
Source Code for Module rekall.plugins.windows.connections

  1  # Rekall Memory Forensics 
  2  # 
  3  # Copyright 2013 Google Inc. All Rights Reserved. 
  4  # 
  5  # Authors: 
  6  # Mike Auty <mike.auty@gmail.com> 
  7  # 
  8  # This program is free software; you can redistribute it and/or modify 
  9  # it under the terms of the GNU General Public License as published by 
 10  # the Free Software Foundation; either version 2 of the License, or (at 
 11  # your option) any later version. 
 12  # 
 13  # This program is distributed in the hope that it will be useful, but 
 14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 16  # General Public License for more details. 
 17  # 
 18  # You should have received a copy of the GNU General Public License 
 19  # along with this program; if not, write to the Free Software 
 20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 21  # 
 22   
 23  from rekall.plugins.overlays.windows import tcpip_vtypes 
 24  from rekall.plugins.windows import common 
 25   
 26  # pylint: disable=protected-access 
 27   
class Connections(tcpip_vtypes.TcpipPluginMixin,
                  common.WindowsCommandPlugin):
    """
    Print list of open connections [Windows XP Only]
    ---------------------------------------------

    This module enumerates the active connections from tcpip.sys.

    Note that if you are using a hibernated image this might not work
    because Windows closes all sockets before hibernating. You might
    find it more effective to do conscan instead.

    Active TCP connections are found in a hash table. The Hash table is given by
    the _TCBTable symbol. The size of the hash table is found in the
    _MaxHashTableSize variable.
    """

    # NOTE(review): the double underscore name-mangles this to
    # _Connections__name, whereas Sockets below uses a plain `name`
    # attribute -- confirm the plugin registry accepts both spellings.
    __name = "connections"

    mode = "mode_xp"

    table_header = [
        dict(name="offset_v", style="address"),
        dict(name="local_net_address", width=25),
        dict(name="remote_net_address", width=25),
        dict(name="pid", width=6)
    ]

    def collect(self):
        """Yield one row per _TCPT_OBJECT linked into the TCB hash table.

        Each row is the tuple ``(offset, "local_ip:port",
        "remote_ip:port", pid)`` matching ``table_header`` positionally.

        Only entries still reachable from the table's bucket heads are
        reported; nothing in this walk validates the structures beyond
        what the profile's object model does.
        """
        # Bucket count comes from the tcpip.sys _MaxHashTableSize symbol.
        # NOTE(review): if the symbol is missing from the profile the
        # int() of the resulting object presumably yields 0 and the table
        # is silently empty -- confirm that is the intended failure mode.
        bucket_count = int(self.tcpip_profile.get_constant_object(
            "MaxHashTableSize", "unsigned int"))

        # Each bucket head is a pointer to a singly linked chain of
        # _TCPT_OBJECT entries (threaded via their Next member).
        bucket_head_type = dict(target="_TCPT_OBJECT")
        bucket_array_type = dict(count=bucket_count,
                                 target="Pointer",
                                 target_args=bucket_head_type)

        # _TCBTable itself is a pointer to the array of bucket heads.
        tcb_table = self.tcpip_profile.get_constant_object(
            "TCBTable",
            target="Pointer",
            vm=self.kernel_address_space,
            target_args=dict(target="Array",
                             target_args=bucket_array_type))

        # Walk every bucket chain and emit one row per connection object.
        # NOTE(review): termination on a cyclic or corrupted Next chain is
        # left to walk_list -- confirm it guards against revisits.
        for bucket in tcb_table.deref():
            for tcb in bucket.walk_list("Next"):
                tcb_offset = tcb.obj_offset
                local_endpoint = "{0}:{1}".format(
                    tcb.LocalIpAddress, tcb.LocalPort)
                remote_endpoint = "{0}:{1}".format(
                    tcb.RemoteIpAddress, tcb.RemotePort)
                yield (tcb_offset, local_endpoint, remote_endpoint, tcb.Pid)
83 84
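class Sockets(tcpip_vtypes.TcpipPluginMixin,
              common.WindowsCommandPlugin):
    """
    Print list of open sockets. [Windows xp only]
    ---------------------------------------------

    This module enumerates the active sockets from tcpip.sys

    Note that if you are using a hibernated image this might not work
    because Windows closes all sockets before hibernating.

    _ADDRESS_OBJECT are arranged in a hash table found by the _AddrObjTable
    symbol. The hash table has a size found by the _AddrObjTableSize symbol.
    """

    name = "sockets"
    mode = "mode_xp"

    table_header = [
        dict(name="offset_v", style="address"),
        dict(name="pid", width=6, align="r"),
        dict(name="port", width=6, align="r"),
        dict(name="proto", width=6, align="r"),
        dict(name="protocol", width=10),
        dict(name="address", width=15),
        dict(name="create_time")
    ]

    def _address_object_row(self, sock):
        """Return the output row for one _ADDRESS_OBJECT.

        The row is a dict keyed by the column names in ``table_header``.
        Shared by ``column_types`` (which passes a template object) and
        ``collect`` (which passes objects walked from the hash table) so
        the two cannot drift apart.
        """
        return dict(offset_v=sock,
                    pid=sock.Pid,
                    port=sock.LocalPort,
                    # ``proto`` is the raw numeric value; ``protocol`` keeps
                    # the enumeration object for the renderer.
                    proto=int(sock.Protocol),
                    protocol=sock.Protocol,
                    address=sock.LocalIpAddress,
                    create_time=sock.CreateTime)

    def column_types(self):
        """Describe each column's type using a template _ADDRESS_OBJECT."""
        return self._address_object_row(self.tcpip_profile._ADDRESS_OBJECT())

    def collect(self):
        """Yield one row dict per _ADDRESS_OBJECT linked into _AddrObjTable.

        Only entries still reachable from the table's bucket heads are
        reported; nothing in this walk validates the structures beyond
        what the profile's object model does.
        """
        # _AddrObjTable is a pointer to an array of _AddrObjTableSize bucket
        # heads, each of which points at a chain of _ADDRESS_OBJECT entries.
        # NOTE(review): if either symbol is missing from the profile the
        # int() of the resulting object presumably yields 0 and the table
        # is silently empty -- confirm that is the intended failure mode.
        AddrObjTable = self.tcpip_profile.get_constant_object(
            "AddrObjTable",
            target="Pointer",
            vm=self.kernel_address_space,
            target_args=dict(
                target="Array",
                target_args=dict(
                    count=int(self.tcpip_profile.get_constant_object(
                        "AddrObjTableSize", "unsigned int")),

                    target="Pointer",
                    target_args=dict(
                        target="_ADDRESS_OBJECT"
                    )
                )
            )
        )

        # NOTE(review): termination on a cyclic or corrupted Next chain is
        # left to walk_list -- confirm it guards against revisits.
        for slot in AddrObjTable.deref():
            for sock in slot.walk_list("Next"):
                yield self._address_object_row(sock)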
151