Python volatility.plugins.malware.malfind.Disassemble() Examples
The following are 26
code examples of volatility.plugins.malware.malfind.Disassemble().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.plugins.malware.malfind
, or try the search function
.
.
Example #1
| Source File: idt.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
self.table_header(outfd, [('CPU', '>6X'),
('Index', '>6X'),
('Selector', '[addr]'),
('Value', '[addrpad]'),
('Module', '20'),
('Section', '12'),
])
for n, entry, addr, module in data:
if addr == 0:
module_name = "NOT USED"
sect_name = ''
elif module:
module_name = str(module.BaseDllName or '')
sect_name = self.get_section_name(module, addr)
else:
module_name = "UNKNOWN"
sect_name = ''
# The parent is IDT. The grand-parent is _KPCR.
cpu_number = entry.obj_parent.obj_parent.ProcessorBlock.Number
self.table_row(outfd,
cpu_number, n,
entry.Selector,
addr,
module_name,
sect_name)
if self._config.verbose:
data = entry.obj_vm.zread(addr, 32)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data, start = addr, stoponret = True)
]))
outfd.write("\n")
Example #2
| Source File: idt.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
self.table_header(outfd, [('CPU', '>6X'),
('Index', '>6X'),
('Selector', '[addr]'),
('Value', '[addrpad]'),
('Module', '20'),
('Section', '12'),
])
for n, entry, addr, module in data:
if module:
module_name = str(module.BaseDllName or '')
sect_name = self.get_section_name(module, addr)
else:
module_name = "UNKNOWN"
sect_name = ''
# The parent is IDT. The grand-parent is _KPCR.
cpu_number = entry.obj_parent.obj_parent.ProcessorBlock.Number
self.table_row(outfd,
cpu_number, n,
entry.Selector,
addr,
module_name,
sect_name)
if self._config.verbose:
data = entry.obj_vm.zread(addr, 32)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data, start = addr, stoponret = True)
]))
outfd.write("\n")
Example #3
| Source File: malfind.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
for task in data:
proc_as = task.get_process_address_space()
for map in task.get_proc_maps():
if self._is_suspicious(map):
fname = map.get_path()
prots = map.get_perms()
content = proc_as.zread(map.start, 64)
outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
task.p_comm, task.p_pid, map.start, fname))
outfd.write("Protection: {0}\n".format(prots))
outfd.write("\n")
outfd.write("{0}\n".format("\n".join(
["{0:#010x} {1:<48} {2}".format(map.start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
])))
outfd.write("\n")
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(content, map.start)
]))
outfd.write("\n\n")
Example #4
| Source File: malfind.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
for task in data:
proc_as = task.get_process_address_space()
for vma in task.get_proc_maps():
if vma.is_suspicious():
fname = vma.vm_name(task)
if fname == "[vdso]":
continue
prots = vma.protection()
flags = vma.flags()
content = proc_as.zread(vma.vm_start, 64)
outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
task.comm, task.pid, vma.vm_start, fname))
outfd.write("Protection: {0}\n".format(prots))
outfd.write("Flags: {0}\n".format(str(flags)))
outfd.write("\n")
outfd.write("{0}\n".format("\n".join(
["{0:#010x} {1:<48} {2}".format(vma.vm_start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
])))
outfd.write("\n")
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(content, vma.vm_start)
]))
outfd.write("\n\n")
Example #5
| Source File: idt.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
self.table_header(outfd, [('CPU', '>6X'),
('Index', '>6X'),
('Selector', '[addr]'),
('Value', '[addrpad]'),
('Module', '20'),
('Section', '12'),
])
for n, entry, addr, module in data:
if addr == 0:
module_name = "NOT USED"
sect_name = ''
elif module:
module_name = str(module.BaseDllName or '')
sect_name = self.get_section_name(module, addr)
else:
module_name = "UNKNOWN"
sect_name = ''
# The parent is IDT. The grand-parent is _KPCR.
cpu_number = entry.obj_parent.obj_parent.ProcessorBlock.Number
self.table_row(outfd,
cpu_number, n,
entry.Selector,
addr,
module_name,
sect_name)
if self._config.verbose:
data = entry.obj_vm.zread(addr, 32)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data, start = addr, stoponret = True)
]))
outfd.write("\n")
Example #6
| Source File: malfind.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
for task in data:
proc_as = task.get_process_address_space()
for vma in task.get_proc_maps():
if vma.is_suspicious():
fname = vma.vm_name(task)
if fname == "[vdso]":
continue
prots = vma.protection()
flags = vma.flags()
content = proc_as.zread(vma.vm_start, 64)
outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
task.comm, task.pid, vma.vm_start, fname))
outfd.write("Protection: {0}\n".format(prots))
outfd.write("Flags: {0}\n".format(str(flags)))
outfd.write("\n")
outfd.write("{0}\n".format("\n".join(
["{0:#010x} {1:<48} {2}".format(vma.vm_start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
])))
outfd.write("\n")
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(content, vma.vm_start)
]))
outfd.write("\n\n")
Example #7
| Source File: malfind.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
for task in data:
proc_as = task.get_process_address_space()
for map in task.get_proc_maps():
if map.is_suspicious():
fname = map.get_path()
prots = map.get_perms()
content = proc_as.zread(map.start, 64)
outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
task.p_comm, task.p_pid, map.start, fname))
outfd.write("Protection: {0}\n".format(prots))
outfd.write("\n")
outfd.write("{0}\n".format("\n".join(
["{0:#010x} {1:<48} {2}".format(map.start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
])))
outfd.write("\n")
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(content, map.start)
]))
outfd.write("\n\n")
Example #8
| Source File: malfind.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
for task in data:
proc_as = task.get_process_address_space()
for vma in task.get_proc_maps():
if vma.is_suspicious():
fname = vma.vm_name(task)
if fname == "[vdso]":
continue
prots = vma.protection()
flags = vma.flags()
content = proc_as.zread(vma.vm_start, 64)
outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
task.comm, task.pid, vma.vm_start, fname))
outfd.write("Protection: {0}\n".format(prots))
outfd.write("Flags: {0}\n".format(str(flags)))
outfd.write("\n")
outfd.write("{0}\n".format("\n".join(
["{0:#010x} {1:<48} {2}".format(vma.vm_start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
])))
outfd.write("\n")
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(content, vma.vm_start)
]))
outfd.write("\n\n")
Example #9
| Source File: malfind.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
for task in data:
proc_as = task.get_process_address_space()
for map in task.get_proc_maps():
if self._is_suspicious(map):
fname = map.get_path()
prots = map.get_perms()
content = proc_as.zread(map.start, 64)
outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
task.p_comm, task.p_pid, map.start, fname))
outfd.write("Protection: {0}\n".format(prots))
outfd.write("\n")
outfd.write("{0}\n".format("\n".join(
["{0:#010x} {1:<48} {2}".format(map.start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
])))
outfd.write("\n")
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(content, map.start)
]))
outfd.write("\n\n")
Example #10
| Source File: apihooks.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
for process, module, hook in data:
outfd.write("*" * 72 + "\n")
outfd.write("Hook mode: {0}\n".format(hook.Mode))
outfd.write("Hook type: {0}\n".format(hook.Type))
if process:
outfd.write('Process: {0} ({1})\n'.format(
process.UniqueProcessId, process.ImageFileName))
outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')),
module.DllBase, module.DllBase + module.SizeOfImage))
outfd.write("Function: {0}\n".format(hook.Detail))
outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))
for n, info in enumerate(hook.disassembled_hops):
(address, data) = info
s = ["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in
malfind.Disassemble(data, int(address), bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit")
]
outfd.write("Disassembly({0}):\n{1}".format(n, "\n".join(s)))
outfd.write("\n\n")
Example #11
| Source File: malfind.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
for task in data:
proc_as = task.get_process_address_space()
bit_string = str(task.task.map.pmap.pm_task_map or '')[9:]
if bit_string == "64BIT":
bits = '64bit'
else:
bits = '32bit'
for map in task.get_proc_maps():
if map.is_suspicious():
fname = map.get_path()
prots = map.get_perms()
content = proc_as.zread(map.start, 64)
outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
task.p_comm, task.p_pid, map.start, fname))
outfd.write("Protection: {0}\n".format(prots))
outfd.write("\n")
outfd.write("{0}\n".format("\n".join(
["{0:#010x} {1:<48} {2}".format(map.start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
])))
outfd.write("\n")
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(content, map.start, bits = bits)
]))
outfd.write("\n\n")
Example #12
| Source File: idt.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
self.table_header(outfd, [('CPU', '>6X'),
('Index', '>6X'),
('Selector', '[addr]'),
('Value', '[addrpad]'),
('Module', '20'),
('Section', '12'),
])
for n, entry, addr, module in data:
if module:
module_name = str(module.BaseDllName or '')
sect_name = self.get_section_name(module, addr)
else:
module_name = "UNKNOWN"
sect_name = ''
# The parent is IDT. The grand-parent is _KPCR.
cpu_number = entry.obj_parent.obj_parent.ProcessorBlock.Number
self.table_row(outfd,
cpu_number, n,
entry.Selector,
addr,
module_name,
sect_name)
if self._config.verbose:
data = entry.obj_vm.zread(addr, 32)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data, start = addr, stoponret = True)
]))
outfd.write("\n")
Example #13
| Source File: idt.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def render_text(self, outfd, data):
self.table_header(outfd, [('CPU', '>6X'),
('Index', '>6X'),
('Selector', '[addr]'),
('Value', '[addrpad]'),
('Module', '20'),
('Section', '12'),
])
for n, entry, addr, module in data:
if addr == 0:
module_name = "NOT USED"
sect_name = ''
elif module:
module_name = str(module.BaseDllName or '')
sect_name = self.get_section_name(module, addr)
else:
module_name = "UNKNOWN"
sect_name = ''
# The parent is IDT. The grand-parent is _KPCR.
cpu_number = entry.obj_parent.obj_parent.ProcessorBlock.Number
self.table_row(outfd,
cpu_number, n,
entry.Selector,
addr,
module_name,
sect_name)
if self._config.verbose:
data = entry.obj_vm.zread(addr, 32)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data, start = addr, stoponret = True)
]))
outfd.write("\n")
Example #14
| Source File: apihooks.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def render_text(self, outfd, data):
for process, module, hook in data:
outfd.write("*" * 72 + "\n")
outfd.write("Hook mode: {0}\n".format(hook.Mode))
outfd.write("Hook type: {0}\n".format(hook.Type))
if process:
outfd.write('Process: {0} ({1})\n'.format(
process.UniqueProcessId, process.ImageFileName))
outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')),
module.DllBase, module.DllBase + module.SizeOfImage))
outfd.write("Function: {0}\n".format(hook.Detail))
outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))
for n, info in enumerate(hook.disassembled_hops):
(address, data) = info
s = ["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in
malfind.Disassemble(data, int(address), bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit")
]
outfd.write("Disassembly({0}):\n{1}".format(n, "\n".join(s)))
outfd.write("\n\n")
Example #15
| Source File: malfind.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def render_text(self, outfd, data):
for task in data:
proc_as = task.get_process_address_space()
bit_string = str(task.task.map.pmap.pm_task_map or '')[9:]
if bit_string == "64BIT":
bits = '64bit'
else:
bits = '32bit'
for map in task.get_proc_maps():
if map.is_suspicious():
fname = map.get_path()
prots = map.get_perms()
content = proc_as.zread(map.start, 64)
outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
task.p_comm, task.p_pid, map.start, fname))
outfd.write("Protection: {0}\n".format(prots))
outfd.write("\n")
outfd.write("{0}\n".format("\n".join(
["{0:#010x} {1:<48} {2}".format(map.start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
])))
outfd.write("\n")
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(content, map.start, bits = bits)
]))
outfd.write("\n\n")
Example #16
| Source File: devicetree.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def render_text(self, outfd, data):
addr_space = utils.load_as(self._config)
# Compile the regular expression for filtering by driver name
if self._config.regex != None:
mod_re = re.compile(self._config.regex, re.I)
else:
mod_re = None
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
bits = addr_space.profile.metadata.get('memory_model', '32bit')
self.table_header(None, [('i', ">4"),
('Funcs', "36"),
('addr', '[addrpad]'),
('name', '')
])
for driver in data:
header = driver.get_object_header()
driver_name = str(header.NameInfo.Name or '')
# Continue if a regex was supplied and it doesn't match
if mod_re != None:
if not (mod_re.search(driver_name) or
mod_re.search(driver_name)): continue
# Write the standard header for each driver object
outfd.write("{0}\n".format("-" * 50))
outfd.write("DriverName: {0}\n".format(driver_name))
outfd.write("DriverStart: {0:#x}\n".format(driver.DriverStart))
outfd.write("DriverSize: {0:#x}\n".format(driver.DriverSize))
outfd.write("DriverStartIo: {0:#x}\n".format(driver.DriverStartIo))
# Write the address and owner of each IRP function
for i, function in enumerate(driver.MajorFunction):
function = driver.MajorFunction[i]
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
if module:
module_name = str(module.BaseDllName or '')
else:
module_name = "Unknown"
# This is where we check for inline hooks once the
# ApiHooks plugin is ported to 2.1.
self.table_row(outfd, i, MAJOR_FUNCTIONS[i], function, module_name)
if self._config.verbose:
data = addr_space.zread(function, 64)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data,
start = function, bits = bits, stoponret = True)
]))
outfd.write("\n")
Example #17
| Source File: apihooks.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def render_text(self, outfd, data):
for process, module, hook in data:
if not self._config.NO_WHITELIST:
if process:
process_name = str(process.ImageFileName)
else:
process_name = ''
if self.whitelist(hook.hook_mode | hook.hook_type,
process_name, hook.VictimModule,
hook.HookModule, hook.Function):
#debug.debug("Skipping whitelisted function: {0} {1} {2} {3}".format(
# process_name, hook.VictimModule, hook.HookModule,
# hook.Function))
continue
outfd.write("*" * 72 + "\n")
outfd.write("Hook mode: {0}\n".format(hook.Mode))
outfd.write("Hook type: {0}\n".format(hook.Type))
if process:
outfd.write('Process: {0} ({1})\n'.format(
process.UniqueProcessId, process.ImageFileName))
outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')),
module.DllBase, module.DllBase + module.SizeOfImage))
outfd.write("Function: {0}\n".format(hook.Detail))
outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))
for n, info in enumerate(hook.disassembled_hops):
(address, data) = info
s = ["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in
malfind.Disassemble(data, int(address), bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit")
]
outfd.write("Disassembly({0}):\n{1}".format(n, "\n".join(s)))
outfd.write("\n\n")
Example #18
| Source File: devicetree.py From DAMM with GNU General Public License v2.0 | 4 votes |
|
def render_text(self, outfd, data):
addr_space = utils.load_as(self._config)
# Compile the regular expression for filtering by driver name
if self._config.regex != None:
mod_re = re.compile(self._config.regex, re.I)
else:
mod_re = None
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
bits = addr_space.profile.metadata.get('memory_model', '32bit')
self.table_header(None, [('i', ">4"),
('Funcs', "36"),
('addr', '[addrpad]'),
('name', '')
])
for driver in data:
header = driver.get_object_header()
driver_name = str(header.NameInfo.Name or '')
# Continue if a regex was supplied and it doesn't match
if mod_re != None:
if not (mod_re.search(driver_name) or
mod_re.search(driver_name)): continue
# Write the standard header for each driver object
outfd.write("{0}\n".format("-" * 50))
outfd.write("DriverName: {0}\n".format(driver_name))
outfd.write("DriverStart: {0:#x}\n".format(driver.DriverStart))
outfd.write("DriverSize: {0:#x}\n".format(driver.DriverSize))
outfd.write("DriverStartIo: {0:#x}\n".format(driver.DriverStartIo))
# Write the address and owner of each IRP function
for i, function in enumerate(driver.MajorFunction):
function = driver.MajorFunction[i]
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
if module:
module_name = str(module.BaseDllName or '')
else:
module_name = "Unknown"
# This is where we check for inline hooks once the
# ApiHooks plugin is ported to 2.1.
self.table_row(outfd, i, MAJOR_FUNCTIONS[i], function, module_name)
if self._config.verbose:
data = addr_space.zread(function, 64)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data,
start = function, bits = bits, stoponret = True)
]))
outfd.write("\n")
Example #19
| Source File: malfind.py From aumfor with GNU General Public License v3.0 | 4 votes |
|
def render_text(self, outfd, data):
linux_common.set_plugin_members(self)
if self.addr_space.profile.metadata.get('memory_model', '32bit') == '32bit':
bits = '32bit'
else:
bits = '64bit'
for task in data:
proc_as = task.get_process_address_space()
for vma in task.get_proc_maps():
if vma.is_suspicious():
fname = vma.vm_name(task)
if fname == "[vdso]":
continue
prots = vma.protection()
flags = vma.flags()
content = proc_as.zread(vma.vm_start, 64)
outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
task.comm, task.pid, vma.vm_start, fname))
outfd.write("Protection: {0}\n".format(prots))
outfd.write("Flags: {0}\n".format(str(flags)))
outfd.write("\n")
outfd.write("{0}\n".format("\n".join(
["{0:#016x} {1:<48} {2}".format(vma.vm_start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
])))
outfd.write("\n")
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(content, vma.vm_start, bits = bits)
]))
outfd.write("\n\n")
Example #20
| Source File: apihooks.py From DAMM with GNU General Public License v2.0 | 4 votes |
|
def render_text(self, outfd, data):
for process, module, hook in data:
if not self._config.NO_WHITELIST:
if process:
process_name = str(process.ImageFileName)
else:
process_name = ''
if self.whitelist(hook.hook_mode | hook.hook_type,
process_name, hook.VictimModule,
hook.HookModule, hook.Function):
#debug.debug("Skipping whitelisted function: {0} {1} {2} {3}".format(
# process_name, hook.VictimModule, hook.HookModule,
# hook.Function))
continue
outfd.write("*" * 72 + "\n")
outfd.write("Hook mode: {0}\n".format(hook.Mode))
outfd.write("Hook type: {0}\n".format(hook.Type))
if process:
outfd.write('Process: {0} ({1})\n'.format(
process.UniqueProcessId, process.ImageFileName))
outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')),
module.DllBase, module.DllBase + module.SizeOfImage))
outfd.write("Function: {0}\n".format(hook.Detail))
outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))
for n, info in enumerate(hook.disassembled_hops):
(address, data) = info
s = ["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in
malfind.Disassemble(data, int(address), bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit")
]
outfd.write("Disassembly({0}):\n{1}".format(n, "\n".join(s)))
outfd.write("\n\n")
Example #21
| Source File: apihooks.py From vortessence with GNU General Public License v2.0 | 4 votes |
|
def get_json(self, data):
results = {"Hooks":[]}
for process, module, hook in data:
if not self._config.NO_WHITELIST:
if process:
process_name = str(process.ImageFileName)
process_id = int(process.UniqueProcessId)
else:
process_name = ''
process_id = -1
if self.whitelist(hook.hook_mode | hook.hook_type,
process_name, hook.VictimModule,
hook.HookModule, hook.Function):
#debug.debug("Skipping whitelisted function: {0} {1} {2} {3}".format(
# process_name, hook.VictimModule, hook.HookModule,
# hook.Function))
continue
row = {'ImageFileName':process_name or '',
'Mode':str(hook.Mode),
'Type':str(hook.Type),
'UniqueProcessId':process_id,
'BaseDllName':str(module.BaseDllName or ''),
'SizeOfImage':int(module.SizeOfImage),
'FullDllName':ntpath.basename(str(module.FullDllName or '')),
'DllBase':long(module.DllBase),
'DllSize': "{}".format(module.SizeOfImage),
'DllEndAddress': module.DllBase + module.SizeOfImage,
'Detail': str(hook.Detail),
'HookAddress':long(hook.hook_address),
'HookModule':str(hook.HookModule),
'Disassembly':[]
}
for n, info in enumerate(hook.disassembled_hops):
(address, data) = info
s = [{'Address':int(o), "Bytes":str(h), "Instruction":str(i)}
for o, i, h in
malfind.Disassemble(data, int(address), bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit")
]
disassembled = {'Disassembly':s,
'Address':"{}".format(address),
'Hop':n}
row['Disassembly'].append(disassembled)
results['Hooks'].append(row)
return results
Example #22
| Source File: apihooks.py From vortessence with GNU General Public License v2.0 | 4 votes |
|
def render_text(self, outfd, data):
for process, module, hook in data:
if not self._config.NO_WHITELIST:
if process:
process_name = str(process.ImageFileName)
else:
process_name = ''
if self.whitelist(hook.hook_mode | hook.hook_type,
process_name, hook.VictimModule,
hook.HookModule, hook.Function):
#debug.debug("Skipping whitelisted function: {0} {1} {2} {3}".format(
# process_name, hook.VictimModule, hook.HookModule,
# hook.Function))
continue
outfd.write("*" * 72 + "\n")
outfd.write("Hook mode: {0}\n".format(hook.Mode))
outfd.write("Hook type: {0}\n".format(hook.Type))
if process:
outfd.write('Process: {0} ({1})\n'.format(
process.UniqueProcessId, process.ImageFileName))
outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')),
module.DllBase, module.DllBase + module.SizeOfImage))
outfd.write("Function: {0}\n".format(hook.Detail))
outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))
for n, info in enumerate(hook.disassembled_hops):
(address, data) = info
s = ["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in
malfind.Disassemble(data, int(address), bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit")
]
outfd.write("Disassembly({0}):\n{1}".format(n, "\n".join(s)))
outfd.write("\n\n")
Example #23
| Source File: devicetree.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def render_text(self, outfd, data):
addr_space = utils.load_as(self._config)
# Compile the regular expression for filtering by driver name
if self._config.regex != None:
mod_re = re.compile(self._config.regex, re.I)
else:
mod_re = None
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
bits = addr_space.profile.metadata.get('memory_model', '32bit')
self.table_header(None, [('i', ">4"),
('Funcs', "36"),
('addr', '[addrpad]'),
('name', '')
])
for driver in data:
header = driver.get_object_header()
driver_name = str(header.NameInfo.Name or '')
# Continue if a regex was supplied and it doesn't match
if mod_re != None:
if not (mod_re.search(driver_name) or
mod_re.search(driver_name)): continue
# Write the standard header for each driver object
outfd.write("{0}\n".format("-" * 50))
outfd.write("DriverName: {0}\n".format(driver_name))
outfd.write("DriverStart: {0:#x}\n".format(driver.DriverStart))
outfd.write("DriverSize: {0:#x}\n".format(driver.DriverSize))
outfd.write("DriverStartIo: {0:#x}\n".format(driver.DriverStartIo))
# Write the address and owner of each IRP function
for i, function in enumerate(driver.MajorFunction):
function = driver.MajorFunction[i]
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
if module:
module_name = str(module.BaseDllName or '')
else:
module_name = "Unknown"
# This is where we check for inline hooks once the
# ApiHooks plugin is ported to 2.1.
self.table_row(outfd, i, MAJOR_FUNCTIONS[i], function, module_name)
if self._config.verbose:
data = addr_space.zread(function, 64)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data,
start = function, bits = bits, stoponret = True)
]))
outfd.write("\n")
Example #24
| Source File: malfind.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def render_text(self, outfd, data):
linux_common.set_plugin_members(self)
if self.addr_space.profile.metadata.get('memory_model', '32bit') == '32bit':
bits = '32bit'
else:
bits = '64bit'
for task in data:
proc_as = task.get_process_address_space()
for vma in task.get_proc_maps():
if vma.is_suspicious():
fname = vma.vm_name(task)
if fname == "[vdso]":
continue
prots = vma.protection()
flags = vma.flags()
content = proc_as.zread(vma.vm_start, 64)
outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
task.comm, task.pid, vma.vm_start, fname))
outfd.write("Protection: {0}\n".format(prots))
outfd.write("Flags: {0}\n".format(str(flags)))
outfd.write("\n")
outfd.write("{0}\n".format("\n".join(
["{0:#016x} {1:<48} {2}".format(vma.vm_start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
])))
outfd.write("\n")
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(content, vma.vm_start, bits = bits)
]))
outfd.write("\n\n")
Example #25
| Source File: browserhooks.py From volatility-browserhooks with BSD 2-Clause "Simplified" License | 4 votes |
|
def render_text(self, outfd, data):
for process, module, hook in data:
outfd.write("*" * 72 + "\n")
outfd.write("Hook type: {0}\n".format(hook.Type))
IsProcWow64 = process.IsWow64
outfd.write('Process: {0} ({1}) ({2})\n'.format(
process.UniqueProcessId, process.ImageFileName, "Wow64" if IsProcWow64 else "bitness as the image"))
outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')),
module.DllBase, module.DllBase + module.SizeOfImage))
outfd.write("Function: {0}\n".format(hook.Detail))
outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
hook_mod_base = vad_ck().get_vad_base(process, hook.hook_address)
hook_mod_end = vad_ck().get_vad_end(process, hook.hook_address)
if hook_mod_end != None:
hook_mod_size = hook_mod_end - hook_mod_base
else:
hook_mod_size= 0x0
outfd.write("Hooking module base: {0:#x}\n\n".format(hook_mod_base))
outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))
if self._config.DUMP_DIR != None:
if not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
else:
proc_space = process.get_process_address_space()
if not proc_space.is_valid_address(hook_mod_base):
print "Error: DllBase is paged"
else:
process_offset = proc_space.vtop(process.obj_offset)
dump_file = "module.{0}.{1:x}.{2:x}.dll".format(process.UniqueProcessId, process_offset, hook_mod_base)
self.dump_pe(proc_space, hook_mod_base, dump_file)
for n, info in enumerate(hook.disassembled_hops):
(address, data) = info
s = ["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in
malfind.Disassemble(data, int(address), bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit")
]
outfd.write("Disassembly({0}):\n{1}".format(n, "\n".join(s)))
outfd.write("\n\n")
Example #26
| Source File: devicetree.py From aumfor with GNU General Public License v3.0 | 4 votes |
|
def render_text(self, outfd, data):
addr_space = utils.load_as(self._config)
# Compile the regular expression for filtering by driver name
if self._config.regex != None:
mod_re = re.compile(self._config.regex, re.I)
else:
mod_re = None
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
bits = addr_space.profile.metadata.get('memory_model', '32bit')
self.table_header(None, [('i', ">4"),
('Funcs', "36"),
('addr', '[addrpad]'),
('name', '')
])
for driver in data:
header = driver.get_object_header()
driver_name = str(header.NameInfo.Name or '')
# Continue if a regex was supplied and it doesn't match
if mod_re != None:
if not (mod_re.search(driver_name) or
mod_re.search(driver_name)): continue
# Write the standard header for each driver object
outfd.write("{0}\n".format("-" * 50))
outfd.write("DriverName: {0}\n".format(driver_name))
outfd.write("DriverStart: {0:#x}\n".format(driver.DriverStart))
outfd.write("DriverSize: {0:#x}\n".format(driver.DriverSize))
outfd.write("DriverStartIo: {0:#x}\n".format(driver.DriverStartIo))
# Write the address and owner of each IRP function
for i, function in enumerate(driver.MajorFunction):
function = driver.MajorFunction[i]
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
if module:
module_name = str(module.BaseDllName or '')
else:
module_name = "Unknown"
# This is where we check for inline hooks once the
# ApiHooks plugin is ported to 2.1.
self.table_row(outfd, i, MAJOR_FUNCTIONS[i], function, module_name)
if self._config.verbose:
data = addr_space.zread(function, 64)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data,
start = function, bits = bits, stoponret = True)
]))
outfd.write("\n")
