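#!/bin/bash
#
# Live Linux memory triage with Rekall: build (or reuse) a profile for the running kernel,
# run a fixed set of plugins against live memory, then scan it with every yara rule found.
# Logs are written under ${cwd}/${ts}/ and contain raw memory contents (credentials, shell
# history, heap dumps) — treat that directory as sensitive.
#
# Requires: rekall (rekal/rekall), a source tree containing a pmem.c build directory that
# supports `make profile` somewhere under the invocation directory, make, find, wget, unzip.

# Unset variables are bugs here. -e is deliberately not used: the profile build loop and the
# rule download are allowed to fail and fall through to the next candidate.
set -u

# Day-granularity timestamp naming the log directory; reruns on the same day reuse it.
ts="$(date +%Y%m%d)"
# Base directory for the build search, the JSON profile and the logs: the invocation
# directory. NOTE(review): the original `pwd $(dirname $0)` also resolved here, because pwd
# ignores its argument; use `$(cd "$(dirname "$0")" && pwd)` if the script's own directory
# was intended.
cwd="$(pwd)"
# Path of the built rekall profile .zip; stays empty until a build succeeds.
build_file=
# Plugins to run against live memory, in this order. (lsmod was listed twice upstream; the
# second run only overwrote the first run's log, so it is listed once.)
plugins=(
  address_resolver arp banner bash
  check_afinfo check_creds check_idt check_modules check_proc_fops check_syscall check_task_fops check_ttys
  cpuinfo dmesg dmp find_dtb
  heapdump heapinfo heapobjects heaprefs heapsearch
  hostname idx ifconfig iomem keepassx
  lsmod lsmod_parameters lsmod_sections lsof
  maps mcat memdump memmap mfind mls moddump mount
  netstat notifier_chains pas2vas pidhashtable
  psaux pslist pstree psxview
  sigscan vaddump vadmap vtop yarascan zsh
)
# Bail if plugins are not defined
if [ "${#plugins[@]}" -eq 0 ]; then
  echo "Please define a set of plugins to operate on" >&2
  exit 1
fi
echo "Using ${#plugins[@]} plugins..."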
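# Locate every directory under ${cwd} that can build a rekall profile (marked by a pmem.c).
# Paths are read NUL-delimited so whitespace in a path cannot split them into two entries.
builds=()
while IFS= read -r -d '' path; do
  builds+=("${path}")
done < <(find "${cwd}" -type f -name "pmem.c" -print0 2>/dev/null)
# Bail if nothing is found
if [ "${#builds[@]}" -eq 0 ]; then
  echo "Could not find any rekall profile build directory" >&2
  exit 1
fi
kernel="$(uname -r)"
# Try each candidate until one yields ${kernel}.zip
for build in "${builds[@]}"; do
  # Strip pmem.c from ${build}
  build="$(dirname "${build}")"
  echo "Testing ${build} for profile..."
  # Build inside a subshell: a failed cd can no longer leave make running in the wrong
  # directory, and the caller's working directory is never changed.
  ( cd "${build}" && make profile ) &>/dev/null \
    || echo "warning: 'make profile' failed in ${build}" >&2
  # The zip may pre-exist from an earlier build, so test for it regardless of make's status
  if [ -f "${build}/${kernel}.zip" ]; then
    build_file="${build}/${kernel}.zip"
    break
  fi
done
# If no build directory produced a profile, bail
if [ -z "${build_file}" ]; then
  echo "Unable to build profile for ${kernel}" >&2
  exit 1
fi
# Convert the profile to JSON once so every later rekal invocation loads it quickly
rekal convert_profile "${build_file}" "${cwd}/${kernel}.json" &>/dev/null
# Test for ${kernel}.json or bail
if [ ! -f "${cwd}/${kernel}.json" ]; then
  echo "Could not convert profile to JSON file" >&2
  exit 1
fi
echo "Built ${kernel}.json profile..."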
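# Logs go under ${cwd}/${ts}. They hold raw memory contents (credentials, shell history,
# heap dumps), so the directory is made owner-only.
kernel="$(uname -r)"
log_dir="${cwd}/${ts}"
mkdir -p "${log_dir}" || { echo "Cannot create log directory ${log_dir}" >&2; exit 1; }
chmod 700 "${log_dir}"
# Run each plugin against live memory, one log per plugin. A failing plugin is reported
# on stderr but does not stop the remaining plugins.
for plugin in "${plugins[@]}"; do
  echo "Running ${plugin}..."
  rekal --live Memory "${plugin}" --profile "${cwd}/${kernel}.json" &> "${log_dir}/${plugin}.log" \
    || echo "warning: ${plugin} exited with status $?" >&2
done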
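# Yara phase: scan live memory with every rule file available, one log per rule.
kernel="$(uname -r)"
log_dir="${cwd}/${ts}"
# Define the yara rules uri
rules_uri="https://github.com/Yara-Rules/rules/archive/master.zip"
# Collect rule files already present on the system (NUL-delimited; paths may contain spaces).
# NOTE(review): walking the whole filesystem is slow and picks up any *.yar a local user could
# plant, which the scanner then parses; prefer a fixed, trusted rules directory.
rules=()
while IFS= read -r -d '' path; do
  rules+=("${path}")
done < <(find / -type f -name "*.yar" -print0 2>/dev/null)
if [ "${#rules[@]}" -eq 0 ]; then
  echo "Attempting to download yara rules..."
  zip_file="${cwd}/yara.rules.zip"
  rules_dir="${cwd}/yara.rules"
  # Download the latest archive from github.com. NOTE(review): TLS is the only integrity
  # check here; pin a release/commit and verify a checksum before relying on these rules.
  if wget -q "${rules_uri}" -O "${zip_file}" && [ -s "${zip_file}" ]; then
    # -d is unzip's destination flag; the original passed the directory as a member pattern,
    # so nothing was ever extracted there. -o overwrites silently on reruns instead of prompting.
    unzip -q -o "${zip_file}" -d "${rules_dir}" 2>/dev/null
  fi
  # Try again with whatever was extracted
  while IFS= read -r -d '' path; do
    rules+=("${path}")
  done < <(find "${rules_dir}/" -xdev -type f -name "*.yar" -print0 2>/dev/null)
fi
# Bail if still not found
if [ "${#rules[@]}" -eq 0 ]; then
  echo "Unable to locate any yara rules..." >&2
  exit 1
fi
echo "Using ${#rules[@]} yara rules..."
# Fire off a rekall memory scan per rule and log it for posterity.
# NOTE(review): two rule files sharing a basename overwrite each other's log.
for rule in "${rules[@]}"; do
  echo "Running ${rule}..."
  rekall --live Memory --profile "${cwd}/${kernel}.json" yarascan --yara_file="${rule}" \
    &> "${log_dir}/$(basename "${rule}").log" \
    || echo "warning: yarascan with ${rule} exited with status $?" >&2
done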
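#!/bin/bash
#
# Live Linux memory triage with Rekall: build (or reuse) a profile for the running kernel,
# then run a fixed set of plugins against live memory.
# Logs are written under ${cwd}/${ts}/ and contain raw memory contents (credentials, shell
# history, heap dumps) — treat that directory as sensitive.
#
# Requires: rekall (rekal), a source tree containing a pmem.c build directory that
# supports `make profile` somewhere under the invocation directory, make, find.

# Unset variables are bugs here. -e is deliberately not used: the profile build loop is
# allowed to fail on one candidate and fall through to the next.
set -u

# Day-granularity timestamp naming the log directory; reruns on the same day reuse it.
ts="$(date +%Y%m%d)"
# Base directory for the build search, the JSON profile and the logs: the invocation
# directory. NOTE(review): the original `pwd $(dirname $0)` also resolved here, because pwd
# ignores its argument; use `$(cd "$(dirname "$0")" && pwd)` if the script's own directory
# was intended.
cwd="$(pwd)"
# Path of the built rekall profile .zip; stays empty until a build succeeds.
build_file=
# Plugins to run against live memory, in this order. (lsmod was listed twice upstream; the
# second run only overwrote the first run's log, so it is listed once.)
plugins=(
  address_resolver arp banner bash
  check_afinfo check_creds check_idt check_modules check_proc_fops check_syscall check_task_fops check_ttys
  cpuinfo dmesg dmp find_dtb
  heapdump heapinfo heapobjects heaprefs heapsearch
  hostname idx ifconfig iomem keepassx
  lsmod lsmod_parameters lsmod_sections lsof
  maps mcat memdump memmap mfind mls moddump mount
  netstat notifier_chains pas2vas pidhashtable
  psaux pslist pstree psxview
  sigscan vaddump vadmap vtop yarascan zsh
)
# Bail if plugins are not defined
if [ "${#plugins[@]}" -eq 0 ]; then
  echo "Please define a set of plugins to operate on" >&2
  exit 1
fi
echo "Using ${#plugins[@]} plugins..."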
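# Locate every directory under ${cwd} that can build a rekall profile (marked by a pmem.c).
# Paths are read NUL-delimited so whitespace in a path cannot split them into two entries.
builds=()
while IFS= read -r -d '' path; do
  builds+=("${path}")
done < <(find "${cwd}" -type f -name "pmem.c" -print0 2>/dev/null)
# Bail if nothing is found
if [ "${#builds[@]}" -eq 0 ]; then
  echo "Could not find any rekall profile build directory" >&2
  exit 1
fi
kernel="$(uname -r)"
# Try each candidate until one yields ${kernel}.zip
for build in "${builds[@]}"; do
  # Strip pmem.c from ${build}
  build="$(dirname "${build}")"
  echo "Testing ${build} for profile..."
  # Build inside a subshell: a failed cd can no longer leave make running in the wrong
  # directory, and the caller's working directory is never changed.
  ( cd "${build}" && make profile ) &>/dev/null \
    || echo "warning: 'make profile' failed in ${build}" >&2
  # The zip may pre-exist from an earlier build, so test for it regardless of make's status
  if [ -f "${build}/${kernel}.zip" ]; then
    build_file="${build}/${kernel}.zip"
    break
  fi
done
# If no build directory produced a profile, bail
if [ -z "${build_file}" ]; then
  echo "Unable to build profile for ${kernel}" >&2
  exit 1
fi
# Convert the profile to JSON once so every later rekal invocation loads it quickly
rekal convert_profile "${build_file}" "${cwd}/${kernel}.json" &>/dev/null
# Test for ${kernel}.json or bail
if [ ! -f "${cwd}/${kernel}.json" ]; then
  echo "Could not convert profile to JSON file" >&2
  exit 1
fi
echo "Built ${kernel}.json profile..."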
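# Logs go under ${cwd}/${ts}. They hold raw memory contents (credentials, shell history,
# heap dumps), so the directory is made owner-only.
kernel="$(uname -r)"
log_dir="${cwd}/${ts}"
mkdir -p "${log_dir}" || { echo "Cannot create log directory ${log_dir}" >&2; exit 1; }
chmod 700 "${log_dir}"
# Run each plugin against live memory, one log per plugin. A failing plugin is reported
# on stderr but does not stop the remaining plugins.
for plugin in "${plugins[@]}"; do
  echo "Running ${plugin}..."
  rekal --live Memory "${plugin}" --profile "${cwd}/${kernel}.json" &> "${log_dir}/${plugin}.log" \
    || echo "warning: ${plugin} exited with status $?" >&2
done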