本文整理汇总了Python中volatility.utils.load_as函数的典型用法代码示例。如果您正苦于以下问题:Python load_as函数的具体用法?Python load_as怎么用?Python load_as使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了load_as函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: calculate
def calculate(self):
## Just grab the AS and scan it using our scanner
address_space = utils.load_as(self._config, astype = 'physical')
## Will need the kernel AS for later:
kernel_as = utils.load_as(self._config)
for offset in PoolScanSymlink().scan(address_space):
pool_obj = obj.Object("_POOL_HEADER", vm = address_space,
offset = offset)
## We work out the object from the end of the
## allocation (bottom up).
pool_alignment = obj.VolMagic(address_space).PoolAlignment.v()
link_obj = obj.Object("_OBJECT_SYMBOLIC_LINK", vm = address_space,
offset = (offset + pool_obj.BlockSize * pool_alignment -
common.pool_align(kernel_as, "_OBJECT_SYMBOLIC_LINK", pool_alignment)),
native_vm = kernel_as)
## The _OBJECT_HEADER is immediately below the _OBJECT_SYMBOLIC_LINK
object_obj = obj.Object(
"_OBJECT_HEADER", vm = address_space,
offset = link_obj.obj_offset -
address_space.profile.get_obj_offset('_OBJECT_HEADER', 'Body'),
native_vm = kernel_as
)
if object_obj.get_object_type() != "SymbolicLink":
continue
yield object_obj, link_obj示例2: calculate
def calculate(self):
"""Determines the address space"""
profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]
encrypted_kdbg_profiles = []
proflens = {}
maxlen = 0
origprofile = self._config.PROFILE
for p in profilelist:
self._config.update('PROFILE', p)
buf = addrspace.BufferAddressSpace(self._config)
if buf.profile.metadata.get('os', 'unknown') == 'windows':
proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
maxlen = max(maxlen, len(proflens[p]))
if (buf.profile.metadata.get('memory_model', '64bit') == '64bit' and
(buf.profile.metadata.get('major', 0),
buf.profile.metadata.get('minor', 0)) >= (6, 2)):
encrypted_kdbg_profiles.append(p)
self._config.update('PROFILE', origprofile)
# keep track of the number of potential KDBGs we find
count = 0
if origprofile not in encrypted_kdbg_profiles:
scanner = KDBGScanner(needles = proflens.values())
aspace = utils.load_as(self._config, astype = 'any')
suspects = []
for offset in scanner.scan(aspace):
val = aspace.read(offset, maxlen + 0x10)
for l in proflens:
if val.find(proflens[l]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
suspects.append((l, kdbg))
count += 1
for p, k in suspects:
if not self._config.FORCE:
yield p, k
continue
self._config.update("PROFILE", p)
nspace = utils.load_as(self._config, astype = "any")
for offset in scanner.scan(nspace):
val = nspace.read(offset, maxlen + 0x10)
if val.find(proflens[p]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = nspace)
yield p, kdbg
self._config.update('PROFILE', origprofile)
# only perform the special win8/2012 scan if we didn't find
# any others and if a virtual x64 address space is available
if count == 0:
if origprofile in encrypted_kdbg_profiles:
encrypted_kdbg_profiles = [origprofile]
for profile in encrypted_kdbg_profiles:
self._config.update('PROFILE', profile)
aspace = utils.load_as(self._config, astype = 'any')
if hasattr(aspace, 'vtop'):
for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
yield profile, kdbg 示例3: calculate
def calculate(self):
self.kernel_address_space = utils.load_as(self._config)
self.flat_address_space = utils.load_as(self._config, astype = 'physical')
if not(bool(self._config.DIR)):
debug.error("--dir needs to be present")
if not(bool(self._config.pid) ^ bool(self._config.eproc) ^ bool(self._config.fobj) ^ bool(self._config.pool)):
if not(bool(self._config.pid) or bool(self._config.eproc) or bool(self._config.fobj) or bool(self._config.pool)):
debug.error("exactly *ONE* of the options --pid, --eproc, --fobj or --pool must be specified (you have not specified _any_ of these options)")
else:
debug.error("exactly *ONE* of the options --pid, --eproc, --fobj or --pool must be specified (you have used _multiple_ such options)")
if bool(self._config.pid):
# --pid
eproc_matches = [ eproc for eproc in tasks.pslist(self.kernel_address_space) if eproc.UniqueProcessId == self._config.pid ]
if len(eproc_matches) != 1:
debug.error("--pid needs to take a *VALID* PID argument (could not find PID {0} in the process listing for this memory image)".format(self._config.pid))
return self.dump_from_eproc(eproc_matches[0])
elif bool(self._config.eproc):
# --eproc
return self.dump_from_eproc(obj.Object("_EPROCESS", offset = self._config.eproc, vm = self.kernel_address_space))
elif bool(self._config.fobj):
# --fobj
try:
file_object = obj.Object("_FILE_OBJECT", offset = self._config.fobj, vm = self.flat_address_space)
if bool(self._config.reconstruct):
# --reconstruct
return [ (file_object, self.parse_string(file_object.FileName)) ]
else:
return filter(None, [ self.dump_file_object(file_object) ])
except ExportException as exn:
debug.error(exn)
else:
# --pool
return self.dump_from_pool()示例4: calculate
def calculate(self):
# Virtual kernel space for dereferencing pointers
kernel_space = utils.load_as(self._config)
# Physical space for scanning
flat_space = utils.load_as(self._config, astype = 'physical')
if not self.is_valid_profile(kernel_space.profile):
debug.error("This command does not support the selected profile.")
# Scan for TCP listeners also known as sockets
for offset in PoolScanTcpListener().scan(flat_space):
tcpentry = obj.Object('_TCP_LISTENER', offset = offset,
vm = flat_space, native_vm = kernel_space)
# Only accept IPv4 or IPv6
if tcpentry.AddressFamily not in (AF_INET, AF_INET6):
continue
# For TcpL, the state is always listening and the remote port is zero
for ver, laddr, raddr in tcpentry.dual_stack_sockets():
yield tcpentry, "TCP" + ver, laddr, tcpentry.Port, raddr, 0, "LISTENING"
# Scan for TCP endpoints also known as connections
for offset in PoolScanTcpEndpoint().scan(flat_space):
tcpentry = obj.Object('_TCP_ENDPOINT', offset = offset,
vm = flat_space, native_vm = kernel_space)
if tcpentry.AddressFamily == AF_INET:
proto = "TCPv4"
elif tcpentry.AddressFamily == AF_INET6:
proto = "TCPv6"
else:
continue
# These are our sanity checks
if (tcpentry.State.v() not in tcpip_vtypes.TCP_STATE_ENUM or
(not tcpentry.LocalAddress and (not tcpentry.Owner or
tcpentry.Owner.UniqueProcessId == 0 or
tcpentry.Owner.UniqueProcessId > 65535))):
continue
yield tcpentry, proto, tcpentry.LocalAddress, tcpentry.LocalPort, \
tcpentry.RemoteAddress, tcpentry.RemotePort, tcpentry.State
# Scan for UDP endpoints
for offset in PoolScanUdpEndpoint().scan(flat_space):
udpentry = obj.Object('_UDP_ENDPOINT', offset = offset,
vm = flat_space, native_vm = kernel_space)
# Only accept IPv4 or IPv6
if udpentry.AddressFamily not in (AF_INET, AF_INET6):
continue
# For UdpA, the state is always blank and the remote end is asterisks
for ver, laddr, _ in udpentry.dual_stack_sockets():
yield udpentry, "UDP" + ver, laddr, udpentry.Port, "*", "*", ""示例5: calculate
def calculate(self):
flat_space = utils.load_as(self._config, astype = 'physical')
kernel_space = utils.load_as(self._config)
# Scan for window station objects
for offset in PoolScanWind().scan(flat_space):
window_station = obj.Object("tagWINDOWSTATION",
offset = offset, vm = flat_space)
# Basic sanity checks are included here
if not window_station.is_valid():
continue
# Find an address space for this window station's session
session = self.find_session_space(
kernel_space, window_station.dwSessionId)
if not session:
continue
# Reset the object's native VM so pointers are
# dereferenced in session space
window_station.set_native_vm(session.obj_vm)
for winsta in window_station.traverse():
if winsta.is_valid():
yield winsta示例6: calculate
def calculate(self):
eproc = {}
found = {}
cmdline = {}
pathname = {}
# Brute force search for eproc blocks in pool memory
address_space = utils.load_as(self._config)
for eprocess in filescan.PSScan(self._config).calculate():
eproc[eprocess.obj_offset] = eprocess
found[eprocess.obj_offset] = 1
# Walking the active process list.
# Remove any tasks we find here from the brute force search if the --short option is set.
# Anything left is something which was hidden/terminated/of interest.
address_space = utils.load_as(self._config)
for task in tasks.pslist(address_space):
phys = address_space.vtop(task.obj_offset)
if phys in eproc:
if self._config.SHORT :
del eproc[phys]
del found[phys]
else:
found[phys] = 0
# Grab command line and parameters
peb = task.Peb
if peb:
cmdline[phys] = peb.ProcessParameters.CommandLine
pathname[phys] = peb.ProcessParameters.ImagePathName
ret = [eproc, found, cmdline, pathname]
return ret示例7: calculate
def calculate(self):
## Just grab the AS and scan it using our scanner
address_space = utils.load_as(self._config, astype="physical")
kernel_as = utils.load_as(self._config)
for offset in PoolScanProcess().scan(address_space):
eprocess = obj.Object("_EPROCESS", vm=address_space, native_vm=kernel_as, offset=offset)
yield eprocess示例8: calculate
def calculate(self):
## Here we scan the physical address space
address_space = utils.load_as(self._config, astype = 'physical')
kernel_as = utils.load_as(self._config)
scanner = PoolScanThreadFast()
for found in scanner.scan(address_space):
thread = obj.Object('_ETHREAD', vm = address_space,
native_vm = kernel_as, offset = found)
yield thread示例9: virtual_process_from_physical_offset
def virtual_process_from_physical_offset(self, offset):
pspace = utils.load_as(self._config, astype = 'physical')
vspace = utils.load_as(self._config)
task = obj.Object("task_struct", vm = pspace, offset = offset)
parent = obj.Object("task_struct", vm = vspace, offset = task.parent)
for child in parent.children.list_of_type("task_struct", "sibling"):
if child.obj_vm.vtop(child.obj_offset) == task.obj_offset:
return child
return obj.NoneObject("Unable to bounce back from task_struct->parent->task_struct")示例10: calculate
def calculate(self):
# start with a physical space so we can find processes without a DTB
addr_space = utils.load_as(self._config, astype = 'physical')
meta = addr_space.profile.metadata
win10 = (meta.get("major"), meta.get("minor")) == (6, 4)
# if the user selected virtual space or if we're on win10, switch
# to a virtual kernel space
if self._config.VIRTUAL or win10:
addr_space = utils.load_as(self._config)
return self.scan_results(addr_space)示例11: __config
def __config(self):
"""Creates a volatility configuration."""
if self.config != None and self.addr_space != None:
return self.config
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler("resolve")
registry.register_global_options(self.config, commands.Command)
base_conf = {
"profile": "WinXPSP2x86",
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"location": "file://" + self.memdump,
"plugins": None,
"debug": None,
"cache_dtb": True,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
if self.osprofile:
base_conf["profile"] = self.osprofile
for key, value in base_conf.items():
self.config.update(key, value)
# Deal with Volatility support for KVM/qemu memory dump.
# See: #464.
try:
self.addr_space = utils.load_as(self.config)
except exc.AddrSpaceError as e:
if self._get_dtb():
self.addr_space = utils.load_as(self.config)
else:
raise
self.plugins = registry.get_plugin_classes(commands.Command,
lower=True)
return self.config示例12: calculate
def calculate(self):
# All scanners will share a kernel and physical space
self.kern_space = utils.load_as(self._config)
self.phys_space = utils.load_as(self._config, astype = 'physical')
# We currently dont support x64
if not self.is_valid_profile(self.kern_space.profile):
debug.error("This command does not support the selected profile.")
# Get the OS version we're analyzing
version = (self.kern_space.profile.metadata.get('major', 0),
self.kern_space.profile.metadata.get('minor', 0))
modlist = list(modules.lsmod(self.kern_space))
mods = dict((self.kern_space.address_mask(mod.DllBase), mod) for mod in modlist)
mod_addrs = sorted(mods.keys())
# First few routines are valid on all OS versions
for info in self.get_fs_callbacks():
yield info, mods, mod_addrs
for info in self.get_bugcheck_callbacks():
yield info, mods, mod_addrs
for info in self.get_shutdown_callbacks():
yield info, mods, mod_addrs
for info in self.get_generic_callbacks():
yield info, mods, mod_addrs
for info in self.get_bugcheck_reason_callbacks(modlist[0]):
yield info, mods, mod_addrs
for info in self.get_kernel_callbacks(modlist[0]):
yield info, mods, mod_addrs
# Valid for Vista and later
if version >= (6, 0):
for info in self.get_dbgprint_callbacks():
yield info, mods, mod_addrs
for info in self.get_registry_callbacks():
yield info, mods, mod_addrs
for info in self.get_pnp_callbacks():
yield info, mods, mod_addrs
# Valid for XP
if version == (5, 1):
for info in self.get_registry_callbacks_legacy(modlist[0]):
yield info, mods, mod_addrs示例13: doProcessors
def doProcessors(config):
''' Retrieve IDT data. '''
physical_address_space = utils.load_as(config)
kernel_address_space = utils.load_as(config,astype='kernel')
processors_obj = datastruct.rootType()
proc_num = 0
for kpcr in FindKPCR(physical_address_space):
processor_obj = processors_obj.Processor.add()
processor_obj.ID = proc_num
proc_num += 1
IdtBase = kpcr.IdtBase
IDTs = obj.Array(None,physical_address_space.address_mask(IdtBase.v()),physical_address_space,count=256,target=IdtBase.target)
for idt in IDTs:
entry_obj = processor_obj.InterruptDescriptorTable.IDTEntry.add()
iswin32 = not idt.m('OffsetMiddle')
if iswin32:
idttype = idt.Access & 0x1f
if idt.Access >= 256 or (idt.Access & 0x80) != 0x80:
entry_obj.InvalidGate = ''
elif idttype==0x5:
entry_obj.TaskGate = ''
elif idttype==0x6 or idttype==0xe:
entry_obj.InterruptGate = ''
elif idttype==0x7 or idttype==0xf:
entry_obj.TrapGate = ''
else:
entry_obj.InvalidGate = ''
entry_obj.Address = (idt.ExtendedOffset << 16) | idt.Offset
entry_obj.Attributes = idt.Access
else:
idttype = idt.Type
if idt.Reserved0!=0 or idt.Reserved1!=0 or idt.Present==0:
entry_obj.InvalidGate = ''
elif idttype==0x5:
entry_obj.TaskGate = ''
elif idttype==0xe:
entry_obj.InterruptGate = ''
elif idttype==0xf:
entry_obj.TrapGate = ''
else:
entry_obj.InvalidGate = ''
entry_obj.Address = ((idt.OffsetHigh & 0xffffffff) << 32) | ((idt.OffsetMiddle & 0xffff) << 16) | (idt.OffsetLow & 0xffff)
entry_obj.Attributes = (idt.IstIndex << 13) | (idt.Type << 3) | (idt.Dpl<<1) | idt.Present
entry_obj.Selector = idt.Selector.v()
module = find_module(config,entry_obj.Address)
if module:
entry_obj.Module = module.FullDllName.v()
return processors_obj示例14: calculate
def calculate(self):
flat_space = utils.load_as(self._config, astype = 'physical')
kernel_space = utils.load_as(self._config)
# Scan for atom tables
for offset in PoolScanAtom().scan(flat_space):
# There's no way to tell which session or window station
# owns an atom table by *just* looking at the atom table,
# so we have to instantiate it from the default kernel AS.
atom_table = obj.Object('_RTL_ATOM_TABLE', offset = offset,
vm = flat_space, native_vm = kernel_space)
if atom_table.is_valid():
yield atom_table示例15: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
for objct in self.scan_results(addr_space):
if isinstance(objct, _UDP_ENDPOINT):
# For UdpA, the state is always blank and the remote end is asterisks
for ver, laddr, _ in objct.dual_stack_sockets():
yield objct, "UDP" + ver, laddr, objct.Port, "*", "*", ""
elif isinstance(objct, _TCP_ENDPOINT):
if objct.AddressFamily == AF_INET:
proto = "TCPv4"
elif objct.AddressFamily == AF_INET6:
proto = "TCPv6"
yield objct, proto, objct.LocalAddress, objct.LocalPort, \
objct.RemoteAddress, objct.RemotePort, objct.State
elif isinstance(objct, _TCP_LISTENER):
# For TcpL, the state is always listening and the remote port is zero
for ver, laddr, raddr in objct.dual_stack_sockets():
yield objct, "TCP" + ver, laddr, objct.Port, raddr, 0, "LISTENING"