def calculate(self):
mac_common.set_plugin_members(self)
procs = mac_pslist.mac_pslist(self._config).calculate()
proc_maps = {}
dl_maps = {}
seen_starts = []
for task in procs:
proc_maps[task.obj_offset] = {}
proc_as = task.get_process_address_space()
for map in task.get_proc_maps():
sig = proc_as.read(map.start, 4)
if sig in ['\xce\xfa\xed\xfe', '\xcf\xfa\xed\xfe']:
prot = map.get_perms()
if prot in ["rw-", "r--"]:
continue
fname = map.get_path()
proc_maps[task.obj_offset][map.start.v()] = (task, proc_as,
fname)
dl_maps[task.obj_offset] = {}
for so in task.get_dyld_maps():
dl_maps[task.obj_offset][so.imageLoadAddress] = (
task, proc_as, str(so.imageFilePath))
for task_offset in dl_maps:
for vm_start in dl_maps[task_offset]:
seen_starts.append(vm_start)
(task, proc_as, vm_name) = dl_maps[task_offset][vm_start]
yield (task_offset, task, proc_as, vm_start, vm_name,
proc_maps, dl_maps)
for task_offset in proc_maps:
for vm_start in proc_maps[task_offset]:
if vm_start in seen_starts:
continue
(task, proc_as, vm_name) = proc_maps[task_offset][vm_start]
yield (task_offset, task, proc_as, vm_start, vm_name,
proc_maps, dl_maps)
def calculate(self):
mac_common.set_plugin_members(self)
procs = mac_pslist.mac_pslist(self._config).calculate()
proc_maps = {}
dl_maps = {}
seen_starts = []
for task in procs:
proc_maps[task.obj_offset] = {}
proc_as = task.get_process_address_space()
for map in task.get_proc_maps():
sig = proc_as.read(map.start, 4)
if sig in ['\xce\xfa\xed\xfe', '\xcf\xfa\xed\xfe']:
prot = map.get_perms()
if prot in ["rw-", "r--"]:
continue
fname = map.get_path()
proc_maps[task.obj_offset][map.start.v()] = (task, proc_as, fname)
dl_maps[task.obj_offset] = {}
for so in task.get_dyld_maps():
dl_maps[task.obj_offset][so.imageLoadAddress] = (task, proc_as, str(so.imageFilePath))
for task_offset in dl_maps:
for vm_start in dl_maps[task_offset]:
seen_starts.append(vm_start)
(task, proc_as, vm_name) = dl_maps[task_offset][vm_start]
yield (task_offset, task, proc_as, vm_start, vm_name, proc_maps, dl_maps)
for task_offset in proc_maps:
for vm_start in proc_maps[task_offset]:
if vm_start in seen_starts:
continue
(task, proc_as, vm_name) = proc_maps[task_offset][vm_start]
yield (task_offset, task, proc_as, vm_start, vm_name, proc_maps, dl_maps)
def _get_parent_pointers(self):
return [p.p_pptr.v() for p in pslist.mac_pslist(self._config).calculate()]
def _get_pslist(self):
return [p.v() for p in pslist.mac_pslist(self._config).calculate()]
def _get_parent_pointers(self):
return [
p.p_pptr.v() for p in pslist.mac_pslist(self._config).calculate()
]
def _get_pslist(self):
return [p.v() for p in pslist.mac_pslist(self._config).calculate()]
def check_mac_pslist(self): procs = dict((v.obj_offset,(v, v.size())) for v in macpslist.mac_pslist(self._config).calculate()) return procs
def getPidList(self):
return pslist.mac_pslist(self._config).calculate()
def calculate(self):
mac_common.set_plugin_members(self)
tasks = mac_pslist.mac_pslist(self._config).calculate()
for task in tasks:
proc_as = task.get_process_address_space()
# In cases when mm is an invalid pointer
if not proc_as:
continue
# Do we scan everything or just /bin/bash instances?
if not (self._config.SCAN_ALL or str(task.p_comm) == "bash"):
continue
bit_string = str(task.task.map.pmap.pm_task_map or '')[9:]
if bit_string.find("64BIT") == -1:
addr_type = "unsigned int"
bucket_contents_type = "mac32_bucket_contents"
htable_type = "mac32_bash_hash_table"
nbuckets_offset = self.addr_space.profile.get_obj_offset(htable_type, "nbuckets")
else:
addr_type = "unsigned long long"
bucket_contents_type = "mac64_bucket_contents"
htable_type = "mac64_bash_hash_table"
nbuckets_offset = self.addr_space.profile.get_obj_offset(htable_type, "nbuckets")
proc_as = task.get_process_address_space()
for map in task.get_proc_maps():
if map.get_path() != "":
continue
off = map.start
while off < map.end:
# test the number of buckets
dr = proc_as.read(off + nbuckets_offset, 4)
if dr == None:
new_off = (off & ~0xfff) + 0xfff + 1
off = new_off
continue
test = struct.unpack("<I", dr)[0]
if test != 64:
off = off + 1
continue
htable = obj.Object(htable_type, offset = off, vm = proc_as)
if htable.is_valid():
bucket_array = obj.Object(theType="Array", targetType=addr_type, offset = htable.bucket_array, vm = htable.nbuckets.obj_vm, count = 64)
for bucket_ptr in bucket_array:
bucket = obj.Object(bucket_contents_type, offset = bucket_ptr, vm = htable.nbuckets.obj_vm)
while bucket != None and bucket.times_found > 0:
pdata = bucket.data
if pdata == None:
bucket = bucket.next_bucket()
continue
if pdata.is_valid() and (0 <= pdata.flags <= 2):
yield task, bucket
bucket = bucket.next_bucket()
off = off + 1
def getPidList(self): return pslist.mac_pslist(self._config).calculate()
