def calculate(self): ## we need this module imported if not has_yara: debug.error("Please install Yara from code.google.com/p/yara-project") ## leveraged from the windows yarascan plugin rules = self._compile_rules() ## set the linux plugin address spaces common.set_plugin_members(self) if self._config.KERNEL: ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24 if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": if not common.is_64bit_capable(self.addr_space): kernel_start = 0 else: kernel_start = 0xc0000000 else: kernel_start = 0xffffff8000000000 scanner = malfind.DiscontigYaraScanner(rules = rules, address_space = self.addr_space) for hit, address in scanner.scan(start_offset = kernel_start): yield (None, address, hit, scanner.address_space.zread(address, 64)) else: # Scan each process memory block for task in pstasks.mac_tasks(self._config).calculate(): scanner = MapYaraScanner(task = task, rules = rules) for hit, address in scanner.scan(): yield (task, address, hit, scanner.address_space.zread(address, 64))
def get_process_address_space(self): cr3 = self.task.map.pmap.pm_cr3 map_val = str(self.task.map.pmap.pm_task_map or '') # if the machine is 64 bit capable is_64bit_cap = common.is_64bit_capable(self.obj_vm) if map_val == "TASK_MAP_32BIT" and is_64bit_cap: # A 32 bit process on a 64 bit system, requires 64 bit paging # Catch exceptions when trying to get a process AS for kernel_task # which isn't really even a process. It needs to use the default cr3 try: proc_as = amd64.AMD64PagedMemory(self.obj_vm.base, self.obj_vm.get_config(), dtb=cr3, skip_as_check=True) except IOError: proc_as = self.obj_vm elif map_val == "TASK_MAP_32BIT": # A 32 bit process on a 32 bit system need # bypass b/c no sharing of address space proc_as = intel.IA32PagedMemoryPae(self.obj_vm.base, self.obj_vm.get_config(), dtb=cr3, skip_as_check=True) elif (map_val == "TASK_MAP_64BIT_SHARED" and self.obj_vm.profile.metadata.get('memory_model', '32bit') == "32bit"): # A 64 bit process running on a 32 bit system proc_as = amd64.AMD64PagedMemory(self.obj_vm.base, self.obj_vm.get_config(), dtb=cr3, skip_as_check=True) elif map_val in ["TASK_MAP_64BIT", "TASK_MAP_64BIT_SHARED"]: # A 64 bit process on a 64 bit system cr3 &= 0xFFFFFFE0 proc_as = amd64.AMD64PagedMemory(self.obj_vm.base, self.obj_vm.get_config(), dtb=cr3, skip_as_check=True) else: proc_as = obj.NoneObject( "Cannot get process AS for pm_task_map: {0}".format(map_val)) return proc_as
def calculate(self): ## we need this module imported if not has_yara: debug.error( "Please install Yara from https://plusvic.github.io/yara/") ## leveraged from the windows yarascan plugin rules = self._compile_rules() ## set the linux plugin address spaces common.set_plugin_members(self) if self._config.KERNEL: ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24 if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": if not common.is_64bit_capable(self.addr_space): kernel_start = 0 else: kernel_start = 0xc0000000 else: vm_addr = self.addr_space.profile.get_symbol( "_vm_min_kernel_address") kernel_start = obj.Object("unsigned long", offset=vm_addr, vm=self.addr_space) scanner = malfind.DiscontigYaraScanner( rules=rules, address_space=self.addr_space) for hit, address in scanner.scan(start_offset=kernel_start): yield (None, address, hit, scanner.address_space.zread( address - self._config.REVERSE, self._config.SIZE)) else: # Scan each process memory block tasks = self.filter_tasks() for task in tasks: # skip kernel_task if task.p_pid == 0: continue scanner = MapYaraScanner(task=task, rules=rules) for hit, address in scanner.scan( max_size=self._config.MAX_SIZE): yield (task, address, hit, scanner.address_space.zread( address - self._config.REVERSE, self._config.SIZE))
def get_process_address_space(self): cr3 = self.task.map.pmap.pm_cr3 map_val = str(self.task.map.pmap.pm_task_map or '') # if the machine is 64 bit capable is_64bit_cap = common.is_64bit_capable(self.obj_vm) if map_val == "TASK_MAP_32BIT" and is_64bit_cap: # A 32 bit process on a 64 bit system, requires 64 bit paging # Catch exceptions when trying to get a process AS for kernel_task # which isn't really even a process. It needs to use the default cr3 try: proc_as = amd64.AMD64PagedMemory(self.obj_vm.base, self.obj_vm.get_config(), dtb = cr3, skip_as_check = True) except IOError: proc_as = self.obj_vm elif map_val == "TASK_MAP_32BIT": # A 32 bit process on a 32 bit system need # bypass b/c no sharing of address space proc_as = intel.IA32PagedMemoryPae(self.obj_vm.base, self.obj_vm.get_config(), dtb = cr3, skip_as_check = True) elif (map_val == "TASK_MAP_64BIT_SHARED" and self.obj_vm.profile.metadata.get('memory_model', '32bit') == "32bit"): # A 64 bit process running on a 32 bit system proc_as = amd64.AMD64PagedMemory(self.obj_vm.base, self.obj_vm.get_config(), dtb = cr3, skip_as_check = True) elif map_val in ["TASK_MAP_64BIT", "TASK_MAP_64BIT_SHARED"]: # A 64 bit process on a 64 bit system cr3 &= 0xFFFFFFE0 proc_as = amd64.AMD64PagedMemory(self.obj_vm.base, self.obj_vm.get_config(), dtb = cr3, skip_as_check = True) else: proc_as = obj.NoneObject("Cannot get process AS for pm_task_map: {0}".format(map_val)) return proc_as
def calculate(self): ## we need this module imported if not has_yara: debug.error("Please install Yara from https://plusvic.github.io/yara/") ## leveraged from the windows yarascan plugin rules = self._compile_rules() ## set the linux plugin address spaces common.set_plugin_members(self) if self._config.KERNEL: ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24 if self.addr_space.profile.metadata.get("memory_model", "32bit") == "32bit": if not common.is_64bit_capable(self.addr_space): kernel_start = 0 else: kernel_start = 0xC0000000 else: kernel_start = 0xFFFFFF8000000000 scanner = malfind.DiscontigYaraScanner(rules=rules, address_space=self.addr_space) for hit, address in scanner.scan(start_offset=kernel_start): yield ( None, address, hit, scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE), ) else: # Scan each process memory block tasks = self.filter_tasks() for task in tasks: # skip kernel_task if task.p_pid == 0: continue scanner = MapYaraScanner(task=task, rules=rules) for hit, address in scanner.scan(): yield ( task, address, hit, scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE), )
def calculate(self): ## we need this module imported if not has_yara: debug.error( "Please install Yara from code.google.com/p/yara-project") ## leveraged from the windows yarascan plugin rules = self._compile_rules() ## set the linux plugin address spaces common.set_plugin_members(self) if self._config.KERNEL: ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24 if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": if not common.is_64bit_capable(self.addr_space): kernel_start = 0 else: kernel_start = 0xc0000000 else: kernel_start = 0xffffff8000000000 scanner = malfind.DiscontigYaraScanner( rules=rules, address_space=self.addr_space) for hit, address in scanner.scan(start_offset=kernel_start): yield (None, address, hit, scanner.address_space.zread(address, 64)) else: # Scan each process memory block for task in pstasks.mac_tasks(self._config).calculate(): scanner = MapYaraScanner(task=task, rules=rules) for hit, address in scanner.scan(): yield (task, address, hit, scanner.address_space.zread(address, 64))