
Source Code for Module rekall.plugins.windows.malware.psxview

  1  # Rekall Memory Forensics 
  2  # Copyright (c) 2010, 2011, 2012 Michael Ligh <michael.ligh@mnin.org> 
  3  # Copyright 2013 Google Inc. All Rights Reserved. 
  4  # 
  5  # This program is free software; you can redistribute it and/or modify 
  6  # it under the terms of the GNU General Public License as published by 
  7  # the Free Software Foundation; either version 2 of the License, or (at 
  8  # your option) any later version. 
  9  # 
 10  # This program is distributed in the hope that it will be useful, but 
 11  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 12  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 13  # General Public License for more details. 
 14  # 
 15  # You should have received a copy of the GNU General Public License 
 16  # along with this program; if not, write to the Free Software 
 17  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 18  # 
 19   
 20  # pylint: disable=protected-access 
 21   
 22   
 23  from rekall.plugins.windows import common 
 24   
 25   
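class WindowsPsxView(common.WinProcessFilter):
    """Find hidden processes with various process listings.

    Every process produced by the process filter is printed with one
    boolean column per selected enumeration method, so a process that one
    listing reports but another misses stands out for closer inspection.
    """

    __name = "psxview"

    # The standard WinProcessFilter methods plus the two scanning hooks
    # defined further down in this module (PSScan and Thrdproc).
    METHODS = common.WinProcessFilter.METHODS + [
        "PSScan", "Thrdproc"]

    __args = [
        dict(name="method", choices=list(METHODS), type="ChoiceArray",
             default=list(METHODS), help="Method to list processes.",
             override=True),
    ]

    def render(self, renderer):
        """Render one table row per process with a presence flag per method.

        Args:
          renderer: the Rekall renderer that receives table_header and
            table_row calls.
        """
        headers = [
            dict(type="_EPROCESS", name="_EPROCESS"),
        ]

        for method in self.plugin_args.method:
            headers.append((method, method, "%s" % len(method)))

        renderer.table_header(headers)

        # Each "pslist_<method>" session parameter is a collection of
        # _EPROCESS offsets (the hooks below return sets). Fetch each one
        # once here instead of once per process row.
        listings = [
            self.session.GetParameter("pslist_%s" % method)
            for method in self.plugin_args.method]

        for eprocess in self.filter_processes():
            row = [eprocess]

            for listing in listings:
                row.append(eprocess.obj_offset in listing)

            renderer.table_row(*row)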
class PsListPSScanHook(common.AbstractWindowsParameterHook):
    """Provide the "pslist_PSScan" parameter: _EPROCESS offsets found by psscan."""

    name = "pslist_PSScan"

    def calculate(self):
        """Enumerate processes by scanning for _EPROCESS.

        Returns:
          A set of _EPROCESS offsets. Hits located in the physical address
          space are first mapped to their kernel-space _EPROCESS through the
          pslist plugin; hits that cannot be mapped are dropped.
        """
        psscan = self.session.plugins.psscan()
        pslist = self.session.plugins.pslist()

        offsets = set()
        for hit in psscan.collect():
            eprocess = self._to_kernel_space(pslist, hit["offset_p"])

            # NOTE(review): deliberately "!= None" rather than "is not None" -
            # a failed mapping presumably yields a Rekall NoneObject stand-in
            # that compares equal to None without being the None singleton.
            if eprocess != None:
                offsets.add(eprocess.obj_offset)

        self.session.logging.debug(
            "Listed %s processes using PSScan", len(offsets))

        return offsets

    def _to_kernel_space(self, pslist, physical_eprocess):
        """Map a scanner hit from the physical address space when needed."""
        if physical_eprocess.obj_vm == self.session.physical_address_space:
            return pslist.virtual_process_from_physical_offset(
                physical_eprocess)

        return physical_eprocess
83 84
class PsListThrdprocHook(common.AbstractWindowsParameterHook):
    """Provide the "pslist_Thrdproc" parameter: _EPROCESS offsets reached via threads."""

    name = "pslist_Thrdproc"

    def calculate(self):
        """Enumerate processes by scanning for threads.

        Returns:
          A set of _EPROCESS offsets owning at least one still-running
          _ETHREAD found by the thrdscan plugin.
        """
        kernel_as = self.session.kernel_address_space
        offsets = set()

        for hit in self.session.plugins.thrdscan().collect():
            ethread = self.session.profile._ETHREAD(hit[0])

            # Threads that already exited say nothing about live processes.
            if ethread.ExitTime != 0:
                continue

            # Bounce back to the thread's owner: Tcb.Process first, with
            # ThreadsProcess as the fallback.
            process = ethread.Tcb.m('Process').dereference_as(
                '_EPROCESS', vm=kernel_as)
            if not process:
                process = ethread.m('ThreadsProcess').dereference(vm=kernel_as)

            # Make sure the bounce succeeded: the owner must be live and carry
            # a PID in a plausible range (presumably to reject stale or
            # garbage matches).
            if process and process.ExitTime == 0:
                pid = process.UniqueProcessId
                if pid > 0 and pid < 0xFFFF:
                    offsets.add(process.obj_offset)

        self.session.logging.debug(
            "Listed %s processes using Thrdproc", len(offsets))

        return offsets