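def IOSProcesses(coredumpFilename, options):
    """Return a <br>-separated listing of the processes found in an IOS core dump.

    Arguments:
        coredumpFilename: path of the core dump handed to naft_impf.cIOSCoreDumpAnalysis.
        options: parsed command-line options; this function reads options.filter
            ('' for all processes, otherwise a decimal process ID), options.dump
            and options.statistics.

    Returns:
        The listing as one string. When the analysis object reports an error its
        error text is returned instead; a non-numeric options.filter yields an
        error line rather than an uncaught ValueError.

    Side effects:
        options.dump hex-dumps each selected process structure with
        naft_uf.DumpBytes; options.statistics calls PrintStatsAnalysis.
        Both write to stdout.
    """
    returnString = ''
    oIOSCoreDumpAnalysis = naft_impf.cIOSCoreDumpAnalysis(coredumpFilename)
    if oIOSCoreDumpAnalysis.error != '':
        return returnString + oIOSCoreDumpAnalysis.error

    # Parse the process-ID filter once instead of once per process; the original
    # re-ran int() inside the loop and let a bad value escape as ValueError.
    filterProcessID = None
    if options.filter != '':
        try:
            filterProcessID = int(options.filter)
        except ValueError:
            return returnString + ('Invalid process ID filter: %s<br>' % options.filter)

    # NOTE(review): process lines and error strings originate in the core dump
    # and are interpolated between '<br>' tags without HTML escaping; if this
    # string is rendered as HTML, escape it at the rendering boundary.
    for processID, addressProcess, oIOSProcess in oIOSCoreDumpAnalysis.processes:
        if filterProcessID is not None and processID != filterProcessID:
            continue
        if oIOSProcess is None:
            returnString += 'addressProcess not found %d %08X <br>' % (processID, addressProcess)
            continue
        if oIOSProcess.error == '':
            line = oIOSProcess.Line()
        else:
            line = '%4d %s' % (processID, oIOSProcess.error)
        returnString += line + '<br>'
        if options.dump:
            naft_uf.DumpBytes(oIOSProcess.data, addressProcess)

    if oIOSCoreDumpAnalysis.RanHeuristics:
        returnString += '<br>'
        returnString += '*** WARNING ***<br>'
        returnString += 'Unexpected process structure<br>'
        returnString += 'Please reports these results<br>'
        returnString += 'Fields determined with heuristics:<br>'
        returnString += 'Process structure size: %d<br>' % oIOSCoreDumpAnalysis.HeuristicsSize
        # sorted() works on both a Python 2 key list and a Python 3 dict view;
        # the original dict.keys().sort() raises AttributeError on Python 3.
        for key in sorted(oIOSCoreDumpAnalysis.HeuristicsFields.keys(), key=str.lower):
            value = oIOSCoreDumpAnalysis.HeuristicsFields[key]
            if value is not None:
                returnString += '%-22s: 0x%04X <br>' % (key, value[1])

    if options.statistics:
        keys = sorted(oIOSCoreDumpAnalysis.dProcessStructureStats.keys())
        returnString += 'Number of different process structures: %d<br>' % len(keys)
        for index in keys:
            returnString += 'Process structures length: %d<br>' % index
            PrintStatsAnalysis(oIOSCoreDumpAnalysis.dProcessStructureStats[index], oIOSCoreDumpAnalysis.oIOSCoreDump)
    return returnString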
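def IOSFrames(coredumpFilename, filenameIOMEM, filenamePCAP, options):
    """Recover network frames referenced from an IOS core dump's heap and write them to a PCAP file.

    Every heap block whose resolved allocation name is '*Packet Header*' is read
    as a packet header: the frame address is the big-endian 32-bit value at
    offset 40 and the frame size the big-endian 16-bit value at offset 72
    (falling back to offset 68 when that value is <= 1). The frame bytes are
    taken from the IOMEM image at (frameAddress - IOMEM base address).

    Arguments:
        coredumpFilename: core dump file, parsed with naft_impf.cIOSCoreDump.
        filenameIOMEM: IOMEM region dump, read with naft_uf.File2Data.
        filenamePCAP: output path passed to cFrames.WritePCAP.
        options: not read by this function (kept for a uniform command interface).

    Returns:
        None. Errors are reported on stdout and the function returns early.

    Side effects:
        Prints the block header table, one line per recovered frame, a hex dump
        of every recovered frame, and a message for every frame that is skipped.
    """
    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        print(oIOSCoreDump.error)
        return
    addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        print('Heap region not found')
        return
    oIOSMemoryParserHeap = naft_impf.cIOSMemoryParser(memoryHeap)
    oIOSMemoryParserHeap.ResolveNames(oIOSCoreDump)

    dataIOMEM = naft_uf.File2Data(filenameIOMEM)
    # NOTE(review): assumes File2Data returns None when the file cannot be read
    # (not visible here); the check is harmless if it raises instead.
    if dataIOMEM is None:
        print('Error reading IOMEM file')
        return
    oIOSMemoryParserIOMEM = naft_impf.cIOSMemoryParser(dataIOMEM)
    addressIOMEM = oIOSMemoryParserIOMEM.baseAddress
    if addressIOMEM is None:
        print('Error parsing IOMEM')
        return
    lengthIOMEM = len(dataIOMEM)

    oFrames = naft_pfef.cFrames()
    print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
    for oIOSMemoryBlockHeader in oIOSMemoryParserHeap.Headers:
        if oIOSMemoryBlockHeader.AllocNameResolved != '*Packet Header*':
            continue
        data = oIOSMemoryBlockHeader.GetData()
        # A truncated or corrupt block cannot hold the fields read below
        # (offsets 40..44 and 68..74); skip it instead of raising struct.error.
        if len(data) < 74:
            print('Packet header block at 0x%08X too short (%d bytes), skipped' % (oIOSMemoryBlockHeader.address, len(data)))
            continue
        frameAddress = struct.unpack_from('>I', data, 40)[0]
        frameSize = struct.unpack_from('>H', data, 72)[0]
        if frameSize <= 1:
            frameSize = struct.unpack_from('>H', data, 68)[0]
        if frameAddress == 0 or frameSize == 0:
            continue
        # Bounds-check the frame against the IOMEM image: a negative offset would
        # silently slice from the end of dataIOMEM and an offset past the end
        # would yield a truncated or empty frame. Both values come from dump
        # contents, which may be corrupt.
        offset = frameAddress - addressIOMEM
        if offset < 0 or offset + frameSize > lengthIOMEM:
            print('Frame at 0x%08X (%d bytes) lies outside IOMEM, skipped' % (frameAddress, frameSize))
            continue
        frameData = dataIOMEM[offset:offset + frameSize]
        print(oIOSMemoryBlockHeader.ShowLine())
        naft_uf.DumpBytes(frameData, frameAddress)
        oFrames.AddFrame(offset, frameData, True)
    oFrames.WritePCAP(filenamePCAP)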
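def _IOSHeapWriteBlocks(coredumpFilename, oIOSMemoryParser):
    """List every heap block on stdout and write its data to '<coredumpFilename>-heap-0x<address>.data'."""
    print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
    for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
        print(oIOSMemoryBlockHeader.ShowLine())
        naft_uf.Data2File(oIOSMemoryBlockHeader.GetData(), '%s-heap-0x%08X.data' % (coredumpFilename, oIOSMemoryBlockHeader.address))


def _IOSHeapYaraScan(oIOSMemoryParser, rules, options):
    """Match compiled YARA rules against every heap block, raw and through each loaded decoder.

    Uses the module-level ``decoders`` list populated by LoadDecoders. Matches are
    printed to stdout; a block's header line is printed once, before its first match.
    With options.yarastrings each matched string is printed as offset/identifier,
    hex and repr.
    """
    print(naft_impf.cIOSMemoryBlockHeader.ShowHeader)
    for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
        data = oIOSMemoryBlockHeader.GetData()
        linePrinted = False
        # cIdentity yields the undecoded block; each decoder adds a transformed view.
        oDecoders = [cIdentity(data, None)]
        for cDecoder in decoders:
            try:
                oDecoders.append(cDecoder(data, options.decoderoptions))
            except Exception:
                print('Error instantiating decoder: %s' % cDecoder.name)
                raise  # bare raise keeps the original traceback
        for oDecoder in oDecoders:
            while oDecoder.Available():
                for result in rules.match(data=oDecoder.Decode()):
                    if not linePrinted:
                        print(oIOSMemoryBlockHeader.ShowLine())
                        linePrinted = True
                    decoderName = oDecoder.Name()
                    print(' YARA rule%s: %s' % (IFF(decoderName == '', '', ' (decoder: %s)' % decoderName), result.rule))
                    if options.yarastrings:
                        # NOTE(review): assumes tuple-style result.strings entries
                        # (offset, identifier, data) — confirm against the yara-python version in use.
                        for stringdata in result.strings:
                            print(' %06x %s:' % (stringdata[0], stringdata[1]))
                            print(' %s' % binascii.hexlify(stringdata[2]))
                            print(' %s' % repr(stringdata[2]))


def _IOSHeapFilteredBlocks(coredumpFilename, oIOSMemoryParser, options):
    """Return a <br>-separated report of the heap blocks whose resolved allocation name equals options.filter.

    options.strings switches from one header line per block to an ASCII string
    listing, narrowed by options.grep (substring) or options.minimum (minimum
    string count, 0 = no minimum). options.dump, options.dumpraw and
    options.write add the same per-block side effects regardless of the listing.
    """
    # NOTE(review): ShowLine() output and the strings found in the heap come
    # from the dump and are emitted between '<br>' tags without HTML escaping;
    # escape at the rendering boundary if this is shown as HTML.
    lines = [naft_impf.cIOSMemoryBlockHeader.ShowHeader]
    for oIOSMemoryBlockHeader in oIOSMemoryParser.Headers:
        if oIOSMemoryBlockHeader.AllocNameResolved != options.filter:
            continue
        data = oIOSMemoryBlockHeader.GetData()
        if not options.strings:
            lines.append(oIOSMemoryBlockHeader.ShowLine())
        else:
            dStrings = naft_uf.SearchASCIIStrings(data)
            # Strings are reported at block address + block size + offset within the data.
            baseAddress = oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.BlockSize
            if options.grep != '':
                printHeader = True
                for key, value in dStrings.items():
                    if options.grep in value:
                        if printHeader:
                            lines.append(oIOSMemoryBlockHeader.ShowLine())
                            printHeader = False
                        lines.append(' %08X: %s' % (baseAddress + key, value))
            elif options.minimum == 0 or len(dStrings) >= options.minimum:
                lines.append(oIOSMemoryBlockHeader.ShowLine())
                for key, value in dStrings.items():
                    lines.append(' %08X: %s' % (baseAddress + key, value))
        if options.dump:
            naft_uf.DumpBytes(data, oIOSMemoryBlockHeader.address + oIOSMemoryBlockHeader.headerSize)
        if options.dumpraw:
            naft_uf.DumpBytes(oIOSMemoryBlockHeader.GetRawData(), oIOSMemoryBlockHeader.address)
        if options.write:
            naft_uf.Data2File(data, '%s-heap-0x%08X.data' % (coredumpFilename, oIOSMemoryBlockHeader.address))
    return ''.join(line + '<br>' for line in lines)


def IOSHeap(coredumpFilename, options):
    """Analyze the heap region of an IOS core dump in the mode selected by options.

    Modes, in the order they are checked:
      * options.filter != '': return a <br>-separated report of the blocks whose
        resolved allocation name equals the filter (see _IOSHeapFilteredBlocks).
      * options.write: write every heap block to a file; stdout listing, empty return.
      * options.yara: scan every block with the YARA rules from options.yara,
        optionally through the decoders named in options.decoders; stdout
        output, empty return.
      * otherwise: return oIOSMemoryParser.Show().

    Returns:
        The report string, or the error text when the dump or its heap region
        cannot be parsed, or '' when the YARA module is required but not loaded.

    Side effects:
        Resets the module-level ``decoders`` list and repopulates it through
        LoadDecoders(options.decoders, True).
    """
    global decoders
    decoders = []
    LoadDecoders(options.decoders, True)
    returnString = ''
    rules = None
    if options.yara is not None:
        # The optional yara import is not visible in this excerpt; refuse the
        # mode up front instead of failing later inside YARACompile.
        if 'yara' not in sys.modules:
            print('Error: option yara requires the YARA Python module.')
            return returnString
        rules = YARACompile(options.yara)
    oIOSCoreDump = naft_impf.cIOSCoreDump(coredumpFilename)
    if oIOSCoreDump.error != '':
        return returnString + oIOSCoreDump.error
    addressHeap, memoryHeap = oIOSCoreDump.RegionHEAP()
    if memoryHeap is None:
        return returnString + 'Heap region not found'
    oIOSMemoryParser = naft_impf.cIOSMemoryParser(memoryHeap)
    # Allocation names are required to match options.filter; otherwise only on request.
    if options.resolve or options.filter != '':
        oIOSMemoryParser.ResolveNames(oIOSCoreDump)
    if options.filter != '':
        return returnString + _IOSHeapFilteredBlocks(coredumpFilename, oIOSMemoryParser, options)
    if options.write:
        _IOSHeapWriteBlocks(coredumpFilename, oIOSMemoryParser)
    elif options.yara:
        _IOSHeapYaraScan(oIOSMemoryParser, rules, options)
    else:
        returnString += oIOSMemoryParser.Show()
    return returnString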