Nested reflected memory introspection (type extraction)
Sounds funny? What we're looking to provide is a recursive memory translation layer that reflects symbol (PDB) information to populate the type system at runtime.
Analyze.py has an example of using this to walk the _EPROCESS ActiveProcessLinks list.
Using the typedef returned by vtero.SymForKernel.xStructInfo(symFile, "_EPROCESS") we can extract any type information we like and have it dynamically populated into the runtime as properties in an object hierarchy.
A LIST_ENTRY is usually reached through a pointer that does not point at the start of the containing typedef, so the offset of the LIST_ENTRY member within the structure has to be subtracted to recover the structure base (the CONTAINING_RECORD idiom). Any member can be located at its byte position with the "OffsetPos" property; this is what the LIST_ENTRY traversal below uses.
More complex type walking can be done. The string handling below could be automated to an extent as well: checking IsPtr on a member tells you whether a secondary virtual read is needed to reach the actual data, which is always the case for strings (a UNICODE_STRING holds a length and a pointer, not the characters themselves).
```python
# Example of walking the process list.
# IronPython: run inside the inVtero.net shell, where 'vtero' is the loaded instance.
from System import Text   # .NET System.Text, used to decode the UTF-16 image path

def WalkProcListExample():
    #
    # WALK _EPROCESS LIST
    #
    # Get the detected symbol file to use for the loaded vtero instance
    symFile = ""
    for pdb in vtero.KernelProc.PDBFiles:
        if pdb.Contains("ntkrnlmp"):
            symFile = pdb
    # Get a typedef; OffsetPos gives the byte offset of a member within the structure
    x = vtero.SymForKernel.xStructInfo(symFile, "_EPROCESS")
    ProcListOffsetOf = x.ActiveProcessLinks.Flink.OffsetPos
    ImagePath = ""
    # PsActiveProcessHead is a bare LIST_ENTRY in ntoskrnl's data, not a field of any _EPROCESS
    psHead = vtero.GetSymValueLong(vtero.KernelProc, "PsActiveProcessHead")
    _EPROC_ADDR = psHead
    while True:
        # _EPROC_ADDR points at the embedded LIST_ENTRY, so subtract its offset to get the _EPROCESS base.
        # GetVirtualLong returns an array of 64-bit values; index it by byte offset / 8.
        memRead = vtero.KernelProc.GetVirtualLong(_EPROC_ADDR - ProcListOffsetOf)
        _EPROC = vtero.SymForKernel.xStructInfo(symFile, "_EPROCESS", memRead)
        # prep and acquire memory for strings
        # TODO: We should scan structures for UNICODE_STRING automatically since extracting them is something * wants
        ImagePtrIndex = _EPROC.SeAuditProcessCreationInfo.ImageFileName.OffsetPos / 8
        ImagePathPtr = memRead[ImagePtrIndex]
        if ImagePathPtr != 0:
            # ImageFileName points at an _OBJECT_NAME_INFORMATION; its UNICODE_STRING header is 0x10 bytes
            # on x64 and the characters follow the header directly, hence the +0x10
            ImagePathArr = vtero.KernelProc.GetVirtualByte(ImagePathPtr + 0x10)
            ImagePath = Text.Encoding.Unicode.GetString(ImagePathArr).Split('\x00')[0]
        else:
            ImagePath = ""
        _EPROC_ADDR = memRead[ProcListOffsetOf / 8]   # Flink of this entry
        print "Process ID [" + _EPROC.UniqueProcessId.Value.ToString("X") + "] EXE [" + ImagePath,
        print "] CR3/DTB [" + _EPROC.Pcb.DirectoryTableBase.Value.ToString("X") + "] VADROOT [" + _EPROC.VadRoot.Value.ToString("X") + "]"
        if _EPROC_ADDR == psHead:
            break
```
And here's the output. Note the final line: PID 0 with a kernel virtual address where the DTB should be is PsActiveProcessHead itself decoded as if it were an _EPROCESS (the head is a bare LIST_ENTRY in ntoskrnl's data, not part of any process), so that entry should be discarded.
```
>>> WalkProcListExample()
Process ID [4] EXE [??? ] CR3/DTB [1AA000] VADROOT [FFFFE00173B84E30]
Process ID [E8] EXE [\Device\HarddiskVolume2\Windows\System32\smss.exe ] CR3/DTB [103070000] VADROOT [FFFFE001746AA360]
Process ID [144] EXE [\Device\HarddiskVolume2\Windows\System32\csrss.exe ] CR3/DTB [3013000] VADROOT [FFFFE00174A1E480]
Process ID [184] EXE [\Device\HarddiskVolume2\Windows\System32\csrss.exe ] CR3/DTB [105D06000] VADROOT [FFFFE00174A98970]
Process ID [18C] EXE [\Device\HarddiskVolume2\Windows\System32\wininit.exe ] CR3/DTB [105919000] VADROOT [FFFFE00174AD34D0]
Process ID [1B8] EXE [\Device\HarddiskVolume2\Windows\System32\services.exe ] CR3/DTB [10AB2C000] VADROOT [FFFFE00173C85300]
Process ID [1C0] EXE [\Device\HarddiskVolume2\Windows\System32\WerFault.exe ] CR3/DTB [10AD37000] VADROOT [0]
Process ID [1C8] EXE [\Device\HarddiskVolume2\Windows\System32\lsass.exe ] CR3/DTB [10593F000] VADROOT [FFFFE00173C84B20]
Process ID [210] EXE [\Device\HarddiskVolume2\Windows\System32\svchost.exe ] CR3/DTB [1D55000] VADROOT [FFFFE00174A1FCC0]
Process ID [250] EXE [\Device\HarddiskVolume2\Windows\System32\winlogon.exe ] CR3/DTB [10A40C000] VADROOT [FFFFE00174AD9EF0]
Process ID [264] EXE [\Device\HarddiskVolume2\Windows\System32\svchost.exe ] CR3/DTB [10A068000] VADROOT [FFFFE00174BFA570]
Process ID [2C0] EXE [\Device\HarddiskVolume2\Windows\System32\dwm.exe ] CR3/DTB [1070D6000] VADROOT [FFFFE00174D6F5C0]
Process ID [2D8] EXE [\Device\HarddiskVolume2\Windows\System32\svchost.exe ] CR3/DTB [10849A000] VADROOT [FFFFE00175384380]
Process ID [300] EXE [\Device\HarddiskVolume2\Windows\System32\svchost.exe ] CR3/DTB [1086F6000] VADROOT [FFFFE00174AB7D40]
Process ID [334] EXE [\Device\HarddiskVolume2\Windows\System32\svchost.exe ] CR3/DTB [1096C3000] VADROOT [FFFFE00174FE9BA0]
Process ID [388] EXE [\Device\HarddiskVolume2\Windows\System32\svchost.exe ] CR3/DTB [1036CB000] VADROOT [FFFFE00174DA84F0]
Process ID [12C] EXE [\Device\HarddiskVolume2\Windows\System32\svchost.exe ] CR3/DTB [2EDA000] VADROOT [FFFFE00174E1A830]
Process ID [2D0] EXE [\Device\HarddiskVolume2\Windows\System32\spoolsv.exe ] CR3/DTB [59EB000] VADROOT [FFFFE00174EB9220]
Process ID [270] EXE [\Device\HarddiskVolume2\Windows\System32\svchost.exe ] CR3/DTB [67F3000] VADROOT [FFFFE00175EA3290]
Process ID [63C] EXE [\Device\HarddiskVolume2\Windows\System32\taskhostex.exe ] CR3/DTB [C447000] VADROOT [FFFFE0017511D4E0]
Process ID [6A4] EXE [\Device\HarddiskVolume2\Windows\explorer.exe ] CR3/DTB [DD2F000] VADROOT [FFFFE00174E3F610]
Process ID [58C] EXE [\Device\HarddiskVolume2\Windows\System32\ServerManager.exe ] CR3/DTB [12DB2000] VADROOT [FFFFE00175138540]
Process ID [5A4] EXE [\Device\HarddiskVolume2\Windows\System32\Taskmgr.exe ] CR3/DTB [25D3B000] VADROOT [FFFFE001764571E0]
Process ID [500] EXE [\Device\HarddiskVolume2\Windows\System32\msdtc.exe ] CR3/DTB [32573000] VADROOT [FFFFE001751F49B0]
Process ID [120] EXE [\Device\HarddiskVolume2\Windows\System32\cmd.exe ] CR3/DTB [2587F000] VADROOT [FFFFE001751A2940]
Process ID [4D8] EXE [\Device\HarddiskVolume2\Windows\System32\conhost.exe ] CR3/DTB [510AC000] VADROOT [FFFFE00174F6B430]
Process ID [76C] EXE [\Device\HarddiskVolume2\Users\Administrator\Downloads\osrbang.exe ] CR3/DTB [512BB000] VADROOT [FFFFE00175371E10]
Process ID [0] EXE [ ] CR3/DTB [FFFFF80104F8B458] VADROOT [0]
```
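The walk above runs against live vtero objects, so it only works inside the inVtero.net shell. What follows is an added example, not the project's code, that reproduces the same technique in plain Python 3 against a constructed in-memory image: a bare list head standing in for PsActiveProcessHead, records with a LIST_ENTRY at a known offset, the CONTAINING_RECORD subtraction the page does with OffsetPos, and the second read that a pointer member (IsPtr) such as a UNICODE_STRING requires. The record layout, the FakeKernelMemory class, HEAD_VA and the sample PIDs, DTBs and paths are assumptions constructed for the example (the values copy the first lines of the output above). It also adds the checks a forensic walker should make that the page's loop does not: the head is never decoded as a record, each entry's Flink/Blink consistency is verified, and a cycle bound stops a corrupted list. unlink_entry shows the DKOM-style splice that hides a process from a pure list walk while leaving the list consistent, which is why list walking is normally cross-checked against pool scanning.

```python
import struct

# Constructed layout for a simplified x64 process record. These offsets are
# assumptions for this example; real _EPROCESS offsets come from the PDB
# (xStructInfo(...).ActiveProcessLinks.Flink.OffsetPos in inVtero.net).
# Fields: UniqueProcessId, ActiveProcessLinks, DirectoryTableBase, image-name pointer
PID_OFF, LINKS_OFF, DTB_OFF, NAME_PTR_OFF = 0x00, 0x08, 0x18, 0x20
BASE = 0xFFFFE00000000000  # base of the constructed "kernel" image
HEAD_VA = BASE             # stands in for PsActiveProcessHead: a bare LIST_ENTRY outside any record

class FakeKernelMemory:
    # Flat byte image addressed by VA; stands in for GetVirtualLong / GetVirtualByte
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def _off(self, va, n):
        off = va - self.base
        if off < 0 or off + n > len(self.buf):
            raise ValueError("unmapped VA 0x%x" % va)
        return off

    def read_u64(self, va):
        return struct.unpack_from("<Q", self.buf, self._off(va, 8))[0]

    def write_u64(self, va, val):
        struct.pack_into("<Q", self.buf, self._off(va, 8), val)

    def read_bytes(self, va, n):
        o = self._off(va, n)
        return bytes(self.buf[o:o + n])

    def write_bytes(self, va, data):
        o = self._off(va, len(data))
        self.buf[o:o + len(data)] = data

def read_unicode_string(mem, us_va):
    # UNICODE_STRING {Length:u16, MaximumLength:u16, pad, Buffer:u64}: the struct
    # holds a pointer (IsPtr), so the characters need a second virtual read.
    if us_va == 0:
        return ""
    length = struct.unpack("<H", mem.read_bytes(us_va, 2))[0]
    buffer_va = mem.read_u64(us_va + 8)
    if buffer_va == 0 or length == 0:
        return ""
    return mem.read_bytes(buffer_va, length).decode("utf-16-le")

def walk_process_list(mem, head_va, links_off, max_entries=4096):
    # Walk the LIST_ENTRY ring from a head that is not embedded in any record.
    # Each link VA becomes a record base by subtracting the member offset
    # (CONTAINING_RECORD); the head itself is never decoded as a record.
    procs, seen = [], set()
    link = mem.read_u64(head_va)  # head.Flink -> first real entry
    while link != head_va:
        if link in seen or len(procs) >= max_entries:
            raise RuntimeError("list loops or exceeds %d entries" % max_entries)
        seen.add(link)
        rec = link - links_off
        flink = mem.read_u64(link)
        # Integrity check: the next entry's Blink must point back at this entry.
        consistent = mem.read_u64(flink + 8) == link
        procs.append({"va": rec,
                      "pid": mem.read_u64(rec + PID_OFF),
                      "dtb": mem.read_u64(rec + DTB_OFF),
                      "image": read_unicode_string(mem, mem.read_u64(rec + NAME_PTR_OFF)),
                      "consistent": consistent})
        link = flink
    return procs

def unlink_entry(mem, link_va):
    # DKOM-style unlink: splice the entry out while keeping Flink/Blink consistent,
    # so a list walk misses it and the consistency check above still passes.
    flink, blink = mem.read_u64(link_va), mem.read_u64(link_va + 8)
    mem.write_u64(blink, flink)      # prev.Flink = next
    mem.write_u64(flink + 8, blink)  # next.Blink = prev

def build_sample_image():
    # Constructed sample: head plus three records whose PIDs/DTBs/paths mirror
    # the first lines of the output above (System has no image path).
    mem = FakeKernelMemory(BASE, 0x4000)
    sample = [(4, 0x1AA000, None),
              (0xE8, 0x103070000, r"\Device\HarddiskVolume2\Windows\System32\smss.exe"),
              (0x144, 0x3013000, r"\Device\HarddiskVolume2\Windows\System32\csrss.exe")]
    recs = [BASE + 0x100 + i * 0x80 for i in range(len(sample))]
    for i, (rec, (pid, dtb, path)) in enumerate(zip(recs, sample)):
        mem.write_u64(rec + PID_OFF, pid)
        mem.write_u64(rec + DTB_OFF, dtb)
        if path is not None:
            blob, chars = BASE + 0x1000 + i * 0x200, path.encode("utf-16-le")
            # Buffer points just past the 0x10-byte header, which is why the page's
            # code reads the characters at ImagePathPtr + 0x10.
            mem.write_bytes(blob, struct.pack("<HH4xQ", len(chars), len(chars) + 2, blob + 0x10) + chars + b"\x00\x00")
            mem.write_u64(rec + NAME_PTR_OFF, blob)
    nodes = [HEAD_VA] + [r + LINKS_OFF for r in recs]  # ring: head -> rec0 -> rec1 -> rec2 -> head
    for i, n in enumerate(nodes):
        mem.write_u64(n, nodes[(i + 1) % len(nodes)])      # Flink
        mem.write_u64(n + 8, nodes[(i - 1) % len(nodes)])  # Blink
    return mem
```

Calling `walk_process_list(build_sample_image(), HEAD_VA, LINKS_OFF)` returns the three records in list order with every entry marked consistent; after `unlink_entry` on the second record's LIST_ENTRY the walk returns only two and still reports the list as consistent, which is exactly the blind spot a list-only process enumeration has. Zeroing one Blink flags the preceding entry as inconsistent, and pointing a Flink back at an earlier entry raises instead of spinning forever.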