Python volatility.utils.Hexdump() Examples

The following are 30 code examples of volatility.utils.Hexdump(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module volatility.utils , or try the search function .
Example #1
Source File: auditpol.py    From vortessence with GNU General Public License v2.0 6 votes vote down vote up
def generator(self, data):
        first = True
        for data_raw, ap in data:
            if first and hasattr(ap, "Enabled"):
                first = False
                audit = "Disabled"
                if int(ap.Enabled) != 0:
                    audit = "Enabled"
                yield (0, ["GeneralAuditing", audit])
            for k in ap.members.keys():
                if k != "Enabled":
                    yield (0, ["{0}".format(k), "{0}".format(ap.m(k))])

            if self._config.HEX:
                # for now, not sure how to handle hexdump data
                raw = "\n".join(["{0:010x}: {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(data_raw)])
                print raw 
Example #2
Source File: injections.py    From DAMM with GNU General Public License v2.0 6 votes vote down vote up
def get_alloc(self, addr_space):
        '''
        Mimics the Volatility malfind plugin
        '''
        import volatility.plugins.malware.malfind as malfind
        import volatility.utils as utils

        mfind = malfind.Malfind(self.vol.config)
        for task in mfind.calculate():  
            for vad, address_space in task.get_vads(vad_filter=task._injection_filter):
                if mfind._is_vad_empty(vad, address_space):
                    continue
                content = address_space.zread(vad.Start, 16)    
                content = "{0}".format("\n".join(
                    ["{0:<48}  {1}".format(h, ''.join(c))
                    for o, h, c in utils.Hexdump(content)
                    ]))
                offset = "{0:#x}".format(vad.Start)
                yield Injection(task, vad, offset, content) 
Example #3
Source File: auditpol.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def generator(self, data):
        first = True
        for data_raw, ap in data:
            if first and hasattr(ap, "Enabled"):
                first = False
                audit = "Disabled"
                if int(ap.Enabled) != 0:
                    audit = "Enabled"
                yield (0, ["GeneralAuditing", audit])
            for k in ap.members.keys():
                if k != "Enabled":
                    yield (0, ["{0}".format(k), "{0}".format(ap.m(k))])

            if self._config.HEX:
                # for now, not sure how to handle hexdump data
                raw = "\n".join(["{0:010x}: {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(data_raw)])
                print raw 
Example #4
Source File: auditpol.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def generator(self, data):
        first = True
        for data_raw, ap in data:
            if first and hasattr(ap, "Enabled"):
                first = False
                audit = "Disabled"
                if int(ap.Enabled) != 0:
                    audit = "Enabled"
                yield (0, ["GeneralAuditing", audit])
            for k in ap.members.keys():
                if k != "Enabled":
                    yield (0, ["{0}".format(k), "{0}".format(ap.m(k))])

            if self._config.HEX:
                # for now, not sure how to handle hexdump data
                raw = "\n".join(["{0:010x}: {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(data_raw)])
                print raw 
Example #5
Source File: linux_yarascan.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        for task, address, hit, buf in data:
            if task:
                outfd.write("Task: {0} pid {1} rule {2} addr {3:#x}\n".format(
                    task.comm, task.pid, hit.rule, address))
            else:
                outfd.write("[kernel] rule {0} addr {1:#x}\n".format(hit.rule, address))
            
            outfd.write("".join(["{0:#010x}  {1:<48}  {2}\n".format(
                address + o, h, ''.join(c)) for o, h, c in utils.Hexdump(buf)])) 
Example #6
Source File: tcaudit.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        for device in data:
            ext = device.DeviceExtension.dereference_as("EXTENSION")
            outfd.write("Container: {0}\n".format(ext.wszVolume))
            outfd.write("Hidden Volume: {0}\n".format("Yes" if ext.cryptoInfo.hiddenVolume == 1 else "No"))
            outfd.write("Removable: {0}\n".format("Yes" if ext.bRemovable == 1 else "No"))
            outfd.write("Read Only: {0}\n".format("Yes" if ext.bReadOnly == 1 else "No"))
            outfd.write("Disk Length: {0} (bytes)\n".format(ext.DiskLength))
            outfd.write("Host Length: {0} (bytes)\n".format(ext.HostLength))
            outfd.write("Encryption Algorithm: {0}\n".format(ext.cryptoInfo.ea))
            outfd.write("Mode: {0}\n".format(ext.cryptoInfo.mode))
            outfd.write("Master Key\n")
            key = device.obj_vm.read(ext.cryptoInfo.master_keydata.obj_offset, 64)
            addr = ext.cryptoInfo.master_keydata.obj_offset
            outfd.write("{0}\n".format("\n".join(
                    ["{0:#010x}  {1:<48}  {2}".format(addr + o, h, ''.join(c))
                    for o, h, c in utils.Hexdump(key)
                    ])))
            if self._config.DUMP_DIR:
                if not os.path.isdir(self._config.DUMP_DIR):
                    debug.error("The path {0} is not a valid directory".format(self._config.DUMP_DIR))
                name = "{0:#x}_master.key".format(addr)
                keyfile = os.path.join(self._config.DUMP_DIR, name)
                with open(keyfile, "wb") as handle:
                    handle.write(key)
                outfd.write("Dumped {0} bytes to {1}\n".format(len(key), keyfile))
            outfd.write("\n") 
Example #7
Source File: malfind.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        for task in data:
            proc_as = task.get_process_address_space()

            for vma in task.get_proc_maps():

                if vma.is_suspicious():
                    fname = vma.vm_name(task)
                    if fname == "[vdso]":
                        continue
                   
                    prots = vma.protection()
                    flags = vma.flags()

                    content = proc_as.zread(vma.vm_start, 64)

                    outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
                        task.comm, task.pid, vma.vm_start, fname))

                    outfd.write("Protection: {0}\n".format(prots))

                    outfd.write("Flags: {0}\n".format(str(flags)))
                    outfd.write("\n")

                    outfd.write("{0}\n".format("\n".join(
                        ["{0:#010x}  {1:<48}  {2}".format(vma.vm_start + o, h, ''.join(c))
                        for o, h, c in utils.Hexdump(content)
                        ])))

                    outfd.write("\n")
                    outfd.write("\n".join(
                        ["{0:#x} {1:<16} {2}".format(o, h, i)
                        for o, i, h in malfind.Disassemble(content, vma.vm_start)
                        ]))
                
                    outfd.write("\n\n") 
Example #8
Source File: userassist.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        keyfound = False
        for win7, reg, key in data:
            if key:
                keyfound = True
                outfd.write("----------------------------\n")
                outfd.write("Registry: {0}\n".format(reg))
                outfd.write("Path: {0}\n".format(self.regapi.reg_get_key_path(key)))
                outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
                outfd.write("\n")
                outfd.write("Subkeys:\n")
                for s in self.regapi.reg_get_all_subkeys(None, None, given_root = key):
                    if s.Name == None:
                        outfd.write("  Unknown subkey: " + s.Name.reason + "\n")
                    else:
                        outfd.write("  {0}\n".format(s.Name))
                outfd.write("\n")
                outfd.write("Values:\n")
                for subname, dat in self.regapi.reg_yield_values(None, None, given_root = key, thetype = "REG_BINARY"):
                    dat_raw = dat
                    dat = "\n".join(["{0:#010x}  {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                    try:
                        subname = subname.encode('rot_13')
                    except UnicodeDecodeError:
                        pass
                    if win7:
                        guid = subname.split("\\")[0]
                        if guid in folder_guids:
                            subname = subname.replace(guid, folder_guids[guid])
                    d = self.parse_data(dat_raw)
                    if d != None:
                        dat = "{0}Raw Data:\n{1}".format(d, dat)
                    else:
                        dat = "Raw Data:\n{0}".format(dat)
                    outfd.write("\n{0:13} {1:15} : {2}\n".format("REG_BINARY", subname, dat))
        if not keyfound:
            outfd.write("The requested key could not be found in the hive(s) searched\n") 
Example #9
Source File: printkey.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        outfd.write("Legend: (S) = Stable   (V) = Volatile\n\n")
        keyfound = False
        for reg, key in data:
            if key:
                keyfound = True
                outfd.write("----------------------------\n")
                outfd.write("Registry: {0}\n".format(reg))
                outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
                outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
                outfd.write("\n")
                outfd.write("Subkeys:\n")
                for s in rawreg.subkeys(key):
                    if s.Name == None:
                        outfd.write("  Unknown subkey: " + s.Name.reason + "\n")
                    else:
                        outfd.write("  {1:3s} {0}\n".format(s.Name, self.voltext(s)))
                outfd.write("\n")
                outfd.write("Values:\n")
                for v in rawreg.values(key):
                    tp, dat = rawreg.value_data(v)
                    if tp == 'REG_BINARY' or tp == 'REG_NONE':
                        dat = "\n" + "\n".join(["{0:#010x}  {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                    if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                        dat = dat.encode("ascii", 'backslashreplace')
                    if tp == 'REG_MULTI_SZ':
                        for i in range(len(dat)):
                            dat[i] = dat[i].encode("ascii", 'backslashreplace')
                    outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, v.Name, dat, self.voltext(v)))
        if not keyfound:
            outfd.write("The requested key could not be found in the hive(s) searched\n") 
Example #10
Source File: win32k_core.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def as_hex(self):
        """Format the clipboard contents as a hexdump"""
        data = ''.join([chr(c) for c in self.abData])
        return "".join(["{0:#x}  {1:<48}  {2}\n".format(self.abData.obj_offset + o, h, ''.join(c))
                    for o, h, c in utils.Hexdump(data)]) 
Example #11
Source File: malfind.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):

        if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        for o, addr, hit, content in data:
            outfd.write("Rule: {0}\n".format(hit.rule))

            # Find out if the hit is from user or kernel mode 
            if o == None:
                outfd.write("Owner: (Unknown Kernel Memory)\n")
                filename = "kernel.{0:#x}.dmp".format(addr)
            elif o.obj_name == "_EPROCESS":
                outfd.write("Owner: Process {0} Pid {1}\n".format(o.ImageFileName,
                    o.UniqueProcessId))
                filename = "process.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)
            else:
                outfd.write("Owner: {0}\n".format(o.BaseDllName))
                filename = "kernel.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)

            # Dump the data if --dump-dir was supplied
            if self._config.DUMP_DIR:
                path = os.path.join(self._config.DUMP_DIR, filename)
                fh = open(path, "wb")
                fh.write(content)
                fh.close()

            outfd.write("".join(
                ["{0:#010x}  {1:<48}  {2}\n".format(addr + o, h, ''.join(c))
                for o, h, c in utils.Hexdump(content)
                ]))

#--------------------------------------------------------------------------------
# malfind
#-------------------------------------------------------------------------------- 
Example #12
Source File: zeusscan.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):

        for task, struct_base, key in data:
            hex = "\n".join(["{0:#010x}  {1:<48}  {2}".format(
                            struct_base + 0x2a + o, 
                            h, ''.join(c)) for o, h, c in utils.Hexdump(key)
                            ])
            outfd.write("Process: {0} {1}\n".format(
                task.UniqueProcessId, task.ImageFileName))
            outfd.write(hex)
            outfd.write("\n")

#--------------------------------------------------------------------------------
# Scanner for Zeus >= 2.0 
#-------------------------------------------------------------------------------- 
Example #13
Source File: zeusscan.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def render_extra(self, outfd, task, vad, params):
        """Show any Zeus specific fields"""

        rc4_offset = task.obj_vm.profile.get_obj_offset(self.magic_struct, 'rc4key')
        creds_key = params['decoded_magic'][rc4_offset:rc4_offset + RC4_KEYSIZE]

        outfd.write("{0:<30} : \n{1}\n".format("Credential RC4 key", 
                "\n".join(
                ["{0:#010x}  {1:<48}  {2}".format(vad.Start + o, h, ''.join(c))
                for o, h, c in utils.Hexdump(creds_key)
                ]))) 
Example #14
Source File: extract_commands.py    From writeups with GNU General Public License v3.0 5 votes vote down vote up
def run(vmk):
    proc = find_proc(vmk, 876)       # Get infected svchost process
    if proc is None:
        print 'Failed to find process 876'
        return
    vmp = proc.get_process_address_space()
    n = 0
    with open('cmd_stream.bin', 'wb') as fout:
        for offset, size in vmp.get_available_pages():
            if (offset & 0xffff) != 0:
                continue                # We only want 64kb aligned blocks
            hdr = vmp.read(offset, 8)
            if hdr is None:
                continue
            if len(hdr) != 8:
                continue
            l, cmd = struct.unpack('<LL', hdr)
            if cmd not in cmd_codes:
                continue
            print '%016x: %08x %08x' % (offset, l, cmd)
            pkt = vmp.read(offset, l)
            if len(pkt) != l:
                print 'Failed to read packet'
            else:
#                for ofs, hexchars, chars in utils.Hexdump(pkt[:0x180]):
#                    print '%06x %-48s  %s' % (ofs, hexchars, ''.join(chars))
                fout.write(pkt)
            n += 1
    print '%d command packets extracted' % n 
Example #15
Source File: malfind.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):

        if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        for o, addr, hit, content in data:
            outfd.write("Rule: {0}\n".format(hit.rule))

            # Find out if the hit is from user or kernel mode 
            if o == None:
                outfd.write("Owner: (Unknown Kernel Memory)\n")
                filename = "kernel.{0:#x}.dmp".format(addr)
            elif o.obj_name == "_EPROCESS":
                outfd.write("Owner: Process {0} Pid {1}\n".format(o.ImageFileName,
                    o.UniqueProcessId))
                filename = "process.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)
            else:
                outfd.write("Owner: {0}\n".format(o.BaseDllName))
                filename = "kernel.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)

            # Dump the data if --dump-dir was supplied
            if self._config.DUMP_DIR:
                path = os.path.join(self._config.DUMP_DIR, filename)
                fh = open(path, "wb")
                fh.write(content)
                fh.close()

            outfd.write("".join(
                ["{0:#010x}  {1:<48}  {2}\n".format(addr + o, h, ''.join(c))
                for o, h, c in utils.Hexdump(content)
                ]))

#--------------------------------------------------------------------------------
# malfind
#-------------------------------------------------------------------------------- 
Example #16
Source File: auditpol.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        for data_raw, ap in data:
            if self._config.HEX:
                raw = "\n".join(["{0:010x}: {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(data_raw)])
                outfd.write(raw + "\n\n")
            outfd.write("{0}\n".format(str(ap))) 
Example #17
Source File: linux_yarascan.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def render_text(self, outfd, data):
        for task, address, hit, buf in data:
            if task:
                outfd.write("Task: {0} pid {1} rule {2} addr {3:#x}\n".format(
                    task.comm, task.pid, hit.rule, address))
            else:
                outfd.write("[kernel] rule {0} addr {1:#x}\n".format(hit.rule, address))
            
            outfd.write("".join(["{0:#010x}  {1:<48}  {2}\n".format(
                address + o, h, ''.join(c)) for o, h, c in utils.Hexdump(buf)])) 
Example #18
Source File: printkey.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        outfd.write("Legend: (S) = Stable   (V) = Volatile\n\n")
        keyfound = False
        for reg, key in data:
            if key:
                keyfound = True
                outfd.write("----------------------------\n")
                outfd.write("Registry: {0}\n".format(reg))
                outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
                outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
                outfd.write("\n")
                outfd.write("Subkeys:\n")
                for s in rawreg.subkeys(key):
                    if s.Name == None:
                        outfd.write("  Unknown subkey: " + s.Name.reason + "\n")
                    else:
                        outfd.write("  {1:3s} {0}\n".format(s.Name, self.voltext(s)))
                outfd.write("\n")
                outfd.write("Values:\n")
                for v in rawreg.values(key):
                    tp, dat = rawreg.value_data(v)
                    if tp == 'REG_BINARY' or tp == 'REG_NONE':
                        dat = "\n" + "\n".join(["{0:#010x}  {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                    if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
                        dat = dat.encode("ascii", 'backslashreplace')
                    if tp == 'REG_MULTI_SZ':
                        for i in range(len(dat)):
                            dat[i] = dat[i].encode("ascii", 'backslashreplace')
                    outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, v.Name, dat, self.voltext(v)))
        if not keyfound:
            outfd.write("The requested key could not be found in the hive(s) searched\n") 
Example #19
Source File: userassist.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        keyfound = False
        for win7, reg, key in data:
            if key:
                keyfound = True
                outfd.write("----------------------------\n")
                outfd.write("Registry: {0}\n".format(reg))
                outfd.write("Path: {0}\n".format(self.regapi.reg_get_key_path(key)))
                outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
                outfd.write("\n")
                outfd.write("Subkeys:\n")
                for s in self.regapi.reg_get_all_subkeys(None, None, given_root = key):
                    if s.Name == None:
                        outfd.write("  Unknown subkey: " + s.Name.reason + "\n")
                    else:
                        outfd.write("  {0}\n".format(s.Name))
                outfd.write("\n")
                outfd.write("Values:\n")
                for subname, dat in self.regapi.reg_yield_values(None, None, given_root = key, thetype = "REG_BINARY"):
                    dat_raw = dat
                    dat = "\n".join(["{0:#010x}  {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
                    try:
                        subname = subname.encode('rot_13')
                    except UnicodeDecodeError:
                        pass
                    if win7:
                        guid = subname.split("\\")[0]
                        if guid in folder_guids:
                            subname = subname.replace(guid, folder_guids[guid])
                    d = self.parse_data(dat_raw)
                    if d != None:
                        dat = "{0}Raw Data:\n{1}".format(d, dat)
                    else:
                        dat = "Raw Data:\n{0}".format(dat)
                    outfd.write("\n{0:13} {1:15} : {2}\n".format("REG_BINARY", subname, dat))
        if not keyfound:
            outfd.write("The requested key could not be found in the hive(s) searched\n") 
Example #20
Source File: auditpol.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        for data_raw, ap in data:
            if self._config.HEX:
                raw = "\n".join(["{0:010x}: {1:<48}  {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(data_raw)])
                outfd.write(raw + "\n\n")
            outfd.write("{0}\n".format(str(ap))) 
Example #21
Source File: lsadump.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        for k in data:
            outfd.write(k + "\n")
            for offset, hex, chars in utils.Hexdump(data[k]):
                outfd.write("{0:#010x}  {1:<48}  {2}\n".format(offset, hex, ''.join(chars)))
            outfd.write("\n") 
Example #22
Source File: malfind.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        for task in data:
            proc_as = task.get_process_address_space()

            for map in task.get_proc_maps():
                if self._is_suspicious(map):
                    fname = map.get_path()                    
                    prots = map.get_perms()

                    content = proc_as.zread(map.start, 64)

                    outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
                        task.p_comm, task.p_pid, map.start, fname))

                    outfd.write("Protection: {0}\n".format(prots))

                    outfd.write("\n")

                    outfd.write("{0}\n".format("\n".join(
                        ["{0:#010x}  {1:<48}  {2}".format(map.start + o, h, ''.join(c))
                        for o, h, c in utils.Hexdump(content)
                        ])))

                    outfd.write("\n")
                    outfd.write("\n".join(
                        ["{0:#x} {1:<16} {2}".format(o, h, i)
                        for o, i, h in malfind.Disassemble(content, map.start)
                        ]))
                
                    outfd.write("\n\n") 
Example #23
Source File: mac_yarascan.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        for task, address, hit, buf in data:
            if task:
                outfd.write("Task: {0} pid {1} rule {2} addr {3:#x}\n".format(
                    task.p_comm, task.p_pid, hit.rule, address))
            else:
                outfd.write("[kernel] rule {0} addr {1:#x}\n".format(hit.rule, address))
            
            outfd.write("".join(["{0:#018x}  {1:<48}  {2}\n".format(
                address + o, h, ''.join(c)) for o, h, c in utils.Hexdump(buf)])) 
Example #24
Source File: malfind.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        for task in data:
            proc_as = task.get_process_address_space()

            for vma in task.get_proc_maps():

                if vma.is_suspicious():
                    fname = vma.vm_name(task)
                    if fname == "[vdso]":
                        continue
                   
                    prots = vma.protection()
                    flags = vma.flags()

                    content = proc_as.zread(vma.vm_start, 64)

                    outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
                        task.comm, task.pid, vma.vm_start, fname))

                    outfd.write("Protection: {0}\n".format(prots))

                    outfd.write("Flags: {0}\n".format(str(flags)))
                    outfd.write("\n")

                    outfd.write("{0}\n".format("\n".join(
                        ["{0:#010x}  {1:<48}  {2}".format(vma.vm_start + o, h, ''.join(c))
                        for o, h, c in utils.Hexdump(content)
                        ])))

                    outfd.write("\n")
                    outfd.write("\n".join(
                        ["{0:#x} {1:<16} {2}".format(o, h, i)
                        for o, i, h in malfind.Disassemble(content, vma.vm_start)
                        ]))
                
                    outfd.write("\n\n") 
Example #25
Source File: linux_yarascan.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        for task, address, hit, buf in data:
            if task:
                outfd.write("Task: {0} pid {1} rule {2} addr {3:#x}\n".format(
                    task.comm, task.pid, hit.rule, address))
            else:
                outfd.write("[kernel] rule {0} addr {1:#x}\n".format(hit.rule, address))
            
            outfd.write("".join(["{0:#010x}  {1:<48}  {2}\n".format(
                address + o, h, ''.join(c)) for o, h, c in utils.Hexdump(buf)])) 
Example #26
Source File: tcaudit.py    From DAMM with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):
        for device in data:
            ext = device.DeviceExtension.dereference_as("EXTENSION")
            outfd.write("Container: {0}\n".format(ext.wszVolume))
            outfd.write("Hidden Volume: {0}\n".format("Yes" if ext.cryptoInfo.hiddenVolume == 1 else "No"))
            outfd.write("Removable: {0}\n".format("Yes" if ext.bRemovable == 1 else "No"))
            outfd.write("Read Only: {0}\n".format("Yes" if ext.bReadOnly == 1 else "No"))
            outfd.write("Disk Length: {0} (bytes)\n".format(ext.DiskLength))
            outfd.write("Host Length: {0} (bytes)\n".format(ext.HostLength))
            outfd.write("Encryption Algorithm: {0}\n".format(ext.cryptoInfo.ea))
            outfd.write("Mode: {0}\n".format(ext.cryptoInfo.mode))
            outfd.write("Master Key\n")
            key = device.obj_vm.read(ext.cryptoInfo.master_keydata.obj_offset, 64)
            addr = ext.cryptoInfo.master_keydata.obj_offset
            outfd.write("{0}\n".format("\n".join(
                    ["{0:#010x}  {1:<48}  {2}".format(addr + o, h, ''.join(c))
                    for o, h, c in utils.Hexdump(key)
                    ])))
            if self._config.DUMP_DIR:
                if not os.path.isdir(self._config.DUMP_DIR):
                    debug.error("The path {0} is not a valid directory".format(self._config.DUMP_DIR))
                name = "{0:#x}_master.key".format(addr)
                keyfile = os.path.join(self._config.DUMP_DIR, name)
                with open(keyfile, "wb") as handle:
                    handle.write(key)
                outfd.write("Dumped {0} bytes to {1}\n".format(len(key), keyfile))
            outfd.write("\n") 
Example #27
Source File: memory.py    From CuckooSploit with GNU General Public License v3.0 5 votes vote down vote up
def yarascan(self):
        """Volatility yarascan plugin.
        @see volatility/plugins/malware/yarascan.py
        """
        log.debug("Executing Volatility yarascan plugin on "
                  "{0}".format(self.memdump))

        self.__config()
        results = []

        ypath = os.path.join(CUCKOO_ROOT, "data", "yara", "index_memory.yar")
        if not os.path.exists(ypath):
            return dict(config={}, data=[])

        self.config.update("YARA_FILE", ypath)

        command = self.plugins["yarascan"](self.config)
        for o, addr, hit, content in command.calculate():
            # Comment: this code is pretty much ripped from render_text in volatility.
            # Find out if the hit is from user or kernel mode
            if o is None:
                owner = "Unknown Kernel Memory"
            elif o.obj_name == "_EPROCESS":
                owner = "Process {0} Pid {1}".format(o.ImageFileName, o.UniqueProcessId)
            else:
                owner = "{0}".format(o.BaseDllName)

            hexdump = "".join(
                "{0:#010x}  {1:<48}  {2}\n".format(addr + o, h, ''.join(c))
                for o, h, c in utils.Hexdump(content[0:64]))

            new = {
                "rule": hit.rule,
                "owner": owner,
                "hexdump": hexdump,
            }
            results.append(new)

        return dict(config={}, data=results) 
Example #28
Source File: zeusscan.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def render_extra(self, outfd, task, vad, params):
        """Show any Zeus specific fields"""

        rc4_offset = task.obj_vm.profile.get_obj_offset(self.magic_struct, 'rc4key')
        creds_key = params['decoded_magic'][rc4_offset:rc4_offset + RC4_KEYSIZE]

        outfd.write("{0:<30} : \n{1}\n".format("Credential RC4 key", 
                "\n".join(
                ["{0:#010x}  {1:<48}  {2}".format(vad.Start + o, h, ''.join(c))
                for o, h, c in utils.Hexdump(creds_key)
                ]))) 
Example #29
Source File: zeusscan.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def render_text(self, outfd, data):

        for task, struct_base, key in data:
            hex = "\n".join(["{0:#010x}  {1:<48}  {2}".format(
                            struct_base + 0x2a + o, 
                            h, ''.join(c)) for o, h, c in utils.Hexdump(key)
                            ])
            outfd.write("Process: {0} {1}\n".format(
                task.UniqueProcessId, task.ImageFileName))
            outfd.write(hex)
            outfd.write("\n")

#--------------------------------------------------------------------------------
# Scanner for Zeus >= 2.0 
#-------------------------------------------------------------------------------- 
Example #30
Source File: win32k_core.py    From vortessence with GNU General Public License v2.0 5 votes vote down vote up
def as_hex(self):
        """Format the clipboard contents as a hexdump"""
        data = ''.join([chr(c) for c in self.abData])
        return "".join(["{0:#x}  {1:<48}  {2}\n".format(self.abData.obj_offset + o, h, ''.join(c))
                    for o, h, c in utils.Hexdump(data)])