python-haystack extensions for kernel structures


Useless proof of concept based on python-haystack.
A total volatility ripoff and a seriously flawed, non-cross-platform forensic tool.

ctypes-kernel is an extension to haystack for kernel structures.
Its purpose is to be a simple 'volatility' for Linux kernels.
It could easily be extended to other systems' memdumps...

Basic idea:
  a) convert kernel headers to ctypes using the ctypeslib tools (kernel-config specific).
  b) get a kernel memdump and a System.map.
  c) map the ctypes classes onto the memdump.
    c2) use them as-is
  d) translate the ctypes classes to POPOs.
  e) done, you can play with kernel structures.

optional f) : You don't have the, you can search for C structures with python-haystack.

  #include <linux/sched.h>

INFO:generate:module ctypes_linux_generated has 398 members for 398 class

  #include <linux/sched.h>
  #include <linux/sock.h>

INFO:generate:module ctypes_linux_generated has 399 members for 399 class

>>> sched ^ schedsock

  #include <linux/sched.h>
  #include <linux/sock.h>
  #include <linux/mm.h>

INFO:generate:module ctypes_linux_generated has 405 members for 405 class

>>> schedsock ^ schedsockmm
set(['N5pte_t4DOT_16E', 'pte_t', 'pte_fn_t', 'compound_page_dtor', 'work_fn_t', 'vm_fault'])

  #include <linux/sched.h>
  #include <linux/sock.h>
  #include <linux/mm.h>
  #include <linux/net.h>

INFO:generate:module ctypes_linux_generated has 405 members for 405 class
>>> schedsockmm ^ schedsockmmnet

# Each ctypes_linux_generated_* module is the ctypeslib output for one of the
# #include sets above. The symmetric difference (^) of their name sets shows
# which types each additional header brought in.
import ctypes_linux_generated_sched
import ctypes_linux_generated_schedsock
sched = set(ctypes_linux_generated_sched.__dict__)
schedsock = set(ctypes_linux_generated_schedsock.__dict__)
sched ^ schedsock          # names added by linux/sock.h

import ctypes_linux_generated_schedsockmm
schedsockmm = set(ctypes_linux_generated_schedsockmm.__dict__)
schedsock ^ schedsockmm    # names added by linux/mm.h

import ctypes_linux_generated_schedsockmmnet
schedsockmmnet = set(ctypes_linux_generated_schedsockmmnet.__dict__)
schedsockmm ^ schedsockmmnet   # names added by linux/net.h

You have to disable CONFIG_STRICT_DEVMEM.

with volatility:
init_task = 0xc034e300
0xc034e300 - 0x34e3d4

DTB value: Directory Table Base
>>> hex(3915776)
'0x3bc000'

c037f000 T __init_begin
c03bc000 B __bss_start
c03bc000 B __init_end
c03bc000 B swapper_pg_dir

Virtual-to-physical translation is done by vtop().

jal@skippy:~/Compil/ctypes-kernel$ haystack --string --memfile 2.6.35-28-generic-pae-kmem.memdump kernel.ctypes_linux.task_struct refresh 0x0008056e0 > out/init_task
gives swapper (pid 0)
0x0008056e0 = @initTaskAddr - base_offset 0x0c000000

tasks (@0x9f871e8) : {	<kernel.ctypes_linux_generated.list_head object at 0x9e2ddac>
next (@0x9f871e8) : 0xf74701b0 (FIELD NOT LOADED)
prev (@0x9f871ec) : 0xf3793470 (FIELD NOT LOADED)

>>> b=0xf74701b0
>>> hex(0xffffffff-b)
'0x8b8fe4f'

haystack --string --memfile 2.6.35-28-generic-pae-kmem.memdump kernel.ctypes_linux_generated.list_head refresh 0x08b8fe4f > out/next_head
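Steps c) to e) above, together with the list_head hop from init_task.tasks.next that the two `refresh` commands do by hand, as an added example that is not part of ctypes-kernel or python-haystack: a hand-written `task_struct`/`list_head` pair in ctypes is mapped onto a constructed memory image with a lowmem `vtop()` (physical = virtual - PAGE_OFFSET; the 0xC0000000 value, the struct layout, the addresses and the process names are all assumptions), and the task ring is then walked with container_of-style offset arithmetic. Every pointer hop is bounds-checked against the image, so a pointer the dump cannot satisfy (what haystack reports as FIELD NOT LOADED) ends the walk with an error instead of a crash or an endless loop around a corrupted ring.

```python
import ctypes

# Assumed 32-bit lowmem mapping: physical = virtual - PAGE_OFFSET (constructed value).
PAGE_OFFSET = 0xC0000000


class list_head(ctypes.LittleEndianStructure):
    """Kernel struct list_head as two 32-bit pointers (assumed ILP32 layout)."""
    _fields_ = [("next", ctypes.c_uint32), ("prev", ctypes.c_uint32)]


class task_struct(ctypes.LittleEndianStructure):
    """Deliberately tiny stand-in for the real task_struct; only what the walk needs."""
    _fields_ = [("pid", ctypes.c_int32),
                ("tasks", list_head),
                ("comm", ctypes.c_char * 16)]


TASKS_OFFSET = task_struct.tasks.offset   # container_of() offset of .tasks inside task_struct


class MemDump:
    """A flat physical memory image plus the lowmem vtop() used to follow pointers."""

    def __init__(self, data, page_offset=PAGE_OFFSET):
        self.data = data
        self.page_offset = page_offset

    def vtop(self, vaddr):
        paddr = vaddr - self.page_offset
        if not 0 <= paddr < len(self.data):
            raise ValueError("virtual address 0x%x is outside the dump" % vaddr)
        return paddr

    def load(self, cls, vaddr):
        """Map a ctypes class onto the dump at a virtual address (step c above)."""
        off = self.vtop(vaddr)
        if off + ctypes.sizeof(cls) > len(self.data):
            raise ValueError("structure at 0x%x runs past the end of the dump" % vaddr)
        return cls.from_buffer_copy(self.data, off)


def walk_tasks(dump, init_task_vaddr, max_tasks=4096):
    """Return [(pid, comm), ...] by following init_task.tasks.next around the ring.

    The list is circular, so the walk ends when .next points back at
    init_task.tasks. A corrupted dump can point anywhere, so every hop is
    bounds-checked by vtop()/load() and the hop count is capped.
    """
    head_vaddr = init_task_vaddr + TASKS_OFFSET
    found = []
    cur = init_task_vaddr
    for _ in range(max_tasks):
        ts = dump.load(task_struct, cur)
        found.append((ts.pid, ts.comm.decode("ascii", "replace")))
        if ts.tasks.next == head_vaddr:
            return found
        cur = ts.tasks.next - TASKS_OFFSET     # list_head -> enclosing task_struct
    raise ValueError("task list did not return to init_task within %d hops" % max_tasks)


def build_sample_dump():
    """Constructed image: three tasks at arbitrary lowmem addresses, linked in a ring."""
    buf = bytearray(0x3000)
    addrs = [PAGE_OFFSET + 0x100, PAGE_OFFSET + 0x1200, PAGE_OFFSET + 0x2400]
    procs = [(0, b"swapper"), (1, b"init"), (42, b"sshd")]
    for i, (pid, comm) in enumerate(procs):
        ts = task_struct(pid=pid, comm=comm)
        ts.tasks.next = addrs[(i + 1) % 3] + TASKS_OFFSET
        ts.tasks.prev = addrs[(i - 1) % 3] + TASKS_OFFSET
        p = addrs[i] - PAGE_OFFSET
        buf[p:p + ctypes.sizeof(task_struct)] = bytes(ts)
    return bytes(buf), addrs[0]


def walk_corrupted():
    """Same image, but init_task.tasks.next overwritten with a pointer outside the dump."""
    data, init_task = build_sample_dump()
    buf = bytearray(data)
    p = init_task - PAGE_OFFSET + TASKS_OFFSET
    buf[p:p + 4] = (0xF74701B0).to_bytes(4, "little")   # constructed bogus pointer
    try:
        walk_tasks(MemDump(bytes(buf)), init_task)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    data, init_task = build_sample_dump()
    for pid, comm in walk_tasks(MemDump(data), init_task):
        print("pid %5d  comm %s" % (pid, comm))
    print("corrupted dump ->", walk_corrupted())
```

On a real dump the `task_struct` class would come from the ctypeslib-generated module and `PAGE_OFFSET` from the kernel config (or a page-table walk from swapper_pg_dir for addresses outside lowmem); the bounds checks and the hop cap are what keep the walk safe when the image is truncated or the list has been tampered with.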