New profile for Debian 10.2 x64

Mac/scripts/check_for_dups.py

@@ -0,0 +1,59 @@
+import os, sys, re, zipfile, hashlib
+
+def get_hash(profpkg, f, skip_first=False):
+    data = profpkg.read(f.filename)
+    data = data.split("\n")
+    if skip_first:
+        data = data[5:]
+
+    return hashlib.md5("".join(data)).hexdigest()
+
+def main():
+    path = "."
+
+    pairs = {}
+
+    for path, _, files in os.walk(path):
+        for fn in files:
+            full_path = os.path.join(path, fn)
+            if zipfile.is_zipfile(full_path):
+                profpkg = zipfile.ZipFile(full_path)
+
+                syms = ""
+                vtypes = ""
+
+                for f in profpkg.filelist:
+                    if 'symbol.dsymutil' in f.filename.lower():
+                        syms = get_hash(profpkg, f, skip_first=True)
+
+                    elif f.filename.endswith(".vtypes"):
+                        vtypes = get_hash(profpkg, f)                      
+
+
+                if syms == "" or vtypes == "":
+                    print "BROKE ON %s" % full_path
+                    exit()
+
+                key = "%s|%s" % (syms, vtypes)
+
+                if not key in pairs:
+                    pairs[key] = []
+
+                pairs[key].append(full_path)
+
+
+    for paths in pairs.values():
+        if len(paths) > 1:
+            print paths
+
+
+
+
+
+
+
+
+
+
+if __name__ == "__main__":
+    main()

Mac/scripts/check_for_symbol.py

@@ -0,0 +1,81 @@
+import os, sys, re, zipfile
+
+def exec_vtypes(filename):
+    env = {}
+    exec(filename, dict(__builtins__ = None), env)
+    return env["mac_types"]
+
+def parse_dsymutil(data, wanted_symbol):
+    """Parse the symbol file."""
+
+    ret = 0
+
+    # get the system map
+    for line in data.splitlines():
+        ents = line.split()
+
+        match = re.search("\[.*?\(([^\)]+)\)\s+[0-9A-Fa-z]+\s+\d+\s+([0-9A-Fa-f]+)\s'(\w+)'", line)
+
+        if match:
+            (sym_type, addr, name) = match.groups()
+            sym_type = sym_type.strip()
+
+            addr = int(addr, 16)
+
+            if addr == 0 or name == "":
+                continue
+
+            if name == wanted_symbol:
+                ret = addr
+                break
+
+    return ret
+
+def main():
+    path = sys.argv[1]
+
+    lenargs = len(sys.argv)
+
+    if lenargs == 3:
+        sym = sys.argv[2]
+    else:
+        structname = sys.argv[2]
+        member     = sys.argv[3]
+
+    for path, _, files in os.walk(path):
+        for fn in files:
+            full_path = os.path.join(path, fn)
+            if zipfile.is_zipfile(full_path):
+                #print "checking %s" % full_path
+
+                profpkg = zipfile.ZipFile(full_path)
+
+                for f in profpkg.filelist:
+                    if lenargs == 3 and 'symbol.dsymutil' in f.filename.lower():
+                        ret = parse_dsymutil(profpkg.read(f.filename), sym)
+
+                        if ret == 0:
+                            print "NOT FOUND: %s" % full_path
+
+                        #print "%s -> %x" % (sym, ret)
+
+                        break
+
+                    elif lenargs == 4 and f.filename.endswith(".vtypes"):
+                        v = exec_vtypes(profpkg.read(f.filename))                       
+
+                        if structname in v:
+                            member_info = v[structname][1]
+
+                            if member in member_info:
+                                info = member_info[member]
+                                print "found: %s | %s" % (full_path, info)
+                            else:
+                                print "member %s not found!" % full_path
+                        else:
+                            print "struct %s not found in %s!" % (structname, full_path)
+
+                        break
+
+if __name__ == "__main__":
+    main()

Mac/scripts/generate_profile_list.py

@@ -0,0 +1,116 @@
+# Volatility
+#
+# This file is part of Volatility.
+#
+# Volatility is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Volatility is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+'''
+This helper script generates (kernel version, version address pairs)
+to help generate the list used by mac_get_profiles
+
+Run it from the Mac directory of the Volatility profiles repo
+'''
+
+import os, sys, re
+import zipfile
+
+def parse_dsymutil(data, module):
+    """Parse the symbol file."""
+    sys_map = {}
+    sys_map[module] = {}
+
+    want_lower = ["_IdlePML4"]        
+
+    type_map = {}
+    type_map[module] = {}
+
+    # get the system map
+    for line in data.splitlines():
+        ents = line.split()
+
+        match = re.search("\[.*?\(([^\)]+)\)\s+[0-9A-Fa-z]+\s+\d+\s+([0-9A-Fa-f]+)\s'(\w+)'", line)
+
+        if match:
+            (sym_type, addr, name) = match.groups()
+            sym_type = sym_type.strip()
+
+            addr = int(addr, 16)
+
+            if addr == 0 or name == "":
+                continue
+
+            if not name in sys_map[module]:
+                sys_map[module][name] = [(addr, sym_type)]
+
+            # every symbol is in the symbol table twice
+            # except for the entries in 'want_lower', we need the higher address for all 
+            oldaddr = sys_map[module][name][0][0]
+            if addr < oldaddr and name in want_lower:
+                sys_map[module][name] = [(addr, sym_type)]
+
+            if not addr in type_map[module]:
+                type_map[module][addr] = (name, [sym_type])
+
+            type_map[module][addr][1].append(sym_type)
+
+    return sys_map["kernel"]
+
+print "profiles = ["
+
+for path in set("."):
+    for path, _, files in os.walk(path):
+        for fn in files:
+            if zipfile.is_zipfile(os.path.join(path, fn)):
+                lg = "BAD"
+                aslr = -1
+                name = "BAD"
+                comm_offset = -1
+
+                profpkg = zipfile.ZipFile(os.path.join(path, fn))
+                for f in profpkg.filelist:
+                    if 'symbol.dsymutil' in f.filename.lower():
+                        data = parse_dsymutil(profpkg.read(f.filename), "kernel")
+
+                        if "_lowGlo" in data:
+                            lg = data["_lowGlo"][0][0]
+                        else:
+                            lg = "0"
+
+                        if "_BootPML4" in data:
+                            aslr = 1
+                        else:
+                            aslr = 0
+
+                        name = fn.replace(".zip", "")
+                        name = 'Mac' + name.replace('.', '_')
+
+                        if name.find("Intel") == -1:
+                            name = name + "x64"
+                        else:
+                            name = name + "x86"
+
+                    elif '.vtypes' in f.filename.lower():
+                        env = {}
+                        exec(profpkg.read(f.filename), dict(__builtins__ = None), env)
+                        mtypes    = env['mac_types']
+                        comm_offset = mtypes['proc'][1]['p_comm'][0]
+
+                if lg == "BAD" or aslr == -1 or name == "BAD" or comm_offset == -1:
+                    print "BROKEN PARSING FOR %s" % (os.path.join(path, fn))
+                else:
+                    print "[\"%s\", %s, %s, %d]," % (name, data["_version"][0][0], lg, aslr)
+
+print "]"
+