/usr/lib/python2.7/dist-packages/rekall/plugins/windows/malware/psxview.py is in python-rekall-core 1.6.0+dfsg-2.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 | # Rekall Memory Forensics
# Copyright (c) 2010, 2011, 2012 Michael Ligh <michael.ligh@mnin.org>
# Copyright 2013 Google Inc. All Rights Reserved.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# pylint: disable=protected-access
from rekall.plugins.windows import common
class WindowsPsxView(common.WinProcessFilter):
"Find hidden processes with various process listings"
__name = "psxview"
METHODS = common.WinProcessFilter.METHODS + [
"PSScan", "Thrdproc"]
__args = [
dict(name="method", choices=METHODS, type="ChoiceArray",
default=METHODS, help="Method to list processes.",
override=True),
]
def render(self, renderer):
headers = [
dict(type="_EPROCESS", name="_EPROCESS"),
]
for method in self.plugin_args.method:
headers.append((method, method, "%s" % len(method)))
renderer.table_header(headers)
for eprocess in self.filter_processes():
row = [eprocess]
for method in self.plugin_args.method:
row.append(eprocess.obj_offset in
self.session.GetParameter("pslist_%s" % method))
renderer.table_row(*row)
class PsListPSScanHook(common.AbstractWindowsParameterHook):
name = "pslist_PSScan"
def calculate(self):
"""Enumerate processes by scanning for _EPROCESS."""
result = set()
psscan = self.session.plugins.psscan()
pslist = self.session.plugins.pslist()
for row in psscan.collect():
physical_eprocess = row["offset_p"]
if physical_eprocess.obj_vm == self.session.physical_address_space:
eprocess = pslist.virtual_process_from_physical_offset(
physical_eprocess)
else:
eprocess = physical_eprocess
if eprocess != None:
result.add(eprocess.obj_offset)
self.session.logging.debug(
"Listed %s processes using PSScan", len(result))
return result
class PsListThrdprocHook(common.AbstractWindowsParameterHook):
name = "pslist_Thrdproc"
def calculate(self):
"""Enumerate processes by scanning for threads."""
result = set()
thrdscan_plugin = self.session.plugins.thrdscan()
for results in thrdscan_plugin.collect():
ethread = self.session.profile._ETHREAD(results[0])
if ethread.ExitTime != 0:
continue
# Bounce back to the threads owner
process = ethread.Tcb.m('Process').dereference_as(
'_EPROCESS', vm=self.session.kernel_address_space)
if not process:
process = ethread.m('ThreadsProcess').dereference(
vm=self.session.kernel_address_space)
# Make sure the bounce succeeded
if (process and process.ExitTime == 0 and
process.UniqueProcessId > 0 and
process.UniqueProcessId < 0xFFFF):
result.add(process.obj_offset)
self.session.logging.debug(
"Listed %s processes using Thrdproc", len(result))
return result
|