def calculate(self):
common.set_plugin_members(self)
procs = pstasks.mac_tasks(self._config).calculate()
for proc in procs:
fds = obj.Object('Array',
offset=proc.p_fd.fd_ofiles,
vm=self.addr_space,
targetType='Pointer',
count=proc.p_fd.fd_lastfile)
for i, fd in enumerate(fds):
f = fd.dereference_as("fileproc")
if f:
## FIXME after 2.3 replace this explicit int field with the following line:
## if str(f.f_fglob.fg_type) == 'DTYPE_VNODE':
## Its not needed for profiles generated with convert.py after r3290
fg_type = obj.Object("int",
f.f_fglob.fg_type.obj_offset,
vm=self.addr_space)
if fg_type == 1: # VNODE
vnode = f.f_fglob.fg_data.dereference_as("vnode")
path = vnode.full_path()
else:
path = ""
yield proc, i, f, path
def calculate(self):
common.set_plugin_members(self)
procs = pstasks.mac_tasks(self._config).calculate()
for proc in procs:
fds = obj.Object('Array', offset = proc.p_fd.fd_ofiles, vm = self.addr_space, targetType = 'Pointer', count = proc.p_fd.fd_lastfile)
for i, fd in enumerate(fds):
f = fd.dereference_as("fileproc")
if f:
if 'fg_type' in f.f_fglob.dereference().__dict__['members']:
## FIXME after 2.3 replace this explicit int field with the following line:
## if str(f.f_fglob.fg_type) == 'DTYPE_VNODE':
## Its not needed for profiles generated with convert.py after r3290
fg_type = obj.Object("int", f.f_fglob.fg_type.obj_offset, vm = self.addr_space)
# OS X MAVERICKS
else:
fg_type = obj.Object("int", f.f_fglob.fg_ops.fo_type.obj_offset, vm = self.addr_space)
if fg_type == 1: # VNODE
vnode = f.f_fglob.fg_data.dereference_as("vnode")
path = vnode.full_path()
else:
path = ""
yield proc, i, f, path
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from code.google.com/p/yara-project")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
common.set_plugin_members(self)
if self._config.KERNEL:
## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
if not common.is_64bit_capable(self.addr_space):
kernel_start = 0
else:
kernel_start = 0xc0000000
else:
kernel_start = 0xffffff8000000000
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address, hit,
scanner.address_space.zread(address, 64))
else:
# Scan each process memory block
for task in pstasks.mac_tasks(self._config).calculate():
scanner = MapYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit,
scanner.address_space.zread(address, 64))
def calculate(self):
all_tasks = pstasks.mac_tasks(self._config).allprocs()
bit_tasks = []
try:
if self._config.PID:
# find tasks given PIDs
pidlist = [int(p) for p in self._config.PID.split(',')]
bit_tasks = [t for t in all_tasks if t.p_pid in pidlist]
else:
# find multibit process
name_re = re.compile("JavaApplicationS", re.I)
bit_tasks = [
t for t in all_tasks if name_re.search(str(t.p_comm))
]
except:
pass
if len(bit_tasks) == 0:
yield (None, None)
# scan for bitcoin addresses with yara, 34 chars, https://en.bitcoin.it/wiki/Address
# Most Bitcoin addresses are 34 characters. They consist of random digits and uppercase
# and lowercase letters, with the exception that the uppercase letter "O", uppercase
# letter "I", lowercase letter "l", and the number "0" are never used to prevent visual ambiguity.
bit_addrs = []
addr_rule = yara.compile(sources={
'n':
'rule r1 {strings: $a = /[1-9a-zA-z]{34}(?!OIl)/ condition: $a}'
})
for task in bit_tasks:
scanner = mac_yarascan.MapYaraScanner(task=task, rules=addr_rule)
for hit, address in scanner.scan():
content = scanner.address_space.zread(address, 34)
if pyenc.is_valid_bitcoin_address(
content) and content not in bit_addrs:
bit_addrs.append(content)
# scan for bitcoin keys with yara, 52 char compressed base58, starts with L or K, https://en.bitcoin.it/wiki/Private_key
addr_key = {}
key_rule = yara.compile(sources={
'n':
'rule r1 {strings: $a = /(L|K)[0-9A-Za-z]{51}/ condition: $a}'
})
for task in bit_tasks:
scanner = mac_yarascan.MapYaraScanner(task=task, rules=key_rule)
for hit, address in scanner.scan():
content = scanner.address_space.zread(address, 52)
if pyenc.is_valid_wif(content):
secret_exp = pyenc.wif_to_secret_exponent(content)
key = pykey.Key(secret_exponent=secret_exp,
is_compressed=True)
if key.address() not in addr_key.keys():
addr_key[key.address()] = content
yield (content, key.address())
# addresses with no known keys
for bit_addr in bit_addrs:
if bit_addr not in addr_key.keys():
yield ("UNKNOWN", bit_addr)
def _fill_cache(self):
for task in mac_pstasks.mac_tasks(self._config).calculate():
for filp, _, fd in task.lsof():
if filp.f_fglob.fg_type == 'DTYPE_SOCKET':
socket = filp.f_fglob.fg_data.dereference_as("socket").v()
self.fd_cache[socket] = [task, fd]
def calculate(self):
common.set_plugin_members(self)
for task in pstasks.mac_tasks(self._config).calculate():
fdp = task.p_fd
# for (i = 0; i < fdp->fd_knlistsize; i++) {
# kn = SLIST_FIRST(&fdp->fd_knlist[i]);
for kn in self._walk_karray(fdp.fd_knlist, fdp.fd_knlistsize):
yield task, kn
# if (fdp->fd_knhashmask != 0) {
# for (i = 0; i < (int)fdp->fd_knhashmask + 1; i++) {
# kn = SLIST_FIRST(&fdp->fd_knhash[i]);
mask = fdp.fd_knhashmask
if mask != 0:
for kn in self._walk_karray(fdp.fd_knhash, mask + 1):
yield task, kn
kn = task.p_klist.slh_first
while kn.is_valid():
yield task, kn
kn = kn.kn_link.sle_next
def calculate(self):
common.set_plugin_members(self)
for task in pstasks.mac_tasks(self._config).calculate():
fdp = task.p_fd
# for (i = 0; i < fdp->fd_knlistsize; i++) {
# kn = SLIST_FIRST(&fdp->fd_knlist[i]);
for kn in self._walk_karray(fdp.fd_knlist, fdp.fd_knlistsize):
yield task, kn
# if (fdp->fd_knhashmask != 0) {
# for (i = 0; i < (int)fdp->fd_knhashmask + 1; i++) {
# kn = SLIST_FIRST(&fdp->fd_knhash[i]);
mask = fdp.fd_knhashmask
if mask != 0:
for kn in self._walk_karray(fdp.fd_knhash, mask + 1):
yield task, kn
kn = task.p_klist.slh_first
while kn.is_valid():
yield task, kn
kn = kn.kn_link.sle_next
def filter_tasks(self):
tasks = pstasks.mac_tasks(self._config).allprocs()
if self._config.PID is not None:
try:
pidlist = [int(p) for p in self._config.PID.split(',')]
except ValueError:
debug.error("Invalid PID {0}".format(self._config.PID))
pids = [t for t in tasks if t.p_pid in pidlist]
if len(pids) == 0:
debug.error(
"Cannot find PID {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET"
.format(self._config.PID))
return pids
if self._config.NAME is not None:
try:
name_re = re.compile(self._config.NAME, re.I)
except re.error:
debug.error("Invalid name {0}".format(self._config.NAME))
names = [t for t in tasks if name_re.search(str(t.p_comm))]
if len(names) == 0:
debug.error(
"Cannot find name {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET"
.format(self._config.NAME))
return names
return tasks
def filter_tasks(self):
tasks = pstasks.mac_tasks(self._config).allprocs()
if self._config.PID is not None:
try:
pidlist = [int(p) for p in self._config.PID.split(',')]
except ValueError:
debug.error("Invalid PID {0}".format(self._config.PID))
pids = [t for t in tasks if t.p_pid in pidlist]
if len(pids) == 0:
debug.error("Cannot find PID {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET".format(self._config.PID))
return pids
if self._config.NAME is not None:
try:
name_re = re.compile(self._config.NAME, re.I)
except re.error:
debug.error("Invalid name {0}".format(self._config.NAME))
names = [t for t in tasks if name_re.search(str(t.p_comm))]
if len(names) == 0:
debug.error("Cannot find name {0}. If its terminated or unlinked, use psscan and then supply --offset=OFFSET".format(self._config.NAME))
return names
return tasks
def calculate(self):
common.set_plugin_members(self)
procs = pstasks.mac_tasks(self._config).calculate()
for proc in procs:
num_fds = proc.p_fd.fd_lastfile
if proc.p_fd.fd_nfiles > num_fds:
num_fds = proc.p_fd.fd_nfiles
fds = obj.Object('Array',
offset=proc.p_fd.fd_ofiles,
vm=self.addr_space,
targetType='Pointer',
count=proc.p_fd.fd_nfiles)
for i, fd in enumerate(fds):
f = fd.dereference_as("fileproc")
if f:
ftype = f.f_fglob.fg_type
if ftype == 'DTYPE_VNODE':
vnode = f.f_fglob.fg_data.dereference_as("vnode")
path = vnode.full_path()
else:
path = ""
yield proc, i, f, path
def _fill_cache(self):
for task in mac_pstasks.mac_tasks(self._config).calculate():
for filp, _, fd in task.lsof():
if filp.f_fglob.fg_type == 'DTYPE_SOCKET':
socket = filp.f_fglob.fg_data.dereference_as("socket").v()
self.fd_cache[socket] = [task, fd]
def calculate(self):
common.set_plugin_members(self)
procs = pstasks.mac_tasks(self._config).calculate()
for proc in procs:
proc_as = proc.get_process_address_space()
for mapping in proc.get_dyld_maps():
path = mapping.imageFilePath
macho = obj.Object("macho_header",
offset=mapping.imageLoadAddress,
vm=proc_as)
needed_libraries = {}
for n in macho.needed_libraries():
needed_libraries[n] = 1
for (name, addr) in macho.imports():
is_lazy = False
is_ptr_hooked = False
is_api_hooked = False
hook_addr = 0
hook_type = ""
vma_mapping = self._find_mapping(proc, addr)
if vma_mapping == None:
vma_mapping = self._find_mapping_proc_maps(proc, addr)
if vma_mapping:
(vma_path, vma_start, vma_end) = vma_mapping
else:
# the address points to a bogus (non-mapped region)
vma_path = "<UNKNOWN>"
vma_start = addr
vma_end = addr
addr_mapping = vma_path
# non-resolved symbols
if vma_start <= mapping.imageLoadAddress <= vma_end:
is_lazy = True
else:
is_ptr_hooked = not addr_mapping in needed_libraries
# check if pointing into the shared region
# this happens as libraries in the region are not listed as needed
if is_ptr_hooked:
if proc.task.shared_region.sr_base_address <= addr <= proc.task.shared_region.sr_base_address + proc.task.shared_region.sr_size:
is_ptr_hooked = False
if not is_ptr_hooked:
is_api_hooked = self._is_api_hooked(addr, proc_as)
if is_api_hooked:
(hook_type, hook_addr) = is_api_hooked
yield (proc, name, addr, is_lazy, is_ptr_hooked,
is_api_hooked, hook_type, hook_addr, addr_mapping)
def calculate(self):
common.set_plugin_members(self)
procs = pstasks.mac_tasks(self._config).calculate()
for proc in procs:
proc_as = proc.get_process_address_space()
for mapping in proc.get_dyld_maps():
path = mapping.imageFilePath
macho = obj.Object("macho_header", offset = mapping.imageLoadAddress, vm = proc_as)
needed_libraries = {}
for n in macho.needed_libraries():
needed_libraries[n] = 1
for (name, addr) in macho.imports():
is_lazy = False
is_ptr_hooked = False
is_api_hooked = False
hook_addr = 0
hook_type = ""
vma_mapping = self._find_mapping(proc, addr)
if vma_mapping == None:
vma_mapping = self._find_mapping_proc_maps(proc, addr)
if vma_mapping:
(vma_path, vma_start, vma_end) = vma_mapping
else:
# the address points to a bogus (non-mapped region)
vma_path = "<UNKNOWN>"
vma_start = addr
vma_end = addr
addr_mapping = vma_path
# non-resolved symbols
if vma_start <= mapping.imageLoadAddress <= vma_end:
is_lazy = True
else:
is_ptr_hooked = not addr_mapping in needed_libraries
# check if pointing into the shared region
# this happens as libraries in the region are not listed as needed
if is_ptr_hooked:
if proc.task.shared_region.sr_base_address <= addr <= proc.task.shared_region.sr_base_address + proc.task.shared_region.sr_size:
is_ptr_hooked = False
if not is_ptr_hooked:
is_api_hooked = self._is_api_hooked(addr, proc_as)
if is_api_hooked:
(hook_type, hook_addr) = is_api_hooked
yield (proc, name, addr, is_lazy, is_ptr_hooked, is_api_hooked, hook_type, hook_addr, addr_mapping)
def calculate(self):
all_tasks = pstasks.mac_tasks(self._config).allprocs()
bit_tasks = []
try:
if self._config.PID:
# find tasks given PIDs
pidlist = [int(p) for p in self._config.PID.split(',')]
bit_tasks = [t for t in all_tasks if t.p_pid in pidlist]
else:
# find multibit process
name_re = re.compile("JavaApplicationS", re.I)
bit_tasks = [t for t in all_tasks if name_re.search(str(t.p_comm))]
except:
pass
if len(bit_tasks) == 0:
yield (None, None)
# scan for bitcoin addresses with yara, 34 chars, https://en.bitcoin.it/wiki/Address
# Most Bitcoin addresses are 34 characters. They consist of random digits and uppercase
# and lowercase letters, with the exception that the uppercase letter "O", uppercase
# letter "I", lowercase letter "l", and the number "0" are never used to prevent visual ambiguity.
bit_addrs = []
addr_rule = yara.compile(sources = {'n' : 'rule r1 {strings: $a = /[1-9a-zA-z]{34}(?!OIl)/ condition: $a}'})
for task in bit_tasks:
scanner = mac_yarascan.MapYaraScanner(task = task, rules = addr_rule)
for hit, address in scanner.scan():
content = scanner.address_space.zread(address, 34)
if pyenc.is_valid_bitcoin_address(content) and content not in bit_addrs:
bit_addrs.append(content)
# scan for bitcoin keys with yara, 52 char compressed base58, starts with L or K, https://en.bitcoin.it/wiki/Private_key
addr_key = {}
key_rule = yara.compile(sources = {'n' : 'rule r1 {strings: $a = /(L|K)[0-9A-Za-z]{51}/ condition: $a}'})
for task in bit_tasks:
scanner = mac_yarascan.MapYaraScanner(task = task, rules = key_rule)
for hit, address in scanner.scan():
content = scanner.address_space.zread(address, 52)
if pyenc.is_valid_wif(content):
secret_exp = pyenc.wif_to_secret_exponent(content)
key = pykey.Key(secret_exponent = secret_exp,is_compressed=True)
if key.address() not in addr_key.keys():
addr_key[key.address()] = content
yield(content, key.address())
# addresses with no known keys
for bit_addr in bit_addrs:
if bit_addr not in addr_key.keys():
yield ("UNKNOWN", bit_addr)
def get_processes(self, addr_space):
"""Enumerate processes based on user options.
:param addr_space | <addrspace.AbstractVirtualAddressSpace>
:returns <list>
"""
tasks = mac_tasks.mac_tasks(self._config).calculate()
try:
if self._config.PID is not None:
pidlist = [int(p) for p in self._config.PID.split(',')]
tasks = [t for t in tasks if int(t.p_pid) in pidlist]
except (ValueError, TypeError):
debug.error("Invalid PID {0}".format(self._config.PID))
return tasks
def get_processes(self, addr_space):
"""Enumerate processes based on user options.
:param addr_space | <addrspace.AbstractVirtualAddressSpace>
:returns <list>
"""
tasks = mac_tasks.mac_tasks(self._config).calculate()
try:
if self._config.PID is not None:
pidlist = [int(p) for p in self._config.PID.split(',')]
tasks = [t for t in tasks if int(t.p_pid) in pidlist]
except (ValueError, TypeError):
debug.error("Invalid PID {0}".format(self._config.PID))
return tasks
def calculate(self):
common.set_plugin_members(self)
procs = pstasks.mac_tasks(self._config).calculate()
for proc in procs:
fds = obj.Object('Array', offset = proc.p_fd.fd_ofiles, vm = self.addr_space, targetType = 'Pointer', count = proc.p_fd.fd_lastfile)
for i, fd in enumerate(fds):
f = fd.dereference_as("fileproc")
if f:
ftype = f.f_fglob.fg_type
if ftype == 'DTYPE_VNODE':
vnode = f.f_fglob.fg_data.dereference_as("vnode")
path = vnode.full_path()
else:
path = ""
yield proc, i, f, path
def calculate(self):
## we need this module imported
if not has_yara:
debug.error(
"Please install Yara from code.google.com/p/yara-project")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
common.set_plugin_members(self)
if self._config.KERNEL:
## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
if self.addr_space.profile.metadata.get('memory_model',
'32bit') == "32bit":
if not common.is_64bit_capable(self.addr_space):
kernel_start = 0
else:
kernel_start = 0xc0000000
else:
kernel_start = 0xffffff8000000000
scanner = malfind.DiscontigYaraScanner(
rules=rules, address_space=self.addr_space)
for hit, address in scanner.scan(start_offset=kernel_start):
yield (None, address, hit,
scanner.address_space.zread(address, 64))
else:
# Scan each process memory block
for task in pstasks.mac_tasks(self._config).calculate():
scanner = MapYaraScanner(task=task, rules=rules)
for hit, address in scanner.scan():
yield (task, address, hit,
scanner.address_space.zread(address, 64))
def getpidlist(self):
return list(pstasks.mac_tasks(self._config).allprocs())
def _get_procs_from_tasks(self):
return [p.v() for p in pstasks.mac_tasks(self._config).calculate()]
def calculate(self):
mac_common.set_plugin_members(self)
tasks = mac_tasks.mac_tasks(self._config).calculate()
for task in tasks:
proc_as = task.get_process_address_space()
# In cases when mm is an invalid pointer
if not proc_as:
continue
# Are we dealing with 32 or 64-bit pointers
bit_string = str(task.task.map.pmap.pm_task_map or '')[9:]
if bit_string.find("64BIT") == -1:
pack_format = "<I"
addr_sz = 4
addr_type = "unsigned int"
else:
pack_format = "<Q"
addr_sz = 8
addr_type = "unsigned long long"
procvars = []
for mapping in task.get_proc_maps():
if not str(mapping.get_perms()) == "rw-" or mapping.get_path(
).find("bash") == -1:
continue
env_start = 0
for off in range(mapping.links.start, mapping.links.end):
# check the first index
addrstr = proc_as.read(off, addr_sz)
if not addrstr or len(addrstr) != addr_sz:
continue
addr = struct.unpack(pack_format, addrstr)[0]
# check first idx...
if addr:
firstaddrstr = proc_as.read(addr, addr_sz)
if not firstaddrstr or len(firstaddrstr) != addr_sz:
continue
firstaddr = struct.unpack(pack_format, firstaddrstr)[0]
buf = proc_as.read(firstaddr, 64)
if not buf:
continue
eqidx = buf.find("=")
if eqidx > 0:
nullidx = buf.find("\x00")
# single char name, =
if nullidx >= eqidx:
env_start = addr
if env_start == 0:
continue
envars = obj.Object(theType="Array",
targetType=addr_type,
vm=proc_as,
offset=env_start,
count=256)
for var in envars:
if var:
sizes = [
8, 16, 32, 64, 128, 256, 384, 512, 1024, 2048, 4096
]
good_varstr = None
for size in sizes:
varstr = proc_as.read(var, size)
if not varstr:
continue
eqidx = varstr.find("=")
idx = varstr.find("\x00")
if idx == -1 or eqidx == -1 or idx < eqidx:
continue
good_varstr = varstr
break
if good_varstr:
good_varstr = good_varstr[:idx]
procvars.append(good_varstr)
yield task, " ".join(procvars)
break
def calculate(self):
common.set_plugin_members(self)
for proc in mac_tasks.mac_tasks(self._config).calculate():
bit_string = str(proc.task.map.pmap.pm_task_map or '')[9:]
# get proc args and arg address
args = proc.get_arguments()
args_addr = proc.user_stack - proc.p_argslen
# get threads
qentry = proc.task.threads
seen_threads = []
thread_list = []
active_threads = self.get_active_threads()
for thread in qentry.thread_walk_list(qentry.obj_offset):
if thread.obj_offset not in seen_threads:
seen_threads.append(thread.obj_offset)
thread_list.append(thread)
# get proc maps
maps = self.get_stack_map(proc, thread_list, bit_string)
# get thread stack start and size
for thread in thread_list:
stack_start = 0
stack_size = 0
thread_args = ""
registers = {}
is_active = "NO"
dtraced = "NO"
debugged = "NO"
uid = "NONE"
for proc, map, map_path in maps:
if "thread id {0}".format(thread.thread_id) in map_path:
if stack_start == 0 or stack_start > map.links.start:
stack_start = map.links.start
stack_size += map.links.end - map.links.start
# find thread with args, which probably is main thread
if map.links.start < args_addr < map.links.end:
thread_args = args
# kernel_stack process
# thread stack information is empty for kernel threads
if str(proc.p_pid) == "0":
stack_start = thread.kernel_stack
registers = self.get_thread_registers(thread, bit_string)
if self.is_thread_active(thread, active_threads):
is_active = "YES"
# check if thread is being hardware debugged, ids = x86_debug_state64
if thread.machine.ids != 0:
debugged = "YES"
# check if dtrace probe is applied
if "TH_OPT_DTRACE" in str(thread.options):
dtraced = "YES"
#get thread User ID
#if thread.uthread != 0:
#uid = thread.uthread.dereference_as('uthread').uu_context.vc_ucred.cr_posix.cr_uid
yield proc, thread, stack_start, stack_size, thread_args, registers, is_active, dtraced, debugged, uid
proc = proc.p_list.le_next.dereference()
self.get_active_threads()
def getpidlist(self):
return pstasks.mac_tasks(self._config).calculate()
def getpidlist(self):
return list(pstasks.mac_tasks(self._config).allprocs())
def getpidlist(self):
return pstasks.mac_tasks(self._config).calculate()
def _get_procs_from_tasks(self):
return [p.v() for p in pstasks.mac_tasks(self._config).calculate()]
def calculate(self):
mac_common.set_plugin_members(self)
tasks = mac_tasks.mac_tasks(self._config).calculate()
for task in tasks:
proc_as = task.get_process_address_space()
if not self._config.HISTORY_LIST:
# Do we scan everything or just /bin/bash instances?
if not (self._config.SCAN_ALL or str(task.p_comm) == "bash"):
continue
bit_string = str(task.task.map.pmap.pm_task_map or '')[9:]
if bit_string.find("64BIT") == -1:
pack_format = "<I"
hist_struct = "bash32_hist_entry"
else:
pack_format = "<Q"
hist_struct = "bash64_hist_entry"
# Brute force the history list of an address isn't provided
ts_offset = proc_as.profile.get_obj_offset(hist_struct, "timestamp")
history_entries = []
bang_addrs = []
# Look for strings that begin with pound/hash on the process heap
for ptr_hash in task.search_process_memory_rw_nofile(["#"]):
# Find pointers to this strings address, also on the heap
addr = struct.pack(pack_format, ptr_hash)
bang_addrs.append(addr)
for (idx, ptr_string) in enumerate(task.search_process_memory_rw_nofile(bang_addrs)):
# Check if we found a valid history entry object
hist = obj.Object(hist_struct,
offset = ptr_string - ts_offset,
vm = proc_as)
if hist.is_valid():
history_entries.append(hist)
# Report everything we found in order
for hist in sorted(history_entries, key = attrgetter('time_as_integer')):
yield task, hist
else:
the_history_addr = the_history_addr = self._config.HISTORY_LIST
the_history = obj.Object("Pointer", vm = proc_as, offset = the_history_addr)
max_ents = 2001
the_history = obj.Object(theType = 'Array', offset = the_history,
vm = proc_as, targetType = 'Pointer',
count = max_ents)
for ptr in the_history:
if not ptr:
if self._config.PRINTUNALLOC:
continue
else:
break
hist = ptr.dereference_as("_hist_entry")
if hist.is_valid():
yield task, hist
def calculate(self):
mac_common.set_plugin_members(self)
tasks = mac_tasks.mac_tasks(self._config).calculate()
for task in tasks:
proc_as = task.get_process_address_space()
# In cases when mm is an invalid pointer
if not proc_as:
continue
# Are we dealing with 32 or 64-bit pointers
bit_string = str(task.task.map.pmap.pm_task_map or '')[9:]
if bit_string.find("64BIT") == -1:
pack_format = "<I"
addr_sz = 4
addr_type = "unsigned int"
else:
pack_format = "<Q"
addr_sz = 8
addr_type = "unsigned long long"
procvars = []
for mapping in task.get_proc_maps():
if not str(mapping.get_perms()) == "rw-" or mapping.get_path().find("bash") == -1:
continue
env_start = 0
for off in range(mapping.links.start, mapping.links.end):
# check the first index
addrstr = proc_as.read(off, addr_sz)
if not addrstr or len(addrstr) != addr_sz:
continue
addr = struct.unpack(pack_format, addrstr)[0]
# check first idx...
if addr:
firstaddrstr = proc_as.read(addr, addr_sz)
if not firstaddrstr or len(firstaddrstr) != addr_sz:
continue
firstaddr = struct.unpack(pack_format, firstaddrstr)[0]
buf = proc_as.read(firstaddr, 64)
if not buf:
continue
eqidx = buf.find("=")
if eqidx > 0:
nullidx = buf.find("\x00")
# single char name, =
if nullidx >= eqidx:
env_start = addr
if env_start == 0:
continue
envars = obj.Object(theType="Array", targetType=addr_type, vm=proc_as, offset=env_start, count=256)
for var in envars:
if var:
sizes = [8, 16, 32, 64, 128, 256, 384, 512, 1024, 2048, 4096]
good_varstr = None
for size in sizes:
varstr = proc_as.read(var, size)
if not varstr:
continue
eqidx = varstr.find("=")
idx = varstr.find("\x00")
if idx == -1 or eqidx == -1 or idx < eqidx:
continue
good_varstr = varstr
break
if good_varstr:
good_varstr = good_varstr[:idx]
procvars.append(good_varstr)
yield task, " ".join(procvars)
break
def check_mac_tasks(self): procs = dict((v.obj_offset,(v, v.size())) for v in macpstasks.mac_tasks(self._config).obtainTasks()) return procs
