python-haystack extensions for kernel structures
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
kernel
.gitignore
README
tasks.py

README

Useless proof of concept base on python-haystack.
Total volatility ripoff and seriously flawed non-cross platform forensic tool.


ctypes-kernel is an extension to haystack, for kernel structures.
It's purpose is to be a simple 'volatility' for linux kernels.
It could easily be extended to other system memdump's...

Basic Idea :
  a) convert Kernel headers to ctypes using ctypeslib tools. (kernel config specific)
  b) get a kernel memdump and a system map.
  c) map ctypes classes onto the memdump.
    c2) use them, as-is
  d) translate ctypes classes to POPOs.
  e) done, you can play with kernel structures.

optional f) : You don't have the system.map, you can search for C structures with python-haystack.




  #include <linux/sched.h>

INFO:generate:module ctypes_linux_generated has 398 members for 398 class



  #include <linux/sched.h>
  #include <linux/sock.h>

INFO:generate:module ctypes_linux_generated has 399 members for 399 class

>>> sched ^ schedsock
set(['sa_family_t'])


  #include <linux/sched.h>
  #include <linux/sock.h>
  #include <linux/mm.h>

INFO:generate:module ctypes_linux_generated has 405 members for 405 class

>>> schedsock ^ schedsockmm
set(['N5pte_t4DOT_16E', 'pte_t', 'pte_fn_t', 'compound_page_dtor', 'work_fn_t', 'vm_fault'])


  #include <linux/sched.h>
  #include <linux/sock.h>
  #include <linux/mm.h>
  #include <linux/net.h>

INFO:generate:module ctypes_linux_generated has 405 members for 405 class
>>> schedsockmm ^ schedsockmmnet
set([])




import ctypes_linux_generated_sched
import ctypes_linux_generated_schedsock
sched = set(ctypes_linux_generated_sched.__dict__)
schedsock = set(ctypes_linux_generated_schedsock.__dict__)
sched ^ schedsock

import ctypes_linux_generated_schedsockmm
schedsockmm = set(ctypes_linux_generated_schedsockmm.__dict__)
schedsock ^ schedsockmm

import ctypes_linux_generated_schedsockmmnet
schedsockmmnet = set(ctypes_linux_generated_schedsockmmnet.__dict__)
schedsockmm ^ schedsockmmnet


have to disable CONFIG_STRICT_DEVMEM

avec volatility :
init_task = 0xc034e300
0xc034e300 - 0x34e3d4
0xbfffff2cL

DTB value : Directory Table Base
>>> hex(3915776)
'0x3bc000'

c037f000 T __init_begin
....
c03bc000 B __bss_start
c03bc000 B __init_end
c03bc000 B swapper_pg_dir

virtual to physical is done by vtop()



TESTS :
jal@skippy:~/Compil/ctypes-kernel$ haystack --string --memfile 2.6.35-28-generic-pae-kmem.memdump kernel.ctypes_linux.task_struct refresh 0x0008056e0 > out/init_task
give swapper pid 0
0x0008056e0 = @initTaskAddr - base_offset 0x0c000000


tasks (@0x9f871e8) : {	<kernel.ctypes_linux_generated.list_head object at 0x9e2ddac>
next (@0x9f871e8) : 0xf74701b0 (FIELD NOT LOADED)
prev (@0x9f871ec) : 0xf3793470 (FIELD NOT LOADED)

>>> b=0xf74701b0
>>> hex(0xffffffff-b)
'0x8b8fe4f'
0x08b8fe4f

haystack --string --memfile 2.6.35-28-generic-pae-kmem.memdump kernel.ctypes_linux_generated.list_head refresh 0x08b8fe4f > out/next_head
 NNNNNOOOOOPE