本文整理汇总了Python中volatility.registry.get_plugin_classes函数的典型用法代码示例。如果您正苦于以下问题:Python get_plugin_classes函数的具体用法?Python get_plugin_classes怎么用?Python get_plugin_classes使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了get_plugin_classes函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: list_plugins
def list_plugins():
result = "\n\tSupported Plugin Commands:\n\n"
cmds = registry.get_plugin_classes(commands.Command, lower = True)
profs = registry.get_plugin_classes(obj.Profile)
if config.PROFILE == None:
config.update("PROFILE", "WinXPSP2x86")
if config.PROFILE not in profs:
raise BaseException("Invalid profile " + config.PROFILE + " selected")
profile = profs[config.PROFILE]()
wrongprofile = ""
for cmdname in sorted(cmds):
command = cmds[cmdname]
helpline = command.help() or ''
## Just put the title line (First non empty line) in this
## abbreviated display
for line in helpline.splitlines():
if line:
helpline = line
break
if command.is_valid_profile(profile):
result += "\t\t{0:15}\t{1}\n".format(cmdname, helpline)
else:
wrongprofile += "\t\t{0:15}\t{1}\n".format(cmdname, helpline)
if wrongprofile and config.VERBOSE:
result += "\n\tPlugins requiring a different profile:\n\n"
result += wrongprofile
return result示例2: init_config
def init_config(self):
"""
Volatility 설정 초기화
:return:
"""
if self.config is not None and self.addr_space is not None:
return self.config
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler("resolve")
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
base_conf = {
"profile": "WinXPSP2x86",
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"location": "file://" + self.memdump,
"plugins": 'plugins',
"debug": 4,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
self.config.parse_options()
if self.osprofile:
base_conf["profile"] = self.osprofile
self.update_config(base_conf)
# 사용가능한 플러그인 목록 저장
# self.plugins = Dictionary
# key: 플러그인 클래스 이름
# value: 플러그인 클래스 인스턴스
self.plugins = registry.get_plugin_classes(commands.Command, lower=True)
profs = registry.get_plugin_classes(obj.Profile)
profile = profs[self.config.PROFILE]()
# self.plugins에서 플러그인 리스트 추출
for cmd_name, command in self.plugins.items():
if command.is_valid_profile(profile):
self.plugin_list.append(cmd_name)
return self.config示例3: list_plugins
def list_plugins(self):
plugin_list = []
cmds = registry.get_plugin_classes(commands.Command, lower=True)
profs = registry.get_plugin_classes(obj.Profile)
profile_type = self.config.PROFILE
if profile_type not in profs:
print "Not a valid profile"
profile = profs[profile_type]()
for cmdname in sorted(cmds):
command = cmds[cmdname]
helpline = command.help() or ''
if command.is_valid_profile(profile):
plugin_list.append([cmdname, helpline])
return plugin_list示例4: render_text
def render_text(self, outfd, data):
checks = registry.get_plugin_classes(MalthfindRule)
for thread, addr_space, thread_start_function, thread_callstack in data:
has_comment = False
s = "\n------\n\n"
s += "ETHREAD: {0:#010x} Pid: {1} Tid: {2}\n".format(
thread.obj_offset,
thread.Cid.UniqueProcess, thread.Cid.UniqueThread)
s += "Owning Process: {0}\n".format(
thread.owning_process().ImageFileName)
s += "Attached Process: {0}\n".format(
thread.attached_process().ImageFileName)
s += "Thread Flags: {0}\n".format(str(thread.CrossThreadFlags))
# get all currently implemented rules
# and run them against the threads callstack
for cls_name, cls in checks.items():
thread_callstack = cls(thread_callstack).check()
if len(thread_callstack.mal_pattern) > 0:
if len(thread_callstack.callstack) > 0:
s += "Malicious patterns detected: "
first_pattern = True
for pattern in thread_callstack.mal_pattern:
if first_pattern:
s += pattern
first_pattern = False
else:
s += ", " + pattern
s += "\nCallstack:\n"
if thread_callstack.eip:
s += "\t{0:<8} {3:<8} {1:<8} {2}\n".format("No.", "RetAddr", "Function", "Ebp")
s += "\t{0:<8} 0x{5:08x} 0x{1:08x} {2}!{3}+0x{4:<8x}\n".format("[eip]", thread_callstack.callstack[0].function.address,
thread_callstack.callstack[0].owning_module_name, thread_callstack.callstack[0].function.name,
thread_callstack.callstack[0].ret_address - thread_callstack.callstack[0].function.address,
0)
thread_callstack.callstack.remove(thread_callstack.callstack[0])
i = 0
for item in thread_callstack.callstack:
s += "\t{0:<8} 0x{5:08x} 0x{1:08x} {2}!{3}+0x{4:<8x}\n".format("[" + str(i) + "]", item.function.address,
item.owning_module_name, item.function.name,
item.ret_address - item.function.address, item.frame_address)
i += 1
if item.comment != "":
has_comment = True
else:
s += "Couldn't acquire threads _KTRAP_FRAME\n"
if has_comment:
outfd.write("{0}\n".format(s))示例5: print_info
def print_info():
""" Returns the results """
categories = {addrspace.BaseAddressSpace: 'Address Spaces',
commands.Command : 'Plugins',
obj.Profile: 'Profiles',
scan.ScannerCheck: 'Scanner Checks'}
for c, n in sorted(categories.items()):
lower = (c == commands.Command)
plugins = registry.get_plugin_classes(c, lower = lower)
print "\n"
print "{0}".format(n)
print "-" * len(n)
result = []
max_length = 0
for clsname, cls in sorted(plugins.items()):
try:
doc = cls.__doc__.strip().splitlines()[0]
except AttributeError:
doc = 'No docs'
result.append((clsname, doc))
max_length = max(len(clsname), max_length)
for (name, doc) in result:
print "{0:{2}} - {1:15}".format(name, doc, max_length)示例6: guess_profile
def guess_profile(self, memimg):
'''
Using one of the user-specified memory image files, try to guess a
working Volatility profile. This can easily take on the order of
minutes.
@memimg: a memory image file name
@return: the guessed Volatiltiy profile string
'''
sys.stderr.write("Auto configuring profile. This may take a some time.\n")
self.set_memimg(memimg)
# Must set a dummy profile or volatility dies
self.set_profile('WinXPSP2x86')
chosen = None
profilelist = [p.__name__ for p in registry.get_plugin_classes(obj.Profile).values()]
for profile in profilelist:
self.config.update('profile', profile)
addr_space = utils.load_as(self.config, astype='any')
if hasattr(addr_space, "dtb"):
chosen = profile
break
return chosen示例7: load_as
def load_as(config, astype = 'virtual', **kwargs):
"""Loads an address space by stacking valid ASes on top of each other (priority order first)"""
base_as = None
error = exceptions.AddrSpaceError()
# Start off requiring another round
found = True
## A full iteration through all the classes without anyone
## selecting us means we are done:
while found:
debug.debug("Voting round")
found = False
for cls in sorted(registry.get_plugin_classes(addrspace.BaseAddressSpace).values(),
key = lambda x: x.order if hasattr(x, 'order') else 10):
debug.debug("Trying {0} ".format(cls))
try:
base_as = cls(base_as, config, astype = astype, **kwargs)
debug.debug("Succeeded instantiating {0}".format(base_as))
found = True
break
except addrspace.ASAssertionError, e:
debug.debug("Failed instantiating {0}: {1}".format(cls.__name__, e), 2)
error.append_reason(cls.__name__, e)
continue
except Exception, e:
debug.debug("Failed instantiating (exception): {0}".format(e))
error.append_reason(cls.__name__ + " - EXCEPTION", e)
continue示例8: __init__
def __init__(self):
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
#sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))
#sys.stderr.flush()
self.config = conf.ConfObject()
self.cmds = {}
#self.profile = "--profile=Linuxcentos5_5x86"
self.vmprocessMap = {}
self.config.add_option("INFO", default = None, action = "store_true",
cache_invalidator = False,
help = "Print information about all registered objects")
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
registry.PluginImporter()
## Register all register_options for the various classes
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
registry.register_global_options(self.config, commands.Command)
# Reset the logging level now we know whether debug is set or not
debug.setup(self.config.DEBUG)
#pdb.set_trace()
## Try to find the first thing that looks like a module name
self.cmds = registry.get_plugin_classes(commands.Command, lower = True)示例9: calculate
def calculate(self):
"""Determines the address space"""
profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]
proflens = {}
maxlen = 0
origprofile = self._config.PROFILE
for p in profilelist:
self._config.update('PROFILE', p)
buf = addrspace.BufferAddressSpace(self._config)
if buf.profile.metadata.get('os', 'unknown') == 'windows':
proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
maxlen = max(maxlen, len(proflens[p]))
self._config.update('PROFILE', origprofile)
scanner = KDBGScanner(needles = proflens.values())
aspace = utils.load_as(self._config, astype = 'any')
for offset in scanner.scan(aspace):
val = aspace.read(offset, maxlen + 0x10)
for l in proflens:
if val.find(proflens[l]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
yield l, kdbg示例10: _run_all_checks
def _run_all_checks(self, checks, pool_header):
"""Execute all constraint checks.
@param checks: a dictionary with check names as keys and
another dictionary of arguments as the values.
@param pool_header: the target _POOL_HEADER to check
@returns False if any checks fail, otherwise True.
"""
for check, args in checks:
if check == "CheckPoolSize":
if not self._check_pool_size(args, pool_header):
return False
elif check == "CheckPoolType":
if not self._check_pool_type(args, pool_header):
return False
elif check == "CheckPoolIndex":
if not self._check_pool_index(args, pool_header):
return False
else:
custom_check = registry.get_plugin_classes(scan.ScannerCheck)[check](pool_header.obj_vm, **args)
return custom_check.check(pool_header.PoolTag.obj_offset)
return True示例11: execute
def execute(self):
""" Executes the plugin command."""
# Check we can support the plugins
profs = registry.get_plugin_classes(obj.Profile)
if self._config.PROFILE not in profs:
debug.error("Invalid profile " + self._config.PROFILE + " selected")
if not self.is_valid_profile(profs[self._config.PROFILE]()):
debug.error("This command does not support the profile " + self._config.PROFILE)
# # Executing plugins is done in two stages - first we calculate
data = self.calculate()
## Then we render the result in some way based on the
## requested output mode:
function_name = "render_{0}".format(self._config.OUTPUT)
if self._config.OUTPUT_FILE:
outfd = open(self._config.OUTPUT_FILE, 'w')
# TODO: We should probably check that this won't blat over an existing file
else:
outfd = sys.stdout
try:
func = getattr(self, function_name)
except AttributeError:
## Try to find out what formats are supported
result = []
for x in dir(self):
if x.startswith("render_"):
_a, b = x.split("_", 1)
result.append(b)
print "Plugin {0} is unable to produce output in format {1}. Supported formats are {2}. Please send a feature request".format(self.__class__.__name__, self._config.OUTPUT, result)
return
func(outfd, data)示例12: calculate
def calculate(self):
"""Determines the address space"""
profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]
encrypted_kdbg_profiles = []
proflens = {}
maxlen = 0
origprofile = self._config.PROFILE
for p in profilelist:
self._config.update('PROFILE', p)
buf = addrspace.BufferAddressSpace(self._config)
if buf.profile.metadata.get('os', 'unknown') == 'windows':
proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
maxlen = max(maxlen, len(proflens[p]))
if (buf.profile.metadata.get('memory_model', '64bit') == '64bit' and
(buf.profile.metadata.get('major', 0),
buf.profile.metadata.get('minor', 0)) >= (6, 2)):
encrypted_kdbg_profiles.append(p)
self._config.update('PROFILE', origprofile)
# keep track of the number of potential KDBGs we find
count = 0
if origprofile not in encrypted_kdbg_profiles:
scanner = KDBGScanner(needles = proflens.values())
aspace = utils.load_as(self._config, astype = 'any')
suspects = []
for offset in scanner.scan(aspace):
val = aspace.read(offset, maxlen + 0x10)
for l in proflens:
if val.find(proflens[l]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
suspects.append((l, kdbg))
count += 1
for p, k in suspects:
if not self._config.FORCE:
yield p, k
continue
self._config.update("PROFILE", p)
nspace = utils.load_as(self._config, astype = "any")
for offset in scanner.scan(nspace):
val = nspace.read(offset, maxlen + 0x10)
if val.find(proflens[p]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = nspace)
yield p, kdbg
self._config.update('PROFILE', origprofile)
# only perform the special win8/2012 scan if we didn't find
# any others and if a virtual x64 address space is available
if count == 0:
if origprofile in encrypted_kdbg_profiles:
encrypted_kdbg_profiles = [origprofile]
for profile in encrypted_kdbg_profiles:
self._config.update('PROFILE', profile)
aspace = utils.load_as(self._config, astype = 'any')
if hasattr(aspace, 'vtop'):
for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
yield profile, kdbg 示例13: search_stack_frames
def search_stack_frames(self, start, stack_base, stack_limit, yara_rules, frame_delta=32, unwind=DEFAULT_UNWIND):
"""
Use Yara to search kernel/user stack frames within +/- frame_delta of the frame's start
address.
Frames to search are chosen by using the strategies specifed by the unwind parameter.
yara_rules - compiled Yara rules, built for example with:
1. yara.compile("/path/to/yara.rules")
or 2. yara.compile(source="rule dummy { condition: true }")
"""
if not yara_installed:
debug.error("In order to search the stack frames, it is necessary to install yara")
stack_registry = registry.get_plugin_classes(StackTop)
for unwind_strategy_nm in unwind.split(","):
if unwind_strategy_nm not in stack_registry:
raise ValueError("{0} is not a known stack unwind strategy".format(unwind_strategy_nm))
unwind_strategy = stack_registry[unwind_strategy_nm](start, stack_base, stack_limit, self)
for frame in itertools.chain(unwind_strategy.up(), unwind_strategy.down()):
search_data = self.get_process_address_space().zread(frame.start - frame_delta, 2* frame_delta)
for match in yara_rules.match(data = search_data):
for moffset, name, value in match.strings:
# Match offset here is converted into frame start address and a +/- frame_delta
yield match, name, value, frame.start, moffset-frame_delta
raise StopIteration示例14: profile_list
def profile_list(self):
"""
return a list of profiles
:return: list
"""
prof_list = []
profs = registry.get_plugin_classes(obj.Profile)
for profile in profs.iterkeys():
prof_list.append(profile)
return sorted(prof_list)示例15: profile_list
def profile_list():
plugins = registry.get_plugin_classes(obj.Profile)
result = []
for clsname, cls in sorted(plugins.items()):
try:
doc = cls.__doc__.strip().splitlines()[0]
except AttributeError:
doc = 'No docs'
result.append((clsname, doc))
return json.dumps(result)