def _init_cuckoo(self, os_name, arch, major):
# get profile for target ?
# get the platform
# get the proc name for pid x
if os_name == "windows":
os_name = ''
if major == 5.1:
os_name = 'winxp'
elif major == 6.1:
os_name = 'win7'
#
if arch == u'I386':
self._target = target.TargetPlatform.make_target_win_32(
os_name)
else:
self._target = target.TargetPlatform.make_target_win_64(
os_name)
else:
if arch == u'I386':
self._target = target.TargetPlatform.make_target_linux_32()
else:
self._target = target.TargetPlatform.make_target_linux_64()
log.debug("target: %s", self._target)
# Use a folder name for its cache later on
h_name = self.filename + ".d"
memory_handler = base.MemoryHandler(self.mappings, self._target,
h_name)
self._memory_handler = memory_handler
def _do_haystack(self, task):
pid = task.UniqueProcessId
my_mappings = []
# get the mappings
address_space = task.get_process_address_space()
for vad in task.VadRoot.traverse():
# print type(vad)
if vad is None:
continue
offset = vad.obj_offset
start = vad.Start
end = vad.End
tag = vad.Tag
flags = str(vad.u.VadFlags)
perms = hvol.PERMS_PROTECTION[vad.u.VadFlags.Protection.v() & 7]
pathname = ''
if vad.u.VadFlags.PrivateMemory == 1 or not vad.ControlArea:
pathname = ''
elif vad.FileObject:
pathname = str(vad.FileObject.FileName or '')
pmap = hvol.VolatilityProcessMappingA(address_space,
start,
end,
permissions=perms,
pathname=pathname)
my_mappings.append(pmap)
# now build the memory_handler
# get the platform
profile = None
my_target = None
if 'WinXP' in self.config.PROFILE:
profile = 'winxp'
elif 'Win7' in self.config.PROFILE:
profile = 'win7'
else:
raise ValueError('Profile %s not supported' % self.config.PROFILE)
if 'x86' in self.config.PROFILE:
my_target = target.TargetPlatform.make_target_win_32(profile)
elif 'x64' in self.config.PROFILE:
my_target = target.TargetPlatform.make_target_win_64(profile)
# create a memory handler
dumpname = '%s_%d' % (self.config.LOCATION.split('/')[-1], pid)
memory_handler = base.MemoryHandler(my_mappings, my_target, dumpname)
for res in self.make_results(pid, memory_handler):
yield res
def _init_memfile(memfile, baseOffset):
size = os.fstat(memfile.fileno()).st_size
if size > haystack.MAX_MAPPING_SIZE_FOR_MMAP:
mem = FileBackedMemoryMapping(
memfile,
baseOffset,
baseOffset +
size) # is that valid ?
log.warning(
'Dump file size is big. Using file backend memory mapping. Its gonna be slooow')
else:
mem = MemoryDumpMemoryMapping(
memfile,
baseOffset,
baseOffset +
size) # is that valid ?
mappings = base.MemoryHandler([mem], memfile.name)
return mappings
def _init_mappings(self, construct_data):
content_file = open(self.filename, 'rb')
fsize = os.path.getsize(self.filename)
mmap_content = mmap.mmap(content_file.fileno(),
fsize,
access=mmap.ACCESS_READ)
log.debug("fsize: %d", fsize)
maps = []
#
# get the named modules
named_modules = {}
for directory in construct_data.MINIDUMP_DIRECTORY:
if directory.StreamType == 'ModuleListStream':
for _range in directory.DirectoryData.MINIDUMP_MODULE:
start = _range.BaseOfImage
size = _range.SizeOfImage
for page_start in range(start, start + size, 0x1000):
named_modules[page_start] = (size, _range.ModuleName)
# BUG ?
# the last mapping is sometimes incomplete, and seems to be the PE file.
for directory in construct_data.MINIDUMP_DIRECTORY:
if directory.StreamType == 'Memory64ListStream':
#print directory
#print directory.DirectoryData.NumberOfMemoryRanges, "mappings"
offset = directory.DirectoryData.BaseRva
map_offset = offset
prev_size = 0
for _range in directory.DirectoryData.MINIDUMP_MEMORY_DESCRIPTOR64:
map_offset += prev_size
start = _range.StartOfMemoryRange
size = _range.DataSize
if map_offset + size > fsize:
log.error(
'BAD FILE: reducing mapping 0x%x-0x%x size 0x%x -> 0x%x bytes',
start, start + size, size, fsize - map_offset)
size = fsize - map_offset
end = start + size
log.debug("0x%x-0x%x size:0x%x offset_in_file:0x%x", start,
start + size, size, map_offset)
## BUG FIXME, offset reading ???
name = 'None'
if start in named_modules:
name = named_modules[start][1]
maps.append(
cuckoo.MMapProcessMapping(mmap_content, start, end,
name, map_offset))
prev_size = size
elif directory.StreamType == 'MemoryInfoListStream':
## absent ?
print directory
# target
cpu = os_name = None
if self.os_name is None or self.cpu is None:
# then resolve it
for directory in construct_data.MINIDUMP_DIRECTORY:
if directory.StreamType == 'SystemInfoStream':
data = directory.DirectoryData
if data.MajorVersion == 5:
os_name = 'winxp'
else:
os_name = 'win7'
# the heapfinder would have to make a difference.
if 'X86' in data.ProcessorArchitecture:
cpu = 32
else:
cpu = 64
break
if self.os_name is None:
self.os_name = os_name
if self.os_name not in ['winxp', 'win7']:
raise NotImplementedError('Unsupported os : %s' % self.os_name)
if self.cpu is None:
self.cpu = cpu
# now set the target
if self.cpu == 32:
self._target = target.TargetPlatform.make_target_win_32(
self.os_name)
elif self.cpu == 64:
self._target = target.TargetPlatform.make_target_win_64(
self.os_name)
#
self.mappings = maps
log.debug("nb maps: %d", len(self.mappings))
log.debug("target: %s", self._target)
# Use a folder name for its cache later on
h_name = self.filename + ".d"
memory_handler = base.MemoryHandler(self.mappings, self._target,
h_name)
self._memory_handler = memory_handler
return
def _init_rekall(self):
from rekall import session
from rekall import plugins
s = session.Session(
filename=self.imgname,
autodetect=["rsds"],
logger=logging.getLogger(),
profile_path=["http://profiles.rekall-forensic.com"])
self.session = s
task_plugin = s.plugins.pslist(pid=self.pid)
maps = []
# print type(task)
for task in task_plugin.filter_processes():
# we need the file address space reader
address_space = task.get_process_address_space()
# then we look at vad
for vad in task.VadRoot.traverse():
# print type(vad)
if vad is None:
continue
offset = vad.obj_offset
start = vad.Start
end = vad.End
tag = vad.Tag
flags = str(vad.u.VadFlags)
perms = PERMS_PROTECTION[vad.u.VadFlags.Protection.v() & 7]
pathname = ''
if vad.u.VadFlags.PrivateMemory == 1 or not vad.ControlArea:
pathname = ''
else:
try:
file_obj = vad.ControlArea.FilePointer
if file_obj:
pathname = file_obj.FileName or "Pagefile-backed section"
except AttributeError:
pass
pmap = RekallProcessMappingA(address_space,
start,
end,
permissions=perms,
pathname=pathname)
maps.append(pmap)
# get the platform
meta = s.profile._metadata
if meta['os'] == "windows":
os = ''
if meta['major'] == 5.0:
os = 'winxp'
elif meta['major'] == 7.0:
os = 'win7'
#
if meta['arch'] == u'I386':
self._target = target.TargetPlatform.make_target_win_32(os)
else:
self._target = target.TargetPlatform.make_target_win_64(os)
else:
if meta['arch'] == u'I386':
self._target = target.TargetPlatform.make_target_linux_32()
else:
self._target = target.TargetPlatform.make_target_linux_64()
memory_handler = base.MemoryHandler(maps, self._target, self.imgname)
self._memory_handler = memory_handler