoder.Available():
for result in rules.match(data=oDecoder.Decode()):
if not linePrinted:
print(oIOSMemoryBlockHeader.ShowLine())
linePrinted = True
print(' YARA rule%s: %s' % (IFF(
oDecoder.Name() == '', '', ' (decoder: %s)' %
oDecoder.Name()), result.rule))
if options.yarastrings:
for stringdata in result.strings:
print(' %06x %s:' %
(stringdata[0], stringdata[1]))
print(' %s' %
binascii.hexlify(stringdata[2]))
print(' %s' % repr(stringdata[2]))
else:
returnString += oIOSMemoryParser.Show()
else:
returnString += (naft_impf.cIOSMemoryBlockHeader.ShowHeader) + '<br>'
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
if oIOSMemoryBlockHeader.AllocNameResolved == options.filter:
if not options.strings:
returnString += (oIOSMemoryBlockHeader.ShowLine()) + '<br>'
if options.strings:
dStrings = naft_uf.SearchASCIIStrings(
oIOSMemoryBlockHeader.GetData())
if options.grep != '':
printHeader = True
for key, value in dStrings.items():
if value.find(options.grep) >= 0:
if printHeader:
returnString += (oIOSMemoryBlockHeader.
ShowLine()) + '<br>'
printHeader = False
returnString += (
' %08X: %s<br>' %
(oIOSMemoryBlockHeader.address +
oIOSMemoryBlockHeader.BlockSize + key,
value))
elif options.minimum == 0 or len(
dStrings) >= options.minimum:
returnString += (
oIOSMemoryBlockHeader.ShowLine()) + '<br>'
for key, value in dStrings.items():
returnString += (
' %08X: %s<br>' %
(oIOSMemoryBlockHeader.address +
oIOSMemoryBlockHeader.BlockSize + key, value))
if options.dump:
naft_uf.DumpBytes(
oIOSMemoryBlockHeader.GetData(),
oIOSMemoryBlockHeader.address +
oIOSMemoryBlockHeader.headerSize)
if options.dumpraw:
naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetRawData(),
oIOSMemoryBlockHeader.address)
if options.write:
naft_uf.Data2File(
oIOSMemoryBlockHeader.GetData(),
'%s-heap-0x%08X.data' %
(coredumpFilename, oIOSMemoryBlockHeader.address))
return returnString
def IOSCheckText(coredumpFilename, imageFilename, options):
returnString = ''
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
returnString += (oIOSCoreDump.error) + '<br>'
return returnString
else:
textAddress, textCoredump = oIOSCoreDump.RegionTEXT()
if textCoredump == None:
returnString += (
'Error extracting text region from coredump %s<br>' %
coredumpFilename)
return returnString
sysdescrCoredump = ''
dataAddress, dataCoredump = oIOSCoreDump.RegionDATA()
if dataCoredump != None:
oCWStrings = naft_impf.cCiscoCWStrings(dataCoredump)
if oCWStrings.error == '' and 'CW_SYSDESCR' in oCWStrings.dCWStrings:
sysdescrCoredump = oCWStrings.dCWStrings['CW_SYSDESCR']
image = naft_uf.File2Data(imageFilename)
if image == None:
returnString += ('Error reading image %s' % imageFilename)
return returnString
oIOSImage = naft_iipf.cIOSImage(image)
if oIOSImage.error != 0:
return
sysdescrImage = ''
if oIOSImage.oCWStrings != None and oIOSImage.oCWStrings.error == '' and 'CW_SYSDESCR' in oIOSImage.oCWStrings.dCWStrings:
sysdescrImage = oIOSImage.oCWStrings.dCWStrings['CW_SYSDESCR']
if sysdescrCoredump != '' or sysdescrImage != '':
if sysdescrCoredump == sysdescrImage:
returnString += ('CW_SYSDESCR are identical:<br>')
returnString += (sysdescrCoredump) + '<br>'
elif sysdescrCoredump == sysdescrImage.replace('-MZ', '-M', 1):
returnString += ('CW_SYSDESCR are equivalent:<br>')
returnString += (sysdescrCoredump) + '<br>'
else:
returnString += ('CW_SYSDESCR are different:<br>')
returnString += (sysdescrCoredump) + '<br>'
returnString += '<br>'
returnString += (sysdescrImage) + '<br>'
returnString += '<br>'
oELF = naft_iipf.cELF(oIOSImage.imageUncompressed)
if oELF.error != 0:
returnString += ('ELF parsing error %d.' % oELF.error)
return returnString
countSectionExecutableInstructions = 0
countSectionSRELOC = 0
for oSectionHeader in oELF.sections:
if oSectionHeader.flags & 4: # SHF_EXECINSTR executable instructions
textSectionData = oSectionHeader.sectionData
countSectionExecutableInstructions += 1
if oSectionHeader.nameIndexString == 'sreloc':
countSectionSRELOC += 1
if countSectionExecutableInstructions != 1:
returnString += (
'Error executable sections in image: found %d sections, expected 1'
% countSectionExecutableInstructions)
return returnString
if countSectionSRELOC != 0:
returnString += (
'Error found %d sreloc section in image: checktext command does not support relocation'
% countSectionSRELOC)
return returnString
start = textAddress & 0xFF # to be further researched
textImage = textSectionData[start:start + len(textCoredump)]
if len(textCoredump) != len(textImage):
returnString += ('the text region is longer than the text section<br>')
returnString += ('len(textCoredump) = %d<br>' % len(textCoredump))
returnString += ('len(textImage) = %d<br>' % len(textImage))
countBytesDifferent = 0
shortestLength = min(len(textCoredump), len(textImage))
for iIter in range(shortestLength):
if textCoredump[iIter] != textImage[iIter]:
if countBytesDifferent == 0:
returnString += (
'text region and section are different starting 0x%08X in coredump (iter = 0x%08X)<br>'
% ((textAddress + iIter), iIter))
countBytesDifferent += 1
if countBytesDifferent == 0:
returnString += ('text region and section are identical <br>')
else:
returnString += ('number of different bytes: %d (%.2f%%)<br>' %
(countBytesDifferent,
(countBytesDifferent * 100.0) / shortestLength))
return returnString
def IOSHeap(coredumpFilename, options):
global decoders
decoders = []
LoadDecoders(options.decoders, True)
if options.yara != None:
if not 'yara' in sys.modules:
print('Error: option yara requires the YARA Python module.')
return
rules = YARACompile(options.yara)
oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
if oIOSCoreDump.error != '':
print(oIOSCoreDump.error)
return
addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
if memoryHeap == None:
print('Heap region not found')
return
oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
if options.resolve or options.filter != '':
oIOSMemoryParser.ResolveNames(oIOSCoreDump)
if options.filter == '':
if options.write:
print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
print(oIOSMemoryBlockHeader.ShowLine())
naft_uf.Data2File(oIOSMemoryBlockHeader.GetData(), '%s-heap-0x%08X.data' % (coredumpFilename, oIOSMemoryBlockHeader.address))
elif options.yara:
print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
linePrinted = False
oDecoders = [cIdentity(oIOSMemoryBlockHeader.GetData(), None)]
for cDecoder in decoders:
try:
oDecoder = cDecoder(oIOSMemoryBlockHeader.GetData(), options.decoderoptions)
oDecoders.append(oDecoder)
except Exception as e:
print('Error instantiating decoder: %s' % cDecoder.name)
raise e
for oDecoder in oDecoders:
while oDecoder.Available():
for result in rules.match(data=oDecoder.Decode()):
if not linePrinted:
print(oIOSMemoryBlockHeader.ShowLine())
linePrinted = True
print(' YARA rule%s: %s' % (IFF(oDecoder.Name() == '', '', ' (decoder: %s)' % oDecoder.Name()), result.rule))
if options.yarastrings:
for stringdata in result.strings:
print(' %06x %s:' % (stringdata[0], stringdata[1]))
print(' %s' % binascii.hexlify(stringdata[2]))
print(' %s' % repr(stringdata[2]))
else:
oIOSMemoryParser.Show()
else:
print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
if oIOSMemoryBlockHeader.AllocNameResolved == options.filter:
if not options.strings:
print(oIOSMemoryBlockHeader.ShowLine())
if options.strings:
dStrings = naft_uf.SearchASCIIStrings(oIOSMemoryBlockHeader.GetData())
if options.grep != '':
printHeader = True
for key, value in dStrings.items():
if value.find(options.grep) >= 0:
if printHeader:
print(oIOSMemoryBlockHeader.ShowLine())
printHeader = False
print(' %08X: %s' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value))
elif options.minimum == 0 or len(dStrings) >= options.minimum:
print(oIOSMemoryBlockHeader.ShowLine())
for key, value in dStrings.items():
print(' %08X: %s' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value))
if options.dump:
naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetData(), oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.headerSize)
if options.dumpraw:
naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetRawData(), oIOSMemoryBlockHeader.address)
if options.write:
naft_uf.Data2File(oIOSMemoryBlockHeader.GetData(), '%s-heap-0x%08X.data' % (coredumpFilename, oIOSMemoryBlockHeader.address))
