def generator(self, data):
for reg, key in data:
if key:
subkeys = list(rawreg.subkeys(key))
values = list(rawreg.values(key))
yield (0, [
str("{0}".format(reg)),
str("{0}".format(key.Name)),
str("{0:3s}".format(self.voltext(key))),
str("{0}".format(key.LastWriteTime)), "-", "-", "-", "-",
"-", "-"
])
if subkeys:
for s in subkeys:
if s.Name == None:
yield (0, [
str("{0}".format(reg)),
str("{0}".format(key.Name)),
str("{0:3s}".format(self.voltext(key))),
str("{0}".format(key.LastWriteTime)),
str("Unknown subkey: {0}".format(
s.Name.reason)), "-", "-", "-", "-", "-"
])
else:
yield (0, [
str("{0}".format(reg)),
str("{0}".format(key.Name)),
str("{0:3s}".format(self.voltext(key))),
str("{0}".format(key.LastWriteTime)),
str("{0}".format(s.Name)),
str("{0:3s}".format(self.voltext(s))), "-",
"-", "-", "-"
])
if values:
for v in values:
tp, dat = rawreg.value_data(v)
if tp == 'REG_BINARY' or tp == 'REG_NONE':
dat = Bytes(dat)
if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
dat = dat.encode("ascii", 'backslashreplace')
if tp == 'REG_MULTI_SZ':
for i in range(len(dat)):
dat[i] = dat[i].encode("ascii",
'backslashreplace')
yield (0, [
str("{0}".format(reg)),
str("{0}".format(key.Name)),
str("{0:3s}".format(self.voltext(key))),
str("{0}".format(key.LastWriteTime)), "-", "-",
str(tp),
str("{0}".format(v.Name)),
str("{0:3s}".format(self.voltext(v))),
str(dat)
])
def generator(self, data):
if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
for o, addr, hit, content in data:
owner = "Owner: (Unknown Kernel Memory)"
if o == None:
filename = "kernel.{0:#x}.dmp".format(addr)
elif o.obj_name == "_EPROCESS":
owner = "{0}: (Pid {1})".format(o.ImageFileName,
o.UniqueProcessId)
filename = "process.{0:#x}.{1:#x}.dmp".format(
o.obj_offset, addr)
else:
owner = "{0}".format(o.BaseDllName)
filename = "kernel.{0:#x}.{1:#x}.dmp".format(
o.obj_offset, addr)
# Dump the data if --dump-dir was supplied
if self._config.DUMP_DIR:
path = os.path.join(self._config.DUMP_DIR, filename)
fh = open(path, "wb")
fh.write(content)
fh.close()
yield (0, [str(hit.rule), owner, Address(addr), Bytes(content)])
def generator(self, data):
if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
for task in data:
for vad, address_space in task.get_vads(
vad_filter=task._injection_filter):
if self._is_vad_empty(vad, address_space):
continue
content = address_space.zread(vad.Start, 64)
yield (0, [
str(task.ImageFileName),
int(task.UniqueProcessId),
Address(vad.Start),
str(vad.Tag),
str(
vadinfo.PROTECT_FLAGS.get(vad.VadFlags.Protection.v(),
"")),
str(vad.VadFlags),
Bytes(content)
])
# Dump the data if --dump-dir was supplied
if self._config.DUMP_DIR:
filename = os.path.join(
self._config.DUMP_DIR,
"process.{0:#x}.{1:#x}.dmp".format(
task.obj_offset, vad.Start))
self.dump_vad(filename, vad, address_space)
def generator(self, data):
for process, module, hook in data:
if not self._config.NO_WHITELIST:
process_name = ""
if process:
process_name = str(process.ImageFileName)
if self.whitelist(hook.hook_mode | hook.hook_type,
process_name, hook.VictimModule,
hook.HookModule, hook.Function):
continue
procname = "N/A"
pid = -1
if process:
procname = str(process.ImageFileName)
pid = int(process.UniqueProcessId)
for n, info in enumerate(hook.disassembled_hops):
(address, data) = info
yield (0, [str(hook.Mode),
str(hook.Type),
procname,
pid,
str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')),
Address(module.DllBase),
Hex(module.DllBase + module.SizeOfImage),
str(hook.Detail),
Address(hook.hook_address),
str(hook.HookModule),
Address(address),
Bytes(data)])
def generator(self, data):
for process, cert in data:
if cert.obj_name == "_X509_PUBLIC_CERT":
ext = ".crt"
else:
ext = ".key"
if process:
file_name = "{0}-{1:x}{2}".format(process.UniqueProcessId,
cert.obj_offset, ext)
else:
file_name = "phys.{0:x}{1}".format(cert.obj_offset, ext)
full_path = os.path.join(self._config.DUMP_DIR, file_name)
with open(full_path, "wb") as cert_file:
cert_file.write(cert.object_as_string())
parsed_subject = ""
if self._config.SSL:
openssl_string = cert.as_openssl(full_path)
parsed_subject = '/'.join(
[v[1] for v in self.get_parsed_fields(openssl_string)])
yield (0, [
int(process.UniqueProcessId if process else -1),
str(process.ImageFileName if process else "-"),
Address(cert.obj_offset),
str(cert.obj_name),
int(cert.Size),
str(file_name),
str(parsed_subject),
Bytes(cert.object_as_string())
])
def generator(self, data):
for key_type, key_name, key in data:
pem = PvkToPem().convert(key)
yield (0,
[str(key_type),
str(key_name),
Bytes(key),
str(pem).replace('\n', '\\n')])
def generator(self, data):
for process_name, pid, vad, vad_bytes in data:
scan_result, where = self.is_malicious(vad, vad_bytes)
if scan_result:
vad_protection = vadinfo.PROTECT_FLAGS.get(vad.VadFlags.Protection.v(), '')
yield (0, [str(process_name),
int(pid),
Address(vad.Start),
Address(vad.End),
str(vad.Tag),
str(vad_protection),
str(vad.VadFlags),
str(scan_result),
Bytes(vad_bytes[where:where+64])])
def generator(self, data):
for session, wndsta, clip, handle in data:
# If no tagCLIP is provided, we do not know the format
if not clip:
fmt = obj.NoneObject("Format unknown")
else:
# Try to get the format name, but failing that, print
# the format number in hex instead.
if clip.fmt.v() in consts.CLIPBOARD_FORMAT_ENUM:
fmt = str(clip.fmt)
else:
fmt = hex(clip.fmt.v())
# Try to get the handle from tagCLIP first, but
# fall back to using _HANDLEENTRY.phead. Note: this can
# be a value like DUMMY_TEXT_HANDLE (1) etc.
if clip:
handle_value = clip.hData
else:
handle_value = handle.phead.h
clip_data = ""
if handle:
try:
clip_data = ''.join(
[chr(c) for c in handle.reference_object().abData])
except AttributeError:
pass
yield (
0,
[
int(session.SessionId),
str(wndsta.Name),
str(fmt),
Hex(handle_value),
Address(handle.phead.v()),
Bytes(clip_data),
],
)
def generator(self, data):
for reg, key in data:
if key:
subkeys = list(rawreg.subkeys(key))
values = list(rawreg.values(key))
yield (
0,
[
f"{reg}",
f"{key.Name}",
f"{self.voltext(key):3s}",
f"{key.LastWriteTime}",
"-",
"-",
"-",
"-",
"-",
"-",
],
)
if subkeys:
for s in subkeys:
if s.Name == None:
yield (
0,
[
f"{reg}",
f"{key.Name}",
f"{self.voltext(key):3s}",
f"{key.LastWriteTime}",
f"Unknown subkey: {s.Name.reason}",
"-",
"-",
"-",
"-",
"-",
],
)
else:
yield (
0,
[
f"{reg}",
f"{key.Name}",
f"{self.voltext(key):3s}",
f"{key.LastWriteTime}",
f"{s.Name}",
f"{self.voltext(s):3s}",
"-",
"-",
"-",
"-",
],
)
if values:
for v in values:
tp, dat = rawreg.value_data(v)
if tp == 'REG_BINARY' or tp == 'REG_NONE':
dat = Bytes(dat)
if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
dat = dat.encode("ascii", 'backslashreplace')
if tp == 'REG_MULTI_SZ':
for i in range(len(dat)):
dat[i] = dat[i].encode("ascii",
'backslashreplace')
yield (
0,
[
f"{reg}",
f"{key.Name}",
f"{self.voltext(key):3s}",
f"{key.LastWriteTime}",
"-",
"-",
f"{tp}",
f"{v.Name}",
f"{self.voltext(v):3s}",
f"{dat}",
],
)
def generator(self, data):
if self._config.DISOFFSET:
dis = self._config.DISOFFSET
for offset, PARTITION_TABLE, boot_code in data:
entry1 = PARTITION_TABLE.Entry1.dereference_as('PARTITION_ENTRY')
entry2 = PARTITION_TABLE.Entry2.dereference_as('PARTITION_ENTRY')
entry3 = PARTITION_TABLE.Entry3.dereference_as('PARTITION_ENTRY')
entry4 = PARTITION_TABLE.Entry4.dereference_as('PARTITION_ENTRY')
have_bootable = entry1.is_bootable_and_used(
) or entry2.is_bootable_and_used() or entry3.is_bootable_and_used(
) or entry4.is_bootable_and_used()
if not self._config.NOCHECK and not have_bootable:
# it doesn't really make sense to have a partition that is bootable, but empty or invalid
# but we only skip MBRs with these types of partitions if we are checking
continue
distance = 0
h = hashlib.md5()
f = hashlib.md5()
h.update(self.code_data)
f.update(boot_code)
if self._config.HASH:
hash = "{0}".format(h.hexdigest())
if hash.lower() != self._config.HASH.lower():
continue
elif self._config.FULLHASH:
hash = "{0}".format(f.hexdigest())
if hash.lower() != self._config.FULLHASH.lower():
continue
if self.disk_mbr:
distance = self.levenshtein(
self._get_instructions(self.disk_mbr),
self._get_instructions(boot_code))
if self._config.MAXDISTANCE != None and distance > self._config.MAXDISTANCE:
continue
disksig = "{0:02x}-{1:02x}-{2:02x}-{3:02x}".format(
PARTITION_TABLE.DiskSignature[0],
PARTITION_TABLE.DiskSignature[1],
PARTITION_TABLE.DiskSignature[2],
PARTITION_TABLE.DiskSignature[3])
yield (0, [
Address(offset), disksig,
str(h.hexdigest()),
str(f.hexdigest()),
int(distance), "{0:#x} {1}".format(
entry1.get_value(entry1.BootableFlag),
"(Bootable)" if entry1.is_bootable() else ""),
"{0:#x} ({1})".format(entry1.get_value(entry1.PartitionType),
entry1.get_type()),
Hex(entry1.StartingLBA),
"Cylinder: {0} Head: {1} Sector: {2}".format(
entry1.StartingCylinder(), entry1.StartingCHS[0],
entry1.StartingSector()),
"Cylinder: {0} Head: {1} Sector: {2}".format(
entry1.EndingCylinder(), entry1.EndingCHS[0],
entry1.EndingSector()),
Hex(entry1.SizeInSectors), "{0:#x} {1}".format(
entry2.get_value(entry2.BootableFlag),
"(Bootable)" if entry2.is_bootable() else ""),
"{0:#x} ({1})".format(entry2.get_value(entry2.PartitionType),
entry2.get_type()),
Hex(entry2.StartingLBA),
"Cylinder: {0} Head: {1} Sector: {2}".format(
entry2.StartingCylinder(), entry2.StartingCHS[0],
entry2.StartingSector()),
"Cylinder: {0} Head: {1} Sector: {2}".format(
entry2.EndingCylinder(), entry2.EndingCHS[0],
entry2.EndingSector()),
Hex(entry2.SizeInSectors), "{0:#x} {1}".format(
entry3.get_value(entry3.BootableFlag),
"(Bootable)" if entry3.is_bootable() else ""),
"{0:#x} ({1})".format(entry3.get_value(entry3.PartitionType),
entry3.get_type()),
Hex(entry3.StartingLBA),
"Cylinder: {0} Head: {1} Sector: {2}".format(
entry3.StartingCylinder(), entry3.StartingCHS[0],
entry3.StartingSector()),
"Cylinder: {0} Head: {1} Sector: {2}".format(
entry3.EndingCylinder(), entry3.EndingCHS[0],
entry3.EndingSector()),
Hex(entry3.SizeInSectors), "{0:#x} {1}".format(
entry4.get_value(entry4.BootableFlag),
"(Bootable)" if entry4.is_bootable() else ""),
"{0:#x} ({1})".format(entry4.get_value(entry4.PartitionType),
entry4.get_type()),
Hex(entry4.StartingLBA),
"Cylinder: {0} Head: {1} Sector: {2}".format(
entry4.StartingCylinder(), entry4.StartingCHS[0],
entry4.StartingSector()),
"Cylinder: {0} Head: {1} Sector: {2}".format(
entry4.EndingCylinder(), entry4.EndingCHS[0],
entry4.EndingSector()),
Hex(entry4.SizeInSectors),
Bytes(boot_code)
])
def generator(self, data):
for reg, key in data:
if key:
subkeys = list(rawreg.subkeys(key))
values = list(rawreg.values(key))
yield (0, [str("{0}".format(reg)),
str("{0}".format(key.Name)),
str("{0:3s}".format(self.voltext(key))),
str("{0}".format(key.LastWriteTime)),
"-",
"-",
"-",
"-",
"-",
"-"])
if subkeys:
for s in subkeys:
if s.Name == None:
yield (0, [str("{0}".format(reg)),
str("{0}".format(key.Name)),
str("{0:3s}".format(self.voltext(key))),
str("{0}".format(key.LastWriteTime)),
str("Unknown subkey: {0}".format(s.Name.reason)),
"-",
"-",
"-",
"-",
"-"])
else:
yield (0, [str("{0}".format(reg)),
str("{0}".format(key.Name)),
str("{0:3s}".format(self.voltext(key))),
str("{0}".format(key.LastWriteTime)),
str("{0}".format(s.Name)),
str("{0:3s}".format(self.voltext(s))),
"-",
"-",
"-",
"-"])
if values:
for v in values:
tp, dat = rawreg.value_data(v)
if tp == 'REG_BINARY' or tp == 'REG_NONE':
dat = Bytes(dat)
if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
dat = dat.encode("ascii", 'backslashreplace')
if tp == 'REG_MULTI_SZ':
for i in range(len(dat)):
dat[i] = dat[i].encode("ascii", 'backslashreplace')
yield (0, [str("{0}".format(reg)),
str("{0}".format(key.Name)),
str("{0:3s}".format(self.voltext(key))),
str("{0}".format(key.LastWriteTime)),
"-",
"-",
str(tp),
str("{0}".format(v.Name)),
str("{0:3s}".format(self.voltext(v))),
str(dat)])
def generator(self, data):
for k in data:
yield (0, [str(k), Bytes(data[k])])