def calculate(self): common.set_plugin_members(self) procs = pstasks.mac_tasks(self._config).calculate() for proc in procs: fds = obj.Object('Array', offset=proc.p_fd.fd_ofiles, vm=self.addr_space, targetType='Pointer', count=proc.p_fd.fd_lastfile) for i, fd in enumerate(fds): f = fd.dereference_as("fileproc") if f: ## FIXME after 2.3 replace this explicit int field with the following line: ## if str(f.f_fglob.fg_type) == 'DTYPE_VNODE': ## Its not needed for profiles generated with convert.py after r3290 fg_type = obj.Object("int", f.f_fglob.fg_type.obj_offset, vm=self.addr_space) if fg_type == 1: # VNODE vnode = f.f_fglob.fg_data.dereference_as("vnode") path = vnode.full_path() else: path = "" yield proc, i, f, path
def calculate(self): common.set_plugin_members(self) procs = pstasks.mac_tasks(self._config).calculate() for proc in procs: fds = obj.Object('Array', offset = proc.p_fd.fd_ofiles, vm = self.addr_space, targetType = 'Pointer', count = proc.p_fd.fd_lastfile) for i, fd in enumerate(fds): f = fd.dereference_as("fileproc") if f: if 'fg_type' in f.f_fglob.dereference().__dict__['members']: ## FIXME after 2.3 replace this explicit int field with the following line: ## if str(f.f_fglob.fg_type) == 'DTYPE_VNODE': ## Its not needed for profiles generated with convert.py after r3290 fg_type = obj.Object("int", f.f_fglob.fg_type.obj_offset, vm = self.addr_space) # OS X MAVERICKS else: fg_type = obj.Object("int", f.f_fglob.fg_ops.fo_type.obj_offset, vm = self.addr_space) if fg_type == 1: # VNODE vnode = f.f_fglob.fg_data.dereference_as("vnode") path = vnode.full_path() else: path = "" yield proc, i, f, path
def calculate(self): ## we need this module imported if not has_yara: debug.error("Please install Yara from code.google.com/p/yara-project") ## leveraged from the windows yarascan plugin rules = self._compile_rules() ## set the linux plugin address spaces common.set_plugin_members(self) if self._config.KERNEL: ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24 if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": if not common.is_64bit_capable(self.addr_space): kernel_start = 0 else: kernel_start = 0xc0000000 else: kernel_start = 0xffffff8000000000 scanner = malfind.DiscontigYaraScanner(rules = rules, address_space = self.addr_space) for hit, address in scanner.scan(start_offset = kernel_start): yield (None, address, hit, scanner.address_space.zread(address, 64)) else: # Scan each process memory block for task in pstasks.mac_tasks(self._config).calculate(): scanner = MapYaraScanner(task = task, rules = rules) for hit, address in scanner.scan(): yield (task, address, hit, scanner.address_space.zread(address, 64))
def calculate(self): all_tasks = pstasks.mac_tasks(self._config).allprocs() bit_tasks = [] try: if self._config.PID: # find tasks given PIDs pidlist = [int(p) for p in self._config.PID.split(',')] bit_tasks = [t for t in all_tasks if t.p_pid in pidlist] else: # find multibit process name_re = re.compile("JavaApplicationS", re.I) bit_tasks = [ t for t in all_tasks if name_re.search(str(t.p_comm)) ] except: pass if len(bit_tasks) == 0: yield (None, None) # scan for bitcoin addresses with yara, 34 chars, https://en.bitcoin.it/wiki/Address # Most Bitcoin addresses are 34 characters. They consist of random digits and uppercase # and lowercase letters, with the exception that the uppercase letter "O", uppercase # letter "I", lowercase letter "l", and the number "0" are never used to prevent visual ambiguity. bit_addrs = [] addr_rule = yara.compile(sources={ 'n': 'rule r1 {strings: $a = /[1-9a-zA-z]{34}(?!OIl)/ condition: $a}' }) for task in bit_tasks: scanner = mac_yarascan.MapYaraScanner(task=task, rules=addr_rule) for hit, address in scanner.scan(): content = scanner.address_space.zread(address, 34) if pyenc.is_valid_bitcoin_address( content) and content not in bit_addrs: bit_addrs.append(content) # scan for bitcoin keys with yara, 52 char compressed base58, starts with L or K, https://en.bitcoin.it/wiki/Private_key addr_key = {} key_rule = yara.compile(sources={ 'n': 'rule r1 {strings: $a = /(L|K)[0-9A-Za-z]{51}/ condition: $a}' }) for task in bit_tasks: scanner = mac_yarascan.MapYaraScanner(task=task, rules=key_rule) for hit, address in scanner.scan(): content = scanner.address_space.zread(address, 52) if pyenc.is_valid_wif(content): secret_exp = pyenc.wif_to_secret_exponent(content) key = pykey.Key(secret_exponent=secret_exp, is_compressed=True) if key.address() not in addr_key.keys(): addr_key[key.address()] = content yield (content, key.address()) # addresses with no known keys for bit_addr in bit_addrs: if bit_addr not in addr_key.keys(): yield ("UNKNOWN", bit_addr)
def _fill_cache(self): for task in mac_pstasks.mac_tasks(self._config).calculate(): for filp, _, fd in task.lsof(): if filp.f_fglob.fg_type == 'DTYPE_SOCKET': socket = filp.f_fglob.fg_data.dereference_as("socket").v() self.fd_cache[socket] = [task, fd]
def calculate(self): common.set_plugin_members(self) for task in pstasks.mac_tasks(self._config).calculate(): fdp = task.p_fd # for (i = 0; i < fdp->fd_knlistsize; i++) { # kn = SLIST_FIRST(&fdp->fd_knlist[i]); for kn in self._walk_karray(fdp.fd_knlist, fdp.fd_knlistsize): yield task, kn # if (fdp->fd_knhashmask != 0) { # for (i = 0; i < (int)fdp->fd_knhashmask + 1; i++) { # kn = SLIST_FIRST(&fdp->fd_knhash[i]); mask = fdp.fd_knhashmask if mask != 0: for kn in self._walk_karray(fdp.fd_knhash, mask + 1): yield task, kn kn = task.p_klist.slh_first while kn.is_valid(): yield task, kn kn = kn.kn_link.sle_next
def calculate(self): common.set_plugin_members(self) for task in pstasks.mac_tasks(self._config).calculate(): fdp = task.p_fd # for (i = 0; i < fdp->fd_knlistsize; i++) { # kn = SLIST_FIRST(&fdp->fd_knlist[i]); for kn in self._walk_karray(fdp.fd_knlist, fdp.fd_knlistsize): yield task, kn # if (fdp->fd_knhashmask != 0) { # for (i = 0; i < (int)fdp->fd_knhashmask + 1; i++) { # kn = SLIST_FIRST(&fdp->fd_knhash[i]); mask = fdp.fd_knhashmask if mask != 0: for kn in self._walk_karray(fdp.fd_knhash, mask + 1): yield task, kn kn = task.p_klist.slh_first while kn.is_valid(): yield task, kn kn = kn.kn_link.sle_next
def filter_tasks(self): tasks = pstasks.mac_tasks(self._config).allprocs() if self._config.PID is not None: try: pidlist = [int(p) for p in self._config.PID.split(',')] except ValueError: debug.error("Invalid PID {0}".format(self._config.PID)) pids = [t for t in tasks if t.p_pid in pidlist] if len(pids) == 0: debug.error( "Cannot find PID {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET" .format(self._config.PID)) return pids if self._config.NAME is not None: try: name_re = re.compile(self._config.NAME, re.I) except re.error: debug.error("Invalid name {0}".format(self._config.NAME)) names = [t for t in tasks if name_re.search(str(t.p_comm))] if len(names) == 0: debug.error( "Cannot find name {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET" .format(self._config.NAME)) return names return tasks
def filter_tasks(self): tasks = pstasks.mac_tasks(self._config).allprocs() if self._config.PID is not None: try: pidlist = [int(p) for p in self._config.PID.split(',')] except ValueError: debug.error("Invalid PID {0}".format(self._config.PID)) pids = [t for t in tasks if t.p_pid in pidlist] if len(pids) == 0: debug.error("Cannot find PID {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET".format(self._config.PID)) return pids if self._config.NAME is not None: try: name_re = re.compile(self._config.NAME, re.I) except re.error: debug.error("Invalid name {0}".format(self._config.NAME)) names = [t for t in tasks if name_re.search(str(t.p_comm))] if len(names) == 0: debug.error("Cannot find name {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET".format(self._config.NAME)) return names return tasks
def calculate(self): common.set_plugin_members(self) procs = pstasks.mac_tasks(self._config).calculate() for proc in procs: num_fds = proc.p_fd.fd_lastfile if proc.p_fd.fd_nfiles > num_fds: num_fds = proc.p_fd.fd_nfiles fds = obj.Object('Array', offset=proc.p_fd.fd_ofiles, vm=self.addr_space, targetType='Pointer', count=proc.p_fd.fd_nfiles) for i, fd in enumerate(fds): f = fd.dereference_as("fileproc") if f: ftype = f.f_fglob.fg_type if ftype == 'DTYPE_VNODE': vnode = f.f_fglob.fg_data.dereference_as("vnode") path = vnode.full_path() else: path = "" yield proc, i, f, path
def _fill_cache(self): for task in mac_pstasks.mac_tasks(self._config).calculate(): for filp, _, fd in task.lsof(): if filp.f_fglob.fg_type == 'DTYPE_SOCKET': socket = filp.f_fglob.fg_data.dereference_as("socket").v() self.fd_cache[socket] = [task, fd]
def calculate(self): common.set_plugin_members(self) procs = pstasks.mac_tasks(self._config).calculate() for proc in procs: proc_as = proc.get_process_address_space() for mapping in proc.get_dyld_maps(): path = mapping.imageFilePath macho = obj.Object("macho_header", offset=mapping.imageLoadAddress, vm=proc_as) needed_libraries = {} for n in macho.needed_libraries(): needed_libraries[n] = 1 for (name, addr) in macho.imports(): is_lazy = False is_ptr_hooked = False is_api_hooked = False hook_addr = 0 hook_type = "" vma_mapping = self._find_mapping(proc, addr) if vma_mapping == None: vma_mapping = self._find_mapping_proc_maps(proc, addr) if vma_mapping: (vma_path, vma_start, vma_end) = vma_mapping else: # the address points to a bogus (non-mapped region) vma_path = "<UNKNOWN>" vma_start = addr vma_end = addr addr_mapping = vma_path # non-resolved symbols if vma_start <= mapping.imageLoadAddress <= vma_end: is_lazy = True else: is_ptr_hooked = not addr_mapping in needed_libraries # check if pointing into the shared region # this happens as libraries in the region are not listed as needed if is_ptr_hooked: if proc.task.shared_region.sr_base_address <= addr <= proc.task.shared_region.sr_base_address + proc.task.shared_region.sr_size: is_ptr_hooked = False if not is_ptr_hooked: is_api_hooked = self._is_api_hooked(addr, proc_as) if is_api_hooked: (hook_type, hook_addr) = is_api_hooked yield (proc, name, addr, is_lazy, is_ptr_hooked, is_api_hooked, hook_type, hook_addr, addr_mapping)
def calculate(self): common.set_plugin_members(self) procs = pstasks.mac_tasks(self._config).calculate() for proc in procs: proc_as = proc.get_process_address_space() for mapping in proc.get_dyld_maps(): path = mapping.imageFilePath macho = obj.Object("macho_header", offset = mapping.imageLoadAddress, vm = proc_as) needed_libraries = {} for n in macho.needed_libraries(): needed_libraries[n] = 1 for (name, addr) in macho.imports(): is_lazy = False is_ptr_hooked = False is_api_hooked = False hook_addr = 0 hook_type = "" vma_mapping = self._find_mapping(proc, addr) if vma_mapping == None: vma_mapping = self._find_mapping_proc_maps(proc, addr) if vma_mapping: (vma_path, vma_start, vma_end) = vma_mapping else: # the address points to a bogus (non-mapped region) vma_path = "<UNKNOWN>" vma_start = addr vma_end = addr addr_mapping = vma_path # non-resolved symbols if vma_start <= mapping.imageLoadAddress <= vma_end: is_lazy = True else: is_ptr_hooked = not addr_mapping in needed_libraries # check if pointing into the shared region # this happens as libraries in the region are not listed as needed if is_ptr_hooked: if proc.task.shared_region.sr_base_address <= addr <= proc.task.shared_region.sr_base_address + proc.task.shared_region.sr_size: is_ptr_hooked = False if not is_ptr_hooked: is_api_hooked = self._is_api_hooked(addr, proc_as) if is_api_hooked: (hook_type, hook_addr) = is_api_hooked yield (proc, name, addr, is_lazy, is_ptr_hooked, is_api_hooked, hook_type, hook_addr, addr_mapping)
def calculate(self): all_tasks = pstasks.mac_tasks(self._config).allprocs() bit_tasks = [] try: if self._config.PID: # find tasks given PIDs pidlist = [int(p) for p in self._config.PID.split(',')] bit_tasks = [t for t in all_tasks if t.p_pid in pidlist] else: # find multibit process name_re = re.compile("JavaApplicationS", re.I) bit_tasks = [t for t in all_tasks if name_re.search(str(t.p_comm))] except: pass if len(bit_tasks) == 0: yield (None, None) # scan for bitcoin addresses with yara, 34 chars, https://en.bitcoin.it/wiki/Address # Most Bitcoin addresses are 34 characters. They consist of random digits and uppercase # and lowercase letters, with the exception that the uppercase letter "O", uppercase # letter "I", lowercase letter "l", and the number "0" are never used to prevent visual ambiguity. bit_addrs = [] addr_rule = yara.compile(sources = {'n' : 'rule r1 {strings: $a = /[1-9a-zA-z]{34}(?!OIl)/ condition: $a}'}) for task in bit_tasks: scanner = mac_yarascan.MapYaraScanner(task = task, rules = addr_rule) for hit, address in scanner.scan(): content = scanner.address_space.zread(address, 34) if pyenc.is_valid_bitcoin_address(content) and content not in bit_addrs: bit_addrs.append(content) # scan for bitcoin keys with yara, 52 char compressed base58, starts with L or K, https://en.bitcoin.it/wiki/Private_key addr_key = {} key_rule = yara.compile(sources = {'n' : 'rule r1 {strings: $a = /(L|K)[0-9A-Za-z]{51}/ condition: $a}'}) for task in bit_tasks: scanner = mac_yarascan.MapYaraScanner(task = task, rules = key_rule) for hit, address in scanner.scan(): content = scanner.address_space.zread(address, 52) if pyenc.is_valid_wif(content): secret_exp = pyenc.wif_to_secret_exponent(content) key = pykey.Key(secret_exponent = secret_exp,is_compressed=True) if key.address() not in addr_key.keys(): addr_key[key.address()] = content yield(content, key.address()) # addresses with no known keys for bit_addr in bit_addrs: if bit_addr not in addr_key.keys(): yield ("UNKNOWN", bit_addr)
def get_processes(self, addr_space): """Enumerate processes based on user options. :param addr_space | <addrspace.AbstractVirtualAddressSpace> :returns <list> """ tasks = mac_tasks.mac_tasks(self._config).calculate() try: if self._config.PID is not None: pidlist = [int(p) for p in self._config.PID.split(',')] tasks = [t for t in tasks if int(t.p_pid) in pidlist] except (ValueError, TypeError): debug.error("Invalid PID {0}".format(self._config.PID)) return tasks
def get_processes(self, addr_space): """Enumerate processes based on user options. :param addr_space | <addrspace.AbstractVirtualAddressSpace> :returns <list> """ tasks = mac_tasks.mac_tasks(self._config).calculate() try: if self._config.PID is not None: pidlist = [int(p) for p in self._config.PID.split(',')] tasks = [t for t in tasks if int(t.p_pid) in pidlist] except (ValueError, TypeError): debug.error("Invalid PID {0}".format(self._config.PID)) return tasks
def calculate(self): common.set_plugin_members(self) procs = pstasks.mac_tasks(self._config).calculate() for proc in procs: fds = obj.Object('Array', offset = proc.p_fd.fd_ofiles, vm = self.addr_space, targetType = 'Pointer', count = proc.p_fd.fd_lastfile) for i, fd in enumerate(fds): f = fd.dereference_as("fileproc") if f: ftype = f.f_fglob.fg_type if ftype == 'DTYPE_VNODE': vnode = f.f_fglob.fg_data.dereference_as("vnode") path = vnode.full_path() else: path = "" yield proc, i, f, path
def calculate(self): ## we need this module imported if not has_yara: debug.error( "Please install Yara from code.google.com/p/yara-project") ## leveraged from the windows yarascan plugin rules = self._compile_rules() ## set the linux plugin address spaces common.set_plugin_members(self) if self._config.KERNEL: ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24 if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": if not common.is_64bit_capable(self.addr_space): kernel_start = 0 else: kernel_start = 0xc0000000 else: kernel_start = 0xffffff8000000000 scanner = malfind.DiscontigYaraScanner( rules=rules, address_space=self.addr_space) for hit, address in scanner.scan(start_offset=kernel_start): yield (None, address, hit, scanner.address_space.zread(address, 64)) else: # Scan each process memory block for task in pstasks.mac_tasks(self._config).calculate(): scanner = MapYaraScanner(task=task, rules=rules) for hit, address in scanner.scan(): yield (task, address, hit, scanner.address_space.zread(address, 64))
def getpidlist(self): return list(pstasks.mac_tasks(self._config).allprocs())
def _get_procs_from_tasks(self): return [p.v() for p in pstasks.mac_tasks(self._config).calculate()]
def calculate(self): mac_common.set_plugin_members(self) tasks = mac_tasks.mac_tasks(self._config).calculate() for task in tasks: proc_as = task.get_process_address_space() # In cases when mm is an invalid pointer if not proc_as: continue # Are we dealing with 32 or 64-bit pointers bit_string = str(task.task.map.pmap.pm_task_map or '')[9:] if bit_string.find("64BIT") == -1: pack_format = "<I" addr_sz = 4 addr_type = "unsigned int" else: pack_format = "<Q" addr_sz = 8 addr_type = "unsigned long long" procvars = [] for mapping in task.get_proc_maps(): if not str(mapping.get_perms()) == "rw-" or mapping.get_path( ).find("bash") == -1: continue env_start = 0 for off in range(mapping.links.start, mapping.links.end): # check the first index addrstr = proc_as.read(off, addr_sz) if not addrstr or len(addrstr) != addr_sz: continue addr = struct.unpack(pack_format, addrstr)[0] # check first idx... if addr: firstaddrstr = proc_as.read(addr, addr_sz) if not firstaddrstr or len(firstaddrstr) != addr_sz: continue firstaddr = struct.unpack(pack_format, firstaddrstr)[0] buf = proc_as.read(firstaddr, 64) if not buf: continue eqidx = buf.find("=") if eqidx > 0: nullidx = buf.find("\x00") # single char name, = if nullidx >= eqidx: env_start = addr if env_start == 0: continue envars = obj.Object(theType="Array", targetType=addr_type, vm=proc_as, offset=env_start, count=256) for var in envars: if var: sizes = [ 8, 16, 32, 64, 128, 256, 384, 512, 1024, 2048, 4096 ] good_varstr = None for size in sizes: varstr = proc_as.read(var, size) if not varstr: continue eqidx = varstr.find("=") idx = varstr.find("\x00") if idx == -1 or eqidx == -1 or idx < eqidx: continue good_varstr = varstr break if good_varstr: good_varstr = good_varstr[:idx] procvars.append(good_varstr) yield task, " ".join(procvars) break
def calculate(self): common.set_plugin_members(self) for proc in mac_tasks.mac_tasks(self._config).calculate(): bit_string = str(proc.task.map.pmap.pm_task_map or '')[9:] # get proc args and arg address args = proc.get_arguments() args_addr = proc.user_stack - proc.p_argslen # get threads qentry = proc.task.threads seen_threads = [] thread_list = [] active_threads = self.get_active_threads() for thread in qentry.thread_walk_list(qentry.obj_offset): if thread.obj_offset not in seen_threads: seen_threads.append(thread.obj_offset) thread_list.append(thread) # get proc maps maps = self.get_stack_map(proc, thread_list, bit_string) # get thread stack start and size for thread in thread_list: stack_start = 0 stack_size = 0 thread_args = "" registers = {} is_active = "NO" dtraced = "NO" debugged = "NO" uid = "NONE" for proc, map, map_path in maps: if "thread id {0}".format(thread.thread_id) in map_path: if stack_start == 0 or stack_start > map.links.start: stack_start = map.links.start stack_size += map.links.end - map.links.start # find thread with args, which probably is main thread if map.links.start < args_addr < map.links.end: thread_args = args # kernel_stack process # thread stack information is empty for kernel threads if str(proc.p_pid) == "0": stack_start = thread.kernel_stack registers = self.get_thread_registers(thread, bit_string) if self.is_thread_active(thread, active_threads): is_active = "YES" # check if thread is being hardware debugged, ids = x86_debug_state64 if thread.machine.ids != 0: debugged = "YES" # check if dtrace probe is applied if "TH_OPT_DTRACE" in str(thread.options): dtraced = "YES" #get thread User ID #if thread.uthread != 0: #uid = thread.uthread.dereference_as('uthread').uu_context.vc_ucred.cr_posix.cr_uid yield proc, thread, stack_start, stack_size, thread_args, registers, is_active, dtraced, debugged, uid proc = proc.p_list.le_next.dereference() self.get_active_threads()
def getpidlist(self): return pstasks.mac_tasks(self._config).calculate()
def getpidlist(self): return list(pstasks.mac_tasks(self._config).allprocs())
def getpidlist(self): return pstasks.mac_tasks(self._config).calculate()
def _get_procs_from_tasks(self): return [p.v() for p in pstasks.mac_tasks(self._config).calculate()]
def calculate(self): mac_common.set_plugin_members(self) tasks = mac_tasks.mac_tasks(self._config).calculate() for task in tasks: proc_as = task.get_process_address_space() if not self._config.HISTORY_LIST: # Do we scan everything or just /bin/bash instances? if not (self._config.SCAN_ALL or str(task.p_comm) == "bash"): continue bit_string = str(task.task.map.pmap.pm_task_map or '')[9:] if bit_string.find("64BIT") == -1: pack_format = "<I" hist_struct = "bash32_hist_entry" else: pack_format = "<Q" hist_struct = "bash64_hist_entry" # Brute force the history list of an address isn't provided ts_offset = proc_as.profile.get_obj_offset(hist_struct, "timestamp") history_entries = [] bang_addrs = [] # Look for strings that begin with pound/hash on the process heap for ptr_hash in task.search_process_memory_rw_nofile(["#"]): # Find pointers to this strings address, also on the heap addr = struct.pack(pack_format, ptr_hash) bang_addrs.append(addr) for (idx, ptr_string) in enumerate(task.search_process_memory_rw_nofile(bang_addrs)): # Check if we found a valid history entry object hist = obj.Object(hist_struct, offset = ptr_string - ts_offset, vm = proc_as) if hist.is_valid(): history_entries.append(hist) # Report everything we found in order for hist in sorted(history_entries, key = attrgetter('time_as_integer')): yield task, hist else: the_history_addr = the_history_addr = self._config.HISTORY_LIST the_history = obj.Object("Pointer", vm = proc_as, offset = the_history_addr) max_ents = 2001 the_history = obj.Object(theType = 'Array', offset = the_history, vm = proc_as, targetType = 'Pointer', count = max_ents) for ptr in the_history: if not ptr: if self._config.PRINTUNALLOC: continue else: break hist = ptr.dereference_as("_hist_entry") if hist.is_valid(): yield task, hist
def calculate(self): mac_common.set_plugin_members(self) tasks = mac_tasks.mac_tasks(self._config).calculate() for task in tasks: proc_as = task.get_process_address_space() # In cases when mm is an invalid pointer if not proc_as: continue # Are we dealing with 32 or 64-bit pointers bit_string = str(task.task.map.pmap.pm_task_map or '')[9:] if bit_string.find("64BIT") == -1: pack_format = "<I" addr_sz = 4 addr_type = "unsigned int" else: pack_format = "<Q" addr_sz = 8 addr_type = "unsigned long long" procvars = [] for mapping in task.get_proc_maps(): if not str(mapping.get_perms()) == "rw-" or mapping.get_path().find("bash") == -1: continue env_start = 0 for off in range(mapping.links.start, mapping.links.end): # check the first index addrstr = proc_as.read(off, addr_sz) if not addrstr or len(addrstr) != addr_sz: continue addr = struct.unpack(pack_format, addrstr)[0] # check first idx... if addr: firstaddrstr = proc_as.read(addr, addr_sz) if not firstaddrstr or len(firstaddrstr) != addr_sz: continue firstaddr = struct.unpack(pack_format, firstaddrstr)[0] buf = proc_as.read(firstaddr, 64) if not buf: continue eqidx = buf.find("=") if eqidx > 0: nullidx = buf.find("\x00") # single char name, = if nullidx >= eqidx: env_start = addr if env_start == 0: continue envars = obj.Object(theType="Array", targetType=addr_type, vm=proc_as, offset=env_start, count=256) for var in envars: if var: sizes = [8, 16, 32, 64, 128, 256, 384, 512, 1024, 2048, 4096] good_varstr = None for size in sizes: varstr = proc_as.read(var, size) if not varstr: continue eqidx = varstr.find("=") idx = varstr.find("\x00") if idx == -1 or eqidx == -1 or idx < eqidx: continue good_varstr = varstr break if good_varstr: good_varstr = good_varstr[:idx] procvars.append(good_varstr) yield task, " ".join(procvars) break
def check_mac_tasks(self): procs = dict((v.obj_offset,(v, v.size())) for v in macpstasks.mac_tasks(self._config).obtainTasks()) return procs