本文整理汇总了Python中volatility.debug.error函数的典型用法代码示例。如果您正苦于以下问题:Python error函数的具体用法?Python error怎么用?Python error使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了error函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: render_text
def render_text(self, outfd, data):
if (not self._config.DUMP_DIR or
not os.path.isdir(self._config.DUMP_DIR)):
debug.error("Please specify an existing output dir (--dump-dir)")
self.table_header(outfd, [("Task", "10"),
("VM Start", "[addrpad]"),
("VM End", "[addrpad]"),
("Length", "[addr]"),
("Path", "")])
for (task, vma) in data:
if not self._config.VMA or vma.vm_start == self._config.VMA:
file_name = "task.{0}.{1:#x}.vma".format(task.pid, vma.vm_start)
file_path = os.path.join(self._config.DUMP_DIR, file_name)
outfile = open(file_path, "wb+")
for page in self.read_addr_range(task, vma.vm_start, vma.vm_end):
outfile.write(page)
outfile.close()
self.table_row(outfd, task.pid,
vma.vm_start,
vma.vm_end,
vma.vm_end - vma.vm_start,
file_path)示例2: render_text
def render_text(self, outfd, data):
"""Renders the tasks to disk images, outputting progress as they go"""
if self._config.DUMP_DIR == None:
debug.error("Please specify a dump directory (--dump-dir)")
if not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
self.table_header(outfd,
[("Process(V)", "[addrpad]"),
("ImageBase", "[addrpad]"),
("Name", "20"),
("Result", "")])
for task in data:
task_space = task.get_process_address_space()
if task_space == None:
result = "Error: Cannot acquire process AS"
elif task.Peb == None:
# we must use m() here, because any other attempt to
# reference task.Peb will try to instantiate the _PEB
result = "Error: PEB at {0:#x} is paged".format(task.m('Peb'))
elif task_space.vtop(task.Peb.ImageBaseAddress) == None:
result = "Error: ImageBaseAddress at {0:#x} is paged".format(task.Peb.ImageBaseAddress)
else:
dump_file = "executable." + str(task.UniqueProcessId) + ".exe"
result = self.dump_pe(task_space,
task.Peb.ImageBaseAddress,
dump_file)
self.table_row(outfd,
task.obj_offset,
task.Peb.ImageBaseAddress,
task.ImageFileName,
result)示例3: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
for objct in self.scan_results(addr_space):
if isinstance(objct, _UDP_ENDPOINT):
# For UdpA, the state is always blank and the remote end is asterisks
for ver, laddr, _ in objct.dual_stack_sockets():
yield objct, "UDP" + ver, laddr, objct.Port, "*", "*", ""
elif isinstance(objct, _TCP_ENDPOINT):
if objct.AddressFamily == AF_INET:
proto = "TCPv4"
elif objct.AddressFamily == AF_INET6:
proto = "TCPv6"
yield objct, proto, objct.LocalAddress, objct.LocalPort, \
objct.RemoteAddress, objct.RemotePort, objct.State
elif isinstance(objct, _TCP_LISTENER):
# For TcpL, the state is always listening and the remote port is zero
for ver, laddr, raddr in objct.dual_stack_sockets():
yield objct, "TCP" + ver, laddr, objct.Port, raddr, 0, "LISTENING"示例4: apply_types
def apply_types(addr_space, ver):
"""Apply the TrueCrypt types for a specific version of TC.
@param addr_space: <volatility.BaseAddressSpace>
@param ver: <string> version
"""
mm_model = addr_space.profile.metadata.get('memory_model', '32bit')
try:
vtypes = TrueCryptMaster.version_map[ver][mm_model]
addr_space.profile.vtypes.update(vtypes)
addr_space.profile.merge_overlay({
'EXTENSION' : [ None, {
'wszVolume' : [ None, ['String', dict(length = 260, encoding = "utf16")]],
}],
'CRYPTO_INFO_t' : [ None, {
'mode' : [ None, ['Enumeration', dict(target = "long",
choices = {1: 'XTS',
2: 'LWR',
3: 'CBC',
4: 'OUTER_CBC',
5: 'INNER_CBC'})]],
'ea' : [ None, ['Enumeration', dict(target = "long",
choices = {1: 'AES',
2: 'SERPENT',
3: 'TWOFISH',
4: 'BLOWFISH',
5: 'CAST',
6: 'TRIPLEDES'})]],
}]})
addr_space.profile.compile()
except KeyError:
debug.error("Truecrypt version {0} is not supported".format(ver))示例5: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
return win32.network.determine_sockets(addr_space)示例6: generator
def generator(self, data):
if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
for task in data:
for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
if self._is_vad_empty(vad, address_space):
continue
content = address_space.zread(vad.Start, 64)
yield (0, [str(task.ImageFileName),
int(task.UniqueProcessId),
Address(vad.Start),
str(vad.Tag),
str(vadinfo.PROTECT_FLAGS.get(vad.VadFlags.Protection.v(), "")),
str(vad.VadFlags),
Bytes(content)])
# Dump the data if --dump-dir was supplied
if self._config.DUMP_DIR:
filename = os.path.join(self._config.DUMP_DIR,
"process.{0:#x}.{1:#x}.dmp".format(
task.obj_offset, vad.Start))
self.dump_vad(filename, vad, address_space)示例7: search_stack_frames
def search_stack_frames(self, start, stack_base, stack_limit, yara_rules, frame_delta=32, unwind=DEFAULT_UNWIND):
"""
Use Yara to search kernel/user stack frames within +/- frame_delta of the frame's start
address.
Frames to search are chosen by using the strategies specifed by the unwind parameter.
yara_rules - compiled Yara rules, built for example with:
1. yara.compile("/path/to/yara.rules")
or 2. yara.compile(source="rule dummy { condition: true }")
"""
if not yara_installed:
debug.error("In order to search the stack frames, it is necessary to install yara")
stack_registry = registry.get_plugin_classes(StackTop)
for unwind_strategy_nm in unwind.split(","):
if unwind_strategy_nm not in stack_registry:
raise ValueError("{0} is not a known stack unwind strategy".format(unwind_strategy_nm))
unwind_strategy = stack_registry[unwind_strategy_nm](start, stack_base, stack_limit, self)
for frame in itertools.chain(unwind_strategy.up(), unwind_strategy.down()):
search_data = self.get_process_address_space().zread(frame.start - frame_delta, 2* frame_delta)
for match in yara_rules.match(data = search_data):
for moffset, name, value in match.strings:
# Match offset here is converted into frame start address and a +/- frame_delta
yield match, name, value, frame.start, moffset-frame_delta
raise StopIteration示例8: calculate
def calculate(self):
common.set_plugin_members(self)
if not self.addr_space.profile.obj_has_member("fs_event_watcher", "proc_name"):
debug.error("This plugin only supports OS X >= 10.8.2. Please file a bug if you are running against a version matching this criteria.")
event_types = ["CREATE_FILE", "DELETE", "STAT_CHANGED", "RENAME", "CONTENT_MODIFIED", "EXCHANGE", "FINDER_INFO_CHANGED", "CREATE_DIR", "CHOWN"]
event_types = event_types + ["XATTR_MODIFIED", "XATTR_REMOVED", "DOCID_CREATED", "DOCID_CHANGED"]
table_addr = self.addr_space.profile.get_symbol("_watcher_table")
arr = obj.Object(theType = "Array", targetType = "Pointer", count = 8, vm = self.addr_space, offset = table_addr)
for watcher_addr in arr:
if not watcher_addr.is_valid():
continue
watcher = watcher_addr.dereference_as("fs_event_watcher")
name = self.addr_space.read(watcher.proc_name.obj_offset, 33)
if name:
idx = name.find("\x00")
if idx != -1:
name = name[:idx]
events = ""
event_arr = obj.Object(theType = "Array", targetType = "unsigned char", offset = watcher.event_list.v(), count = 13, vm = self.addr_space)
for (i, event) in enumerate(event_arr):
if event == 1:
events = events + event_types[i] + ", "
if len(events) and events[-1] == " " and events[-2] == ",":
events = events[:-2]
yield watcher_addr, name, watcher.pid, events示例9: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
tag = self._config.TAG
if tag == None:
debug.error("You must enter a --tag to find")
minsize = self._config.MIN_SIZE
maxsize = self._config.MAX_SIZE
poolsize = lambda x : x >= minsize and x <= maxsize
if self._config.PAGED:
paged = True
non_paged = False
else:
paged = False
non_paged = True
scanner = GenericPoolScan()
scanner.checks = [
('PoolTagCheck', dict(tag = tag)),
('CheckPoolSize', dict(condition = poolsize)),
('CheckPoolType', dict(paged = paged, non_paged = non_paged)),
]
for offset in scanner.scan(addr_space):
pool = obj.Object("_POOL_HEADER", offset = offset, vm = addr_space)
buf = addr_space.zread(offset, minsize)
yield pool, buf示例10: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
if self._config.REGEX:
try:
if self._config.IGNORE_CASE:
mod_re = re.compile(self._config.REGEX, re.I)
else:
mod_re = re.compile(self._config.REGEX)
except re.error as e:
debug.error('Error parsing regular expression: %s' % e)
mods = dict((mod.DllBase.v(), mod) for mod in modules.lsmod(addr_space))
# We need the process list to find spaces for some drivers. Enumerate them here
# instead of inside the find_space function, so we only have to do it once.
procs = list(tasks.pslist(addr_space))
if self._config.BASE:
if self._config.BASE in mods:
mod_name = mods[self._config.BASE].BaseDllName
else:
mod_name = "UNKNOWN"
yield addr_space, procs, int(self._config.BASE), mod_name
else:
for mod in list(mods.values()):
if self._config.REGEX:
if not mod_re.search(str(mod.FullDllName or '')) and not mod_re.search(str(mod.BaseDllName or '')):
continue
yield addr_space, procs, mod.DllBase.v(), mod.BaseDllName示例11: get_processes
def get_processes(self, addr_space):
"""Enumerate processes based on user options.
:param addr_space | <addrspace.AbstractVirtualAddressSpace>
:returns <list>
"""
bounce_back = taskmods.DllList.virtual_process_from_physical_offset
if self._config.OFFSET != None:
tasks = [bounce_back(addr_space, self._config.OFFSET)]
elif self._config.SCAN:
procs = list(filescan.PSScan(self._config).calculate())
tasks = []
for task in procs:
tasks.append(bounce_back(addr_space, task.obj_offset))
else:
tasks = win32.tasks.pslist(addr_space)
try:
if self._config.PID is not None:
pidlist = [int(p) for p in self._config.PID.split(",")]
tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
except (ValueError, TypeError):
debug.error("Invalid PID {0}".format(self._config.PID))
return tasks示例12: calculate
def calculate(self):
linux_common.set_plugin_members(self)
phys_addr_space = utils.load_as(self._config, astype="physical")
if phys_addr_space.profile.metadata.get("memory_model", "32bit") == "32bit":
fmt = "<I"
else:
fmt = "<Q"
needles = []
for sym in phys_addr_space.profile.get_all_symbol_names("kernel"):
if sym.find("_sched_class") != -1:
addr = phys_addr_space.profile.get_symbol(sym)
needles.append(struct.pack(fmt, addr))
if len(needles) == 0:
debug.error("Unable to scan for processes. Please file a bug report.")
back_offset = phys_addr_space.profile.get_obj_offset("task_struct", "sched_class")
scanner = poolscan.MultiPoolScanner(needles)
for _, offset in scanner.scan(phys_addr_space):
ptask = obj.Object("task_struct", offset=offset - back_offset, vm=phys_addr_space)
if not ptask.exit_state.v() in [0, 16, 32, 16 | 32]:
continue
if not (0 < ptask.pid < 66000):
continue
yield ptask示例13: _compile_rules
def _compile_rules(self):
"""Compile the YARA rules from command-line parameters.
@returns: a YARA object on which you can call 'match'
This function causes the plugin to exit if the YARA
rules have syntax errors or are not supplied correctly.
"""
rules = None
try:
if self._config.YARA_RULES:
s = self._config.YARA_RULES
# Don't wrap hex or regex rules in quotes
if s[0] not in ("{", "/"): s = '"' + s + '"'
# Option for case insensitive searches
if self._config.CASE: s += " nocase"
# Scan for unicode and ascii strings
if self._config.WIDE: s += " wide ascii"
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
})
elif self._config.YARA_FILE and os.path.isfile(self._config.YARA_FILE):
rules = yara.compile(self._config.YARA_FILE)
else:
debug.error("You must specify a string (-Y) or a rules file (-y)")
except yara.SyntaxError, why:
debug.error("Cannot compile rules: {0}".format(str(why)))示例14: calculate
def calculate(self):
"""Begin carving and analysing"""
#Check output dir is provided
if self._config.DUMP_DIR == None:
debug.error("Please specify a dump directory (--dump-dir)")
if not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
#Carve packets from all mempages
self.addr_space = utils.load_as(self._config)
for mempage in self.addr_space.get_available_addresses():
self.carve_packets(self.addr_space.zread(mempage[0], mempage[1]))
#Analyze the carved/parsed packets
packet_stats = self.analyze_packets(self.parsed_packets)
#Dump files to dump-dir
self.dump_packets_to_pcap(self.hex_packets, os.path.abspath(os.path.join(self._config.DUMP_DIR, 'packets.pcap')))
with open(os.path.abspath(os.path.join(self._config.DUMP_DIR, 'ips.txt')), 'w') as fd:
for ip_to_check in packet_stats['unique_public_ips']:
fd.write(ip_to_check + '\n')
return packet_stats示例15: render_text
def render_text(self, outfd, data):
if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
for o, addr, hit, content in data:
outfd.write("Rule: {0}\n".format(hit.rule))
# Find out if the hit is from user or kernel mode
if o == None:
outfd.write("Owner: (Unknown Kernel Memory)\n")
filename = "kernel.{0:#x}.dmp".format(addr)
elif o.obj_name == "_EPROCESS":
outfd.write("Owner: Process {0} Pid {1}\n".format(o.ImageFileName,
o.UniqueProcessId))
filename = "process.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)
else:
outfd.write("Owner: {0}\n".format(o.BaseDllName))
filename = "kernel.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)
# Dump the data if --dump-dir was supplied
if self._config.DUMP_DIR:
path = os.path.join(self._config.DUMP_DIR, filename)
fh = open(path, "wb")
fh.write(content)
fh.close()
outfd.write("".join(
["{0:#010x} {1:<48} {2}\n".format(addr + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
]))