本文整理汇总了Python中volatility.debug.warning函数的典型用法代码示例。如果您正苦于以下问题:Python warning函数的具体用法?Python warning怎么用?Python warning使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了warning函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: calculate
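def calculate(self):
    """Scan physical memory for ``task_struct`` objects via their ``sched_class`` pointer.

    Every kernel symbol whose name contains ``_sched_class`` is packed as a
    pointer (4 or 8 bytes, following the profile's memory model) and used as
    a needle for a pool scan of the physical address space.  Each hit marks
    the ``sched_class`` member, so the struct start is recovered by
    subtracting that member's offset.  A candidate is kept only when its
    ``exit_state`` is one of the accepted values and its PID is plausible.

    Yields:
        ``task_struct`` objects backed by the physical address space.
        Nothing is yielded (after ``debug.warning``) when the profile has no
        ``*_sched_class`` symbols to scan for.
    """
    linux_common.set_plugin_members(self)
    phys_addr_space = utils.load_as(self._config, astype='physical')
    profile = phys_addr_space.profile

    # Pointer width follows the profile: 4 bytes for 32-bit, 8 otherwise.
    memory_model = profile.metadata.get('memory_model', '32bit')
    fmt = "<I" if memory_model == "32bit" else "<Q"

    needles = [
        struct.pack(fmt, profile.get_symbol(sym))
        for sym in profile.get_all_symbol_names("kernel")
        if "_sched_class" in sym
    ]
    if not needles:
        debug.warning("Unable to scan for processes. Please file a bug report.")
        return

    # A hit points at task_struct.sched_class; step back to the struct start.
    back_offset = profile.get_obj_offset("task_struct", "sched_class")
    scanner = poolscan.MultiPoolScanner(needles)

    # exit_state values accepted for a candidate task: 0 plus the 16/32
    # flags and their combination (presumably the EXIT_* constants of the
    # target kernel - confirm against the profile).
    accepted_exit_states = (0, 16, 32, 16 | 32)
    for _, offset in scanner.scan(phys_addr_space):
        ptask = obj.Object("task_struct", offset=offset - back_offset, vm=phys_addr_space)
        if ptask.exit_state.v() not in accepted_exit_states:
            continue
        # Reject garbage hits: PID must be positive and below 66000.
        if not (0 < ptask.pid < 66000):
            continue
        yield ptask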
示例2: get_autoruns
def get_autoruns(self):
    """Collect autorun entries from the SOFTWARE and NTUSER.DAT run keys.

    The run keys listed in ``SOFTWARE_RUN_KEYS`` and ``NTUSER_RUN_KEYS`` are
    resolved through ``self.regapi`` and every resolved key is handed to
    ``parse_autoruns_key``.  Any exception raised while gathering or parsing
    is logged as a warning and whatever was collected up to that point is
    returned.

    Returns:
        list of results produced by ``parse_autoruns_key``.
    """
    debug.debug('Started get_autoruns()')
    results = []
    hive_key_list = []
    # (hive name, run-key list) pairs, walked in this order.
    hives = (
        ('software', SOFTWARE_RUN_KEYS),
        ('ntuser.dat', NTUSER_RUN_KEYS),
    )
    try:
        for hive_name, run_keys in hives:
            # Gather all run keys of this hive
            self.regapi.reset_current()
            for run_key in run_keys:
                hive_key_list.extend(
                    self.regapi.reg_yield_key(hive_name=hive_name, key=run_key))
        # hive_key = (key pointer, hive_name)
        for hive_key in hive_key_list:
            results.extend(self.parse_autoruns_key(hive_key))
    except Exception as e:
        debug.warning('get_autoruns() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
    debug.debug('Finished get_autoruns()')
    return results
示例3: get_entries
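def get_entries(addr_space, regapi):
    """Yield the ShimCache (AppCompatCache) records stored in the SYSTEM hive.

    The value lives under the current control set.  On profiles with
    major.minor <= 5.1 the key is ``AppCompatibility`` and each record also
    carries a LastUpdate timestamp; later profiles use ``AppCompatCache``.

    Args:
        addr_space: address space whose profile supplies the ``major``/``minor``
            metadata and the ``ShimRecords`` vtype.
        regapi: registry API used to resolve the control set and read the
            ``AppCompatCache`` value.

    Yields:
        ``(path, last_modified, last_update)`` tuples; ``last_update`` is
        ``None`` on non-XP profiles.  Nothing is yielded (after a warning)
        when the value is missing, shorter than 0x1c bytes, or does not
        parse as ``ShimRecords``.
    """
    regapi.reset_current()
    currentcs = regapi.reg_get_currentcontrolset()
    # `== None` rather than `is None`: the registry API may hand back a
    # Volatility NoneObject, which compares equal to None but is not None.
    if currentcs == None:
        currentcs = "ControlSet001"

    version = (addr_space.profile.metadata.get('major', 0),
               addr_space.profile.metadata.get('minor', 0))
    xp = version <= (5, 1)
    if xp:
        key = currentcs + '\\' + "Control\\Session Manager\\AppCompatibility"
    else:
        key = currentcs + '\\' + "Control\\Session Manager\\AppCompatCache"

    data_raw = regapi.reg_get_value('system', key, "AppCompatCache")
    # Anything shorter than 0x1c bytes is treated like a missing value.
    if data_raw == None or len(data_raw) < 0x1c:
        debug.warning("No ShimCache data found")
        # A plain return ends the generator; `raise StopIteration` inside a
        # generator is turned into RuntimeError by PEP 479 (Python 3.7+).
        return

    bufferas = addrspace.BufferAddressSpace(addr_space.get_config(), data=data_raw)
    shimdata = obj.Object("ShimRecords", offset=0, vm=bufferas)
    if shimdata == None:
        debug.warning("No ShimCache data found")
        return

    for e in shimdata.Entries:
        if xp:
            yield e.Path, e.LastModified, e.LastUpdate
        else:
            raw_path = bufferas.read(int(e.PathOffset), int(e.Length))
            yield ShimCache.remove_unprintable(raw_path), e.LastModified, None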
示例4: download_pdbfile
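def download_pdbfile(self, db, guid, module_id, filename, path):
    """Download the PDB identified by (guid, filename) and record it in the symbol DB.

    A ``pdb`` row is created if missing and linked to *module_id* in
    ``mod_pdb``.  Each server in ``SYM_URLS`` is then tried, first with the
    compressed name (last character replaced by ``_``, e.g. ``foo.pd_``) and
    then with the plain name.  The first successful download is cached in
    *path* - compressed downloads are unpacked with ``cabextract`` and the
    archive removed - and the ``pdb`` row is stamped with the download time
    and source server.

    Args:
        db: sqlite cursor on the symbol database.
        guid: PDB GUID; upper-cased and NUL-stripped for the DB key.
        module_id: ``mod_pdb.module_id`` the PDB is linked to.
        filename: PDB file name as recorded for the module (may carry
            trailing NULs, which are stripped for the DB key).
        path: directory the downloaded file is written into.

    Returns:
        None.  Returns early, after ``debug.warning``, when *filename* is
        not a plain file name; returns silently when no server has the
        file.  HTTP errors are logged per attempt; other network and I/O
        errors propagate.
    """
    guid_key = str(guid.upper()).rstrip('\0')
    file_key = str(filename).rstrip('\0')

    # *filename* appears to come from the analysed module rather than from
    # the analyst, and it is joined onto *path* below; refuse separators
    # and dot names so a crafted name cannot write outside *path*.
    if (not file_key or file_key in ('.', '..')
            or '/' in file_key or '\\' in file_key):
        debug.warning("Refusing to download PDB with unsafe file name {0!r}".format(file_key))
        return

    db.execute("SELECT id FROM pdb WHERE guid=? AND file=?", (guid_key, file_key))
    row = db.fetchone()
    if row is None:
        db.execute("INSERT INTO pdb(guid, file) VALUES (?, ?)", (guid_key, file_key))
        db.execute("SELECT LAST_INSERT_ROWID() FROM pdb")
        row = db.fetchone()
    pdb_id = row[0]

    db.execute("SELECT * FROM mod_pdb WHERE module_id=? AND pdb_id=?", (module_id, pdb_id))
    if db.fetchone() is None:
        db.execute("INSERT INTO mod_pdb(module_id, pdb_id) VALUES (?, ?)", (module_id, pdb_id))
        self._sym_db_conn.commit()

    # Compressed name first, plain name second.
    tries = [filename[:-1] + '_', filename]
    for sym_url in SYM_URLS:
        url = "{0}/{1}/{2}/".format(sym_url, filename, guid)
        for t in tries:
            debug.info("Trying {0}".format(url + t))
            outfile = os.path.join(path, t)
            try:
                PDBOpener().retrieve(url + t, outfile, reporthook=self.progress)
            except urllib2.HTTPError as e:
                debug.warning("HTTP error {0}".format(e.code))
                continue
            debug.info("Downloaded symbols and cached at {0}".format(outfile))
            if t.endswith("_"):
                self.cabextract(outfile, path)
                debug.info("Unpacked download into {0}".format(path))
                os.remove(outfile)
            db.execute(
                "UPDATE pdb SET downloaded_at=DATETIME('now'), src=? WHERE id=? AND guid=? AND file=?",
                (sym_url, pdb_id, guid_key, file_key))
            self._sym_db_conn.commit()
            return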
示例5: draw_branch
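def draw_branch(pad, inherited_from):
    """Print the subtree of processes whose parent PID is *inherited_from*.

    Closes over ``data`` (PID -> task), ``self`` and ``outfd`` from the
    enclosing function.  Each child is printed as a table row indented by
    *pad* dots (plus audit/cmd/path lines when VERBOSE is set), removed from
    ``data`` so it is printed only once, and then expanded recursively one
    level deeper.  A task that has already been removed from ``data`` by the
    time we reach it is reported with a warning instead of failing.
    """
    # Iterate over a snapshot: the body deletes from ``data`` and the
    # recursive call walks it again, which raises on a live dict view in
    # Python 3 (Python 2's values() already returned a copy).
    for task in list(data.values()):
        if task.InheritedFromUniqueProcessId == inherited_from:
            first_column = "{0} {1:#x}:{2:20}".format(
                "." * pad,
                task.obj_offset,
                str(task.ImageFileName or '')
            )
            self.table_row(outfd,
                           first_column,
                           task.UniqueProcessId,
                           task.InheritedFromUniqueProcessId,
                           task.ActiveThreads,
                           task.ObjectTable.HandleCount,
                           task.CreateTime)
            if self._config.VERBOSE:
                indent = ' ' * pad
                outfd.write("{0} audit: {1}\n".format(
                    indent, str(task.SeAuditProcessCreationInfo.ImageFileName.Name or '')))
                process_params = task.Peb.ProcessParameters
                if process_params:
                    outfd.write("{0} cmd: {1}\n".format(
                        indent, str(process_params.CommandLine or '')))
                    outfd.write("{0} path: {1}\n".format(
                        indent, str(process_params.ImagePathName or '')))
            try:
                del data[int(task.UniqueProcessId)]
            except KeyError:
                debug.warning("PID {0} PPID {1} has already been seen".format(task.UniqueProcessId, task.InheritedFromUniqueProcessId))
            draw_branch(pad + 1, task.UniqueProcessId)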
示例6: calculate
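def calculate(self):
    """Enumerate processes from ``init_task.tasks``, then surface unlisted DTBs.

    Phase one yields every ``task_struct`` reachable from ``init_task`` and
    records the physical page-directory base of each task that has one.
    Phase two runs the ``linux_auto_dtblist`` command and yields each DTB it
    discovered that no listed task owns - candidates for hidden or
    terminated processes.  Note that the two phases yield different kinds of
    value: task objects first, then bare DTB values.

    Returns early, after ``debug.warning``, when the auto-detected
    ``task_struct`` layout lacks ``comm``/``tasks``/``mm`` or when
    ``init_task`` cannot be located.
    """
    linux_common.set_plugin_members(self)

    # Automatically initialize task_struct offsets
    task_struct.init_offsets(self.addr_space)
    required_members = ('comm', 'tasks', 'mm')
    if not all(task_struct.is_offset_defined(memname) for memname in required_members):
        debug.warning("Some of required members of 'task_struct' structure were not found.")
        return

    ksymbol_command = linux_auto_ksymbol(self._config)
    init_task_addr = ksymbol_command.get_symbol('init_task')
    if init_task_addr is None:
        debug.warning("Can't locate the first process (swapper).")
        return

    init_task = obj.Object('task_struct', offset=init_task_addr, vm=self.addr_space)
    # Physical DTBs of every listed task.  A set, so the membership test in
    # phase two is a hash lookup instead of a linear scan per candidate.
    tasks_dtbs = set()
    for task in init_task.tasks:
        if mm_struct.is_offset_defined('pgd'):
            pgd = task.mm.pgd
            if pgd:
                tasks_dtbs.add(self.addr_space.vtop(pgd))
        yield task

    # List unnamed potentially hidden or terminated processes
    # auto-discovered by dtblist command.
    dtblist_command = linux_auto_dtblist(self._config)
    for dtb in dtblist_command.calculate():
        if dtb not in tasks_dtbs:
            yield dtb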
示例7: parse_task_xml
def parse_task_xml(self, xml, f_name):
    """Parse a scheduled-task XML blob into a dict of the fields of interest.

    The blob is stripped of runs of NUL padding, decoded as UTF-16, and the
    attributes on the ``<Task>`` root are dropped (presumably the xmlns
    declaration) so that the plain element paths below match.  The result
    holds ``Date``, ``Description``, ``Enabled``, ``Hidden`` (text values)
    and ``Actions``/``Triggers`` (via ``visit_all_children``); when the same
    element occurs more than once the last one wins.

    Args:
        xml: raw task XML as read from memory.
        f_name: task file name, used only in the warning on decode failure.

    Returns:
        The field dict, or None when the task carries no
        ``Actions/Exec/Command`` or the blob is not valid UTF-16 (logged as
        a warning, with the raw blob at debug level).
    """
    raw = xml
    # Collapse NUL padding, then re-terminate the buffer.  The appended
    # NUL means the result is never empty.
    xml = re.sub('\x00\x00+', '', xml) + '\x00'
    if not xml:
        return None

    # (element path, result key, use visit_all_children?) in the order the
    # elements are processed.
    fields = (
        ("./RegistrationInfo/Date", 'Date', False),
        ("./RegistrationInfo/Description", 'Description', False),
        ("./Actions", 'Actions', True),
        ("./Settings/Enabled", 'Enabled', False),
        ("./Settings/Hidden", 'Hidden', False),
        ("./Triggers/*", 'Triggers', True),
    )
    try:
        text = xml.decode('utf-16')
        text = re.sub(r"<Task(.*?)>", "<Task>", text)
        root = ET.fromstring(text.encode('utf-16'))

        d = {}
        for xpath, key, nested in fields:
            for node in root.findall(xpath):
                if nested:
                    d[key] = self.visit_all_children(node)
                else:
                    d[key] = node.text or ''

        # Tasks without an executable command are of no interest here.
        command = d.get("Actions", {}).get('Exec', {}).get("Command", False)
        if not command:
            return None
        return d
    except UnicodeDecodeError:
        debug.warning('Error while parsing the following task: {}'.format(f_name))
        debug.debug('UnicodeDecodeError for: {}'.format(repr(raw)))
        return None
示例8: merge_overlay
def merge_overlay(self, overlay):
    """Applies an overlay to the profile's vtypes.

    Every entry of *overlay* is merged into the vtype of the same name
    through ``_apply_overlay``.  Names that have no existing vtype are
    skipped with a warning rather than created.
    """
    for name, patch in overlay.items():
        if name in self.vtypes:
            self.vtypes[name] = self._apply_overlay(self.vtypes[name], patch)
        else:
            debug.warning("Overlay structure {0} not present in vtypes".format(name))
示例9: hash
def hash(self, data, alghConfig):
    """Return the sdhash hex digest of *data*.

    Inputs shorter than 512 bytes make ``fhash.sdhash`` raise ValueError;
    that case is reported with a warning and the placeholder ``'-'`` is
    returned instead.  *alghConfig* is not used in this block.
    """
    try:
        digest = fhash.sdhash(data).hexdigest()
    except ValueError:
        debug.warning("SDHash needs an input of at least 512 bytes. Too short: {!s}".format(len(data)))
        digest = '-'
    return digest
示例10: add_types
def add_types(self, vtypes, overlay=None):
    """ Add in a deprecated function that mimics the previous add_types function

    Merges *vtypes* into ``self.vtypes``, applies *overlay* through
    ``merge_overlay`` when one is given, and recompiles the profile.  A
    deprecation warning is logged on every call.
    """
    message = "Deprecation warning: A plugin is making use of profile.add_types"
    debug.warning(message)
    self.vtypes.update(vtypes)
    if overlay:
        self.merge_overlay(overlay)
    self.compile()
示例11: calculate
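def calculate(self):
    """Walk the kernel ``_allproc`` list and yield each valid ``proc`` object.

    The optional ``PID`` config option (comma-separated integers) restricts
    the output to those PIDs; a value that does not parse is reported and
    ignored, so every process is listed.  The walk follows
    ``p_list.le_next`` and stops early, with a warning, when an offset
    repeats - a cycle produced by non-atomic memory acquisition.

    Yields:
        ``proc`` objects in list order.
    """
    common.set_plugin_members(self)

    pidlist = None
    try:
        if self._config.PID:
            pidlist = [int(p) for p in self._config.PID.split(',')]
    except (ValueError, TypeError, AttributeError):
        # Same best-effort outcome as before (no filter), but no longer silent.
        debug.warning("Ignoring unparsable PID filter: {0!r}".format(
            getattr(self._config, 'PID', None)))

    p = self.addr_space.profile.get_symbol("_allproc")
    procsaddr = obj.Object("proclist", offset=p, vm=self.addr_space)
    proc = obj.Object("proc", offset=procsaddr.lh_first, vm=self.addr_space)

    # Offsets already visited; a set so cycle detection stays O(1) per node.
    seen = set()
    while proc.is_valid():
        if proc.obj_offset in seen:
            debug.warning("Recursive process list detected (a result of non-atomic acquisition). Use mac_tasks or mac_psxview)")
            break
        seen.add(proc.obj_offset)
        if not pidlist or proc.p_pid in pidlist:
            yield proc
        proc = proc.p_list.le_next.dereference()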
示例12: get_section
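def get_section(self, sect):
    """Return the bytes of a PE header or section, optionally as extracted strings.

    *sect* selects what is returned:
      * ``pe`` (or ``pe:<anything>``): the PE header via ``get_header``;
      * ``<name>:header``: the packed header of the section called ``<name>``;
      * anything else: the raw contents of the section whose name equals
        *sect* exactly.
    When ``self.strings`` is set the blob is passed through
    ``self.strings_str`` first.  When ``self.mirror`` is set the result is
    also handed to ``dump_hashed_data`` before being returned.

    Returns:
        The selected data, or None when no section of that name exists - in
        which case a warning naming the dump is logged.  An existing section
        with empty contents is returned as-is without a warning.

    Raises:
        exc.NoPE: when the dump is not a PE image.
    """
    if not self.isPE:
        raise exc.NoPE(self.pName)

    def render(blob):
        # Apply the strings transformation when requested.
        return self.strings_str(blob) if self.strings else blob

    def find_section(name, extract):
        # Linear scan over the sections; as before, the last section with a
        # matching name wins.  Returns (matched, rendered data) so an empty
        # section is not mistaken for a missing one.
        matched, found = False, None
        for section in self.pDump.sections:
            if name == section.Name.translate(None, '\x00'):
                matched, found = True, render(extract(section))
        return matched, found

    parts = sect.split(':')
    if parts[0] == 'pe':
        # PE Header
        ret = render(self.get_header(sect))
    else:
        if len(parts) > 1 and parts[1] == 'header':
            # Section header
            matched, ret = find_section(parts[0], lambda section: section.__pack__())
        else:
            # Section content
            matched, ret = find_section(sect, lambda section: section.get_data())
        if not matched:
            debug.warning('Unknown section: {!s} for {!s}. Please specify a valid section.'.format(sect, self.pName))

    # Dump data to disk
    if self.mirror:
        self.dump_hashed_data(ret, sect)
    return ret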
示例13: _init_ksymtab
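def _init_ksymtab(self):
    """Locate the ``ksymtab_strings`` section in the first 16 MB of physical memory.

    Reads 0x1000000 bytes from the first available physical address into
    ``self.kernel_image``, then looks for the ``init_task`` symbol name and
    walks backwards over symbol characters and NULs to find the start of
    the string table.  On success ``self.ksymtab_strings_offset`` is set;
    otherwise a warning is logged and that attribute is left untouched.
    ``self.ksymtab_initialized`` is set to True in both cases.

    Raises:
        NotImplementedError: for any memory model other than 32-bit, the
            only one this scan supports (raised after the image is read).
        StopIteration: if the physical address space reports no available
            address ranges.
    """
    phys_as = utils.load_as(self._config, astype='physical')
    # builtin next() rather than .next(): works on Python 2.6+ and 3.
    start_addr, _ = next(phys_as.get_available_addresses())
    # First 16 MB of physical memory
    self.kernel_image = phys_as.read(start_addr, 0x1000000)
    # Init page_offset
    if phys_as.profile.metadata.get('memory_model', '32bit') != '32bit':
        raise NotImplementedError
    self.ksymtab_initialized = True

    # Same pattern for every candidate, so compile it once outside the loop.
    symbol_char = re.compile(r'[0-9a-z_]')
    # Locate the physical offset of the ksymtab_strings section
    for match in re.finditer('init_task\0', self.kernel_image):
        offset = match.start()
        if symbol_char.match(self.kernel_image[offset - 1:offset]):
            # 'init_task' is a substring of another symbol like 'xxx_init_task'
            continue
        # TODO: Choose the right one, not the first.
        # Find the beginning of the ksymtab_strings section
        # NOTE(review): the walk stops *on* the first byte that is neither a
        # symbol character nor NUL, so `offset` ends one byte before the
        # table rather than on its first byte - confirm this is intended.
        char = self.kernel_image[offset]
        while offset > 0 and (symbol_char.match(char) or char == '\x00'):
            offset -= 1
            char = self.kernel_image[offset]
        debug.debug("Found the physical offset of the ksymtab_strings "
                    "section: {0:#010x}".format(offset))
        self.ksymtab_strings_offset = offset
        return
    debug.warning("Can't locate a ksymtab_strings section")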
示例14: search_process_memory
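def search_process_memory(self, s, heap_only=False):
    """Yield the virtual address of every occurrence of the needles in this process.

    The process address space is scanned one VMA at a time in 10 MB blocks
    with a 1 KB overlap, so a needle straddling a block boundary is still
    found.  Hits that fall inside the overlap are reported from the block
    that starts there, never twice.

    Args:
        s: list of byte strings to search for.  A single string is still
            accepted (with a deprecation warning) and wrapped in a list.
        heap_only: when True, only the VMA spanning ``mm.start_brk`` ..
            ``mm.brk`` is scanned.

    Yields:
        Absolute addresses (``vma.vm_start`` + hit offset), per VMA, per
        block, per needle.
    """
    # Allow for some overlap in case objects are
    # right on page boundaries
    overlap = 1024
    # Make sure s in a list. This allows you to search for
    # multiple strings at once, without changing the API.
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]
    scan_blk_sz = 1024 * 1024 * 10
    addr_space = self.get_process_address_space()

    for vma in self.get_proc_maps():
        if heap_only and not (vma.vm_start <= self.mm.start_brk and vma.vm_end >= self.mm.brk):
            continue
        offset = vma.vm_start
        out_of_range = vma.vm_start + (vma.vm_end - vma.vm_start)
        while offset < out_of_range:
            # Read some data and match it.
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break
            # When this read ran past scan_blk_sz, the next block starts at
            # offset + scan_blk_sz and re-scans those bytes; skip hits there
            # so each match is reported exactly once.
            has_next_block = to_read > scan_blk_sz
            for x in s:
                for hit in utils.iterfind(data, x):
                    if has_next_block and hit >= scan_blk_sz:
                        continue
                    yield offset + hit
            offset += min(to_read, scan_blk_sz)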
示例15: calculate
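def calculate(self):
    """Validate the requested PID, gather section segments, then analyse each process.

    The configured ``PID`` must belong to a process returned by
    ``taskmods.DllList.calculate``; otherwise ``debug.error`` is raised.
    Section segments are collected with the PID filter temporarily cleared
    (and always restored, even if collection fails), a warning is logged for
    profiles other than Win7SP1x86 / WinXPSP3x86, and every process is then
    passed through ``self.analyze``.

    Yields:
        Whatever ``self.analyze(task)`` yields, for each task in turn.

    Raises:
        ValueError: when the ``PID`` option is not an integer string.
    """
    #check pid is valid before we spend time getting sections
    pids = {int(task.UniqueProcessId) for task in taskmods.DllList.calculate(self)}
    if int(self._config.PID) not in pids:
        debug.error("Error - Invalid PID")

    #get handles for all processes by reseting the pid filter
    self.pid = self._config.PID
    self._config.PID = ""
    try:
        self.segments = self.get_section_segments()
    finally:
        #revert pid option - also on failure, so the filter is never left blank
        self._config.PID = self.pid

    #Check profile
    profile = self._config.profile
    if profile not in ("Win7SP1x86", "WinXPSP3x86"):
        debug.warning("Warning - {0} profile not supported".format(self._config.profile))

    #analyze through each process
    for task in taskmods.DllList.calculate(self):
        for data in self.analyze(task):
            yield data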