From 1f4f8c07bbbd5c21052ab34bb23d204e54dd790e Mon Sep 17 00:00:00 2001
From: Matan Dobrushin
Date: Sat, 16 Dec 2017 19:15:02 +0200
Subject: [PATCH 1/2] django version update

django 2 does not support python 2.7 so the version should be specified to pip
---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 07b9a8b..ec02457 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
 pexpect
-django
+django==1.11.7
 distorm3
 geoip2
 pycrypto

From cd1e1251bb8ca154321719483bfb343825201006 Mon Sep 17 00:00:00 2001
From: Matan Dobrushin
Date: Sat, 16 Dec 2017 19:17:21 +0200
Subject: [PATCH 2/2] malfind dumps download

simple fix to generate the files to download based on pslist result
---
 web/views.py | 70 +++++++++++++++++++++++++++++++++-------------------
 1 file changed, 45 insertions(+), 25 deletions(-)

diff --git a/web/views.py b/web/views.py
index de5006c..84d2ee2 100644
--- a/web/views.py
+++ b/web/views.py
@@ -339,6 +339,17 @@ def create_session(request):
 return redirect('/')
+def get_pslist_dict(session_id):
+ # returns {'pid' : 'ADDRESS', ...} dict
+ old_result = db.get_plugin_byname('pslist', session_id)
+ if old_result:
+ pid_addr = {}
+ for result in old_result['plugin_output']['rows']:
+ pid_addr[result[3]] = result[1]
+ return pid_addr
+ return None
+
+
 def run_plugin(session_id, plugin_id, pid=None, plugin_options=None):
 """
 return the results json from a plugin
@@ -391,6 +402,8 @@ def try_run(plugin_name, dump_dir=None, output_style=None, pid=None, plugin_opti
 # Get details from the plugin
 plugin_row = db.get_pluginbyid(plugin_id)
 plugin_name = plugin_row['plugin_name'].lower()
+ if plugin_name in ["malfind"]:
+ dump_dir = tempfile.mkdtemp()
 logger.debug('Running Plugin: {0}'.format(plugin_name))
 # Set plugin status
 new_values = {'status': 'processing'}
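Review bot: `get_pslist_dict` reads the PID from `result[3]` and the address from `result[1]` without saying which pslist columns those positions are, and its contract lives in a `#` comment rather than a docstring. A docstring such as `"""Return {pid: process_address} built from the stored pslist output, or None if pslist has not been run for this session."""` plus a comment on the assignment line naming the two columns would make the mapping checkable against the plugin's column layout. The caller added later in this file wraps the call in `except TypeError`, which suggests `old_result['plugin_output']['rows']` can fail for some stored results; if so, that guard belongs inside this helper (for instance `rows = (old_result.get('plugin_output') or {}).get('rows', [])`) so every caller gets the documented None instead of an exception.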
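Review bot: The directory created by `tempfile.mkdtemp()` for malfind is only removed by the `shutil.rmtree(dump_dir)` near the end of try_run, so any exception raised while the plugin runs leaves dump files extracted from the analysed image on disk; a try/finally around the run, or cleanup in the existing error path, would close that gap. try_run's body starts and ends outside this hunk, and whether `tempfile` is already imported in web/views.py cannot be seen here. A comment such as `# malfind writes one .dmp per injection here; removed once the rows are processed` next to the assignment would record why the directory is created only for this plugin.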
@@ -543,28 +556,35 @@ def try_run(plugin_name, dump_dir=None, output_style=None, pid=None, plugin_opti
 results = new_results
- # ToDo
- '''
 if plugin_row['plugin_name'] in ['malfind']:
- logger.debug('Processing Rows')
- # Convert text to rows
- new_results = plugin_row['plugin_output']
-
- if len(file_list) == 0:
- new_results['rows'].append([process, pid, 'Not Stored'])
+ try:
+ pslist = get_pslist_dict(session_id)
+ except TypeError:
+ pslist = None
+ if pslist:
+ logger.debug('Processing Rows')
+ logger.debug('Store malfind injections')
+ # Convert text to rows
+ new_results = []
+
+ for row in results['rows']:
+ pid = row[1]
+ injection_address = row[2]
+ proc_addr = pslist[pid]
+ injection_name = "process.{0}.{1}.dmp".format(proc_addr, injection_address)
+ injection_path = os.path.join(dump_dir, injection_name)
+ if os.path.exists(injection_path):
+ file_data = open(injection_path, 'rb').read()
+ sha256 = hashlib.sha256(file_data).hexdigest()
+ file_id = db.create_file(file_data, session_id, sha256, injection_name)
+ row_file = ' Download'
+ row.append(row_file)
+ else:
+ logger.debug('Injection {0}.{1} has not been found'.format(proc_addr, injection_address))
+ row_file = 'Download'
+ row.append(row_file)
 else:
- for dump_file in file_list:
- logger.debug('Store memdump file')
- file_data = open(os.path.join(temp_dir, dump_file), 'rb').read()
- sha256 = hashlib.sha256(file_data).hexdigest()
- file_id = db.create_file(file_data, session_id, sha256, dump_file)
- row_file = '' \
- 'File Details'
- new_results['rows'].append([process, pid, row_file])
-
- results = new_results
- '''
+ logger.error('In order to generate malfind downloads, please run pslist first!')
 # Remove the dumpdir
 shutil.rmtree(dump_dir)
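Review bot: `proc_addr = pslist[pid]` raises KeyError for any malfind row whose PID is absent from the stored pslist output (the two plugins run at different times, and if the PID type in `result[3]` differs from the one in `row[1]`, every lookup misses), and that exception sits outside the `except TypeError` guard, so one unmatched row aborts the whole result. In the same loop `open(injection_path, 'rb').read()` never closes the file, and `new_results = []` is assigned but never used because rows are appended to `results['rows']` in place. Since `proc_addr` and `injection_address` come from plugin output over the analysed image, it is also worth confirming that the joined `injection_path` resolves inside `dump_dir` before it is read. The rewrite below uses `pslist.get`, a containment check and a `with` block; try_run's body continues outside the hunk.
```python
            for row in results['rows']:
                pid = row[1]
                injection_address = row[2]
                proc_addr = pslist.get(pid)
                injection_name = "process.{0}.{1}.dmp".format(proc_addr, injection_address)
                injection_path = os.path.join(dump_dir, injection_name)
                # Only read files that actually live in this run's dump directory.
                dump_root = os.path.realpath(dump_dir) + os.sep
                in_dump_dir = os.path.realpath(injection_path).startswith(dump_root)
                if proc_addr is not None and in_dump_dir and os.path.exists(injection_path):
                    with open(injection_path, 'rb') as dump_fh:
                        file_data = dump_fh.read()
                    sha256 = hashlib.sha256(file_data).hexdigest()
                    file_id = db.create_file(file_data, session_id, sha256, injection_name)
                    # … unchanged: row_file and row.append(row_file) …
                else:
                    # … unchanged: debug log and placeholder row_file …
```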
@@ -608,11 +628,11 @@ def try_run(plugin_name, dump_dir=None, output_style=None, pid=None, plugin_opti
 if plugin_row['plugin_name'] in ['hivelist', 'hivescan']:
 row.append('Use the "dumpregistry" plugin to view hive keys')
- # Add option to process malfind
- if plugin_row['plugin_name'] in ['malfind']:
- ajax_string = "onclick=\"ajaxHandler('malfind_export', {'plugin_id':'" + str(plugin_id) + \
- "', 'rowid':'" + str(counter) + "'}, true )\"; return false"
- row.append('Extract Injected')
+ # # Add option to process malfind
+ # if plugin_row['plugin_name'] in ['malfind']:
+ # ajax_string = "onclick=\"ajaxHandler('malfind_export', {'plugin_id':'" + str(plugin_id) + \
+ # "', 'rowid':'" + str(counter) + "'}, true )\"; return false"
+ # row.append('Extract Injected')
 counter += 1