def get_syscalls(self, index_info=None, get_hidden=False, compute_name=True): linux_common.set_plugin_members(self) if get_hidden: hidden_mods = list( linux_hidden_modules.linux_hidden_modules( self._config).calculate()) else: hidden_mods = [] if compute_name: visible_mods = linux_lsmod.linux_lsmod(self._config).calculate() else: visible_mods = [] if index_info == None: index_info = self._find_and_parse_index_file() table_name = self.addr_space.profile.metadata.get( 'memory_model', '32bit') sym_addrs = self.profile.get_all_addresses() sys_call_info = self._get_table_info("sys_call_table") addrs = [(table_name, sys_call_info)] # 64 bit systems with 32 bit emulation ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table") if ia32: ia32_info = self._get_table_info("ia32_sys_call_table") addrs.append(("32bit", ia32_info)) for (table_name, (tableaddr, tblsz)) in addrs: table = obj.Object(theType='Array', offset=tableaddr, vm=self.addr_space, targetType='unsigned long', count=tblsz + 1) for (i, call_addr) in enumerate(table): if not call_addr: continue idx_name = self._index_name(table_name, index_info, i) call_addr = int(call_addr) if not call_addr in sym_addrs: hooked = 1 sym_name = self._compute_hook_sym_name( visible_mods, hidden_mods, call_addr) else: hooked = 0 sym_name = self.profile.get_symbol_by_address( "kernel", call_addr) yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked)
def get_syscalls(self, index_info = None, get_hidden = False, compute_name = True): linux_common.set_plugin_members(self) if get_hidden: hidden_mods = list(linux_hidden_modules.linux_hidden_modules(self._config).calculate()) else: hidden_mods = [] if compute_name: visible_mods = linux_lsmod.linux_lsmod(self._config).calculate() else: visible_mods = [] if index_info == None: index_info = self._find_and_parse_index_file() table_name = self.addr_space.profile.metadata.get('memory_model', '32bit') sym_addrs = self.profile.get_all_addresses() sys_call_info = self._get_table_info("sys_call_table") addrs = [(table_name, sys_call_info)] # 64 bit systems with 32 bit emulation ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table") if ia32: ia32_info = self._get_table_info("ia32_sys_call_table") addrs.append(("32bit", ia32_info)) for (table_name, (tableaddr, tblsz)) in addrs: table = obj.Object(theType = 'Array', offset = tableaddr, vm = self.addr_space, targetType = 'unsigned long', count = tblsz) for (i, call_addr) in enumerate(table): if not call_addr: continue idx_name = self._index_name(table_name, index_info, i) call_addr = int(call_addr) if not call_addr in sym_addrs: hooked = 1 sym_name = self._compute_hook_sym_name(visible_mods, hidden_mods, call_addr) else: hooked = 0 sym_name = self.profile.get_symbol_by_address("kernel", call_addr) yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked)
registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = "LinuxDebian31604x64" config.LOCATION = "vmi://debian-hvm" # Other imports import time # Import Plugins print "Checking for Malware" # Retrieve hidden modules import volatility.plugins.linux.hidden_modules as hiddenModulesPlugin hiddenModulesData = hiddenModulesPlugin.linux_hidden_modules(config) # Retrieve hidden af info import volatility.plugins.linux.check_afinfo as afInfoPlugin afInfoData = afInfoPlugin.linux_check_afinfo(config) while True: for msg in hiddenModulesData.calculate(): print "***Possible malware detected by checking for hidden modules***" print msg dir(msg) for msg in afInfoData.calculate(): print "***Possible malware detected by checking for network connection tampering***" print msg dir(msg)
def get_syscalls(self, index_lines = None, get_hidden = False): linux_common.set_plugin_members(self) if get_hidden: hidden_mods = list(linux_hidden_modules.linux_hidden_modules(self._config).calculate()) else: hidden_mods = [] visible_mods = linux_lsmod.linux_lsmod(self._config).calculate() if not index_lines: index_lines = self._find_and_parse_index_file() if index_lines: index_names = {} for line in index_lines.split("\n"): ents = line.split() if len(ents) == 3 and ents[0] == "#define": name = ents[1].replace("__NR_", "") # "(__NR_timer_create+1)" index = ents[2] if index[0] == "(": index = self._find_index(index_names, index) else: index = int(index) index_names[index] = name else: index_names = None table_name = self.addr_space.profile.metadata.get('memory_model', '32bit') sym_addrs = self.profile.get_all_addresses() sys_call_info = self._get_table_info("sys_call_table") addrs = [(table_name, sys_call_info)] # 64 bit systems with 32 bit emulation ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table") if ia32: ia32_info = self._get_table_info("ia32_sys_call_table") addrs.append(("32bit", ia32_info)) for (table_name, (tableaddr, tblsz)) in addrs: table = obj.Object(theType = 'Array', offset = tableaddr, vm = self.addr_space, targetType = 'unsigned long', count = tblsz) for (i, call_addr) in enumerate(table): if not call_addr: continue if index_names: idx_name = self._index_name(index_names, i) else: idx_name = "" call_addr = int(call_addr) if not call_addr in sym_addrs: hooked = 1 sym_name = self._compute_hook_sym_name(visible_mods, hidden_mods, call_addr) else: hooked = 0 sym_name = self.profile.get_symbol_by_address("kernel", call_addr) yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked)
def calculate(self): """ This works by walking the system call table and verifies that each is a symbol in the kernel """ linux_common.set_plugin_members(self) if not has_distorm: debug.warning( "distorm not installed. The best method to calculate the system call table size will not be used." ) if self._config.SYSCALL_INDEXES: if not os.path.exists(self._config.SYSCALL_INDEXES): debug.error("Given syscall indexes file does not exist!") index_names = {} for line in open(self._config.SYSCALL_INDEXES, "r").readlines(): ents = line.split() if len(ents) == 3 and ents[0] == "#define": name = ents[1].replace("__NR_", "") # "(__NR_timer_create+1)" index = ents[2] if index[0] == "(": index = self._find_index(index_names, index) else: index = int(index) index_names[index] = name else: index_names = None hidden_mods = list( linux_hidden_modules.linux_hidden_modules( self._config).calculate()) visible_mods = linux_lsmod.linux_lsmod(self._config).calculate() table_name = self.addr_space.profile.metadata.get( 'memory_model', '32bit') sym_addrs = self.profile.get_all_addresses() sys_call_info = self._get_table_info("sys_call_table") addrs = [(table_name, sys_call_info)] # 64 bit systems with 32 bit emulation ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table") if ia32: ia32_info = self._get_table_info("ia32_sys_call_table") addrs.append(("32bit", ia32_info)) for (table_name, (tableaddr, tblsz)) in addrs: table = obj.Object(theType='Array', offset=tableaddr, vm=self.addr_space, targetType='unsigned long', count=tblsz) for (i, call_addr) in enumerate(table): if not call_addr: continue if index_names: idx_name = self._index_name(index_names, i) else: idx_name = "" call_addr = int(call_addr) if not call_addr in sym_addrs: hooked = 1 sym_name = self._compute_hook_sym_name( visible_mods, hidden_mods, call_addr) else: hooked = 0 sym_name = self.profile.get_symbol_by_address( "kernel", call_addr) yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked)
def get_syscalls(self, index_lines=None, get_hidden=False): linux_common.set_plugin_members(self) if get_hidden: hidden_mods = list( linux_hidden_modules.linux_hidden_modules( self._config).calculate()) else: hidden_mods = [] visible_mods = linux_lsmod.linux_lsmod(self._config).calculate() if not index_lines: index_lines = self._find_and_parse_index_file() if index_lines: index_names = {} for line in index_lines.split("\n"): ents = line.split() if len(ents) == 3 and ents[0] == "#define": name = ents[1].replace("__NR_", "") # "(__NR_timer_create+1)" index = ents[2] if index[0] == "(": index = self._find_index(index_names, index) else: index = int(index) index_names[index] = name else: index_names = None table_name = self.addr_space.profile.metadata.get( 'memory_model', '32bit') sym_addrs = self.profile.get_all_addresses() sys_call_info = self._get_table_info("sys_call_table") addrs = [(table_name, sys_call_info)] # 64 bit systems with 32 bit emulation ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table") if ia32: ia32_info = self._get_table_info("ia32_sys_call_table") addrs.append(("32bit", ia32_info)) for (table_name, (tableaddr, tblsz)) in addrs: table = obj.Object(theType='Array', offset=tableaddr, vm=self.addr_space, targetType='unsigned long', count=tblsz) for (i, call_addr) in enumerate(table): if not call_addr: continue if index_names: idx_name = self._index_name(index_names, i) else: idx_name = "" call_addr = int(call_addr) if not call_addr in sym_addrs: hooked = 1 sym_name = self._compute_hook_sym_name( visible_mods, hidden_mods, call_addr) else: hooked = 0 sym_name = self.profile.get_symbol_by_address( "kernel", call_addr) yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked)
def calculate(self): """ This works by walking the system call table and verifies that each is a symbol in the kernel """ linux_common.set_plugin_members(self) if not has_distorm: debug.warning("distorm not installed. The best method to calculate the system call table size will not be used.") if self._config.SYSCALL_INDEXES: if not os.path.exists(self._config.SYSCALL_INDEXES): debug.error("Given syscall indexes file does not exist!") index_names = {} for line in open(self._config.SYSCALL_INDEXES, "r").readlines(): ents = line.split() if len(ents) == 3 and ents[0] == "#define": name = ents[1].replace("__NR_", "") # "(__NR_timer_create+1)" index = ents[2] if index[0] == "(": index = self._find_index(index_names, index) else: index = int(index) index_names[index] = name else: index_names = None hidden_mods = list(linux_hidden_modules.linux_hidden_modules(self._config).calculate()) visible_mods = linux_lsmod.linux_lsmod(self._config).calculate() table_name = self.addr_space.profile.metadata.get('memory_model', '32bit') sym_addrs = self.profile.get_all_addresses() sys_call_info = self._get_table_info("sys_call_table") addrs = [(table_name, sys_call_info)] # 64 bit systems with 32 bit emulation ia32 = self.addr_space.profile.get_symbol("ia32_sys_call_table") if ia32: ia32_info = self._get_table_info("ia32_sys_call_table") addrs.append(("32bit", ia32_info)) for (table_name, (tableaddr, tblsz)) in addrs: table = obj.Object(theType = 'Array', offset = tableaddr, vm = self.addr_space, targetType = 'unsigned long', count = tblsz) for (i, call_addr) in enumerate(table): if not call_addr: continue if index_names: idx_name = self._index_name(index_names, i) else: idx_name = "" call_addr = int(call_addr) if not call_addr in sym_addrs: hooked = 1 sym_name = self._compute_hook_sym_name(visible_mods, hidden_mods, call_addr) else: hooked = 0 sym_name = self.profile.get_symbol_by_address("kernel", call_addr) yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked)