Hi again,
Michael, thanks for adding in my patches (and fixing up my antiquated
Python!)... :) I'm still working towards moving all the modules over
to plugins, so here are a couple more. I've been cleaning up the
various forensics.win32 files as I go, once a function is no longer
called. This will break compatibility with old plugins, but I think we've
already covered this and decided that cleaning things up is the best way
to let new people get into it, and to let old devs figure out what they should
use and what they shouldn't.
As ever, do let me know if there are any stylistic changes or
functionality issues, and please feel free to improve them in any way! ;)
Mike :)
From e31e38da3b559715f735afd5f112092e6d0ad60e Mon Sep
17 00:00:00 2001
From: Mike Auty <mike.auty(a)gmail.com>
Date: Sat, 26 Sep 2009 12:49:47 +0100
Subject: [PATCH] Add in modules plugin.
---
Volatility/forensics/win32/network.py | 73 -------------------------
Volatility/memory_plugins/internal/modules.py | 39 +++++++++++++
Volatility/vmodules.py | 39 -------------
Volatility/volatility.py | 4 --
4 files changed, 39 insertions(+), 116 deletions(-)
create mode 100644 Volatility/memory_plugins/internal/modules.py
diff --git a/Volatility/forensics/win32/network.py
b/Volatility/forensics/win32/network.py
index b4598dd..7ebad10 100644
--- a/Volatility/forensics/win32/network.py
+++ b/Volatility/forensics/win32/network.py
@@ -111,79 +111,6 @@ def determine_connections(addr_space, profile):
return object2.NoneObject("Unable to determine connections")
-def tcb_connections(addr_space, types, symbol_table):
- all_modules = modules_list(addr_space, types, symbol_table)
- base_addr = module_find_baseaddr(addr_space, types, all_modules,"tcpip")
-
- if base_addr is None:
- return []
-
- connection_list = []
-
- connection_list = find_connections(addr_space, types, symbol_table, base_addr)
-
- return connection_list
-
-def get_tcb_connections(addr_space, types, _symbol_table, base_addr, TCBTableOff,
SizeOff):
-
- TCBTable = base_addr + TCBTableOff
- MaxHashTableSize = base_addr + SizeOff
-
-
- TCBTableAddr = read_value(addr_space, 'unsigned long', TCBTable)
-
- if TCBTableAddr == None:
- return []
-
- if not addr_space.is_valid_address(TCBTableAddr):
- return []
-
- TableSize = read_value(addr_space, 'unsigned long', MaxHashTableSize)
-
- if TableSize == None:
- return []
-
- connection_list = []
- for cnt in range(0, TableSize):
- EntryAddress = TCBTableAddr + 4*cnt
-
- if not addr_space.is_valid_address(EntryAddress):
- continue
-
- TableEntry = read_value(addr_space, 'unsigned long', EntryAddress)
- if TableEntry == 0 or TableEntry == None:
- continue
-
- next = read_obj(addr_space, types,
- ['_TCPT_OBJECT', 'Next'], TableEntry)
-
- while next != 0x0:
- if not addr_space.is_valid_address(next):
- print "ConnectionList Truncated Invalid 0x%x" % next
- return connection_list
- connection_list.append(next)
- next = read_obj(addr_space, types,
- ['_TCPT_OBJECT', 'Next'], next)
-
- connection_list.append(TableEntry)
-
- return connection_list
-
-
-def find_connections(addr_space, types, symbol_table, base_addr):
-
- connection_list = []
-
- for offsets in module_versions:
- offsets = module_versions[offsets]
-
- connection_list = get_tcb_connections(addr_space, types, symbol_table, base_addr,
offsets['TCBTableOff'][0], offsets['SizeOff'][0])
- if len(connection_list) > 0:
- return connection_list
-
- return connection_list
-
-
def connection_pid(addr_space, types, connection_vaddr):
return read_obj(addr_space, types,
['_TCPT_OBJECT', 'Pid'], connection_vaddr)
diff --git a/Volatility/memory_plugins/internal/modules.py
b/Volatility/memory_plugins/internal/modules.py
new file mode 100644
index 0000000..7436b2a
--- /dev/null
+++ b/Volatility/memory_plugins/internal/modules.py
@@ -0,0 +1,39 @@
+'''
+Created on 25 Sep 2009
+
+@author: Mike Auty
+'''
+
+#pylint: disable-msg=C0111
+
+import forensics.commands
+import forensics.win32 as win32
+import forensics.object2 as object2
+import forensics.utils as utils
+
+class modules(forensics.commands.command):
+ """Print list of loaded modules"""
+
+ def __init__(self, args=None):
+ forensics.commands.command.__init__(self, args)
+ self.profile = None
+
+ def render_text(self, outfd, data):
+ header = False
+
+ for module in data:
+ if not header:
+ outfd.write("%-50s %-12s %-8s %s\n" % ('File',
'Base', 'Size', 'Name'))
+ header = True
+ outfd.write("%-50s 0x%0.10x 0x%0.6x %s\n" % (module.FullDllName,
int(module.BaseAddress.value()), int(module.SizeOfImage), module.ModuleName))
+
+
+ def calculate(self):
+ result = {}
+ self.profile = object2.Profile()
+
+ addr_space = utils.load_as(self.opts)
+
+ result = win32.modules.lsmod(addr_space, self.profile)
+
+ return result
\ No newline at end of file
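Review bot: In `calculate`, `result = {}` is dead — it is overwritten two lines later by `win32.modules.lsmod(...)`, and since `lsmod` is a generator (`yield l` is visible in the second patch's modules.py hunk) the dict placeholder also misstates what the method returns; write `return win32.modules.lsmod(addr_space, self.profile)` directly (the same dead assignment is in sockets.py's `calculate` in the second patch). `render_text` emits the column header lazily on the first item, so an image with no readable modules prints nothing at all rather than an empty table; if that is intended, say so in a docstring. The removed `get_modules` in vmodules.py skipped entries failing `addr_space.is_valid_address(module)`; whether `lsmod` already filters unreadable entries is outside this hunk, so confirm it before relying on the new path. Neither method has a docstring (the `C0111` pylint disable silences the warning rather than addressing it); `calculate` should at least state that it returns whatever `win32.modules.lsmod` yields for the address space selected by `self.opts`.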
diff --git a/Volatility/vmodules.py b/Volatility/vmodules.py
index 46bef38..80748fd 100644
--- a/Volatility/vmodules.py
+++ b/Volatility/vmodules.py
@@ -40,10 +40,8 @@ from forensics.object import read_unicode_string, read_obj
from forensics.win32.tasks import module_base, module_path, module_size,
create_addr_space, process_addr_space, process_command_line, process_dtb,
process_find_pid
from forensics.win32.tasks import process_imagename, process_ldrs, process_list,
process_peb, process_pid, process_handle_table, process_create_time, process_handle_count
from forensics.win32.tasks import process_inherited_from, process_num_active_threads,
process_vadroot
-from forensics.win32.modules import modules_list
from forensics.win32.network import socket_create_time, socket_local_port, socket_pid,
socket_protocol, open_sockets
from forensics.win32.handles import handle_entries, handle_process_id, handle_tables,
handle_entry_object, is_object_file, object_data, file_name
-from forensics.win32.modules import module_baseaddr, module_imagename, module_imagesize,
module_modulename
from forensics.win32.vad import vad_dump, vad_info, print_vad_dot_infix,
print_vad_dot_prefix, print_vad_table, print_vad_tree, traverse_vad
from forensics.win32.scan import module_scan, conn_scan, ps_scan_dot, ps_scan,
socket_scan, thrd_scan
from forensics.win32.crashdump import crash_to_dd, dd_to_crash
@@ -75,43 +73,6 @@ def format_time(time):
return ts
###################################
-# modules list
-###################################
-def get_modules(cmdname, argv):
- """
- Function prints a formatted table of module information
- """
- op = get_standard_parser(cmdname)
- opts, _args = op.parse_args(argv)
-
- (addr_space, symtab, types) = load_and_identify_image(op, opts)
-
- all_modules = modules_list(addr_space, types, symtab)
-
- print "%-50s %-12s %-8s %s" % ('File', 'Base',
'Size', 'Name')
-
- for module in all_modules:
- if not addr_space.is_valid_address(module):
- continue
- module_image = module_imagename(addr_space, types, module)
- if module_image is None:
- module_image = "UNKNOWN"
-
- module_name = module_modulename(addr_space, types, module)
- if module_name is None:
- module_name = "UNKNOWN"
-
- module_base = module_baseaddr(addr_space, types, module)
- if module_base is None:
- module_base = "UNKNOWN"
- else:
- module_base = "0x%010x" % module_base
-
- module_size = module_imagesize(addr_space, types, module)
-
- print "%-50s %s 0x%06x %s" % (module_image, module_base, module_size,
module_name)
-
-###################################
# pslist - process list
###################################
def get_pslist(cmdname, argv):
diff --git a/Volatility/volatility.py b/Volatility/volatility.py
index ebdf02e..dc7b894 100644
--- a/Volatility/volatility.py
+++ b/Volatility/volatility.py
@@ -56,10 +56,6 @@ modules = {
VolatoolsModule('files',
'Print list of open files for each process',
get_open_files),
- 'modules':
- VolatoolsModule('modules',
- 'Print list of loaded modules',
- get_modules),
'strings':
VolatoolsModule('strings',
'Match physical offsets to virtual addresses (may take a while,
VERY verbose)',
--
1.6.5.rc1
From 8d39cba526fed7885bdfece50d981f1856487555 Mon Sep
17 00:00:00 2001
From: Mike Auty <mike.auty(a)gmail.com>
Date: Sat, 26 Sep 2009 13:00:01 +0100
Subject: [PATCH] Add in sockets plugin.
---
Volatility/forensics/win32/modules.py | 46 +-----------
Volatility/forensics/win32/network.py | 96 ++++++++-----------------
Volatility/memory_plugins/internal/sockets.py | 39 ++++++++++
Volatility/vmodules.py | 30 --------
Volatility/volatility.py | 4 -
5 files changed, 71 insertions(+), 144 deletions(-)
create mode 100644 Volatility/memory_plugins/internal/sockets.py
diff --git a/Volatility/forensics/win32/modules.py
b/Volatility/forensics/win32/modules.py
index 7b20ff1..9f438aa 100644
--- a/Volatility/forensics/win32/modules.py
+++ b/Volatility/forensics/win32/modules.py
@@ -25,8 +25,8 @@
#pylint: disable-msg=C0111
-from forensics.object import read_obj, read_unicode_string, get_obj_offset
-from forensics.win32.info import find_psloadedmodulelist, kpcr_addr
+from forensics.object import read_obj, read_unicode_string
+from forensics.win32.info import kpcr_addr
from forensics.object2 import NewObject
def lsmod(addr_space, profile):
@@ -55,48 +55,6 @@ def lsmod(addr_space, profile):
"_LDR_MODULE", "InLoadOrderModuleList"):
yield l
-def modules_list(addr_space, types, _symbol_table):
- """
- Get the virtual addresses of all Windows modules
- """
- modules_list = []
-
- PsLoadedModuleList = find_psloadedmodulelist(addr_space, types)
-
- if not PsLoadedModuleList is None:
- (offset, _tmp) = get_obj_offset(types, \
- ['_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks'])
-
- first_module = PsLoadedModuleList - offset
-
- current = read_obj(addr_space, types, \
- ['_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks', 'Flink'],
- first_module)
-
- this_module = current - offset
-
- next = read_obj(addr_space, types, \
- ['_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks', 'Flink'],
- this_module)
-
- while this_module != PsLoadedModuleList:
-
- if not addr_space.is_valid_address(this_module):
- print "Module list truncated, unable to read 0x%x." %
(this_module)
- return modules_list
-
- modules_list.append(this_module)
- current = read_obj(addr_space, types, \
- ['_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks', 'Flink'],
- this_module)
- this_module = current - offset
-
- if not addr_space.is_valid_address(this_module):
- print "ModuleList Truncated Invalid Module"
- return modules_list
-
- return modules_list
-
def module_imagename(address_space, types, module_vaddr):
return read_unicode_string(address_space, types,
['_LDR_DATA_TABLE_ENTRY', 'FullDllName'], module_vaddr)
diff --git a/Volatility/forensics/win32/network.py
b/Volatility/forensics/win32/network.py
index 7ebad10..bb1f182 100644
--- a/Volatility/forensics/win32/network.py
+++ b/Volatility/forensics/win32/network.py
@@ -31,9 +31,8 @@
import struct
import forensics.win32 as win32
import forensics.object2 as object2
-from forensics.object import read_value, read_obj, get_obj_offset
+from forensics.object import read_obj, get_obj_offset
from forensics.win32.datetime import read_time, windows_to_unix_time
-from forensics.win32.modules import module_find_baseaddr, modules_list
from socket import ntohs, inet_ntoa
module_versions = { \
@@ -111,6 +110,35 @@ def determine_connections(addr_space, profile):
return object2.NoneObject("Unable to determine connections")
+def determine_sockets(addr_space, profile):
+ """Determines all sockets for each module"""
+ all_modules = win32.modules.lsmod(addr_space, profile)
+
+ profile.add_types({'_ADDRESS_OBJECT_POINTER': [0x4,
+ {'Pointer': [0x0,
['pointer', ['_ADDRESS_OBJECT']]]}
+ ]})
+
+ sockets = []
+
+ for m in all_modules:
+ if str(m.ModuleName).lower() == 'tcpip.sys':
+ for attempt in module_versions:
+ table_size = object2.NewObject("unsigned long", m.BaseAddress +
module_versions[attempt]['AddrObjTableSizeOffset'][0], addr_space,
profile=profile)
+ table_addr = object2.NewObject("unsigned long", m.BaseAddress +
module_versions[attempt]['AddrObjTableOffset'][0], addr_space, profile=profile)
+ if int(table_size) > 0:
+ table = object2.Array('Array', table_addr, addr_space,
count=table_size, profile=profile,
+ target=object2.Curry(object2.NewObject,
'_ADDRESS_OBJECT_POINTER'))
+ for entry in table:
+ if entry is None:
+ break
+ sock = entry.Pointer.dereference()
+ while sock.is_valid():
+ sockets.append(sock)
+ sock = sock.Next
+ return sockets
+
+ return object2.NoneObject("Unable to determine sockets")
+
def connection_pid(addr_space, types, connection_vaddr):
return read_obj(addr_space, types,
['_TCPT_OBJECT', 'Pid'], connection_vaddr)
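Review bot: The `return sockets` inside the `for attempt in module_versions` loop fires for the first version whose size word is non-zero, even when that version's offsets produced no sockets, whereas the removed `find_sockets` (next hunk) fell through to the next offset set when the result was empty; the new behaviour masks a wrong-version guess as "no open sockets". Change it to `if sockets: return sockets` so the remaining versions are still tried, and let the trailing `NoneObject` cover the all-empty case. The `while sock.is_valid(): ... sock = sock.Next` walk has no termination guard beyond validity: a corrupted image whose `Next` chain cycles will spin forever, so record the offsets already visited and stop on a repeat (the removed `get_open_sockets` had the same gap, so this is not a regression, but the data is read from an untrusted image and should be bounded). `profile.add_types(...)` also runs on every call and mutates the shared profile; presumably it is idempotent, but that is worth confirming before this is called from more than one plugin.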
@@ -133,70 +161,6 @@ def connection_raddr(addr_space, types, connection_vaddr):
['_TCPT_OBJECT', 'RemoteIpAddress'],
connection_vaddr)
return inet_ntoa(struct.pack('=L', raddr))
-def open_sockets(addr_space, types, symbol_table):
- all_modules = modules_list(addr_space, types, symbol_table)
- base_addr = module_find_baseaddr(addr_space, types, all_modules,"tcpip")
-
- if base_addr is None:
- return []
-
- socket_list = []
-
- socket_list = find_sockets(addr_space, types, symbol_table, base_addr)
-
- return socket_list
-
-def get_open_sockets(addr_space, types, _symbol_table, base_addr, AddrObjTableOffset,
AddrObjTableSizeOffset):
-
- AddrObjTable = base_addr + AddrObjTableOffset
- AddrObjTableSize = base_addr + AddrObjTableSizeOffset
-
- AddrObjAddr = read_value(addr_space, 'unsigned long', AddrObjTable)
- AddrTableSize = read_value(addr_space, 'unsigned long', AddrObjTableSize)
-
- if AddrObjAddr == None or AddrTableSize == None:
- return []
-
- socket_list = []
- for cnt in range(0, AddrTableSize):
- EntryAddress = AddrObjAddr + 4*cnt
-
- if not addr_space.is_valid_address(EntryAddress):
- continue
-
- TableEntry = read_value(addr_space, 'unsigned long', EntryAddress)
- if TableEntry == 0 or TableEntry == None:
- continue
-
- socket_list.append(TableEntry)
- next = read_obj(addr_space, types,
- ['_ADDRESS_OBJECT', 'Next'], TableEntry)
-
- while next != 0x0:
- if not addr_space.is_valid_address(next):
- print "SocketList Truncated Invalid 0x%x" % next
- return socket_list
- socket_list.append(next)
- next = read_obj(addr_space, types,
- ['_ADDRESS_OBJECT', 'Next'], next)
-
- return socket_list
-
-
-def find_sockets(addr_space, types, symbol_table, base_addr):
-
- socket_list = []
-
- for offsets in module_versions:
- offsets = module_versions[offsets]
-
- socket_list = get_open_sockets(addr_space, types, symbol_table, base_addr,
offsets['AddrObjTableOffset'][0], offsets['AddrObjTableSizeOffset'][0])
- if len(socket_list) > 0:
- return socket_list
-
- return socket_list
-
-
def socket_pid(addr_space, types, socket_vaddr):
return read_obj(addr_space, types,
['_ADDRESS_OBJECT', 'Pid'], socket_vaddr)
diff --git a/Volatility/memory_plugins/internal/sockets.py
b/Volatility/memory_plugins/internal/sockets.py
new file mode 100644
index 0000000..b931964
--- /dev/null
+++ b/Volatility/memory_plugins/internal/sockets.py
@@ -0,0 +1,39 @@
+'''
+Created on 25 Sep 2009
+
+@author: Mike Auty
+'''
+
+#pylint: disable-msg=C0111
+
+import forensics.commands
+import forensics.win32 as win32
+import forensics.object2 as object2
+import forensics.utils as utils
+import socket
+
+class sockets(forensics.commands.command):
+ """Print list of open sockets"""
+
+ def __init__(self, args=None):
+ forensics.commands.command.__init__(self, args)
+ self.profile = None
+
+ def render_text(self, outfd, data):
+ if len(data):
+ outfd.write("%-6s %-6s %-6s %-26s\n" % ('Pid',
'Port', 'Proto', 'Create Time'))
+
+ for sock in data:
+ outfd.write("%-6s %-6s %-6s %-26s\n" % (int(sock.Pid),
socket.ntohs(sock.LocalPort), int(sock.Protocol), sock.CreateTime))
+
+
+ def calculate(self):
+ result = {}
+ self.profile = object2.Profile()
+
+ addr_space = utils.load_as(self.opts)
+
+ # Get the Image Datetime
+ result = win32.network.determine_sockets(addr_space, self.profile)
+
+ return result
\ No newline at end of file
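Review bot: The comment `# Get the Image Datetime` above the `determine_sockets` call is a copy-paste leftover and describes something the line does not do; replace it with `# Walk tcpip.sys's address-object table for the image's open sockets`. `render_text` starts with `if len(data):`, but `determine_sockets` (previous file in this patch) returns `object2.NoneObject(...)` when no `tcpip.sys` module is found; whether `NoneObject` supports `len()` cannot be confirmed from here, so check it or test `if not data: return` instead. `sock.CreateTime` is printed via `%s` where the removed `get_sockets` called `format_time(...)`; if the object's string form is not already a formatted timestamp, the column will show a raw value. Neither method has a docstring.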
diff --git a/Volatility/vmodules.py b/Volatility/vmodules.py
index 80748fd..8633c7a 100644
--- a/Volatility/vmodules.py
+++ b/Volatility/vmodules.py
@@ -40,7 +40,6 @@ from forensics.object import read_unicode_string, read_obj
from forensics.win32.tasks import module_base, module_path, module_size,
create_addr_space, process_addr_space, process_command_line, process_dtb,
process_find_pid
from forensics.win32.tasks import process_imagename, process_ldrs, process_list,
process_peb, process_pid, process_handle_table, process_create_time, process_handle_count
from forensics.win32.tasks import process_inherited_from, process_num_active_threads,
process_vadroot
-from forensics.win32.network import socket_create_time, socket_local_port, socket_pid,
socket_protocol, open_sockets
from forensics.win32.handles import handle_entries, handle_process_id, handle_tables,
handle_entry_object, is_object_file, object_data, file_name
from forensics.win32.vad import vad_dump, vad_info, print_vad_dot_infix,
print_vad_dot_prefix, print_vad_table, print_vad_tree, traverse_vad
from forensics.win32.scan import module_scan, conn_scan, ps_scan_dot, ps_scan,
socket_scan, thrd_scan
@@ -296,35 +295,6 @@ def get_dlllist(cmdname, argv):
print
###################################
-# sockets - List open sockets
-###################################
-def get_sockets(cmdname, argv):
- """
- Function prints a list of open sockets.
- """
- op = get_standard_parser(cmdname)
- opts, _args = op.parse_args(argv)
-
- (addr_space, symtab, types) = load_and_identify_image(op, opts)
-
- sockets = open_sockets(addr_space, types, symtab)
-
- if len(sockets) > 0:
- print "%-6s %-6s %-6s %-26s" % ('Pid', 'Port',
'Proto', 'Create Time')
-
- for socket in sockets:
-
- if not addr_space.is_valid_address(socket):
- continue
-
- pid = socket_pid(addr_space, types, socket)
- proto = socket_protocol(addr_space, types, socket)
- port = socket_local_port(addr_space, types, socket)
- time = socket_create_time(addr_space, types, socket)
-
- print "%-6d %-6d %-6d %-26s" % (pid, port, proto, format_time(time))
-
-###################################
# files - List open files
###################################
def print_entry_file(addr_space, types, entry):
diff --git a/Volatility/volatility.py b/Volatility/volatility.py
index dc7b894..65f6732 100644
--- a/Volatility/volatility.py
+++ b/Volatility/volatility.py
@@ -48,10 +48,6 @@ modules = {
VolatoolsModule('dlllist',
'Print list of loaded dlls for each process',
get_dlllist),
- 'sockets':
- VolatoolsModule('sockets',
- 'Print list of open sockets',
- get_sockets),
'files':
VolatoolsModule('files',
'Print list of open files for each process',
--
1.6.5.rc1