Hi Mike,
This is a great patch. Just a few little comments:
I noticed you create a whole new type:
+ profile.add_types({'_TCPT_OBJECT_POINTER': [0x4,
+ {'Pointer': [0x0,
['pointer', ['_TCPT_OBJECT']]]}
+ ]})
+
which seems quite annoying: having to define special types just for a
pointer to something. I changed the Pointer class so you can do:
Pointer('_TCPT_OBJECT', offset=xxx, ...)
The first arg (theType) should be interpreted as a specialised type
within the broader class - so for example passing '_TCPT_OBJECT' as
theType of a Pointer class means the pointer will be made of this
type.
So for example:
Array('_TCPT_OBJECT_POINTER', offset=.... etc is the same thing as
object2.Array(None,
target = object2.Curry(object2.Pointer,
'_TCPT_OBJECT'))
BTW python 2.6 already comes with a Curry implementation which might
be faster to use. I will look into using it.
Another thing:
+ for entry in table:
+ if entry is None:
+ break
+ conn = entry.Pointer.dereference()
+ while conn.is_valid():
+ connections.append(conn)
+ conn = conn.Next
You are still using "if XXX is None" ... this is not needed, as you can
now write it like this (it's OK to dereference a NoneObject). You don't need to
explicitly check is_valid() either:
for entry in table:
conn = entry.dereference()
while conn:
connections.append(conn)
conn = conn.Next
Michael.
On Sat, Sep 26, 2009 at 10:24 AM, Mike Auty <mike.auty(a)gmail.com> wrote:
Hiya guys,
A slightly bigger and more complex one this time round. This is the
next module I've attempted to convert into a plugin. It seems a bit
fiddly, because you've got to jump around in memory looking for the
right spot (depending on the sys file that created it), so the error
checking on it could probably do with some improvements, but hopefully
the object model will automatically detect and mark as None any invalid
addresses we might ask for.
Again, any comments or criticisms would be gratefully received, I'm not
sure if I'm allowed to just invent type names like I've done for the
table pointers, and I'd also like to know whether the result of a
calculation can contain types, or whether I should be putting the data
into dicts/lists?
I'm also wondering what could be done about the plugin namespace,
because at the moment, there's no way of extending another plugin from a
different module (because relative addressing only works within a python
module, and we haven't been adding __init__.py files to the
memory_plugins directory). Is there a good way of inheriting from a
plugin, or should we just be putting the main functionality under
forensics.win32 and then make the plugins as empty as possible?
The *scan/scan2 functions look like they'll be trickier to convert, if
anyone with a good understanding of the NewObject model would like to
have a go at converting one of them, it'd help me a lot as a template to
get the others converted. If not, I'll have to wing it... 5;P
Mike 5:)
diff --git a/Volatility/forensics/object2.py b/Volatility/forensics/object2.py
index 29552d8..f4f9181 100644
--- a/Volatility/forensics/object2.py
+++ b/Volatility/forensics/object2.py
@@ -99,6 +99,9 @@ class NoneObject(object):
def __iter__(self):
return self
+ def __len__(self):
+ return 0
+
def next(self):
raise StopIteration()
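Review bot: The new `__len__` carries no docstring, and its reason for existing is not obvious from the two lines alone; elsewhere in this patch a `NoneObject` is returned where a collection was expected (`determine_connections` returns `NoneObject("Unable to determine connections")` and `render_text` calls `len(data)` on it), so I would add `"""A NoneObject is empty: len() is 0, so a failed lookup can be handled like an empty collection."""`. Whether this also makes the object falsy in boolean context depends on whether `__nonzero__` is defined elsewhere in the class, which lies outside the hunk.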
@@ -588,8 +591,14 @@ class Profile:
system. We parse the abstract_types and join them with
native_types to make everything work together.
"""
- def __init__(self, native_types=x86_native_types, abstract_types=types,
- overlay=xpsp2overlays, strict=False):
+ def __init__(self, native_types=None, abstract_types=None,
+ overlay=None, strict=False):
+ if native_types is None:
+ native_types = x86_native_types
+ if abstract_types is None:
+ abstract_types = types
+ if overlay is None:
+ overlay = xpsp2overlays
self.types = {}
self.strict = strict
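Review bot: The `Profile` docstring, whose tail is visible as context at the top of the hunk, does not mention what the three new `None` defaults resolve to, so a caller reading the signature alone no longer sees which tables are used. I would add a sentence such as `native_types, abstract_types and overlay default to x86_native_types, types and xpsp2overlays respectively when passed as None.` The body of `__init__` continues past the end of the hunk.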
diff --git a/Volatility/forensics/win32/network.py
b/Volatility/forensics/win32/network.py
index 5ee84d6..b4598dd 100644
--- a/Volatility/forensics/win32/network.py
+++ b/Volatility/forensics/win32/network.py
@@ -29,6 +29,8 @@
#pylint: disable-msg=C0111
import struct
+import forensics.win32 as win32
+import forensics.object2 as object2
from forensics.object import read_value, read_obj, get_obj_offset
from forensics.win32.datetime import read_time, windows_to_unix_time
from forensics.win32.modules import module_find_baseaddr, modules_list
@@ -60,10 +62,10 @@ module_versions = { \
'AddrObjTableSizeOffset' : [0x48664], \
},
'3394': {
- 'TCBTableOff': [0x49768], \
- 'SizeOff': [0x3F73C], \
- 'AddrObjTableOffset': [0x486E0], \
- 'AddrObjTableSizeOffset': [0x486E4], \
+ 'TCBTableOff': [0x49768], \
+ 'SizeOff': [0x3F73C], \
+ 'AddrObjTableOffset': [0x486E0], \
+ 'AddrObjTableSizeOffset': [0x486E4], \
},
'5625' : { \
'TCBTableOff' : [0x49ae8], \
@@ -80,6 +82,35 @@ module_versions = { \
}
+def determine_connections(addr_space, profile):
+ """Determines all connections for each module"""
+ all_modules = win32.modules.lsmod(addr_space, profile)
+
+ profile.add_types({'_TCPT_OBJECT_POINTER': [0x4,
+ {'Pointer': [0x0,
['pointer', ['_TCPT_OBJECT']]]}
+ ]})
+
+ connections = []
+
+ for m in all_modules:
+ if str(m.ModuleName).lower() == 'tcpip.sys':
+ for attempt in module_versions:
+ table_size = object2.NewObject("unsigned long", m.BaseAddress
+ module_versions[attempt]['SizeOff'][0], addr_space, profile=profile)
+ table_addr = object2.NewObject("unsigned long", m.BaseAddress
+ module_versions[attempt]['TCBTableOff'][0], addr_space, profile=profile)
+ if int(table_size) > 0:
+ table = object2.Array('Array', table_addr, addr_space,
count=table_size, profile=profile,
+ target=object2.Curry(object2.NewObject,
'_TCPT_OBJECT_POINTER'))
+ for entry in table:
+ if entry is None:
+ break
+ conn = entry.Pointer.dereference()
+ while conn.is_valid():
+ connections.append(conn)
+ conn = conn.Next
+ return connections
+
+ return object2.NoneObject("Unable to determine connections")
+
def tcb_connections(addr_space, types, symbol_table):
all_modules = modules_list(addr_space, types, symbol_table)
base_addr = module_find_baseaddr(addr_space, types, all_modules,"tcpip")
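Review bot: The check `if int(table_size) > 0:` accepts any nonzero word as the TCB table length, and nothing in the loop ties `attempt` to the build of the tcpip.sys that was actually found, so the first entry of `module_versions` (a dict, whose iteration order is unspecified) whose `SizeOff` happens to hold a nonzero value becomes the `count` of the `Array` that is then walked. In a damaged or deliberately tampered image that word can be arbitrarily large, turning the table walk into a very long scan from a wrong base; bounding it, e.g. `if 0 < int(table_size) <= MAX_TCB_TABLE_ENTRIES:` with `MAX_TCB_TABLE_ENTRIES` added as a module-level constant, and ideally confirming the build against the module before trusting an offset set, would keep one bad read from dominating the plugin. It would also help to record which `attempt` produced the table, since the single message in `return object2.NoneObject("Unable to determine connections")` gives no hint which offset sets were tried.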
diff --git a/Volatility/memory_plugins/internal/connections.py
b/Volatility/memory_plugins/internal/connections.py
new file mode 100644
index 0000000..91a1fff
--- /dev/null
+++ b/Volatility/memory_plugins/internal/connections.py
@@ -0,0 +1,40 @@
+'''
+Created on 25 Sep 2009
+
+@author: Mike Auty
+'''
+
+#pylint: disable-msg=C0111
+
+import forensics.commands
+import forensics.win32 as win32
+import forensics.object2 as object2
+import forensics.utils as utils
+
+class connections(forensics.commands.command):
+ """Print list of open connections"""
+
+ def __init__(self, args=None):
+ forensics.commands.command.__init__(self, args)
+ self.profile = None
+
+ def render_text(self, outfd, data):
+ if len(data):
+ outfd.write("%-25s %-25s %-6s\n" % ('Local Address',
'Remote Address', 'Pid'))
+
+ for conn in data:
+ local = "%s:%s" % (conn.LocalIpAddress, conn.LocalPort)
+ remote = "%s:%s" % (conn.RemoteIpAddress, conn.RemotePort)
+ outfd.write("%-25s %-25s %-6d\n" % (local, remote, conn.Pid))
+
+
+ def calculate(self):
+ result = {}
+ self.profile = object2.Profile()
+
+ addr_space = utils.load_as(self.opts)
+
+ # Get the Image Datetime
+ result = win32.network.determine_connections(addr_space, self.profile)
+
+ return result
\ No newline at end of file
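Review bot: The comment `# Get the Image Datetime` in `calculate` does not describe the call beneath it, which fetches connections, and the `result = {}` two lines earlier is dead because `result` is rebound by `win32.network.determine_connections(...)`; replace the comment with `# Walk the tcpip.sys TCB table for open connections` and drop the dead assignment. In `render_text`, `"%-6d" % conn.Pid` will raise `TypeError` if `Pid` comes back as something that is not an integer (presumably a NoneObject when the entry could not be read, unless that class defines `__int__` — worth confirming), whereas the address fields go through `%s`; formatting `Pid` with `%s` as well, or wrapping it in `int(...)` inside a narrow try, keeps one unreadable entry from aborting the whole listing. The file also ends without a trailing newline.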
diff --git a/Volatility/vmodules.py b/Volatility/vmodules.py
index ec642f8..46bef38 100644
--- a/Volatility/vmodules.py
+++ b/Volatility/vmodules.py
@@ -41,7 +41,6 @@ from forensics.win32.tasks import module_base, module_path,
module_size, create_
from forensics.win32.tasks import process_imagename, process_ldrs, process_list,
process_peb, process_pid, process_handle_table, process_create_time, process_handle_count
from forensics.win32.tasks import process_inherited_from, process_num_active_threads,
process_vadroot
from forensics.win32.modules import modules_list
-from forensics.win32.network import connection_laddr, connection_lport,
connection_raddr, connection_rport, connection_pid, tcb_connections
from forensics.win32.network import socket_create_time, socket_local_port, socket_pid,
socket_protocol, open_sockets
from forensics.win32.handles import handle_entries, handle_process_id, handle_tables,
handle_entry_object, is_object_file, object_data, file_name
from forensics.win32.modules import module_baseaddr, module_imagename, module_imagesize,
module_modulename
@@ -336,39 +335,6 @@ def get_dlllist(cmdname, argv):
print
###################################
-# connections - List open connections
-###################################
-def get_connections(cmdname, argv):
- """
- Function prints a list of open connections
- """
- op = get_standard_parser(cmdname)
- opts, _args = op.parse_args(argv)
-
- (addr_space, symtab, types) = load_and_identify_image(op, opts)
-
- connections = tcb_connections(addr_space, types, symtab)
-
- if len(connections) > 0:
- print "%-25s %-25s %-6s" % ('Local Address', 'Remote
Address', 'Pid')
-
- for connection in connections:
-
- if not addr_space.is_valid_address(connection):
- continue
-
- pid = connection_pid(addr_space, types, connection)
- lport = connection_lport(addr_space, types, connection)
- laddr = connection_laddr(addr_space, types, connection)
- rport = connection_rport(addr_space, types, connection)
- raddr = connection_raddr(addr_space, types, connection)
-
- local = "%s:%d" % (laddr, lport)
- remote = "%s:%d" % (raddr, rport)
-
- print "%-25s %-25s %-6d" % (local, remote, pid)
-
-###################################
# sockets - List open sockets
###################################
def get_sockets(cmdname, argv):
diff --git a/Volatility/volatility.py b/Volatility/volatility.py
index 4e04aeb..ebdf02e 100644
--- a/Volatility/volatility.py
+++ b/Volatility/volatility.py
@@ -56,10 +56,6 @@ modules = {
VolatoolsModule('files',
'Print list of open files for each process',
get_open_files),
- 'connections':
- VolatoolsModule('connections',
- 'Print list of open connections',
- get_connections),
'modules':
VolatoolsModule('modules',
'Print list of loaded modules',