示例#1
0
    def GenerateVADVolatilityResult(process_list):
        volatility_response = rdfvalue.VolatilityResult()

        section = rdfvalue.VolatilitySection()
        section.table.headers.Append(print_name="Protection",
                                     name="protection")
        section.table.headers.Append(print_name="start", name="start_pfn")
        section.table.headers.Append(print_name="Filename", name="filename")

        for proc in process_list:
            section.table.rows.Append(values=[
                rdfvalue.VolatilityValue(type="__MMVAD_FLAGS",
                                         name="VadFlags",
                                         offset=0,
                                         vm="None",
                                         value=7,
                                         svalue="EXECUTE_WRITECOPY"),
                rdfvalue.VolatilityValue(value=42),
                rdfvalue.VolatilityValue(
                    type="_UNICODE_STRING",
                    name="FileName",
                    offset=275427702111096,
                    vm="AMD64PagedMemory@0x00187000 (Kernel AS@0x187000)",
                    value=275427702111096,
                    svalue=proc)
            ])
        volatility_response.sections.Append(section)

        return volatility_response
示例#2
0
  def testVolatilityResultToExportedVolatilityMutantConverter(self):
    volatility_values_1 = rdfvalue.VolatilityValues(values=[
        rdfvalue.VolatilityValue(value=50211728),
        rdfvalue.VolatilityValue(value=1),
        rdfvalue.VolatilityValue(value=1),
        rdfvalue.VolatilityValue(value=1),
        rdfvalue.VolatilityValue(value=0),
        rdfvalue.VolatilityValue(svalue=""),
        rdfvalue.VolatilityValue()])
    volatility_values_2 = rdfvalue.VolatilityValues(values=[
        rdfvalue.VolatilityValue(value=50740512),
        rdfvalue.VolatilityValue(value=2),
        rdfvalue.VolatilityValue(value=2),
        rdfvalue.VolatilityValue(value=0),
        rdfvalue.VolatilityValue(value=275427826012256),
        rdfvalue.VolatilityValue(svalue="163255304:2168"),
        rdfvalue.VolatilityValue(svalue="XYZLock")])

    volatility_table = rdfvalue.VolatilityTable(
        headers=[rdfvalue.VolatilityHeader(name="offset_p"),
                 rdfvalue.VolatilityHeader(name="ptr_count"),
                 rdfvalue.VolatilityHeader(name="hnd_count"),
                 rdfvalue.VolatilityHeader(name="mutant_signal"),
                 rdfvalue.VolatilityHeader(name="mutant_thread"),
                 rdfvalue.VolatilityHeader(name="cid"),
                 rdfvalue.VolatilityHeader(name="mutant_name")],
        rows=[volatility_values_1,
              volatility_values_2])
    volatility_result = rdfvalue.VolatilityResult(
        plugin="mutantscan",
        sections=[rdfvalue.VolatilitySection(table=volatility_table)])

    converter = export.VolatilityResultToExportedVolatilityMutantConverter()
    results = list(converter.Convert(rdfvalue.ExportedMetadata(),
                                     volatility_result,
                                     token=self.token))

    self.assertEqual(len(results), 2)
    self.assertEqual(results[0].offset, 50211728)
    self.assertEqual(results[0].ptr_count, 1)
    self.assertEqual(results[0].handle_count, 1)
    self.assertEqual(results[0].signal, 1)
    self.assertEqual(results[0].thread, 0)
    self.assertEqual(results[0].cid, "")
    self.assertEqual(results[0].name, "")

    self.assertEqual(results[1].offset, 50740512)
    self.assertEqual(results[1].ptr_count, 2)
    self.assertEqual(results[1].handle_count, 2)
    self.assertEqual(results[1].signal, 0)
    self.assertEqual(results[1].thread, 275427826012256)
    self.assertEqual(results[1].cid, "163255304:2168")
    self.assertEqual(results[1].name, "XYZLock")
示例#3
0
  def testVolatilityResultToExportedVolatilityHandleConverter(self):
    volatility_values_1 = rdfvalue.VolatilityValues(values=[
        rdfvalue.VolatilityValue(value=275427776305632),
        rdfvalue.VolatilityValue(value=4),
        rdfvalue.VolatilityValue(value=4),
        rdfvalue.VolatilityValue(value=2097151),
        rdfvalue.VolatilityValue(svalue="Process"),
        rdfvalue.VolatilityValue(svalue="System(4)"),
        rdfvalue.VolatilityValue()])
    volatility_values_2 = rdfvalue.VolatilityValues(values=[
        rdfvalue.VolatilityValue(value=273366078738336),
        rdfvalue.VolatilityValue(value=4),
        rdfvalue.VolatilityValue(value=8),
        rdfvalue.VolatilityValue(value=131103),
        rdfvalue.VolatilityValue(svalue="Key"),
        rdfvalue.VolatilityValue(
            svalue="MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\HIVELIST")])

    volatility_table = rdfvalue.VolatilityTable(
        headers=[rdfvalue.VolatilityHeader(name="offset_v"),
                 rdfvalue.VolatilityHeader(name="pid"),
                 rdfvalue.VolatilityHeader(name="handle"),
                 rdfvalue.VolatilityHeader(name="access"),
                 rdfvalue.VolatilityHeader(name="obj_type"),
                 rdfvalue.VolatilityHeader(name="details")],
        rows=[volatility_values_1,
              volatility_values_2])
    volatility_result = rdfvalue.VolatilityResult(
        plugin="mutantscan",
        sections=[rdfvalue.VolatilitySection(table=volatility_table)])

    converter = export.VolatilityResultToExportedVolatilityHandleConverter()
    results = list(converter.Convert(rdfvalue.ExportedMetadata(),
                                     volatility_result,
                                     token=self.token))

    self.assertEqual(len(results), 2)
    self.assertEqual(results[0].offset, 275427776305632)
    self.assertEqual(results[0].pid, 4)
    self.assertEqual(results[0].handle, 4)
    self.assertEqual(results[0].access, 2097151)
    self.assertEqual(results[0].type, "Process")
    self.assertEqual(results[0].path, "System(4)")

    self.assertEqual(results[1].offset, 273366078738336)
    self.assertEqual(results[1].pid, 4)
    self.assertEqual(results[1].handle, 8)
    self.assertEqual(results[1].access, 131103)
    self.assertEqual(results[1].type, "Key")
    self.assertEqual(results[1].path,
                     "MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\HIVELIST")
示例#4
0
 def VolatilityAction(self, _):
   ps_list_file = os.path.join(config_lib.CONFIG["Test.data_dir"],
                               "vol_pslist_result.dat")
   serialized_result = open(ps_list_file).read(100000)
   return [rdfvalue.VolatilityResult(serialized_result)]
示例#5
0
    def __init__(self, **kwargs):
        super(ProtobufRenderer, self).__init__(**kwargs)

        self.response = rdfvalue.VolatilityResult()
        self.active_section = None
        self.mode = None