/*
 * Locate the _EPROCESS of the process called @name by scanning guest
 * physical memory.
 *
 * The ImageFileName offset (os.windows_instance.pname_offset) is resolved
 * lazily via find_pname_offset() the first time it is needed and cached on
 * the instance; if it cannot be resolved the lookup fails with 0.  When the
 * Idle process anchor vmi->init_task is set, the scan starts at
 * init_task - tasks_offset (presumably undoing the tasks_offset added when
 * the anchor was stored — see find_pname_offset); otherwise it starts at
 * physical address 0.
 *
 * Returns the physical address of the matching _EPROCESS, or 0 if not found.
 *
 * NOTE(review): the match is heuristic — a magic value and a name string,
 * both read from guest memory a hostile guest controls — so callers should
 * not treat the result as authoritative without further validation.
 */
addr_t
windows_find_eprocess(
    vmi_instance_t vmi,
    char *name)
{
    check_magic_func check = get_check_magic_func(vmi);
    addr_t scan_from = 0;

    /* Resolve the ImageFileName offset once and cache it on the instance. */
    if (0 == vmi->os.windows_instance.pname_offset) {
        vmi->os.windows_instance.pname_offset = find_pname_offset(vmi, check);
        if (0 == vmi->os.windows_instance.pname_offset) {
            dbprint("--failed to find pname_offset\n");
            return 0;
        }
        dbprint("**set os.windows_instance.pname_offset (0x%x)\n",
                vmi->os.windows_instance.pname_offset);
    }

    if (vmi->init_task != 0) {
        scan_from = vmi->init_task - vmi->os.windows_instance.tasks_offset;
    }

    return find_process_by_name(vmi, check, scan_from, name);
}
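/*
 * Heuristically determine the offset of ImageFileName within _EPROCESS by
 * finding the "Idle" process in guest physical memory.
 *
 * Scans guest physical memory in 1 MiB blocks starting at physical 4096
 * (the first page is skipped), testing every 8-byte-aligned dword with
 * @check (falls back to get_check_magic_func() when @check is NULL).  At
 * each magic hit the following 0x500 bytes are read from the guest and
 * searched for the string "Idle"; on the first hit the magic's physical
 * address is cached in vmi->init_task.
 *
 * Returns the byte offset of "Idle" relative to the magic value, i.e. the
 * ImageFileName offset, or 0 on failure (nothing found, or the matcher
 * could not be created).  Callers treat 0 as "not found".
 *
 * NOTE(review): the magic value and the "Idle" string are both read from
 * guest-controlled memory, so a hostile guest can plant a fake structure
 * earlier in memory and steer this result; treat it as a hint, not a fact.
 * The 1 MiB scan buffer lives on the stack, as in the original; a caller
 * with a small stack would need it moved to the heap.
 */
int
find_pname_offset(
    vmi_instance_t vmi,
    check_magic_func check)
{
    enum {
        SCAN_BLOCK  = 1024 * 1024,  /* bytes read per vmi_read_pa() call */
        IDLE_WINDOW = 0x500,        /* bytes after the magic searched for "Idle" */
        SCAN_STRIDE = 8             /* alignment of candidate magic dwords */
    };
    unsigned char block_buffer[SCAN_BLOCK];
    addr_t block_pa;

    if (NULL == check) {
        check = get_check_magic_func(vmi);
    }

    void *bm = boyer_moore_init((unsigned char *)"Idle", 4);
    if (NULL == bm) {
        /* Presumably boyer_moore_init()'s failure return; the original passed
         * it straight to boyer_moore2().  Fail the same way as "not found". */
        dbprint(VMI_DEBUG_MISC, "--%s: boyer_moore_init failed\n", __FUNCTION__);
        return 0;
    }

    for (block_pa = 4096;
         block_pa + SCAN_BLOCK < vmi->max_physical_address;
         block_pa += SCAN_BLOCK) {
        /* Unreadable ranges are skipped rather than aborting the scan. */
        if (VMI_FAILURE == vmi_read_pa(vmi, block_pa, SCAN_BLOCK, block_buffer, NULL)) {
            continue;
        }

        addr_t offset;
        for (offset = 0; offset < SCAN_BLOCK; offset += SCAN_STRIDE) {
            uint32_t value;
            memcpy(&value, block_buffer + offset, sizeof value);
            if (!check(value)) {
                continue;
            }

            dbprint(VMI_DEBUG_MISC,
                    "--%s: found magic value 0x%.8"PRIx32" @ offset 0x%.8"PRIx64"\n",
                    __FUNCTION__, value, block_pa + offset);

            /* Re-read from the guest instead of slicing block_buffer: the
             * window can run past the end of the current block. */
            unsigned char haystack[IDLE_WINDOW];
            if (VMI_FAILURE == vmi_read_pa(vmi, block_pa + offset, IDLE_WINDOW, haystack, NULL)) {
                continue;
            }

            int i = boyer_moore2(bm, haystack, IDLE_WINDOW);
            if (-1 == i) {
                continue;
            }

            vmi->init_task = block_pa + offset;
            dbprint(VMI_DEBUG_MISC,
                    "--%s: found Idle process at 0x%.8"PRIx64" + 0x%x\n",
                    __FUNCTION__, block_pa + offset, i);
            boyer_moore_fini(bm);
            return i;
        }
    }

    boyer_moore_fini(bm);
    return 0;
}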
/*
 * Scan guest physical memory for an _EPROCESS whose ImageFileName matches
 * @name.
 *
 * Walks memory one 4 KiB page at a time from @start_address while the page
 * still fits below vmi->max_physical_address, skipping pages that cannot be
 * read in full.  Every 8-byte-aligned dword is tested with @check (resolved
 * through get_check_magic_func() when NULL); on a hit the process name is
 * fetched with windows_get_eprocess_name() and compared to @name over at
 * most 50 characters.
 *
 * Returns the physical address of the first matching _EPROCESS, or 0.
 *
 * NOTE(review): the magic value and the name are read from guest memory a
 * malicious guest can forge; the first match wins, so a planted structure
 * located before the real one would be returned instead.
 */
static addr_t
find_process_by_name(
    vmi_instance_t vmi,
    check_magic_func check,
    addr_t start_address,
    const char *name)
{
    enum { NAME_CMP_LEN = 50 };
    unsigned char page[VMI_PS_4KB];
    addr_t page_pa;

    dbprint(VMI_DEBUG_MISC, "--searching for process by name: %s\n", name);

    if (!check) {
        check = get_check_magic_func(vmi);
    }

    for (page_pa = start_address;
         page_pa + VMI_PS_4KB < vmi->max_physical_address;
         page_pa += VMI_PS_4KB) {
        size_t got = vmi_read_pa(vmi, page_pa, page, VMI_PS_4KB);
        if (got != VMI_PS_4KB) {
            continue;
        }

        addr_t off;
        for (off = 0; off < VMI_PS_4KB; off += 8) {
            uint32_t candidate;
            memcpy(&candidate, page + off, sizeof candidate);
            if (!check(candidate)) {
                continue;
            }

            char *procname = windows_get_eprocess_name(vmi, page_pa + off);
            if (!procname) {
                continue;
            }
            int matched = (0 == strncmp(procname, name, NAME_CMP_LEN));
            free(procname);
            if (matched) {
                return page_pa + off;
            }
        }
    }

    return 0;
}
/*
 * Scan guest physical memory for the _EPROCESS whose ImageFileName matches
 * @name, starting at @start_address.
 *
 * Memory is read in 1 MiB blocks while the block start is below vmi->size;
 * a block that cannot be read in full is skipped (so a tail shorter than a
 * block is presumably never scanned).  Each 8-byte-aligned dword is tested
 * with @check (get_check_magic_func() when NULL); on a hit the process name
 * is fetched via windows_get_eprocess_name() and compared to @name over at
 * most 50 characters.
 *
 * Returns the physical address of the first match, or 0 if none.
 *
 * NOTE(review): both the magic and the name are guest-controlled data; a
 * planted structure earlier in memory wins over the real one.  The 1 MiB
 * buffer is on the stack, as in the original.
 */
static addr_t
find_process_by_name(
    vmi_instance_t vmi,
    check_magic_func check,
    addr_t start_address,
    const char *name)
{
    enum { SCAN_BLOCK = 1024 * 1024, NAME_CMP_LEN = 50 };
    unsigned char buf[SCAN_BLOCK];
    addr_t blk;

    if (!check) {
        check = get_check_magic_func(vmi);
    }

    for (blk = start_address; blk < vmi->size; blk += SCAN_BLOCK) {
        size_t got = vmi_read_pa(vmi, blk, buf, SCAN_BLOCK);
        if (got != SCAN_BLOCK) {
            continue;
        }

        addr_t off;
        for (off = 0; off < SCAN_BLOCK; off += 8) {
            uint32_t candidate;
            memcpy(&candidate, buf + off, sizeof candidate);
            if (!check(candidate)) {
                continue;
            }

            char *procname = windows_get_eprocess_name(vmi, blk + off);
            if (!procname) {
                continue;
            }
            int matched = (0 == strncmp(procname, name, NAME_CMP_LEN));
            free(procname);
            if (matched) {
                return blk + off;
            }
        }
    }

    return 0;
}
/*
 * Locate the _EPROCESS of the process called @name.
 *
 * Resolves and caches the ImageFileName offset on first use: from the Rekall
 * profile (_EPROCESS.ImageFileName) when one is loaded, otherwise via the
 * find_pname_offset() memory-scan heuristic.  With the offset known, the
 * scan for @name starts at vmi->init_task when set, else at physical 0.
 *
 * Returns the physical address of the matching _EPROCESS, or 0 when the
 * Windows OS data is missing, the offset cannot be resolved, or no process
 * matches.
 *
 * NOTE(review): without a Rekall profile the offset and the match are both
 * derived from guest-controlled memory and can be forged; prefer the profile
 * path where the result feeds a security decision.
 */
addr_t
windows_find_eprocess(
    vmi_instance_t vmi,
    const char *name)
{
    windows_instance_t win = vmi->os_data;
    check_magic_func check = get_check_magic_func(vmi);

    if (NULL == win) {
        return 0;
    }

    if (0 == win->pname_offset) {
        if (win->rekall_profile) {
            /* Authoritative source: the profile's _EPROCESS layout. */
            if (VMI_FAILURE == rekall_profile_symbol_to_rva(win->rekall_profile,
                                                             "_EPROCESS", "ImageFileName",
                                                             &win->pname_offset)) {
                return 0;
            }
        } else {
            /* Fallback: scan memory for the Idle process. */
            win->pname_offset = find_pname_offset(vmi, check);
        }

        if (0 == win->pname_offset) {
            dbprint(VMI_DEBUG_MISC, "--failed to find pname_offset\n");
            return 0;
        }
        dbprint(VMI_DEBUG_MISC, "**set os.windows_instance.pname_offset (0x%"PRIx64")\n",
                win->pname_offset);
    }

    /* init_task is 0 when the Idle process has not been located, which is
     * also the default scan start. */
    addr_t scan_from = vmi->init_task;

    return find_process_by_name(vmi, check, scan_from, name);
}
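/*
 * Heuristically determine the offset of ImageFileName within _EPROCESS by
 * finding the "Idle" process in guest physical memory.
 *
 * Scans guest physical memory in 1 MiB blocks starting at physical 4096
 * while the block start is below vmi->size, skipping blocks that cannot be
 * read in full.  Every 8-byte-aligned dword is tested with @check (falls
 * back to get_check_magic_func() when @check is NULL).  At each magic hit
 * the following 0x500 bytes are read from the guest and searched for the
 * string "Idle"; on the first hit the anchor
 * vmi->init_task = magic address + os.windows_instance.tasks_offset is stored.
 *
 * Returns the byte offset of "Idle" relative to the magic value, i.e. the
 * ImageFileName offset, or 0 on failure (nothing found, or the matcher
 * could not be created).  Callers treat 0 as "not found".
 *
 * NOTE(review): the magic value and the "Idle" string are both read from
 * guest-controlled memory, so a hostile guest can plant a fake structure
 * earlier in memory and steer this result; treat it as a hint, not a fact.
 * The 1 MiB scan buffer lives on the stack, as in the original.
 */
int
find_pname_offset(
    vmi_instance_t vmi,
    check_magic_func check)
{
    enum {
        SCAN_BLOCK  = 1024 * 1024,  /* bytes read per vmi_read_pa() call */
        IDLE_WINDOW = 0x500,        /* bytes after the magic searched for "Idle" */
        SCAN_STRIDE = 8             /* alignment of candidate magic dwords */
    };
    unsigned char block_buffer[SCAN_BLOCK];
    addr_t block_pa;

    if (NULL == check) {
        check = get_check_magic_func(vmi);
    }

    void *bm = boyer_moore_init("Idle", 4);
    if (NULL == bm) {
        /* Presumably boyer_moore_init()'s failure return; the original passed
         * it straight to boyer_moore2().  Fail the same way as "not found". */
        dbprint("--%s: boyer_moore_init failed\n", __FUNCTION__);
        return 0;
    }

    for (block_pa = 4096; block_pa < vmi->size; block_pa += SCAN_BLOCK) {
        /* A short or failed read skips the block rather than aborting. */
        size_t got = vmi_read_pa(vmi, block_pa, block_buffer, SCAN_BLOCK);
        if (SCAN_BLOCK != got) {
            continue;
        }

        addr_t offset;
        for (offset = 0; offset < SCAN_BLOCK; offset += SCAN_STRIDE) {
            uint32_t value;
            memcpy(&value, block_buffer + offset, sizeof value);
            if (!check(value)) {
                continue;
            }

            dbprint("--%s: found magic value 0x%.8"PRIx32" @ offset 0x%.8"PRIx64"\n",
                    __FUNCTION__, value, block_pa + offset);

            /* Re-read from the guest instead of slicing block_buffer: the
             * window can run past the end of the current block. */
            unsigned char haystack[IDLE_WINDOW];
            got = vmi_read_pa(vmi, block_pa + offset, haystack, IDLE_WINDOW);
            if (IDLE_WINDOW != got) {
                continue;
            }

            int i = boyer_moore2(bm, haystack, IDLE_WINDOW);
            if (-1 == i) {
                continue;
            }

            vmi->init_task = block_pa + offset + vmi->os.windows_instance.tasks_offset;
            dbprint("--%s: found Idle process at 0x%.8"PRIx64" + 0x%x\n",
                    __FUNCTION__, block_pa + offset, i);
            boyer_moore_fini(bm);
            return i;
        }
    }

    boyer_moore_fini(bm);
    return 0;
}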