1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25 from rekall.plugins.windows import common
26 from rekall.plugins.overlays.windows import tcpip_vtypes
27
28
29
30
31 AF_INET = 2
32 AF_INET6 = 0x17
35 """PoolScanner for Udp Endpoints"""
36
38 super(PoolScanUdpEndpoint, self).__init__(**kwargs)
39 min_size = self.profile.get_obj_size("_UDP_ENDPOINT")
40 if not min_size:
41 raise RuntimeError(repr(min_size))
42
43 self.checks = [
44 ('PoolTagCheck', dict(
45 tag=self.profile.get_constant("UDP_END_POINT_POOLTAG"))),
46
47 ('CheckPoolSize', dict(min_size=min_size)),
48
49 ('CheckPoolType', dict(non_paged=True, free=True, paged=True)),
50
51 ('CheckPoolIndex', dict(value=0)),
52 ]
53
56 """PoolScanner for Tcp Listeners"""
57
59 super(PoolScanTcpListener, self).__init__(**kwargs)
60 min_size = self.profile.get_obj_size("_TCP_LISTENER")
61 if not min_size:
62 raise RuntimeError(repr(min_size))
63
64 self.checks = [
65 ('PoolTagCheck', dict(
66 tag=self.profile.get_constant("TCP_LISTENER_POOLTAG"))),
67
68 ('CheckPoolSize', dict(min_size=min_size)),
69
70 ('CheckPoolType', dict(non_paged=True, free=True, paged=True)),
71
72 ('CheckPoolIndex', dict(value=0)),
73 ]
74
77 """PoolScanner for TCP Endpoints"""
78
80 super(PoolScanTcpEndpoint, self).__init__(**kwargs)
81 min_size = self.profile.get_obj_size("_TCP_ENDPOINT")
82 if not min_size:
83 raise RuntimeError(repr(min_size))
84
85 self.checks = [
86 ('PoolTagCheck', dict(
87 tag=self.profile.get_constant("TCP_END_POINT_POOLTAG"))),
88
89 ('CheckPoolSize', dict(min_size=min_size)),
90
91 ('CheckPoolType', dict(non_paged=True, free=True, paged=True)),
92
93 ('CheckPoolIndex', dict(value=0)),
94 ]
95
96
97 -class WinNetscan(tcpip_vtypes.TcpipPluginMixin,
98 common.PoolScannerPlugin):
99 """Scan a Vista, 2008 or Windows 7 image for connections and sockets"""
100
101 __name = "netscan"
102
103 table_header = [
104 dict(name="offset", style="address"),
105 dict(name="protocol", width=8),
106 dict(name="local_addr", width=20),
107 dict(name="remote_addr", width=30),
108 dict(name="state", width=16),
109 dict(name="pid", width=5, align="r"),
110 dict(name="owner", width=14),
111 dict(name="created")
112 ]
113
114 scanner_defaults = dict(
115 scan_kernel_nonpaged_pool=True
116 )
117
118 @classmethod
124
126 scanner = PoolScanTcpListener(
127 profile=self.tcpip_profile, session=self.session,
128 address_space=run.address_space)
129
130 for pool_obj in scanner.scan(run.start, run.length):
131 pool_header_end = pool_obj.obj_offset + pool_obj.obj_size
132 tcpentry = self.tcpip_profile._TCP_LISTENER(
133 vm=run.address_space, offset=pool_header_end)
134
135
136 af_inet = tcpentry.InetAF.dereference(vm=self.kernel_address_space)
137 if af_inet.AddressFamily not in (AF_INET, AF_INET6):
138 continue
139
140
141
142 for ver, laddr, raddr in tcpentry.dual_stack_sockets(
143 vm=self.kernel_address_space):
144 yield (tcpentry, "TCP" + ver, laddr,
145 tcpentry.Port, raddr, 0, "LISTENING")
146
147
148 scanner = PoolScanTcpEndpoint(
149 profile=self.tcpip_profile, session=self.session,
150 address_space=run.address_space)
151
152 for pool_obj in scanner.scan(run.start, run.length):
153 pool_header_end = pool_obj.obj_offset + pool_obj.obj_size
154 tcpentry = self.tcpip_profile._TCP_ENDPOINT(
155 vm=run.address_space, offset=pool_header_end)
156
157 af_inet = tcpentry.InetAF.dereference(vm=self.kernel_address_space)
158 if af_inet.AddressFamily == AF_INET:
159 proto = "TCPv4"
160 elif af_inet.AddressFamily == AF_INET6:
161 proto = "TCPv6"
162 else:
163 continue
164
165
166 owner = tcpentry.Owner.dereference_as(
167 vm=self.kernel_address_space, profile=self.session.profile)
168
169
170 local_addr = tcpentry.LocalAddress(vm=self.kernel_address_space)
171 remote_addr = tcpentry.RemoteAddress(vm=self.kernel_address_space)
172
173
174 if tcpentry.State.v() not in tcpip_vtypes.TCP_STATE_ENUM:
175 continue
176
177 if not owner and not local_addr:
178 continue
179
180 yield (tcpentry, proto, local_addr, tcpentry.LocalPort,
181 remote_addr, tcpentry.RemotePort, tcpentry.State)
182
183
184 scanner = PoolScanUdpEndpoint(
185 profile=self.tcpip_profile, session=self.session,
186 address_space=run.address_space)
187
188 for pool_obj in scanner.scan(run.start, run.length):
189 pool_header_end = pool_obj.obj_offset + pool_obj.obj_size
190 udpentry = self.tcpip_profile._UDP_ENDPOINT(
191 vm=run.address_space, offset=pool_header_end)
192
193 af_inet = udpentry.InetAF.dereference(vm=self.kernel_address_space)
194
195
196 if af_inet.AddressFamily not in (AF_INET, AF_INET6):
197 continue
198
199
200
201 for ver, laddr, _ in udpentry.dual_stack_sockets(
202 vm=self.kernel_address_space):
203 yield (udpentry, "UDP" + ver, laddr, udpentry.Port,
204 "*", "*", "")
205
207 for run in self.generate_memory_ranges():
208 for (net_object, proto, laddr, lport, raddr, rport,
209 state) in self.generate_hits(run):
210 lendpoint = "{0}:{1}".format(laddr, lport)
211 rendpoint = "{0}:{1}".format(raddr, rport)
212
213 owner = net_object.Owner.dereference_as(
214 vm=self.kernel_address_space, profile=self.session.profile)
215
216 yield (net_object.obj_offset, proto, lendpoint,
217 rendpoint, state,
218 owner.UniqueProcessId,
219 owner.ImageFileName,
220 net_object.CreateTime)
221