当前位置: 首页>>代码示例>>Python>>正文


Python utils.load_as函数代码示例

本文整理汇总了Python中volatility.utils.load_as函数的典型用法代码示例。如果您正苦于以下问题:Python load_as函数的具体用法?Python load_as怎么用?Python load_as使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。


在下文中一共展示了load_as函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: calculate

    def calculate(self):
        ## Just grab the AS and scan it using our scanner
        address_space = utils.load_as(self._config, astype = 'physical')

        ## Will need the kernel AS for later:
        kernel_as = utils.load_as(self._config)

        for offset in PoolScanSymlink().scan(address_space):
            pool_obj = obj.Object("_POOL_HEADER", vm = address_space,
                                 offset = offset)

            ## We work out the object from the end of the
            ## allocation (bottom up).
            pool_alignment = obj.VolMagic(address_space).PoolAlignment.v()

            link_obj = obj.Object("_OBJECT_SYMBOLIC_LINK", vm = address_space,
                     offset = (offset + pool_obj.BlockSize * pool_alignment -
                               common.pool_align(kernel_as, "_OBJECT_SYMBOLIC_LINK", pool_alignment)),
                     native_vm = kernel_as)

            ## The _OBJECT_HEADER is immediately below the _OBJECT_SYMBOLIC_LINK
            object_obj = obj.Object(
                "_OBJECT_HEADER", vm = address_space,
                offset = link_obj.obj_offset -
                address_space.profile.get_obj_offset('_OBJECT_HEADER', 'Body'),
                native_vm = kernel_as
                )

            if object_obj.get_object_type() != "SymbolicLink":
                continue

            yield object_obj, link_obj
开发者ID:Jack47,项目名称:volatility,代码行数:32,代码来源:filescan.py

示例2: calculate

    def calculate(self):
        """Determines the address space"""
        profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]

        encrypted_kdbg_profiles = []
        proflens = {}
        maxlen = 0
        origprofile = self._config.PROFILE
        for p in profilelist:
            self._config.update('PROFILE', p)
            buf = addrspace.BufferAddressSpace(self._config)
            if buf.profile.metadata.get('os', 'unknown') == 'windows':
                proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
                maxlen = max(maxlen, len(proflens[p]))
                if (buf.profile.metadata.get('memory_model', '64bit') == '64bit' and 
                            (buf.profile.metadata.get('major', 0), 
                            buf.profile.metadata.get('minor', 0)) >= (6, 2)):
                    encrypted_kdbg_profiles.append(p)
                    
        self._config.update('PROFILE', origprofile)
        # keep track of the number of potential KDBGs we find
        count = 0

        if origprofile not in encrypted_kdbg_profiles:
            scanner = KDBGScanner(needles = proflens.values())

            aspace = utils.load_as(self._config, astype = 'any')

            suspects = []
            for offset in scanner.scan(aspace):
                val = aspace.read(offset, maxlen + 0x10)
                for l in proflens:
                    if val.find(proflens[l]) >= 0:
                        kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
                        suspects.append((l, kdbg))
                        count += 1
            for p, k in suspects:
                if not self._config.FORCE:
                    yield p, k
                    continue
                self._config.update("PROFILE", p)
                nspace = utils.load_as(self._config, astype = "any")
                for offset in scanner.scan(nspace):
                    val = nspace.read(offset, maxlen + 0x10)
                    if val.find(proflens[p]) >= 0:
                        kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = nspace)
                        yield p, kdbg
            self._config.update('PROFILE', origprofile)

        # only perform the special win8/2012 scan if we didn't find 
        # any others and if a virtual x64 address space is available 
        if count == 0:
            if origprofile in encrypted_kdbg_profiles:
                encrypted_kdbg_profiles = [origprofile]
            for profile in encrypted_kdbg_profiles:
                self._config.update('PROFILE', profile)
                aspace = utils.load_as(self._config, astype = 'any')
                if hasattr(aspace, 'vtop'):
                    for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
                        yield profile, kdbg 
开发者ID:BryanSingh,项目名称:volatility,代码行数:60,代码来源:kdbgscan.py

示例3: calculate

	def calculate(self):
		self.kernel_address_space = utils.load_as(self._config)
		self.flat_address_space = utils.load_as(self._config, astype = 'physical')
		if not(bool(self._config.DIR)):
			debug.error("--dir needs to be present")
		if not(bool(self._config.pid) ^ bool(self._config.eproc) ^ bool(self._config.fobj) ^ bool(self._config.pool)):
			if not(bool(self._config.pid) or bool(self._config.eproc) or bool(self._config.fobj) or bool(self._config.pool)):
				debug.error("exactly *ONE* of the options --pid, --eproc, --fobj or --pool must be specified (you have not specified _any_ of these options)")
			else:
				debug.error("exactly *ONE* of the options --pid, --eproc, --fobj or --pool must be specified (you have used _multiple_ such options)")
		if bool(self._config.pid):
			# --pid
			eproc_matches = [ eproc for eproc in tasks.pslist(self.kernel_address_space) if eproc.UniqueProcessId == self._config.pid ]
			if len(eproc_matches) != 1:
				debug.error("--pid needs to take a *VALID* PID argument (could not find PID {0} in the process listing for this memory image)".format(self._config.pid))
			return self.dump_from_eproc(eproc_matches[0])
		elif bool(self._config.eproc):
			# --eproc
			return self.dump_from_eproc(obj.Object("_EPROCESS", offset = self._config.eproc, vm = self.kernel_address_space))
		elif bool(self._config.fobj):
			# --fobj
			try:
				file_object = obj.Object("_FILE_OBJECT", offset = self._config.fobj, vm = self.flat_address_space)
				if bool(self._config.reconstruct):
					# --reconstruct
					return [ (file_object, self.parse_string(file_object.FileName)) ]
				else:
					return filter(None, [ self.dump_file_object(file_object) ])
			except ExportException as exn:
				debug.error(exn)
		else:
			# --pool
			return self.dump_from_pool()
开发者ID:binsrc,项目名称:volatility-1,代码行数:33,代码来源:exportfile.py

示例4: calculate

    def calculate(self):

        # Virtual kernel space for dereferencing pointers
        kernel_space = utils.load_as(self._config)
        # Physical space for scanning 
        flat_space = utils.load_as(self._config, astype = 'physical')

        if not self.is_valid_profile(kernel_space.profile):
            debug.error("This command does not support the selected profile.")

        # Scan for TCP listeners also known as sockets
        for offset in PoolScanTcpListener().scan(flat_space):

            tcpentry = obj.Object('_TCP_LISTENER', offset = offset,
                                  vm = flat_space, native_vm = kernel_space)

            # Only accept IPv4 or IPv6
            if tcpentry.AddressFamily not in (AF_INET, AF_INET6):
                continue

            # For TcpL, the state is always listening and the remote port is zero
            for ver, laddr, raddr in tcpentry.dual_stack_sockets():
                yield tcpentry, "TCP" + ver, laddr, tcpentry.Port, raddr, 0, "LISTENING"

        # Scan for TCP endpoints also known as connections 
        for offset in PoolScanTcpEndpoint().scan(flat_space):

            tcpentry = obj.Object('_TCP_ENDPOINT', offset = offset,
                                  vm = flat_space, native_vm = kernel_space)

            if tcpentry.AddressFamily == AF_INET:
                proto = "TCPv4"
            elif tcpentry.AddressFamily == AF_INET6:
                proto = "TCPv6"
            else:
                continue

            # These are our sanity checks 
            if (tcpentry.State.v() not in tcpip_vtypes.TCP_STATE_ENUM or
                    (not tcpentry.LocalAddress and (not tcpentry.Owner or
                    tcpentry.Owner.UniqueProcessId == 0 or
                    tcpentry.Owner.UniqueProcessId > 65535))):
                continue

            yield tcpentry, proto, tcpentry.LocalAddress, tcpentry.LocalPort, \
                    tcpentry.RemoteAddress, tcpentry.RemotePort, tcpentry.State

        # Scan for UDP endpoints 
        for offset in PoolScanUdpEndpoint().scan(flat_space):

            udpentry = obj.Object('_UDP_ENDPOINT', offset = offset,
                                  vm = flat_space, native_vm = kernel_space)

            # Only accept IPv4 or IPv6
            if udpentry.AddressFamily not in (AF_INET, AF_INET6):
                continue

            # For UdpA, the state is always blank and the remote end is asterisks
            for ver, laddr, _ in udpentry.dual_stack_sockets():
                yield udpentry, "UDP" + ver, laddr, udpentry.Port, "*", "*", ""
开发者ID:Austi,项目名称:volatility,代码行数:60,代码来源:netscan.py

示例5: calculate

    def calculate(self):
        flat_space = utils.load_as(self._config, astype = 'physical')
        kernel_space = utils.load_as(self._config)

        # Scan for window station objects 
        for offset in PoolScanWind().scan(flat_space):

            window_station = obj.Object("tagWINDOWSTATION",
                offset = offset, vm = flat_space)

            # Basic sanity checks are included here 
            if not window_station.is_valid():
                continue

            # Find an address space for this window station's session  
            session = self.find_session_space(
                kernel_space, window_station.dwSessionId)

            if not session:
                continue

            # Reset the object's native VM so pointers are
            # dereferenced in session space 
            window_station.set_native_vm(session.obj_vm)

            for winsta in window_station.traverse():
                if winsta.is_valid():
                    yield winsta
开发者ID:aqwertaqwert,项目名称:my_design_for_graduate,代码行数:28,代码来源:windowstations.py

示例6: calculate

    def calculate(self):
        eproc = {}
        found = {}
        cmdline = {}
        pathname = {}
              
        # Brute force search for eproc blocks in pool memory
        address_space = utils.load_as(self._config)
        for eprocess in filescan.PSScan(self._config).calculate():
            eproc[eprocess.obj_offset] = eprocess
            found[eprocess.obj_offset] = 1
        
        # Walking the active process list.
        # Remove any tasks we find here from the brute force search if the --short option is set.
        # Anything left is something which was hidden/terminated/of interest.
        address_space = utils.load_as(self._config)
        for task in tasks.pslist(address_space):
            phys = address_space.vtop(task.obj_offset)
            if phys in eproc:
                if self._config.SHORT :
                    del eproc[phys]
                    del found[phys] 
                else:
                    found[phys] = 0                
                    
        # Grab command line and parameters            
            peb = task.Peb
            if peb:
                cmdline[phys] = peb.ProcessParameters.CommandLine
                pathname[phys] = peb.ProcessParameters.ImagePathName
                    
        ret = [eproc, found, cmdline, pathname]

        return ret
开发者ID:KokoShunYu,项目名称:sift-files,代码行数:34,代码来源:pstotal.py

示例7: calculate

    def calculate(self):
        ## Just grab the AS and scan it using our scanner
        address_space = utils.load_as(self._config, astype="physical")
        kernel_as = utils.load_as(self._config)

        for offset in PoolScanProcess().scan(address_space):
            eprocess = obj.Object("_EPROCESS", vm=address_space, native_vm=kernel_as, offset=offset)
            yield eprocess
开发者ID:woogers,项目名称:volatility,代码行数:8,代码来源:filescan.py

示例8: calculate

    def calculate(self):
        ## Here we scan the physical address space
        address_space = utils.load_as(self._config, astype = 'physical')
        kernel_as = utils.load_as(self._config)

        scanner = PoolScanThreadFast()
        for found in scanner.scan(address_space):
            thread = obj.Object('_ETHREAD', vm = address_space,
                               native_vm = kernel_as, offset = found)

            yield thread
开发者ID:B-Rich,项目名称:amark,代码行数:11,代码来源:modscan.py

示例9: virtual_process_from_physical_offset

 def virtual_process_from_physical_offset(self, offset):
     pspace = utils.load_as(self._config, astype = 'physical')
     vspace = utils.load_as(self._config)
     task = obj.Object("task_struct", vm = pspace, offset = offset)
     parent = obj.Object("task_struct", vm = vspace, offset = task.parent)
     
     for child in parent.children.list_of_type("task_struct", "sibling"):
         if child.obj_vm.vtop(child.obj_offset) == task.obj_offset:
             return child
     
     return obj.NoneObject("Unable to bounce back from task_struct->parent->task_struct")
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:11,代码来源:pslist.py

示例10: calculate

    def calculate(self):
        # start with a physical space so we can find processes without a DTB 
        addr_space = utils.load_as(self._config, astype = 'physical')
        meta = addr_space.profile.metadata
        win10 = (meta.get("major"), meta.get("minor")) == (6, 4)

        # if the user selected virtual space or if we're on win10, switch 
        # to a virtual kernel space 
        if self._config.VIRTUAL or win10:
            addr_space = utils.load_as(self._config) 

        return self.scan_results(addr_space)
开发者ID:chansonzhang,项目名称:volatility,代码行数:12,代码来源:filescan.py

示例11: __config

    def __config(self):
        """Creates a volatility configuration."""
        if self.config != None and self.addr_space != None:
            return self.config

        self.config = conf.ConfObject()
        self.config.optparser.set_conflict_handler("resolve")
        registry.register_global_options(self.config, commands.Command)
        base_conf = {
            "profile": "WinXPSP2x86",
            "use_old_as": None,
            "kdbg": None,
            "help": False,
            "kpcr": None,
            "tz": None,
            "pid": None,
            "output_file": None,
            "physical_offset": None,
            "conf_file": None,
            "dtb": None,
            "output": None,
            "info": None,
            "location": "file://" + self.memdump,
            "plugins": None,
            "debug": None,
            "cache_dtb": True,
            "filename": None,
            "cache_directory": None,
            "verbose": None,
            "write": False
        }

        if self.osprofile:
            base_conf["profile"] = self.osprofile

        for key, value in base_conf.items():
            self.config.update(key, value)

        # Deal with Volatility support for KVM/qemu memory dump.
        # See: #464.
        try:
          self.addr_space = utils.load_as(self.config)
        except exc.AddrSpaceError as e:
          if self._get_dtb():
              self.addr_space = utils.load_as(self.config)
          else:
              raise

        self.plugins = registry.get_plugin_classes(commands.Command,
                                                   lower=True)

        return self.config
开发者ID:Shane-Carr,项目名称:cuckoo-modified,代码行数:52,代码来源:memory.py

示例12: calculate

    def calculate(self):
        # All scanners will share a kernel and physical space 
        self.kern_space = utils.load_as(self._config)
        self.phys_space = utils.load_as(self._config, astype = 'physical')

        # We currently dont support x64
        if not self.is_valid_profile(self.kern_space.profile):
            debug.error("This command does not support the selected profile.")

        # Get the OS version we're analyzing
        version = (self.kern_space.profile.metadata.get('major', 0),
                   self.kern_space.profile.metadata.get('minor', 0))

        modlist = list(modules.lsmod(self.kern_space))
        mods = dict((self.kern_space.address_mask(mod.DllBase), mod) for mod in modlist)
        mod_addrs = sorted(mods.keys())

        # First few routines are valid on all OS versions 
        for info in self.get_fs_callbacks():
            yield info, mods, mod_addrs

        for info in self.get_bugcheck_callbacks():
            yield info, mods, mod_addrs

        for info in self.get_shutdown_callbacks():
            yield info, mods, mod_addrs

        for info in self.get_generic_callbacks():
            yield info, mods, mod_addrs

        for info in self.get_bugcheck_reason_callbacks(modlist[0]):
            yield info, mods, mod_addrs

        for info in self.get_kernel_callbacks(modlist[0]):
            yield info, mods, mod_addrs

        # Valid for Vista and later
        if version >= (6, 0):
            for info in self.get_dbgprint_callbacks():
                yield info, mods, mod_addrs

            for info in self.get_registry_callbacks():
                yield info, mods, mod_addrs

            for info in self.get_pnp_callbacks():
                yield info, mods, mod_addrs

        # Valid for XP 
        if version == (5, 1):
            for info in self.get_registry_callbacks_legacy(modlist[0]):
                yield info, mods, mod_addrs
开发者ID:MemForsKing,项目名称:memfors4all,代码行数:51,代码来源:callbacksf.py

示例13: doProcessors

def doProcessors(config):
    ''' Retrieve IDT data. '''

    physical_address_space = utils.load_as(config)
    kernel_address_space = utils.load_as(config,astype='kernel')
    processors_obj = datastruct.rootType()
    proc_num = 0
    for kpcr in FindKPCR(physical_address_space):
        processor_obj = processors_obj.Processor.add()
        processor_obj.ID = proc_num
        proc_num += 1
        IdtBase = kpcr.IdtBase
        IDTs = obj.Array(None,physical_address_space.address_mask(IdtBase.v()),physical_address_space,count=256,target=IdtBase.target)
        for idt in IDTs:
            entry_obj = processor_obj.InterruptDescriptorTable.IDTEntry.add()
            iswin32 = not idt.m('OffsetMiddle')
            if iswin32:
                idttype = idt.Access & 0x1f
                if idt.Access >= 256 or (idt.Access & 0x80) != 0x80:
                    entry_obj.InvalidGate = ''
                elif idttype==0x5:
                    entry_obj.TaskGate = ''
                elif idttype==0x6 or idttype==0xe:
                    entry_obj.InterruptGate = ''
                elif idttype==0x7 or idttype==0xf:
                    entry_obj.TrapGate = ''
                else:
                    entry_obj.InvalidGate = ''
                entry_obj.Address = (idt.ExtendedOffset << 16) | idt.Offset
                entry_obj.Attributes = idt.Access
            else:
                idttype = idt.Type
                if idt.Reserved0!=0 or idt.Reserved1!=0 or idt.Present==0:
                    entry_obj.InvalidGate = ''
                elif idttype==0x5:
                    entry_obj.TaskGate = ''
                elif idttype==0xe:
                    entry_obj.InterruptGate = ''
                elif idttype==0xf:
                    entry_obj.TrapGate = ''
                else:
                    entry_obj.InvalidGate = ''
                entry_obj.Address = ((idt.OffsetHigh & 0xffffffff) << 32) | ((idt.OffsetMiddle & 0xffff) << 16) | (idt.OffsetLow & 0xffff)
                entry_obj.Attributes = (idt.IstIndex << 13) | (idt.Type << 3) | (idt.Dpl<<1) | idt.Present

            entry_obj.Selector = idt.Selector.v()
            module = find_module(config,entry_obj.Address)
            if module:
                entry_obj.Module = module.FullDllName.v()

    return processors_obj
开发者ID:r1nswenson,项目名称:volatility,代码行数:51,代码来源:adkpcr.py

示例14: calculate

    def calculate(self):
        flat_space = utils.load_as(self._config, astype = 'physical')
        kernel_space = utils.load_as(self._config)

        # Scan for atom tables
        for offset in PoolScanAtom().scan(flat_space):

            # There's no way to tell which session or window station 
            # owns an atom table by *just* looking at the atom table, 
            # so we have to instantiate it from the default kernel AS. 
            atom_table = obj.Object('_RTL_ATOM_TABLE', offset = offset,
                    vm = flat_space, native_vm = kernel_space)

            if atom_table.is_valid():
                yield atom_table
开发者ID:B-Rich,项目名称:amark,代码行数:15,代码来源:atoms.py

示例15: calculate

    def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        for objct in self.scan_results(addr_space):

            if isinstance(objct, _UDP_ENDPOINT):
                # For UdpA, the state is always blank and the remote end is asterisks
                for ver, laddr, _ in objct.dual_stack_sockets():
                    yield objct, "UDP" + ver, laddr, objct.Port, "*", "*", ""
            elif isinstance(objct, _TCP_ENDPOINT):

                if objct.AddressFamily == AF_INET:
                    proto = "TCPv4"
                elif objct.AddressFamily == AF_INET6:
                    proto = "TCPv6"

                yield objct, proto, objct.LocalAddress, objct.LocalPort, \
                    objct.RemoteAddress, objct.RemotePort, objct.State
            elif isinstance(objct, _TCP_LISTENER):
                # For TcpL, the state is always listening and the remote port is zero
                for ver, laddr, raddr in objct.dual_stack_sockets():
                    yield objct, "TCP" + ver, laddr, objct.Port, raddr, 0, "LISTENING"
开发者ID:Iamgublin,项目名称:python-related,代码行数:25,代码来源:netscan.py


注:本文中的volatility.utils.load_as函数示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。