def init_vatopa_x86_pae(self, vflag): if self.mempath == '': return 1 if self.build[ 0: 2] >= '12': # for KSLR supported OS (Mountain Lion, Mavericks) if vflag: print '[+] Finding Kernel Base Address (KASLR)' self.base_address = self.catfishlocation - ( self.symbol_list['_lowGlo'] % 0xFFFFFF80 ) # find table base address if vflag: print ' [-] Kernel Base Address : 0x%.8x' % self.base_address self.idlepdpt = (self.symbol_list['_BootPDPT'] % 0xFFFFFF80) + self.base_address self.bootpml4 = (self.symbol_list['_BootPML4'] % 0xFFFFFF80) + self.base_address if isMachoVolafoxCompatible(self.mempath): self.boot_pml4_pt = IA32PML4MemoryPae( MachoAddressSpace(self.mempath), self.bootpml4) else: self.boot_pml4_pt = IA32PML4MemoryPae( FileAddressSpace(self.mempath), self.bootpml4) idlepml4_ptr = self.boot_pml4_pt.read( self.symbol_list['_IdlePML4'] + self.base_address, 8) self.idlepml4 = struct.unpack('=Q', idlepml4_ptr)[0] else: self.idlepdpt = self.symbol_list['_IdlePDPT'] self.idlepml4 = self.symbol_list['_IdlePML4'] if self.arch is 32: if vflag: print '[+] Loading Intel 32bit(PAE Enabled) Paging Table' if isMachoVolafoxCompatible(self.mempath): self.x86_mem_pae = IA32PagedMemoryPae( MachoAddressSpace(self.mempath), self.idlepdpt) else: self.x86_mem_pae = IA32PagedMemoryPae( FileAddressSpace(self.mempath), self.idlepdpt) else: # 64 if vflag: print '[+] Loading Intel IA-32e(PAE Enabled) Paging Table' if isMachoVolafoxCompatible(self.mempath): self.x86_mem_pae = IA32PML4MemoryPae( MachoAddressSpace(self.mempath), self.idlepml4) else: self.x86_mem_pae = IA32PML4MemoryPae( FileAddressSpace(self.mempath), self.idlepml4) return 0
def netstat(self): tcb_symbol_addr = self.symbol_list['_tcbinfo'] udb_symbol_addr = self.symbol_list['_udbinfo'] if isMachoVolafoxCompatible(self.mempath): net_pae = IA32PML4MemoryPae(MachoAddressSpace(self.mempath), self.idlepml4) else: net_pae = IA32PML4MemoryPae(FileAddressSpace(self.mempath), self.idlepml4) network_list = get_network_hash(net_pae, tcb_symbol_addr, udb_symbol_addr, self.arch, self.os_version, self.build, self.base_address) print_network_list(network_list[0], network_list[1])
def init_vatopa_x86_pae(self, vflag): if self.mempath == "": return 1 if self.build[0:2] >= "12": # for KSLR supported OS (Mountain Lion, Mavericks) if vflag: print "[+] Finding Kernel Base Address (KASLR)" self.base_address = self.catfishlocation - ( self.symbol_list["_lowGlo"] % 0xFFFFFF80 ) # find table base address if vflag: print " [-] Kernel Base Address : 0x%.8x" % self.base_address self.idlepdpt = (self.symbol_list["_BootPDPT"] % 0xFFFFFF80) + self.base_address self.bootpml4 = (self.symbol_list["_BootPML4"] % 0xFFFFFF80) + self.base_address if isMachoVolafoxCompatible(self.mempath): self.boot_pml4_pt = IA32PML4MemoryPae(MachoAddressSpace(self.mempath), self.bootpml4) else: self.boot_pml4_pt = IA32PML4MemoryPae(FileAddressSpace(self.mempath), self.bootpml4) idlepml4_ptr = self.boot_pml4_pt.read(self.symbol_list["_IdlePML4"] + self.base_address, 8) self.idlepml4 = struct.unpack("=Q", idlepml4_ptr)[0] else: self.idlepdpt = self.symbol_list["_IdlePDPT"] self.idlepml4 = self.symbol_list["_IdlePML4"] if self.arch is 32: if vflag: print "[+] Loading Intel 32bit(PAE Enabled) Paging Table" if isMachoVolafoxCompatible(self.mempath): self.x86_mem_pae = IA32PagedMemoryPae(MachoAddressSpace(self.mempath), self.idlepdpt) else: self.x86_mem_pae = IA32PagedMemoryPae(FileAddressSpace(self.mempath), self.idlepdpt) else: # 64 if vflag: print "[+] Loading Intel IA-32e(PAE Enabled) Paging Table" if isMachoVolafoxCompatible(self.mempath): self.x86_mem_pae = IA32PML4MemoryPae(MachoAddressSpace(self.mempath), self.idlepml4) else: self.x86_mem_pae = IA32PML4MemoryPae(FileAddressSpace(self.mempath), self.idlepml4) return 0