
 1  # Rekall Memory Forensics 
 2  # Copyright (C) 2008 Volatile Systems 
 3  # Copyright (c) 2008 Brendan Dolan-Gavitt <bdolangavitt@wesleyan.edu> 
 4  # Copyright 2013 Google Inc. All Rights Reserved. 
 5  # 
 6  # This program is free software; you can redistribute it and/or modify 
 7  # it under the terms of the GNU General Public License as published by 
 8  # the Free Software Foundation; either version 2 of the License, or (at 
 9  # your option) any later version. 
10  # 
11  # This program is distributed in the hope that it will be useful, but 
12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
14  # General Public License for more details. 
15  # 
16  # You should have received a copy of the GNU General Public License 
17  # along with this program; if not, write to the Free Software 
18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
19  # 
20   
21  """ 
22  This module implements the fast connection scanning 
23   
24  @author:       AAron Walters and Brendan Dolan-Gavitt 
25  @license:      GNU General Public License 2.0 or later 
26  @contact:      awalters@volatilesystems.com,bdolangavitt@wesleyan.edu 
27  @organization: Volatile Systems 
28  """ 
29   
30  # pylint: disable=protected-access 
31  from rekall import plugin 
32  from rekall.plugins.overlays.windows import tcpip_vtypes 
33  from rekall.plugins.windows import common 
34   
35   
class PoolScanConnFast(common.PoolScanner):
    """Pool scanner for the allocations that back _TCPT_OBJECT structs.

    Candidate pool blocks are selected by the checks below (pool tag
    "TCPT", a minimum block size, pool type and pool index).  Note that
    the pool-type check accepts free blocks as well as non-paged and
    paged ones, so hits may correspond to allocations that were already
    released when the image was taken -- callers should expect stale
    (closed) connections and possible false positives among the results.
    """

    checks = [
        ("PoolTagCheck", {"tag": "TCPT"}),
        # Blocks whose reported size is below 0x198 are rejected.
        ("CheckPoolSize", {"condition": lambda size: size >= 0x198}),
        ("CheckPoolType", {"non_paged": True, "paged": True, "free": True}),
        ("CheckPoolIndex", {"value": 0}),
    ]
class ConnScan(tcpip_vtypes.TcpipPluginMixin,
               common.WinScanner,
               common.AbstractWindowsCommandPlugin):
    """Carve _TCPT_OBJECT structs (TCP connections) out of physical memory.

    The scan walks every physical memory range, locates pool blocks tagged
    "TCPT" with PoolScanConnFast and reinterprets the bytes that follow the
    pool header as a _TCPT_OBJECT.  The fields reported (addresses, ports,
    pid) are read straight from the carved memory with no further
    validation, and the underlying pool scanner also accepts free blocks,
    so output may include connections that were already closed as well as
    occasional garbage hits.  One output row per hit.
    """

    __name = "connscan"

    # Rendered columns: physical offset of the struct, both endpoints as
    # "address:port" strings, and the owning pid.
    table_header = [
        {"name": "offset_p", "style": "address"},
        {"name": "local_net_address", "align": "l", "width": 25},
        {"name": "remote_net_address", "align": "l", "width": 25},
        {"name": "pid", "width": 10, "align": "r"},
    ]

    # This plugin scans the physical address space, not a process space.
    scanner_defaults = {
        "scan_physical": True,
    }

    mode = "mode_xp"

    def column_types(self):
        """Return one sample value per column, used to size/type the table.

        The address strings are constructed examples, not real data.
        """
        sample_obj = self.tcpip_profile._TCPT_OBJECT()
        return {
            "offset_p": sample_obj,
            "local_net_address": "172.16.176.143:1034",
            "remote_net_address": "131.107.115.254:80",
            "pid": sample_obj.Pid,
        }

    @staticmethod
    def _endpoint(address, port):
        """Render an address/port pair as "address:port"."""
        return "{0}:{1}".format(address, port)

    def collect(self):
        """Search every physical memory range for _TCPT_OBJECT structs.

        Yields:
            (tcp_obj, local, remote, pid) tuples, where tcp_obj is the
            _TCPT_OBJECT instantiated on the physical address space,
            local/remote are "address:port" strings and pid is the
            struct's Pid field.  Values come from carved memory and are
            not validated here.
        """
        for run in self.generate_memory_ranges():
            # Pool headers are kernel-managed, so the scanner is built on
            # the kernel profile rather than the tcpip profile.
            pool_scanner = PoolScanConnFast(
                session=self.session, profile=self.profile,
                address_space=run.address_space)

            for pool_obj in pool_scanner.scan(run.start, maxlen=run.length):
                # The struct sits directly after the pool header: it is a
                # plain pool allocation, not an object-manager object.
                struct_offset = pool_obj.obj_offset + pool_obj.obj_size
                tcp_obj = self.tcpip_profile._TCPT_OBJECT(
                    vm=run.address_space,
                    offset=struct_offset)

                local = self._endpoint(tcp_obj.LocalIpAddress,
                                       tcp_obj.LocalPort)
                remote = self._endpoint(tcp_obj.RemoteIpAddress,
                                        tcp_obj.RemotePort)

                yield tcp_obj, local, remote, tcp_obj.Pid