import time
import struct
import hashlib
"""
Demo POC for scraping memory dumps of IP Addresses
"""
# Raw memory image this demo walks; adjust the path for your own capture.
filename = "/root/Desktop/mem/devmem"
# Binary mode so every read() hands back raw bytes, never decoded text.
memory_dump = open(filename, mode="rb")
# Bare expression: in the interactive session this just echoes the file object.
memory_dump
<open file '/root/Desktop/mem/devmem', mode 'rb' at 0xa346d88>
def byte_reader(memory_dump, number_bytes):
    '''
    Return the next ``number_bytes`` bytes from an open binary file.

    ``memory_dump`` is any object with a ``read(n)`` method (here a file
    opened with mode "rb"). The read is passed straight through, so at
    end-of-file the result is shorter than requested, possibly empty;
    callers that unpack fixed-size records must check the length.
    '''
    return memory_dump.read(number_bytes)
# Interactive check: pull one 18-byte record from the handle opened above
# (the REPL echoes the returned bytes).
byte_reader(memory_dump, number_bytes=18)
'\xc0\xa8\nd\xc0\xa8\x01e#*#+\x00\x01\x01\x0c\x00\x01'
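def hashing_byte_reader(memory_dump, number_bytes, algorithm="md5"):
    '''
    Read the next ``number_bytes`` bytes and return them with their digest.

    Args:
        memory_dump: open binary file (or any object with ``read(n)``).
        number_bytes: how many bytes to read; fewer come back at end-of-file.
        algorithm: any digest name accepted by ``hashlib.new``; defaults to
            "md5" so existing callers see unchanged digests.

    Returns:
        ``(byte, hash_byte)`` -- the raw bytes actually read and their hex
        digest. Identical records yield identical digests, which is what
        makes the digest usable as a de-duplication key when scanning a dump.

    Raises:
        ValueError: if ``algorithm`` is not known to hashlib.

    Note: MD5 is adequate as a fingerprint for spotting repeated records but
    is not collision resistant; pass algorithm="sha256" when the digest must
    serve as evidence that a record was not altered.
    '''
    byte = memory_dump.read(number_bytes)
    # hashlib.new takes the digest name at runtime, so the algorithm can be
    # swapped without touching the read logic.
    hash_byte = hashlib.new(algorithm, byte).hexdigest()
    return byte, hash_byte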
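# Pass 1: walk the first 56 records of 18 bytes each and print every record
# next to its digest. Records with identical bytes share a digest, so the
# listing doubles as a quick detector of padding / repeated filler regions.
i = 0
# The context manager closes the handle when the loop finishes; the original
# left it open.
with open(filename, "rb") as fd:
    for element in range(0, 56):
        record = hashing_byte_reader(fd, 18)
        # Past end-of-file read() returns fewer than 18 bytes; stop rather
        # than print digests of truncated or empty records.
        if len(record[0]) < 18:
            print("short read after %d full records; stopping" % element)
            break
        print(record)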
('\xc0\xa8\nd\xc0\xa8\x01e#*#+\x00\x01\x01\x0c\x00\x01', 'fdd3769ca113ee81510281333c8bc549') ('\xc0\xa8\nf\xcf\xa8\x01g#,#-\x00\x01\x01\x0c\x00\x01', '70b643c90fcf8a2c4e8d6bf6d46a9642') ('\xc0\xa8\nh\xc0\xa8\x01i#+#*\x00\x01\x01\x0c\x00\x03', 'e739435c645ba163beb272e82f5a52b0') ('\xc0\xa8\np\xc0\xa8\x01q#.#+\x00\x01\x01\x0c\x00\x04', '6c1d41af2727e0ef7b633bd8469f233d') ('\xc0\xa8\nJ\xc0\xa8\x01K#/#*\x00\x01\x01\x0c\x00\x05', '718f5bbf61d64bcb61ddaaa006571b28') ('\xc0\xa8\nt\xc0\xa8\x01u$*$+\x00\x01\x01\x0c\x00\x06', '107f6ace8e4d418a3942f21d558368cb') ('\xc0\xa8\nL\xc0\xa8\x01N$,#*\x00\x01\x01\x0c\x00\x07', '92f68010aa801dd43a6bc27e7a0dd4b5') ('\xc0\xa8\nO\xc0\xa8\n\x01\xc0\xa8\x01\x0b#.#\x01\x00\x01', 'a6cd885c87a2b793112e98f612858453') ('\x01\x0c\x00\x08\xc0\xa8\n\x0c\xc0\xa8\x01\x0b$*$+\x00\x01', '3c74a4f8c3db9398bef708871c547a04') ('\x01\x0c\x00\x08\xc0\xa8\x01\x0b\xc0\xa8\n\x0e\xc0\xa8\x01\x0c#\x02', 'ca27c09c328c8a6edac8d1dab4d187db') ('\x12\x03\x00\x01\x01\xc0\x00\t\xc0\xc0\xc0\xc0\xc0\xc0\xc0\xc0\xc0\xc0', '5fdbe40e63ba9ea6874b9166bad7a57c') ('\xc0\xc0\xc0\xc0\xc0\xc0\xc0\xc0\xcc\x0c\x00\xa0\xa0\xa0\xa0\xa0\xaa\n', '4fcf85e7b4e12c936eb930c79f045152') ('\n\n\n\n\n\n\n\xef\xea\xea\xea\n\n\n\n\n\n\n', '12d9dea47c13479417fed59ed3384ac8') ('\n\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b', 'c3e4a48a6a7455c2c7bfd8b29c7055db') ('\xc0\xc0\xc0\xc0\xc0\xc0\xc0\xc0\xce\xfe\xff\xff\xff\xff\xff\xff\xff\xff', '22f8457ff3163aed49fcccfd66e81526') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff', 'ec4d9bcf6cff57d39cf43de74b93ddbb') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff', 'ec4d9bcf6cff57d39cf43de74b93ddbb') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff', 'ec4d9bcf6cff57d39cf43de74b93ddbb') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf0\xfe', 'e7e7a808f2871367b77a6029d5d7c9f8') 
('\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe', '1a8660345a2ad0a49244ac21a33af1e3') ('\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe', '1a8660345a2ad0a49244ac21a33af1e3') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff', 'ec4d9bcf6cff57d39cf43de74b93ddbb') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff', 'ec4d9bcf6cff57d39cf43de74b93ddbb') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xef\xff\xef\xff\xef', '86a471fba5624999ed16516f1d186139') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff', 'ec4d9bcf6cff57d39cf43de74b93ddbb') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xfe\xff\xff\xff\xff\xff\xff\xff\xff', '93c8feb7d47900420020902f68d9aae0') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xf0\xc0\xc0\xc0\xc0\xc0\xc0', 'a65f344538bf1d207959bc96e90ccdf4') ('\xc0\xc0\xc0\xc0\xc0\xc0\xc0\xc0\xc0\xc0\xcc\x0c\x0c\x0c\n\n\n\n', 'b0446aeaf0a6c4ab3fe5df19b9919639') ('\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n', '1bb607118047afc5c385b82385dd931f') ('\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n', '1bb607118047afc5c385b82385dd931f') ('\n\n\n\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xa0\xfe\xfe\xfe\xfe\xfe', 'a253bc3fc4aabf93106858f8739d3c80') ('\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xff\xef\xef\xef\xef\xe0\xb0\xb0\xb0\xb0\xb0', '54f5e6d4c8f158531111c70d60458bc4') ('\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0', '36e0b8dccc3198963b2eadd6053a537a') ('\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xb0\xee\xee\xee\xee\xee', 'a2c68edcee2ba5af9bea6126bc6c335b') ('\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xef\xef\xef\xef', 'b25e544364a5f78cb6adaa551fd5fc2f') ('\xef\xef\xef\xef\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee', '44e34967802909cb105324352755f096') ('\xee\xee\xee\xee\xee\xee\xee\xee\xc0\xc0\xce\xc0\xc0\xc0\xc0\xcc\x0c\x0c', 'd0ee5eed3727fb6a40058b2ec8e5c529') 
('\x0c\x0c\x0c\xc0\xc0\xc0\xc0\xc0\xc0\xcc\x00\xa0\xa0\xa0\xa0\xaa\n\n', '46a316e62b0d348a77da6949d0ece527') ('\n\n\n\n\n\n\x0f\xe0\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe', '05207832a2d90490bef66f0895434cc6') ('\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xc0\x08\xfe\xfe', '7626507cc644f90d322ec330695af7ac') ('\xfe\xfe\xef\xef\xef\xef\xef\xef\xef\xef\xef\xff\xff\xff\xff\xff\xff\xff', 'b1b87d6c6696927932cc53825e923fed') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff', 'ec4d9bcf6cff57d39cf43de74b93ddbb') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff', 'ec4d9bcf6cff57d39cf43de74b93ddbb') ('\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff', 'ec4d9bcf6cff57d39cf43de74b93ddbb') ('\xff\xff\xff\xff\xff\xff\xff\xfa\n\n\n\n\n\n\n\n\n\n', '30ecbfc769b61ae9ca66b81643121497') ('\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n', '1bb607118047afc5c385b82385dd931f') ('\n\n\n\n\n\n\n\xa0\n\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe', 'b1c58b17538ac11d6295b1b613f1198c') ('\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xf0\xf0\xee\xee\xee\xee', '1bce2ec1da1ca4b9cd57356a1ae5168f') ('\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee', '711dead971bcec1bd723848024a7aac2') ('\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee', '711dead971bcec1bd723848024a7aac2') ('\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee\xee', '711dead971bcec1bd723848024a7aac2') ('\xee\xee\xee\xee\xee\xef\xee\xfe\xff\xef\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe', 'ff14b17b764acbe4e2f8e5aea8c6faa7') ('\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe', '1a8660345a2ad0a49244ac21a33af1e3') ('\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xff\xef\xef\xef\xef\xee\xfe\xfe\xfe\xfe\xfe', 'a0c2f2a05fcf3370c040dedd285c4df3') ('\xfe\xfe\xfe\xfe\xfe\xfe\x00\x01\x01\x0c\x00.\x0c\x00\x01\t\x00\xa9', 'a1877bef53b7863b323688db50912e11') ('\xc0\xab\x01d\xc0\xab\x02f\x00\x01#%#$\x01\x0c\x00\x01', 
'f69dd7a40c4e04c44926d4753d315cda')
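# Pass 2: decode the first 10 of the 56 18-byte records as connection entries.
#
# Record layout as this demo reads it (backed only by the sample output, not
# by any format specification -- confirm against the real record format):
#   0- 3  source IPv4 address, one byte per octet
#   4- 7  destination IPv4 address
#   8- 9  source port
#  10-11  destination port
#  12-13  "protocol" field
#  14-17  timestamp, printed as four raw bytes
# The 16-bit fields are read little-endian ('<') so the parse no longer
# depends on the host's byte order; the original used native order, and the
# sample output (bytes 23 2A -> 10787) is what little-endian produces.
# Network captures are usually big-endian ('!'), so check before trusting
# the port values on a real dump.
_RECORD_FORMAT = struct.Struct("<4B4BHHH4B")


def _parse_record(record):
    '''
    Decode one 18-byte record into a dict of plain Python values.

    Returns a dict with keys sourceAddress, destinationAddress (dotted
    strings), sourcePort, destinationPort, protocolUsed (ints) and
    timeStamp (tuple of four ints). Raises struct.error if ``record`` is
    shorter than 18 bytes.
    '''
    fields = _RECORD_FORMAT.unpack_from(record, 0)
    return {
        "sourceAddress": ".".join(str(octet) for octet in fields[0:4]),
        "destinationAddress": ".".join(str(octet) for octet in fields[4:8]),
        "sourcePort": fields[8],
        "destinationPort": fields[9],
        "protocolUsed": fields[10],
        "timeStamp": fields[11:15],
    }


i = 0
with open(filename, "rb") as fd:
    for element in range(0, 10):
        record = byte_reader(fd, 18)
        if len(record) < 18:
            # End of dump or a truncated file: a short buffer would make
            # unpack_from raise struct.error, so stop cleanly instead.
            print("short read after %d records; stopping" % i)
            break
        print(100 * "*")
        print(i)
        parsed = _parse_record(record)
        # The sleeps only pace the demo output; they do no work.
        print("Reading Source IP Address")
        time.sleep(0.5)
        print("Reading Destination IP Address")
        time.sleep(0.5)
        print("sourceAddress = %s" % parsed["sourceAddress"])
        print("destinationAddress = %s" % parsed["destinationAddress"])
        print("sourcePort = %d" % parsed["sourcePort"])
        print("destinationPort = %d" % parsed["destinationPort"])
        # Scalars now, instead of the one-element tuples unpack_from returns.
        print("protocolUsed = %d" % parsed["protocolUsed"])
        print("timeStamp = %s" % (parsed["timeStamp"],))
        time.sleep(2)
        i = i + 1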
**************************************************************************************************** 0 sourceAddress = 192.168.10.100 destinationAddress = 192.168.1.101 sourcePort = 10787 destinationPort = 11043 protocolUsed = (256,) timeStamp = ((1,), (12,), (0,), (1,)) **************************************************************************************************** 1 sourceAddress = 192.168.10.102 destinationAddress = 207.168.1.103 sourcePort = 11299 destinationPort = 11555 protocolUsed = (256,) timeStamp = ((1,), (12,), (0,), (1,)) **************************************************************************************************** 2 sourceAddress = 192.168.10.104 destinationAddress = 192.168.1.105 sourcePort = 11043 destinationPort = 10787 protocolUsed = (256,) timeStamp = ((1,), (12,), (0,), (3,)) **************************************************************************************************** 3 sourceAddress = 192.168.10.112 destinationAddress = 192.168.1.113 sourcePort = 11811 destinationPort = 11043 protocolUsed = (256,) timeStamp = ((1,), (12,), (0,), (4,)) **************************************************************************************************** 4 sourceAddress = 192.168.10.74 destinationAddress = 192.168.1.75 sourcePort = 12067 destinationPort = 10787 protocolUsed = (256,) timeStamp = ((1,), (12,), (0,), (5,)) **************************************************************************************************** 5 sourceAddress = 192.168.10.116 destinationAddress = 192.168.1.117 sourcePort = 10788 destinationPort = 11044 protocolUsed = (256,) timeStamp = ((1,), (12,), (0,), (6,)) **************************************************************************************************** 6 sourceAddress = 192.168.10.76 destinationAddress = 192.168.1.78 sourcePort = 11300 destinationPort = 10787 protocolUsed = (256,) timeStamp = ((1,), (12,), (0,), (7,)) 
**************************************************************************************************** 7 sourceAddress = 192.168.10.79 destinationAddress = 192.168.10.1 sourcePort = 43200 destinationPort = 2817 protocolUsed = (11811,) timeStamp = ((35,), (1,), (0,), (1,)) **************************************************************************************************** 8 sourceAddress = 1.12.0.8 destinationAddress = 192.168.10.12 sourcePort = 43200 destinationPort = 2817 protocolUsed = (10788,) timeStamp = ((36,), (43,), (0,), (1,)) **************************************************************************************************** 9 sourceAddress = 1.12.0.8 destinationAddress = 192.168.1.11 sourcePort = 43200 destinationPort = 3594 protocolUsed = (43200,) timeStamp = ((1,), (12,), (35,), (2,))