Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/trolldbois/ctypes-kernel
python-haystack extensions for kernel structures
https://github.com/trolldbois/ctypes-kernel
Last synced: about 1 month ago
JSON representation
python-haystack extensions for kernel structures
- Host: GitHub
- URL: https://github.com/trolldbois/ctypes-kernel
- Owner: trolldbois
- Created: 2011-03-30T00:56:24.000Z (over 13 years ago)
- Default Branch: master
- Last Pushed: 2011-07-28T03:34:00.000Z (over 13 years ago)
- Last Synced: 2024-05-01T19:19:28.062Z (7 months ago)
- Language: C
- Homepage:
- Size: 266 KB
- Stars: 5
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README
Awesome Lists containing this project
README
Useless proof of concept base on python-haystack.
Total volatility ripoff and seriously flawed non-cross platform forensic tool.
ctypes-kernel is an extension to haystack, for kernel structures.
It's purpose is to be a simple 'volatility' for linux kernels.
It could easily be extended to other system memdump's...
Basic Idea :
a) convert Kernel headers to ctypes using ctypeslib tools. (kernel config specific)
b) get a kernel memdump and a system map.
c) map ctypes classes onto the memdump.
c2) use them, as-is
d) translate ctypes classes to POPOs.
e) done, you can play with kernel structures.
optional f) : You don't have the system.map, you can search for C structures with python-haystack.
#include
INFO:generate:module ctypes_linux_generated has 398 members for 398 class
#include
#include
INFO:generate:module ctypes_linux_generated has 399 members for 399 class
>>> sched ^ schedsock
set(['sa_family_t'])
#include
#include
#include
INFO:generate:module ctypes_linux_generated has 405 members for 405 class
>>> schedsock ^ schedsockmm
set(['N5pte_t4DOT_16E', 'pte_t', 'pte_fn_t', 'compound_page_dtor', 'work_fn_t', 'vm_fault'])
#include
#include
#include
#include
INFO:generate:module ctypes_linux_generated has 405 members for 405 class
>>> schedsockmm ^ schedsockmmnet
set([])
import ctypes_linux_generated_sched
import ctypes_linux_generated_schedsock
sched = set(ctypes_linux_generated_sched.__dict__)
schedsock = set(ctypes_linux_generated_schedsock.__dict__)
sched ^ schedsock
import ctypes_linux_generated_schedsockmm
schedsockmm = set(ctypes_linux_generated_schedsockmm.__dict__)
schedsock ^ schedsockmm
import ctypes_linux_generated_schedsockmmnet
schedsockmmnet = set(ctypes_linux_generated_schedsockmmnet.__dict__)
schedsockmm ^ schedsockmmnet
have to disable CONFIG_STRICT_DEVMEM
avec volatility :
init_task = 0xc034e300
0xc034e300 - 0x34e3d4
0xbfffff2cL
DTB value : Directory Table Base
>>> hex(3915776)
'0x3bc000'
c037f000 T __init_begin
....
c03bc000 B __bss_start
c03bc000 B __init_end
c03bc000 B swapper_pg_dir
virtual to physical is done by vtop()
TESTS :
jal@skippy:~/Compil/ctypes-kernel$ haystack --string --memfile 2.6.35-28-generic-pae-kmem.memdump kernel.ctypes_linux.task_struct refresh 0x0008056e0 > out/init_task
give swapper pid 0
0x0008056e0 = @initTaskAddr - base_offset 0x0c000000
tasks (@0x9f871e8) : {
next (@0x9f871e8) : 0xf74701b0 (FIELD NOT LOADED)
prev (@0x9f871ec) : 0xf3793470 (FIELD NOT LOADED)
>>> b=0xf74701b0
>>> hex(0xffffffff-b)
'0x8b8fe4f'
0x08b8fe4f
haystack --string --memfile 2.6.35-28-generic-pae-kmem.memdump kernel.ctypes_linux_generated.list_head refresh 0x08b8fe4f > out/next_head
NNNNNOOOOOPE