本文整理汇总了Python中volatility.plugins.linux.common.set_plugin_members函数的典型用法代码示例。如果您正苦于以下问题:Python set_plugin_members函数的具体用法?Python set_plugin_members怎么用?Python set_plugin_members使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了set_plugin_members函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: render_text
def render_text(self, outfd, data):
    """Write every queued socket message of every task to *outfd*.

    Validates the DUMP_DIR option first, then walks the open files of
    each task found by linux_netstat, keeps only the socket files and
    emits the messages process_queue produces for the receive queue and
    then the write queue, one per line. *data* is not consulted here.
    """
    linux_common.set_plugin_members(self)
    self.edir = self._config.DUMP_DIR
    if not self.edir:
        debug.error("No output directory given.")
    if not os.path.isdir(self.edir):
        debug.error(self.edir + " is not a directory")

    netstat = linux_netstat.linux_netstat(self._config)
    for task in netstat.calculate():
        profile = task.obj_vm.profile
        socket_fops = profile.get_symbol("socket_file_ops")
        sockfs_dops = profile.get_symbol("sockfs_dentry_operations")
        for (filp, fdnum) in task.lsof():
            # a file is a socket if either its f_op or its dentry ops match
            is_socket = (filp.f_op == socket_fops
                         or filp.dentry.d_op == sockfs_dops)
            if not is_socket:
                continue
            sk = task.SOCKET_I(filp.dentry.d_inode).sk
            queues = (("receive", sk.sk_receive_queue),
                      ("write", sk.sk_write_queue))
            for (label, queue) in queues:
                for msg in self.process_queue(label, task.pid, fdnum, queue):
                    outfd.write(msg + "\n")
示例2: calculate
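def calculate(self):
    """Locate files or dump one file's contents, driven by the plugin options.

    Yields ``(path, inode)`` tuples when LISTFILES is set (every file of
    every superblock) or when FIND names a path (first match only).
    When an inode address and an output file are given instead, the
    inode's pages are written to that file and nothing is yielded.
    Any other combination is reported through debug.error.
    """
    linux_common.set_plugin_members(self)
    find_file = self._config.FIND
    inode_addr = self._config.inode
    outfile = self._config.outfile
    listfiles = self._config.LISTFILES

    if listfiles:
        for (_, _, file_path, file_dentry) in self.walk_sbs():
            yield (file_path, file_dentry.d_inode)
    elif find_file and len(find_file):
        for (_, _, file_path, file_dentry) in self.walk_sbs():
            if file_path == find_file:
                yield (file_path, file_dentry.d_inode)
                break
    elif inode_addr and inode_addr > 0 and outfile and len(outfile) > 0:
        inode = obj.Object("inode", offset = inode_addr, vm = self.addr_space)
        # 'with' closes the handle (flushing buffered pages) even when
        # get_file_contents raises part way through the dump; the original
        # leaked the descriptor in that case.
        with open(outfile, "wb") as f:
            for page in self.get_file_contents(inode):
                f.write(page)
    else:
        debug.error("Incorrect command line parameters given.")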
示例3: calculate
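def calculate(self):
    """List tmpfs superblocks or write one of them out to DUMP_DIR.

    With DUMP_DIR and SB set, walks the root dentry of the chosen
    superblock (1-based, as numbered by LIST_SBS) and writes the file
    system to disk; this branch never yields. With LIST_SBS set, yields
    ``(number, mount path)`` for each tmpfs superblock. Anything else is
    reported through debug.error.
    """
    linux_common.set_plugin_members(self)
    dump_dir = self._config.DUMP_DIR
    if dump_dir and self._config.SB:
        if not os.path.isdir(dump_dir):
            debug.error(dump_dir + " is not a directory")
        tmpfs_sbs = self.get_tmpfs_sbs()
        sb_idx = self._config.SB - 1
        # Reject negative indices as well: a negative SB would otherwise
        # wrap around (Python negative indexing) and silently dump the
        # wrong superblock instead of failing.
        if sb_idx < 0 or sb_idx >= len(tmpfs_sbs):
            debug.error("Invalid superblock number given. Please use the -L option to determine valid numbers.")
        root_dentry = tmpfs_sbs[sb_idx][0].s_root
        self.walk_sb(root_dentry)
    elif self._config.LIST_SBS:
        # each entry is (superblock, mount path); the number shown is 1-based
        for (i, (_sb, path)) in enumerate(self.get_tmpfs_sbs()):
            yield (i + 1, path)
    else:
        debug.error("No sb number/output directory combination given and list superblocks not given")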
示例4: calculate
def calculate(self):
    """Yield handle_table's result for every neighbour table.

    Starts at the kernel's ``neigh_tables`` pointer and follows the
    ``next`` links of the ``neigh_table`` chain.
    """
    linux_common.set_plugin_members(self)
    head_addr = self.get_profile_symbol("neigh_tables")
    head_ptr = obj.Object("Pointer", offset = head_addr, vm = self.addr_space)
    tables = linux_common.walk_internal_list("neigh_table", "next", head_ptr)
    for table in tables:
        yield self.handle_table(table)
示例5: calculate
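def calculate(self):
    """Locate files or dump one file's contents, driven by the plugin options.

    Yields ``(path, inode)`` tuples when LISTFILES is set (every file of
    every superblock) or when FIND names a path (first match only).
    When an inode address and an output file are given instead, the
    inode's pages are written to that file and nothing is yielded.
    No diagnostic is produced when none of the option combinations match.
    """
    linux_common.set_plugin_members(self)
    find_file = self._config.FIND
    inode_addr = self._config.inode
    outfile = self._config.outfile
    listfiles = self._config.LISTFILES

    if listfiles:
        for (_, _, file_path, file_dentry) in self.walk_sbs():
            yield (file_path, file_dentry.d_inode)
    elif find_file and len(find_file):
        for (_, _, file_path, file_dentry) in self.walk_sbs():
            if file_path == find_file:
                yield (file_path, file_dentry.d_inode)
                break
    elif inode_addr and inode_addr > 0 and outfile and len(outfile) > 0:
        inode = obj.Object("inode", offset = inode_addr, vm = self.addr_space)
        try:
            f = open(outfile, "wb")
        except IOError as e:
            debug.error("Unable to open output file (%s): %s" % (outfile, str(e)))
            # debug.error is expected to abort; returning guards against
            # touching an unbound 'f' if it ever does not.
            return
        # close the handle even if reading the inode's pages fails midway
        with f:
            for page in self.get_file_contents(inode):
                f.write(page)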
示例6: calculate
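def calculate(self):
    """Report hooked ``file_operations`` members.

    Yields ``(description, member name, hook address)`` triples. With
    INODE set, only that inode's ``i_fop`` table is verified (after the
    inode is validated); otherwise the open-file, /proc, /proc-root and
    file-cache checks are run in turn and their findings passed through.
    """
    linux_common.set_plugin_members(self)
    modules = linux_lsmod.linux_lsmod(self._config).get_modules()
    members = self.profile.types["file_operations"].keywords["members"]
    # "owner" is excluded from the hook candidates, as in the original
    # (it is a module pointer rather than an operation pointer). Filtering
    # instead of list.remove works on Python 3 dict views too and does not
    # raise if the member is absent from the profile.
    f_op_members = [m for m in members.keys() if m != "owner"]

    if self._config.INODE:
        inode = obj.Object("inode", offset=self._config.INODE, vm=self.addr_space)
        if not inode.is_valid():
            debug.error(
                "Invalid inode address given. Please use linux_find_file to determine valid inode addresses."
            )
        for (hooked_member, hook_address) in self.verify_ops(inode.i_fop, f_op_members, modules):
            yield ("inode at {0:x}".format(inode.obj_offset), hooked_member, hook_address)
    else:
        checks = [self.check_open_files_fop, self.check_proc_fop, self.check_proc_root_fops, self.check_file_cache]
        for check in checks:
            for (name, member, address) in check(f_op_members, modules):
                yield (name, member, address)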
示例7: calculate
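def calculate(self):
    """Cross-reference task_struct offsets gathered from several sources.

    Yields ``(offset, task_struct object, ps_sources)`` once per distinct
    offset. ps_sources maps each source name to the offsets that source
    reported, so the renderer can show which sources saw each task.
    """
    linux_common.set_plugin_members(self)
    # source name -> task_struct virtual offsets reported by that source
    # (values are evaluated in this order, as in the original)
    ps_sources = {
        'pslist': self._get_pslist(),
        'pid_hash': self._get_pid_hash(),
        'kmem_cache': self._get_kmem_cache(),
        'parents': self._get_task_parents(),
        'thread_leaders': self._get_thread_leaders(),
    }
    # A set makes the duplicate check O(1) instead of the original's
    # O(n) list scan per offset. Assumes offsets are plain hashable
    # integers, which is how they are passed to obj.Object below.
    seen_offsets = set()
    for source in ps_sources:
        for offset in ps_sources[source]:
            if offset in seen_offsets:
                continue
            seen_offsets.add(offset)
            yield offset, obj.Object("task_struct", offset = offset, vm = self.addr_space), ps_sources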
示例8: calculate
def calculate(self):
    """Run the compiled Yara rules over kernel memory or process VMAs.

    Yields ``(task, address, hit, data)``: *task* is None for the kernel
    scan, *address* is the hit offset moved back by the REVERSE option,
    and *data* is SIZE bytes read from that address via zread.
    """
    ## yara is an optional dependency
    if not has_yara:
        debug.error("Please install Yara from https://plusvic.github.io/yara/")
    ## leveraged from the windows yarascan plugin
    rules = self._compile_rules()
    ## set the linux plugin address spaces
    linux_common.set_plugin_members(self)

    reverse = self._config.REVERSE
    size = self._config.SIZE

    if self._config.KERNEL:
        ## the start of kernel memory taken from VolatilityLinuxIntelValidAS
        model = self.addr_space.profile.metadata.get('memory_model', '32bit')
        kernel_start = 0xc0000000 if model == "32bit" else 0xffffffff80000000
        scanner = malfind.DiscontigYaraScanner(rules = rules,
                                               address_space = self.addr_space)
        for hit, address in scanner.scan(start_offset = kernel_start):
            start = address - reverse
            yield (None, start, hit, scanner.address_space.zread(start, size))
    else:
        for task in self.filter_tasks():
            scanner = VmaYaraScanner(task = task, rules = rules)
            for hit, address in scanner.scan():
                start = address - reverse
                yield (task, start, hit, scanner.address_space.zread(start, size))
示例9: calculate
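def calculate(self):
    """Walk init_task's ``tasks`` list and yield the selected task_structs.

    Without PID or PROCNAMES every task on the list is yielded (the
    swapper task is not on it). Otherwise a task is yielded when its
    pid is in the comma-separated PID list or its comm is in the
    PROCNAMES list -- at most once, even when both filters match it.
    """
    linux_common.set_plugin_members(self)
    init_task_addr = self.get_profile_symbol("init_task")
    init_task = obj.Object("task_struct", vm = self.addr_space, offset = init_task_addr)

    pidlist = self._config.PID
    pnamelist = self._config.PROCNAMES
    if pidlist:
        pidlist = [int(p) for p in pidlist.split(',')]
    if pnamelist:
        pnamelist = [str(q) for q in pnamelist.split(',')]
    # The original printed both lists here (debug leftovers next to a
    # commented-out pdb call); they interleaved with the rendered output
    # and were dropped.

    # walk the ->tasks list, note that this will *not* display "swapper"
    for task in init_task.tasks:
        if not pidlist and not pnamelist:
            yield task
        elif (pidlist and task.pid in pidlist) or (pnamelist and str(task.comm) in pnamelist):
            # single yield: the original yielded the same task twice when
            # it matched both the pid and the name filter
            yield task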
示例10: calculate
def calculate(self):
    """Yield the dentries from _compare_filps() that pass the filter.

    A candidate is kept only if it is still referenced (d_count > 0),
    backs a regular file, and has d_flags equal to 128 (the value the
    original keyed on; its kernel meaning is not established here).
    Checks run in that order, so is_reg() is only consulted for
    referenced dentries.
    """
    linux_common.set_plugin_members(self)
    for dentry_offset in self._compare_filps():
        dentry = obj.Object("dentry", offset = dentry_offset, vm = self.addr_space)
        if not (dentry.d_count > 0):
            continue
        if not dentry.d_inode.is_reg():
            continue
        if dentry.d_flags == 128:
            yield dentry
示例11: calculate
def calculate(self):
    """Run the compiled Yara rules over kernel memory or every process's VMAs.

    Yields ``(task, address, hit, data)`` where *task* is None for the
    kernel scan and *data* is the 64 bytes read at the hit address via
    zread.
    """
    ## yara is an optional dependency
    if not has_yara:
        debug.error("Please install Yara from code.google.com/p/yara-project")
    ## leveraged from the windows yarascan plugin
    rules = self._compile_rules()
    ## set the linux plugin address spaces
    linux_common.set_plugin_members(self)

    if self._config.KERNEL:
        ## the start of kernel memory taken from VolatilityLinuxIntelValidAS
        model = self.addr_space.profile.metadata.get('memory_model', '32bit')
        kernel_start = 0xc0000000 if model == "32bit" else 0xffffffff80000000
        scanner = malfind.DiscontigYaraScanner(rules = rules,
                                               address_space = self.addr_space)
        for hit, address in scanner.scan(start_offset = kernel_start):
            yield (None, address, hit, scanner.address_space.zread(address, 64))
    else:
        for task in pslist.linux_pslist(self._config).calculate():
            scanner = VmaYaraScanner(task = task, rules = rules)
            for hit, address in scanner.scan():
                yield (task, address, hit, scanner.address_space.zread(address, 64))
示例12: calculate
def calculate(self):
    """Yield ``(inode, inode number, path)`` for every file of every superblock.

    Reuses linux_find_file's superblock walk instead of reimplementing it.
    """
    linux_common.set_plugin_members(self)
    finder = linux_find_file.linux_find_file(self._config)
    for entry in finder.walk_sbs():
        (_, _, file_path, file_dentry) = entry
        inode = file_dentry.d_inode
        yield inode, inode.i_ino, file_path
示例13: calculate
def calculate(self):
    """Yield ``(task, _PyDictEntry)`` pairs for each Python task.

    Every Python string found in a task is treated as a possible dict
    key: its hash followed by its own address, each packed in the task's
    pointer width, is the byte pattern an entry holding that key would
    contain. Each heap hit whose _PyDictEntry validates is yielded.
    This repeats a lot of linux_python_strings's code, but the strings
    are gathered per task so the bytestring search can be optimized.
    """
    linux_common.set_plugin_members(self)
    python_tasks = [t for t in linux_pslist.linux_pslist.calculate(self)
                    if _is_python_task(t)]
    for task in python_tasks:
        addr_space = task.get_process_address_space()
        model = addr_space.profile.metadata.get('memory_model', '32bit')
        ptr_fmt = "I" if model == '32bit' else "Q"
        # lower-case struct format = signed, used for the hash value
        hash_fmt = ptr_fmt.lower()

        def entry_pattern(py_string):
            # the hash as bytes, then the pointer to the PyStringObject as bytes
            return (struct.pack(hash_fmt, py_string.ob_shash)
                    + struct.pack(ptr_fmt, py_string.obj_offset))

        bytestrings = [entry_pattern(s) for s in find_python_strings(task)]
        for address in task.search_process_memory(bytestrings, heap_only=True):
            py_dict_entry = obj.Object("_PyDictEntry", offset=address, vm=addr_space)
            if py_dict_entry.is_valid():
                yield task, py_dict_entry
示例14: calculate
def calculate(self):
    """Yield ``(task, elf, start, end, soname, needed)`` per ELF mapped in each task.

    Tasks come from linux_pslist; the ELF details come from task.elfs().
    """
    linux_common.set_plugin_members(self)
    for task in linux_pslist.linux_pslist.calculate(self):
        for elf_info in task.elfs():
            (elf, elf_start, elf_end, soname, needed) = elf_info
            yield task, elf, elf_start, elf_end, soname, needed
示例15: calculate
def calculate(self):
    """Yield ``(module, sections, params)`` for each loaded kernel module.

    Walks the kernel's ``modules`` list head. Sections are gathered only
    when SECTIONS is set (otherwise an empty list); parameters only when
    PARAMS is set (otherwise an empty string), and PARAMS is rejected on
    profiles whose module type lacks the ``kp`` member.
    """
    linux_common.set_plugin_members(self)
    modules_addr = self.get_profile_symbol("modules")
    list_head = obj.Object("list_head", vm = self.addr_space, offset = modules_addr)
    want_params = self._config.PARAMS
    want_sections = self._config.SECTIONS
    # walk the modules list
    for module in list_head.list_of_type("module", "list"):
        params = ""
        if want_params:
            if not hasattr(module, "kp"):
                debug.error("Gathering module parameters is not supported in this profile.")
            params = self.get_params(module)
        sections = self.get_sections(module) if want_sections else []
        yield (module, sections, params)