Python volatility.plugins.malware.malfind.DiscontigYaraScanner() Examples
The following are 18
code examples of volatility.plugins.malware.malfind.DiscontigYaraScanner().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.plugins.malware.malfind
, or try the search function
.
.
Example #1
| Source File: linux_yarascan.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
linux_common.set_plugin_members(self)
if self._config.KERNEL:
## the start of kernel memory taken from VolatilityLinuxIntelValidAS
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
kernel_start = 0xc0000000
else:
kernel_start = 0xffffffff80000000
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
tasks = self.filter_tasks()
for task in tasks:
scanner = VmaYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #2
| Source File: mac_yarascan.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
common.set_plugin_members(self)
if self._config.KERNEL:
## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
if not common.is_64bit_capable(self.addr_space):
kernel_start = 0
else:
kernel_start = 0xc0000000
else:
kernel_start = 0xffffff8000000000
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
# Scan each process memory block
tasks = self.filter_tasks()
for task in tasks:
# skip kernel_task
if task.p_pid == 0:
continue
scanner = MapYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #3
| Source File: linux_yarascan.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
linux_common.set_plugin_members(self)
if self._config.KERNEL:
## the start of kernel memory taken from VolatilityLinuxIntelValidAS
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
kernel_start = 0xc0000000
else:
kernel_start = 0xffffffff80000000
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
tasks = self.filter_tasks()
for task in tasks:
scanner = VmaYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #4
| Source File: mac_yarascan.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
common.set_plugin_members(self)
if self._config.KERNEL:
## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
if not common.is_64bit_capable(self.addr_space):
kernel_start = 0
else:
kernel_start = 0xc0000000
else:
kernel_start = 0xffffff8000000000
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
# Scan each process memory block
tasks = self.filter_tasks()
for task in tasks:
# skip kernel_task
if task.p_pid == 0:
continue
scanner = MapYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #5
| Source File: linux_yarascan.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
linux_common.set_plugin_members(self)
if self._config.KERNEL:
## the start of kernel memory taken from VolatilityLinuxIntelValidAS
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
kernel_start = 0xc0000000
else:
kernel_start = 0xffffffff80000000
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
tasks = self.filter_tasks()
for task in tasks:
scanner = VmaYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #6
| Source File: mac_yarascan.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
common.set_plugin_members(self)
if self._config.KERNEL:
## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
if not common.is_64bit_capable(self.addr_space):
kernel_start = 0
else:
kernel_start = 0xc0000000
else:
vm_addr = self.addr_space.profile.get_symbol("_vm_min_kernel_address")
kernel_start = obj.Object("unsigned long", offset = vm_addr, vm = self.addr_space)
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
# Scan each process memory block
tasks = self.filter_tasks()
for task in tasks:
# skip kernel_task
if task.p_pid == 0:
continue
scanner = MapYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #7
| Source File: linux_yarascan.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
linux_common.set_plugin_members(self)
if self._config.KERNEL:
## the start of kernel memory taken from VolatilityLinuxIntelValidAS
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
kernel_start = 0xc0000000
else:
kernel_start = 0xffffffff80000000
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
tasks = self.filter_tasks()
for task in tasks:
scanner = VmaYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #8
| Source File: dumpcerts.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not has_yara:
debug.error("You must install yara to use this plugin")
if not self._config.DUMP_DIR:
debug.error("You must supply a --dump-dir parameter")
if self._config.PHYSICAL:
# Find the FileAddressSpace
while addr_space.__class__.__name__ != "FileAddressSpace":
addr_space = addr_space.base
scanner = malfind.DiscontigYaraScanner(address_space = addr_space,
rules = DumpCerts.rules)
for hit, address in scanner.scan():
cert = obj.Object(DumpCerts.type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield None, cert
else:
for process in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = process, rules = DumpCerts.rules)
for hit, address in scanner.scan():
cert = obj.Object(DumpCerts.type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield process, cert
Example #9
| Source File: mac_yarascan.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
common.set_plugin_members(self)
if self._config.KERNEL:
## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
if not common.is_64bit_capable(self.addr_space):
kernel_start = 0
else:
kernel_start = 0xc0000000
else:
vm_addr = self.addr_space.profile.get_symbol("_vm_min_kernel_address")
kernel_start = obj.Object("unsigned long", offset = vm_addr, vm = self.addr_space)
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address - self._config.REVERSE, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
# Scan each process memory block
tasks = self.filter_tasks()
for task in tasks:
# skip kernel_task
if task.p_pid == 0:
continue
scanner = MapYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan(max_size = self._config.MAX_SIZE):
yield (task, address - self._config.REVERSE, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #10
| Source File: linux_yarascan.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
linux_common.set_plugin_members(self)
if self._config.KERNEL:
## the start of kernel memory taken from VolatilityLinuxIntelValidAS
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
kernel_start = 0xc0000000
else:
kernel_start = 0xffffffff80000000
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address - self._config.REVERSE, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
tasks = self.filter_tasks()
for task in tasks:
scanner = VmaYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address - self._config.REVERSE, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #11
| Source File: dumpcerts.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not has_yara:
debug.error("You must install yara to use this plugin")
if not self._config.DUMP_DIR:
debug.error("You must supply a --dump-dir parameter")
if self._config.PHYSICAL:
# Find the FileAddressSpace
while addr_space.__class__.__name__ != "FileAddressSpace":
addr_space = addr_space.base
scanner = malfind.DiscontigYaraScanner(address_space = addr_space,
rules = DumpCerts.rules)
for hit, address in scanner.scan():
cert = obj.Object(DumpCerts.type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield None, cert
else:
for process in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = process, rules = DumpCerts.rules)
for hit, address in scanner.scan():
cert = obj.Object(DumpCerts.type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield process, cert
Example #12
| Source File: mac_yarascan.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
## we need this module imported
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
## leveraged from the windows yarascan plugin
rules = self._compile_rules()
## set the linux plugin address spaces
common.set_plugin_members(self)
if self._config.KERNEL:
## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
if not common.is_64bit_capable(self.addr_space):
kernel_start = 0
else:
kernel_start = 0xc0000000
else:
vm_addr = self.addr_space.profile.get_symbol("_vm_min_kernel_address")
kernel_start = obj.Object("unsigned long", offset = vm_addr, vm = self.addr_space)
scanner = malfind.DiscontigYaraScanner(rules = rules,
address_space = self.addr_space)
for hit, address in scanner.scan(start_offset = kernel_start):
yield (None, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
# Scan each process memory block
tasks = self.filter_tasks()
for task in tasks:
# skip kernel_task
if task.p_pid == 0:
continue
scanner = MapYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan(max_size = self._config.MAX_SIZE):
yield (task, address, hit,
scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #13
| Source File: netscan.py From vortessence with GNU General Public License v2.0 | 4 votes |
|
def calculate(self):
linux_common.set_plugin_members(self)
## the start of kernel memory taken from VolatilityLinuxIntelValidAS
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
kernel_start = 0xc0000000
pack_size = 4
pack_fmt = "<I"
else:
kernel_start = 0xffffffff80000000
pack_size = 8
pack_fmt = "<Q"
checks = [self.check_family, self.check_proto, self.check_socket_back_pointer, self.check_pointers]
destruct_offset = self.addr_space.profile.get_obj_offset("sock", "sk_destruct")
# sk_destruct pointer value of sock
func_addr = self.addr_space.profile.get_symbol("inet_sock_destruct")
vals = []
# convert address into a yara hex rule
for bit in range(pack_size):
idx = (pack_size - bit - 1) * 8
mask = 0xff << idx
val = ((func_addr & mask) >> idx) & 0xff
vals.insert(0, val)
s = "{" + " ".join(["%.02x" % v for v in vals]) + " }"
rules = yara.compile(sources = { 'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}' })
scanner = malfind.DiscontigYaraScanner(rules = rules, address_space = self.addr_space)
for _, address in scanner.scan(start_offset = kernel_start):
base_address = address - destruct_offset
i = obj.Object("inet_sock", offset = base_address, vm = self.addr_space)
valid = True
for check in checks:
if check(i) == False:
valid = False
break
if valid:
state = i.state if i.protocol == "TCP" else ""
family = i.sk.__sk_common.skc_family #pylint: disable-msg=W0212
sport = i.src_port
dport = i.dst_port
saddr = i.src_addr
daddr = i.dst_addr
yield (i, i.protocol, saddr, sport, daddr, dport, state)
Example #14
| Source File: dumpcerts.py From vortessence with GNU General Public License v2.0 | 4 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not has_yara:
debug.error("You must install yara to use this plugin")
if not self._config.DUMP_DIR:
debug.error("You must supply a --dump-dir parameter")
# Wildcard signatures to scan for
rules = yara.compile(sources = {
'x509' : 'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}',
'pkcs' : 'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}',
})
# These signature names map to these data structures
type_map = {
'x509' : '_X509_PUBLIC_CERT',
'pkcs' : '_PKCS_PRIVATE_CERT',
}
if self._config.PHYSICAL:
# Find the FileAddressSpace
while addr_space.__class__.__name__ != "FileAddressSpace":
addr_space = addr_space.base
scanner = malfind.DiscontigYaraScanner(address_space = addr_space,
rules = rules)
for hit, address in scanner.scan():
cert = obj.Object(type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield None, cert
else:
for process in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = process, rules = rules)
for hit, address in scanner.scan():
cert = obj.Object(type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield process, cert
Example #15
| Source File: netscan.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def calculate(self):
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
## the start of kernel memory taken from VolatilityLinuxIntelValidAS
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
kernel_start = 0xc0000000
pack_size = 4
pack_fmt = "<I"
else:
kernel_start = 0xffff880000000000
pack_size = 8
pack_fmt = "<Q"
checks = [self.check_family, self.check_proto, self.check_socket_back_pointer, self.check_pointers]
destruct_offset = self.addr_space.profile.get_obj_offset("sock", "sk_destruct")
# sk_destruct pointer value of sock
func_addr = self.addr_space.profile.get_symbol("inet_sock_destruct")
vals = struct.pack(pack_fmt, func_addr)
s = "{ " + " ".join(["%.02x" % ord(v) for v in vals]) + " }"
rules = yara.compile(sources = { 'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}' })
scanner = malfind.DiscontigYaraScanner(rules = rules, address_space = self.addr_space)
for _, address in scanner.scan(start_offset = kernel_start):
base_address = address - destruct_offset
i = obj.Object("inet_sock", offset = base_address, vm = self.addr_space)
valid = True
for check in checks:
if check(i) == False:
valid = False
break
if valid:
state = i.state if i.protocol == "TCP" else ""
family = i.sk.__sk_common.skc_family #pylint: disable-msg=W0212
sport = i.src_port
dport = i.dst_port
saddr = i.src_addr
daddr = i.dst_addr
if str(saddr) == "0.0.0.0" and str(daddr) == "0.0.0.0" and sport == 6 and dport == 0:
continue
yield (i, i.protocol, saddr, sport, daddr, dport, state)
Example #16
| Source File: dumpcerts.py From DAMM with GNU General Public License v2.0 | 4 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not has_yara:
debug.error("You must install yara to use this plugin")
if not self._config.DUMP_DIR:
debug.error("You must supply a --dump-dir parameter")
# Wildcard signatures to scan for
rules = yara.compile(sources = {
'x509' : 'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}',
'pkcs' : 'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}',
})
# These signature names map to these data structures
type_map = {
'x509' : '_X509_PUBLIC_CERT',
'pkcs' : '_PKCS_PRIVATE_CERT',
}
if self._config.PHYSICAL:
# Find the FileAddressSpace
while addr_space.__class__.__name__ != "FileAddressSpace":
addr_space = addr_space.base
scanner = malfind.DiscontigYaraScanner(address_space = addr_space,
rules = rules)
for hit, address in scanner.scan():
cert = obj.Object(type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield None, cert
else:
for process in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = process, rules = rules)
for hit, address in scanner.scan():
cert = obj.Object(type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield process, cert
Example #17
| Source File: netscan.py From aumfor with GNU General Public License v3.0 | 4 votes |
|
def calculate(self):
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
linux_common.set_plugin_members(self)
## the start of kernel memory taken from VolatilityLinuxIntelValidAS
if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
kernel_start = 0xc0000000
pack_size = 4
pack_fmt = "<I"
else:
kernel_start = 0xffff880000000000
pack_size = 8
pack_fmt = "<Q"
checks = [self.check_family, self.check_proto, self.check_socket_back_pointer, self.check_pointers]
destruct_offset = self.addr_space.profile.get_obj_offset("sock", "sk_destruct")
# sk_destruct pointer value of sock
func_addr = self.addr_space.profile.get_symbol("inet_sock_destruct")
vals = struct.pack(pack_fmt, func_addr)
s = "{ " + " ".join(["%.02x" % ord(v) for v in vals]) + " }"
rules = yara.compile(sources = { 'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}' })
scanner = malfind.DiscontigYaraScanner(rules = rules, address_space = self.addr_space)
for _, address in scanner.scan(start_offset = kernel_start):
base_address = address - destruct_offset
i = obj.Object("inet_sock", offset = base_address, vm = self.addr_space)
valid = True
for check in checks:
if check(i) == False:
valid = False
break
if valid:
state = i.state if i.protocol == "TCP" else ""
family = i.sk.__sk_common.skc_family #pylint: disable-msg=W0212
sport = i.src_port
dport = i.dst_port
saddr = i.src_addr
daddr = i.dst_addr
if str(saddr) == "0.0.0.0" and str(daddr) == "0.0.0.0" and sport == 6 and dport == 0:
continue
yield (i, i.protocol, saddr, sport, daddr, dport, state)
Example #18
| Source File: dumpcerts.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not has_yara:
debug.error("You must install yara to use this plugin")
if not self._config.DUMP_DIR:
debug.error("You must supply a --dump-dir parameter")
# Wildcard signatures to scan for
rules = yara.compile(sources = {
'x509' : 'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}',
'pkcs' : 'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}',
})
# These signature names map to these data structures
type_map = {
'x509' : '_X509_PUBLIC_CERT',
'pkcs' : '_PKCS_PRIVATE_CERT',
}
if self._config.PHYSICAL:
# Find the FileAddressSpace
while addr_space.__class__.__name__ != "FileAddressSpace":
addr_space = addr_space.base
scanner = malfind.DiscontigYaraScanner(address_space = addr_space,
rules = rules)
for hit, address in scanner.scan():
cert = obj.Object(type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield None, cert
else:
for process in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = process, rules = rules)
for hit, address in scanner.scan():
cert = obj.Object(type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield process, cert
