  1  # Rekall Memory Forensics 
  2  # 
  3  # Copyright 2013 Google Inc. All Rights Reserved. 
  4  # 
  5  # This program is free software; you can redistribute it and/or modify 
  6  # it under the terms of the GNU General Public License as published by 
  7  # the Free Software Foundation; either version 2 of the License, or (at 
  8  # your option) any later version. 
  9  # 
 10  # This program is distributed in the hope that it will be useful, but 
 11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 13  # General Public License for more details. 
 14  # 
 15  # You should have received a copy of the GNU General Public License 
 16  # along with this program; if not, write to the Free Software 
 17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 18  # 
 19  import socket 
 20   
 21  from rekall import kb 
 22  from rekall import obj 
 23  from rekall.plugins.overlays import basic 
 24  from rekall.plugins.overlays.windows import pe_vtypes 
 25  from rekall_lib import utils 
 26   
 27   
# Address families as the kernel stores them in _INETAF.AddressFamily.
# The IPv6 value is deliberately a local constant: the Windows kernel uses
# 23 (0x17), which need not match the host's socket.AF_INET6.
AF_INET = 2
AF_INET6 = 0x17

# Textual forms of the all-zero IPv4 and IPv6 addresses (INADDR_ANY and
# INADDR6_ANY); dual_stack_sockets() reports these for the unbound side of a
# socket and for listeners bound to every interface.
inaddr_any, inaddr6_any = (
    utils.inet_ntop(socket.AF_INET, '\0' * 4),
    utils.inet_ntop(socket.AF_INET6, '\0' * 16),
)

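# IANA IP protocol numbers mapped to their short names. Used as the choices
# of the Enumeration placed over _ADDRESS_OBJECT.Protocol (see `overlays`),
# so these strings are what netscan-style plugins print for a socket's
# protocol. Numbers 143-252 are unassigned and therefore absent.
protos = {
    0: "HOPOPT",
    1: "ICMP",
    2: "IGMP",
    3: "GGP",
    4: "IPv4",
    5: "ST",
    6: "TCP",
    7: "CBT",
    8: "EGP",
    9: "IGP",
    10: "BBN-RCC-MON",
    11: "NVP-II",
    12: "PUP",
    13: "ARGUS",
    14: "EMCON",
    15: "XNET",
    16: "CHAOS",
    17: "UDP",
    18: "MUX",
    19: "DCN-MEAS",
    20: "HMP",
    21: "PRM",
    22: "XNS-IDP",
    23: "TRUNK-1",
    24: "TRUNK-2",
    25: "LEAF-1",
    26: "LEAF-2",
    27: "RDP",
    28: "IRTP",
    29: "ISO-TP4",
    30: "NETBLT",
    31: "MFE-NSP",
    32: "MERIT-INP",
    33: "DCCP",
    34: "3PC",
    35: "IDPR",
    36: "XTP",
    37: "DDP",
    38: "IDPR-CMTP",
    39: "TP++",
    40: "IL",
    41: "IPv6",
    42: "SDRP",
    43: "IPv6-Route",
    44: "IPv6-Frag",
    45: "IDRP",
    46: "RSVP",
    47: "GRE",
    48: "DSR",
    49: "BNA",
    50: "ESP",
    51: "AH",
    52: "I-NLSP",
    53: "SWIPE",
    54: "NARP",
    55: "MOBILE",
    56: "TLSP",
    57: "SKIP",
    58: "IPv6-ICMP",
    59: "IPv6-NoNxt",
    60: "IPv6-Opts",
    61: "Host-internal",  # was misspelled "Host-interal"
    62: "CFTP",
    63: "Local Network",
    64: "SAT-EXPAK",
    65: "KRYPTOLAN",
    66: "RVD",
    67: "IPPC",
    68: "Dist-FS",
    69: "SAT-MON",
    70: "VISA",
    71: "IPCV",
    72: "CPNX",
    73: "CPHB",
    74: "WSN",
    75: "PVP",
    76: "BR-SAT-MON",
    77: "SUN-ND",
    78: "WB-MON",
    79: "WB-EXPAK",
    80: "ISO-IP",
    81: "VMTP",
    82: "SECURE-VMTP",
    83: "VINES",
    84: "TTP",  # IANA also lists 84 as IPTM
    85: "NSFNET-IGP",
    86: "DGP",
    87: "TCF",
    88: "EIGRP",
    89: "OSPFIGP",
    90: "Sprite-RPC",
    91: "LARP",
    92: "MTP",
    93: "AX.25",
    94: "IPIP",
    95: "MICP",
    96: "SCC-SP",
    97: "ETHERIP",
    98: "ENCAP",
    99: "Encryption",
    100: "GMTP",
    101: "IFMP",
    102: "PNNI",
    103: "PIM",
    104: "ARIS",
    105: "SCPS",
    106: "QNX",
    107: "A/N",
    108: "IPComp",
    109: "SNP",
    110: "Compaq-Peer",
    111: "IPX-in-IP",
    112: "VRRP",
    113: "PGM",
    114: "0-hop",
    115: "L2TP",
    116: "DDX",
    117: "IATP",
    118: "STP",
    119: "SRP",
    120: "UTI",
    121: "SMP",
    122: "SM",
    123: "PTP",
    124: "ISIS over IPv4",
    125: "FIRE",
    126: "CRTP",
    127: "CRUDP",
    128: "SSCOPMCE",
    129: "IPLT",
    130: "SPS",
    131: "PIPE",
    132: "SCTP",
    133: "FC",
    134: "RSVP-E2E-IGNORE",
    135: "Mobility Header",
    136: "UDPLite",
    137: "MPLS-in-IP",
    138: "manet",
    139: "HIP",
    140: "Shim6",
    141: "WESP",
    142: "ROHC",
    253: "Experimental",
    254: "Experimental",
    255: "Reserved",
}
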
# Structures used by connections, connscan, sockets, sockscan.
# Used by x86 XP (all service packs) and x86 2003 SP0.
#
# Layout of every table in this file: NAME: [size, {field: [offset, type]}].
# Ports are "unsigned be short" because the kernel keeps them in network
# byte order. NOTE(review): several declared sizes are smaller than the
# largest field offset (here 0x68 vs Pid at 0x148); presumably the size is
# only a minimum used for scanning — confirm before relying on sizeof().
tcpip_vtypes = {
    "_ADDRESS_OBJECT": [0x68, {
        "Next": [0x0, ["pointer", ["_ADDRESS_OBJECT"]]],
        "LocalIpAddress": [0x2c, ["Ipv4Address"]],
        "LocalPort": [0x30, ["unsigned be short"]],
        "Protocol": [0x32, ["unsigned short"]],
        "Pid": [0x148, ["unsigned long"]],
        "CreateTime": [0x158, ["WinFileTime", {}]],
    }],
    "_TCPT_OBJECT": [0x20, {
        "Next": [0x0, ["pointer", ["_TCPT_OBJECT"]]],
        "RemoteIpAddress": [0xc, ["Ipv4Address"]],
        "LocalIpAddress": [0x10, ["Ipv4Address"]],
        "RemotePort": [0x14, ["unsigned be short"]],
        "LocalPort": [0x16, ["unsigned be short"]],
        "Pid": [0x18, ["unsigned long"]],
    }],
}

# Structures used by connections, connscan, sockets, sockscan.
# Used by x64 XP and x64 2003 (all service packs).
# Same fields as the x86 table above; only sizes and offsets differ.
tcpip_vtypes_2003_x64 = {
    "_ADDRESS_OBJECT": [0x250, {
        "Next": [0x0, ["pointer", ["_ADDRESS_OBJECT"]]],
        "LocalIpAddress": [0x58, ["Ipv4Address"]],
        "LocalPort": [0x5c, ["unsigned be short"]],
        "Protocol": [0x5e, ["unsigned short"]],
        "Pid": [0x238, ["unsigned long"]],
        "CreateTime": [0x248, ["WinFileTime", {}]],
    }],
    "_TCPT_OBJECT": [0x28, {
        "Next": [0x0, ["pointer", ["_TCPT_OBJECT"]]],
        "RemoteIpAddress": [0x14, ["Ipv4Address"]],
        "LocalIpAddress": [0x18, ["Ipv4Address"]],
        "RemotePort": [0x1c, ["unsigned be short"]],
        "LocalPort": [0x1e, ["unsigned be short"]],
        "Pid": [0x20, ["unsigned long"]],
    }],
}

# Structures used by sockets and sockscan.
# Used by x86 2003 SP1 and SP2 only: layered over `tcpip_vtypes`, it
# shifts the _ADDRESS_OBJECT address/port/pid fields by four bytes.
tcpip_vtypes_2003_sp1_sp2 = {
    "_ADDRESS_OBJECT": [0x68, {
        "Next": [0x0, ["pointer", ["_ADDRESS_OBJECT"]]],
        "LocalIpAddress": [0x30, ["Ipv4Address"]],
        "LocalPort": [0x34, ["unsigned be short"]],
        "Protocol": [0x36, ["unsigned short"]],
        "Pid": [0x14c, ["unsigned long"]],
        "CreateTime": [0x158, ["WinFileTime", {}]],
    }],
}

# TCP connection states as stored in _TCP_ENDPOINT.State; used as the
# choices of the "State" Enumeration in every Vista+ table. Values 10 and
# 11 have no name in this table.
TCP_STATE_ENUM = {
    0: "CLOSED",
    1: "LISTENING",
    2: "SYN_SENT",
    3: "SYN_RCVD",
    4: "ESTABLISHED",
    5: "FIN_WAIT1",
    6: "FIN_WAIT2",
    7: "CLOSE_WAIT",
    8: "CLOSING",
    9: "LAST_ACK",
    12: "TIME_WAIT",
    13: "DELETE_TCB",
}

# Structures used by netscan for x86 Vista and 2008 (all service packs).
# Also the base table for x86 Windows 7 and 10 (see Tcpip.Initialize).
# Pool tags are given next to the structures carved from pools.
# A CreateTime at offset 0 looks like a "not known" placeholder rather than
# a real field offset — confirm before trusting the value it yields.
tcpip_vtypes_vista = {
    "_IN_ADDR": [None, {
        # Both views start at 0: the family in _INETAF says which one is valid.
        "addr4": [0x0, ["Ipv4Address"]],
        "addr6": [0x0, ["Ipv6Address"]],
    }],
    "_LOCAL_ADDRESS": [None, {
        # Pointer to a pointer: two dereferences reach the _IN_ADDR.
        "pData": [0xc, ["pointer", ["pointer", ["_IN_ADDR"]]]],
    }],
    "_TCP_LISTENER": [0xa8, {  # TcpL
        "Owner": [0x18, ["pointer", ["_EPROCESS"]]],
        "CreateTime": [0x20, ["WinFileTime", {}]],
        "LocalAddr": [0x34, ["pointer", ["_LOCAL_ADDRESS"]]],
        "InetAF": [0x38, ["pointer", ["_INETAF"]]],
        "Endpoint": [0x50, ["Pointer", dict(target="_TCP_ENDPOINT")]],
        "Port": [0x3e, ["unsigned be short"]],
    }],
    "_TCP_ENDPOINT": [0x1f0, {  # TcpE
        "InetAF": [0xc, ["pointer", ["_INETAF"]]],
        "AddrInfo": [0x10, ["pointer", ["_ADDRINFO"]]],
        "ListEntry": [0x14, ["_LIST_ENTRY"]],
        "State": [0x28, ["Enumeration", dict(
            target="long", choices=TCP_STATE_ENUM)]],
        "LocalPort": [0x2c, ["unsigned be short"]],
        "RemotePort": [0x2e, ["unsigned be short"]],
        "Owner": [0x160, ["pointer", ["_EPROCESS"]]],
        "CreateTime": [0, ["WinFileTime", {}]],
    }],
    "_TCP_SYN_ENDPOINT": [None, {
        "ListEntry": [8, ["_LIST_ENTRY"]],
        "InetAF": [0x18, ["pointer", ["_INETAF"]]],
        "LocalPort": [0x3c, ["unsigned be short"]],
        "RemotePort": [0x3e, ["unsigned be short"]],
        "LocalAddr": [0x1c, ["pointer", ["_LOCAL_ADDRESS"]]],
        "RemoteAddress": [0x28, ["pointer", ["_IN_ADDR"]]],
        "Owner": [0x20, ["pointer", ["_SYN_OWNER"]]],
        "CreateTime": [0, ["WinFileTime", {}]],
    }],
    "_SYN_OWNER": [None, {
        "Process": [0x18, ["pointer", ["_EPROCESS"]]],
    }],
    "_TCP_TIMEWAIT_ENDPOINT": [None, {
        "ListEntry": [0x14, ["_LIST_ENTRY"]],
        "InetAF": [0xc, ["pointer", ["_INETAF"]]],
        "LocalPort": [0x1c, ["unsigned be short"]],
        "RemotePort": [0x1e, ["unsigned be short"]],
        "LocalAddr": [0x20, ["pointer", ["_LOCAL_ADDRESS"]]],
        "RemoteAddress": [0x24, ["pointer", ["_IN_ADDR"]]],
        "CreateTime": [0, ["WinFileTime", {}]],
    }],
    "_INETAF": [None, {
        "AddressFamily": [0xc, ["unsigned short"]],
    }],
    "_ADDRINFO": [None, {
        "Local": [0x0, ["pointer", ["_LOCAL_ADDRESS"]]],
        "Remote": [0x8, ["pointer", ["_IN_ADDR"]]],
    }],
    "_UDP_ENDPOINT": [0xa8, {  # UdpA
        "Owner": [0x18, ["pointer", ["_EPROCESS"]]],
        "CreateTime": [0x30, ["WinFileTime", {}]],
        "LocalAddr": [0x38, ["pointer", ["_LOCAL_ADDRESS"]]],
        "InetAF": [0x14, ["pointer", ["_INETAF"]]],
        "Port": [0x48, ["unsigned be short"]],
    }],

    # Reversed from tcpip.sys!TcpStartPartitionModule
    # PartitionCount partitions, each an array of four FIRST_LEVEL_DIR
    # pointers; the count comes from the tcpip profile's constants.
    "PARTITION_TABLE": [None, {
        "Partitions": [4, ["Array", dict(
            target="Pointer",
            count=lambda x: x.obj_profile.get_constant_object(
                "PartitionCount", "unsigned int"),
            target_args=dict(
                target="Array",
                target_args=dict(
                    count=4,
                    target="FIRST_LEVEL_DIR",
                    # FIRST_LEVEL_DIR lives in the kernel profile, not tcpip's.
                    profile=lambda x: x.session.profile,
                ),
            ),
        )]],
    }],
    # ntoskrnl.exe!RtlCreateHashTable
    "FIRST_LEVEL_DIR": [0x24, {
        "SizeOfSecondLevel": [0x8, ["unsigned int"]],
        "Mask": [0x10, ["unsigned int"]],
        # Reversed from ntoskrnl.exe!RtlpAllocateSecondLevelDir
        "SecondLevel": [0x20, ["Pointer", dict(
            target="Array",
            target_args=dict(
                count=lambda x: x.SizeOfSecondLevel,
                target="_LIST_ENTRY",
            ),
        )]],
    }],
}

# Structures for netscan on x86 Windows 7 (all service packs).
# Layered on top of tcpip_vtypes_vista; only the structures whose layout
# moved are redefined here. _LIST_ENTRY is pinned to the 32-bit overlay.
tcpip_vtypes_7 = {
    "_TCP_ENDPOINT": [0x210, {  # TcpE
        "InetAF": [0xc, ["pointer", ["_INETAF"]]],
        "AddrInfo": [0x10, ["pointer", ["_ADDRINFO"]]],
        "ListEntry": [0x14, ["_LIST_ENTRY"]],
        "State": [0x34, ["Enumeration", dict(
            target="long", choices=TCP_STATE_ENUM)]],
        "LocalPort": [0x38, ["unsigned be short"]],
        "RemotePort": [0x3a, ["unsigned be short"]],
        "Owner": [0x174, ["pointer", ["_EPROCESS"]]],
        "CreateTime": [0, ["WinFileTime", {}]],
    }],
    "_TCP_SYN_ENDPOINT": [None, {
        "ListEntry": [8, ["_LIST_ENTRY"]],
        "InetAF": [0x24, ["pointer", ["_INETAF"]]],
        "LocalPort": [0x48, ["unsigned be short"]],
        "RemotePort": [0x4a, ["unsigned be short"]],
        "LocalAddr": [0x28, ["pointer", ["_LOCAL_ADDRESS"]]],
        "RemoteAddress": [0x34, ["pointer", ["_IN_ADDR"]]],
        "Owner": [0x2c, ["pointer", ["_SYN_OWNER"]]],
        "CreateTime": [0, ["WinFileTime", {}]],
    }],
    "_TCP_TIMEWAIT_ENDPOINT": [None, {
        "ListEntry": [0, ["_LIST_ENTRY"]],
        "InetAF": [0x18, ["pointer", ["_INETAF"]]],
        "LocalPort": [0x28, ["unsigned be short"]],
        "RemotePort": [0x2a, ["unsigned be short"]],
        "LocalAddr": [0x2c, ["pointer", ["_LOCAL_ADDRESS"]]],
        "RemoteAddress": [0x30, ["pointer", ["_IN_ADDR"]]],
        "CreateTime": [0, ["WinFileTime", {}]],
    }],
    "_LIST_ENTRY": basic.common_overlay["LIST_ENTRY32"],
}

# Structures for netscan on x64 Vista SP0 and 2008 SP0.
# Also the base table for x64 Vista SP1 (Owner override in Tcpip.Initialize)
# and x64 Windows 7 (tcpip_vtypes_win7_64 layered on top).
tcpip_vtypes_vista_64 = {
    "_IN_ADDR": [None, {
        "addr4": [0x0, ["Ipv4Address"]],
        "addr6": [0x0, ["Ipv6Address"]],
    }],
    "_TCP_LISTENER": [0x120, {  # TcpL
        "Owner": [0x28, ["pointer", ["_EPROCESS"]]],
        "CreateTime": [0x20, ["WinFileTime", {}]],
        "LocalAddr": [0x58, ["pointer", ["_LOCAL_ADDRESS"]]],
        "InetAF": [0x60, ["pointer", ["_INETAF"]]],
        "Port": [0x6a, ["unsigned be short"]],
    }],
    "_INETAF": [None, {
        "AddressFamily": [0x14, ["unsigned short"]],
    }],
    "_LOCAL_ADDRESS": [None, {
        "pData": [0x10, ["pointer", ["pointer", ["_IN_ADDR"]]]],
    }],
    "_ADDRINFO": [None, {
        "Local": [0x0, ["pointer", ["_LOCAL_ADDRESS"]]],
        "Remote": [0x10, ["pointer", ["_IN_ADDR"]]],
    }],
    "_TCP_ENDPOINT": [0x210, {  # TcpE
        "InetAF": [0x18, ["pointer", ["_INETAF"]]],
        "AddrInfo": [0x20, ["pointer", ["_ADDRINFO"]]],
        "ListEntry": [0x28, ["_LIST_ENTRY"]],
        "State": [0x50, ["Enumeration", dict(
            target="long", choices=TCP_STATE_ENUM)]],
        "LocalPort": [0x54, ["unsigned be short"]],
        "RemotePort": [0x56, ["unsigned be short"]],
        "Owner": [0x208, ["pointer", ["_EPROCESS"]]],
        "CreateTime": [0, ["WinFileTime", {}]],
    }],
    "_TCP_SYN_ENDPOINT": [None, {
        "ListEntry": [0x10, ["_LIST_ENTRY"]],
        "InetAF": [0x30, ["pointer", ["_INETAF"]]],
        "LocalPort": [0x64, ["unsigned be short"]],
        "RemotePort": [0x66, ["unsigned be short"]],
        "LocalAddr": [0x38, ["pointer", ["_LOCAL_ADDRESS"]]],
        "RemoteAddress": [0x50, ["pointer", ["_IN_ADDR"]]],
        "Owner": [0x40, ["pointer", ["_SYN_OWNER"]]],
        "CreateTime": [0, ["WinFileTime", {}]],
    }],
    "_SYN_OWNER": [None, {
        "Process": [0x28, ["pointer", ["_EPROCESS"]]],
    }],
    "_TCP_TIMEWAIT_ENDPOINT": [None, {
        "ListEntry": [0, ["_LIST_ENTRY"]],
        "InetAF": [0x18, ["pointer", ["_INETAF"]]],
        "LocalPort": [0x30, ["unsigned be short"]],
        "RemotePort": [0x32, ["unsigned be short"]],
        "LocalAddr": [0x38, ["pointer", ["_LOCAL_ADDRESS"]]],
        "RemoteAddress": [0x40, ["pointer", ["_IN_ADDR"]]],
        "CreateTime": [0, ["WinFileTime", {}]],
    }],
    "_UDP_ENDPOINT": [0x82, {  # UdpA
        "Owner": [0x28, ["pointer", ["_EPROCESS"]]],
        "CreateTime": [0x58, ["WinFileTime", {}]],
        "LocalAddr": [0x60, ["pointer", ["_LOCAL_ADDRESS"]]],
        "InetAF": [0x20, ["pointer", ["_INETAF"]]],
        "Port": [0x80, ["unsigned be short"]],
    }],

    # Reversed from tcpip.sys!TcpStartPartitionModule
    # Unlike the x86 table, FIRST_LEVEL_DIR is resolved in this profile.
    "PARTITION_TABLE": [None, {
        "Partitions": [8, ["Array", dict(
            target="Pointer",
            count=lambda x: x.obj_profile.get_constant_object(
                "PartitionCount", "unsigned int"),
            target_args=dict(
                target="Array",
                target_args=dict(
                    count=4,
                    target="FIRST_LEVEL_DIR",
                ),
            ),
        )]],
    }],

    # ntoskrnl.exe!RtlCreateHashTable (PoolTag:HTab)
    "FIRST_LEVEL_DIR": [0x24, {
        "SizeOfSecondLevel": [0x8, ["unsigned int"]],
        "Mask": [0x10, ["unsigned int"]],
        # Reversed from ntoskrnl.exe!RtlpAllocateSecondLevelDir
        "SecondLevel": [0x20, ["Pointer", dict(
            target="Array",
            # Actual hash table (PoolTag:HTab)
            target_args=dict(
                count=lambda x: x.SizeOfSecondLevel,
                target="_LIST_ENTRY",
            ),
        )]],
    }],
    "_LIST_ENTRY": basic.common_overlay["LIST_ENTRY64"],
}


# Structures for netscan on x64 Windows 7, layered on tcpip_vtypes_vista_64.
# Only the fields that moved are overridden; everything else (InetAF,
# AddrInfo, ListEntry, CreateTime, ...) is inherited from the Vista table.
tcpip_vtypes_win7_64 = {
    "_TCP_ENDPOINT": [0x320, {
        "State": [0x68, ["Enumeration", dict(
            target="long", choices=TCP_STATE_ENUM)]],
        "LocalPort": [0x6c, ["unsigned be short"]],
        "RemotePort": [0x6e, ["unsigned be short"]],
        "Owner": [0x238, ["pointer", ["_EPROCESS"]]],
    }],
    "_TCP_SYN_ENDPOINT": [None, {
        "InetAF": [0x48, ["pointer", ["_INETAF"]]],
        "LocalPort": [0x7c, ["unsigned be short"]],
        "RemotePort": [0x7e, ["unsigned be short"]],
        "LocalAddr": [0x50, ["pointer", ["_LOCAL_ADDRESS"]]],
        "RemoteAddress": [0x68, ["pointer", ["_IN_ADDR"]]],
        "Owner": [0x58, ["pointer", ["_SYN_OWNER"]]],
    }],
    "_TCP_TIMEWAIT_ENDPOINT": [None, {
        "InetAF": [0x30, ["pointer", ["_INETAF"]]],
        "LocalPort": [0x48, ["unsigned be short"]],
        "RemotePort": [0x4a, ["unsigned be short"]],
        "LocalAddr": [0x50, ["pointer", ["_LOCAL_ADDRESS"]]],
        "RemoteAddress": [0x58, ["pointer", ["_IN_ADDR"]]],
    }],
}


# Overlay applied to every tcpip profile after the version-specific tables
# (see Tcpip.Initialize): renders _ADDRESS_OBJECT.Protocol through `protos`.
# NOTE(review): the XP/2003 tables declare Protocol as "unsigned short",
# while this overlay reads it as "unsigned int" (presumably four bytes);
# confirm the two bytes after it are padding, otherwise the enumeration
# sees a value outside `protos`.
overlays = {
    "_ADDRESS_OBJECT": [None, {
        "Protocol": [None, ["Enumeration", dict(
            choices=protos, target="unsigned int")]],
    }]
}


# This is not used just yet but soon!
# Dynamic overlays: instead of a fixed offset, each field carries a list of
# ["Disassembler", args] attempts that locate the offset by matching `rules`
# against the disassembly of `start`. `$out` in a rule presumably marks the
# displacement that becomes the field offset — confirm against the
# Disassembler object implementation.
win7_x86_dynamic_overlays = {
    "_TCP_LISTENER": {
        # The Owner process.
        "Owner": [
            # Attempt 1
            ["Disassembler", dict(
                start="tcpip.sys!_TcpCreateListener@8",
                length=300,
                rules=[
                    "CALL *InetGetClientProcess",
                    "MOV [EBX+$out], EAX",
                ],
                target="Pointer",
                target_args=dict(target="_EPROCESS"),
            )],

            # Attempt 2
            ["Disassembler", dict(
                start="tcpip.sys!_TcpCovetNetBufferList@20",
                rules=[
                    "MOV EAX, [ESI+$out]",
                    "TEST EAX, EAX",
                    "PUSH EAX",
                    "CALL DWORD *PsGetProcessId",
                ],
                target="Pointer",
                target_args=dict(target="_EPROCESS"),
            )],
        ],
        # Socket creation time.
        "CreateTime": [
            ["Disassembler", dict(
                start="tcpip.sys!_TcpCreateListener@8",
                length=300,
                rules=[
                    "LEA EAX, [EBX+$out]",
                    "PUSH EAX",
                    "CALL DWORD *KeQuerySystemTime",
                ],
                target="WinFileTime",
            )],
        ],
    },
}

# Structures for netscan on x32 Win10.
# Intended to be layered on tcpip_vtypes_vista (see Tcpip.Initialize); it
# overrides only _ADDRINFO and the _TCP_ENDPOINT fields that moved.
tcpip_vtypes_win10_32 = {
    "_ADDRINFO": [None, {
        "Local": [0x0, ["pointer", ["_LOCAL_ADDRESS"]]],
        "Remote": [0xc, ["pointer", ["_IN_ADDR"]]],
    }],
    "_TCP_ENDPOINT": [None, {  # TcpE
        "InetAF": [0x8, ["pointer", ["_INETAF"]]],
        "AddrInfo": [0xc, ["pointer", ["_ADDRINFO"]]],
        "State": [0x38, ["Enumeration", dict(
            target="long", choices=TCP_STATE_ENUM)]],
        "LocalPort": [0x3c, ["unsigned be short"]],
        "RemotePort": [0x3e, ["unsigned be short"]],
        "Owner": [0x1b0, ["pointer", ["_EPROCESS"]]],
    }],
}

# Structures for netscan on x64 Win10. Used on its own (not layered on the
# Vista x64 table). UDP endpoints use _LOCAL_ADDRESS_WIN10_UDP, whose pData
# is a single pointer, which is why _UDP_ENDPOINT_WIN10x64 dereferences it
# once instead of twice.
tcpip_vtypes_win10_64 = {
    "_IN_ADDR": [None, {
        "addr4": [0x0, ["Ipv4Address"]],
        "addr6": [0x0, ["Ipv6Address"]],
    }],
    "_TCP_LISTENER": [0x74, {  # TcpL
        "Owner": [0x30, ["pointer", ["_EPROCESS"]]],
        "CreateTime": [0x40, ["WinFileTime", {}]],
        "LocalAddr": [0x60, ["pointer", ["_LOCAL_ADDRESS"]]],
        "InetAF": [0x28, ["pointer", ["_INETAF"]]],
        "Port": [0x72, ["unsigned be short"]],
    }],
    "_INETAF": [None, {
        "AddressFamily": [0x18, ["unsigned short"]],
    }],
    "_LOCAL_ADDRESS_WIN10_UDP": [None, {
        "pData": [0x0, ["pointer", ["_IN_ADDR"]]],
    }],
    "_LOCAL_ADDRESS": [None, {
        "pData": [0x10, ["pointer", ["pointer", ["_IN_ADDR"]]]],
    }],
    "_ADDRINFO": [None, {
        "Local": [0x0, ["pointer", ["_LOCAL_ADDRESS"]]],
        "Remote": [0x10, ["pointer", ["_IN_ADDR"]]],
    }],
    "_TCP_ENDPOINT": [0x270, {  # TcpE
        "InetAF": [0x10, ["pointer", ["_INETAF"]]],
        "AddrInfo": [0x18, ["pointer", ["_ADDRINFO"]]],
        "State": [0x6c, ["Enumeration", dict(
            target="long", choices=TCP_STATE_ENUM)]],
        "LocalPort": [0x70, ["unsigned be short"]],
        "RemotePort": [0x72, ["unsigned be short"]],
        "Owner": [0x258, ["pointer", ["_EPROCESS"]]],
        "CreateTime": [0x268, ["WinFileTime", {}]],
    }],
    # NOTE(review): LocalAddr sits at 0x80, which is the declared size of the
    # structure; the size looks too small to cover that field — confirm.
    "_UDP_ENDPOINT": [0x80, {  # UdpA
        "Owner": [0x28, ["pointer", ["_EPROCESS"]]],
        "CreateTime": [0x58, ["WinFileTime", {}]],
        "LocalAddr": [0x80, ["pointer", ["_LOCAL_ADDRESS_WIN10_UDP"]]],
        "InetAF": [0x20, ["pointer", ["_INETAF"]]],
        "Port": [0x78, ["unsigned be short"]],
    }],
}


class _TCP_LISTENER(obj.Struct):
    """Listening TCP socket, i.e. an object carved from a TcpL pool."""

    def dual_stack_sockets(self, vm=None):
        """Yield one ("v4"|"v6", local_address, remote_address) per family.

        The remote side is always the wildcard address: a listener has no
        peer, and the peer only shows up on the _TCP_ENDPOINT that is created
        when a client connects.

        Args:
          vm: optional address space used to dereference LocalAddr and InetAF.
        """
        # A valid LocalAddr means the socket is bound to one specific address;
        # a null one means it listens on every address of its family.
        bound_addr = self.LocalAddr.dereference(vm=vm)
        inet_af = self.InetAF.dereference(vm=vm)

        if bound_addr:
            # _LOCAL_ADDRESS.pData is a pointer to a pointer to _IN_ADDR.
            in_addr = bound_addr.pData.dereference().dereference()
            if inet_af.AddressFamily == AF_INET:
                yield "v4", in_addr.addr4, inaddr_any
            else:
                yield "v6", in_addr.addr6, inaddr6_any
            return

        # Unbound: always report the v4 wildcard, plus the v6 wildcard when
        # the family is AF_INET6 (a dual-stack listener).
        yield "v4", inaddr_any, inaddr_any
        if inet_af.AddressFamily.v() == AF_INET6:
            yield "v6", inaddr6_any, inaddr6_any


class _TCP_ENDPOINT(_TCP_LISTENER):
    """Connected TCP socket, i.e. an object carved from a TcpE pool."""

    def _ipv4_or_ipv6(self, in_addr, vm=None):
        """Return the addr4 or addr6 view of `in_addr`, by this socket's family."""
        family = self.InetAF.dereference(vm=vm).AddressFamily
        return in_addr.addr4 if family == AF_INET else in_addr.addr6

    def LocalAddress(self, vm=None):
        """Return the local address: AddrInfo.Local.pData -> -> _IN_ADDR."""
        addr_info = self.AddrInfo.dereference(vm=vm)
        in_addr = addr_info.Local.pData.dereference().dereference()
        return self._ipv4_or_ipv6(in_addr, vm=vm)

    def RemoteAddress(self, vm=None):
        """Return the peer address: AddrInfo.Remote -> _IN_ADDR."""
        addr_info = self.AddrInfo.dereference(vm=vm)
        in_addr = addr_info.Remote.dereference()
        return self._ipv4_or_ipv6(in_addr, vm=vm)


class _UDP_ENDPOINT(_TCP_LISTENER):
    """UDP socket carved from a UdpA pool.

    Reuses _TCP_LISTENER unchanged: the _UDP_ENDPOINT vtypes expose the same
    Owner, CreateTime, LocalAddr, InetAF and Port fields.
    """


class _UDP_ENDPOINT_WIN10x64(_UDP_ENDPOINT):
    """UdpA object on Windows 10 x64.

    There LocalAddr points at _LOCAL_ADDRESS_WIN10_UDP, whose pData is a
    single pointer to _IN_ADDR, so the bound address needs one hop fewer
    than in _TCP_LISTENER.dual_stack_sockets.
    """

    def dual_stack_sockets(self, vm=None):
        """Yield one ("v4"|"v6", local_address, remote_address) per family.

        Args:
          vm: optional address space used to dereference LocalAddr and InetAF.
        """
        # Valid LocalAddr: bound to one address. Null: all addresses of the family.
        bound_addr = self.LocalAddr.dereference(vm=vm)
        inet_af = self.InetAF.dereference(vm=vm)

        if bound_addr:
            # Single dereference: _LOCAL_ADDRESS_WIN10_UDP.pData -> _IN_ADDR.
            in_addr = bound_addr.pData.dereference()
            if inet_af.AddressFamily == AF_INET:
                yield "v4", in_addr.addr4, inaddr_any
            else:
                yield "v6", in_addr.addr6, inaddr6_any
            return

        # Unbound: v4 wildcard always, v6 wildcard too for AF_INET6 sockets.
        yield "v4", inaddr_any, inaddr_any
        if inet_af.AddressFamily.v() == AF_INET6:
            yield "v6", inaddr6_any, inaddr6_any


class TcpipPluginMixin(object):
    """A mixin for plugins that want to use tcpip.sys profiles."""

    @classmethod
    def args(cls, parser):
        """Add --tcpip_guid after the parent plugin's own arguments."""
        super(TcpipPluginMixin, cls).args(parser)
        parser.add_argument(
            "--tcpip_guid", default=None,
            help="Force this profile to be used for tcpip.")

    def __init__(self, tcpip_guid=None, **kwargs):
        """Resolve the tcpip.sys profile and keep it in self.tcpip_profile.

        Args:
          tcpip_guid: optional profile GUID. When given it is cached on the
            session so the address resolver loads that profile for tcpip
            rather than the one it would choose itself.
          **kwargs: passed on to the next __init__ in the MRO.

        Raises:
          RuntimeError: the address resolver has no profile for "tcpip".
        """
        super(TcpipPluginMixin, self).__init__(**kwargs)
        if tcpip_guid:
            # The address resolver reads this cache entry to pick the GUID.
            self.session.SetCache("tcpip_guid", tcpip_guid)

        module = self.session.address_resolver.GetModuleByName("tcpip")
        self.tcpip_profile = module.profile
        if not self.tcpip_profile:
            raise RuntimeError("Unable to load the profile for tcpip.sys")


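class Tcpip(pe_vtypes.BasicPEProfile):
    """A profile for the TCPIP driver."""

    @classmethod
    def Initialize(cls, profile):
        """Attach the tcpip.sys object classes, offset tables and pool tags.

        Args:
          profile: the tcpip profile under construction. The kernel version
            comes from the session's kernel profile ("version" metadata);
            the architecture from this profile's own "arch" metadata.

        Returns:
          The same profile, after add_classes/add_overlay/add_constants.
        """
        super(Tcpip, cls).Initialize(profile)
        version = profile.session.profile.metadata("version")
        arch = profile.metadata("arch")

        # Network object classes for Vista, 2008, 7 and 10, x86 and x64.
        profile.add_classes(dict(_TCP_LISTENER=_TCP_LISTENER,
                                 _TCP_ENDPOINT=_TCP_ENDPOINT))
        # NOTE(review): the Windows 10 UDP class is chosen by version only, so
        # x86 Windows 10 also gets _UDP_ENDPOINT_WIN10x64 (single-pointer
        # pData) while its _UDP_ENDPOINT vtype comes from the x86 Vista table
        # (double-pointer _LOCAL_ADDRESS) — confirm against an x86 Win10 image.
        if version >= 10.0:
            profile.add_classes(dict(_UDP_ENDPOINT=_UDP_ENDPOINT_WIN10x64))
        else:
            profile.add_classes(dict(_UDP_ENDPOINT=_UDP_ENDPOINT))

        # Switch on the kernel version. FIXME: This should be done using the
        # generate_types module.
        if arch == "AMD64":
            cls._add_amd64_overlays(profile, version)
        elif arch == "I386":
            cls._add_i386_overlays(profile, version)

        # Pool tags
        profile.add_constants(dict(UDP_END_POINT_POOLTAG="UdpA",
                                   TCP_LISTENER_POOLTAG="TcpL",
                                   TCP_END_POINT_POOLTAG="TcpE"))

        profile.add_overlay(overlays)

        return profile

    @staticmethod
    def _add_amd64_overlays(profile, version):
        """Apply the x64 offset tables for `version` to `profile`."""
        # Windows 10
        if version >= 10.0:
            profile.add_overlay(tcpip_vtypes_win10_64)

        # Vista SP1.
        elif version == 6.0:
            profile.add_overlay(tcpip_vtypes_vista_64)
            profile.add_overlay({
                "_TCP_ENDPOINT": [None, {
                    "Owner": [0x210, ["pointer", ["_EPROCESS"]]],
                }],
            })

        # Windows 7
        elif version >= 6.1:
            profile.add_overlay(tcpip_vtypes_vista_64)
            profile.add_overlay(tcpip_vtypes_win7_64)

        # Win2k3
        elif version == 5.2:
            profile.add_overlay(tcpip_vtypes_2003_x64)

    @staticmethod
    def _add_i386_overlays(profile, version):
        """Apply the x86 offset tables for `version` on top of the XP base.

        The open-ended Windows 7 test (>= 6.1) is evaluated after the
        Windows 10 one: with the order reversed, 10.0 satisfied the
        Windows 7 branch and received tcpip_vtypes_7 instead of
        tcpip_vtypes_win10_32, leaving the Windows 10 branch unreachable.
        """
        profile.add_overlay(tcpip_vtypes)

        # Windows 10
        if version >= 10.0:
            profile.add_overlay(tcpip_vtypes_vista)
            profile.add_overlay(tcpip_vtypes_win10_32)

        # Windows 7
        elif version >= 6.1:
            profile.add_overlay(tcpip_vtypes_vista)
            profile.add_overlay(tcpip_vtypes_7)

        # Vista
        elif version == 6.0:
            profile.add_overlay(tcpip_vtypes_vista)

        # Win2k3
        elif version == 5.2:
            profile.add_overlay(tcpip_vtypes_2003_sp1_sp2)

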
class TcpipHook(kb.ParameterHook):
    """Computes the session's "tcpip_profile" parameter from the tcpip index."""

    name = "tcpip_profile"

    def calculate(self):
        """Return the first index guess for the loaded tcpip.sys, or None.

        The index is looked up at the address the resolver assigned to the
        "tcpip" module; only the first match is used.
        """
        index = self.session.LoadProfile("tcpip/index")
        tcpip_base = self.session.address_resolver.get_address_by_name("tcpip")
        return next(
            (guess for guess, _ in index.LookupIndex(tcpip_base)), None)