Created
March 5, 2019 03:18
-
-
Save jarcode-foss/f0420fa37d971ae8fe44f74b87887df3 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import os | |
| import sys | |
| import json | |
| import stat | |
| import logging | |
| import libvirt | |
| from io import StringIO | |
| from pathlib import Path | |
| from tempfile import TemporaryDirectory, NamedTemporaryFile | |
| from rekall import plugins, session | |
| def format_config(domain, config, old_format=False): | |
| if not old_format: | |
| formatted_config = """ | |
| %s { | |
| ostype = "Windows"; | |
| rekall_profile = "%s"; | |
| } | |
| """ % (domain, config['rekall_profile']) | |
| else: | |
| formatted_config = """ | |
| %s { | |
| ostype = "Windows"; | |
| win_pdbase = %s; | |
| win_pid = %s; | |
| win_tasks = %s; | |
| win_pname = %s; | |
| } | |
| """ % (domain, | |
| hex(config['win_pdbase']), | |
| hex(config['win_pid']), | |
| hex(config['win_tasks']), | |
| hex(config['win_pname']) | |
| ) | |
| return formatted_config | |
| def extract_config(ram_dump): | |
| home = os.getenv('HOME') | |
| local_cache_path = os.path.join(home, '.rekall_cache') | |
| try: | |
| os.makedirs(local_cache_path) | |
| except OSError: # already exists | |
| pass | |
| logging.info('Analyzing RAM dump with Rekall') | |
| s = session.Session( | |
| filename=ram_dump, | |
| autodetect=["rsds"], | |
| logger=logging.getLogger(), | |
| autodetect_build_local='none', | |
| format='data', | |
| profile_path=[ | |
| local_cache_path, | |
| "http://profiles.rekall-forensic.com" | |
| ]) | |
| pdbase = s.profile.get_obj_offset('_KPROCESS', 'DirectoryTableBase') | |
| tasks = s.profile.get_obj_offset('_EPROCESS', 'ActiveProcessLinks') | |
| name = s.profile.get_obj_offset('_EPROCESS', 'ImageFileName') | |
| pid = s.profile.get_obj_offset('_EPROCESS', 'UniqueProcessId') | |
| config = { | |
| "ostype": "Windows", | |
| "win_pdbase": pdbase, | |
| "win_tasks": tasks, | |
| "win_pid": pid, | |
| "win_pname": name, | |
| } | |
| return config | |
| def get_windows_config(domain): | |
| with TemporaryDirectory() as tmp_dir: | |
| with NamedTemporaryFile(dir=tmp_dir) as ram_dump: | |
| # chmod to be r/w by everyone | |
| os.chmod(ram_dump.name, | |
| stat.S_IRUSR | stat.S_IWUSR | | |
| stat.S_IRGRP | stat.S_IWGRP | | |
| stat.S_IROTH | stat.S_IWOTH) | |
| # take a ram dump | |
| logging.info('Dumping physical memory to %s', ram_dump.name) | |
| flags = libvirt.VIR_DUMP_MEMORY_ONLY | libvirt.VIR_DUMP_CRASH | |
| dumpformat = libvirt.VIR_DOMAIN_CORE_DUMP_FORMAT_RAW | |
| domain.coreDumpWithFormat(ram_dump.name, dumpformat, flags) | |
| config = extract_config(ram_dump.name) | |
| return config | |
| con = libvirt.open("qemu:///system") | |
| # print(get_windows_config(con.lookupByName("win10"))) | |
| print(format_config("win10", extract_config("dump.elf"), True)) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment