# findevilproc
# Module metadata. The plugin targets volatility 2 (ProcDump subclass,
# Python 2 print statements below).
__author__ = "fdivrp"
__version__ = "0.1"
__license__ = "MIT"
import errno
import os
import sys

import volatility.conf as conf
import volatility.debug as debug
import volatility.plugins.procdump as procdump
import volatility.plugins.taskmods as taskmods
import volatility.utils as utils

import findevilinfo
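class findEvilProc(procdump.ProcDump):
    """Dump every process image and enrich it with known-bad indicators.

    Extends volatility's ProcDump: each task's main PE image is written to
    ``<cwd>/dump_tmp/executable.<pid>.exe`` and the dumped file is then
    hashed, checked for a signature, measured for entropy, looked up on
    VirusTotal (by hash only) and scanned with YARA, all through the
    ``findevilinfo`` helpers.

    Operational caveats:
      * The dump directory fills with executables carved from memory, some
        of which may be live malware. It is created mode 0700 on POSIX
        (the mode is ignored on Windows); keep it off shared or AV-scanned
        paths, and treat its contents as hostile.
      * The VirusTotal lookup discloses the sample hash to a third party;
        only configure ``findevilinfo.VT_API_KEY`` when that is acceptable
        for the investigation. A PE reconstructed from memory rarely hashes
        to the same value as the on-disk binary, so a VirusTotal miss is not
        evidence that the process is clean.
    """

    # Placeholder values shipped in findevilinfo; while the config still holds
    # them the corresponding enrichment is skipped instead of attempted.
    _PLACEHOLDER_VT_API_KEY = "1bd0591633fbf1443f6863da8821e60d2baa3ec75e2a76bb8bbaa11dc3a9840e"
    # Raw string: same bytes as the non-raw literal used in the config (none
    # of \I \l \s \y are escape sequences) but unambiguous to read.
    _PLACEHOLDER_YARA_RULES_DIR = r"C:\IR\loki\signature-base\yara"

    def __init__(self, config, *args, **kwargs):
        """Initialise ProcDump and force the dump directory to ./dump_tmp.

        Args:
            config: volatility configuration object. Its DUMP_DIR is
                overridden here, so any dump directory chosen through the
                ProcDump options is ignored.

        Raises:
            OSError: if the dump directory cannot be created for a reason
                other than already existing.
        """
        procdump.ProcDump.__init__(self, config, *args, **kwargs)
        self._config.DUMP_DIR = os.path.join(os.getcwd(), "dump_tmp")
        # Create-or-reuse in one step: a separate exists()/mkdir() pair races
        # with a concurrent creator. 0700 keeps carved (possibly malicious)
        # binaries private to the analyst on POSIX.
        try:
            os.mkdir(self._config.DUMP_DIR, 0o700)
        except OSError as err:
            if err.errno != errno.EEXIST:
                raise
            print("Dump Dir Already Exists {}".format(self._config.DUMP_DIR))
        else:
            print("Creating Dump Dir {}".format(self._config.DUMP_DIR))

    def _dump_task(self, task):
        """Write *task*'s main image to DUMP_DIR.

        Mirrors the checks in ProcDump.render_text, see
        https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/procdump.py

        Returns:
            (result, path): dump_pe's status string and the path of the
            dump file, or (error string, None) when the image could not be
            reached (no address space, paged-out PEB or image base).
        """
        # NOTE(review): the == None comparisons are kept deliberately;
        # volatility may hand back a NoneObject that compares equal to None
        # without being the None singleton, so `is None` would miss it.
        task_space = task.get_process_address_space()
        if task_space == None:
            return "Error: Cannot acquire process AS", None
        if task.Peb == None:
            # m() reads the raw member; any other reference to task.Peb
            # would try to instantiate the _PEB.
            return ("Error: PEB at {0:#x} is unavailable (possibly due to paging)"
                    .format(task.m('Peb')), None)
        if task_space.vtop(task.Peb.ImageBaseAddress) == None:
            return ("Error: ImageBaseAddress at {0:#x} is unavailable (possibly due to paging)"
                    .format(task.Peb.ImageBaseAddress), None)
        dump_file = "executable." + str(task.UniqueProcessId) + ".exe"
        result = self.dump_pe(task_space, task.Peb.ImageBaseAddress, dump_file)
        return result, os.path.join(self._config.DUMP_DIR, dump_file)

    def _enrich(self, dumped_file, vt_enabled, yara_scanner):
        """Compute the indicator columns for one dumped file.

        Args:
            dumped_file: path of the carved PE on disk.
            vt_enabled: whether a real VirusTotal API key is configured.
            yara_scanner: compiled findevilinfo.YaraClass, or None when no
                rules directory is configured.

        Returns:
            (file_hash, verdict, signed, entropy, yara_hits) as produced by
            the findevilinfo helpers, with "NO_API_KEY" / "NO_YARA_RULES_DIR"
            standing in for the disabled lookups.
        """
        file_hash = findevilinfo.get_hash(dumped_file)
        signed = findevilinfo.check_signed(dumped_file)
        entropy = findevilinfo.get_entropy(dumped_file)
        # Hash-only query, but it still tells VirusTotal which samples this
        # investigation is interested in.
        if vt_enabled:
            verdict = findevilinfo.get_VT_verdict(file_hash)
        else:
            verdict = "NO_API_KEY"
        if yara_scanner is not None:
            yara_hits = yara_scanner.scan(dumped_file)
        else:
            yara_hits = "NO_YARA_RULES_DIR"
        return file_hash, verdict, signed, entropy, yara_hits

    def render_text(self, outfd, data):
        """Dump each process image and print one enrichment row per task.

        Args:
            outfd: output stream for the table.
            data: iterable of process objects from ProcDump.calculate().

        Rows for tasks whose image could not be dumped carry "N/A" in the
        indicator columns. (The previous version reused the dump path of an
        earlier task in that case, attributing its hash/verdict to the wrong
        process, or failed outright on the first undumpable task.)
        """
        vt_key = findevilinfo.VT_API_KEY
        vt_enabled = bool(vt_key) and vt_key != self._PLACEHOLDER_VT_API_KEY
        yara_enabled = findevilinfo.YARA_RULES_DIR != self._PLACEHOLDER_YARA_RULES_DIR
        # Compile the rule set once per run, and only when it is configured.
        yara_scanner = findevilinfo.YaraClass() if yara_enabled else None

        self.table_header(outfd,
                          [("Name", "20"),
                           ("Result", "25"),
                           ("Hash", "64"),
                           ("Verdict", "10"),
                           ("Signed", "8"),
                           ("Entropy", "12"),
                           ("Yara", ""),])
        for task in data:
            result, dumped_file = self._dump_task(task)
            # Only enrich a file that this task actually produced. dump_pe may
            # report an error yet leave a partial file behind (upstream opens
            # the output before copying — verify); such a file is still
            # scanned, as before, and its hash reflects only what was carved.
            if dumped_file is not None and os.path.isfile(dumped_file):
                file_hash, verdict, signed, entropy, yara_hits = self._enrich(
                    dumped_file, vt_enabled, yara_scanner)
            else:
                file_hash = verdict = signed = entropy = yara_hits = "N/A"
            self.table_row(outfd,
                           task.ImageFileName,
                           result,
                           file_hash,
                           verdict,
                           signed,
                           entropy,
                           yara_hits)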