class DarwinLsof(common.AbstractDarwinCommand):
"""Walks open files of each proc in order and prints PID, FD and the handle.
Each process has an array of pointers to fileproc structs - the offset into
the array is the file descriptor and each fileproc struct represents a
handle on some resource. A type field in the fileproc determines the type
of the resource pointed to from the fileproc (e.g. vnode, socket, pipe...).
"""
name = "lsof"
table_header = plugin.PluginHeader(
dict(name="Process",
cname="proc",
type="proc",
columns=[
dict(name="Command", cname="command", width=16),
dict(name="PID", cname="pid", width=8),
dict(name="UID", cname="p_uid", width=8)
]), dict(name="FD", cname="fd", width=5),
dict(name="Handle", cname="fileproc", type="fileproc"))
def collect(self):
procs = self.session.plugins.collect("proc").collect()
for proc in sorted(procs, key=lambda proc: proc.pid):
for fd, fileproc, _ in proc.get_open_files():
yield (proc, fd, fileproc)
class DarwinDumpZone(common.AbstractDarwinCommand):
"""Dumps an allocation zone's contents."""
name = "dump_zone"
table_header = plugin.PluginHeader(
dict(name="Offset", cname="offset", style="address"),
dict(name="Data", cname="data", style="hexdump", width=34)
)
@classmethod
def args(cls, parser):
super(DarwinDumpZone, cls).args(parser)
parser.add_argument("--zone", default="buf.512")
def __init__(self, zone="buf.512", **kwargs):
super(DarwinDumpZone, self).__init__(**kwargs)
self.zone_name = zone
def collect(self):
zone = self.session.plugins.search(
"(select zone from zones() where zone.name == {zone_name}).zone",
query_parameters=dict(zone_name=self.zone_name),
silent=True
).first_result
if not zone:
raise ValueError("No such zone %r." % self.zone_name)
for offset in zone.known_offsets:
yield [offset, zone.obj_vm.read(offset, zone.elem_size)]
class ConnScan(tcpip_vtypes.TcpipPluginMixin, common.WinScanner,
common.AbstractWindowsCommandPlugin):
""" Scan Physical memory for _TCPT_OBJECT objects (tcp connections)
"""
__name = "connscan"
table_header = plugin.PluginHeader(
dict(name="Offset(P)", cname="offset_p", style="address"),
dict(name="Local Address",
cname="local_net_address",
align="l",
width=25),
dict(name="Remote Address",
cname="remote_net_address",
align="l",
width=25), dict(name="Pid", cname="pid", width=10, align="r"))
scanner_defaults = dict(scan_physical=True)
def column_types(self):
tcp_obj = self.tcpip_profile._TCPT_OBJECT()
return dict(offset_p=tcp_obj,
local_net_address="172.16.176.143:1034",
remote_net_address="131.107.115.254:80",
pid=tcp_obj.Pid)
@classmethod
def is_active(cls, session):
# These only work for XP.
return (super(ConnScan, cls).is_active(session)
and session.profile.metadata("major") == 5)
def collect(self):
"""Search the physical address space for _TCPT_OBJECTs.
Yields:
_TCPT_OBJECT instantiated on the physical address space.
"""
for run in self.generate_memory_ranges():
# The pool is managed by the kernel so we need to use the kernel's
# profile here.
scanner = PoolScanConnFast(session=self.session,
profile=self.profile,
address_space=run.address_space)
for pool_obj in scanner.scan(run.start, maxlen=run.length):
# The struct is allocated out of the pool (i.e. its not an
# object).
tcp_obj = self.tcpip_profile._TCPT_OBJECT(
vm=run.address_space,
offset=pool_obj.obj_offset + pool_obj.obj_size)
local = "{0}:{1}".format(tcp_obj.LocalIpAddress,
tcp_obj.LocalPort)
remote = "{0}:{1}".format(tcp_obj.RemoteIpAddress,
tcp_obj.RemotePort)
yield tcp_obj, local, remote, tcp_obj.Pid
def table_header(cls):
header = [dict(name="Process", width=40, cname="proc", type="proc")]
for method in cls.methods():
header.append(dict(name=method, cname=method, width=8))
return plugin.PluginHeader(*header)
def collect(self):
if self.plugin_args.producers_only:
pertinent_cls = plugin.Producer
else:
pertinent_cls = plugin.TypedProfileCommand
for plugin_cls in plugin.Command.classes.values():
if not plugin_cls.is_active(self.session):
continue
if not issubclass(plugin_cls, pertinent_cls):
continue
table_header = plugin_cls.table_header
if table_header:
if isinstance(table_header, list):
table_header = plugin.PluginHeader(*table_header)
try:
for t in table_header.types_in_output:
if (isinstance(t, type)
and self.plugin_args.type_name == t.__name__):
yield plugin_cls(session=self.session)
elif self.plugin_args.type_name == t:
yield plugin_cls(session=self.session)
except plugin.Error:
# We were unable to instantiate this plugin to figure out
# what it wants to emit. We did our best so move on.
continue
class SimpleYaraScan(YaraScanMixin, plugin.TypedProfileCommand,
plugin.PhysicalASMixin, plugin.ProfileCommand):
"""A Simple plugin which only yarascans the physical Address Space.
This plugin should not trigger profile autodetection and therefore should be
usable on any file at all.
"""
name = "simple_yarascan"
__args = [
plugin.CommandOption("start",
default=0,
type="IntParser",
help="Start searching from this offset."),
plugin.CommandOption("limit",
default=2**64,
type="IntParser",
help="The length of data to search."),
]
table_header = plugin.PluginHeader(
dict(name="Rule", width=10),
dict(name="Offset", style="address"),
dict(name="HexDump", cname="hexdump", hex_width=16, width=67),
)
PROFILE_REQUIRED = False
def collect(self):
"""Render output."""
count = 0
address_space = self.session.physical_address_space
for buffer_as in scan.BufferASGenerator(
self.session, address_space, self.plugin_args.start,
self.plugin_args.start + self.plugin_args.limit):
self.session.report_progress(
"Scanning buffer %#x->%#x (%#x)", buffer_as.base_offset,
buffer_as.end(),
buffer_as.end() - buffer_as.base_offset)
for match in self.rules.match(data=buffer_as.data):
for buffer_offset, _, _ in match.strings:
hit_offset = buffer_offset + buffer_as.base_offset
count += 1
if count >= self.plugin_args.hits:
break
yield (match.rule, hit_offset,
utils.HexDumpedString(
self.session.physical_address_space.read(
hit_offset - self.plugin_args.pre_context,
self.plugin_args.context +
self.plugin_args.pre_context)))
class DarwinBootParameters(common.AbstractDarwinCommand):
"""Prints the kernel command line."""
name = "boot_cmdline"
table_header = plugin.PluginHeader(
dict(name="Command Line", cname="cmdline", type="str"), )
def collect(self):
boot_args = self.profile.get_constant_object("_PE_state",
"PE_state").bootArgs
yield [boot_args.CommandLine.cast("String")]
class SimpleYaraScan(YaraScanMixin, plugin.TypedProfileCommand,
plugin.PhysicalASMixin, plugin.ProfileCommand):
"""A Simple plugin which only yarascans the physical Address Space.
This plugin should not trigger profile autodetection and therefore should be
usable on any file at all.
"""
name = "simple_yarascan"
__args = [
plugin.CommandOption("start",
default=0,
type="IntParser",
help="Start searching from this offset."),
plugin.CommandOption("limit",
default=2**64,
type="IntParser",
help="The length of data to search."),
]
table_header = plugin.PluginHeader(
dict(name="Rule", width=10),
dict(name="Offset", style="address"),
dict(name="HexDump", cname="hexdump", hex_width=16, width=67),
)
PROFILE_REQUIRED = False
def collect(self):
"""Render output."""
count = 0
scanner = BaseYaraASScanner(
session=self.session,
address_space=self.session.physical_address_space,
rules=self.rules)
for rule, address, _, _ in scanner.scan(offset=self.plugin_args.start,
maxlen=self.plugin_args.limit):
count += 1
if count >= self.plugin_args.hits:
break
yield (rule, address,
utils.HexDumpedString(
self.session.physical_address_space.read(
address - self.plugin_args.pre_context,
self.plugin_args.context +
self.plugin_args.pre_context)))
class DarwinTerminals(common.AbstractDarwinTypedCommand):
"""Lists open ttys."""
name = "terminals"
table_header = plugin.PluginHeader(
dict(name="Session",
type="session",
cname="session",
columns=[dict(name="Session ID", cname="s_sid")]),
dict(name="Terminal", type="tty", cname="tty"))
def collect(self):
for session in self.session.plugins.sessions().produce():
if session.s_ttyp:
yield [session, session.s_ttyp]
class DarwinPslist(common.ProcessFilterMixin, common.AbstractDarwinCommand):
name = "pslist"
table_header = plugin.PluginHeader(
dict(name="Process", width=40, cname="proc", type="proc"),
dict(name="Alive", width=8, cname="alive"),
dict(name="PPID", cname="ppid", width=6),
dict(name="UID", cname="uid", width=6),
dict(name="64-bit", cname="64bit", width=6),
dict(name="Start Time", cname="start_time", width=30, style="short"),
dict(name="CR3", cname="cr3", width=15, style="address"))
def collect(self):
for proc in self.filter_processes():
yield (proc, proc.obj_producers != {"dead_procs"}, proc.p_ppid,
proc.p_uid,
proc.task.map.pmap.pm_task_map == "TASK_MAP_64BIT",
proc.p_start.as_datetime(), proc.task.map.pmap.pm_cr3)
class Privileges(plugin.VerbosityMixIn, common.WinProcessFilter):
"""Prints process privileges."""
name = "privileges"
table_header = plugin.PluginHeader(dict(name="Process", type="_EPROCESS"),
dict(name="Value", width=3, align="r"),
dict(name="Privileges", width=40),
dict(name="Attributes", type="list"))
def collect(self):
privilege_table = self.session.GetParameter("privilege_table")
for task in self.filter_processes():
for value, flags in task.Token.GetPrivileges():
# By default skip the privileges that are not present.
if self.plugin_args.verbosity <= 1 and "Present" not in flags:
continue
yield (task, value, privilege_table.get(value), flags)
class DarwinPsTree(common.AbstractDarwinCommand):
name = "pstree"
table_header = plugin.PluginHeader(
dict(name="Depth", cname="depth", type="DepthIndicator", width=10),
dict(name="PID", cname="pid", width=6),
dict(name="PPID", cname="ppid", width=6),
dict(name="UID", cname="uid", width=6),
dict(name="Name", cname="name", width=30))
def collect(self):
# Get the first process from pslist.
first_proc = self.session.plugins.search(
"(select * from pslist() where proc.pid == 0).proc").first_result
for proc, depth in self.recurse_proc(first_proc, 0):
yield [depth, proc.pid, proc.p_ppid, proc.p_uid, proc.command]
def recurse_proc(self, proc, depth):
if proc.validate():
yield proc, depth
for child in proc.p_children.lh_first.p_sibling:
for subproc, subdepth in self.recurse_proc(child, depth + 1):
yield subproc, subdepth
class AddressResolverMixin(object):
"""The basic building block for constructing an address resolver plugin.
An address resolver maintains a collection of Modules and abstracts access
to specific symbol names within the modules.
Rekall uses a symbolic notation to refer to specific addresses within the
address space. The address resolver is responsible for parsing this notation
and resolving it to an actual address.
Rules of symbol syntax
======================
The address space is divided into "modules". A module has a name, a start
address and an end address. Modules can also contain a profile which knows
about symbols related to that module.
1. Module reference: The start address of a module can be refered to by its
name. e.g: "nt", "ntdll", "tcpip".
2. If a module contains a valid profile, the profile may also know about
symbols within the module. We can refer to these
symbols. e.g. "nt!MmGetIoSessionState"
3. If an exact symbol is not found, it can be referred to with an offset
from another symbol name. e.g. "nt!MmGetIoSessionState+5FE" (Note
integers are given in hex).
4. If the symbol is preceeded with a "*" - it means that the symbol is a
pointer. The address will be read as a pointer and the symbol name will
resolve to the address of the pointer's target.
"""
__args = [
dict(name="symbol",
type="ArrayString",
default=[],
help="List of symbols to lookup"),
]
table_header = plugin.PluginHeader(
dict(name="Symbol", width=20),
dict(name="Offset", width=20, style="address"),
)
# The name of the plugin.
name = "address_resolver"
# The format of a symbol name. Used by get_address_by_name().
ADDRESS_NAME_REGEX = re.compile(
r"(?P<deref>[*])?" # Pointer dereference.
r"((?P<address>0x[0-9A-Fa-f]+)|" # Alternative - Either an address, or,
r"(?P<module>[A-Za-z_0-9\.\\]+)" # Module name - can include extension
# (.exe, .sys)
r"!?" # ! separates module name from symbol
# name.
r"(?P<symbol>[^ +-]+)?" # Symbol name.
r")" # End alternative.
r"(?P<op> *[+-] *)?" # Possible arithmetic operator.
r"(?P<offset>[0-9a-fA-Fx]+)?") # Possible hex offset.
def __init__(self, **kwargs):
super(AddressResolverMixin, self).__init__(**kwargs)
self.reset()
def reset(self):
# A ranged collection of Module() objects.
self._address_ranges = utils.RangedCollection()
# A lookup between module names and the Module object itself.
self._modules_by_name = {}
self._initialized = False
def NormalizeModuleName(self, module_name):
if module_name is not None:
module_name = unicode(module_name)
module_name = re.split(r"[/\\]", module_name)[-1]
return module_name.lower()
def _EnsureInitialized(self):
"""Initialize this address resolver."""
def AddModule(self, module):
self._address_ranges.insert(module.start, module.end, module)
if module.name:
self._modules_by_name[module.name] = module
def _ParseAddress(self, name):
"""Parses the symbol from Rekall symbolic notation.
Raises:
TypeError if the expression has a syntax error.
Returns:
a dict containing the different components of the expression.
"""
m = self.ADDRESS_NAME_REGEX.match(name)
if m:
capture = m.groupdict()
if not capture.get("address"):
module = capture.get("module")
if not module:
raise TypeError("Module name not specified.")
capture["module"] = self.NormalizeModuleName(module)
if capture["op"] and not (capture["symbol"] or capture["address"]
or capture["module"]):
raise TypeError("Operator %s must have an operand." %
capture["op"])
if capture["op"] and not (capture["symbol"] or capture["address"]
or capture["module"]):
raise TypeError(
"Operator %s must operate on a symbol or address." %
capture["op"])
return capture
raise TypeError("Unable to parse %r as a symbol name" % name)
def modules(self):
self._EnsureInitialized()
for _, _, module in self._address_ranges:
yield module
def GetContainingModule(self, address):
"""Finds the module containing the specified address.
Returns:
A Module() instance.
"""
self._EnsureInitialized()
address = obj.Pointer.integer_to_address(address)
_, _, module = self._address_ranges.get_containing_range(address)
return module
def GetModuleByName(self, name):
self._EnsureInitialized()
return self._modules_by_name.get(self.NormalizeModuleName(name))
def GetAllModules(self):
self._EnsureInitialized()
return self._modules_by_name.values()
def get_constant_object(self, name, target=None, **kwargs):
"""Instantiate the named constant with these args.
This method is the main entry point for instantiating constants. It is
preferred than calling the profile's method of the same name directly
since it will be responsible with loading the right profile.
"""
self._EnsureInitialized()
# Parse the name
components = self._ParseAddress(name)
if not components["symbol"]:
raise ValueError("No symbol name specified.")
module = self._modules_by_name.get(components["module"])
if module is not None:
# Just delegate to the module's profile.
if module.profile:
return module.profile.get_constant_object(components["symbol"],
target=target,
**kwargs)
return obj.NoneObject("Profile for name %s unknown." % name, log=True)
def get_address_by_name(self, name):
"""Convert the symbol annotated by name to an address."""
self._EnsureInitialized()
try:
return int(name)
except (ValueError, TypeError):
pass
if not isinstance(name, basestring):
raise TypeError("Name should be a string.")
module = None
components = self._ParseAddress(name)
module_name = self.NormalizeModuleName(components["module"])
address = components["address"]
if address is not None:
address = int(address, 0)
# User did not specify an address
else:
module = self._modules_by_name.get(module_name)
if not module:
return obj.NoneObject("No module %s found" % module_name,
log=True)
# Found the module we use its base address
address = module.start
# Search for a symbol in the module.
symbol = components["symbol"]
if symbol:
# Get the profile for this module.
if module.profile:
address = module.profile.get_constant(symbol, is_address=True)
else:
return obj.NoneObject("No profile found for module", log=True)
# Support basic offset operations (+/-).
op = components["op"]
if op:
op = op.strip()
# Parse the offset as hex or decimal.
offset = int(components["offset"], 0)
if op == "+":
address += offset
elif op == "-":
address -= offset
else:
raise TypeError("Operator '%s' not supported" % op)
# If the symbol was a dereference, we need to read the address from
# this offset.
if components.get("deref"):
try:
address = module.profile.Pointer(address).v()
except AttributeError:
address = self.session.profile.Pointer(address).v()
return address
def format_address(self, address, max_distance=0x1000000):
"""Format the address as a symbol name.
This means to try and find the containing module, the symbol within the
module or possibly an offset from a known symbol. e.g.
nt!PspCidTable
nt!PspCidTable + 0x10
nt + 0x234
Returns a list of symbol names for the address. The list is empty if the
address is not in a containing module if the nearest known symbol is
farther than max_distance away.
"""
self._EnsureInitialized()
_, symbols = self.get_nearest_constant_by_address(
address, max_distance=max_distance)
return sorted(symbols)
def get_nearest_constant_by_address(self, address, max_distance=0x1000000):
"""Searches for a known symbol at an address lower than this.
Returns a tuple (nearest_offset, list of symbol names).
"""
self._EnsureInitialized()
address = obj.Pointer.integer_to_address(address)
symbols = []
module = self.GetContainingModule(address)
if not module or not module.name:
return (-1, [])
if module.profile != None:
offset, symbols = module.profile.get_nearest_constant_by_address(
address)
# Symbols not found at all, use module name.
if not symbols:
if address - module.start > max_distance:
return (-1, [])
if address == module.start:
return (module.start, [module.name])
return (module.start,
["%s+%#x" % (module.name, address - module.start)])
if address - offset > max_distance:
return (-1, [])
# Exact symbols found.
if offset == address:
return (offset, ["%s!%s" % (module.name, x) for x in symbols])
# Approximate symbol found, check if the profile knows its type.
for x in symbols:
if x in module.profile.constant_types:
type_name = self._format_type(module, x, address)
if type_name is not None:
return (offset, ["%s!%s" % (module.name, type_name)])
return (offset, [
"%s!%s+%#x" % (module.name, x, address - offset) for x in symbols
])
def _format_type(self, module, symbol, offset):
"""Use the type information to format the address within the struct."""
result = symbol
member_obj = module.profile.get_constant_object(symbol)
while offset > member_obj.obj_offset:
if isinstance(member_obj, obj.Struct):
members = [
getattr(member_obj, x, None) for x in member_obj.members
]
member_collection = utils.SortedCollection(
(x.obj_offset, x) for x in members)
member_offset, member_below = (
member_collection.get_value_smaller_than(offset))
# No member below this offset?
if member_offset is None:
result += "+%s" % (offset - member_obj.obj_offset)
break
result += ".%s" % member_below.obj_name
member_obj = member_below
elif isinstance(member_obj, obj.Array):
# Next lowest index is a whole number of items.
item = member_obj[0]
next_lowest_index = (offset -
member_obj.obj_offset) / item.obj_size
result += "[%s]" % next_lowest_index
member_obj = member_obj[next_lowest_index]
else:
result += "+%s" % (offset - member_obj.obj_offset)
break
return result
def search_symbol(self, pattern):
"""Searches symbols for the pattern.
pattern may contain wild cards (*). Note that currently a module name is
required. Example pattern:
nt!Ps*
"""
self._EnsureInitialized()
result = []
components = self._ParseAddress(pattern)
module_name = self.NormalizeModuleName(components["module"])
if module_name == None:
raise RuntimeError(
"Module name must be specified for symbol search.")
module = self._modules_by_name.get(module_name)
if module:
# Match all symbols.
symbol_regex = re.compile(components["symbol"].replace("*", ".*"))
if module.profile:
for constant in module.profile.constants:
if symbol_regex.match(constant):
result.append("%s!%s" % (module_name, constant))
return result
def collect(self):
for symbol in self.plugin_args.symbol:
yield symbol, self.get_address_by_name(symbol)
def table_header(cls): # pylint: disable=no-self-argument
header = [dict(name="socket", type="socket", width=60)]
for method in cls.methods():
header.append(dict(name=method, width=12))
return plugin.PluginHeader(*header)
class YaraScanMixin(plugin.TypedProfileCommand):
"""A common implementation of yara scanner.
This should be mixed with the process filter.
"""
name = "yarascan"
table_header = plugin.PluginHeader(
dict(name="Owner"),
dict(name="Rule", width=10),
dict(name="Offset", style="address"),
dict(name="HexDump", style="hexdump", hex_width=16),
dict(name="Symbol"),
)
@classmethod
def args(cls, parser):
super(YaraScanMixin, cls).args(parser)
parser.add_argument("--hits",
default=1E8,
type="IntParser",
help="Quit after finding this many hits.")
parser.add_argument("--string",
default=None,
help="A verbatim string to search for.")
parser.add_argument("--binary_string",
default=None,
help="A binary string (encoded as hex) to search "
"for. e.g. 000102[1-200]0506")
parser.add_argument("--yara_file",
default=None,
help="The yara signature file to read.")
parser.add_argument("--yara_expression",
default=None,
help="If provided we scan for this yara "
"expression.")
parser.add_argument(
"--scan_physical",
default=False,
type="Boolean",
help="If specified we scan the physcial address space. Note that "
"by default we scan the address space of the specified processes "
"(or if no process selectors are specified, the default AS).")
parser.add_argument("--start",
default=0,
type="IntParser",
help="Start searching from this offset.")
parser.add_argument("--context",
default=0x40,
type="IntParser",
help="Context to print after the hit.")
parser.add_argument("--pre_context",
default=0,
type="IntParser",
help="Context to print before the hit.")
parser.add_argument("--limit",
default=2**64,
help="The length of data to search.")
def __init__(self,
string=None,
scan_physical=False,
yara_file=None,
yara_expression=None,
binary_string=None,
hits=10,
context=0x40,
start=0,
limit=2**64,
pre_context=0,
**kwargs):
"""Scan using yara signatures."""
super(YaraScanMixin, self).__init__(**kwargs)
self.context = context
self.pre_context = pre_context
self.start = self.session.address_resolver.get_address_by_name(start)
self.end = self.start + limit
self.hits = hits
if yara_expression:
self.rules_source = yara_expression
self.rules = yara.compile(source=self.rules_source)
elif binary_string:
self.compile_rule('rule r1 {strings: $a = {%s} condition: $a}' %
binary_string)
elif string:
self.compile_rule('rule r1 {strings: $a = "%s" condition: $a}' %
string)
elif yara_file:
self.compile_rule(open(yara_file).read())
else:
raise plugin.PluginError("You must specify a yara rule file or "
"string to match.")
self.scan_physical = scan_physical
def compile_rule(self, rule):
self.rules_source = rule
try:
self.rules = yara.compile(source=rule)
except Exception as e:
raise plugin.PluginError("Failed to compile yara expression: %s" %
e)
def generate_hits(self, address_space, end=None):
count = 0
scanner = BaseYaraASScanner(profile=self.profile,
session=self.session,
address_space=address_space,
rules=self.rules)
for hit in scanner.scan(offset=self.start, maxlen=end):
yield hit
count += 1
if count >= self.hits:
break
def collect_scan_physical(self):
"""This method scans the physical memory."""
for rule, address, _, _ in self.generate_hits(
self.physical_address_space):
if address > self.end:
return
yield (None, rule, address,
utils.HexDumpedString(
self.physical_address_space.read(
address - self.pre_context,
self.context + self.pre_context)))
def collect_kernel_scan(self):
for rule, address, _, _ in self.generate_hits(
self.session.default_address_space):
if address > self.end:
return
symbol = self.session.address_resolver.format_address(address)
yield (None, rule, address,
utils.HexDumpedString(
self.session.default_address_space.read(
address - self.pre_context,
self.context + self.pre_context)), symbol)
def collect_task_scan(self, task):
"""Scan a task's address space."""
end = min(self.session.GetParameter("highest_usermode_address"),
self.end)
task_as = task.get_process_address_space()
for rule, address, _, _ in self.generate_hits(task_as, end=end):
if address > self.end:
return
symbol = self.session.address_resolver.format_address(address)
yield (task, rule, address,
utils.HexDumpedString(
task_as.read(address - self.pre_context,
self.context + self.pre_context)), symbol)
def collect(self):
"""Render output."""
cc = self.session.plugins.cc()
with cc:
if self.scan_physical:
for row in self.collect_scan_physical():
yield row
elif self.filtering_requested:
for task in self.filter_processes():
cc.SwitchProcessContext(task)
for row in self.collect_task_scan(task):
yield row
# We are searching the kernel address space
else:
for row in self.collect_kernel_scan():
yield row
class PSScan(common.WinScanner):
"""Scan Physical memory for _EPROCESS pool allocations.
Status flags:
E: A known _EPROCESS address from pslist.
P: A known pid from pslist.
"""
name = "psscan"
table_header = plugin.PluginHeader(
dict(name=' ', cname='allocated', width=1),
dict(name='_EPROCESS (P)', cname="offset_p", type="_EPROCESS"),
dict(name='Offset(V)', cname="offset_v", style="address"),
dict(name='PPID', cname="ppid", width=6, align="r"),
dict(name='PDB', cname="pdb", style="address"),
dict(name='Stat', cname='stat', width=4),
dict(name='Time created', cname="process_create_time", width=24),
dict(name='Time exited', cname="process_exit_time", width=24),
)
# Only bother to scan non paged pool by default.
scanner_defaults = dict(scan_kernel_nonpaged_pool=True)
def collect(self):
"""Render results in a table."""
# Try to do a regular process listing so we can compare if the process
# is known.
pslist = self.session.plugins.pslist()
# These are virtual addresses.
known_eprocess = set()
known_pids = set()
for task in pslist.list_eprocess():
known_eprocess.add(task)
known_pids.add(task.UniqueProcessId)
# Scan each requested run in turn.
for run in self.generate_memory_ranges():
# Just grab the AS and scan it using our scanner
scanner = PoolScanProcess(session=self.session,
profile=self.profile,
address_space=run.address_space)
for pool_obj, eprocess in scanner.scan(offset=run.start,
maxlen=run.length):
if run.data["type"] == "PhysicalAS":
# Switch address space from physical to virtual.
virtual_eprocess = (
pslist.virtual_process_from_physical_offset(eprocess))
else:
virtual_eprocess = eprocess
known = ""
if virtual_eprocess in known_eprocess:
known += "E"
if eprocess.UniqueProcessId in known_pids:
known += "P"
yield ('F' if pool_obj.FreePool else "", eprocess,
virtual_eprocess.obj_offset,
eprocess.InheritedFromUniqueProcessId,
eprocess.Pcb.DirectoryTableBase, known,
eprocess.CreateTime or '', eprocess.ExitTime or '')
class YaraScanMixin(object):
"""A common implementation of yara scanner.
This should be mixed with the OS specific Scanner (e.g. WinScanner) and
plugin.TypedProfileCommand.
"""
name = "yarascan"
table_header = plugin.PluginHeader(
dict(name="Owner", width=20),
dict(name="Rule", width=10),
dict(name="Offset", style="address"),
dict(name="HexDump", style="hexdump", hex_width=16),
dict(name="Context"),
)
__args = [
plugin.CommandOption("hits", default=10, type="IntParser",
help="Quit after finding this many hits."),
plugin.CommandOption("string", default=None,
help="A verbatim string to search for."),
plugin.CommandOption("binary_string", default=None,
help="A binary string (encoded as hex) to search "
"for. e.g. 000102[1-200]0506"),
plugin.CommandOption("yara_file", default=None,
help="The yara signature file to read."),
plugin.CommandOption("yara_expression", default=None,
help="If provided we scan for this yara "
"expression."),
plugin.CommandOption("context", default=0x40, type="IntParser",
help="Context to print after the hit."),
plugin.CommandOption("pre_context", default=0, type="IntParser",
help="Context to print before the hit."),
]
scanner_defaults = dict(
scan_physical=True
)
def __init__(self, *args, **kwargs):
"""Scan using yara signatures."""
super(YaraScanMixin, self).__init__(*args, **kwargs)
# Compile the yara rules in advance.
if self.plugin_args.yara_expression:
self.rules_source = self.plugin_args.yara_expression
self.rules = yara.compile(source=self.rules_source)
elif self.plugin_args.binary_string:
self.compile_rule(
'rule r1 {strings: $a = {%s} condition: $a}' %
self.plugin_args.binary_string)
elif self.plugin_args.string:
self.compile_rule(
'rule r1 {strings: $a = "%s" condition: $a}' %
self.plugin_args.string)
elif self.plugin_args.yara_file:
self.compile_rule(open(self.plugin_args.yara_file).read())
elif not self.ignore_required:
raise plugin.PluginError("You must specify a yara rule file or "
"string to match.")
def compile_rule(self, rule):
self.rules_source = rule
try:
self.rules = yara.compile(source=rule)
except Exception as e:
raise plugin.PluginError(
"Failed to compile yara expression: %s" % e)
def generate_hits(self, run):
scanner = BaseYaraASScanner(
session=self.session,
address_space=run.address_space,
rules=self.rules)
for hit in scanner.scan(offset=run.start, maxlen=run.length):
yield hit
def collect(self):
"""Render output."""
count = 0
for run in self.generate_memory_ranges():
for rule, address, _, _ in self.generate_hits(run):
count += 1
if count >= self.plugin_args.hits:
break
# Result hit the physical memory - Get some context on this hit.
if run.data.get("type") == "PhysicalAS":
rammap_plugin = self.session.plugins.rammap(
start=address, end=address+1)
symbol = rammap_plugin.summary()[0]
else:
symbol = self.session.address_resolver.format_address(
address)
yield (run.data.get("task") or run.data.get("type"),
rule, address,
utils.HexDumpedString(
run.address_space.read(
address - self.plugin_args.pre_context,
self.plugin_args.context +
self.plugin_args.pre_context)),
symbol)
