Usage reference guide for haystack-reverse

This is an example of every haystack-reverse command.

The zeus.vmem.856.dump is available at https://dl.dropboxusercontent.com/u/10222931/HAYSTACK/zeus.vmem.856.dump.tgz

It was extracted from pid 856 of the zeus.img image from http://malwarecookbook.googlecode.com/svn-history/r26/trunk/17/1/zeus.vmem.zip


In [1]:
!haystack-reverse --help


usage: haystack-reverse [-h] [--debug | --quiet] [--interactive] [--nommap] dump_folder_name

Reverse the data structure from the process memoryThe process dump is a folder produced by a haystack-dump script.

positional arguments:
  dump_folder_name  Use this memory dump folder

optional arguments:
  -h, --help        show this help message and exit
  --debug           Set verbosity to DEBUG
  --quiet           Set verbosity to ERROR only
  --interactive     drop to python command line after action
  --nommap          disable mmap()-ing

First we need to generate the analysis for the process memory dump.


In [3]:
!haystack-reverse ../test/dumps/vol/zeus.vmem.856.dump


INFO:reverse.api:Reversing Fields
INFO:model:[+] <FieldReverser>: START
INFO:model:[+] <FieldReverser>: START on heap 0x90000
INFO:model:[+] <FieldReverser>: START on heap 0x190000
INFO:model:[+] <FieldReverser>: START on heap 0x1a0000
INFO:model:[+] <FieldReverser>: START on heap 0x350000
INFO:model:[+] <FieldReverser>: START on heap 0x3b0000
INFO:model:[+] <FieldReverser>: START on heap 0x460000
INFO:model:[+] <FieldReverser>: START on heap 0xc30000
INFO:model:[+] <FieldReverser>: START on heap 0xd60000
INFO:model:[+] <FieldReverser>: START on heap 0xe20000
INFO:model:[+] <FieldReverser>: START on heap 0xe80000
INFO:model:[+] <FieldReverser>: START on heap 0x7f6f0000
INFO:reverse.api:Fixing Text Fields
INFO:model:[+] <TextFieldCorrection>: START
INFO:model:[+] <TextFieldCorrection>: START on heap 0x90000
INFO:model:[+] <TextFieldCorrection>: START on heap 0x190000
INFO:model:[+] <TextFieldCorrection>: START on heap 0x1a0000
INFO:model:[+] <TextFieldCorrection>: START on heap 0x350000
INFO:model:[+] <TextFieldCorrection>: START on heap 0x3b0000
INFO:model:[+] <TextFieldCorrection>: START on heap 0x460000
INFO:model:[+] <TextFieldCorrection>: START on heap 0xc30000
INFO:model:[+] <TextFieldCorrection>: START on heap 0xd60000
INFO:model:[+] <TextFieldCorrection>: START on heap 0xe20000
INFO:model:[+] <TextFieldCorrection>: START on heap 0xe80000
INFO:model:[+] <TextFieldCorrection>: START on heap 0x7f6f0000
INFO:reverse.api:Reversing DoubleLinkedListReverser
INFO:model:[+] <DoubleLinkedListReverser>: START
INFO:model:[+] <DoubleLinkedListReverser>: START on heap 0x90000
INFO:model:[+] <DoubleLinkedListReverser>: START on heap 0x190000
INFO:model:[+] <DoubleLinkedListReverser>: START on heap 0x1a0000
INFO:model:[+] <DoubleLinkedListReverser>: START on heap 0x350000
INFO:model:[+] <DoubleLinkedListReverser>: START on heap 0x3b0000
INFO:model:[+] <DoubleLinkedListReverser>: START on heap 0x460000
INFO:model:[+] <DoubleLinkedListReverser>: START on heap 0xc30000
INFO:model:[+] <DoubleLinkedListReverser>: START on heap 0xd60000
INFO:model:[+] <DoubleLinkedListReverser>: START on heap 0xe20000
INFO:model:[+] <DoubleLinkedListReverser>: START on heap 0xe80000
INFO:model:[+] <DoubleLinkedListReverser>: START on heap 0x7f6f0000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x190000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x190000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x190000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x190000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x190000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x190000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x190000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x190000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x190000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x190000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x190000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x190000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:model:[+] <CommonTypeReverser>: START
INFO:model:[+] <CommonTypeReverser>: START on heap 0x90000
INFO:reverse.api:Reversing PointerFields
INFO:model:[+] <PointerFieldReverser>: START
INFO:model:[+] <PointerFieldReverser>: START on heap 0x90000
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
INFO:model:[+] <PointerFieldReverser>: START on heap 0x190000
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
INFO:model:[+] <PointerFieldReverser>: START on heap 0x1a0000
INFO:model:[+] <PointerFieldReverser>: START on heap 0x350000
INFO:model:[+] <PointerFieldReverser>: START on heap 0x3b0000
INFO:model:[+] <PointerFieldReverser>: START on heap 0x460000
INFO:model:[+] <PointerFieldReverser>: START on heap 0xc30000
INFO:model:[+] <PointerFieldReverser>: START on heap 0xd60000
INFO:model:[+] <PointerFieldReverser>: START on heap 0xe20000
INFO:model:[+] <PointerFieldReverser>: START on heap 0xe80000
INFO:model:[+] <PointerFieldReverser>: START on heap 0x7f6f0000
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
INFO:reverse.api:Saving reversed records instances
INFO:context:	[.] saved in 6.64 secs
INFO:reverse.api:[+] saving headers
INFO:context:	[.] saved in 0.43 secs
INFO:reverse.api:[+] saving headers
INFO:context:	[.] saved in 0.01 secs
INFO:reverse.api:[+] saving headers
INFO:context:	[.] saved in 0.02 secs
INFO:reverse.api:[+] saving headers
INFO:context:	[.] saved in 0.17 secs
INFO:reverse.api:[+] saving headers
INFO:context:	[.] saved in 0.07 secs
INFO:reverse.api:[+] saving headers
INFO:context:	[.] saved in 0.08 secs
INFO:reverse.api:[+] saving headers
INFO:context:	[.] saved in 0.00 secs
INFO:reverse.api:[+] saving headers
INFO:context:	[.] saved in 0.20 secs
INFO:reverse.api:[+] saving headers
INFO:context:	[.] saved in 0.12 secs
INFO:reverse.api:[+] saving headers
INFO:context:	[.] saved in 0.01 secs
INFO:reverse.api:[+] saving headers
INFO:reverse.api:Saving reversed records types
INFO:reverse.api:Reversing PointerGraph
INFO:model:[+] <PointerGraphReverser>: START
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
INFO:reversers:[+] Heap 0x90000 Graph += 2660 Nodes
INFO:reversers:[+] Heap 0x90000 Graph += 3814 Edges
INFO:reversers:[+] Heap 0x190000 Graph += 139 Nodes
INFO:reversers:[+] Heap 0x190000 Graph += 269 Edges
INFO:reversers:[+] Heap 0x1a0000 Graph += 0 Nodes
INFO:reversers:[+] Heap 0x1a0000 Graph += 0 Edges
INFO:reversers:[+] Heap 0x350000 Graph += 1 Nodes
INFO:reversers:[+] Heap 0x350000 Graph += 0 Edges
INFO:reversers:[+] Heap 0x3b0000 Graph += 2 Nodes
INFO:reversers:[+] Heap 0x3b0000 Graph += 1 Edges
INFO:reversers:[+] Heap 0x460000 Graph += 1 Nodes
INFO:reversers:[+] Heap 0x460000 Graph += 0 Edges
INFO:reversers:[+] Heap 0xc30000 Graph += 110 Nodes
INFO:reversers:[+] Heap 0xc30000 Graph += 97 Edges
INFO:reversers:[+] Heap 0xd60000 Graph += 79 Nodes
INFO:reversers:[+] Heap 0xd60000 Graph += 73 Edges
INFO:reversers:[+] Heap 0xe20000 Graph += 8 Nodes
INFO:reversers:[+] Heap 0xe20000 Graph += 4 Edges
INFO:reversers:[+] Heap 0xe80000 Graph += 6 Nodes
INFO:reversers:[+] Heap 0xe80000 Graph += 4 Edges
WARNING:utils:misuse of closestFloorValue
WARNING:utils:misuse of closestFloorValue
INFO:reversers:[+] Heap 0x7f6f0000 Graph += 95 Nodes
INFO:reversers:[+] Heap 0x7f6f0000 Graph += 166 Edges
INFO:reversers:[+] Process Graph == 3079 Nodes
INFO:reversers:[+] Process Graph == 4428 Edges
INFO:reversers:[+] Process Heaps Graph == 2265 Nodes
INFO:reversers:[+] Process Heaps Graph == 2462 Edges
INFO:reverse.api:Reversing strings
INFO:model:[+] <StringsReverser>: START
INFO:model:[+] <StringsReverser>: START on heap 0x90000
INFO:model:[+] <StringsReverser>: START on heap 0x190000
INFO:model:[+] <StringsReverser>: START on heap 0x1a0000
INFO:model:[+] <StringsReverser>: START on heap 0x350000
INFO:model:[+] <StringsReverser>: START on heap 0x3b0000
INFO:model:[+] <StringsReverser>: START on heap 0x460000
INFO:model:[+] <StringsReverser>: START on heap 0xc30000
INFO:model:[+] <StringsReverser>: START on heap 0xd60000
INFO:model:[+] <StringsReverser>: START on heap 0xe20000
INFO:model:[+] <StringsReverser>: START on heap 0xe80000
INFO:model:[+] <StringsReverser>: START on heap 0x7f6f0000
INFO:reverse.api:Analysis results are in /home/other/Compil/python-haystack/test/dumps/vol/zeus.vmem.856.dump/cache

Then we can start to use some of the CLI tools on that analysis cache.


In [5]:
!ls -al ../test/dumps/vol/zeus.vmem.856.dump/cache/


total 4536
drwxrwxr-x 3 jal jal    4096 mar 15 17:14 .
drwxrwxr-x 3 jal jal   20480 jan 20 21:08 ..
-rw-rw-r-- 1 jal jal     228 mar 15 17:14 190000.ctx
-rw-rw-r-- 1 jal jal   42545 mar 15 17:14 190000.graph.gexf
-rw-rw-r-- 1 jal jal   97335 mar 15 17:14 190000.headers_values.py
-rw-rw-r-- 1 jal jal    1088 jan 20 21:08 190000.heap.pointers.offsets
-rw-rw-r-- 1 jal jal    1088 jan 20 21:08 190000.heap.pointers.values
-rw-rw-r-- 1 jal jal    1120 jan 20 21:08 190000.mchunks.addrs
-rw-rw-r-- 1 jal jal    1120 jan 20 21:08 190000.mchunks.sizes
-rw-rw-r-- 1 jal jal    3337 mar 15 17:14 190000.strings
-rw-rw-r-- 1 jal jal     228 mar 15 17:14 1a0000.ctx
-rw-rw-r-- 1 jal jal     318 mar 15 17:14 1a0000.graph.gexf
-rw-rw-r-- 1 jal jal       0 mar 15 17:14 1a0000.headers_values.py
-rw-rw-r-- 1 jal jal      80 jan 20 21:08 1a0000.heap.pointers.offsets
-rw-rw-r-- 1 jal jal      80 jan 20 21:08 1a0000.heap.pointers.values
-rw-rw-r-- 1 jal jal       0 mar 15 17:14 1a0000.strings
-rw-rw-r-- 1 jal jal     228 mar 15 17:14 350000.ctx
-rw-rw-r-- 1 jal jal     695 mar 15 17:14 350000.graph.gexf
-rw-rw-r-- 1 jal jal      87 mar 15 17:14 350000.headers_values.py
-rw-rw-r-- 1 jal jal      80 jan 20 21:08 350000.heap.pointers.offsets
-rw-rw-r-- 1 jal jal      80 jan 20 21:08 350000.heap.pointers.values
-rw-rw-r-- 1 jal jal      88 jan 20 21:08 350000.mchunks.addrs
-rw-rw-r-- 1 jal jal      88 jan 20 21:08 350000.mchunks.sizes
-rw-rw-r-- 1 jal jal       0 mar 15 17:14 350000.strings
-rw-rw-r-- 1 jal jal     228 mar 15 17:14 3b0000.ctx
-rw-rw-r-- 1 jal jal     814 mar 15 17:14 3b0000.graph.gexf
-rw-rw-r-- 1 jal jal    8194 mar 15 17:14 3b0000.headers_values.py
-rw-rw-r-- 1 jal jal      80 jan 20 21:08 3b0000.heap.pointers.offsets
-rw-rw-r-- 1 jal jal      80 jan 20 21:08 3b0000.heap.pointers.values
-rw-rw-r-- 1 jal jal      88 jan 20 21:08 3b0000.mchunks.addrs
-rw-rw-r-- 1 jal jal      88 jan 20 21:08 3b0000.mchunks.sizes
-rw-rw-r-- 1 jal jal       0 mar 15 17:14 3b0000.strings
-rw-rw-r-- 1 jal jal     228 mar 15 17:14 460000.ctx
-rw-rw-r-- 1 jal jal     695 mar 15 17:14 460000.graph.gexf
-rw-rw-r-- 1 jal jal      87 mar 15 17:14 460000.headers_values.py
-rw-rw-r-- 1 jal jal      80 jan 20 21:08 460000.heap.pointers.offsets
-rw-rw-r-- 1 jal jal      80 jan 20 21:08 460000.heap.pointers.values
-rw-rw-r-- 1 jal jal      88 jan 20 21:08 460000.mchunks.addrs
-rw-rw-r-- 1 jal jal      88 jan 20 21:08 460000.mchunks.sizes
-rw-rw-r-- 1 jal jal       0 mar 15 17:14 460000.strings
-rw-rw-r-- 1 jal jal     228 jan 22 16:22 531000.ctx
-rw-rw-r-- 1 jal jal     318 jan 22 16:22 531000.graph.gexf
-rw-rw-r-- 1 jal jal      80 jan 20 21:08 531000.heap.pointers.offsets
-rw-rw-r-- 1 jal jal      80 jan 20 21:08 531000.heap.pointers.values
-rw-rw-r-- 1 jal jal     231 mar 15 17:14 7f6f0000.ctx
-rw-rw-r-- 1 jal jal   27035 mar 15 17:14 7f6f0000.graph.gexf
-rw-rw-r-- 1 jal jal   34640 mar 15 17:14 7f6f0000.headers_values.py
-rw-rw-r-- 1 jal jal     424 jan 20 21:08 7f6f0000.heap.pointers.offsets
-rw-rw-r-- 1 jal jal     424 jan 20 21:08 7f6f0000.heap.pointers.values
-rw-rw-r-- 1 jal jal     592 jan 20 21:08 7f6f0000.mchunks.addrs
-rw-rw-r-- 1 jal jal     592 jan 20 21:08 7f6f0000.mchunks.sizes
-rw-rw-r-- 1 jal jal    1989 mar 15 17:14 7f6f0000.strings
-rw-rw-r-- 1 jal jal     227 mar 15 17:14 90000.ctx
-rw-rw-r-- 1 jal jal  623558 mar 15 17:14 90000.graph.gexf
-rw-rw-r-- 1 jal jal 1733271 mar 15 17:14 90000.headers_values.py
-rw-rw-r-- 1 jal jal    4848 jan 20 21:08 90000.heap.pointers.offsets
-rw-rw-r-- 1 jal jal    4848 jan 20 21:08 90000.heap.pointers.values
-rw-rw-r-- 1 jal jal   14336 jan 20 21:08 90000.mchunks.addrs
-rw-rw-r-- 1 jal jal   14336 jan 20 21:08 90000.mchunks.sizes
-rw-rw-r-- 1 jal jal   33237 mar 15 17:14 90000.strings
-rw-rw-r-- 1 jal jal     229 mar 15 17:14 c30000.ctx
-rw-rw-r-- 1 jal jal   26931 mar 15 17:14 c30000.graph.gexf
-rw-rw-r-- 1 jal jal   54837 mar 15 17:14 c30000.headers_values.py
-rw-rw-r-- 1 jal jal     328 jan 20 21:08 c30000.heap.pointers.offsets
-rw-rw-r-- 1 jal jal     328 jan 20 21:08 c30000.heap.pointers.values
-rw-rw-r-- 1 jal jal     912 jan 20 21:08 c30000.mchunks.addrs
-rw-rw-r-- 1 jal jal     912 jan 20 21:08 c30000.mchunks.sizes
-rw-rw-r-- 1 jal jal    3341 mar 15 17:14 c30000.strings
-rw-rw-r-- 1 jal jal     229 mar 15 17:14 d60000.ctx
-rw-rw-r-- 1 jal jal   14321 mar 15 17:14 d60000.graph.gexf
-rw-rw-r-- 1 jal jal   46236 mar 15 17:14 d60000.headers_values.py
-rw-rw-r-- 1 jal jal     112 jan 20 21:08 d60000.heap.pointers.offsets
-rw-rw-r-- 1 jal jal     112 jan 20 21:08 d60000.heap.pointers.values
-rw-rw-r-- 1 jal jal     384 jan 20 21:08 d60000.mchunks.addrs
-rw-rw-r-- 1 jal jal     384 jan 20 21:08 d60000.mchunks.sizes
-rw-rw-r-- 1 jal jal    2198 mar 15 17:14 d60000.strings
-rw-rw-r-- 1 jal jal     229 mar 15 17:14 e20000.ctx
-rw-rw-r-- 1 jal jal    1815 mar 15 17:14 e20000.graph.gexf
-rw-rw-r-- 1 jal jal   18777 mar 15 17:14 e20000.headers_values.py
-rw-rw-r-- 1 jal jal      96 jan 20 21:08 e20000.heap.pointers.offsets
-rw-rw-r-- 1 jal jal      96 jan 20 21:08 e20000.heap.pointers.values
-rw-rw-r-- 1 jal jal     112 jan 20 21:08 e20000.mchunks.addrs
-rw-rw-r-- 1 jal jal     112 jan 20 21:08 e20000.mchunks.sizes
-rw-rw-r-- 1 jal jal       0 mar 15 17:14 e20000.strings
-rw-rw-r-- 1 jal jal     229 mar 15 17:14 e80000.ctx
-rw-rw-r-- 1 jal jal    1477 mar 15 17:14 e80000.graph.gexf
-rw-rw-r-- 1 jal jal   19686 mar 15 17:14 e80000.headers_values.py
-rw-rw-r-- 1 jal jal      88 jan 20 21:08 e80000.heap.pointers.offsets
-rw-rw-r-- 1 jal jal      88 jan 20 21:08 e80000.heap.pointers.values
-rw-rw-r-- 1 jal jal     104 jan 20 21:08 e80000.mchunks.addrs
-rw-rw-r-- 1 jal jal     104 jan 20 21:08 e80000.mchunks.sizes
-rw-rw-r-- 1 jal jal     104 mar 15 17:14 e80000.strings
-rw-rw-r-- 1 jal jal  734097 mar 15 17:14 graph.gexf
-rw-rw-r-- 1 jal jal  572566 mar 15 17:14 graph.heaps.gexf
-rw-rw-r-- 1 jal jal  101801 mar 15 17:14 headers_values.py
drwxrwxr-x 2 jal jal   69632 jan 20 21:49 structs

In [6]:
!cat ../test/dumps/vol/zeus.vmem.856.dump/cache/*.strings| grep -a http


0xc64e8,64,u'http://193.104.41.75/cbd/75.bro\x00'
0xc32d98,32,'http://193.104.41.75/cbd/75.bro'
0xc329f8,64,'Ahttps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome'

Mhh, interesting string... I wonder what memory chunk that was allocated in.


In [10]:
!haystack-reverse-show ../test/dumps/vol/zeus.vmem.856.dump 0xc64e8


class struct_c64e8(ctypes.Structure):  # rlevel:50 SIG:T64 size:64
  _fields_ = [ 
	( 'utf16_0' , ctypes.c_char*64 ), #  # ctypes.c_char: u'http://193.104.41.75/cbd/75.bro\x00'
 ]


Ah, that makes sense. It's a classic UTF-16 string: the whole allocated memory chunk is used for the string.

Let's look at the bytes behind the scenes.


In [13]:
!haystack-reverse-hex ../test/dumps/vol/zeus.vmem.856.dump 0xc64e8


'h\x00t\x00t\x00p\x00:\x00/\x00/\x001\x009\x003\x00.\x001\x000\x004\x00.\x004\x001\x00.\x007\x005\x00/\x00c\x00b\x00d\x00/\x007\x005\x00.\x00b\x00r\x00o\x00\x00\x00'

I wonder if this record is referenced by some other record... Maybe we can find a parent record that points to this string.


In [14]:
!haystack-reverse-parents ../test/dumps/vol/zeus.vmem.856.dump 0xc64e8


None

Tough luck... What about the others?


In [15]:
!haystack-reverse-parents ../test/dumps/vol/zeus.vmem.856.dump 0xc32d98


None

In [16]:
!haystack-reverse-parents ../test/dumps/vol/zeus.vmem.856.dump 0xc329f8


#0xc31e90

class struct_c31e90(ctypes.Structure):  # rlevel:50 SIG:P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4P4a8 size:336
  _fields_ = [ 
	( 'ptr_string_c32000_0' , ctypes.c_void_p ), # @ 0x00c32000 # [vol_mapping_058]
	( 'ptr_string_c32020_4' , ctypes.c_void_p ), # @ 0x00c32020 # [vol_mapping_058]
	( 'ptr_string_c32040_8' , ctypes.c_void_p ), # @ 0x00c32040 # [vol_mapping_058]
	( 'ptr_string_c32060_12' , ctypes.c_void_p ), # @ 0x00c32060 # [vol_mapping_058]
	( 'ptr_string_c320a8_16' , ctypes.c_void_p ), # @ 0x00c320a8 # [vol_mapping_058]
	( 'ptr_string_c320d0_20' , ctypes.c_void_p ), # @ 0x00c320d0 # [vol_mapping_058]
	( 'ptr_string_c320f8_24' , ctypes.c_void_p ), # @ 0x00c320f8 # [vol_mapping_058]
	( 'ptr_string_c32120_28' , ctypes.c_void_p ), # @ 0x00c32120 # [vol_mapping_058]
	( 'ptr_string_c32148_32' , ctypes.c_void_p ), # @ 0x00c32148 # [vol_mapping_058]
	( 'ptr_string_c32170_36' , ctypes.c_void_p ), # @ 0x00c32170 # [vol_mapping_058]
	( 'ptr_string_c32198_40' , ctypes.c_void_p ), # @ 0x00c32198 # [vol_mapping_058]
	( 'ptr_string_c321c0_44' , ctypes.c_void_p ), # @ 0x00c321c0 # [vol_mapping_058]
	( 'ptr_string_c32230_48' , ctypes.c_void_p ), # @ 0x00c32230 # [vol_mapping_058]
	( 'ptr_string_c322a8_52' , ctypes.c_void_p ), # @ 0x00c322a8 # [vol_mapping_058]
	( 'ptr_string_c322c0_56' , ctypes.c_void_p ), # @ 0x00c322c0 # [vol_mapping_058]
	( 'ptr_string_c32378_60' , ctypes.c_void_p ), # @ 0x00c32378 # [vol_mapping_058]
	( 'ptr_string_c32088_64' , ctypes.c_void_p ), # @ 0x00c32088 # [vol_mapping_058]
	( 'ptr_struct_c31fe8_68' , ctypes.c_void_p ), # @ 0x00c31fe9 # Unaligned pointer value
	( 'ptr_string_c323e0_72' , ctypes.c_void_p ), # @ 0x00c323e1 # Unaligned pointer value
	( 'ptr_string_c32418_76' , ctypes.c_void_p ), # @ 0x00c32418 # [vol_mapping_058]
	( 'ptr_string_c323f8_80' , ctypes.c_void_p ), # @ 0x00c323f8 # [vol_mapping_058]
	( 'ptr_string_c32460_84' , ctypes.c_void_p ), # @ 0x00c32460 # [vol_mapping_058]
	( 'ptr_string_c324a0_88' , ctypes.c_void_p ), # @ 0x00c324a0 # [vol_mapping_058]
	( 'ptr_string_c324c8_92' , ctypes.c_void_p ), # @ 0x00c324c8 # [vol_mapping_058]
	( 'ptr_struct_c32480_96' , ctypes.c_void_p ), # @ 0x00c32481 # Unaligned pointer value
	( 'ptr_string_c32448_100' , ctypes.c_void_p ), # @ 0x00c32449 # Unaligned pointer value
	( 'ptr_string_c324f0_104' , ctypes.c_void_p ), # @ 0x00c324f1 # Unaligned pointer value
	( 'ptr_string_c32508_108' , ctypes.c_void_p ), # @ 0x00c32509 # Unaligned pointer value
	( 'ptr_struct_c32528_112' , ctypes.c_void_p ), # @ 0x00c32529 # Unaligned pointer value
	( 'ptr_struct_c32540_116' , ctypes.c_void_p ), # @ 0x00c32541 # Unaligned pointer value
	( 'ptr_string_c32558_120' , ctypes.c_void_p ), # @ 0x00c32559 # Unaligned pointer value
	( 'ptr_string_c32570_124' , ctypes.c_void_p ), # @ 0x00c32571 # Unaligned pointer value
	( 'ptr_string_c32590_128' , ctypes.c_void_p ), # @ 0x00c32591 # Unaligned pointer value
	( 'ptr_string_c325b0_132' , ctypes.c_void_p ), # @ 0x00c325b1 # Unaligned pointer value
	( 'ptr_struct_c325e0_136' , ctypes.c_void_p ), # @ 0x00c325e1 # Unaligned pointer value
	( 'ptr_struct_c32600_140' , ctypes.c_void_p ), # @ 0x00c32601 # Unaligned pointer value
	( 'ptr_struct_c32628_144' , ctypes.c_void_p ), # @ 0x00c32629 # Unaligned pointer value
	( 'ptr_struct_c32650_148' , ctypes.c_void_p ), # @ 0x00c32651 # Unaligned pointer value
	( 'ptr_struct_c32678_152' , ctypes.c_void_p ), # @ 0x00c32679 # Unaligned pointer value
	( 'ptr_struct_c326a0_156' , ctypes.c_void_p ), # @ 0x00c326a1 # Unaligned pointer value
	( 'ptr_string_c326b8_160' , ctypes.c_void_p ), # @ 0x00c326b9 # Unaligned pointer value
	( 'ptr_struct_c326d8_164' , ctypes.c_void_p ), # @ 0x00c326d9 # Unaligned pointer value
	( 'ptr_string_c326f8_168' , ctypes.c_void_p ), # @ 0x00c326f9 # Unaligned pointer value
	( 'ptr_struct_c32720_172' , ctypes.c_void_p ), # @ 0x00c32721 # Unaligned pointer value
	( 'ptr_string_c32740_176' , ctypes.c_void_p ), # @ 0x00c32741 # Unaligned pointer value
	( 'ptr_struct_c32758_180' , ctypes.c_void_p ), # @ 0x00c32759 # Unaligned pointer value
	( 'ptr_struct_c32778_184' , ctypes.c_void_p ), # @ 0x00c32779 # Unaligned pointer value
	( 'ptr_string_c32790_188' , ctypes.c_void_p ), # @ 0x00c32791 # Unaligned pointer value
	( 'ptr_struct_c327a8_192' , ctypes.c_void_p ), # @ 0x00c327a9 # Unaligned pointer value
	( 'ptr_struct_c327c0_196' , ctypes.c_void_p ), # @ 0x00c327c1 # Unaligned pointer value
	( 'ptr_struct_c327d8_200' , ctypes.c_void_p ), # @ 0x00c327d9 # Unaligned pointer value
	( 'ptr_struct_c327f0_204' , ctypes.c_void_p ), # @ 0x00c327f1 # Unaligned pointer value
	( 'ptr_string_c32808_208' , ctypes.c_void_p ), # @ 0x00c32809 # Unaligned pointer value
	( 'ptr_struct_c32820_212' , ctypes.c_void_p ), # @ 0x00c32821 # Unaligned pointer value
	( 'ptr_string_c32838_216' , ctypes.c_void_p ), # @ 0x00c32839 # Unaligned pointer value
	( 'ptr_string_c32850_220' , ctypes.c_void_p ), # @ 0x00c32851 # Unaligned pointer value
	( 'ptr_string_c32868_224' , ctypes.c_void_p ), # @ 0x00c32869 # Unaligned pointer value
	( 'ptr_string_c32888_228' , ctypes.c_void_p ), # @ 0x00c32889 # Unaligned pointer value
	( 'ptr_string_c328a0_232' , ctypes.c_void_p ), # @ 0x00c328a1 # Unaligned pointer value
	( 'ptr_struct_c328b8_236' , ctypes.c_void_p ), # @ 0x00c328b9 # Unaligned pointer value
	( 'ptr_string_c328d0_240' , ctypes.c_void_p ), # @ 0x00c328d1 # Unaligned pointer value
	( 'ptr_string_c328f0_244' , ctypes.c_void_p ), # @ 0x00c328f1 # Unaligned pointer value
	( 'ptr_struct_c32908_248' , ctypes.c_void_p ), # @ 0x00c32909 # Unaligned pointer value
	( 'ptr_string_c32928_252' , ctypes.c_void_p ), # @ 0x00c32929 # Unaligned pointer value
	( 'ptr_string_c32940_256' , ctypes.c_void_p ), # @ 0x00c32941 # Unaligned pointer value
	( 'ptr_struct_c32958_260' , ctypes.c_void_p ), # @ 0x00c32959 # Unaligned pointer value
	( 'ptr_string_c32970_264' , ctypes.c_void_p ), # @ 0x00c32971 # Unaligned pointer value
	( 'ptr_struct_c32988_268' , ctypes.c_void_p ), # @ 0x00c32989 # Unaligned pointer value
	( 'ptr_struct_c329a0_272' , ctypes.c_void_p ), # @ 0x00c329a1 # Unaligned pointer value
	( 'ptr_struct_c329d0_276' , ctypes.c_void_p ), # @ 0x00c329d1 # Unaligned pointer value
	( 'ptr_string_c329f8_280' , ctypes.c_void_p ), # @ 0x00c329f9 # Unaligned pointer value
	( 'ptr_string_c32338_284' , ctypes.c_void_p ), # @ 0x00c32339 # Unaligned pointer value
	( 'ptr_struct_c32a48_288' , ctypes.c_void_p ), # @ 0x00c32a49 # Unaligned pointer value
	( 'ptr_string_c32a88_292' , ctypes.c_void_p ), # @ 0x00c32a88 # [vol_mapping_058]
	( 'ptr_struct_c32a68_296' , ctypes.c_void_p ), # @ 0x00c32a69 # Unaligned pointer value
	( 'ptr_string_c32ad0_300' , ctypes.c_void_p ), # @ 0x00c32ad0 # [vol_mapping_058]
	( 'ptr_string_c32af0_304' , ctypes.c_void_p ), # @ 0x00c32af0 # [vol_mapping_058]
	( 'ptr_string_c32ab8_308' , ctypes.c_void_p ), # @ 0x00c32ab9 # Unaligned pointer value
	( 'ptr_struct_c32b08_312' , ctypes.c_void_p ), # @ 0x00c32b09 # Unaligned pointer value
	( 'ptr_struct_c32b20_316' , ctypes.c_void_p ), # @ 0x00c32b21 # Unaligned pointer value
	( 'ptr_string_c32b88_320' , ctypes.c_void_p ), # @ 0x00c32b88 # [vol_mapping_058]
	( 'ptr_string_c32c30_324' , ctypes.c_void_p ), # @ 0x00c32c30 # [vol_mapping_058]
	( 'zerroes_328' , ctypes.c_ubyte*8 ), # # array
 ]



That looks interesting: a record made of 82 4-byte pointers and some trailing zeroes/padding.

Let's see if we can check that out with the haystack CLI.


In [17]:
!cat ../test/structures/zeus/records.py


import ctypes


class array_of_pointers(ctypes.Structure):
    # 82 pointers to NUL-terminated narrow (char) strings
    _fields_ = [('array', ctypes.CString*82)]


class array_of_wcharp(ctypes.Structure):
    # 82 pointers to NUL-terminated wide (UTF-16) strings
    _fields_ = [('array', ctypes.CWString*82)]

So, thanks to a little monkey patching, CString and CWString ctypes types are available in the haystack ctypes module.


In [18]:
!haystack-show ../test/dumps/vol/zeus.vmem.856.dump test.structures.zeus.records.array_of_pointers 0xc31e90


[# --------------- 0x1 
{ # <array_of_pointers at 0xc31e90>
"array": [
	"l" , # (CString)
	"u" , # (CString)
	"l" , # (CString)
	"s" , # (CString)
	"w" , # (CString)
	"s" , # (CString)
	"e" , # (CString)
	"_" , # (CString)
	"_" , # (CString)
	"_" , # (CString)
	"_" , # (CString)
	"_" , # (CString)
	"s" , # (CString)
	"U" , # (CString)
	"s" , # (CString)
	"s" , # (CString)
	"u" , # (CString)
	"software" , # (CString)
	"system" , # (CString)
	"%" , # (CString)
	"%" , # (CString)
	"n" , # (CString)
	"o" , # (CString)
	"z" , # (CString)
	"*%u.%u.%u.%u*" , # (CString)
	"winsta0" , # (CString)
	"default" , # (CString)
	"gdiplus.dll" , # (CString)
	"ole32.dll" , # (CString)
	"gdi32.dll" , # (CString)
	"DISPLAY" , # (CString)
	"GdiplusStartup" , # (CString)
	"GdiplusShutdown" , # (CString)
	"GdipCreateBitmapFromHBITMAP" , # (CString)
	"GdipDisposeImage" , # (CString)
	"GdipGetImageEncodersSize" , # (CString)
	"GdipGetImageEncoders" , # (CString)
	"GdipSaveImageToStream" , # (CString)
	"CreateStreamOnHGlobal" , # (CString)
	"CreateDCA" , # (CString)
	"CreateCompatibleDC" , # (CString)
	"GetDeviceCaps" , # (CString)
	"CreateCompatibleBitmap" , # (CString)
	"SelectObject" , # (CString)
	"BitBlt" , # (CString)
	"DeleteObject" , # (CString)
	"DeleteDC" , # (CString)
	"reboot" , # (CString)
	"shutdown" , # (CString)
	"resetgrab" , # (CString)
	"upcfg" , # (CString)
	"kbot" , # (CString)
	"rename_bot" , # (CString)
	"getcerts" , # (CString)
	"getmff" , # (CString)
	"delmff" , # (CString)
	"sethomepage" , # (CString)
	"bc_add" , # (CString)
	"bc_del" , # (CString)
	"block_url" , # (CString)
	"unblock_url" , # (CString)
	"block_fake" , # (CString)
	"unblock_fake" , # (CString)
	"kos" , # (CString)
	"rexeci" , # (CString)
	"rexec" , # (CString)
	"lexeci" , # (CString)
	"lexec" , # (CString)
	"application/x-www-form-urlencoded" , # (CString)
	"Content-Type: %s
ZCID: %s" , # (CString)
	"https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome" , # (CString)
	"CustomerServiceMenuEntryPoint?custAction=75" , # (CString)
	"Q%u: %s
A%u: %s
" , # (CString)
	"d" , # (CString)
	"Accept-Encoding:
" , # (CString)
	"%" , # (CString)
	"*" , # (CString)
	"getfile" , # (CString)
	"addsf" , # (CString)
	"delsf" , # (CString)
	"s" , # (CString)
	"f" , # (CString)
	],
}]

Oh, that is pretty good... but it seems the first few strings are not quite right.


In [19]:
!haystack-reverse-hex ../test/dumps/vol/zeus.vmem.856.dump 0x00c32000
!haystack-reverse-show ../test/dumps/vol/zeus.vmem.856.dump 0x00c32000


'l\x00o\x00w\x00s\x00e\x00c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

class string_c32000(ctypes.Structure):  # rlevel:50 SIG:T12a12 size:24
  _fields_ = [ 
	( 'utf16_0' , ctypes.c_char*12 ), #  # ctypes.c_char: u'lowsec'
	( 'zerroes_12' , ctypes.c_ubyte*12 ), # # array
 ]


Mhh, it seems the first few strings are UTF-16 strings. Let's try with a wide char string type.


In [20]:
!haystack-show ../test/dumps/vol/zeus.vmem.856.dump test.structures.zeus.records.array_of_wcharp 0xc31e90


[# --------------- 0x1 
{ # <array_of_wcharp at 0xc31e90>
"array": [
	"lowsec" , # (CWString)
	"user.ds" , # (CWString)
	"local.ds" , # (CWString)
	"sdra64.exe" , # (CWString)
	"winlogon.exe" , # (CWString)
	"svchost.exe" , # (CWString)
	"explorer.exe" , # (CWString)
	"_AVIRA_2110" , # (CWString)
	"_AVIRA_2101" , # (CWString)
	"_AVIRA_2108" , # (CWString)
	"_AVIRA_2109" , # (CWString)
	"_AVIRA_21099" , # (CWString)
	"software\microsoft\windows nt\currentversion\network" , # (CWString)
	"UID" , # (CWString)
	"software\microsoft\windows nt\currentversion\winlogon" , # (CWString)
	"software\microsoft\windows\currentversion\run" , # (CWString)
	"userinit" , # (CWString)
	"software" , # (CWString)
	"system" , # (CWString)
	"%08X%08X%08X%X" , # (CWString)
	"%s_%08X" , # (CWString)
	"ntdll.dll" , # (CWString)
	"outpost.exe" , # (CWString)
	"zlclient.exe" , # (CWString)
	"*%u.%u.%u.%u*" , # (CWString)
	"winsta0" , # (CWString)
	"default" , # (CWString)
	"gdiplus.dll" , # (CWString)
	"ole32.dll" , # (CWString)
	"gdi32.dll" , # (CWString)
	"DISPLAY" , # (CWString)
	"GdiplusStartup" , # (CWString)
	"GdiplusShutdown" , # (CWString)
	"GdipCreateBitmapFromHBITMAP" , # (CWString)
	"GdipDisposeImage" , # (CWString)
	"GdipGetImageEncodersSize" , # (CWString)
	"GdipGetImageEncoders" , # (CWString)
	"GdipSaveImageToStream" , # (CWString)
	"CreateStreamOnHGlobal" , # (CWString)
	"CreateDCA" , # (CWString)
	"CreateCompatibleDC" , # (CWString)
	"GetDeviceCaps" , # (CWString)
	"CreateCompatibleBitmap" , # (CWString)
	"SelectObject" , # (CWString)
	"BitBlt" , # (CWString)
	"DeleteObject" , # (CWString)
	"DeleteDC" , # (CWString)
	"reboot" , # (CWString)
	"shutdown" , # (CWString)
	"resetgrab" , # (CWString)
	"upcfg" , # (CWString)
	"kbot" , # (CWString)
	"rename_bot" , # (CWString)
	"getcerts" , # (CWString)
	"getmff" , # (CWString)
	"delmff" , # (CWString)
	"sethomepage" , # (CWString)
	"bc_add" , # (CWString)
	"bc_del" , # (CWString)
	"block_url" , # (CWString)
	"unblock_url" , # (CWString)
	"block_fake" , # (CWString)
	"unblock_fake" , # (CWString)
	"kos" , # (CWString)
	"rexeci" , # (CWString)
	"rexec" , # (CWString)
	"lexeci" , # (CWString)
	"lexec" , # (CWString)
	"application/x-www-form-urlencoded" , # (CWString)
	"Content-Type: %s
ZCID: %s" , # (CWString)
	"https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome" , # (CWString)
	"CustomerServiceMenuEntryPoint?custAction=75" , # (CWString)
	"Q%u: %s
A%u: %s
" , # (CWString)
	"drivers\etc\hosts" , # (CWString)
	"Accept-Encoding:
" , # (CWString)
	"%08X.uf" , # (CWString)
	"*.uf" , # (CWString)
	"getfile" , # (CWString)
	"addsf" , # (CWString)
	"delsf" , # (CWString)
	"software\microsoft\windows\currentversion\explorer\comdlg32" , # (CWString)
	"filesearch\%06X_%s" , # (CWString)
	],
}]

Well, that more or less works.
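As an added example (not haystack code), here is how a pointer-array record like the one above decodes from raw bytes, and why reading every element as a narrow CString gives one character per UTF-16 string while reading every element as a wide CWString garbles the ASCII ones. It goes beyond the page's two fixed-type structures by picking narrow or wide per element with a simple heuristic; the toy heap image, its base address and the string layout are constructed.

```python
import struct

BASE = 0x00c32000   # constructed base address of the toy heap image (not read from the dump)
PTR_SIZE = 4        # the zeus dump is a 32-bit process: pointer fields are 4 bytes


class MemoryImage:
    """A contiguous memory mapping with a base address (constructed stand-in for a dump mapping)."""

    def __init__(self, base, data):
        self.base = base
        self.data = bytes(data)

    def contains(self, addr):
        return self.base <= addr < self.base + len(self.data)

    def read(self, addr, size):
        if not self.contains(addr):
            raise ValueError("address 0x%x is outside the image" % addr)
        off = addr - self.base
        return self.data[off:off + size]

    def read_cstring(self, addr):
        # Narrow NUL-terminated string, as CString reads it: on UTF-16 data this
        # stops at the 0x00 high byte of the first character, giving "l" for "lowsec".
        off = addr - self.base
        end = self.data.find(b"\x00", off)
        if end < 0:
            end = len(self.data)
        return self.data[off:end].decode("latin-1")

    def read_wstring(self, addr):
        # UTF-16LE string terminated by a 16-bit zero unit, as CWString reads it.
        off = addr - self.base
        out = bytearray()
        while True:
            unit = self.data[off:off + 2]
            if len(unit) < 2 or unit == b"\x00\x00":
                break
            out += unit
            off += 2
        return out.decode("utf-16-le", errors="replace")


def looks_wide(image, addr):
    """Heuristic: printable ASCII byte + 0x00, followed by the same pattern or the
    16-bit terminator, reads as UTF-16LE rather than as a narrow string."""
    head = image.read(addr, 4)
    if len(head) < 4:
        return False

    def ascii_nul(hi, lo):
        return 0x20 <= hi < 0x7F and lo == 0

    return ascii_nul(head[0], head[1]) and (ascii_nul(head[2], head[3]) or head[2] == head[3] == 0)


def decode_as(image, addr, count, reader):
    """Apply one fixed reader to every pointer, as array_of_pointers (read_cstring)
    and array_of_wcharp (read_wstring) do under haystack-show."""
    ptrs = struct.unpack("<%dI" % count, image.read(addr, count * PTR_SIZE))
    return [reader(p) for p in ptrs]


def read_pointer_array(image, addr, count):
    """Decode `count` little-endian 4-byte pointers at `addr` and resolve each to
    (pointer, kind, text), choosing narrow or wide per element."""
    ptrs = struct.unpack("<%dI" % count, image.read(addr, count * PTR_SIZE))
    out = []
    for p in ptrs:
        if not image.contains(p):
            out.append((p, "dangling", None))   # points outside the mapping
        elif looks_wide(image, p):
            out.append((p, "wide", image.read_wstring(p)))
        else:
            out.append((p, "narrow", image.read_cstring(p)))
    return out


def build_image():
    """Constructed layout mirroring the page's record: the first two strings wide,
    the rest narrow, then a record of pointers to them and trailing zeroes."""
    strings = [("lowsec", True), ("user.ds", True),
               ("software", False), ("reboot", False), ("winsta0", False)]
    buf, addrs = bytearray(), []
    for text, wide in strings:
        addrs.append(BASE + len(buf))
        if wide:
            buf += text.encode("utf-16-le") + b"\x00\x00"
        else:
            buf += text.encode("ascii") + b"\x00"
        while len(buf) % 8:          # heap-chunk-like 8-byte granularity
            buf.append(0)
    record_addr = BASE + len(buf)
    buf += struct.pack("<%dI" % len(addrs), *addrs)
    buf += b"\x00" * 8               # like the 'zerroes_328' tail of struct_c31e90
    return MemoryImage(BASE, buf), record_addr, len(addrs)


if __name__ == "__main__":
    image, rec, n = build_image()
    for ptr, kind, text in read_pointer_array(image, rec, n):
        print("0x%08x %-7s %r" % (ptr, kind, text))
```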

Ultimately, you might want to clean the cache (REMOVES ALL ANALYSIS FILES)