当前位置: 首页>>代码示例>>Python>>正文


Python modules.lsmod函数代码示例

本文整理汇总了Python中volatility.win32.modules.lsmod函数的典型用法代码示例。如果您正苦于以下问题:Python lsmod函数的具体用法?Python lsmod怎么用?Python lsmod使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。


在下文中一共展示了lsmod函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: calculate

    def calculate(self):
        addr_space = utils.load_as(self._config)

        ## Get a sorted list of module addresses
        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        ssdts = set()

        if addr_space.profile.metadata.get("memory_model", "32bit") == "32bit":
            # Gather up all SSDTs referenced by threads
            print "[x86] Gathering all referenced SSDTs from KTHREADs..."
            for proc in tasks.pslist(addr_space):
                for thread in proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry"):
                    ssdt_obj = thread.Tcb.ServiceTable.dereference_as("_SERVICE_DESCRIPTOR_TABLE")
                    ssdts.add(ssdt_obj)
        else:
            print "[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable..."
            # The NT module always loads first
            ntos = list(modules.lsmod(addr_space))[0]
            func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
            if func_rva == None:
                raise StopIteration("Cannot locate KeAddSystemServiceTable")
            KeAddSystemServiceTable = ntos.DllBase + func_rva
            for table_rva in find_tables(KeAddSystemServiceTable, addr_space):
                ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE", ntos.DllBase + table_rva, addr_space)
                ssdts.add(ssdt_obj)

        # Get a list of *unique* SSDT entries. Typically we see only two.
        tables = set()

        for ssdt_obj in ssdts:
            for i, desc in enumerate(ssdt_obj.Descriptors):
                # Apply some extra checks - KiServiceTable should reside in kernel memory and ServiceLimit
                # should be greater than 0 but not unbelievably high
                if (
                    desc.is_valid()
                    and desc.ServiceLimit > 0
                    and desc.ServiceLimit < 0xFFFF
                    and desc.KiServiceTable > 0x80000000
                ):
                    tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))

        print "Finding appropriate address space for tables..."
        tables_with_vm = []
        procs = list(tasks.pslist(addr_space))
        for idx, table, n in tables:
            vm = tasks.find_space(addr_space, procs, table)
            if vm:
                tables_with_vm.append((idx, table, n, vm))
            else:
                debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))

        for idx, table, n, vm in sorted(tables_with_vm, key=itemgetter(0)):
            yield idx, table, n, vm, mods, mod_addrs
开发者ID:rabbileibo,项目名称:volatility,代码行数:55,代码来源:ssdt.py

示例2: render_text

    def render_text(self, outfd, data):

        # Kernel AS for looking up modules 
        kernel_space = utils.load_as(self._config)

        # Modules sorted for address lookups 
        mods = dict((kernel_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(kernel_space))
        mod_addrs = sorted(mods.keys())

        for session in data:
            outfd.write("*" * 50 + "\n")
            outfd.write("Session(V): {0:x} ID: {1} Processes: {2}\n".format(
                session.obj_offset,
                session.SessionId,
                len(list(session.processes())),
                ))
            outfd.write("PagedPoolStart: {0:x} PagedPoolEnd {1:x}\n".format(
                session.PagedPoolStart,
                session.PagedPoolEnd,
                ))
            for process in session.processes():
                outfd.write(" Process: {0} {1} {2}\n".format(
                    process.UniqueProcessId,
                    process.ImageFileName,
                    process.CreateTime,
                    ))
            for image in session.images():
                module = tasks.find_module(mods, mod_addrs, kernel_space.address_mask(image.Address))
                outfd.write(" Image: {0:#x}, Address {1:x}, Name: {2}\n".format(
                    image.obj_offset,
                    image.Address,
                    str(module and module.BaseDllName or '')
                    ))
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:33,代码来源:sessions.py

示例3: calculate

    def calculate(self):
        addr_space = utils.load_as(self._config)

        # Currently we only support x86. The x64 does still have a IDT
        # but hooking is prohibited and results in bugcheck.
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        for kpcr in tasks.get_kdbg(addr_space).kpcrs():
            # Get the GDT for access to selector bases
            gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
            for i, entry in kpcr.idt_entries():
                # Where the IDT entry points.
                addr = entry.Address
                # Per MITRE, add the GDT selector  base if available.
                # This allows us to detect sneaky attempts to hook IDT
                # entries by changing the entry's GDT selector.
                gdt_entry = gdt.get(entry.Selector.v())
                if gdt_entry != None and "Code" in gdt_entry.Type:
                    addr += gdt_entry.Base

                # Lookup the function's owner
                module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))

                yield i, entry, addr, module
开发者ID:RaptorFactor,项目名称:volatility,代码行数:28,代码来源:idt.py

示例4: calculate

    def calculate(self):
        addr_space = utils.load_as(self._config)

        tasklist = []
        modslist = []

        if self._config.SCAN:
            if not self._config.KERNEL_ONLY:
                for t in filescan.PSScan(self._config).calculate():
                    v = self.virtual_process_from_physical_offset(addr_space, t.obj_offset)
                    if v:
                        tasklist.append(v)
            if not self._config.PROCESS_ONLY:
                modslist = [m for m in modscan.ModScan(self._config).calculate()]
        else:
            if not self._config.KERNEL_ONLY:
                tasklist = [t for t in tasks.pslist(addr_space)]
            if not self._config.PROCESS_ONLY:
                modslist = [m for m in modules.lsmod(addr_space)]

        for task in tasklist:
            for mod in task.get_load_modules():
                yield task, mod

        for mod in modslist:
            yield None, mod
开发者ID:Austi,项目名称:volatility,代码行数:26,代码来源:enumfunc.py

示例5: calculate

    def calculate(self):
        addr_space = utils.load_as(self._config)

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error as e:
                debug.error('Error parsing regular expression: %s' % e)

        mods = dict((mod.DllBase.v(), mod) for mod in modules.lsmod(addr_space))
        # We need the process list to find spaces for some drivers. Enumerate them here
        # instead of inside the find_space function, so we only have to do it once. 
        procs = list(tasks.pslist(addr_space))

        if self._config.BASE:
            if self._config.BASE in mods:
                mod_name = mods[self._config.BASE].BaseDllName
            else:
                mod_name = "UNKNOWN"
            yield addr_space, procs, int(self._config.BASE), mod_name
        else:
            for mod in list(mods.values()):
                if self._config.REGEX:
                    if not mod_re.search(str(mod.FullDllName or '')) and not mod_re.search(str(mod.BaseDllName or '')):
                        continue
                yield addr_space, procs, mod.DllBase.v(), mod.BaseDllName
开发者ID:carmaa,项目名称:volatility-2.2-python3,代码行数:29,代码来源:moddump.py

示例6: __init__

 def __init__(self, start, stack_base, stack_limit, eproc, modules=None, module_addrs=None, *args, **kwargs):
   EBP.__init__(self, start, stack_base, stack_limit, eproc, *args, **kwargs)
   if modules == None:
     self.modules = dict( (m.DllBase, m) for m in list(sysmods.lsmod(eproc.get_process_address_space())) + list(eproc.get_load_modules()) )
     self.module_addrs = sorted(self.modules.keys())
   else:
     self.modules = modules
     self.module_addrs = module_addrs
   mod = tasks.find_module(self.modules, self.module_addrs, self.eip)
   self.security_cookie = None
   self.cookie = None
   security_cookie_addr = None
   if mod != None:
     load_config = mod.get_load_config_directory()
     if load_config == None:
       # Attempt to use PDB symbols to locate this module's ___security_cookie
       addrs = eproc.lookup("{0}/.data!___security_cookie".format(str(mod.BaseDllName)))
       if len(addrs) > 0:
         security_cookie_addr = addrs[0]
     else:
       # Use _IMAGE_LOAD_CONFIG_DIRECTORY to locate this module's ___security_cookie
       security_cookie_addr = load_config.SecurityCookie
     if security_cookie_addr != None and self.addrspace.is_valid_address(security_cookie_addr):
       self.security_cookie = self.addrspace.read_long_phys(self.addrspace.vtop(security_cookie_addr))
     if self.addrspace.is_valid_address(self.ebp - self.alignment):
       self.cookie = self.addrspace.read_long_phys(self.addrspace.vtop(self.ebp - self.alignment))
开发者ID:binsrc,项目名称:volatility-1,代码行数:26,代码来源:exportstack.py

示例7: render_text

    def render_text(self, outfd, data):

        addr_space = utils.load_as(self._config)

        # Compile the regular expression for filtering by driver name 
        if self._config.regex != None:
            mod_re = re.compile(self._config.regex, re.I)
        else:
            mod_re = None

        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        bits = addr_space.profile.metadata.get('memory_model', '32bit')

        self.table_header(None, [('i', ">4"),
                                 ('Funcs', "36"),
                                 ('addr', '[addrpad]'),
                                 ('name', '')
                                 ])

        for driver in data:

            header = driver.get_object_header()

            driver_name = str(header.NameInfo.Name or '')
            # Continue if a regex was supplied and it doesn't match 
            if mod_re != None:
                if not (mod_re.search(driver_name) or
                        mod_re.search(driver_name)): continue

            # Write the standard header for each driver object 
            outfd.write("{0}\n".format("-" * 50))
            outfd.write("DriverName: {0}\n".format(driver_name))
            outfd.write("DriverStart: {0:#x}\n".format(driver.DriverStart))
            outfd.write("DriverSize: {0:#x}\n".format(driver.DriverSize))
            outfd.write("DriverStartIo: {0:#x}\n".format(driver.DriverStartIo))

            # Write the address and owner of each IRP function 
            for i, function in enumerate(driver.MajorFunction):
                function = driver.MajorFunction[i]
                module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
                if module:
                    module_name = str(module.BaseDllName or '')
                else:
                    module_name = "Unknown"
                # This is where we check for inline hooks once the 
                # ApiHooks plugin is ported to 2.1. 
                self.table_row(outfd, i, MAJOR_FUNCTIONS[i], function, module_name)

                if self._config.verbose:
                    data = addr_space.zread(function, 64)
                    outfd.write("\n".join(
                        ["{0:#x} {1:<16} {2}".format(o, h, i)
                        for o, i, h in malfind.Disassemble(data = data, 
                            start = function, bits = bits, stoponret = True)
                    ]))
                    outfd.write("\n")
开发者ID:vortessence,项目名称:vortessence,代码行数:58,代码来源:devicetree.py

示例8: calculate

    def calculate(self):

        if not has_pydeep:
            debug.error(
                "Please install ssdeep and pydeep from http://ssdeep.sourceforge.net/ and https://github.com/kbandla/pydeep"
            )

        addr_space = utils.load_as(self._config)
        self._addr_space = addr_space

        page_sig = self._pydeep_page()
        if page_sig == None:
            debug.error("Pydeep was not able to hash the input")

        if self._config.KERNEL:

            # Find KDBG so we know where kernel memory begins. Do not assume
            # the starting range is 0x80000000 because we may be dealing with
            # an image with the /3GB boot switch.
            kdbg = tasks.get_kdbg(addr_space)

            start = kdbg.MmSystemRangeStart.dereference_as("Pointer")

            # Modules so we can map addresses to owners
            mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
            mod_addrs = sorted(mods.keys())

            # There are multiple views (GUI sessions) of kernel memory.
            # Since we're scanning virtual memory and not physical,
            # all sessions must be scanned for full coverage. This
            # really only has a positive effect if the data you're
            # searching for is in GUI memory.
            sessions = []

            for proc in tasks.pslist(addr_space):
                sid = proc.SessionId
                # Skip sessions we've already seen
                if sid == None or sid in sessions:
                    continue

                session_space = proc.get_process_address_space()
                if session_space == None:
                    continue

                sessions.append(sid)
                scanner = DiscontigSSDeepScanner(address_space=session_space, rules=rules)

                for hit, address in scanner.scan(start_offset=start):
                    module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
                    yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))

        else:
            for task in self.filter_tasks(tasks.pslist(addr_space)):
                scanner = VadSSDeepScanner(task=task, pydeep_hash=page_sig)
                for sig, vStart, vLength, offset, alike in scanner.scan():
                    yield (task, sig, vStart, vLength, offset, alike, scanner.address_space.zread(offset, 0x1000))
开发者ID:xueyi28,项目名称:volgui,代码行数:56,代码来源:ssdeepscan.py

示例9: calculate

    def calculate(self):
        addr_space = utils.load_as(self._config)

        for mod in modules.lsmod(addr_space):

            # Finding the TC kernel module
            if str(mod.BaseDllName).lower() != "truecrypt.sys":
                continue

            for offset, password in self.scan_module(addr_space, mod.DllBase, self._config.MIN_LENGTH):
                yield offset, password
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:11,代码来源:tcaudit.py

示例10: calculate

    def calculate(self):

        if not has_yara:
            debug.error("Please install Yara from code.google.com/p/yara-project")

        addr_space = utils.load_as(self._config)

        rules = self._compile_rules()

        if self._config.KERNEL:

            # Find KDBG so we know where kernel memory begins. Do not assume
            # the starting range is 0x80000000 because we may be dealing with
            # an image with the /3GB boot switch. 
            kdbg = tasks.get_kdbg(addr_space)

            start = kdbg.MmSystemRangeStart.dereference_as("Pointer")

            # Modules so we can map addresses to owners
            mods = dict((addr_space.address_mask(mod.DllBase), mod)
                        for mod in modules.lsmod(addr_space))
            mod_addrs = sorted(mods.keys())

            # There are multiple views (GUI sessions) of kernel memory.
            # Since we're scanning virtual memory and not physical, 
            # all sessions must be scanned for full coverage. This 
            # really only has a positive effect if the data you're
            # searching for is in GUI memory. 
            sessions = []

            for proc in tasks.pslist(addr_space):
                sid = proc.SessionId
                # Skip sessions we've already seen 
                if sid == None or sid in sessions:
                    continue

                session_space = proc.get_process_address_space()
                if session_space == None:
                    continue

                sessions.append(sid)
                scanner = DiscontigYaraScanner(address_space = session_space,
                                               rules = rules)

                for hit, address in scanner.scan(start_offset = start):
                    module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
                    yield (module, address, hit, session_space.zread(address, 1024))

        else:
            for task in self.filter_tasks(tasks.pslist(addr_space)):
                scanner = VadYaraScanner(task = task, rules = rules)
                for hit, address in scanner.scan():
                    yield (task, address, hit, scanner.address_space.zread(address, 1024))
开发者ID:Austi,项目名称:volatility,代码行数:53,代码来源:malfind.py

示例11: calculate

    def calculate(self):
        # All scanners will share a kernel and physical space 
        self.kern_space = utils.load_as(self._config)
        self.phys_space = utils.load_as(self._config, astype = 'physical')

        # We currently dont support x64
        if not self.is_valid_profile(self.kern_space.profile):
            debug.error("This command does not support the selected profile.")

        # Get the OS version we're analyzing
        version = (self.kern_space.profile.metadata.get('major', 0),
                   self.kern_space.profile.metadata.get('minor', 0))

        modlist = list(modules.lsmod(self.kern_space))
        mods = dict((self.kern_space.address_mask(mod.DllBase), mod) for mod in modlist)
        mod_addrs = sorted(mods.keys())

        # First few routines are valid on all OS versions 
        for info in self.get_fs_callbacks():
            yield info, mods, mod_addrs

        for info in self.get_bugcheck_callbacks():
            yield info, mods, mod_addrs

        for info in self.get_shutdown_callbacks():
            yield info, mods, mod_addrs

        for info in self.get_generic_callbacks():
            yield info, mods, mod_addrs

        for info in self.get_bugcheck_reason_callbacks(modlist[0]):
            yield info, mods, mod_addrs

        for info in self.get_kernel_callbacks(modlist[0]):
            yield info, mods, mod_addrs

        # Valid for Vista and later
        if version >= (6, 0):
            for info in self.get_dbgprint_callbacks():
                yield info, mods, mod_addrs

            for info in self.get_registry_callbacks():
                yield info, mods, mod_addrs

            for info in self.get_pnp_callbacks():
                yield info, mods, mod_addrs

        # Valid for XP 
        if version == (5, 1):
            for info in self.get_registry_callbacks_legacy(modlist[0]):
                yield info, mods, mod_addrs
开发者ID:MemForsKing,项目名称:memfors4all,代码行数:51,代码来源:callbacksf.py

示例12: Win32KBase

    def Win32KBase(self):
        """Get the base address of the win32k.sys as mapped 
        into this session's memory. 

        Since win32k.sys is always the first image to be 
        mapped, we can just grab the first list entry.

        Update: we no longer use the session image list, because
        it seems to have gone away in Win8/2012."""
        
        for mod in modules.lsmod(self.obj_vm):
            if str(mod.BaseDllName or '').lower() == "win32k.sys":
                return mod.DllBase
        return obj.Object("Cannot find win32k.sys base address")
开发者ID:Safe3,项目名称:volatility,代码行数:14,代码来源:win32k_core.py

示例13: calculate

    def calculate(self):
        addr_space = utils.load_as(self._config)

        for mod in modules.lsmod(addr_space):

            # Finding the TC kernel module
            if str(mod.BaseDllName).lower() != "truecrypt.sys":
                continue

            dos_header = obj.Object("_IMAGE_DOS_HEADER", offset=mod.DllBase, vm=addr_space)
            nt_header = dos_header.get_nt_header()

            # Finding the PE data section
            data_section = None
            for sec in nt_header.get_sections():
                if str(sec.Name) == ".data":
                    data_section = sec
                    break

            if not data_section:
                break

            base = sec.VirtualAddress + mod.DllBase
            size = sec.Misc.VirtualSize

            # Looking for the Length member, DWORD-aligned
            ints = obj.Object("Array", targetType="int", offset=base, count=size / 4, vm=addr_space)

            for length in ints:
                # Min and max passphrase lengths
                if length >= self._config.MIN_LENGTH and length <= 64:
                    offset = length.obj_offset + 4
                    passphrase = addr_space.read(offset, length)
                    if not passphrase:
                        continue
                    # All characters in the range must be ASCII
                    chars = [c for c in passphrase if ord(c) >= 0x20 and ord(c) <= 0x7F]
                    if len(chars) != length:
                        continue
                    # At least three zero-bad bytes must follow
                    if addr_space.read(offset + length, 3) != "\x00" * 3:
                        continue
                    yield offset, passphrase
开发者ID:phulc,项目名称:Hit,代码行数:43,代码来源:tcaudit.py

示例14: calculate

    def calculate(self):
        addr_space = utils.load_as(self._config)

        modlist = list(modules.lsmod(addr_space))
        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
        mod_addrs = sorted(mods.keys())
            
        drivers = dtree.DriverIrp(self._config).calculate()    
        driver_name = "UNKNOWN"
        service_key = "UNKNOWN"
        driver_name3 = "UNKNOWN"
        module_name = "UNKNOWN"

        if self._config.ADDR:
            find_address = self._config.ADDR
            
            module_name = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(find_address))
            if module_name:
                module_name = module_name.BaseDllName or module_name.FullDllName

            for driver in drivers:
                if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
                    header = driver.get_object_header()
                    driver_name = header.NameInfo.Name
                    driver_name  = str(driver.get_object_header().NameInfo.Name or '') 
                    service_key = str(driver.DriverExtension.ServiceKeyName or '') 
                    driver_name3 = str(driver.DriverName or '') 
                    break
            
            yield (module_name, driver_name, service_key, driver_name3)

        else:                
            for driver in drivers:
                driver_name  = str(driver.get_object_header().NameInfo.Name or '')
                service_key = str(driver.DriverExtension.ServiceKeyName or '')
                driver_name3 = str(driver.DriverName or '')
                
                owning_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(driver.DriverStart))
                module_name = "UNKNOWN"
                if owning_module:
                    module_name = owning_module.BaseDllName or owning_module.FullDllName

                yield (module_name, driver_name, service_key, driver_name3)
开发者ID:chansonzhang,项目名称:volatility,代码行数:43,代码来源:drivermodule.py

示例15: get_target_mod_name

 def get_target_mod_name(self):
     addr_space = utils.load_as(self._config)
     # kernel mod
     if self._config.PID == None:         
         all_mods = list(modules.lsmod(addr_space))            
         for mod in all_mods:
             if self._config.BASE == mod.DllBase: 
                 return os.path.splitext(str(mod.BaseDllName))[0]
     # user mod
     else:
         for prc in tasks.pslist(addr_space):
             if prc.UniqueProcessId == self._config.PID:
                 print "pid: %d" % prc.UniqueProcessId
                 for mod in prc.get_load_modules():
                     print "mod: %x" % mod.DllBase
                     if self._config.BASE == mod.DllBase: 
                         return os.path.splitext(str(mod.BaseDllName))[0]
                 break     
     return "unknown"
开发者ID:naveen12,项目名称:community,代码行数:19,代码来源:symbolizemod.py


注:本文中的volatility.win32.modules.lsmod函数示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。