More Related Content Similar to POC Fuzzy Hashing Similar to POC Fuzzy Hashing (20) More from Vincent Ohprecio More from Vincent Ohprecio (7) 1. 3/6/13 IPython Notebook
Demo POC for scraping memory dumps of IP Addresses
How to extract data out of a Memory Dump
I [] ipr tm
n 7: mot ie
ipr src
mot tut
ipr hslb
mot ahi
""
"
Dm PCfrsrpn mmr dmso I Adess
eo O o caig eoy up f P drse
""
"
flnm ="ro/eko/e/emm
ieae /otDstpmmdve"
.
.
Open a file in a variable memory_dump
I [] mmr_up=oe(ieae "b)
n 3: eoydm pnflnm, r"
I [] mmr_up
n 4: eoydm
Ot4: <pnfl 'ro/eko/e/emm,md 'b a 0a4d8
u[] oe ie /otDstpmmdve' oe r' t x368>
.
.
.
.
127.0.0.1:8888/9eff193a-7992-4664-a42e-449b27966323/print 1/7
2. 3/6/13 IPython Notebook
Here I build a byte reader data structure to buffer reads 18 bytes at a time
I [] dfbt_edrmmr_up nme_ye)
n 5: e yerae(eoydm, ubrbts:
''
'
Ra tebts
ed h ye
''
'
bt =mmr_upra(ubrbts
ye eoydm.ednme_ye)
rtr bt
eun ye
I [] bt_edrmmr_up 1)
n 7: yerae(eoydm, 8
Ot7: 'x0x8nca0e*+x0x1x1xcx0x1
u[] cadx0x8x1##000000'
.
.
.
This function reads and byte and creates and MD5
I [] dfhsigbt_edrmmr_up nme_ye)
n 8: e ahn_yerae(eoydm, ubrbts:
''
'
Ra tebtsadrtr M5
ed h ye n eun D
''
'
bt =mmr_upra(ubrbts
ye eoydm.ednme_ye)
m=hslbm5)
ahi.d(
mudt(ye
.paebt)
hs_ye=mhxiet)
ahbt .edgs(
rtr bt,hs_ye
eun ye ahbt
.
.
.
127.0.0.1:8888/9eff193a-7992-4664-a42e-449b27966323/print 2/7
3. 3/6/13 IPython Notebook
POC rolling 18 byte block fuzzy hashing tool implemented in python
I [0: f =oe(ieae "b)
n 1] d pnflnm, r"
i0
=
freeeti rne(,6:
o lmn n ag 05)
bfe =hsigbt_edrf,1)
ufr ahn_yerae(d 8
pitbfe
rn ufr
(cadx0x8x1##000000' 'd36c13e11213cb59)
'x0x8nca0e*+x0x1x1xcx0x1, fd79a1e8508338c4'
(cafxfx8x1##000000' '0639ffacedb64a62)
'x0x8nca0g,-x0x1x1xcx0x1, 7b4c0c82486fd694'
(cahx0x8x1##000000' '793c4b13e228fa20)
'x0x8nca0i+*x0x1x1xcx0x3, e34565a6bb7e255b'
(capx0x8x1##000000' 'cd1f770fb3b86f3d)
'x0x8nca0q.+x0x1x1xcx0x4, 614a22ee763d4923'
(caJx0x8x1##000000' '1fbf16bb1da067b8)
'x0x8nca0K/*x0x1x1xcx0x5, 785b6d4c6daa0512'
(catx0x8x1$$000000' '0faeed1a922d538b)
'x0x8nca0u*+x0x1x1xcx0x6, 176c844834f1586c'
(caLx0x8x1$#000000' '2600a0d4ab2ead45)
'x0x8nca0N,*x0x1x1xcx0x7, 9f81a81d36c770db'
(caOx0x8nx1x0x8x1xb.000' '6d8c72731e862543)
'x0x8nca0ca00##x1x0x1, ac858ab9129f1885'
(0000ca0ca00$$00' 'c4483b38e787c4a4)
'x1xcx0x8x0x8nxcx0x8x1xb*+x0x1, 37afcd99bf081570'
(0000ca00ca0ca00#x2,
'x1xcx0x8x0x8x1xbx0x8nxex0x8x1xc0'
'a70c2caea81a417b)
c2c93886dcddbd8d'
(10000c0cccccccccc'
'x2x3x0x1x1x0x0tx0x0x0x0x0x0x0x0x0x0,
'fb4e3ae67b16a75c)
5de06b9a8496bda7'
(ccccccccc00aaaaaa'
'x0x0x0x0x0x0x0x0xcxcx0x0x0x0x0x0xan,
'ff5741c3e907f412)
4c8ebe296b3c9055'
(eeee' '29e4c3747e5e38a8)
'nnnnnnnxfxaxaxannnnnnn, 1dda71491fd9d34c'
(00000000000000000'
'nxbxbxbxbxbxbxbxbxbxbxbxbxbxbxbxbxb,
'344aa4527f82c05b)
cea8675ccbdb975d'
(cccccccccfffffffff'
'x0x0x0x0x0x0x0x0xexexfxfxfxfxfxfxfxf,
'285f36ad9ccd6856)
2f47f13e4fcf6e12'
(ffffffffffffffffff'
'xfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxf,
'cdbfcf73c4d7b3db)
e49c6f5d9f3e49db'
(ffffffffffffffffff'
'xfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxf,
'cdbfcf73c4d7b3db)
e49c6f5d9f3e49db'
(ffffffffffffffffff'
'xfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxf,
'cdbfcf73c4d7b3db)
e49c6f5d9f3e49db'
(ffffffffffffffffff'
'xfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfx0xe,
'778827377a095798)
eea0f816b762ddcf'
(ffffffffffffffffff'
'xexexexexexexexexexexexexexexexexexe,
'a604aa0424c13a13)
186352da94a2a3fe'
(ffffffffffffffffff'
'xexexexexexexexexexexexexexexexexexe,
'a604aa0424c13a13)
186352da94a2a3fe'
(ffffffffffffffffff'
'xfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxf,
'cdbfcf73c4d7b3db)
e49c6f5d9f3e49db'
(ffffffffffffffffff'
'xfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxf,
'cdbfcf73c4d7b3db)
e49c6f5d9f3e49db'
(fffffffffffffefefe'
'xfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxf,
'641b5299d61fd819)
8a7fa649e1561163'
(ffffffffffffffffff'
'xfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxf,
'cdbfcf73c4d7b3db)
e49c6f5d9f3e49db'
(ffffffffffffffffff'
'xfxfxfxfxfxfxfxfxfxexfxfxfxfxfxfxfxf,
'38e74902000f89a0)
9cfbd70402926dae'
(ffffffffffffcccccc'
'xfxfxfxfxfxfxfxfxfxfxfx0x0x0x0x0x0x0,
'6f458fd099c69cd4)
a5343b1275b9e0cf'
(ccccccccccc000'
'x0x0x0x0x0x0x0x0x0x0xcxcxcxcnnnn,
'04aa064bf5f99169)
b46efaca3ed1b993'
(' 'b67107f535835d3f)
'nnnnnnnnnnnnnnnnnn, 1b0184acc8b28d91'
(' 'b67107f535835d3f)
'nnnnnnnnnnnnnnnnnn, 1b0184acc8b28d91'
(aaaaaaaaaafffff'
'nnnx0x0x0x0x0x0x0x0x0x0xexexexexe,
'23cf4af308883dc0)
a5b3cab9165f7938'
(ffffffffeeeeebbbbb'
'xexexexexexexexfxfxfxfxfx0x0x0x0x0x0,
'45648183117d05b4)
5fedcf5511c0648c'
(bbbbbbbbbbbbbbbbbb'
'x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0x0,
'608cc186bed65a3a)
3ebdc39932ad0357'
(bbbbbbbbbbbbbeeeee'
'x0x0x0x0x0x0x0x0x0x0x0x0x0xexexexexe,
127.0.0.1:8888/9eff193a-7992-4664-a42e-449b27966323/print 3/7
4. 3/6/13 IPython Notebook
'26eceb5fba16cc3b)
ac8de2aa9e62b635'
(eeeeeeeeeeeeeeeeee'
'xexexexexexexexexexexexexexexfxfxfxf,
'2e43457c6da5f5cf)
b5546af8baa51df2'
(eeeeeeeeeeeeeeeeee'
'xfxfxfxfxexexexexexexexexexexexexexe,
'4397099b03457506)
4e46820c152325f9'
(eeeeeeeecccccccc00'
'xexexexexexexexex0x0xex0x0x0x0xcxcxc,
'0eed77ba05be8559)
de5e32f64082cec2'
(000ccccccc0aaaaa'
'xcxcxcx0x0x0x0x0x0xcx0x0x0x0x0xann,
'6366bd4a7a990c57)
4a1e20387d64dee2'
(0effffffffff'
'nnnnnnxfx0xexexexexexexexexexe,
'50822940e6f853c6)
0273ad09bf60944c'
(ffffffffffffffc0ff'
'xexexexexexexexexexexexexexex0x8xexe,
'660c649d2e309a7c)
7257c4f032c365fa'
(ffeeeeeeeeefffffff'
'xexexfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxf,
'18dc66292c32e2fd)
bb7669973c58593e'
(ffffffffffffffffff'
'xfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxf,
'cdbfcf73c4d7b3db)
e49c6f5d9f3e49db'
(ffffffffffffffffff'
'xfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxf,
'cdbfcf73c4d7b3db)
e49c6f5d9f3e49db'
(ffffffffffffffffff'
'xfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxfxf,
'cdbfcf73c4d7b3db)
e49c6f5d9f3e49db'
(ffffffff' '0cf796a9a6863247)
'xfxfxfxfxfxfxfxannnnnnnnnn, 3ebc6b1ec6b14119'
(' 'b67107f535835d3f)
'nnnnnnnnnnnnnnnnnn, 1b0184acc8b28d91'
(afffffffff' '15b73a1d2516319c)
'nnnnnnnx0nxexexexexexexexexe, bc8158c169bb1f18'
(ffffffffffffffeeee'
'xexexexexexexexexexexexex0x0xexexexe,
'bee1ac49d75aa56f)
1c2cd1abc5361e18'
(eeeeeeeeeeeeeeeeee'
'xexexexexexexexexexexexexexexexexexe,
'1da91ccb734047a2)
71ed7be1d2882aac'
(eeeeeeeeeeeeeeeeee'
'xexexexexexexexexexexexexexexexexexe,
'1da91ccb734047a2)
71ed7be1d2882aac'
(eeeeeeeeeeeeeeeeee'
'xexexexexexexexexexexexexexexexexexe,
'1da91ccb734047a2)
71ed7be1d2882aac'
(eeeeeeeffeffffffff'
'xexexexexexfxexexfxfxexexexexexexexe,
'f41b6ab4285e86a7)
f1b774ceefeaacfa'
(ffffffffffffffffff'
'xexexexexexexexexexexexexexexexexexe,
'a604aa0424c13a13)
186352da94a2a3fe'
(ffffffffeeeeefffff'
'xexexexexexexexfxfxfxfxfxexexexexexe,
'0220ff3000ed8cd3)
acfa5c37c4dd254f'
(ffffff00000.xcx0x1tx0x9,
'xexexexexexex0x1x1xcx00000a'
'17bf376b268b01e1)
a87e5b83338d5921'
(ca0dx0xbx200##0000' '6d74ce449645d1ca)
'x0xbx1ca0fx0x1%$x1xcx0x1, f9da040c42d7335d'
.
.
.
Demo to parse the mem file with 10 of 56 records each of length 18
I [] f =oe(ieae "b)
n 6: d pnflnm, r"
I [] i=0
n 7:
127.0.0.1:8888/9eff193a-7992-4664-a42e-449b27966323/print 4/7
5. 3/6/13 IPython Notebook
I [] ''
n 8: '
Dm t pretemmfl wt 1 o 5 rcrsec o lnt 1
eo o as h e ie ih 0 f 6 eod ah f egh 8
''
'
freeeti rne(,0:
o lmn n ag 01)
bfe =bt_edrf,1)
ufr yerae(d 8
pit10""
rn 0**
piti
rn
sucAdes=src.nakfo(B,bfe,)
oredrs tutupc_rm'' ufr0,
src.nakfo(B,bfe,)
tutupc_rm'' ufr1,
src.nakfo(B,bfe,)
tutupc_rm'' ufr2,
src.nakfo(B,bfe,)
tutupc_rm'' ufr3
pit"edn Suc I Ades
rn Raig ore P drs"
tm.le(.)
iesep05
dsiaindrs =src.nakfo(B,bfe,)
etntoAdes tutupc_rm'' ufr4,
src.nakfo(B,bfe,)
tutupc_rm'' ufr5,
src.nakfo(B,bfe,)
tutupc_rm'' ufr6,
src.nakfo(B,bfe,)
tutupc_rm'' ufr7
pit"edn DsiainI Ades
rn Raig etnto P drs"
tm.le(.)
iesep05
sucPr =src.nakfo(H,ufr8
oreot tutupc_rm''bfe,)
dsiainot=src.nakfo(H,ufr1)
etntoPr tutupc_rm''bfe,0
poooUe =src.nakfo(H,ufr1)
rtclsd tutupc_rm''bfe,2
tmSap=src.nakfo(B,bfe,4,
ietm tutupc_rm'' ufr1)
src.nakfo(B,bfe,5,
tutupc_rm'' ufr1)
src.nakfo(B,bfe,6,
tutupc_rm'' ufr1)
src.nakfo(B,bfe,7
tutupc_rm'' ufr1)
abcd=sucAdes
,,, oredrs
efgh=dsiaindrs
,,, etntoAdes
j=sucPr
oreot
k=dsiainot
etntoPr
pit"oredrs =" ""ji(sra0)srb0)src0)srd0))
rn sucAdes , ..on[t([],t([],t([],t([]]
pit"etntoAdes=" ""ji(sre0)srf0)srg0)srh0))
rn dsiaindrs , ..on[t([],t([],t([],t([]]
pit"oreot=" j0
rn sucPr , []
pit"etntoPr =" k0
rn dsiainot , []
pit"rtclsd=" poooUe
rn poooUe , rtclsd
pit"ietm =" tmSap
rn tmSap , ietm
tm.le()
iesep2
ii1
=+
**************************************************
**************************************************
0
sucAdes= 12181.0
oredrs 9.6.010
dsiaindrs = 1218111
etntoAdes 9.6..0
sucPr = 177
oreot 08
dsiainot= 103
etntoPr 14
poooUe = (5,
rtclsd 26)
tmSap= (1) (2) (,,(,)
ietm (,, 1,, 0) 1)
**************************************************
**************************************************
1
sucAdes= 12181.0
oredrs 9.6.012
dsiaindrs = 2718113
etntoAdes 0.6..0
sucPr = 129
oreot 19
dsiainot= 155
etntoPr 15
127.0.0.1:8888/9eff193a-7992-4664-a42e-449b27966323/print 5/7
6. 3/6/13 IPython Notebook
poooUe = (5,
rtclsd 26)
tmSap= (1) (2) (,,(,)
ietm (,, 1,, 0) 1)
**************************************************
**************************************************
2
sucAdes= 12181.0
oredrs 9.6.014
dsiaindrs = 1218115
etntoAdes 9.6..0
sucPr = 103
oreot 14
dsiainot= 177
etntoPr 08
poooUe = (5,
rtclsd 26)
tmSap= (1) (2) (,,(,)
ietm (,, 1,, 0) 3)
**************************************************
**************************************************
3
sucAdes= 12181.1
oredrs 9.6.012
dsiaindrs = 1218113
etntoAdes 9.6..1
sucPr = 181
oreot 11
dsiainot= 103
etntoPr 14
poooUe = (5,
rtclsd 26)
tmSap= (1) (2) (,,(,)
ietm (,, 1,, 0) 4)
**************************************************
**************************************************
4
sucAdes= 12181.4
oredrs 9.6.07
dsiaindrs = 121817
etntoAdes 9.6..5
sucPr = 107
oreot 26
dsiainot= 177
etntoPr 08
poooUe = (5,
rtclsd 26)
tmSap= (1) (2) (,,(,)
ietm (,, 1,, 0) 5)
**************************************************
**************************************************
5
sucAdes= 12181.1
oredrs 9.6.016
dsiaindrs = 1218117
etntoAdes 9.6..1
sucPr = 178
oreot 08
dsiainot= 104
etntoPr 14
poooUe = (5,
rtclsd 26)
tmSap= (1) (2) (,,(,)
ietm (,, 1,, 0) 6)
**************************************************
**************************************************
6
sucAdes= 12181.6
oredrs 9.6.07
dsiaindrs = 121817
etntoAdes 9.6..8
sucPr = 130
oreot 10
dsiainot= 177
etntoPr 08
poooUe = (5,
rtclsd 26)
tmSap= (1) (2) (,,(,)
ietm (,, 1,, 0) 7)
**************************************************
**************************************************
7
sucAdes= 12181.9
oredrs 9.6.07
dsiaindrs = 12181.
etntoAdes 9.6.01
sucPr = 420
oreot 30
dsiainot= 21
etntoPr 87
poooUe = (11,
rtclsd 181)
tmSap= (3,,(,,(,,(,)
ietm (5) 1) 0) 1)
**************************************************
**************************************************
8
sucAdes= 11..
oredrs .208
dsiaindrs = 12181.2
etntoAdes 9.6.01
sucPr = 420
oreot 30
dsiainot= 21
etntoPr 87
poooUe = (08,
rtclsd 178)
tmSap= (3,,(3) (,,(,)
ietm (6) 4,, 0) 1)
**************************************************
**************************************************
127.0.0.1:8888/9eff193a-7992-4664-a42e-449b27966323/print 6/7
7. 3/6/13 IPython Notebook
9
sucAdes= 11..
oredrs .208
dsiaindrs = 121811
etntoAdes 9.6..1
sucPr = 420
oreot 30
dsiainot= 39
etntoPr 54
poooUe = (30,
rtclsd 420)
tmSap= (1) (2) (5) (,)
ietm (,, 1,, 3,, 2)
127.0.0.1:8888/9eff193a-7992-4664-a42e-449b27966323/print 7/7
![3/6/13 IPython Notebook
Demo POC for scraping memory dumps of IP Addresses
How to extract data out of a Memory Dump
I [] ipr tm
n 7: mot ie
ipr src
mot tut
ipr hslb
mot ahi
""
"
Dm PCfrsrpn mmr dmso I Adess
eo O o caig eoy up f P drse
""
"
flnm ="ro/eko/e/emm
ieae /otDstpmmdve"
.
.
Open a file in a variable memory_dump
I [] mmr_up=oe(ieae "b)
n 3: eoydm pnflnm, r"
I [] mmr_up
n 4: eoydm
Ot4: <pnfl 'ro/eko/e/emm,md 'b a 0a4d8
u[] oe ie /otDstpmmdve' oe r' t x368>
.
.
.
.
127.0.0.1:8888/9eff193a-7992-4664-a42e-449b27966323/print 1/7](https://image.slidesharecdn.com/ipythonnotebookpocmemoryforensics-130306115408-phpapp01/85/ipython-notebook-poc-memory-forensics-1-320.jpg)
![3/6/13 IPython Notebook
Here I build a byte reader data structure to buffer reads 18 bytes at a time
I [] dfbt_edrmmr_up nme_ye)
n 5: e yerae(eoydm, ubrbts:
''
'
Ra tebts
ed h ye
''
'
bt =mmr_upra(ubrbts
ye eoydm.ednme_ye)
rtr bt
eun ye
I [] bt_edrmmr_up 1)
n 7: yerae(eoydm, 8
Ot7: 'x0x8nca0e*+x0x1x1xcx0x1
u[] cadx0x8x1##000000'
.
.
.
This function reads and byte and creates and MD5
I [] dfhsigbt_edrmmr_up nme_ye)
n 8: e ahn_yerae(eoydm, ubrbts:
''
'
Ra tebtsadrtr M5
ed h ye n eun D
''
'
bt =mmr_upra(ubrbts
ye eoydm.ednme_ye)
m=hslbm5)
ahi.d(
mudt(ye
.paebt)
hs_ye=mhxiet)
ahbt .edgs(
rtr bt,hs_ye
eun ye ahbt
.
.
.
127.0.0.1:8888/9eff193a-7992-4664-a42e-449b27966323/print 2/7](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)