def render_scan_physical(self, renderer):
"""This method scans the physical memory."""
for rule, address, _, _ in self.generate_hits(
self.physical_address_space):
renderer.format("Rule: {0}\n", rule)
context = self.physical_address_space.read(address, 0x40)
utils.WriteHexdump(renderer, context, base=address)
def render(self, renderer):
for entity in self.session.entities.find(
query=("Buffer/purpose is 'zones' and "
"any Buffer/context matches "
" (AllocationZone/name is {zone_name})"),
query_params=dict(zone_name=self.zone_name)):
utils.WriteHexdump(renderer=renderer,
data=entity["Buffer/contents"],
base=entity["Buffer/address"][0])
def render_task_scan(self, renderer, task):
task_as = task.get_process_address_space()
for rule, address, _, _ in self.generate_hits(task_as):
renderer.format("Rule: {0}\n", rule)
renderer.format("Owner: {0}\n", task.ImageFileName)
context = task_as.read(address, 0x40)
utils.WriteHexdump(renderer, context, base=address)
def render_kernel_scan(self, renderer):
for rule, address, _, _ in self.generate_hits(
self.kernel_address_space):
renderer.format("Rule: {0}\n", rule)
owner = self.session.address_resolver.format_address(address)
if not owner:
owner = "Unknown"
renderer.format("Owner: {0}\n", owner)
context = self.kernel_address_space.read(address, 0x40)
utils.WriteHexdump(renderer, context, base=address)
def render_task_scan(self, renderer, task):
"""Scan a task's address space."""
end = self.session.GetParameter("highest_usermode_address")
task_as = task.get_process_address_space()
for rule, address, _, _ in self.generate_hits(task_as, end=end):
renderer.format("Rule: {0}\n", rule)
renderer.format(
"Owner: {0} ({1})\n", task,
self.session.address_resolver.format_address(address))
context = task_as.read(address, 0x40)
utils.WriteHexdump(renderer, context, base=address)
def render_task_scan_vad(self, renderer, task):
"""This method scans the process memory using the VAD."""
task_as = task.get_process_address_space()
scanner = VadYaraScanner(
session=self.session, rules=self.rules, task=task)
for rule, address, _, hit in scanner.scan():
renderer.format("Rule: {0}\n", rule)
renderer.format("Owner: {0}\n", task.ImageFileName)
context = task_as.read(address, 0x40)
utils.WriteHexdump(renderer, context, base=address)
def render_kernel_scan(self, renderer):
modules = self.session.plugins.modules()
for rule, address, _, _ in self.generate_hits(
self.kernel_address_space):
renderer.format("Rule: {0}\n", rule)
# Find out who owns this hit.
owner = modules.find_module(address)
if owner:
renderer.format("Owner: {0}\n", owner.BaseDllName)
else:
renderer.format("Owner: (Unknown Kernel Memory)\n")
context = self.kernel_address_space.read(address, 0x40)
utils.WriteHexdump(renderer, context, base=address)
def testEncoderCache(self):
# Make the string long enough so that parts of it are garbage
# collected. If the encoded uses id() to deduplicate it will fail since
# id() might reuse across GCed objects.
test_string = ("this_is_a_very_long_sentence" * 10)
parts = [
test_string[x:x + 16] for x in xrange(0, len(test_string), 16)
]
with data_export.DataExportRenderer(
session=self.session,
output=StringIO.StringIO()).start() as renderer:
utils.WriteHexdump(renderer, test_string)
rows = []
for row in renderer.data:
if row[0] == "r":
rows.append(row[1]["data"])
self.assertEqual(rows, parts)
def render_kernel_scan(self, renderer):
modules = self.session.plugins.lsmod()
for rule, address, _, hit in self.generate_hits(
self.kernel_address_space):
renderer.format("Rule: {0}\n", rule)
# Find out who owns this hit.
owner = modules.find_module(address)
if owner:
renderer.format("Owner: {0}\n", owner.name)
filename = "kernel.{0:#x}.{1:#x}.dmp".format(
owner.obj_offset, address)
else:
filename = "kernel.{0:#x}.dmp".format(address)
renderer.format("Owner: (Unknown Kernel Memory)\n")
context = self.kernel_address_space.read(address, 0x40)
utils.WriteHexdump(renderer, context, base=address)
def render(self, outfd):
for reg, key in self.find_count_keys():
if not key:
continue
outfd.write("----------------------------\n")
outfd.write("Registry: {0}\n".format(reg.Name))
outfd.write("Key path: {0}\n".format(key.Path))
outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
outfd.write("\n")
outfd.write("Subkeys:\n")
for subkey in key.subkeys():
outfd.write(" {0}\n".format(subkey.Name))
outfd.write("\n")
outfd.write("Values:\n")
for value in key.values():
# In windows 7, folder names are replaced by guids.
value_name = str(value.Name).decode("rot13")
value_name = self._resolve_gui_folders(value_name)
outfd.write("\n{0:13} {1:15} :\n".format(
value.Type, value_name))
# Decode the data
if value.Type == "REG_BINARY":
# Does this look like a userassist record?
if value.DataLength == self.ua_profile.get_obj_size(
"_VOLUSER_ASSIST_TYPES"):
# Use the specialized profile to instantiate this object.
uadata = self.ua_profile.Object(
"_VOLUSER_ASSIST_TYPES",
offset=value.Data,
vm=value.obj_vm)
self._render_assist_type(outfd, uadata)
# Show a hexdump of the value as well.
utils.WriteHexdump(outfd, value.DecodedData)
def render(self, renderer):
renderer.format("Legend: (S) = Stable (V) = Volatile\n\n")
for reg, key in self.list_keys():
self.session.report_progress("Printing %s",
lambda key=key: key.Path)
if key:
renderer.format("----------------------------\n")
renderer.format("Registry: {0}\n", reg.Name)
renderer.format("Key name: {0} {1} @ {2:addrpad}\n", key.Name,
self.voltext(key), key.obj_vm.vtop(int(key)))
renderer.format("Last updated: {0}\n", key.LastWriteTime)
renderer.format("\n")
renderer.format("Subkeys:\n")
for subkey in key.subkeys():
if not subkey.Name:
renderer.format(" Unknown subkey: {0}\n",
subkey.Name.reason)
else:
renderer.format(u" {1} {0}\n", subkey.Name,
self.voltext(subkey))
renderer.format("\n")
renderer.format("Values:\n")
for value in key.values():
renderer.format("{0:addrpad} ", value.obj_vm.vtop(value))
if value.Type == 'REG_BINARY':
data = value.DecodedData
if isinstance(data, basestring):
renderer.format(
u"{0:width=13} {1:width=15} : {2}\n",
value.Type, value.Name, self.voltext(value))
utils.WriteHexdump(renderer, value.DecodedData)
else:
renderer.format(
u"{0:width=13} {1:width=15} : {2} {3}\n",
value.Type, value.Name, self.voltext(value),
utils.SmartUnicode(value.DecodedData).strip())
def render(self, outfd):
for k, v in self.calculate():
outfd.write(k + "\n")
utils.WriteHexdump(outfd, v)
outfd.write("\n")
