def pslist(self):
"""Volatility pslist plugin.
@see volatility/plugins/taskmods.py
"""
log.debug("Executing Volatility pslist plugin on "
"{0}".format(self.memdump))
self.__config()
results = []
command = taskmods.PSList(self.config)
for process in command.calculate():
new = {
"process_name": str(process.ImageFileName),
"process_id": int(process.UniqueProcessId),
"parent_id": int(process.InheritedFromUniqueProcessId),
"num_threads": str(process.ActiveThreads),
"num_handles": str(process.ObjectTable.HandleCount),
"session_id": str(process.SessionId),
"create_time": str(process.CreateTime or ""),
"exit_time": str(process.ExitTime or ""),
}
results.append(new)
return dict(config={}, data=results)
def main():
if len(sys.argv) != 4:
print "Usage: %s %s %s %s" % (sys.argv[0], "profile", "memdump", "targetprocname")
sys.exit(1)
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = sys.argv[1]
config.LOCATION = sys.argv[2]
processes = taskmods.PSList(config)
target = filter_by_name(processes, sys.argv[3])
# .text info
imagebase, va, rawsize = get_text_section_info(target)
if imagebase == None:
print "[-] Error: probably wrong .text section name"
sys.exit(1)
text_start = imagebase + va
text_end = imagebase + va + rawsize
permissions = get_vad_protect_flags(target, text_start, text_end)
print "0x%x-0x%x %s %s" % (text_start, text_end, permissions, TEXT_TAG)
# dll info
modules = get_dll_info(target)
# printing dll info
for name, info in modules.items():
dll_start = info[0]
dll_end = info[0] + info[1]
permissions = get_vad_protect_flags(target, dll_start, dll_end)
print "0x%x-0x%x %s %s" % (dll_start, dll_end, permissions, name)
# heap info
hs = get_heap_info(target)
# printing heap info
for h in hs:
heap_start = h.BaseAddress.v()
heap_end = h.LastValidEntry.v()
permissions = get_vad_protect_flags(target, heap_start, heap_end)
print "0x%x-0x%x %s %s" % (h.BaseAddress, h.LastValidEntry, permissions, HEAP_TAG)
# stack info
tebs = get_stack_info(target)
# printing stack info
for t in tebs:
stack_start = t.NtTib.StackBase.v()
stack_end = t.NtTib.StackLimit.v()
permissions = get_vad_protect_flags(target, stack_start, stack_end)
print "0x%x-0x%x %s %s" % (stack_start, stack_end, permissions, STACK_TAG)
def find_elites(self):
""" Find elite level implants using a distinctive shared memory region that the malware uses instead of a mutex"""
infected_pids = []
process_names = {}
display_indicators = []
p = handles.Handles(self._config)
for handle in p.calculate():
pid, handle, object_type, name = handle
if object_type == "Section":
if re.match(
"^[a-zA-Z0-9]{7,8}$", name
): # HT Implants map a 7/8 character shared memory section to use instead of a Mutex
# Elite implants have two watermarks per PID, so neither PIDs nor watermarks are unique.
infected_pids.append({
"pid": str(pid),
"watermark": name,
"confidence": 1,
"implant_type": "Elite"
})
# Now do post-processing of results
if infected_pids:
# Get a list of processes, so we can tie a name to a PID
p = taskmods.PSList(self._config)
for process in p.calculate():
process_names[str(process.UniqueProcessId)] = str(
process.ImageFileName)
deletelist = []
for i in infected_pids:
### Do Confidence correlation. ###
# If we have both a 7 and an 8 character watermark, this makes it more certain it's a HT elite implant
pid = i["pid"]
watermark = i["watermark"]
# Search through all the other infected pid/name combinations for a 7 char version of our 8 char watermark
searchlist = infected_pids
if len(watermark) == 8:
for j in infected_pids:
compare_pid = j["pid"]
compare_watermark = j["watermark"]
if len(compare_watermark) == 7 and compare_pid == pid:
# We've found both a 7 char and 8 char version - we're more confident that this is HT
i["confidence"] = i["confidence"] + 1
# Remove the shorter version from the list (attributable watermarks are 8 chars)
deletelist.append(j)
if i not in deletelist:
# Now see if the watermark can be attributed
if watermark in watermark_table:
i["threat_actor"] = watermark_table[watermark]
i["confidence"] = i[
"confidence"] + 1 # We've matched a Hacking Team client, we're pretty sure it's HT
# Tie process name to PID
if pid in process_names:
i["process_name"] = process_names[pid]
else:
i["process_name"] = "Not Found"
# If we've got more than one infected process, it's more likely that we've found a HT infection, and this is typical of an Elite level implant
if len(infected_pids) > 1:
i["confidence"] = i["confidence"] + 1
i["implant_type"] = "Elite/Soldier"
# Now delete the PIDS in the delete list
for j in deletelist:
del infected_pids[infected_pids.index(j)]
return infected_pids
registry.PluginImporter()
config = conf.ConfObject()
import volatility.commands as commands
import volatility.addrspace as addrspace
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://%s" % memory_file
import volatility.plugins.taskmods as taskmods
p = taskmods.PSList(config)
for process in p.calculate():
if str(process.ImageFileName) == "calc.exe":
print("[*] Found calc.exe with PID %d" % process.UniqueProcessId)
print("[*] Hunting for physical offsets...please wait.")
address_space = process.get_process_address_space()
pages = address_space.get_available_pages()
for page in pages:
physical = address_space.vtop(page[0])
if physical is not None:
if slack_space is None:
fd = open(memory_file, "r+")
shellCodeFd = open("cmeasure.bin", "rb")
shellContents = shellCodeFd.read()
shellCodeFd.close()
sys.path.append("<*****PATH TO VOLATILITY******>")
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrsspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = "<********PROFILE******>"
config.LOCATION = "file://%s" % memory_file
processes = taskmods.PSList(config)
for process in processes.calculate():
if str(process.ImageFileName) == "calc.exe":
print "[*] Found calc.exe with PID: %d" % process.UniqueProcessId
print "[*] Hunting for physical offsets...Please wait"
address_space = process.get_process_address_space()
pages = address_space.get_available_pages()
for page in pages:
physical = address_space.vtop(page[0])
if physical is not None:
if slack_space is None:
fd = open(memory_file, "r+")
fd.seek(physical)
buff = fd.read(page[1])
try:
