From d257c92a57e307e99dab8536398aa7f0555ffd08 Mon Sep 17 00:00:00 2001
From: Oleksii Shevchuk
Date: Tue, 11 Apr 2017 14:33:31 +0300
Subject: [PATCH] Add options for memorpy optimizations and required length
---
 pupy/modules/memstrings.py | 26 ++++++++++++++++++++++----
 pupy/packages/all/memstrings.py | 8 ++++----
 2 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/pupy/modules/memstrings.py b/pupy/modules/memstrings.py
index 54e5d271..db2582ec 100644
--- a/pupy/modules/memstrings.py
+++ b/pupy/modules/memstrings.py
@@ -5,7 +5,7 @@ from pupylib.utils.rpyc_utils import obtain
 __class_name__="MemStrings"
-@config(cat="memstrings", compat=["windows", "linux"])
+@config(cat="creds", compat=["windows", "linux"])
 class MemStrings(PupyModule):
     """
     Dump printable strings from process memory for futher analysis
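Review bot: The class docstring in the context lines under the re-categorised decorator still reads `futher`; `init_argparse` passes `self.__doc__` as the parser description, so this is the text users see in the module's help, and it is worth fixing in the same commit to `Dump printable strings from process memory for further analysis`. The docstring continues past the end of this hunk.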
@@ -15,8 +15,21 @@ class MemStrings(PupyModule):
     def init_argparse(self):
         self.arg_parser = PupyArgumentParser(prog='memstrings', description=self.__doc__)
         action = self.arg_parser.add_mutually_exclusive_group(required=True)
-        action.add_argument('-p', '--pid', nargs='*', type=int, default=[])
-        action.add_argument('-n', '--name', nargs='*', default=[])
+        action.add_argument('-p', '--pid', nargs='*', type=int, default=[],
+                            help='Include processes with specified pids')
+        action.add_argument('-n', '--name', nargs='*', default=[],
+                            help='Include processes with specified names')
+        self.arg_parser.add_argument('-o', '--omit', type=str, default='isrx',
+                                     help='Avoid scanning: ' 'i - ranges with file mapping; ' 's - ranges with shared region; ' 'x - ranges with executable region; ' 'r - ranges with read-only region')
+        self.arg_parser.add_argument('-l', '--min-length', type=int, default=4,
+                                     help='Show only strings which are longer then specified length')
+        self.arg_parser.add_argument('-m', '--max-length', type=int, default=51,
+                                     help='Show only strings which are shorter then specified length')
+
         self.arg_parser.add_argument(
             '-log',
             help='Save output to file. Omit output to stdout. You can use vars: '
@@ -26,7 +39,12 @@ class MemStrings(PupyModule):
     def run(self, args):
         targets = args.pid + args.name
-        dump = self.client.conn.modules.memstrings.find_strings(targets)
+        dump = self.client.conn.modules.memstrings.find_strings(
+            targets,
+            min_length=args.min_length,
+            max_length=args.max_length,
+            omit=args.omit
+        )
         dump = obtain(dump)
         if not dump:
             self.error('No dumps received')
diff --git a/pupy/packages/all/memstrings.py b/pupy/packages/all/memstrings.py
index ac7968e3..5732857e 100644
--- a/pupy/packages/all/memstrings.py
+++ b/pupy/packages/all/memstrings.py
@@ -11,7 +11,7 @@ def try_int(x):
     except:
         return x
-def find_strings(targets, min_length=4):
+def find_strings(targets, min_length=4, max_length=51, omit='isxr'):
     if not targets:
         return {}
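Review bot: The help strings added for `--min-length` and `--max-length` misstate the filter and misspell "than": the remote side compiles `[\x20-\x7e]{min,max}`, so both bounds are inclusive, not strict. `help='Show only strings of at least the given length (default 4)'` and `help='Show only strings of at most the given length (default 51)'` describe what the code does. The `--omit` default here is `'isrx'` while the new `find_strings` signature in pupy/packages/all/memstrings.py (the `@@ -11,7` hunk) defaults to `'isxr'`; the letter order is presumably irrelevant to memorpy, but spelling both the same avoids the question.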
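Review bot: `run` forwards `args.min_length` and `args.max_length` to the remote `find_strings` with no range check, and the remote interpolates them straight into a regex quantifier (the `@@ -21,8` hunk of pupy/packages/all/memstrings.py): `max_length < min_length` raises `re.error` on the remote side, which presumably surfaces as an opaque RPC exception, and a value below 1 leaves `{` unparsed as a literal so every string is silently filtered out and the user just sees "No dumps received". A guard before the call keeps the failure local and readable: `if args.min_length < 1 or args.max_length < args.min_length:` / `self.error('--min-length must be >= 1 and not above --max-length')` / `return`. The same check belongs in `find_strings` itself, since it is the RPC-exposed entry point. `run` continues past the end of this hunk.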
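Review bot: `find_strings` gains `max_length` and `omit` but has no docstring, so the meaning of `51` and `'isxr'` is only recoverable by reading the argparse help in pupy/modules/memstrings.py. A docstring should state that `targets` holds pids or process basenames (the later hunk matches `process.get('pid')` and `os.path.basename(process.get('name'))` against it), that `min_length` and `max_length` are inclusive bounds on a run of printable ASCII 0x20–0x7e, that `omit` is forwarded unchanged as memorpy's `optimizations` string whose letters i/s/x/r are listed in the module's `--omit` help, and that an empty `targets` returns `{}`. The body of `find_strings` continues past this hunk.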
@@ -21,8 +21,9 @@ def find_strings(targets, min_length=4):
     targets = set([ try_int(x) for x in targets ])
     results = {}
+    printable = re.compile('^[\x20-\x7e]{{{},{}}}$'.format(min_length, max_length))
+
     for process in memorpy.Process.list():
-        print os.path.basename(process.get('name')), process.get('name'), targets
         if not ( os.path.basename(process.get('name')) in targets or process.get('pid') in targets ):
@@ -35,9 +36,8 @@ def find_strings(targets, min_length=4):
         }
         mw = memorpy.MemWorker(pid=process.get('pid'))
-        printable = re.compile('^[\x20-\x7e]{{{},}}$'.format(min_length))
         duplicates = set()
-        for _, (cstring,) in mw.mem_search('([^\x00]+)', ftype='groups', optimizations='i'):
+        for _, (cstring,) in mw.mem_search('([^\x00]+)', ftype='groups', optimizations=omit):
             if printable.match(cstring):
                 if not cstring in duplicates:
                     duplicates.add(cstring)
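Review bot: The hoisted `printable` pattern is anchored `^...$` over the whole NUL-delimited run that `mem_search('([^\x00]+)')` yields, so a printable run longer than `max_length` is dropped outright rather than truncated to `max_length`; that is a defensible choice, but it is not what the `--max-length` help suggests and deserves a comment on the compile line: `# anchored on both ends: a run longer than max_length is discarded, not truncated`. Because the bounds become a regex quantifier, an early `if min_length < 1 or max_length < min_length: raise ValueError('min_length must be >= 1 and <= max_length')` above the compile would turn the current `re.error` or silent no-match into a clear failure. `find_strings` starts and ends outside this hunk.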
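Review bot: `omit` is passed straight through as `optimizations=omit` with no check that it contains only the flags the module's help documents (i, s, x, r); how memorpy treats other letters is not visible here, so a mistyped value may silently scan more ranges than intended or fail deep inside memorpy. A one-line guard at the top of `find_strings`, `if set(omit) - set('isxr'): raise ValueError('omit: unknown flag(s) in %r' % omit)`, reports the problem at the boundary where it is still readable. The loop body continues beyond the end of the hunk.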