Volatility apihooks.py - Inline interrupt hooks

1. # Volatility
2. # Copyright (C) 2007-2013 Volatility Foundation
3. #
4. # Authors:
5. # Michael Hale Ligh <michael.ligh@mnin.org>
6. #
7. # This file is part of Volatility.
8. #
9. # Volatility is free software; you can redistribute it and/or modify
10. # it under the terms of the GNU General Public License as published by
11. # the Free Software Foundation; either version 2 of the License, or
12. # (at your option) any later version.
13. #
14. # Volatility is distributed in the hope that it will be useful,
15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17. # GNU General Public License for more details.
18. #
19. # You should have received a copy of the GNU General Public License
20. # along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
21. #
22.  
23. import re, ntpath
24. import volatility.utils as utils
25. import volatility.obj as obj
26. import volatility.debug as debug
27. import volatility.win32.tasks as tasks
28. import volatility.win32.modules as modules
29. import volatility.plugins.malware.malfind as malfind
30. import volatility.plugins.malware.idt as idt
31. import volatility.plugins.overlays.basic as basic
32. import volatility.plugins.procdump as procdump
33. import volatility.exceptions as exceptions
34.  
35. try:
36.     import distorm3
37.     has_distorm3 = True
38. except ImportError:
39.     has_distorm3 = False
40.  
41. #--------------------------------------------------------------------------------
42. # Constants
43. #--------------------------------------------------------------------------------
44.  
45. # hook modes
46. HOOK_MODE_USER = 1
47. HOOK_MODE_KERNEL = 2
48.  
49. # hook types
50. HOOKTYPE_IAT = 4
51. HOOKTYPE_EAT = 8
52. HOOKTYPE_INLINE = 16
53. HOOKTYPE_NT_SYSCALL = 32
54. HOOKTYPE_CODEPAGE_KERNEL = 64
55. HOOKTYPE_IDT = 128
56. HOOKTYPE_IRP = 256
57. HOOKTYPE_WINSOCK = 512
58.  
59. # names for hook types
60. hook_type_strings = {
61.     HOOKTYPE_IAT             : "Import Address Table (IAT)",
62.     HOOKTYPE_EAT             : "Export Address Table (EAT)",
63.     HOOKTYPE_INLINE          : "Inline/Trampoline",
64.     HOOKTYPE_NT_SYSCALL      : "NT Syscall",
65.     HOOKTYPE_CODEPAGE_KERNEL : "Unknown Code Page Call",
66.     HOOKTYPE_WINSOCK         : "Winsock Procedure Table Hook",
67. }
68.  
69. WINSOCK_TABLE = [
70.     '_WSPAccept',
71.     '_WSPAddressToString',
72.     '_WSPAsyncSelect',
73.     '_WSPBind',
74.     '_WSPCancelBlockingCall',
75.     '_WSPCleanup',
76.     '_WSPCloseSocket',
77.     '_WSPConnect',
78.     '_WSPDuplicateSocket',
79.     '_WSPEnumNetworkEvents',
80.     '_WSPEventSelect',
81.     '_WSPGetOverlappedResult',
82.     '_WSPGetPeerName',
83.     '_WSPGetSockName',
84.     '_WSPGetSockOpt',
85.     '_WSPGetQOSByName',
86.     '_WSPIoctl',
87.     '_WSPJoinLeaf',
88.     '_WSPListen',
89.     '_WSPRecv',
90.     '_WSPRecvDisconnect',
91.     '_WSPRecvFrom',
92.     '_WSPSelect',
93.     '_WSPSend',
94.     '_WSPSendDisconnect',
95.     '_WSPSendTo',
96.     '_WSPSetSockOpt',
97.     '_WSPShutdown',
98.     '_WSPSocket',
99.     '_WSPStringToAddress',
100. ]
101.  
102. #--------------------------------------------------------------------------------
103. # Profile Modifications
104. #--------------------------------------------------------------------------------
105.  
106. class MalwareWSPVTypes(obj.ProfileModification):
107.     before = ['WindowsOverlay']
108.     conditions = {'os': lambda x : x == 'windows',
109.                   'memory_model': lambda x: x == '32bit'}
110.     def modification(self, profile):
111.         profile.vtypes.update({
112.             '_SOCK_PROC_TABLE' : [ None, {
113.             'Functions' : [ 0x0, ['array', 30, ['address']]],
114.             }]})
115.  
116. #--------------------------------------------------------------------------------
117. # Module Group Class
118. #--------------------------------------------------------------------------------
119.  
120. class ModuleGroup(object):
121.     """A class to assist with module lookups"""
122.  
123.     def __init__(self, mod_list):
124.         """Initialize.
125.  
126.        @param mod_list: a list of _LDR_DATA_TABLE_ENTRY objects.
127.        This can be a generator.
128.        """
129.  
130.         self.mods = list(mod_list)
131.         self.mod_name = {}
132.         self.mod_fast = [(mod.DllBase, mod.DllBase + mod.SizeOfImage, mod) for mod in self.mods]
133.  
134.         for mod in self.mods:
135.             name = str(mod.BaseDllName or '').lower()
136.             if name in self.mod_name:
137.                 self.mod_name[name].append(mod)
138.             else:
139.                 self.mod_name[name] = [mod]
140.  
141.     def find_module(self, address):
142.         """Find a module by an address it contains.
143.            
144.        @param address: location in process or kernel AS to
145.        find an owning module.
146.  
147.        When performing thousands of lookups, this method
148.        is actually quicker than tasks.find_module.
149.        """
150.  
151.         for base, end, mod in self.mod_fast:
152.             if address >= base and address <= end:
153.                 return mod
154.  
155.         return obj.NoneObject("")
156.  
157. #--------------------------------------------------------------------------------
158. # Hook Class
159. #--------------------------------------------------------------------------------
160.  
161. class Hook(object):
162.     """A class for API hooks. It helps organize the many
163.    pieces of information required to report on the hook."""
164.  
165.     def __init__(self, hook_type, hook_mode, function_name,
166.                         function_address = None, hook_address = None,
167.                         hook_module = None, victim_module = None):
168.         """
169.        Initalize a hook class instance.
170.  
171.        @params hook_type: one of the HOOK_TYPE_* constants
172.        @params hook_mode: one of the HOOK_MODE_* constants
173.  
174.        @params function_name: name of the function being hooked
175.  
176.        @params function_address: address of the hooked function in
177.            process or kernel memory.
178.  
179.        @params hook_address: address where the hooked function
180.            actually points.
181.  
182.        @params hook_module: the _LDR_DATA_TABLE_ENTRY of the
183.            hooking module (owner of the hook_address). note:
184.            this can be None if the module cannot be identified.
185.  
186.        @params victim_module: the _LDR_DATA_TABLE_ENTRY of the
187.            module being hooked (contains the function_address).
188.            note: this can be a string if checking IAT hooks.
189.  
190.        """
191.         self.hook_mode = hook_mode
192.         self.hook_type = hook_type
193.         self.function_name = function_name
194.         self.function_address = function_address
195.         self.hook_address = hook_address
196.         self.hook_module = hook_module
197.         self.victim_module = victim_module
198.         # List of tuples: address, data pairs
199.         self.disassembled_hops = []
200.  
201.     def add_hop_chunk(self, address, data):
202.         """Support disassembly for multiple hops"""
203.         self.disassembled_hops.append((address, data))
204.  
205.     def _module_name(self, module):
206.         """Return a sanitized module name"""
207.  
208.         # The module can't be identified
209.         if not module:
210.             return '<unknown>'
211.  
212.         # The module is a string name like "ntdll.dll"
213.         if isinstance(module, basic.String) or isinstance(module, str):
214.             return str(module)
215.  
216.         # The module is a _LDR_DATA_TABLE_ENTRY
217.         return str(module.BaseDllName or '') or str(module.FullDllName or '') or '<unknown>'
218.  
219.     @property
220.     def Type(self):
221.         """Translate the hook type into a string"""
222.         return hook_type_strings.get(self.hook_type, "")
223.  
224.     @property
225.     def Mode(self):
226.         """Translate the hook mode into a string"""
227.         if self.hook_mode == HOOK_MODE_USER:
228.             return "Usermode"
229.         else:
230.             return "Kernelmode"
231.  
232.     @property
233.     def Function(self):
234.         """Return the function name if its available"""
235.         return str(self.function_name) or '<unknown>'
236.  
237.     @property
238.     def Detail(self):
239.         """The detail depends on the hook type"""
240.         if self.hook_type == HOOKTYPE_IAT:
241.             return "{0}!{1}".format(self.VictimModule, self.Function)
242.         elif self.hook_type == HOOKTYPE_EAT:
243.             return "{0} at {1:#x}".format(self.Function, self.hook_address)
244.         elif self.hook_type == HOOKTYPE_INLINE:
245.             return "{0}!{1} at {2:#x}".format(self.VictimModule, self.Function, self.function_address)
246.         else:
247.             return self.Function
248.  
249.     @property
250.     def HookModule(self):
251.         """Name of the hooking module"""
252.         return self._module_name(self.hook_module)
253.  
254.     @property
255.     def VictimModule(self):
256.         """Name of the victim module"""
257.         return self._module_name(self.victim_module)
258.  
259. #--------------------------------------------------------------------------------
260. # Whitelist Rules
261. #--------------------------------------------------------------------------------
262.  
263. # The values of each dictionary item is a list of tuples which are regexes
264. # in the format (process, srd_mod, dst_mod, function). If you specify
265. # (".*", ".*", ".*", ".*") then you essentially whitelist all possible hooks
266. # of the given type.
267.  
268. whitelist_rules = {
269.     HOOK_MODE_USER | HOOKTYPE_IAT : [
270.     # Ignore hooks that point inside C runtime libraries
271.     (".*", ".*", "(msvcr|msvcp).+\.dll", ".*"),
272.     # Ignore hooks of WMI that point inside advapi32.dll
273.     (".*", "wmi.dll", "advapi32.dll", ".*"),
274.     # Ignore hooks of winsock that point inside ws2 and   mswsock
275.     (".*", "WSOCK32.dll", "(WS2_32|MSWSOCK)\.dll", ".*"),
276.     # Ignore hooks of SCHANNEL* that point inside secur32.dll
277.     (".*", "schannel.dll", "secur32.dll", ".*"),
278.     # Ignore hooks of Secur32* that point inside SSPICLI
279.     (".*", "Secur32.dll", "SSPICLI.DLL", ".*"),
280.     # Ignore hooks that point inside known modules
281.     (".*", ".*", "(kernel32|gdi32|advapi32|ntdll|shimeng|kernelbase|shlwapi|user32|cfgmgr32)", ".*"),
282.     # Handle some known forwarded imports
283.     (".*", ".*", ".*", "((Enter|Delete|Leave)CriticalSection|(Get|Set)LastError|Heap(ReAlloc|Free|Size|Alloc)|Rtl(Unwind|MoveMemory))"),
284.     # Ignore sfc hooks going to sfc_os
285.     (".*", "sfc\.dll", "sfc_os\.dll", ".*"),
286.     # Ignore netapi32 hooks pointing at netutils or samcli
287.     (".*", "netapi32\.dll", "(netutils|samcli)\.dll", ".*"),
288.     (".*", "setupapi\.dll", "devrtl\.dll", ".*"),
289.     ],
290.     HOOK_MODE_USER | HOOKTYPE_EAT : [
291.     # These modules have so many hooks its really not useful to check
292.     (".*", "(msvcp|msvcr|mfc|wbemcomn|fastprox)", ".*", ".*"),
293.     ],
294.     HOOK_MODE_USER | HOOKTYPE_INLINE : [
295.     # Ignore hooks in the pywin32 service process
296.     ("pythonservice", ".*", ".*", ".*"),
297.     # Many legit hooks land inside these modules
298.     (".*", ".*", "(msvcr|advapi32|version|wbemcomn|ntdll|kernel32|kernelbase|sechost|ole32|shlwapi|user32|gdi32|ws2_32|shell32)", ".*"),
299.     # Ignore hooks of the c runtime DLLs
300.     (".*", "(msvc(p|r)\d{2}|mfc\d{2})\.dll", ".*", ".*"),
301.     # This is a global variable
302.     (".*", "msvcrt\.dll", ".*", "_acmdln"),
303.     # Ignore hooks of MD5Final, MD5Init, MD5Update that point inside advapi32
304.     (".*", ".*", "advapi32.dll", "MD5.+"),
305.     # Ignore hooks of common firefox components
306.     ("firefox\.exe", ".*", "(xul|mozcrt|nspr4)", ".*"),
307.     # Ignore hooks created by Parallels VM software
308.     (".*", "user32.dll", "prl_hook.dll", ".*"),
309.     # Ignore DLL registration functions
310.     (".*", ".*", ".*", "(DllCanUnloadNow|DllRegisterServer|DllUnregisterServer)"),
311.     # Ignore netapi32 hooks pointing at netutils
312.     (".*", "netapi32\.dll", "netutils\.dll", ".*"),
313.     ],
314.     HOOK_MODE_KERNEL | HOOKTYPE_IAT : [
315.     (".*", ".*", "(win32k\.sys|hal\.dll|dump_wmilib\.sys|ntkrnlpa\.exe|ntoskrnl\.exe)", ".*"),
316.     # Ignore hooks of the SCSI module which point inside the dump_scsiport module
317.     (".*", "scsiport\.sys", "dump_scsiport\.sys", ".*"),
318.     # Ignore other storage port hooks
319.     (".*", "storport\.sys", "dump_storport\.sys", ".*"),
320.     ],
321.     HOOK_MODE_KERNEL | HOOKTYPE_EAT : [
322.     ],
323.     HOOK_MODE_KERNEL | HOOKTYPE_INLINE : [
324.     # Ignore kernel hooks that point inside these modules
325.     (".*", ".*", "(hal.dll|ndis.sys|ntkrnlpa.exe|ntoskrnl.exe)", ".*"),
326.     ],
327. }
328.  
329. class ApiHooks(procdump.ProcExeDump):
330.     """Detect API hooks in process and kernel memory"""
331.  
332.     def __init__(self, config, *args, **kwargs):
333.         procdump.ProcExeDump.__init__(self, config, *args, **kwargs)
334.         config.remove_option("DUMP-DIR")
335.  
336.         config.add_option("NO-WHITELIST", short_option = 'N', default = False,
337.                 action = 'store_true',
338.                 help = 'No whitelist (show all hooks, can be verbose)')
339.  
340.         config.add_option("SKIP-KERNEL", short_option = 'R', default = False,
341.                 action = 'store_true',
342.                 help = 'Skip kernel mode checks')
343.  
344.         config.add_option("SKIP-PROCESS", short_option = 'P', default = False,
345.                 action = 'store_true',
346.                 help = 'Skip process checks')
347.  
348.         config.add_option("QUICK", short_option = 'Q', default = False,
349.                 action = 'store_true',
350.                 help = 'Work faster by only analyzing critical processes and dlls')
351.  
352.         self.compiled_rules = self.compile()
353.  
354.         # When the --quick option is set, we only scan the processes
355.         # and dlls in these lists. Feel free to adjust them for
356.         # your own purposes.
357.         self.critical_process = ["explorer.exe", "svchost.exe", "lsass.exe",
358.             "services.exe", "winlogon.exe", "csrss.exe", "smss.exe",
359.             "wininit.exe", "iexplore.exe", "firefox.exe", "spoolsv.exe"]
360.  
361.         self.critical_dlls = ["ntdll.dll", "kernel32.dll", "ws2_32.dll",
362.             "advapi32.dll", "secur32.dll", "crypt32.dll", "user32.dll",
363.             "gdi32.dll", "shell32.dll", "shlwapi.dll", "lsasrv.dll",
364.             "cryptdll.dll", "wsock32.dll", "mswsock.dll", "urlmon.dll",
365.             "csrsrv.dll", "winsrv.dll", "wininet.dll"]
366.  
367.         # When scanning for calls to unknown code pages (UCP), only
368.         # analyze the following drivers. This is based on an analysis of
369.         # the modules rootkits are most likely to infect, but feel free
370.         # to adjust it for your own purposes.
371.         self.ucpscan_modules = ["tcpip.sys", "ntfs.sys", "fastfast.sys",
372.             "wanarp.sys", "ndis.sys", "atapi.sys", "ntoskrnl.exe",
373.             "ntkrnlpa.exe", "ntkrnlmp.exe"]
374.  
375.     @staticmethod
376.     def is_valid_profile(profile):
377.         return (profile.metadata.get('os', 'unknown') == 'windows' and
378.                 profile.metadata.get('memory_model', '32bit') == '32bit')
379.  
380.     def compile(self):
381.         """
382.        Precompile the regular expression rules. Its quicker
383.        if we do this once per plugin run, rather than once per
384.        API hook that needs checking.
385.        """
386.         ret = dict()
387.         for key, rules in whitelist_rules.items():
388.             for rule in rules:
389.                 ruleset = ((re.compile(rule[0], re.I), # Process name
390.                             re.compile(rule[1], re.I), # Source module
391.                             re.compile(rule[2], re.I), # Destination module
392.                             re.compile(rule[3], re.I), # Function name
393.                             ))
394.                 if ret.has_key(key):
395.                     ret[key].append(ruleset)
396.                 else:
397.                     ret[key] = [ruleset]
398.         return ret
399.  
400.     def whitelist(self, rule_key, process, src_mod, dst_mod, function):
401.         """Check if an API hook should be ignored due to whitelisting.
402.  
403.        @param rule_key: a key from the whitelist_rules dictionary which
404.            describes the type of hook (i.e. Usermode IAT or Kernel Inline).
405.  
406.        @param process: name of the suspected victim process.
407.  
408.        @param src_mod: name of the source module whose function has been
409.            hooked. this varies depending on whether we're dealing with IAT
410.            EAT, inline, etc.
411.  
412.        @param dst_mod: name of the module that is the destination of the
413.            hook pointer. this is usually the rootkit dll, exe, or sys,
414.            however, in many cases there is no module name since the rootkit
415.            is trying to be stealthy.
416.  
417.        @param function: name of the function that has been hooked.
418.        """
419.         # There are no whitelist rules for this hook type
420.         if rule_key not in self.compiled_rules:
421.             return False
422.  
423.         for rule in self.compiled_rules[rule_key]:
424.             if (rule[0].search(process) != None and
425.                     rule[1].search(src_mod) != None and
426.                     rule[2].search(dst_mod) != None and
427.                     rule[3].search(function) != None):
428.                 return True
429.  
430.         return False
431.  
432.     def get_idt(self):
433.         """
434.        Build IDT to check for inline hooks that use interrupts, whitelist interrupts
435.        that are handled by common kernel mode modules
436.  
437.        @returns: Dictionary of idt index and handler address
438.        """
439.         idt_data={}
440.         for n, _, addr, module in idt.IDT(self._config).calculate():
441.             for rule in self.compiled_rules[HOOK_MODE_KERNEL | HOOKTYPE_INLINE]:
442.                 if module:
443.                     module_name = str(module.BaseDllName or '')
444.                 else:
445.                     module_name = "UNKNOWN"
446.                 if rule[2].search(module_name) is None:
447.                     idt_data[n] = addr
448.                 else:
449.                     idt_data[n] = None
450.         return idt_data
451.  
452.  
453.     @staticmethod
454.     def check_syscall(addr_space, module, module_group):
455.         """
456.        Enumerate syscall hooks in ntdll.dll. A syscall hook is one
457.        that modifies the function prologue of an NT API function
458.        (i.e. ntdll!NtCreateFile) or swaps the location of the sysenter
459.        with a malicious address.
460.  
461.        @param addr_space: a process AS for the process containing the
462.        ntdll.dll module.
463.  
464.        @param module: the _LDR_DATA_TABLE_ENTRY for ntdll.dll
465.  
466.        @param module_group: a ModuleGroup instance for the process.
467.        """
468.  
469.         # Resolve the real location of KiFastSystem Call for comparison
470.         KiFastSystemCall = module.getprocaddress("KiFastSystemCall")
471.         KiIntSystemCall = module.getprocaddress("KiIntSystemCall")
472.  
473.         if not KiFastSystemCall or not KiIntSystemCall:
474.             #debug.debug("Abort check_syscall, can't find KiFastSystemCall")
475.             return
476.  
477.         # Add the RVA to make it absolute
478.         KiFastSystemCall += module.DllBase
479.         KiIntSystemCall += module.DllBase
480.  
481.         # Check each exported function if its an NT syscall
482.         for _, f, n in module.exports():
483.  
484.             # Ignore forwarded exports
485.             if not f:
486.                 #debug.debug("Skipping forwarded export {0}".format(n or ''))
487.                 continue
488.  
489.             function_address = module.DllBase + f
490.  
491.             if not addr_space.is_valid_address(function_address):
492.                 #debug.debug("Function address {0:#x} for {1} is paged".format(
493.                 #    function_address, n or ''))
494.                 continue
495.  
496.             # Read enough of the function prologue for two instructions
497.             data = addr_space.zread(function_address, 24)
498.  
499.             instructions = []
500.  
501.             for op in distorm3.Decompose(function_address, data, distorm3.Decode32Bits):
502.                 if not op.valid:
503.                     break
504.                 if len(instructions) == 3:
505.                     break
506.                 instructions.append(op)
507.  
508.             i0 = instructions[0]
509.             i1 = instructions[1]
510.             i2 = instructions[2]
511.  
512.             # They both must be properly decomposed and have two operands  
513.             if (not i0 or not i0.valid or len(i0.operands) != 2 or
514.                     not i1 or not i1.valid or len(i1.operands) != 2):
515.                 #debug.debug("Error decomposing prologue for {0} at {1:#x}".format(
516.                 #    n or '', function_address))
517.                 continue
518.  
519.             # Now check the instruction and operand types
520.             if (i0.mnemonic == "MOV" and i0.operands[0].type == 'Register' and
521.                     i0.operands[0].name == 'EAX' and i0.operands[1].type == 'Immediate' and
522.                     i1.mnemonic == "MOV" and i1.operands[0].type == 'Register' and
523.                     i1.operands[0].name == 'EDX' and i0.operands[1].type == 'Immediate'):
524.  
525.                 if i2.operands[0].type == "Register":
526.                     # KiFastSystemCall is already in the register
527.                     syscall_address = i1.operands[1].value
528.                 else:
529.                     # Pointer to where KiFastSystemCall is stored
530.                     syscall_address = obj.Object('address',
531.                         offset = i1.operands[1].value, vm = addr_space)
532.  
533.                 if syscall_address not in [KiFastSystemCall, KiIntSystemCall]:
534.                     hook_module = module_group.find_module(syscall_address)
535.                     hook = Hook(hook_type = HOOKTYPE_NT_SYSCALL,
536.                                 hook_mode = HOOK_MODE_USER,
537.                                 function_name = n or '',
538.                                 function_address = function_address,
539.                                 hook_address = syscall_address,
540.                                 hook_module = hook_module,
541.                                 victim_module = module,
542.                                 )
543.                     # Add the bytes that will later be disassembled in the
544.                     # output to show exactly how the hook works. The first
545.                     # hop is the ntdll!Nt* API and the next hop is the rootkit.
546.                     hook.add_hop_chunk(function_address, data)
547.                     hook.add_hop_chunk(syscall_address, addr_space.zread(syscall_address, 24))
548.                     yield hook
549.  
550.     def check_ucpcall(self, addr_space, module, module_group):
551.         """Scan for calls to unknown code pages.
552.  
553.        @param addr_space: a kernel AS
554.  
555.        @param module: the _LDR_DATA_TABLE_ENTRY to scan
556.  
557.        @param module_group: a ModuleGroup instance for the process.
558.        """
559.  
560.         try:
561.             dos_header = obj.Object("_IMAGE_DOS_HEADER",
562.                 offset = module.DllBase, vm = addr_space)
563.  
564.             nt_header = dos_header.get_nt_header()
565.         except (ValueError, exceptions.SanityCheckException), _why:
566.             #debug.debug('get_nt_header() failed: {0}'.format(why))
567.             return
568.  
569.         # Parse the PE sections for this driver
570.         for sec in nt_header.get_sections(self._config.UNSAFE):
571.  
572.             # Only check executable sections
573.             if not sec.Characteristics & 0x20000000:
574.                 continue
575.  
576.             # Calculate the virtual address of this PE section in memory
577.             sec_va = module.DllBase + sec.VirtualAddress
578.  
579.             # Extract the section's data and make sure its not all zeros
580.             data = addr_space.zread(sec_va, sec.Misc.VirtualSize)
581.  
582.             if data == "\x00" * len(data):
583.                 continue
584.  
585.             # Disassemble instructions in the section
586.             for op in distorm3.DecomposeGenerator(sec_va, data, distorm3.Decode32Bits):
587.  
588.                 if (op.valid and ((op.flowControl == 'FC_CALL' and
589.                         op.mnemonic == "CALL") or
590.                         (op.flowControl == 'FC_UNC_BRANCH' and
591.                         op.mnemonic == "JMP")) and
592.                         op.operands[0].type == 'AbsoluteMemoryAddress'):
593.  
594.                     # This is ADDR, which is the IAT location
595.                     const = op.operands[0].disp & 0xFFFFFFFF
596.  
597.                     # Abort if ADDR is not a valid address
598.                     if not addr_space.is_valid_address(const):
599.                         continue
600.  
601.                     # This is what [ADDR] points to - the absolute destination
602.                     call_dest = obj.Object("address", offset = const, vm = addr_space)
603.  
604.                     # Abort if [ADDR] is not a valid address
605.                     if not addr_space.is_valid_address(call_dest):
606.                         continue
607.  
608.                     check1 = module_group.find_module(const)
609.                     check2 = module_group.find_module(call_dest)
610.  
611.                     # If ADDR or [ADDR] point to an unknown code page
612.                     if not check1 or not check2:
613.                         hook = Hook(hook_type = HOOKTYPE_CODEPAGE_KERNEL,
614.                                     hook_mode = HOOK_MODE_KERNEL,
615.                                     function_name = "",
616.                                     function_address = op.address,
617.                                     hook_address = call_dest,
618.                                     )
619.                         # Add the location we found the call
620.                         hook.add_hop_chunk(op.address,
621.                             data[op.address - sec_va : op.address - sec_va + 24])
622.  
623.                         # Add the rootkit stub
624.                         hook.add_hop_chunk(call_dest, addr_space.zread(call_dest, 24))
625.                         yield hook
626.  
627.     def check_wsp(self, addr_space, module, module_group):
628.         """
629.        Check for hooks of non-exported WSP* functions. The
630.        mswsock.dll module contains a global variable which
631.        points to all the internal Winsock functions. We find
632.        the function table by the reference from the exported
633.        WSPStartup API.
634.        
635.        .text:6C88922E 8B 7D 50          mov     edi, [ebp+lpProcTable]
636.        .text:6C889231 6A 1E             push    1Eh
637.        .text:6C889233 59                pop     ecx
638.        .text:6C889234 BE 40 64 8B 6C    mov     esi, offset _SockProcTable
639.        .text:6C889239 F3 A5             rep movsd
640.  
641.        @param addr_space: process AS
642.  
643.        @param module: the _LDR_DATA_TABLE_ENTRY for mswsock.dll
644.  
645.        @param module_group: a ModuleGroup instance for the process.
646.        """
647.  
648.         WSPStartup = module.getprocaddress("WSPStartup")
649.  
650.         if not WSPStartup:
651.             #debug.debug("Abort check_wsp, can't find WSPStartup")
652.             return
653.  
654.         WSPStartup += module.DllBase
655.  
656.         # Opcode pattern to look for
657.         signature = "\x6A\x1E\x59\xBE"
658.  
659.         # Read enough bytes of the function to find our signature
660.         data = addr_space.zread(WSPStartup, 300)
661.  
662.         if data == "\x00" * len(data):
663.             #debug.debug("WSPStartup prologue is paged")
664.             return
665.  
666.         offset = data.find(signature)
667.  
668.         if offset == -1:
669.             #debug.debug("Can't find {0} in WSPStartup".format(repr(signature)))
670.             return
671.  
672.         # Dereference the pointer as our _SockProcTable
673.         p = obj.Object("address",
674.             offset = WSPStartup + offset + len(signature),
675.             vm = addr_space)
676.  
677.         p = p.dereference_as("_SOCK_PROC_TABLE")
678.  
679.         # Enumerate functions in the procedure table
680.         for i, function_address in enumerate(p.Functions):
681.  
682.             function_owner = module_group.find_module(function_address)
683.  
684.             # The function points outside of mwsock, its hooked
685.             if function_owner != module:
686.  
687.                 hook = Hook(hook_type = HOOKTYPE_WINSOCK,
688.                             hook_mode = HOOK_MODE_USER,
689.                             function_name = WINSOCK_TABLE[i],
690.                             function_address = function_address,
691.                             hook_module = function_owner,
692.                             victim_module = module
693.                             )
694.                 hook.add_hop_chunk(function_address,
695.                     addr_space.zread(function_address, 12))
696.  
697.                 yield hook
698.             else:
699.                 # The function points inside mwsock, check inline
700.                 ret = self.check_inline(function_address, addr_space,
701.                     module.DllBase, module.DllBase + module.SizeOfImage,
702.                     self.idt)
703.  
704.                 if not ret:
705.                     #debug.debug("Cannot analyze {0}".format(WINSOCK_TABLE[i]))
706.                     continue
707.  
708.                 (hooked, data, hook_address) = ret
709.  
710.                 if hooked:
711.                     hook_module = module_group.find_module(hook_address)
712.                     if hook_module != module:
713.                         hook = Hook(hook_type = HOOKTYPE_WINSOCK,
714.                                     hook_mode = HOOK_MODE_USER,
715.                                     function_name = WINSOCK_TABLE[i],
716.                                     function_address = function_address,
717.                                     hook_module = hook_module,
718.                                     hook_address = hook_address,
719.                                     victim_module = module
720.                                     )
721.                         hook.add_hop_chunk(function_address, data)
722.                         hook.add_hop_chunk(hook_address, addr_space.zread(hook_address, 12))
723.                         yield hook
724.  
725.     @staticmethod
726.     def check_inline(va, addr_space, mem_start, mem_end, idt = None):
727.         """
728.        Check for inline API hooks. We check for direct and indirect
729.        calls, direct and indirect jumps, and PUSH/RET combinations.
730.  
731.        @param va: the virtual address of the function to check
732.  
733.        @param addr_space: process or kernel AS where the function resides
734.  
735.        @param mem_start: base address of the module containing the
736.            function being checked.
737.  
738.        @param mem_end: end address of the module containing the func
739.            being checked.
740.  
741.        @param idt: whitelisted IDT interrupt handlers removed from the
742.            dict. Not required for compatibility reasons.
743.  
744.        @returns: a tuple of (hooked, data, hook_address)
745.        """
746.  
747.         data = addr_space.zread(va, 24)
748.  
749.         if data == "\x00" * len(data):
750.             #debug.debug("Cannot read function prologue at {0:#x}".format(va))
751.             return None
752.  
753.         outside_module = lambda x: x != None and (x < mem_start or x > mem_end)
754.  
755.         # Number of instructions disassembled so far
756.         n = 0
757.         # Destination address of hooks
758.         d = None
759.         # Save the last PUSH before a CALL
760.         push_val = None
761.         # Save the general purpose registers
762.         regs = {}
763.  
764.         for op in distorm3.Decompose(va, data, distorm3.Decode32Bits):
765.  
766.             # Quit the loop when we have three instructions or when
767.             # a decomposition error is encountered, whichever is first.
768.             if not op.valid or n == 3:
769.                 break
770.  
771.             if op.flowControl == 'FC_CALL':
772.                 # Clear the push value
773.                 if push_val:
774.                     push_val = None
775.                 if op.mnemonic == "CALL" and op.operands[0].type == 'AbsoluteMemoryAddress':
776.                     # Check for CALL [ADDR]
777.                     const = op.operands[0].disp & 0xFFFFFFFF
778.                     d = obj.Object("unsigned int", offset = const, vm = addr_space)
779.                     if outside_module(d):
780.                         break
781.                 elif op.operands[0].type == 'Immediate':
782.                     # Check for CALL ADDR
783.                     d = op.operands[0].value & 0xFFFFFFFF
784.                     if outside_module(d):
785.                         break
786.                 elif op.operands[0].type == 'Register':
787.                     # Check for CALL REG
788.                     d = regs.get(op.operands[0].name)
789.                     if d and outside_module(d):
790.                         break
791.             elif op.flowControl == 'FC_UNC_BRANCH' and op.mnemonic == "JMP":
792.                 # Clear the push value
793.                 if push_val:
794.                     push_val = None
795.                 if op.size > 2:
796.                     if op.operands[0].type == 'AbsoluteMemoryAddress':
797.                         # Check for JMP [ADDR]
798.                         const = op.operands[0].disp & 0xFFFFFFFF
799.                         d = obj.Object("unsigned int", offset = const, vm = addr_space)
800.                         if outside_module(d):
801.                             break
802.                     elif op.operands[0].type == 'Immediate':
803.                         # Check for JMP ADDR
804.                         d = op.operands[0].value & 0xFFFFFFFF
805.                         if outside_module(d):
806.                             break
807.                 elif op.size == 2 and op.operands[0].type == 'Register':
808.                     # Check for JMP REG
809.                     d = regs.get(op.operands[0].name)
810.                     if d and outside_module(d):
811.                         break
812.             elif op.flowControl == 'FC_NONE':
813.                 # Check for PUSH followed by a RET
814.                 if (op.mnemonic == "PUSH" and
815.                         op.operands[0].type == 'Immediate' and op.size == 5):
816.                     # Set the push value
817.                     push_val = op.operands[0].value & 0xFFFFFFFF
818.                 # Check for moving imm values into a register
819.                 if (op.mnemonic == "MOV" and op.operands[0].type == 'Register'
820.                         and op.operands[1].type == 'Immediate'):
821.                     # Clear the push value
822.                     if push_val:
823.                         push_val = None
824.                     # Save the value put into the register
825.                     regs[op.operands[0].name] = op.operands[1].value
826.             elif op.flowControl == 'FC_RET':
827.                 if push_val:
828.                     d = push_val
829.                     if outside_module(d):
830.                         break
831.                 # This causes us to stop disassembling when
832.                 # reaching the end of a function
833.                 break
834.             elif op.flowControl == "FC_INT" and idt:
835.                 # Clear the push value
836.                 if push_val:
837.                     push_val = None
838.                 # Check for INT, ignore INT3
839.                 if op.mnemonic == "INT" and op.size > 1 and op.operands[0].type == 'Immediate':
840.                     # Check interrupt handler address
841.                     d = idt[op.operands[0].value]
842.                     if d and outside_module(d):
843.                         break
844.             n += 1
845.  
846.         # Check EIP after the function prologue
847.         if outside_module(d):
848.             return True, data, d
849.         else:
850.             return False, data, d
851.  
852.     def gather_stuff(self, _addr_space, module):
853.         """Use the Volatility object classes to enumerate
854.        imports and exports. This function can be overriden
855.        to use pefile instead for speed testing"""
856.  
857.         # This is a dictionary where keys are the names of imported
858.         # modules and values are lists of tuples (ord, addr, name).
859.         imports = {}
860.         exports = [(o, module.DllBase + f, n) for o, f, n in module.exports()]
861.  
862.         for dll, o, f, n in module.imports():
863.             dll = dll.lower()
864.             if dll in imports:
865.                 imports[dll].append((o, f, n))
866.             else:
867.                 imports[dll] = [(o, f, n)]
868.  
869.         return imports, exports
870.  
871.     def get_hooks(self, hook_mode, addr_space, module, module_group):
872.         """Enumerate IAT, EAT, Inline hooks. Also acts as a dispatcher
873.        for NT syscall, UCP scans, and winsock procedure table hooks.
874.  
875.        @param hook_mode: one of the HOOK_MODE_* constants
876.  
877.        @param addr_space: a process AS or kernel AS
878.  
879.        @param module: an _LDR_DATA_TABLE_ENTRY for the module being
880.        checked for hooks.
881.  
882.        @param module_group: a ModuleGroup instance for the process.
883.        """
884.  
885.         # We start with the module base name. If that's not available,
886.         # trim the full name down to its base name.
887.         module_name = (str(module.BaseDllName or '') or
888.                        ntpath.basename(str(module.FullDllName or '')))
889.  
890.         # Lowercase for string matching
891.         module_name = module_name.lower()
892.  
893.         if hook_mode == HOOK_MODE_USER:
894.             if module_name == "ntdll.dll":
895.                 for hook in self.check_syscall(addr_space, module, module_group):
896.                     yield hook
897.             elif module_name == "mswsock.dll":
898.                 for hook in self.check_wsp(addr_space, module, module_group):
899.                     yield hook
900.         else:
901.             if module_name in self.ucpscan_modules:
902.                 for hook in self.check_ucpcall(addr_space, module, module_group):
903.                     yield hook
904.  
905.         imports, exports = \
906.             self.gather_stuff(addr_space, module)
907.  
908.         for dll, functions in imports.items():
909.  
910.             valid_owners = module_group.mod_name.get(dll, [])
911.             if not valid_owners:
912.                 #debug.debug("Cannot find any modules named {0}".format(dll))
913.                 continue
914.  
915.             for (_, f, n) in functions:
916.  
917.                 if not f:
918.                     #debug.debug("IAT function {0} is paged or ordinal".format(n or ''))
919.                     continue
920.  
921.                 if not addr_space.is_valid_address(f):
922.                     continue
923.  
924.                 function_owner = module_group.find_module(f)
925.  
926.                 if function_owner not in valid_owners:
927.                     hook = Hook(hook_type = HOOKTYPE_IAT,
928.                                 hook_mode = hook_mode,
929.                                 function_name = n or '',
930.                                 hook_address = f,
931.                                 hook_module = function_owner,
932.                                 victim_module = dll, # only for IAT hooks
933.                                 )
934.                     # Add the rootkit code
935.                     hook.add_hop_chunk(f, addr_space.zread(f, 24))
936.                     yield hook
937.  
938.         for _, f, n in exports:
939.  
940.             if not f:
941.                 #debug.debug("EAT function {0} is paged".format(n or ''))
942.                 continue
943.  
944.             function_address = f
945.  
946.             if not addr_space.is_valid_address(function_address):
947.                 continue
948.  
949.             # Get the module containing the function
950.             function_owner = module_group.find_module(function_address)
951.  
952.             # This is a check for EAT hooks
953.             if function_owner != module:
954.                 hook = Hook(hook_type = HOOKTYPE_EAT,
955.                             hook_mode = hook_mode,
956.                             function_name = n or '',
957.                             hook_address = function_address,
958.                             hook_module = function_owner,
959.                             )
960.                 hook.add_hop_chunk(function_address,
961.                     addr_space.zread(function_address, 24))
962.                 yield hook
963.  
964.                 # No need to check for inline hooks if EAT is hooked
965.                 continue
966.  
967.             ret = self.check_inline(function_address, addr_space,
968.                 module.DllBase, module.DllBase + module.SizeOfImage,
969.                 self.idt)
970.  
971.             if ret == None:
972.                 #debug.debug("Cannot analyze {0}".format(n or ''))
973.                 continue
974.  
975.             (hooked, data, dest_addr) = ret
976.  
977.             if not hooked:
978.                 continue
979.  
980.             if not addr_space.is_valid_address(dest_addr):
981.                 continue
982.  
983.             function_owner = module_group.find_module(dest_addr)
984.             if function_owner != module:
985.                 # only do this for kernel hooks
986.                 #if params['mode'] == HOOK_MODE_KERNEL:
987.                 #    if owner:
988.                 #        if self.in_data_section(owner, status['destaddr']):
989.                 #            continue
990.  
991.                 hook = Hook(hook_type = HOOKTYPE_INLINE,
992.                             hook_mode = hook_mode,
993.                             function_name = n or '',
994.                             function_address = function_address,
995.                             hook_address = dest_addr,
996.                             hook_module = function_owner,
997.                             victim_module = module,
998.                             )
999.                 # Add the function prologue
1000.                 hook.add_hop_chunk(function_address, data)
1001.                 # Add the first redirection
1002.                 hook.add_hop_chunk(dest_addr, addr_space.zread(dest_addr, 24))
1003.                 yield hook
1004.  
1005.     def calculate(self):
1006.  
1007.         addr_space = utils.load_as(self._config)
1008.  
1009.         if not has_distorm3:
1010.             debug.error("Install distorm3 code.google.com/p/distorm/")
1011.  
1012.         if not self.is_valid_profile(addr_space.profile):
1013.             debug.error("This command does not support the selected profile.")
1014.  
1015.         self.idt = self.get_idt()
1016.  
1017.         if not self._config.SKIP_PROCESS:
1018.             for proc in self.filter_tasks(tasks.pslist(addr_space)):
1019.                 process_name = str(proc.ImageFileName).lower()
1020.  
1021.                 if (self._config.QUICK and
1022.                         process_name not in self.critical_process):
1023.                     #debug.debug("Skipping non-critical process {0} ({1})".format(
1024.                     #    process_name, proc.UniqueProcessId))
1025.                     continue
1026.  
1027.                 process_space = proc.get_process_address_space()
1028.                 if not process_space:
1029.                     #debug.debug("Cannot acquire process AS for {0} ({1})".format(
1030.                     #    process_name, proc.UniqueProcessId))
1031.                     continue
1032.  
1033.                 module_group = ModuleGroup(proc.get_load_modules())
1034.  
1035.                 for dll in module_group.mods:
1036.  
1037.                     if not process_space.is_valid_address(dll.DllBase):
1038.                         continue
1039.  
1040.                     dll_name = str(dll.BaseDllName or '').lower()
1041.  
1042.                     if (self._config.QUICK and
1043.                             dll_name not in self.critical_dlls and
1044.                             dll.DllBase != proc.Peb.ImageBaseAddress):
1045.                         #debug.debug("Skipping non-critical dll {0} at {1:#x}".format(
1046.                         #    dll_name, dll.DllBase))
1047.                         continue
1048.  
1049.                     #debug.debug("Analyzing {0}!{1}".format(process_name, dll_name))
1050.  
1051.                     for hook in self.get_hooks(HOOK_MODE_USER,
1052.                             process_space, dll, module_group):
1053.                         yield proc, dll, hook
1054.  
1055.         if not self._config.SKIP_KERNEL:
1056.             process_list = list(tasks.pslist(addr_space))
1057.             module_group = ModuleGroup(modules.lsmod(addr_space))
1058.  
1059.             for mod in module_group.mods:
1060.  
1061.                 #module_name = str(mod.BaseDllName or '')
1062.                 #debug.debug("Analyzing {0}".format(module_name))
1063.  
1064.                 kernel_space = tasks.find_space(addr_space,
1065.                     process_list, mod.DllBase)
1066.  
1067.                 if not kernel_space:
1068.                     #debug.debug("No kernel AS for {0} at {1:#x}".format(
1069.                     #    module_name, mod.DllBase))
1070.                     continue
1071.  
1072.                 for hook in self.get_hooks(HOOK_MODE_KERNEL,
1073.                         kernel_space, mod, module_group):
1074.                     yield None, mod, hook
1075.  
1076.     def render_text(self, outfd, data):
1077.         for process, module, hook in data:
1078.  
1079.             if not self._config.NO_WHITELIST:
1080.  
1081.                 if process:
1082.                     process_name = str(process.ImageFileName)
1083.                 else:
1084.                     process_name = ''
1085.  
1086.                 if self.whitelist(hook.hook_mode | hook.hook_type,
1087.                                     process_name, hook.VictimModule,
1088.                                     hook.HookModule, hook.Function):
1089.                     #debug.debug("Skipping whitelisted function: {0} {1} {2} {3}".format(
1090.                     #    process_name, hook.VictimModule, hook.HookModule,
1091.                     #    hook.Function))
1092.                     continue
1093.  
1094.             outfd.write("*" * 72 + "\n")
1095.             outfd.write("Hook mode: {0}\n".format(hook.Mode))
1096.             outfd.write("Hook type: {0}\n".format(hook.Type))
1097.  
1098.             if process:
1099.                 outfd.write('Process: {0} ({1})\n'.format(
1100.                     process.UniqueProcessId, process.ImageFileName))
1101.  
1102.             outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
1103.                 str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')),
1104.                 module.DllBase, module.DllBase + module.SizeOfImage))
1105.  
1106.             outfd.write("Function: {0}\n".format(hook.Detail))
1107.             outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
1108.             outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))
1109.  
1110.             for n, info in enumerate(hook.disassembled_hops):
1111.                 (address, data) = info
1112.                 s = ["{0:#x} {1:<16} {2}".format(o, h, i)
1113.                         for o, i, h in
1114.                         malfind.Disassemble(data, int(address))
1115.                     ]
1116.                 outfd.write("Disassembly({0}):\n{1}".format(n, "\n".join(s)))
1117.                 outfd.write("\n\n")