本文整理汇总了Python中volatility.debug.debug函数的典型用法代码示例。如果您正苦于以下问题:Python debug函数的具体用法?Python debug怎么用?Python debug使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了debug函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: generate_suggestions
def generate_suggestions(self):
"""Generates a single response of True or False depending on whether the space is a valid Windows AS"""
# This constraint looks for self referential values within
# the paging tables
try:
if self.obj_vm.pae:
pde_base = 0xC0600000
pd = self.obj_vm.get_pdpte(0) & 0xFFFFFFFFFF000
else:
pde_base = 0xC0300000
pd = self.obj_vm.dtb
if self.obj_vm.vtop(pde_base) == pd:
yield True
raise StopIteration
except addrspace.ASAssertionError as _e:
pass
debug.debug("Failed to pass the Moyix Valid IA32 AS test", 3)
# This constraint verifies that _KUSER_ SHARED_DATA is shared
# between user and kernel address spaces.
if (self.obj_vm.vtop(0xFFDF0000)) == (self.obj_vm.vtop(0x7FFE0000)):
if self.obj_vm.vtop(0xFFDF0000) != None:
yield True
raise StopIteration
debug.debug("Failed to pass the labarum_x Valid IA32 AS test", 3)
yield False
示例2: get_autoruns
def get_autoruns(self):
debug.debug('Started get_autoruns()')
results = []
hive_key_list = []
try:
# Gather all software run keys
self.regapi.reset_current()
for run_key in SOFTWARE_RUN_KEYS:
hive_key_list += [k for k in self.regapi.reg_yield_key(hive_name='software', key=run_key)]
# Gather all ntuser run keys
self.regapi.reset_current()
for run_key in NTUSER_RUN_KEYS:
hive_key_list += [k for k in self.regapi.reg_yield_key(hive_name='ntuser.dat', key=run_key)]
# hive_key = (key pointer, hive_name)
for hive_key in hive_key_list:
results += self.parse_autoruns_key(hive_key)
except Exception as e:
debug.warning('get_autoruns() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
debug.debug('Finished get_autoruns()')
return results
示例3: load_modifications
def load_modifications(self):
""" Find all subclasses of the modification type and applies them
Each modification object can specify the metadata with which it can work
Allowing the overlay to decide which profile it should act on
"""
# Collect together all the applicable modifications
mods = {}
for i in self._get_subclasses(ProfileModification):
modname = i.__name__
instance = i()
# Leave abstract modifications out of the dependency tree
# Also don't consider the base ProfileModification object
if not modname.startswith("Abstract") and i != ProfileModification:
if modname in mods:
raise RuntimeError("Duplicate profile modification name {0} found".format(modname))
mods[instance.__class__.__name__] = instance
# Run through the modifications in dependency order
self._mods = []
for modname in self._resolve_mod_dependencies(mods.values()):
mod = mods.get(modname, None)
# We check for invalid/mistyped modification names, AbstractModifications should be caught by this too
if not mod:
# Note, this does not allow for optional dependencies
raise RuntimeError("No concrete ProfileModification found for " + modname)
if mod.check(self):
debug.debug("Applying modification from " + mod.__class__.__name__)
self._mods.append(mod.__class__.__name__)
mod.modification(self)
示例4: parse_task_xml
def parse_task_xml(self, xml, f_name):
raw = xml
xml = re.sub('\x00\x00+', '', xml) + '\x00'
if xml:
try:
xml = xml.decode('utf-16')
xml = re.sub(r"<Task(.*?)>", "<Task>", xml)
xml = xml.encode('utf-16')
root = ET.fromstring(xml)
d = {}
for e in root.findall("./RegistrationInfo/Date"):
d['Date'] = e.text or ''
for e in root.findall("./RegistrationInfo/Description"):
d['Description'] = e.text or ''
for e in root.findall("./Actions"):
d['Actions'] = self.visit_all_children(e)
for e in root.findall("./Settings/Enabled"):
d['Enabled'] = e.text or ''
for e in root.findall("./Settings/Hidden"):
d['Hidden'] = e.text or ''
for t in root.findall("./Triggers/*"):
d['Triggers'] = self.visit_all_children(t)
if not d.get("Actions", {}).get('Exec', {}).get("Command", False):
return None
return d
except UnicodeDecodeError as e:
debug.warning('Error while parsing the following task: {}'.format(f_name))
debug.debug('UnicodeDecodeError for: {}'.format(repr(raw)))
示例5: mmap
def mmap(self, address):
size = 32 * 1024
debug.debug("[mmap] - mapping: (%x, %x)" % (address, size))
address_page = address & self.mask
debug.debug("[mmap] - addr_page: %x" % address_page)
self.mu.mem_map(address_page, size)
self.mappings.append((address_page, size))
示例6: calculate
def calculate(self):
address_space = utils.load_as(self._config, astype = 'physical')
if not self.is_valid_profile(address_space.profile):
debug.error("This command does not support the selected profile.")
scanner = PrefetchScanner(config = self._config, needles = ['SCCA'])
scanner_mam = PrefetchScanner(config = self._config, needles = ['MAM\x04'])
pf_headers = []
if(address_space.profile.metadata.get('major') == 6 and address_space.profile.metadata.get('minor') == 4): # Win10
scanner_mam.load_libmscompression()
debug.debug("Scanning for MAM compressed data, this can take a while.............")
if not os.path.isdir(self._config.MAM_DIR):
debug.error(self._config.MAM_DIR + " is not a directory. Please specify a mam dump directory (--mam-dir)")
for offset in scanner_mam.scan(address_space):
pf_header = scanner_mam.carve_mam(address_space, offset, self._config.MAM_DIR)
if pf_header > 0 and scanner_mam.is_valid():
pf_headers.append(pf_header)
debug.debug("Scanning for Prefetch files, this can take a while.............")
for offset in scanner.scan(address_space):
pf_header = scanner.carve(address_space, offset)
if scanner.is_valid():
pf_headers.append(pf_header)
# This list may have duplicate pf_header entries since
# we're not doing unique validation, just scanning.
# Uniquing makes sense for reducing repetetive entries
for unique_pf_entry in scanner.dedup(pf_headers):
yield unique_pf_entry
示例7: load_as
def load_as(config, astype = 'virtual', **kwargs):
"""Loads an address space by stacking valid ASes on top of each other (priority order first)"""
base_as = None
error = exceptions.AddrSpaceError()
# Start off requiring another round
found = True
## A full iteration through all the classes without anyone
## selecting us means we are done:
while found:
debug.debug("Voting round")
found = False
for cls in sorted(registry.get_plugin_classes(addrspace.BaseAddressSpace).values(),
key = lambda x: x.order if hasattr(x, 'order') else 10):
debug.debug("Trying {0} ".format(cls))
try:
base_as = cls(base_as, config, astype = astype, **kwargs)
debug.debug("Succeeded instantiating {0}".format(base_as))
found = True
break
except addrspace.ASAssertionError, e:
debug.debug("Failed instantiating {0}: {1}".format(cls.__name__, e), 2)
error.append_reason(cls.__name__, e)
continue
except Exception, e:
debug.debug("Failed instantiating (exception): {0}".format(e))
error.append_reason(cls.__name__ + " - EXCEPTION", e)
continue
示例8: _init_ksymtab
def _init_ksymtab(self):
phys_as = utils.load_as(self._config, astype='physical')
start_addr, _ = phys_as.get_available_addresses().next()
# First 16 MB of physical memory
self.kernel_image = phys_as.read(start_addr, 0x1000000)
# Init page_offset
if phys_as.profile.metadata.get('memory_model', '32bit') != '32bit':
raise NotImplementedError
self.ksymtab_initialized = True
# Locate the physical offset of the ksymtab_strings section
for match in re.finditer('init_task\0', self.kernel_image):
offset = match.start()
symbol_char = re.compile(r'[0-9a-z_]')
if symbol_char.match(self.kernel_image[offset - 1:offset]):
# 'init_task' is a substring of another symbol like 'xxx_init_task'
continue
# TODO: Choose the right one, not the first.
# Find the beginning of the ksymtab_strings section
char = self.kernel_image[offset]
while offset > 0 and (symbol_char.match(char) or char == '\x00'):
offset -= 1
char = self.kernel_image[offset]
debug.debug("Found the physical offset of the ksymtab_strings "
"section: {0:#010x}".format(offset))
self.ksymtab_strings_offset = offset
return
debug.warning("Can't locate a ksymtab_strings section")
示例9: __init__
def __init__(self, dump, code, stack, gcounter):
self.gcounter = gcounter
code = int(code, 16)
stack = int(stack, 16)
self.fix = 2**64
self.mask = 0xFFFFFFFFFFFFF000
self.mappings = []
self.unicorn_code = code
self.unicorn_stack = stack
# shadow stack for this emulator instance
self.shadow = OrderedDict()
debug.debug("[emulator] - init unicorn...")
# Volatility interaction
self.dump = dump
self.current_ip = code
# TODO: support other archs and modes
self.mu = Uc(UC_ARCH_X86, UC_MODE_64)
#size = 128 * 1024 * 1024
size = 1 * 4096
# unicorn code
self.mu.mem_map(code & self.mask, size)
self.mappings.append((code, size))
#size = 256 * 1024 * 1024
size = 10 * 4096
# unicorn generic stack
self.mu.mem_map(stack & self.mask, size)
self.mappings.append((stack, size))
self.set_hooks()
self.branch_point = []
示例10: hook_mem_access
def hook_mem_access(self, uc, access, address, size, value, user_data):
if access == UC_MEM_WRITE:
debug.debug("[hook_mem_access] - write operation - %x %x %x" % (address, size, value))
self.shadow[hex(address).strip("L")] = hex(value).strip("L")
else:
debug.debug("[hook_mem_access] - read operation - %x %x %x" % (address, size, value))
return True
示例11: emu
def emu(self, size):
ip = int(self.get_ip(), 16)
debug.debug("[emu] - (%x, %x)" % (ip, size))
try:
self.mu.emu_start(ip, ip + size, timeout=10000, count=1)
except UcError as e:
debug.debug("Error %s" % e)
示例12: write_data
def write_data(self, address, content):
address = int(address, 16)
if not self.mapped(address):
self.mmap(address)
debug.debug("[write_data] - at address: %x" % address)
debug.debug(repr(content))
self.mu.mem_write(address, content)
示例13: __init__
def __init__(self, reason = '', strict = False):
if not hasattr(sys, "frozen"):
debug.debug("None object instantiated: " + reason, 2)
self.reason = reason
self.strict = strict
if strict:
self.bt = get_bt_string()
示例14: __init__
def __init__(self, fh):
if not "b" in fh.mode.lower():
raise ValueError("Invalid file handler: file must be opened in binary mode (and not {0})".format(fh.mode))
self.fh = fh
## Must start with one of the magic values
magic = self.reada_long(0)
debug("{0:x}".format(magic))
## Resolve version and magic
if magic == 0xbed2bed0:
self.version = 0
elif magic == 0xbad1bad1:
self.version = 1
elif magic == 0xbed2bed2:
self.version = 2
elif magic == 0xbed3bed3:
self.version = 3
else:
raise ParserException("Header signature invalid", magic)
## determine offset sizes.
# this is used whenever the vmsn specifications use 4\8 byte ints dependant of version, so "offset" is a bit misleading.
self.offset_size = 4 if self.version == 0 else 8
## Read group count
self.group_count = self.reada_long(8)
示例15: render_text
def render_text(self, outfd, data):
"""Render the plugin's default text output"""
debug.debug(self.params)
# Check for data
if data:
task, vad, params = data
# Get a magic object from the buffer
buffer_space = addrspace.BufferAddressSpace(
config = self._config,
data = params['decoded_magic'])
magic_obj = obj.Object(self.magic_struct,
offset = 0, vm = buffer_space)
outfd.write("*" * 50 + "\n")
outfd.write("{0:<30} : {1}\n".format("ZBot", self.zbot + self.zbotversion))
outfd.write("{0:<30} : {1}\n".format("Process", task.ImageFileName))
outfd.write("{0:<30} : {1}\n".format("Pid", task.UniqueProcessId))
outfd.write("{0:<30} : {1}\n".format("Address", vad.Start))
# grab the URLs from the decoded buffer
decoded_config = params['decoded_config']
urls = []
while "http" in decoded_config:
url = decoded_config[decoded_config.find("http"):]
urls.append(url[:url.find('\x00')])
decoded_config = url[url.find('\x00'):]
for i, url in enumerate(urls):
outfd.write("{0:<30} : {1}\n".format("URL {0}".format(i), url))
outfd.write("{0:<30} : {1}\n".format("Identifier",
''.join([chr(c) for c in magic_obj.guid if c != 0])))
outfd.write("{0:<30} : {1}\n".format("Mutant key", magic_obj.guid_xor_key))
outfd.write("{0:<30} : {1}\n".format("XOR key", magic_obj.xorkey))
outfd.write("{0:<30} : {1}\n".format("Registry",
"HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\{0}".format(magic_obj.keyname)))
outfd.write("{0:<30} : {1}\n".format(" Value 1", magic_obj.value1))
outfd.write("{0:<30} : {1}\n".format(" Value 2", magic_obj.value2))
outfd.write("{0:<30} : {1}\n".format(" Value 3", magic_obj.value3))
outfd.write("{0:<30} : {1}\n".format("Executable", magic_obj.exefile))
outfd.write("{0:<30} : {1}\n".format("Data file", magic_obj.datfile))
outfd.write("{0:<30} : \n{1}\n".format("Config RC4 key",
"\n".join(
["{0:#010x} {1:<48} {2}".format(vad.Start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(params['config_key'])
])))
rc4_offset = task.obj_vm.profile.get_obj_offset(self.magic_struct, 'rc4key')
creds_key = params['decoded_magic'][rc4_offset:rc4_offset + RC4_KEYSIZE]
outfd.write("{0:<30} : \n{1}\n".format("Credential RC4 key",
"\n".join(
["{0:#010x} {1:<48} {2}".format(vad.Start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(creds_key)
])))