def get_alloc(self, addr_space):
'''
Mimics volatility's connections, sockets. and netscan plugins.
'''
import volatility.utils as utils
addr_space = utils.load_as(self.vol.config)
if self.is_post_XP_profile(addr_space.profile):
# mimic Volatility netscan
import volatility.plugins.netscan as netscan
import volatility.utils as utils
nscan = netscan.Netscan(self.vol.config)
for net_object, proto, laddr, lport, raddr, rport, state in nscan.calculate():
#yield Connection(net_object, proto, laddr, lport, raddr, rport, state, )
yield Connection(hex(net_object.obj_offset), str(net_object.Owner.UniqueProcessId), str(laddr), str(lport), str(raddr), str(rport), str(proto), '', str(state), str(net_object.CreateTime), str(net_object.Owner.ImageFileName))
elif self.is_XP_profile(addr_space.profile):
import volatility.plugins.connections as connections
for tcp_obj in connections.Connections(self.vol.config).calculate():
#yield Connection(conn, True, self.get_offset(conn, True))
yield Connection(self.get_offset(tcp_obj), str(tcp_obj.Pid), str(tcp_obj.LocalIpAddress), str(tcp_obj.LocalPort), str(tcp_obj.RemoteIpAddress), str(tcp_obj.RemotePort), '', '', '', '', '', 'True')
import volatility.win32.network as network
import volatility.protos as protos
for sock in network.determine_sockets(addr_space):
#yield Connection(sock, True, self.get_offset(sock, True))
yield Connection(offset=self.get_offset(sock), pid=str(sock.Pid), local_ip=str(sock.LocalIpAddress), local_port=str(sock.LocalPort), proto=str(protos.protos.get(sock.Protocol.v(), "-")), protocol=str(sock.Protocol), created=str(sock.CreateTime), allocated='True')
else:
import sys
sys.stderr.write("connections plugin does not support %s\n" % self.vol.config.get_value('profile'))
def calculate_ip(self):
addr_space = utils.load_as(self._config)
version = (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
conns = []
if version[0] == 5:
data = connscan.ConnScan(self._config).calculate()
for conn in data:
element = []
element.append(str(conn.RemoteIpAddress))
element.append(conn.Pid)
conns.append(element)
else:
data = netscan.Netscan(self._config).calculate()
for net_object, proto, laddr, lport, raddr, rport, state in data:
element = []
element.append("{0}:{1}".format(raddr, rport))
element.append(net_object.Owner.UniqueProcessId)
conns.append(element)
seen = set()
for remote, pid in conns:
whitelisted = False
owner = "Pid {0}".format(pid)
ipaddr = remote.split(":")[0]
matches = re.findall('^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$', ipaddr)
if len(matches) > 0:
ip = matches[0]
with open(self._config.WHITELIST_FILE) as f:
for line in f:
if ip.endswith(line.strip()):
whitelisted = True
break
if whitelisted:
continue
if ip not in seen:
seen.add(ip)
bluecoat = self.sitereview(ip, self._config.SOCKS5_HOST,
self._config.SOCKS5_PORT)
vt = self.virustotal(ip, self._config.SOCKS5_HOST,
self._config.SOCKS5_PORT)
msp = self.misp(ip, "ip-dst")
yield owner, bluecoat, vt, msp, ip
]:
self.suspicious[line] = {
"reason": "LOGIN FAILURE",
"color": "TAN"
}
if fields[1].lower(
) == "osession.evt" and fields[5] == 7003:
self.suspicious[line] = {
"reason": "OFFICE APPLICATION FAILURE",
"color": "TAN"
}
elif version <= (6, 1):
# Vista+
nets = []
if "Socket" in self._config.TYPE:
nets = netscan.Netscan(self._config).calculate()
for net_object, proto, laddr, lport, raddr, rport, state in nets:
conn = "{0}:{1} -> {2}:{3}".format(laddr, lport, raddr, rport)
line = "[{6}NETWORK CONNECTION]{0} {2}{0} {1}/{3}/{4}/{5:<#10x}".format(
"" if body else "|", net_object.Owner.UniqueProcessId,
conn, proto, state, net_object.obj_offset,
self._config.MACHINE)
yield self.getoutput(line, net_object.CreateTime, body=body)
if detections and net_object.Owner.UniqueProcessId.v(
) in self.suspiciouspids.keys():
suspiciousline = "{0}/{1}/{2}/{3:<#10x}".format(
net_object.Owner.UniqueProcessId, proto, state,
net_object.obj_offset)
self.suspicious[suspiciousline] = {
"reason":
def calculate(self):
if self._config.OUTPUT == "xlsx" and not has_openpyxl:
debug.error(
"You must install OpenPyxl for xlsx format:\n\thttps://bitbucket.org/ericgazoni/openpyxl/wiki/Home"
)
elif self._config.OUTPUT == "xlsx" and not self._config.OUTPUT_FILE:
debug.error(
"You must specify an output *.xlsx file!\n\t(Example: --output-file=OUTPUT.xlsx)"
)
if (self._config.HIVE
or self._config.USER) and not (self._config.REGISTRY):
debug.error(
"You must use -R/--registry in conjuction with -H/--hive and/or -U/--user"
)
addr_space = utils.load_as(self._config)
version = (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
pids = {} #dictionary of process IDs/ImageFileName
offsets = [] #process offsets
im = imageinfo.ImageInfo(self._config).get_image_time(addr_space)
body = False
if self._config.OUTPUT == "body":
body = True
if not body:
event = "{0}|[END LIVE RESPONSE]\n".format(im['ImageDatetime'])
else:
event = "0|[END LIVE RESPONSE]|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
im['ImageDatetime'].v())
yield event
# Get EPROCESS
psscan = filescan.PSScan(self._config).calculate()
for eprocess in psscan:
if eprocess.obj_offset not in offsets:
offsets.append(eprocess.obj_offset)
if not body:
line = "{0}|{1}|{2}|{3}|{4}|{5}|0x{6:08x}||\n".format(
eprocess.CreateTime or '-1', "[PROCESS]",
eprocess.ImageFileName, eprocess.UniqueProcessId,
eprocess.InheritedFromUniqueProcessId, eprocess.ExitTime
or '', eprocess.obj_offset)
else:
line = "0|[PROCESS] {2}/PID: {3}/PPID: {4}/POffset: 0x{5:08x}|0|---------------|0|0|0|{0}|{1}|{0}|{0}\n".format(
eprocess.CreateTime.v(), eprocess.ExitTime.v(),
eprocess.ImageFileName, eprocess.UniqueProcessId,
eprocess.InheritedFromUniqueProcessId, eprocess.obj_offset)
pids[eprocess.UniqueProcessId.v()] = eprocess.ImageFileName
yield line
# Get Sockets and Evtlogs XP/2k3 only
if addr_space.profile.metadata.get('major', 0) == 5:
socks = sockets.Sockets(self._config).calculate()
#socks = sockscan.SockScan(self._config).calculate() # you can use sockscan instead if you uncomment
for sock in socks:
la = "{0}:{1}".format(sock.LocalIpAddress, sock.LocalPort)
if not body:
line = "{0}|[SOCKET]|{1}|{2}|Protocol: {3} ({4})|{5:#010x}|||\n".format(
sock.CreateTime, sock.Pid, la, sock.Protocol,
protos.protos.get(sock.Protocol.v(), "-"),
sock.obj_offset)
else:
line = "0|[SOCKET] PID: {1}/LocalIP: {2}/Protocol: {3}({4})/POffset: 0x{5:#010x}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
sock.CreateTime.v(), sock.Pid, la, sock.Protocol,
protos.protos.get(sock.Protocol.v(), "-"),
sock.obj_offset)
yield line
evt = evtlogs.EvtLogs(self._config)
stuff = evt.calculate()
for name, buf in stuff:
for fields in evt.parse_evt_info(name, buf, rawtime=True):
if not body:
line = '{0} |[EVT LOG]|{1}|{2}|{3}|{4}|{5}|{6}|{7}\n'.format(
fields[0], fields[1], fields[2], fields[3],
fields[4], fields[5], fields[6], fields[7])
else:
line = "0|[EVT LOG] {1}/{2}/{3}/{4}/{5}/{6}/{7}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
fields[0].v(), fields[1], fields[2], fields[3],
fields[4], fields[5], fields[6], fields[7])
yield line
else:
# Vista+
nets = netscan.Netscan(self._config).calculate()
for net_object, proto, laddr, lport, raddr, rport, state in nets:
conn = "{0}:{1} -> {2}:{3}".format(laddr, lport, raddr, rport)
if not body:
line = "{0}|[NETWORK CONNECTION]|{1}|{2}|{3}|{4}|{5:<#10x}||\n".format(
str(net_object.CreateTime
or "-1"), net_object.Owner.UniqueProcessId, conn,
proto, state, net_object.obj_offset)
else:
line = "0|[NETWORK CONNECTION] {1}/{2}/{3}/{4}/{5:<#10x}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
net_object.CreateTime.v(),
net_object.Owner.UniqueProcessId, conn, proto, state,
net_object.obj_offset)
yield line
# Get threads
threads = modscan.ThrdScan(self._config).calculate()
for thread in threads:
image = pids.get(thread.Cid.UniqueProcess.v(), "UNKNOWN")
if not body:
line = "{0}|[THREAD]|{1}|{2}|{3}|{4}|||\n".format(
thread.CreateTime or '-1',
image,
thread.Cid.UniqueProcess,
thread.Cid.UniqueThread,
thread.ExitTime or '',
)
else:
line = "0|[THREAD] {2}/PID: {3}/TID: {4}|0|---------------|0|0|0|{0}|{1}|{0}|{0}\n".format(
thread.CreateTime.v(),
thread.ExitTime.v(),
image,
thread.Cid.UniqueProcess,
thread.Cid.UniqueThread,
)
yield line
# now we get to the PE part. All PE's are dumped in case you want to inspect them later
data = moddump.ModDump(self._config).calculate()
for addr_space, procs, mod_base, mod_name in data:
mod_name = str(mod_name or '')
space = tasks.find_space(addr_space, procs, mod_base)
if space != None:
try:
header = procdump.ProcExeDump(self._config).get_nt_header(
space, mod_base)
except ValueError, ve:
continue
try:
if not body:
line = "{0}|[PE Timestamp (module)]|{1}||{2:#010x}|||||\n".format(
header.FileHeader.TimeDateStamp or '-1', mod_name,
mod_base)
else:
line = "0|[PE Timestamp (module)] {1}/Base: {2:#010x}|0|---------------|0|0|0|{0}|{0}|{0}|{0}\n".format(
header.FileHeader.TimeDateStamp.v(), mod_name,
mod_base)
except ValueError, ve:
if not body:
line = "-1|[PE Timestamp (module)]|{0}||{1}|||||\n".format(
mod_name, mod_base)
else:
line = "0|[PE Timestamp (module)] {0}/Base: {1:#010x}|0|---------------|0|0|0|0|0|0|0\n".format(
mod_name, mod_base)
yield line
def __findConnections(self):
self.connections = {}
conn = namedtuple("aconn", [
'localAddr', 'localPort', 'proto', 'type', 'ctime', 'remoteAddr',
'remotePort', 'state'
])
if self._aspace.profile.metadata.get('major', 0) == 6:
self.stateinfo = "Step {:<2d} / {:<2d}: Connections -- NetScan".format(
self.__step, self.__steps)
for net_object, proto, laddr, lport, raddr, rport, state in netscan.Netscan(
self._config).calculate():
if proto.startswith("UDP"):
raddr = rport = None
if not self.connections.has_key(
long(net_object.Owner.UniqueProcessId)):
self.connections[long(
net_object.Owner.UniqueProcessId)] = [
conn(laddr, lport, None, proto,
net_object.CreateTime or None, raddr, rport,
state)
]
else:
self.connections[long(
net_object.Owner.UniqueProcessId)].append(
conn(laddr, lport, None, proto,
net_object.CreateTime or None, raddr, rport,
state))
else:
socks = {}
conns = {}
self.stateinfo = "Step {:<2d} / {:<2d}: Connections -- ConnScan".format(
self.__step, self.__steps)
for tcp_obj in connscan.ConnScan(self._config).calculate():
if not conns.has_key(long(tcp_obj.Pid)):
conns[long(tcp_obj.Pid)] = {
long(tcp_obj.LocalPort): [tcp_obj]
}
elif not conns[long(tcp_obj.Pid)].has_key(
long(tcp_obj.LocalPort)):
conns[long(tcp_obj.Pid)][long(
tcp_obj.LocalPort)] = [tcp_obj]
else:
conns[long(tcp_obj.Pid)][long(
tcp_obj.LocalPort)].append(tcp_obj)
self.stateinfo = "Step {:<2d} / {:<2d}: Connections -- SockScan".format(
self.__step, self.__steps)
for sock_obj in sockscan.SockScan(self._config).calculate():
if not socks.has_key(long(sock_obj.Pid)):
socks[long(sock_obj.Pid)] = [sock_obj]
else:
socks[long(sock_obj.Pid)].append(sock_obj)
for pid in socks:
pconns = []
for sock_obj in socks[pid]:
if conns.has_key(pid) and conns[pid].has_key(
long(sock_obj.LocalPort)):
for tcp_obj in conns[pid][long(sock_obj.LocalPort)]:
pconns.append(
conn(
tcp_obj.LocalIpAddress, tcp_obj.LocalPort,
sock_obj.Protocol,
protos.protos.get(sock_obj.Protocol.v(),
"-"),
sock_obj.CreateTime,
tcp_obj.RemoteIpAddress,
tcp_obj.RemotePort, None))
del conns[pid][long(sock_obj.LocalPort)]
else:
pconns.append(
conn(sock_obj.LocalIpAddress, sock_obj.LocalPort,
sock_obj.Protocol,
protos.protos.get(sock_obj.Protocol.v(), "-"),
sock_obj.CreateTime, None, None, None))
self.connections[pid] = pconns
for pid in conns:
if len(conns[pid]):
for port in conns[pid]:
for tcp_obj in conns[pid][port]:
if self.connections.has_key(pid):
self.connections[pid].append(
conn(tcp_obj.LocalIpAddress,
tcp_obj.LocalPort, 6, "TCP", None,
tcp_obj.RemoteIpAddress,
tcp_obj.RemotePort, None))
else:
self.connections[pid] = [
conn(tcp_obj.LocalIpAddress,
tcp_obj.LocalPort, 6, "TCP", None,
tcp_obj.RemoteIpAddress,
tcp_obj.RemotePort, None)
]
if debug:
for pid in self.connections:
print "PID", pid
for pconn in self.connections[pid]:
print "\t", pconn
self.__step += 1
def calculate(self):
if (self._config.HIVE
or self._config.USER) and "Registry" not in self._config.TYPE:
debug.error(
"You must use --registry in conjuction with -H/--hive and/or -U/--user"
)
if self._config.TYPE != None:
for t in self._config.TYPE.split(","):
if t.strip() not in self.types and t.strip() != "Registry":
debug.error(
"You have entered an incorrect type: {0}".format(t))
addr_space = utils.load_as(self._config)
version = (
addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0),
)
pids = {} # dictionary of process IDs/ImageFileName
body = False
if self._config.OUTPUT == "body":
body = True
if self._config.MACHINE != "":
self._config.update("MACHINE", "{0} ".format(self._config.MACHINE))
if "ImageDate" in self._config.TYPE:
im = imageinfo.ImageInfo(self._config).get_image_time(addr_space)
yield self.getoutput(
"[{0}LIVE RESPONSE]{1} (System time){1}".format(
self._config.MACHINE, "" if body else "|"),
im['ImageDatetime'],
body=body,
)
if version <= (6, 1) and "IEHistory" in self._config.TYPE:
self._config.update("LEAK", True)
data = iehistory.IEHistory(self._config).calculate()
for process, record in data:
## Extended fields are available for these records
if record.obj_name == "_URL_RECORD":
line = "[{6}IEHISTORY]{0} {1}->{5}{0} PID: {2}/Cache type \"{3}\" at {4:#x}".format(
"" if body else "|",
process.ImageFileName,
process.UniqueProcessId,
record.Signature,
record.obj_offset,
record.Url,
self._config.MACHINE,
)
yield self.getoutput(
line,
record.LastModified,
end=record.LastAccessed,
body=body,
)
self._config.remove_option("REDR")
self._config.remove_option("LEAK")
psx = []
if ("Process" in self._config.Type
or "TimeDateStamp" in self._config.Type
or "LoadTime" in self._config.Type
or "_CM_KEY_BODY" in self._config.Type):
psx = psxview.PsXview(self._config).calculate()
for offset, eprocess, ps_sources in psx:
pids[eprocess.UniqueProcessId.v()] = eprocess.ImageFileName
if "Process" in self._config.TYPE:
line = "[{5}PROCESS]{0} {1}{0} PID: {2}/PPID: {3}/POffset: 0x{4:08x}".format(
"" if body else "|",
eprocess.ImageFileName,
eprocess.UniqueProcessId,
eprocess.InheritedFromUniqueProcessId,
offset,
self._config.MACHINE,
)
yield self.getoutput(line,
eprocess.CreateTime,
end=eprocess.ExitTime,
body=body)
if not hasattr(eprocess.obj_vm, "vtop"):
eprocess = taskmods.DllList(
self._config).virtual_process_from_physical_offset(
addr_space, eprocess.obj_offset)
if eprocess == None:
continue
else:
ps_ad = eprocess.get_process_address_space()
if ps_ad == None:
continue
if version[0] == 5 and "Process" in self._config.TYPE:
line = "[{5}PROCESS LastTrimTime]{0} {1}{0} PID: {2}/PPID: {3}/POffset: 0x{4:08x}".format(
"" if body else "|",
eprocess.ImageFileName,
eprocess.UniqueProcessId,
eprocess.InheritedFromUniqueProcessId,
offset,
self._config.MACHINE,
)
yield self.getoutput(line, eprocess.Vm.LastTrimTime, body=body)
if (eprocess.ObjectTable.HandleTableList
and "_CM_KEY_BODY" in self._config.TYPE):
for handle in eprocess.ObjectTable.handles():
if not handle.is_valid():
continue
name = ""
object_type = handle.get_object_type()
if object_type == "Key":
key_obj = handle.dereference_as("_CM_KEY_BODY")
name = key_obj.full_key_name()
line = "[{6}Handle (Key)]{0} {1}{0} {2} PID: {3}/PPID: {4}/POffset: 0x{5:08x}".format(
"" if body else "|",
name,
eprocess.ImageFileName,
eprocess.UniqueProcessId,
eprocess.InheritedFromUniqueProcessId,
offset,
self._config.MACHINE,
)
yield self.getoutput(
line,
key_obj.KeyControlBlock.KcbLastWriteTime,
body=body,
)
if eprocess.Peb == None or eprocess.Peb.ImageBaseAddress == None:
continue
# Get DLL PE timestamps for Wow64 processes (excluding 64-bit ones)
if eprocess.IsWow64 and "TimeDateStamp" in self._config.TYPE:
for vad, address_space in eprocess.get_vads(
vad_filter=eprocess._mapped_file_filter):
if vad.FileObject.FileName:
name = str(vad.FileObject.FileName).lower()
basename = ntpath.basename(name)
if not basename.endswith("dll") or basename in [
"wow64cpu.dll",
"ntdll.dll",
"wow64.dll",
"wow64win.dll",
]:
continue
data = ps_ad.zread(vad.Start, vad.Length)
bufferas = addrspace.BufferAddressSpace(self._config,
data=data)
try:
pe_file = obj.Object("_IMAGE_DOS_HEADER",
offset=0,
vm=bufferas)
header = pe_file.get_nt_header()
except ValueError as ve:
continue
line = "[{7}PE HEADER 32-bit (dll)]{0} {4}{0} Process: {1}/PID: {2}/PPID: {3}/Process POffset: 0x{5:08x}/DLL Base: 0x{6:08x}".format(
"" if body else "|",
eprocess.ImageFileName,
eprocess.UniqueProcessId,
eprocess.InheritedFromUniqueProcessId,
basename,
offset,
vad.Start,
self._config.MACHINE,
)
yield self.getoutput(line,
header.FileHeader.TimeDateStamp,
body=body)
# get DLL PE timestamps
mods = dict()
if ("TimeDateStamp" in self._config.TYPE
or "LoadTime" in self._config.TYPE):
mods = dict((mod.DllBase.v(), mod)
for mod in eprocess.get_load_modules())
for mod in list(mods.values()):
basename = str(mod.BaseDllName or "")
if basename == str(eprocess.ImageFileName):
line = "[{7}PE HEADER (exe)]{0} {4}{0} Process: {1}/PID: {2}/PPID: {3}/Process POffset: 0x{5:08x}/DLL Base: 0x{6:08x}".format(
"" if body else "|",
eprocess.ImageFileName,
eprocess.UniqueProcessId,
eprocess.InheritedFromUniqueProcessId,
basename,
offset,
mod.DllBase.v(),
self._config.MACHINE,
)
else:
line = "[{7}PE HEADER (dll)]{0} {4}{0} Process: {1}/PID: {2}/PPID: {3}/Process POffset: 0x{5:08x}/DLL Base: 0x{6:08x}".format(
"" if body else "|",
eprocess.ImageFileName,
eprocess.UniqueProcessId,
eprocess.InheritedFromUniqueProcessId,
basename,
offset,
mod.DllBase.v(),
self._config.MACHINE,
)
if "TimeDateStamp" in self._config.TYPE:
yield self.getoutput(line, mod.TimeDateStamp, body=body)
line2 = "[{7}PE DEBUG]{0} {4}{0} Process: {1}/PID: {2}/PPID: {3}/Process POffset: 0x{5:08x}/DLL Base: 0x{6:08x}".format(
"" if body else "|",
eprocess.ImageFileName,
eprocess.UniqueProcessId,
eprocess.InheritedFromUniqueProcessId,
basename,
offset,
mod.DllBase.v(),
self._config.MACHINE,
)
yield self.getoutput(
line2,
mod.get_debug_directory().TimeDateStamp,
body=body,
)
if (hasattr(mod, "LoadTime")
and "LoadTime" in self._config.TYPE):
temp = line.replace(
"[{0}PE HEADER ".format(self._config.MACHINE),
"[{0}DLL LOADTIME ".format(self._config.MACHINE),
)
yield self.getoutput(temp, mod.LoadTime, body=body)
# Get Sockets and Evtlogs XP/2k3 only
if version[0] == 5:
# socks = sockets.Sockets(self._config).calculate()
socks = []
if "Socket" in self._config.TYPE:
socks = sockscan.SockScan(self._config).calculate(
) # you can use sockscan instead if you uncomment
for sock in socks:
la = "{0}:{1}".format(sock.LocalIpAddress, sock.LocalPort)
line = "[{6}SOCKET]{0} LocalIP: {2}/Protocol: {3}({4}){0} PID: {1}/POffset: 0x{5:#010x}".format(
"" if body else "|",
sock.Pid,
la,
sock.Protocol,
protos.protos.get(sock.Protocol.v(), "-"),
sock.obj_offset,
self._config.MACHINE,
)
yield self.getoutput(line, sock.CreateTime, body=body)
stuff = []
if "EvtLog" in self._config.TYPE:
evt = evtlogs.EvtLogs(self._config)
stuff = evt.calculate()
for name, buf in stuff:
for fields in evt.parse_evt_info(name, buf, rawtime=True):
line = "[{8}EVT LOG]{0} {1}{0} {2}/{3}/{4}/{5}/{6}/{7}".format(
"" if body else "|",
fields[1],
fields[2],
fields[3],
fields[4],
fields[5],
fields[6],
fields[7],
self._config.MACHINE,
)
yield self.getoutput(line, fields[0], body=body)
elif version <= (6, 1):
# Vista+
nets = []
if "Socket" in self._config.TYPE:
nets = netscan.Netscan(self._config).calculate()
for net_object, proto, laddr, lport, raddr, rport, state in nets:
if net_object.CreateTime.v() == 0:
continue
if raddr == "*" and rport == "*":
conn = "{0}:{1}".format(laddr, lport)
socket_type = "SOCKET"
else:
conn = "{0}:{1} -> {2}:{3}".format(laddr, lport, raddr,
rport)
socket_TYPE = "CONNECTION"
line = (
"[{6}NETWORK {7}]{0} {2}{0} {1}/{3}/{4}/{5:<#10x}".format(
"" if body else "|",
net_object.Owner.UniqueProcessId,
conn,
proto,
state,
net_object.obj_offset,
self._config.MACHINE,
socket_type,
))
yield self.getoutput(line, net_object.CreateTime, body=body)
# Get threads
threads = []
if "Thread" in self._config.TYPE:
threads = modscan.ThrdScan(self._config).calculate()
for thread in threads:
image = pids.get(thread.Cid.UniqueProcess.v(), "UNKNOWN")
line = "[{4}THREAD]{0} {1}{0} PID: {2}/TID: {3}".format(
"" if body else "|",
image,
thread.Cid.UniqueProcess,
thread.Cid.UniqueThread,
self._config.MACHINE,
)
yield self.getoutput(line,
thread.CreateTime,
end=thread.ExitTime,
body=body)
data = []
if "Symlink" in self._config.TYPE:
data = filescan.SymLinkScan(self._config).calculate()
for link in data:
objct = link.get_object_header()
line = "[{6}SYMLINK]{0} {1}->{2}{0} POffset: {3}/Ptr: {4}/Hnd: {5}".format(
"" if body else "|",
str(objct.NameInfo.Name or ''),
str(link.LinkTarget or ''),
link.obj_offset,
objct.PointerCount,
objct.HandleCount,
self._config.MACHINE,
)
yield self.getoutput(line, link.CreationTime, body=body)
data = []
if "TimeDateStamp" in self._config.TYPE:
data = moddump.ModDump(self._config).calculate()
for aspace, procs, mod_base, mod_name in data:
mod_name = str(mod_name or '')
space = tasks.find_space(aspace, procs, mod_base)
if space != None:
try:
pe_file = obj.Object("_IMAGE_DOS_HEADER",
offset=mod_base,
vm=space)
header = pe_file.get_nt_header()
except ValueError as ve:
continue
line = (
"[{3}PE HEADER (module)]{0} {1}{0} Base: {2:#010x}".format(
"" if body else "|",
mod_name,
mod_base,
self._config.MACHINE,
))
yield self.getoutput(line,
header.FileHeader.TimeDateStamp,
body=body)
uastuff = []
if "Userassist" in self._config.TYPE:
uastuff = userassist.UserAssist(self._config).calculate()
for win7, reg, key in uastuff:
ts = "{0}".format(key.LastWriteTime)
for v in rawreg.values(key):
tp, dat = rawreg.value_data(v)
subname = v.Name
if tp == 'REG_BINARY':
dat_raw = dat
try:
subname = codecs.encode(subname, 'rot_13')
except UnicodeDecodeError:
pass
if win7:
guid = subname.split("\\")[0]
if guid in userassist.folder_guids:
subname = subname.replace(
guid, userassist.folder_guids[guid])
bufferas = addrspace.BufferAddressSpace(self._config,
data=dat_raw)
uadata = obj.Object("_VOLUSER_ASSIST_TYPES",
offset=0,
vm=bufferas)
ID = "N/A"
count = "N/A"
fc = "N/A"
tf = "N/A"
lw = "N/A"
if (len(dat_raw) < bufferas.profile.get_obj_size(
'_VOLUSER_ASSIST_TYPES') or uadata == None):
continue
else:
if hasattr(uadata, "ID"):
ID = "{0}".format(uadata.ID)
if hasattr(uadata, "Count"):
count = "{0}".format(uadata.Count)
else:
count = "{0}".format(
uadata.CountStartingAtFive
if uadata.CountStartingAtFive < 5 else
uadata.CountStartingAtFive - 5)
if hasattr(uadata, "FocusCount"):
seconds = (uadata.FocusTime + 500) / 1000.0
time = (datetime.timedelta(seconds=seconds)
if seconds > 0 else uadata.FocusTime)
fc = "{0}".format(uadata.FocusCount)
tf = "{0}".format(time)
lw = "{0}".format(uadata.LastUpdated)
subname = subname.replace("|", "%7c")
line = "[{7}USER ASSIST]{0} {2}{0} Registry: {1}/ID: {3}/Count: {4}/FocusCount: {5}/TimeFocused: {6}".format(
"" if body else "|",
reg,
subname,
ID,
count,
fc,
tf,
self._config.MACHINE,
)
yield self.getoutput(line, uadata.LastUpdated, body=body)
shimdata = []
if "Shimcache" in self._config.TYPE:
shimdata = shimcache.ShimCache(self._config).calculate()
for path, lm, lu in shimdata:
line = "[{2}SHIMCACHE]{0} {1}{0} ".format("" if body else "|",
path,
self._config.MACHINE)
if lu:
yield self.getoutput(line, lm, end=lu, body=body)
else:
yield self.getoutput(line, lm, body=body)
if ("_HBASE_BLOCK" in self._config.TYPE
or "_CMHIVE" in self._config.TYPE
or "Registry" in self._config.TYPE):
regapi = registryapi.RegistryApi(self._config)
for o in regapi.all_offsets:
if "_HBASE_BLOCK" in self._config.TYPE:
line = "[{2}_HBASE_BLOCK TimeStamp]{0} {1}{0} ".format(
"" if body else "|",
regapi.all_offsets[o],
self._config.MACHINE,
)
h = obj.Object("_HHIVE", o, addr_space)
yield self.getoutput(line,
h.BaseBlock.TimeStamp,
body=body)
if ("_CMHIVE" in self._config.TYPE and version[0] == 6 and
addr_space.profile.metadata.get('build', 0) >= 7601):
line = (
line) = "[{2}_CMHIVE LastWriteTime]{0} {1}{0} ".format(
"" if body else "|",
regapi.all_offsets[o],
self._config.MACHINE,
)
cmhive = obj.Object("_CMHIVE", o, addr_space)
yield self.getoutput(line, cmhive.LastWriteTime, body=body)
if "Registry" in self._config.TYPE:
regapi.reset_current()
regdata = regapi.reg_get_all_keys(self._config.HIVE,
self._config.USER,
reg=True,
rawtime=True)
for lwtime, reg, item in regdata:
item = item.replace("|", "%7c")
line = "[{3}REGISTRY]{0} {2}{0} Registry: {1}".format(
"" if body else "|", reg, item, self._config.MACHINE)
yield self.getoutput(line, lwtime, body=body)
if "Timer" in self._config.TYPE:
volmagic = obj.VolMagic(addr_space)
KUSER_SHARED_DATA = obj.Object(
"_KUSER_SHARED_DATA",
offset=volmagic.KUSER_SHARED_DATA.v(),
vm=addr_space,
)
interrupt = (KUSER_SHARED_DATA.InterruptTime.High1Time <<
32) | KUSER_SHARED_DATA.InterruptTime.LowPart
now = KUSER_SHARED_DATA.SystemTime.as_windows_timestamp()
data = timers.Timers(self._config).calculate()
for timer, module in data:
signaled = "-"
if timer.Header.SignalState.v():
signaled = "Yes"
module_name = "UNKNOWN"
if module:
module_name = str(module.BaseDllName or '')
try:
# human readable time taken from http://computer.forensikblog.de/en/2011/10/timers-and-times.html
bufferas = addrspace.BufferAddressSpace(
self._config,
data=struct.pack(
'<Q', timer.DueTime.QuadPart - interrupt + now),
)
due_time = obj.Object("WinTimeStamp",
is_utc=True,
offset=0,
vm=bufferas)
except TypeError:
due_time = 0
line = "[{6}TIMER]{0} {1}{0} Signaled: {2}/Routine: 0x{3:x}/Period(ms): {4}/Offset: 0x{5:x}".format(
"" if body else "|",
module_name,
signaled,
timer.Dpc.DeferredRoutine,
timer.Period,
timer.obj_offset,
self._config.MACHINE,
)
yield self.getoutput(line, due_time, body=body)