示例#1
0
    def calculate(self):
        """
        Use the volatility registry API to enumerate the
        Services registry key based on the last modified time stamp
        :return:
        """

        # Set up our registry api instance
        reg_api = registryapi.RegistryApi(self._config)
        key = "ControlSet001\\Services"

        # Pull the ControlSet001\Services registry sub-keys
        sub_keys = reg_api.reg_get_all_subkeys("system", key)
        services = dict((s.Name, int(s.LastWriteTime)) for s in sub_keys)

        # Sort them by their last modified timestamp, in descending order
        times = sorted(set(services.values()), reverse=True)

        # Pull the service info from the registry using SvcScanner
        svc_scanner = svcscan.SvcScan(self._config)
        service_info = svc_scanner.get_service_info(reg_api)

        # only return a subset of the Service last write times
        top_five = times[0:5]
        return [top_five, services, service_info]
示例#2
0
    def calculate(self):
        """
        Use the volatility registry API to enumerate the
        Services registry key based on the last modified time stamp
        :return [top_five, services, service_info]:
        """

        # Set up our registry api instance
        reg_api = registryapi.RegistryApi(self._config)
        key = "ControlSet001\\Services"

        # Pull the ControlSet001\Services registry sub-keys
        sub_keys = reg_api.reg_get_all_subkeys("system", key)

        # collect the name and the last write timestamp of the service
        services = dict((s.Name, int(s.LastWriteTime)) for s in sub_keys)

        # De-duped list of times from the Service registry sub keys
        times = sorted(set([ts for ts in services.values()]))

        # confirm that the start timestamp is within the timeline
        start = 0

        # Did the user provide a time window?
        if self._config.START_TIME:
            try:
                start = int(
                    time.mktime(
                        datetime.datetime.strptime(self._config.START_TIME,
                                                   "%m/%d/%Y").timetuple()))
            except ValueError:
                print("Please enter date in correct format:  mm/dd/YYYY")
                sys.exit(1)

            # Start time outside of the provided range?
            if start <= times[0]:
                start = times[0]
            elif start >= times[len(times) - 1]:
                start = times[len(times) - 1]

            # Get timestamps only on the provided day
            times = [
                t for t in times if time.gmtime(t)[7] == time.gmtime(start)[7]
            ]

        # Pull the service info from the registry using SvcScanner
        svc_scanner = svcscan.SvcScan(self._config)
        service_info = svc_scanner.get_service_info(reg_api)

        # grab only the top five (or top n) timestamps from the services dict
        if self._config.N_TIMES:
            n = self._config.N_TIMES
            if n > len(times):
                n = len(times)
            top_five = sorted(times, reverse=True)[0:n]
        else:
            top_five = sorted(times, reverse=True)[0:5]

        return [top_five, services, service_info, start]
示例#3
0
    def calculate(self):

        addr_space = utils.load_as(self._config)
        tasks = win32.tasks.pslist(addr_space)
        scanner = svcscan.SvcScan(self._config)

        for service in scanner.calculate():
            yield service
示例#4
0
  def get_scan(self):
      '''
      Mimics volatiltiy's svcscan - scans the memory image carving out objects
      which look like Windows processes.
      '''
      import volatility.plugins.malware.svcscan as svcscan
      import volatility.plugins.registry.registryapi as registryapi
      
      regapi = registryapi.RegistryApi(self.vol.config)
      ccs = regapi.reg_get_currentcontrolset()
      
      for rec in svcscan.SvcScan(self.vol.config).calculate():
          svcdll = regapi.reg_get_value(
                        hive_name = "system", 
                        key = "{0}\\services\\{1}\\Parameters".format(ccs, rec.ServiceName.dereference()), 
                        value = "ServiceDll")
 
          yield Service(rec, svcdll, str(hex(rec.obj_offset)))
示例#5
0
    def calculate(self):
        addr_space = utils.load_as(self._config)

        # we currently don't use this on x64 because for some reason the 
        # x64 version actually doesn't create a DisplayVersion value 
        memory_model = addr_space.profile.metadata.get('memory_model')
        if memory_model == '32bit':
            regapi = registryapi.RegistryApi(self._config)
            regapi.reset_current()
            regapi.set_current(hive_name = "software")
            x86key = "Microsoft\\Windows\\CurrentVersion\\Uninstall"
            x64key = "Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall"
            for subkey in regapi.reg_get_all_subkeys(None, key = x86key):
                if str(subkey.Name) == "TrueCrypt":
                    subpath = x86key + "\\" + subkey.Name
                    version = regapi.reg_get_value("software", 
                                            key = subpath, 
                                            value = "DisplayVersion")
                    if version:
                        yield "Registry Version", "{0} Version {1}".format(
                            str(subkey.Name),
                            version)

        scanner = TrueCryptPassphrase(self._config)
        for offset, passphrase in scanner.calculate():
            yield "Password", "{0} at offset {1:#x}".format(
                        passphrase, offset)

        for proc in tasks.pslist(addr_space):
            if str(proc.ImageFileName).lower() == "truecrypt.exe":     
                yield "Process", "{0} at {1:#x} pid {2}".format(
                        proc.ImageFileName,
                        proc.obj_offset, 
                        proc.UniqueProcessId)   

        scanner = svcscan.SvcScan(self._config)
        for service in scanner.calculate():
            name = str(service.ServiceName.dereference())
            if name == "truecrypt":
                yield "Service", "{0} state {1}".format(
                        name, 
                        service.State)

        for mod in modules.lsmod(addr_space):
            basename = str(mod.BaseDllName or '').lower()
            fullname = str(mod.FullDllName or '').lower()
            if (basename.endswith("truecrypt.sys") or 
                        fullname.endswith("truecrypt.sys")):
                yield "Kernel Module",  "{0} at {1:#x} - {2:#x}".format(
                        mod.BaseDllName, 
                        mod.DllBase, 
                        mod.DllBase + mod.SizeOfImage)

        scanner = filescan.SymLinkScan(self._config)
        for symlink in scanner.calculate():
            object_header = symlink.get_object_header()
            if "TrueCryptVolume" in str(symlink.LinkTarget or ''):
                yield "Symbolic Link", "{0} -> {1} mounted {2}".format(
                        str(object_header.NameInfo.Name or ''), 
                        str(symlink.LinkTarget or ''), 
                        str(symlink.CreationTime or ''))

        scanner = filescan.FileScan(self._config)
        for fileobj in scanner.calculate():
            filename = str(fileobj.file_name_with_device() or '')
            if "TrueCryptVolume" in filename:
                yield "File Object", "{0} at {1:#x}".format(
                        filename,
                        fileobj.obj_offset)
        
        scanner = filescan.DriverScan(self._config)
        for driver in scanner.calculate():
            object_header = driver.get_object_header() 
            driverext = driver.DriverExtension
            drivername = str(driver.DriverName or '')
            servicekey = str(driverext.ServiceKeyName or '')
            if (drivername.endswith("truecrypt") or 
                        servicekey.endswith("truecrypt")):
                yield "Driver", "{0} at {1:#x} range {2:#x} - {3:#x}".format(
                        drivername, 
                        driver.obj_offset, 
                        driver.DriverStart, 
                        driver.DriverStart + driver.DriverSize)
                for device in driver.devices():
                    header = device.get_object_header()
                    devname = str(header.NameInfo.Name or '')
                    type = devicetree.DEVICE_CODES.get(device.DeviceType.v())
                    yield "Device", "{0} at {1:#x} type {2}".format(
                        devname or "<HIDDEN>", 
                        device.obj_offset, 
                        type or "UNKNOWN")
                    if type == "FILE_DEVICE_DISK":
                        data = addr_space.read(device.DeviceExtension, 2000)
                        ## the file-hosted container path. no other fields in
                        ## the struct are character based, so we should not 
                        ## hit false positives on this scan. 
                        offset = data.find("\\\x00?\x00?\x00\\\x00")
                        if offset == -1:
                            container = "<HIDDEN>"
                        else:
                            container = obj.Object("String", length = 255, 
                                        offset = device.DeviceExtension + offset, 
                                        encoding = "utf16",
                                        vm = addr_space)
                        yield "Container", "Path: {0}".format(container)