def calculate(self): ## we need this module imported if not has_yara: debug.error( "Please install Yara from code.google.com/p/yara-project") ## leveraged from the windows yarascan plugin rules = self._compile_rules() ## set the linux plugin address spaces linux_common.set_plugin_members(self) if self._config.KERNEL: ## the start of kernel memory taken from VolatilityLinuxIntelValidAS if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": kernel_start = 0xc0000000 else: kernel_start = 0xffffffff80000000 scanner = malfind.DiscontigYaraScanner( rules=rules, address_space=self.addr_space) for hit, address in scanner.scan(start_offset=kernel_start): yield (None, address, hit, scanner.address_space.zread(address, 64)) else: for task in pslist.linux_pslist(self._config).calculate(): scanner = VmaYaraScanner(task=task, rules=rules) for hit, address in scanner.scan(): yield (task, address, hit, scanner.address_space.zread(address, 64))
def calculate(self): addr_space = utils.load_as(self._config) if not has_yara: debug.error("You must install yara to use this plugin") if not self._config.DUMP_DIR: debug.error("You must supply a --dump-dir parameter") if self._config.PHYSICAL: # Find the FileAddressSpace while addr_space.__class__.__name__ != "FileAddressSpace": addr_space = addr_space.base scanner = malfind.DiscontigYaraScanner(address_space=addr_space, rules=DumpCerts.rules) for hit, address in scanner.scan(): cert = obj.Object( DumpCerts.type_map.get(hit.rule), vm=scanner.address_space, offset=address, ) if cert.is_valid(): yield None, cert else: for process in self.filter_tasks(tasks.pslist(addr_space)): scanner = malfind.VadYaraScanner(task=process, rules=DumpCerts.rules) for hit, address in scanner.scan(): cert = obj.Object( DumpCerts.type_map.get(hit.rule), vm=scanner.address_space, offset=address, ) if cert.is_valid(): yield process, cert
def calculate(self): if not has_yara: debug.error("Please install Yara from https://plusvic.github.io/yara/") linux_common.set_plugin_members(self) ## the start of kernel memory taken from VolatilityLinuxIntelValidAS if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": kernel_start = 0xc0000000 pack_size = 4 pack_fmt = "<I" else: kernel_start = 0xffff880000000000 pack_size = 8 pack_fmt = "<Q" checks = [self.check_family, self.check_proto, self.check_socket_back_pointer, self.check_pointers] destruct_offset = self.addr_space.profile.get_obj_offset("sock", "sk_destruct") # sk_destruct pointer value of sock func_addr = self.addr_space.profile.get_symbol("inet_sock_destruct") vals = struct.pack(pack_fmt, func_addr) s = "{ " + " ".join(["%.02x" % ord(v) for v in vals]) + " }" rules = yara.compile(sources = { 'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}' }) scanner = malfind.DiscontigYaraScanner(rules = rules, address_space = self.addr_space) for _, address in scanner.scan(start_offset = kernel_start): base_address = address - destruct_offset i = obj.Object("inet_sock", offset = base_address, vm = self.addr_space) valid = True for check in checks: if check(i) == False: valid = False break if valid: state = i.state if i.protocol == "TCP" else "" family = i.sk.__sk_common.skc_family #pylint: disable-msg=W0212 sport = i.src_port dport = i.dst_port saddr = i.src_addr daddr = i.dst_addr if str(saddr) == "0.0.0.0" and str(daddr) == "0.0.0.0" and sport == 6 and dport == 0: continue yield (i, i.protocol, saddr, sport, daddr, dport, state)
def calculate(self): ## we need this module imported if not has_yara: debug.error( "Please install Yara from https://plusvic.github.io/yara/" ) ## leveraged from the windows yarascan plugin rules = self._compile_rules() ## set the linux plugin address spaces linux_common.set_plugin_members(self) if self._config.KERNEL: ## the start of kernel memory taken from VolatilityLinuxIntelValidAS if ( self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit" ): kernel_start = 0xC0000000 else: kernel_start = 0xFFFFFFFF80000000 scanner = malfind.DiscontigYaraScanner( rules=rules, address_space=self.addr_space ) for hit, address in scanner.scan(start_offset=kernel_start): yield ( None, address - self._config.REVERSE, hit, scanner.address_space.zread( address - self._config.REVERSE, self._config.SIZE ), ) else: tasks = self.filter_tasks() for task in tasks: scanner = VmaYaraScanner(task=task, rules=rules) for hit, address in scanner.scan(): yield ( task, address - self._config.REVERSE, hit, scanner.address_space.zread( address - self._config.REVERSE, self._config.SIZE ), )
def calculate(self): ## we need this module imported if not has_yara: debug.error( "Please install Yara from https://plusvic.github.io/yara/") ## leveraged from the windows yarascan plugin rules = self._compile_rules() ## set the linux plugin address spaces common.set_plugin_members(self) if self._config.KERNEL: ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24 if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": if not common.is_64bit_capable(self.addr_space): kernel_start = 0 else: kernel_start = 0xc0000000 else: vm_addr = self.addr_space.profile.get_symbol( "_vm_min_kernel_address") kernel_start = obj.Object("unsigned long", offset=vm_addr, vm=self.addr_space) scanner = malfind.DiscontigYaraScanner( rules=rules, address_space=self.addr_space) for hit, address in scanner.scan(start_offset=kernel_start): yield (None, address, hit, scanner.address_space.zread( address - self._config.REVERSE, self._config.SIZE)) else: # Scan each process memory block tasks = self.filter_tasks() for task in tasks: # skip kernel_task if task.p_pid == 0: continue scanner = MapYaraScanner(task=task, rules=rules) for hit, address in scanner.scan( max_size=self._config.MAX_SIZE): yield (task, address, hit, scanner.address_space.zread( address - self._config.REVERSE, self._config.SIZE))
def calculate(self): addr_space = utils.load_as(self._config) if not has_yara: debug.error("You must install yara to use this plugin") if not self._config.DUMP_DIR: debug.error("You must supply a --dump-dir parameter") # Wildcard signatures to scan for rules = yara.compile( sources={ 'x509': 'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}', 'pkcs': 'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}', }) # These signature names map to these data structures type_map = { 'x509': '_X509_PUBLIC_CERT', 'pkcs': '_PKCS_PRIVATE_CERT', } if self._config.PHYSICAL: # Find the FileAddressSpace while addr_space.__class__.__name__ != "FileAddressSpace": addr_space = addr_space.base scanner = malfind.DiscontigYaraScanner(address_space=addr_space, rules=rules) for hit, address in scanner.scan(): cert = obj.Object( type_map.get(hit.rule), vm=scanner.address_space, offset=address, ) if cert.is_valid(): yield None, cert else: for process in self.filter_tasks(tasks.pslist(addr_space)): scanner = malfind.VadYaraScanner(task=process, rules=rules) for hit, address in scanner.scan(): cert = obj.Object( type_map.get(hit.rule), vm=scanner.address_space, offset=address, ) if cert.is_valid(): yield process, cert
def _yara_scan(self, addrspace, rule, start, end): rules = yara.compile( sources={ 'n': 'rule r1 {strings: $a = ' + rule + ' condition: $a}' }) scanner = malfind.DiscontigYaraScanner(address_space=addrspace, rules=rules) scan_results = scanner.scan(start_offset=start, maxlen=end) try: hit, addr = next(scan_results) except StopIteration: return None, None return hit, addr
def calculate(self): if not has_yara: debug.error( "Please install Yara from code.google.com/p/yara-project") addr_space = utils.load_as(self._config) rules = yara.compile(sources=ghost_sig) decrypted_data = None mal_proc = {} kdbg = tasks.get_kdbg(addr_space) start = kdbg.MmSystemRangeStart.dereference_as("Pointer") mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space)) mod_addrs = sorted(mods.keys()) sessions = [] for proc in tasks.pslist(addr_space): sid = proc.SessionId if sid == None or sid in sessions: continue session_space = proc.get_process_address_space() if session_space == None: continue sessions.append(sid) scanner = malfind.DiscontigYaraScanner(address_space=session_space, rules=rules) for hit, address in scanner.scan(start_offset=start): module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address)) content = session_space.zread(address, 1024) header_size = content.find("\x78\x9c") magic_header_size = header_size - 8 magic_keyword = content[:magic_header_size] comp_uncomp_size = content[magic_header_size:header_size] s = struct.Struct("I I") comp_size, uncomp_size = s.unpack(comp_uncomp_size) enc_data = content[0:comp_size] to_decrypt = content[header_size:comp_size] dec_data = self.decrypt_communication(to_decrypt) if not mal_proc: self.get_ghost_process(magic_keyword, mal_proc, addr_space) os_version = self.get_os_version(addr_space) yield (mal_proc, address, magic_keyword, enc_data, dec_data, os_version)
def calculate(self): ## we need this module imported if not has_yara: debug.error( "Please install Yara from code.google.com/p/yara-project") ## leveraged from the windows yarascan plugin rules = self._compile_rules() ## set the linux plugin address spaces common.set_plugin_members(self) if self._config.KERNEL: ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24 if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": if not common.is_64bit_capable(self.addr_space): kernel_start = 0 else: kernel_start = 0xc0000000 else: kernel_start = 0xffffff8000000000 scanner = malfind.DiscontigYaraScanner( rules=rules, address_space=self.addr_space) for hit, address in scanner.scan(start_offset=kernel_start): yield (None, address, hit, scanner.address_space.zread(address, 64)) else: # Scan each process memory block for task in pstasks.mac_tasks(self._config).calculate(): scanner = MapYaraScanner(task=task, rules=rules) for hit, address in scanner.scan(): yield (task, address, hit, scanner.address_space.zread(address, 64))
def calculate(self): linux_common.set_plugin_members(self) ## the start of kernel memory taken from VolatilityLinuxIntelValidAS if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": kernel_start = 0xc0000000 pack_size = 4 pack_fmt = "<I" else: kernel_start = 0xffffffff80000000 pack_size = 8 pack_fmt = "<Q" checks = [ self.check_family, self.check_proto, self.check_socket_back_pointer, self.check_pointers ] destruct_offset = self.addr_space.profile.get_obj_offset( "sock", "sk_destruct") # sk_destruct pointer value of sock func_addr = self.addr_space.profile.get_symbol("inet_sock_destruct") vals = [] # convert address into a yara hex rule for bit in range(pack_size): idx = (pack_size - bit - 1) * 8 mask = 0xff << idx val = ((func_addr & mask) >> idx) & 0xff vals.insert(0, val) s = "{" + " ".join(["%.02x" % v for v in vals]) + " }" rules = yara.compile( sources={'n': 'rule r1 {strings: $a = ' + s + ' condition: $a}'}) scanner = malfind.DiscontigYaraScanner(rules=rules, address_space=self.addr_space) for _, address in scanner.scan(start_offset=kernel_start): base_address = address - destruct_offset i = obj.Object("inet_sock", offset=base_address, vm=self.addr_space) valid = True for check in checks: if check(i) == False: valid = False break if valid: state = i.state if i.protocol == "TCP" else "" family = i.sk.__sk_common.skc_family #pylint: disable-msg=W0212 sport = i.src_port dport = i.dst_port saddr = i.src_addr daddr = i.dst_addr yield (i, i.protocol, saddr, sport, daddr, dport, state)