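def IOSFrames(coredumpFilename, filenameIOMEM, filenamePCAP, options):
    """Carve packet frames out of an IOMEM dump and write them to a PCAP file.

    The heap region of the core dump is parsed and every block whose resolved
    allocation name is '*Packet Header*' is read as a packet-header record: a
    big-endian 32-bit frame address at data offset 40 and a big-endian 16-bit
    frame length at data offset 72.  Records with a non-zero address and length
    are hex-dumped to stdout and added to the PCAP.

    Both dumps are untrusted input (they come from the device under analysis),
    so a record is skipped when its header data is too short for the two fields
    or when the referenced frame does not lie completely inside the IOMEM image;
    either case is reported on stdout instead of producing a wrong or truncated
    frame.

    Args:
        coredumpFilename: path of the IOS core dump (source of the heap region).
        filenameIOMEM: path of the IOMEM dump the frame addresses point into.
        filenamePCAP: path of the PCAP file to write.
        options: parsed command-line options; not consulted by this function.

    Returns:
        None.  Parse errors are reported on stdout and abort the extraction.
    """
    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        print(oIOSCoreDump.error)
        return
    _addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        print('Heap region not found')
        return
    oIOSMemoryParserHeap = naft_impf.cIOSMemoryParser(memoryHeap)
    oIOSMemoryParserHeap.ResolveNames(oIOSCoreDump)

    dataIOMEM = naft_uf.File2Data(filenameIOMEM)
    oIOSMemoryParserIOMEM = naft_impf.cIOSMemoryParser(dataIOMEM)
    addressIOMEM = oIOSMemoryParserIOMEM.baseAddress
    if addressIOMEM is None:
        print('Error parsing IOMEM')
        return
    sizeIOMEM = len(dataIOMEM)

    oFrames = naft_pfef.cFrames()
    print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
    for oIOSMemoryBlockHeader in oIOSMemoryParserHeap.Headers:
        if oIOSMemoryBlockHeader.AllocNameResolved != '*Packet Header*':
            continue
        data = oIOSMemoryBlockHeader.GetData()
        # Too short to hold both fields: skipping avoids a struct.error on a
        # truncated or corrupted block.
        if len(data) < 74:
            continue
        frameAddress = struct.unpack('>I', data[40:44])[0]
        frameSize = struct.unpack('>H', data[72:74])[0]
        if frameAddress == 0 or frameSize == 0:
            continue
        # A pointer below the IOMEM base would give a negative slice start and
        # silently return data from the end of the image; a frame running past
        # the image would be silently truncated.  Neither belongs in the PCAP.
        offset = frameAddress - addressIOMEM
        if offset < 0 or offset + frameSize > sizeIOMEM:
            print('Frame at 0x%08X (%d bytes) lies outside IOMEM, skipped' % (frameAddress, frameSize))
            continue
        print(oIOSMemoryBlockHeader.ShowLine())
        frameData = dataIOMEM[offset:offset + frameSize]
        naft_uf.DumpBytes(frameData, frameAddress)
        oFrames.AddFrame(offset, frameData, True)
    oFrames.WritePCAP(filenamePCAP)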
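def IOSFrames(coredumpFilename, filenameIOMEM, filenamePCAP, options):
    """Carve packet frames out of an IOMEM dump and write them to a PCAP file.

    The heap region of the core dump is parsed and every block whose resolved
    allocation name is '*Packet Header*' is read as a packet-header record: a
    big-endian 32-bit frame address at data offset 40 and a big-endian 16-bit
    frame length at data offset 72.  When that length is 0 or 1, the 16-bit
    field at data offset 68 is used instead (which IOS builds use which field
    is not documented here).  Records with a non-zero address and length are
    hex-dumped to stdout and added to the PCAP.

    Both dumps are untrusted input (they come from the device under analysis),
    so a record is skipped when its header data is too short for the fields or
    when the referenced frame does not lie completely inside the IOMEM image;
    either case is reported on stdout instead of producing a wrong or truncated
    frame.

    Args:
        coredumpFilename: path of the IOS core dump (source of the heap region).
        filenameIOMEM: path of the IOMEM dump the frame addresses point into.
        filenamePCAP: path of the PCAP file to write.
        options: parsed command-line options; not consulted by this function.

    Returns:
        None.  Parse errors are reported on stdout and abort the extraction.
    """
    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        print(oIOSCoreDump.error)
        return
    _addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        print('Heap region not found')
        return
    oIOSMemoryParserHeap = naft_impf.cIOSMemoryParser(memoryHeap)
    oIOSMemoryParserHeap.ResolveNames(oIOSCoreDump)

    dataIOMEM = naft_uf.File2Data(filenameIOMEM)
    oIOSMemoryParserIOMEM = naft_impf.cIOSMemoryParser(dataIOMEM)
    addressIOMEM = oIOSMemoryParserIOMEM.baseAddress
    if addressIOMEM is None:
        print('Error parsing IOMEM')
        return
    sizeIOMEM = len(dataIOMEM)

    oFrames = naft_pfef.cFrames()
    print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
    for oIOSMemoryBlockHeader in oIOSMemoryParserHeap.Headers:
        if oIOSMemoryBlockHeader.AllocNameResolved != '*Packet Header*':
            continue
        data = oIOSMemoryBlockHeader.GetData()
        # Too short to hold the fields: skipping avoids a struct.error on a
        # truncated or corrupted block.
        if len(data) < 74:
            continue
        frameAddress = struct.unpack('>I', data[40:44])[0]
        frameSize = struct.unpack('>H', data[72:74])[0]
        if frameSize <= 1:
            # Alternate length field; used when the one at offset 72 is 0 or 1.
            frameSize = struct.unpack('>H', data[68:70])[0]
        if frameAddress == 0 or frameSize == 0:
            continue
        # A pointer below the IOMEM base would give a negative slice start and
        # silently return data from the end of the image; a frame running past
        # the image would be silently truncated.  Neither belongs in the PCAP.
        offset = frameAddress - addressIOMEM
        if offset < 0 or offset + frameSize > sizeIOMEM:
            print('Frame at 0x%08X (%d bytes) lies outside IOMEM, skipped' % (frameAddress, frameSize))
            continue
        print(oIOSMemoryBlockHeader.ShowLine())
        frameData = dataIOMEM[offset:offset + frameSize]
        naft_uf.DumpBytes(frameData, frameAddress)
        oFrames.AddFrame(offset, frameData, True)
    oFrames.WritePCAP(filenamePCAP)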
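def IOSIntegrityText(coredumpFilename, options):
    """Run heap-integrity checks on an IOS core dump and return an HTML-ish report.

    Four checks run over the parsed heap block headers: the begin magic of
    every block, the end canary of every block with RefCnt > 0, the PrevBlock
    link of every block but the first, and the NextBlock link of every block
    but the last.  Each check contributes its title, then either one ShowLine
    per failing block or 'OK'; every line is terminated with '<br>'.  Blocks
    that fail are candidates for heap corruption; what caused it is for the
    analyst to decide.

    Args:
        coredumpFilename: path of the IOS core dump.
        options: parsed command-line options; not consulted by this function.

    Returns:
        The report as one string.  When the dump cannot be parsed or has no
        heap region, the error text is returned instead.
    """
    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        return oIOSCoreDump.error
    _addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        return 'Heap region not found'
    oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
    headers = oIOSMemoryParser.Headers

    # Collected report lines; joined once at the end instead of repeated
    # string concatenation.
    parts = []

    def _check(title, candidates, isBroken):
        # One check: title, then the failing block lines or 'OK'.
        parts.append(title)
        hit = False
        for oIOSMemoryBlockHeader in candidates:
            if isBroken(oIOSMemoryBlockHeader):
                parts.append(oIOSMemoryBlockHeader.ShowLine() + '<br>')
                hit = True
        if not hit:
            parts.append('OK<br>')

    def _beginMagicBroken(oIOSMemoryBlockHeader):
        return oIOSMemoryBlockHeader.GetRawData()[0:4] != naft_impf.cCiscoMagic.STR_BLOCK_BEGIN

    def _endCanaryBroken(oIOSMemoryBlockHeader):
        # Only referenced blocks (RefCnt > 0) are expected to carry the canary.
        canary = struct.unpack('>I', oIOSMemoryBlockHeader.GetRawData()[-4:])[0]
        return canary != naft_impf.cCiscoMagic.INT_BLOCK_CANARY and oIOSMemoryBlockHeader.RefCnt > 0

    _check('Check start magic:<br>', headers, _beginMagicBroken)
    _check('Check end magic:<br>', headers, _endCanaryBroken)
    _check('Check previous block:<br>', headers[1:], lambda h: h.PrevBlock == 0)
    _check('Check next block: <br>', headers[:-1], lambda h: h.NextBlock == 0)
    return ''.join(parts)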
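def FilterInitBlocksForString(coredumpFilename, searchTerm):
    """Return the ASCII strings found in 'Init' heap blocks that contain *searchTerm*.

    The heap region of the core dump is parsed, allocation names are resolved,
    and every block whose resolved name is 'Init' is searched for ASCII
    strings; the strings containing *searchTerm* are collected in heap order.

    Args:
        coredumpFilename: path of the IOS core dump.
        searchTerm: substring each returned string must contain.

    Returns:
        The matching strings as a list.  Parse errors and a missing heap
        region are reported on stdout and yield an empty list.
    """
    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        print(oIOSCoreDump.error)
        return []
    _addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        print('Heap region not found')
        return []
    oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
    oIOSMemoryParser.ResolveNames(oIOSCoreDump)
    found = []
    for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
        if oIOSMemoryBlockHeader.AllocNameResolved != 'Init':
            continue
        dStrings = naft_uf.SearchASCIIStrings(oIOSMemoryBlockHeader.GetData())
        found.extend(value for value in dStrings.values() if searchTerm in value)
    return found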
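def IOSIntegrityText(coredumpFilename, options):
    """Run heap-integrity checks on an IOS core dump and print the results.

    Four checks run over the parsed heap block headers: the begin magic of
    every block, the end canary of every block with RefCnt > 0, the PrevBlock
    link of every block but the first, and the NextBlock link of every block
    but the last.  Each check prints its title, then either one ShowLine per
    failing block or 'OK'.  Blocks that fail are candidates for heap
    corruption; what caused it is for the analyst to decide.

    Args:
        coredumpFilename: path of the IOS core dump.
        options: parsed command-line options; not consulted by this function.

    Returns:
        None.  Parse errors and a missing heap region are printed and abort
        the checks.
    """
    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        print(oIOSCoreDump.error)
        return
    _addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        print('Heap region not found')
        return
    oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
    headers = oIOSMemoryParser.Headers

    def _check(title, candidates, isBroken):
        # One check: title, then the failing block lines or 'OK'.
        print(title)
        hit = False
        for oIOSMemoryBlockHeader in candidates:
            if isBroken(oIOSMemoryBlockHeader):
                print(oIOSMemoryBlockHeader.ShowLine())
                hit = True
        if not hit:
            print('OK')

    def _beginMagicBroken(oIOSMemoryBlockHeader):
        return oIOSMemoryBlockHeader.GetRawData()[0:4] != naft_impf.cCiscoMagic.STR_BLOCK_BEGIN

    def _endCanaryBroken(oIOSMemoryBlockHeader):
        # Only referenced blocks (RefCnt > 0) are expected to carry the canary.
        canary = struct.unpack('>I', oIOSMemoryBlockHeader.GetRawData()[-4:])[0]
        return canary != naft_impf.cCiscoMagic.INT_BLOCK_CANARY and oIOSMemoryBlockHeader.RefCnt > 0

    _check('Check start magic:', headers, _beginMagicBroken)
    _check('Check end magic:', headers, _endCanaryBroken)
    _check('Check previous block:', headers[1:], lambda h: h.PrevBlock == 0)
    _check('Check next block:', headers[:-1], lambda h: h.NextBlock == 0)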
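def FilterInitBlocksForString(coredumpFilename, searchTerm):
    """Return the ASCII strings found in 'Init' heap blocks that contain *searchTerm*.

    The heap region of the core dump is parsed, allocation names are resolved,
    and every block whose resolved name is 'Init' is searched for ASCII
    strings; the strings containing *searchTerm* are collected in heap order.

    Args:
        coredumpFilename: path of the IOS core dump.
        searchTerm: substring each returned string must contain.

    Returns:
        The matching strings as a list.  A core-dump parse error is not
        reported (the caller only sees an empty list); a missing heap region
        is reported on stdout and also yields an empty list.
    """
    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        # Intentionally silent: the message stays in oIOSCoreDump.error.
        return []
    _addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        print('Heap region not found')
        return []
    oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
    oIOSMemoryParser.ResolveNames(oIOSCoreDump)
    found = []
    for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
        if oIOSMemoryBlockHeader.AllocNameResolved != 'Init':
            continue
        dStrings = naft_uf.SearchASCIIStrings(oIOSMemoryBlockHeader.GetData())
        found.extend(value for value in dStrings.values() if searchTerm in value)
    return found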
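def IOSHeap(coredumpFilename, options):
    """List the heap blocks of an IOS core dump, optionally filtered by allocation name.

    With an empty options.filter the parser's own listing is shown.  Otherwise
    the header line is printed and every block whose resolved allocation name
    equals options.filter is reported: its ShowLine, or (with options.strings)
    the ASCII strings it contains, and (with options.dump) a hex dump of its
    data.

    Options read: resolve, filter, strings, grep, minimum, dump.  Names are
    resolved when options.resolve is set or a filter is given.

    Args:
        coredumpFilename: path of the IOS core dump.
        options: parsed command-line options (attributes listed above).

    Returns:
        None.  Parse errors and a missing heap region are printed and abort
        the listing.
    """
    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        print(oIOSCoreDump.error)
        return
    _addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        print('Heap region not found')
        return
    oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
    if options.resolve or options.filter != '':
        oIOSMemoryParser.ResolveNames(oIOSCoreDump)
    if options.filter == '':
        oIOSMemoryParser.Show()
        return

    def _stringAddress(oIOSMemoryBlockHeader, key):
        # Address shown for a string found at offset `key` of the block data.
        return oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key

    def _printStrings(oIOSMemoryBlockHeader):
        # Strings report for one block.  With options.grep set, only matching
        # strings are shown and the block line precedes the first match;
        # otherwise all strings are shown when the block has at least
        # options.minimum of them (0 = no minimum).
        dStrings = naft_uf.SearchASCIIStrings(oIOSMemoryBlockHeader.GetData())
        if options.grep != '':
            printHeader = True
            for key, value in dStrings.items():
                if options.grep in value:
                    if printHeader:
                        print(oIOSMemoryBlockHeader.ShowLine())
                        printHeader = False
                    print(' %08X: %s' % (_stringAddress(oIOSMemoryBlockHeader, key), value))
        elif options.minimum == 0 or len(dStrings) >= options.minimum:
            print(oIOSMemoryBlockHeader.ShowLine())
            for key, value in dStrings.items():
                print(' %08X: %s' % (_stringAddress(oIOSMemoryBlockHeader, key), value))

    print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
    for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
        if oIOSMemoryBlockHeader.AllocNameResolved != options.filter:
            continue
        if options.strings:
            _printStrings(oIOSMemoryBlockHeader)
        else:
            print(oIOSMemoryBlockHeader.ShowLine())
        if options.dump:
            naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetData(), oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.headerSize)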
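def IOSHeap(coredumpFilename, options):
    """List, scan or export the heap blocks of an IOS core dump; return a report.

    Module-level ``decoders`` is reset and LoadDecoders(options.decoders, True)
    is expected to populate it.  When options.yara is not None the YARA rules
    are compiled up front (the 'yara' module must already be imported).

    With an empty options.filter one of three modes runs:
      * options.write: every block is printed and its data written to
        '<coredumpFilename>-heap-0x<address>.data';
      * options.yara: every block's data, plus each decoder's output, is
        matched against the rules and matches are printed (string details
        when options.yarastrings is set);
      * otherwise the parser's Show() text becomes the report.
    Those first two modes print to stdout and leave the report empty.

    With a filter, the header line and every block whose resolved allocation
    name equals options.filter are added to the report as '<br>'-terminated
    lines: the ShowLine, or (with options.strings) the ASCII strings it
    contains; options.dump / options.dumpraw hex-dump the data / raw block on
    stdout and options.write exports the data as above.

    Options read: decoders, yara, yarastrings, decoderoptions, resolve,
    filter, write, strings, grep, minimum, dump, dumpraw.

    Args:
        coredumpFilename: path of the IOS core dump.
        options: parsed command-line options (attributes listed above).

    Returns:
        The report string; on a parse error or missing heap region the error
        text; the empty string when the YARA module is unavailable.
    """
    global decoders
    decoders = []
    LoadDecoders(options.decoders, True)
    rules = None
    if options.yara is not None:
        if 'yara' not in sys.modules:
            print('Error: option yara requires the YARA Python module.')
            return ''
        rules = YARACompile(options.yara)

    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        return oIOSCoreDump.error
    _addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        return 'Heap region not found'
    oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
    if options.resolve or options.filter != '':
        oIOSMemoryParser.ResolveNames(oIOSCoreDump)

    def _writeBlock(oIOSMemoryBlockHeader):
        # Export one block's data next to the core dump, named by its address.
        naft_uf.Data2File(oIOSMemoryBlockHeader.GetData(), '%s-heap-0x%08X.data' % (coredumpFilename, oIOSMemoryBlockHeader.address))

    def _scanBlockWithYARA(oIOSMemoryBlockHeader):
        # Match the block data, undecoded and through every loaded decoder,
        # against the compiled rules; the block line is printed once, before
        # the first match.
        data = oIOSMemoryBlockHeader.GetData()
        oDecoders = [cIdentity(data, None)]
        for cDecoder in decoders:
            try:
                oDecoders.append(cDecoder(data, options.decoderoptions))
            except Exception:
                print('Error instantiating decoder: %s' % cDecoder.name)
                raise
        linePrinted = False
        for oDecoder in oDecoders:
            while oDecoder.Available():
                for result in rules.match(data=oDecoder.Decode()):
                    if not linePrinted:
                        print(oIOSMemoryBlockHeader.ShowLine())
                        linePrinted = True
                    decoderTag = '' if oDecoder.Name() == '' else ' (decoder: %s)' % oDecoder.Name()
                    print(' YARA rule%s: %s' % (decoderTag, result.rule))
                    if options.yarastrings:
                        # NOTE(review): indexes each match as the (offset,
                        # identifier, data) tuple of yara-python before 4.3;
                        # 4.3+ returns StringMatch objects here — confirm the
                        # installed version.
                        for stringdata in result.strings:
                            print(' %06x %s:' % (stringdata[0], stringdata[1]))
                            print(' %s' % binascii.hexlify(stringdata[2]))
                            print(' %s' % repr(stringdata[2]))

    def _blockStringsReport(oIOSMemoryBlockHeader):
        # '<br>'-terminated report lines for the ASCII strings of one block.
        # With options.grep set, only matching strings are listed and the
        # block line precedes the first match; otherwise all strings are
        # listed when the block has at least options.minimum of them
        # (0 = no minimum).
        dStrings = naft_uf.SearchASCIIStrings(oIOSMemoryBlockHeader.GetData())
        lines = []
        if options.grep != '':
            for key, value in dStrings.items():
                if options.grep in value:
                    if not lines:
                        lines.append(oIOSMemoryBlockHeader.ShowLine() + '<br>')
                    lines.append(' %08X: %s<br>' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value))
        elif options.minimum == 0 or len(dStrings) >= options.minimum:
            lines.append(oIOSMemoryBlockHeader.ShowLine() + '<br>')
            for key, value in dStrings.items():
                lines.append(' %08X: %s<br>' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value))
        return lines

    parts = []
    if options.filter == '':
        if options.write:
            print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
            for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
                print(oIOSMemoryBlockHeader.ShowLine())
                _writeBlock(oIOSMemoryBlockHeader)
        elif options.yara:
            print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
            for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
                _scanBlockWithYARA(oIOSMemoryBlockHeader)
        else:
            parts.append(oIOSMemoryParser.Show())
    else:
        parts.append(naft_impf.cIOSMemoryBlockHeader.ShowHeader + '<br>')
        for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
            if oIOSMemoryBlockHeader.AllocNameResolved != options.filter:
                continue
            if options.strings:
                parts.extend(_blockStringsReport(oIOSMemoryBlockHeader))
            else:
                parts.append(oIOSMemoryBlockHeader.ShowLine() + '<br>')
            if options.dump:
                naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetData(), oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.headerSize)
            if options.dumpraw:
                naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetRawData(), oIOSMemoryBlockHeader.address)
            if options.write:
                _writeBlock(oIOSMemoryBlockHeader)
    return ''.join(parts)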
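def IOSHeap(coredumpFilename, options):
    """List, scan or export the heap blocks of an IOS core dump on stdout.

    Module-level ``decoders`` is reset and LoadDecoders(options.decoders, True)
    is expected to populate it.  When options.yara is not None the YARA rules
    are compiled up front (the 'yara' module must already be imported).

    With an empty options.filter one of three modes runs:
      * options.write: every block is printed and its data written to
        '<coredumpFilename>-heap-0x<address>.data';
      * options.yara: every block's data, plus each decoder's output, is
        matched against the rules and matches are printed (string details
        when options.yarastrings is set);
      * otherwise the parser's own listing is shown.

    With a filter, the header line and every block whose resolved allocation
    name equals options.filter are printed: the ShowLine, or (with
    options.strings) the ASCII strings it contains; options.dump /
    options.dumpraw hex-dump the data / raw block and options.write exports
    the data as above.

    Options read: decoders, yara, yarastrings, decoderoptions, resolve,
    filter, write, strings, grep, minimum, dump, dumpraw.

    Args:
        coredumpFilename: path of the IOS core dump.
        options: parsed command-line options (attributes listed above).

    Returns:
        None.  A missing YARA module, a parse error or a missing heap region
        is printed and aborts the listing.
    """
    global decoders
    decoders = []
    LoadDecoders(options.decoders, True)
    rules = None
    if options.yara is not None:
        if 'yara' not in sys.modules:
            print('Error: option yara requires the YARA Python module.')
            return
        rules = YARACompile(options.yara)

    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        print(oIOSCoreDump.error)
        return
    _addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        print('Heap region not found')
        return
    oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
    if options.resolve or options.filter != '':
        oIOSMemoryParser.ResolveNames(oIOSCoreDump)

    def _writeBlock(oIOSMemoryBlockHeader):
        # Export one block's data next to the core dump, named by its address.
        naft_uf.Data2File(oIOSMemoryBlockHeader.GetData(), '%s-heap-0x%08X.data' % (coredumpFilename, oIOSMemoryBlockHeader.address))

    def _scanBlockWithYARA(oIOSMemoryBlockHeader):
        # Match the block data, undecoded and through every loaded decoder,
        # against the compiled rules; the block line is printed once, before
        # the first match.
        data = oIOSMemoryBlockHeader.GetData()
        oDecoders = [cIdentity(data, None)]
        for cDecoder in decoders:
            try:
                oDecoders.append(cDecoder(data, options.decoderoptions))
            except Exception:
                print('Error instantiating decoder: %s' % cDecoder.name)
                raise
        linePrinted = False
        for oDecoder in oDecoders:
            while oDecoder.Available():
                for result in rules.match(data=oDecoder.Decode()):
                    if not linePrinted:
                        print(oIOSMemoryBlockHeader.ShowLine())
                        linePrinted = True
                    decoderTag = '' if oDecoder.Name() == '' else ' (decoder: %s)' % oDecoder.Name()
                    print(' YARA rule%s: %s' % (decoderTag, result.rule))
                    if options.yarastrings:
                        # NOTE(review): indexes each match as the (offset,
                        # identifier, data) tuple of yara-python before 4.3;
                        # 4.3+ returns StringMatch objects here — confirm the
                        # installed version.
                        for stringdata in result.strings:
                            print(' %06x %s:' % (stringdata[0], stringdata[1]))
                            print(' %s' % binascii.hexlify(stringdata[2]))
                            print(' %s' % repr(stringdata[2]))

    def _printBlockStrings(oIOSMemoryBlockHeader):
        # Strings report for one block.  With options.grep set, only matching
        # strings are shown and the block line precedes the first match;
        # otherwise all strings are shown when the block has at least
        # options.minimum of them (0 = no minimum).
        dStrings = naft_uf.SearchASCIIStrings(oIOSMemoryBlockHeader.GetData())
        if options.grep != '':
            printHeader = True
            for key, value in dStrings.items():
                if options.grep in value:
                    if printHeader:
                        print(oIOSMemoryBlockHeader.ShowLine())
                        printHeader = False
                    print(' %08X: %s' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value))
        elif options.minimum == 0 or len(dStrings) >= options.minimum:
            print(oIOSMemoryBlockHeader.ShowLine())
            for key, value in dStrings.items():
                print(' %08X: %s' % (oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize + key, value))

    if options.filter == '':
        if options.write:
            print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
            for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
                print(oIOSMemoryBlockHeader.ShowLine())
                _writeBlock(oIOSMemoryBlockHeader)
        elif options.yara:
            print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
            for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
                _scanBlockWithYARA(oIOSMemoryBlockHeader)
        else:
            oIOSMemoryParser.Show()
        return

    print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
    for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
        if oIOSMemoryBlockHeader.AllocNameResolved != options.filter:
            continue
        if options.strings:
            _printBlockStrings(oIOSMemoryBlockHeader)
        else:
            print(oIOSMemoryBlockHeader.ShowLine())
        if options.dump:
            naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetData(), oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.headerSize)
        if options.dumpraw:
            naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetRawData(), oIOSMemoryBlockHeader.address)
        if options.write:
            _writeBlock(oIOSMemoryBlockHeader)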