本文整理汇总了Python中volatility.win32.tasks.get_kdbg函数的典型用法代码示例。如果您正苦于以下问题:Python get_kdbg函数的具体用法?Python get_kdbg怎么用?Python get_kdbg使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了get_kdbg函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
# Currently we only support x86. The x64 does still have a IDT
# but hooking is prohibited and results in bugcheck.
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
# Get the GDT for access to selector bases
gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
for i, entry in kpcr.idt_entries():
# Where the IDT entry points.
addr = entry.Address
# Per MITRE, add the GDT selector base if available.
# This allows us to detect sneaky attempts to hook IDT
# entries by changing the entry's GDT selector.
gdt_entry = gdt.get(entry.Selector.v())
if gdt_entry != None and "Code" in gdt_entry.Type:
addr += gdt_entry.Base
# Lookup the function's owner
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))
yield i, entry, addr, module示例2: generate_suggestions
def generate_suggestions(self):
"""The nt!PoolBigPageTable and nt!PoolBigPageTableSize
are found relative to nt!PoolTrackTable"""
track_table = tasks.get_kdbg(self.obj_vm).PoolTrackTable
for pair in self.distance:
table_base = obj.Object("address",
offset = track_table - pair[0],
vm = self.obj_vm)
table_size = obj.Object("address",
offset = track_table - pair[1],
vm = self.obj_vm)
if (table_base % 0x1000 == 0 and
self.obj_vm.is_valid_address(table_base) and
table_size != 0 and
table_size % 0x1000 == 0 and
table_size < 0x1000000):
break
debug.debug("Distance Map: {0}".format(repr(self.distance)))
debug.debug("PoolTrackTable: {0:#x}".format(track_table))
debug.debug("PoolBigPageTable: {0:#x} => {1:#x}".format(table_base.obj_offset, table_base))
debug.debug("PoolBigPageTableSize: {0:#x} => {1:#x}".format(table_size.obj_offset, table_size))
yield table_base, table_size示例3: __init__
def __init__(self, config, *args, **kwargs):
commands.Command.__init__(self, config, *args, **kwargs)
config.add_option("BUILD_SYMBOLS", default = False, action = 'store_true', cache_invalidator = False, help = "Build symbol table information")
config.add_option("USE_SYMBOLS", default = False, action = 'store_true', cache_invalidator = False, help = "Use symbol servers to resolve process addresses to module names")
self.kdbg = tasks.get_kdbg(utils.load_as(config))
self.build_symbols = getattr(config, 'BUILD_SYMBOLS', False)
self.use_symbols = getattr(config, 'USE_SYMBOLS', False)示例4: calculate
def calculate(self):
kernel_space = utils.load_as(self._config)
if not self.is_valid_profile(kernel_space.profile):
debug.error("Windows XP/2003 does not track pool tags")
knowntags = {}
if self._config.TAGFILE and os.path.isfile(self._config.TAGFILE):
taglines = open(self._config.TAGFILE).readlines()
for tag in taglines:
tag = tag.strip()
if tag.startswith("rem") or tag.startswith(" ") or tag == "":
continue
info = tag.split("-", 2)
try:
key = info[0].strip()
driver = info[1].strip()
reason = info[2].strip()
except IndexError:
continue
knowntags[key] = (driver, reason)
track_table = tasks.get_kdbg(kernel_space).PoolTrackTable
# not really an address, this is just a trick to get
# a 32bit number on x86 and 64bit number on x64. the
# size is always directly before the pool table.
table_size = obj.Object("address", offset =
track_table - kernel_space.profile.get_obj_size("address"),
vm = kernel_space
)
track_table = track_table.dereference_as("address")
entries = obj.Object("Array", targetType = "_POOL_TRACKER_TABLE",
offset = track_table, count = table_size,
vm = kernel_space
)
if self._config.TAGS:
tags = [tag for tag in self._config.TAGS.split(",")]
else:
tags = []
for entry in entries:
if not self._config.SHOW_FREE:
if entry.PagedBytes == 0 and entry.NonPagedBytes == 0:
continue
if not tags or entry.Key in tags:
try:
(driver, reason) = knowntags[str(entry.Key).strip()]
if self._config.WHITELIST:
continue
except KeyError:
(driver, reason) = ("", "")
yield entry, driver, reason示例5: calculate
def calculate(self):
if not has_pydeep:
debug.error(
"Please install ssdeep and pydeep from http://ssdeep.sourceforge.net/ and https://github.com/kbandla/pydeep"
)
addr_space = utils.load_as(self._config)
self._addr_space = addr_space
page_sig = self._pydeep_page()
if page_sig == None:
debug.error("Pydeep was not able to hash the input")
if self._config.KERNEL:
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigSSDeepScanner(address_space=session_space, rules=rules)
for hit, address in scanner.scan(start_offset=start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadSSDeepScanner(task=task, pydeep_hash=page_sig)
for sig, vStart, vLength, offset, alike in scanner.scan():
yield (task, sig, vStart, vLength, offset, alike, scanner.address_space.zread(offset, 0x1000))示例6: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
# Currently we only support x86. The x64 does still have a GDT
# but hooking is prohibited and results in bugcheck.
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
for i, entry in kpcr.gdt_entries():
yield i, entry示例7: calculate
def calculate(self):
if not has_yara:
debug.error("Please install Yara from code.google.com/p/yara-project")
addr_space = utils.load_as(self._config)
rules = self._compile_rules()
if self._config.KERNEL:
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address, 1024))
else:
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit, scanner.address_space.zread(address, 1024))示例8: get_bugcheck_callbacks
def get_bugcheck_callbacks(self):
"""
Enumerate generic Bugcheck callbacks.
Note: These structures don't exist in tagged pools, but you can find
them via KDDEBUGGER_DATA64 on all versions of Windows.
"""
kbcclh = tasks.get_kdbg(self.kern_space).KeBugCheckCallbackListHead.dereference_as('_KBUGCHECK_CALLBACK_RECORD')
for l in kbcclh.Entry.list_of_type("_KBUGCHECK_CALLBACK_RECORD", "Entry"):
yield "KeBugCheckCallbackListHead", l.CallbackRoutine, l.Component.dereference()示例9: check_pspcid
def check_pspcid(self, addr_space):
"""Enumerate processes by walking the PspCidTable"""
ret = dict()
# Follow the pointers to the table base
kdbg = tasks.get_kdbg(addr_space)
PspCidTable = kdbg.PspCidTable.dereference().dereference()
# Walk the handle table
for handle in PspCidTable.handles():
if handle.get_object_type() == "Process":
process = handle.dereference_as("_EPROCESS")
ret[process.obj_vm.vtop(process.obj_offset)] = process
return ret示例10: calculate
def calculate(self):
if not has_yara:
debug.error("Please install Yara from code.google.com/p/yara-project")
addr_space = utils.load_as(self._config)
rules = yara.compile(sources=ghost_sig)
decrypted_data = None
mal_proc = {}
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = malfind.DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
content = session_space.zread(address,1024)
header_size = content.find("\x78\x9c")
magic_header_size = header_size - 8
magic_keyword = content[:magic_header_size]
comp_uncomp_size = content[magic_header_size:header_size]
s = struct.Struct("I I")
comp_size, uncomp_size = s.unpack(comp_uncomp_size)
enc_data = content[0:comp_size]
to_decrypt = content[header_size:comp_size]
dec_data = self.decrypt_communication(to_decrypt)
if not mal_proc:
self.get_ghost_process(magic_keyword, mal_proc, addr_space)
os_version = self.get_os_version(addr_space)
yield (mal_proc, address, magic_keyword, enc_data, dec_data, os_version)示例11: _scan_kernel_memory
def _scan_kernel_memory(self, addr_space, rules):
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address - self._config.REVERSE, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))示例12: calculate
def calculate(self):
## Stop executing if the user did not mean to overwrite the file
if os.path.isfile(self.save_location):
resp = raw_input("Are you sure you want to overwrite {}? [Y/n] ".format(self.save_location))
if resp.upper() == 'N':
self.abort = True
return # Not continuing
## Read from existing target configuration (if modifying)
if self._config.MODIFY:
self.new_config.read(self.save_location)
## Attempt to automatically determine profile
if self._config.AUTO:
print("Determining profile based on KDBG search...")
self.suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
if self.suglist:
self.new_config.set("DEFAULT", "profile", self.suglist[0])
## Update profile so --offsets will work
self._config.PROFILE = self.suglist[0]
self._exclude_options.append('profile')
else:
print("Failed to determine profile")
## Read in current command line (precedence over settings in configs)
for key in self._config.opts:
if key not in self._exclude_options:
self.new_config.set("DEFAULT", key, self._config.opts[key])
## Add to excluded list so we do not overwrite them later
self._exclude_options.append(key)
## Save options from configuration files (unless excluded by user)
if self._config.EXCLUDE_CONF == False:
for key in self._config.cnf_opts:
if key not in self._exclude_options:
self.new_config.set("DEFAULT", key, self._config.cnf_opts[key])
## Get offsets (KDBG and DTB)
if self._config.OFFSETS:
addr_space = utils.load_as(self._config)
kdbg = tasks.get_kdbg(addr_space)
self.new_config.set("DEFAULT", "kdbg", str(kdbg.v()))
if hasattr(addr_space, "dtb"):
self.new_config.set("DEFAULT", "dtb", str(addr_space.dtb))
## Ensure DTB and KDBG are converted properly at the last moment:
## Note, volatility will convert these to int when read from CNF_OPTS
try:
kdbg = self.new_config.get("DEFAULT", "kdbg")
self.new_config.set("DEFAULT", "kdbg", str(hex(int(kdbg))))
except ConfigParser.NoOptionError:
pass
try:
dtb = self.new_config.get("DEFAULT", "dtb")
self.new_config.set("DEFAULT", "dtb", str(hex(int(dtb))))
except ConfigParser.NoOptionError:
pass
## Write the new configuration file
with open(self.save_location, "wb") as configfile:
self.new_config.write(configfile)示例13: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
# Get the OS version we're analyzing
version = (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
modlist = list(modules.lsmod(addr_space))
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
mod_addrs = sorted(mods.keys())
# KTIMERs collected
timers = []
# Valid KTIMER.Header.Type values
TimerNotificationObject = 8
TimerSynchronizationObject = 9
valid_types = (TimerNotificationObject, TimerSynchronizationObject)
if version == (5, 1) or (version == (5, 2) and
addr_space.profile.metadata.get('build', 0) == 3789):
# On XP SP0-SP3 x86 and Windows 2003 SP0, KiTimerTableListHead
# is an array of 256 _LIST_ENTRY for _KTIMERs.
KiTimerTableListHead = self.find_list_head(modlist[0],
"KeUpdateSystemTime",
"\x25\xFF\x00\x00\x00\x8D\x0C\xC5")
lists = obj.Object("Array", offset = KiTimerTableListHead,
vm = addr_space,
targetType = '_LIST_ENTRY',
count = 256)
for l in lists:
for t in l.list_of_type("_KTIMER", "TimerListEntry"):
timers.append(t)
elif version == (5, 2) or version == (6, 0):
# On XP x64, Windows 2003 SP1-SP2, and Vista SP0-SP2, KiTimerTableListHead
# is an array of 512 _KTIMER_TABLE_ENTRY structs.
KiTimerTableListHead = self.find_list_head(modlist[0],
"KeCancelTimer",
"\xC1\xE7\x04\x81\xC7")
lists = obj.Object("Array", offset = KiTimerTableListHead,
vm = addr_space,
targetType = '_KTIMER_TABLE_ENTRY',
count = 512)
for l in lists:
for t in l.Entry.list_of_type("_KTIMER", "TimerListEntry"):
timers.append(t)
elif version == (6, 1):
# On Windows 7, there is no more KiTimerTableListHead. The list is
# at _KPCR.PrcbData.TimerTable.TimerEntries (credits to Matt Suiche
# for this one. See http://pastebin.com/FiRsGW3f).
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
for table in kpcr.ProcessorBlock.TimerTable.TimerEntries:
for t in table.Entry.list_of_type("_KTIMER", "TimerListEntry"):
timers.append(t)
for timer in timers:
# Sanity check on the timer type
if timer.Header.Type not in valid_types:
continue
# Ignore timers without DPCs
if not timer.Dpc.is_valid() or not timer.Dpc.DeferredRoutine.is_valid():
continue
# Lookup the module containing the DPC
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(timer.Dpc.DeferredRoutine))
yield timer, module示例14: lsmod
def lsmod(addr_space):
""" A Generator for modules """
for m in tasks.get_kdbg(addr_space).modules():
yield m示例15: calculate
def calculate(self):
if self._config.SLACK and (self._config.DSTS or self._config.PCAP):
debug.error('SLACK can\'t be used with PCAP or DSTS')
# Make sure the MAC address is valid
if self._config.MAC:
hex_mac = self.validate_mac(self._config.MAC)
if not hex_mac:
debug.error('Invalid MAC address')
# Ensure PCAP file won't overwrite an existing file
if self._config.PCAP and os.path.exists(self._config.PCAP):
debug.error('\'{}\' already exists. Cowardly refusing to overwrite it...'.format(
self._config.PCAP))
# Ensure DSTS file won't overwrite an existing file
if self._config.DSTS and os.path.exists(self._config.DSTS):
debug.error('\'{}\' already exists. Cowardly refusing to overwrite it...'.format(
self._config.DSTS))
if self._config.SLACK:
# Compiled RegEx = (tiny) increase in efficiency
# NetBIOS code chars
self.rx_nbchars = re.compile('^([ACDEFH][A-P])+$')
# Get the start of kernel space
addr_space = utils.load_as(self._config)
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# 64-bit to 48-bit adjustment
# TODO: Is there a more Volatility-esque way of doing this?
if start > 0xffff000000000000:
start = start & 0x0000ffffffffffff
macs = set() # Store the MAC addresses we find
if self._config.MAC:
macs.add(hex_mac)
else: # No MAC provided, so we'd better try and find one
# Attemp 1: NDsh
new_macs = self.macfind_ndsh(addr_space, start)
if new_macs:
for new_mac in new_macs:
macs.add(new_mac)
if len(macs) < 1:
debug.error('No MAC addresses found.')
hits = []
_MAX_SLACK_LENGTH = 128
for session_space in self.gen_session_spaces(addr_space):
for mac in macs:
scanner = MacScanner(mac)
for address in scanner.scan(session_space, offset=start):
if address in hits:
continue
hits.append(address)
eth = obj.Object('_ETHERNET', vm=session_space, offset=address)
if eth.eth_type == 0x0800 or eth.eth_type == 0x86dd:
raw = session_space.zread(address, 2048)
# Parse ethernet's payload
if eth.eth_type == 0x0800: # IPv4:
eth_payload = obj.Object('_IPv4', vm=session_space,
offset = eth.v() + 0x0E)
end = 14 + eth_payload.length
if self._config.SLACK:
yield address, raw[end:end+_MAX_SLACK_LENGTH]
continue
raw = raw[:end]
elif eth.eth_type == 0x86dd: # IPv6
eth_payload = obj.Object('_IPv6', vm=session_space,
offset = eth.v() + 0x0E)
end = 14 + 40 + eth_payload.pld_len
if self._config.SLACK:
yield address, raw[end:end+_MAX_SLACK_LENGTH]
continue
raw = raw[:end]
else: # This shouldn't happen, but just in case
continue
# Parse ethernet's payload's payload
if eth_payload.is_tcp():
payload = obj.Object('_TCP', vm=session_space,
offset=eth_payload.payload_offset())
elif eth_payload.is_udp():
payload = obj.Object('_UDP', vm=session_space,
offset=eth_payload.payload_offset())
else:
yield raw, eth, eth_payload, None
continue
yield raw, eth, eth_payload, payload