def _init_cuckoo(self, os_name, arch, major): # get profile for target ? # get the platform # get the proc name for pid x if os_name == "windows": os_name = '' if major == 5.1: os_name = 'winxp' elif major == 6.1: os_name = 'win7' # if arch == u'I386': self._target = target.TargetPlatform.make_target_win_32( os_name) else: self._target = target.TargetPlatform.make_target_win_64( os_name) else: if arch == u'I386': self._target = target.TargetPlatform.make_target_linux_32() else: self._target = target.TargetPlatform.make_target_linux_64() log.debug("target: %s", self._target) # Use a folder name for its cache later on h_name = self.filename + ".d" memory_handler = base.MemoryHandler(self.mappings, self._target, h_name) self._memory_handler = memory_handler
def _do_haystack(self, task): pid = task.UniqueProcessId my_mappings = [] # get the mappings address_space = task.get_process_address_space() for vad in task.VadRoot.traverse(): # print type(vad) if vad is None: continue offset = vad.obj_offset start = vad.Start end = vad.End tag = vad.Tag flags = str(vad.u.VadFlags) perms = hvol.PERMS_PROTECTION[vad.u.VadFlags.Protection.v() & 7] pathname = '' if vad.u.VadFlags.PrivateMemory == 1 or not vad.ControlArea: pathname = '' elif vad.FileObject: pathname = str(vad.FileObject.FileName or '') pmap = hvol.VolatilityProcessMappingA(address_space, start, end, permissions=perms, pathname=pathname) my_mappings.append(pmap) # now build the memory_handler # get the platform profile = None my_target = None if 'WinXP' in self.config.PROFILE: profile = 'winxp' elif 'Win7' in self.config.PROFILE: profile = 'win7' else: raise ValueError('Profile %s not supported' % self.config.PROFILE) if 'x86' in self.config.PROFILE: my_target = target.TargetPlatform.make_target_win_32(profile) elif 'x64' in self.config.PROFILE: my_target = target.TargetPlatform.make_target_win_64(profile) # create a memory handler dumpname = '%s_%d' % (self.config.LOCATION.split('/')[-1], pid) memory_handler = base.MemoryHandler(my_mappings, my_target, dumpname) for res in self.make_results(pid, memory_handler): yield res
def _init_memfile(memfile, baseOffset): size = os.fstat(memfile.fileno()).st_size if size > haystack.MAX_MAPPING_SIZE_FOR_MMAP: mem = FileBackedMemoryMapping( memfile, baseOffset, baseOffset + size) # is that valid ? log.warning( 'Dump file size is big. Using file backend memory mapping. Its gonna be slooow') else: mem = MemoryDumpMemoryMapping( memfile, baseOffset, baseOffset + size) # is that valid ? mappings = base.MemoryHandler([mem], memfile.name) return mappings
def _init_mappings(self, construct_data): content_file = open(self.filename, 'rb') fsize = os.path.getsize(self.filename) mmap_content = mmap.mmap(content_file.fileno(), fsize, access=mmap.ACCESS_READ) log.debug("fsize: %d", fsize) maps = [] # # get the named modules named_modules = {} for directory in construct_data.MINIDUMP_DIRECTORY: if directory.StreamType == 'ModuleListStream': for _range in directory.DirectoryData.MINIDUMP_MODULE: start = _range.BaseOfImage size = _range.SizeOfImage for page_start in range(start, start + size, 0x1000): named_modules[page_start] = (size, _range.ModuleName) # BUG ? # the last mapping is sometimes incomplete, and seems to be the PE file. for directory in construct_data.MINIDUMP_DIRECTORY: if directory.StreamType == 'Memory64ListStream': #print directory #print directory.DirectoryData.NumberOfMemoryRanges, "mappings" offset = directory.DirectoryData.BaseRva map_offset = offset prev_size = 0 for _range in directory.DirectoryData.MINIDUMP_MEMORY_DESCRIPTOR64: map_offset += prev_size start = _range.StartOfMemoryRange size = _range.DataSize if map_offset + size > fsize: log.error( 'BAD FILE: reducing mapping 0x%x-0x%x size 0x%x -> 0x%x bytes', start, start + size, size, fsize - map_offset) size = fsize - map_offset end = start + size log.debug("0x%x-0x%x size:0x%x offset_in_file:0x%x", start, start + size, size, map_offset) ## BUG FIXME, offset reading ??? name = 'None' if start in named_modules: name = named_modules[start][1] maps.append( cuckoo.MMapProcessMapping(mmap_content, start, end, name, map_offset)) prev_size = size elif directory.StreamType == 'MemoryInfoListStream': ## absent ? print directory # target cpu = os_name = None if self.os_name is None or self.cpu is None: # then resolve it for directory in construct_data.MINIDUMP_DIRECTORY: if directory.StreamType == 'SystemInfoStream': data = directory.DirectoryData if data.MajorVersion == 5: os_name = 'winxp' else: os_name = 'win7' # the heapfinder would have to make a difference. if 'X86' in data.ProcessorArchitecture: cpu = 32 else: cpu = 64 break if self.os_name is None: self.os_name = os_name if self.os_name not in ['winxp', 'win7']: raise NotImplementedError('Unsupported os : %s' % self.os_name) if self.cpu is None: self.cpu = cpu # now set the target if self.cpu == 32: self._target = target.TargetPlatform.make_target_win_32( self.os_name) elif self.cpu == 64: self._target = target.TargetPlatform.make_target_win_64( self.os_name) # self.mappings = maps log.debug("nb maps: %d", len(self.mappings)) log.debug("target: %s", self._target) # Use a folder name for its cache later on h_name = self.filename + ".d" memory_handler = base.MemoryHandler(self.mappings, self._target, h_name) self._memory_handler = memory_handler return
def _init_rekall(self): from rekall import session from rekall import plugins s = session.Session( filename=self.imgname, autodetect=["rsds"], logger=logging.getLogger(), profile_path=["http://profiles.rekall-forensic.com"]) self.session = s task_plugin = s.plugins.pslist(pid=self.pid) maps = [] # print type(task) for task in task_plugin.filter_processes(): # we need the file address space reader address_space = task.get_process_address_space() # then we look at vad for vad in task.VadRoot.traverse(): # print type(vad) if vad is None: continue offset = vad.obj_offset start = vad.Start end = vad.End tag = vad.Tag flags = str(vad.u.VadFlags) perms = PERMS_PROTECTION[vad.u.VadFlags.Protection.v() & 7] pathname = '' if vad.u.VadFlags.PrivateMemory == 1 or not vad.ControlArea: pathname = '' else: try: file_obj = vad.ControlArea.FilePointer if file_obj: pathname = file_obj.FileName or "Pagefile-backed section" except AttributeError: pass pmap = RekallProcessMappingA(address_space, start, end, permissions=perms, pathname=pathname) maps.append(pmap) # get the platform meta = s.profile._metadata if meta['os'] == "windows": os = '' if meta['major'] == 5.0: os = 'winxp' elif meta['major'] == 7.0: os = 'win7' # if meta['arch'] == u'I386': self._target = target.TargetPlatform.make_target_win_32(os) else: self._target = target.TargetPlatform.make_target_win_64(os) else: if meta['arch'] == u'I386': self._target = target.TargetPlatform.make_target_linux_32() else: self._target = target.TargetPlatform.make_target_linux_64() memory_handler = base.MemoryHandler(maps, self._target, self.imgname) self._memory_handler = memory_handler