本文整理汇总了Python中volatility.win32.modules.lsmod函数的典型用法代码示例。如果您正苦于以下问题:Python lsmod函数的具体用法?Python lsmod怎么用?Python lsmod使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了lsmod函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
## Get a sorted list of module addresses
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
ssdts = set()
if addr_space.profile.metadata.get("memory_model", "32bit") == "32bit":
# Gather up all SSDTs referenced by threads
print "[x86] Gathering all referenced SSDTs from KTHREADs..."
for proc in tasks.pslist(addr_space):
for thread in proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry"):
ssdt_obj = thread.Tcb.ServiceTable.dereference_as("_SERVICE_DESCRIPTOR_TABLE")
ssdts.add(ssdt_obj)
else:
print "[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable..."
# The NT module always loads first
ntos = list(modules.lsmod(addr_space))[0]
func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
if func_rva == None:
raise StopIteration("Cannot locate KeAddSystemServiceTable")
KeAddSystemServiceTable = ntos.DllBase + func_rva
for table_rva in find_tables(KeAddSystemServiceTable, addr_space):
ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE", ntos.DllBase + table_rva, addr_space)
ssdts.add(ssdt_obj)
# Get a list of *unique* SSDT entries. Typically we see only two.
tables = set()
for ssdt_obj in ssdts:
for i, desc in enumerate(ssdt_obj.Descriptors):
# Apply some extra checks - KiServiceTable should reside in kernel memory and ServiceLimit
# should be greater than 0 but not unbelievably high
if (
desc.is_valid()
and desc.ServiceLimit > 0
and desc.ServiceLimit < 0xFFFF
and desc.KiServiceTable > 0x80000000
):
tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))
print "Finding appropriate address space for tables..."
tables_with_vm = []
procs = list(tasks.pslist(addr_space))
for idx, table, n in tables:
vm = tasks.find_space(addr_space, procs, table)
if vm:
tables_with_vm.append((idx, table, n, vm))
else:
debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))
for idx, table, n, vm in sorted(tables_with_vm, key=itemgetter(0)):
yield idx, table, n, vm, mods, mod_addrs示例2: render_text
def render_text(self, outfd, data):
# Kernel AS for looking up modules
kernel_space = utils.load_as(self._config)
# Modules sorted for address lookups
mods = dict((kernel_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(kernel_space))
mod_addrs = sorted(mods.keys())
for session in data:
outfd.write("*" * 50 + "\n")
outfd.write("Session(V): {0:x} ID: {1} Processes: {2}\n".format(
session.obj_offset,
session.SessionId,
len(list(session.processes())),
))
outfd.write("PagedPoolStart: {0:x} PagedPoolEnd {1:x}\n".format(
session.PagedPoolStart,
session.PagedPoolEnd,
))
for process in session.processes():
outfd.write(" Process: {0} {1} {2}\n".format(
process.UniqueProcessId,
process.ImageFileName,
process.CreateTime,
))
for image in session.images():
module = tasks.find_module(mods, mod_addrs, kernel_space.address_mask(image.Address))
outfd.write(" Image: {0:#x}, Address {1:x}, Name: {2}\n".format(
image.obj_offset,
image.Address,
str(module and module.BaseDllName or '')
))示例3: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
# Currently we only support x86. The x64 does still have a IDT
# but hooking is prohibited and results in bugcheck.
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
# Get the GDT for access to selector bases
gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
for i, entry in kpcr.idt_entries():
# Where the IDT entry points.
addr = entry.Address
# Per MITRE, add the GDT selector base if available.
# This allows us to detect sneaky attempts to hook IDT
# entries by changing the entry's GDT selector.
gdt_entry = gdt.get(entry.Selector.v())
if gdt_entry != None and "Code" in gdt_entry.Type:
addr += gdt_entry.Base
# Lookup the function's owner
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))
yield i, entry, addr, module示例4: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
tasklist = []
modslist = []
if self._config.SCAN:
if not self._config.KERNEL_ONLY:
for t in filescan.PSScan(self._config).calculate():
v = self.virtual_process_from_physical_offset(addr_space, t.obj_offset)
if v:
tasklist.append(v)
if not self._config.PROCESS_ONLY:
modslist = [m for m in modscan.ModScan(self._config).calculate()]
else:
if not self._config.KERNEL_ONLY:
tasklist = [t for t in tasks.pslist(addr_space)]
if not self._config.PROCESS_ONLY:
modslist = [m for m in modules.lsmod(addr_space)]
for task in tasklist:
for mod in task.get_load_modules():
yield task, mod
for mod in modslist:
yield None, mod示例5: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
if self._config.REGEX:
try:
if self._config.IGNORE_CASE:
mod_re = re.compile(self._config.REGEX, re.I)
else:
mod_re = re.compile(self._config.REGEX)
except re.error as e:
debug.error('Error parsing regular expression: %s' % e)
mods = dict((mod.DllBase.v(), mod) for mod in modules.lsmod(addr_space))
# We need the process list to find spaces for some drivers. Enumerate them here
# instead of inside the find_space function, so we only have to do it once.
procs = list(tasks.pslist(addr_space))
if self._config.BASE:
if self._config.BASE in mods:
mod_name = mods[self._config.BASE].BaseDllName
else:
mod_name = "UNKNOWN"
yield addr_space, procs, int(self._config.BASE), mod_name
else:
for mod in list(mods.values()):
if self._config.REGEX:
if not mod_re.search(str(mod.FullDllName or '')) and not mod_re.search(str(mod.BaseDllName or '')):
continue
yield addr_space, procs, mod.DllBase.v(), mod.BaseDllName示例6: __init__
def __init__(self, start, stack_base, stack_limit, eproc, modules=None, module_addrs=None, *args, **kwargs):
EBP.__init__(self, start, stack_base, stack_limit, eproc, *args, **kwargs)
if modules == None:
self.modules = dict( (m.DllBase, m) for m in list(sysmods.lsmod(eproc.get_process_address_space())) + list(eproc.get_load_modules()) )
self.module_addrs = sorted(self.modules.keys())
else:
self.modules = modules
self.module_addrs = module_addrs
mod = tasks.find_module(self.modules, self.module_addrs, self.eip)
self.security_cookie = None
self.cookie = None
security_cookie_addr = None
if mod != None:
load_config = mod.get_load_config_directory()
if load_config == None:
# Attempt to use PDB symbols to locate this module's ___security_cookie
addrs = eproc.lookup("{0}/.data!___security_cookie".format(str(mod.BaseDllName)))
if len(addrs) > 0:
security_cookie_addr = addrs[0]
else:
# Use _IMAGE_LOAD_CONFIG_DIRECTORY to locate this module's ___security_cookie
security_cookie_addr = load_config.SecurityCookie
if security_cookie_addr != None and self.addrspace.is_valid_address(security_cookie_addr):
self.security_cookie = self.addrspace.read_long_phys(self.addrspace.vtop(security_cookie_addr))
if self.addrspace.is_valid_address(self.ebp - self.alignment):
self.cookie = self.addrspace.read_long_phys(self.addrspace.vtop(self.ebp - self.alignment))示例7: render_text
def render_text(self, outfd, data):
addr_space = utils.load_as(self._config)
# Compile the regular expression for filtering by driver name
if self._config.regex != None:
mod_re = re.compile(self._config.regex, re.I)
else:
mod_re = None
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
bits = addr_space.profile.metadata.get('memory_model', '32bit')
self.table_header(None, [('i', ">4"),
('Funcs', "36"),
('addr', '[addrpad]'),
('name', '')
])
for driver in data:
header = driver.get_object_header()
driver_name = str(header.NameInfo.Name or '')
# Continue if a regex was supplied and it doesn't match
if mod_re != None:
if not (mod_re.search(driver_name) or
mod_re.search(driver_name)): continue
# Write the standard header for each driver object
outfd.write("{0}\n".format("-" * 50))
outfd.write("DriverName: {0}\n".format(driver_name))
outfd.write("DriverStart: {0:#x}\n".format(driver.DriverStart))
outfd.write("DriverSize: {0:#x}\n".format(driver.DriverSize))
outfd.write("DriverStartIo: {0:#x}\n".format(driver.DriverStartIo))
# Write the address and owner of each IRP function
for i, function in enumerate(driver.MajorFunction):
function = driver.MajorFunction[i]
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
if module:
module_name = str(module.BaseDllName or '')
else:
module_name = "Unknown"
# This is where we check for inline hooks once the
# ApiHooks plugin is ported to 2.1.
self.table_row(outfd, i, MAJOR_FUNCTIONS[i], function, module_name)
if self._config.verbose:
data = addr_space.zread(function, 64)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data,
start = function, bits = bits, stoponret = True)
]))
outfd.write("\n")示例8: calculate
def calculate(self):
if not has_pydeep:
debug.error(
"Please install ssdeep and pydeep from http://ssdeep.sourceforge.net/ and https://github.com/kbandla/pydeep"
)
addr_space = utils.load_as(self._config)
self._addr_space = addr_space
page_sig = self._pydeep_page()
if page_sig == None:
debug.error("Pydeep was not able to hash the input")
if self._config.KERNEL:
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigSSDeepScanner(address_space=session_space, rules=rules)
for hit, address in scanner.scan(start_offset=start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadSSDeepScanner(task=task, pydeep_hash=page_sig)
for sig, vStart, vLength, offset, alike in scanner.scan():
yield (task, sig, vStart, vLength, offset, alike, scanner.address_space.zread(offset, 0x1000))示例9: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
for mod in modules.lsmod(addr_space):
# Finding the TC kernel module
if str(mod.BaseDllName).lower() != "truecrypt.sys":
continue
for offset, password in self.scan_module(addr_space, mod.DllBase, self._config.MIN_LENGTH):
yield offset, password示例10: calculate
def calculate(self):
if not has_yara:
debug.error("Please install Yara from code.google.com/p/yara-project")
addr_space = utils.load_as(self._config)
rules = self._compile_rules()
if self._config.KERNEL:
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address, 1024))
else:
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit, scanner.address_space.zread(address, 1024))示例11: calculate
def calculate(self):
# All scanners will share a kernel and physical space
self.kern_space = utils.load_as(self._config)
self.phys_space = utils.load_as(self._config, astype = 'physical')
# We currently dont support x64
if not self.is_valid_profile(self.kern_space.profile):
debug.error("This command does not support the selected profile.")
# Get the OS version we're analyzing
version = (self.kern_space.profile.metadata.get('major', 0),
self.kern_space.profile.metadata.get('minor', 0))
modlist = list(modules.lsmod(self.kern_space))
mods = dict((self.kern_space.address_mask(mod.DllBase), mod) for mod in modlist)
mod_addrs = sorted(mods.keys())
# First few routines are valid on all OS versions
for info in self.get_fs_callbacks():
yield info, mods, mod_addrs
for info in self.get_bugcheck_callbacks():
yield info, mods, mod_addrs
for info in self.get_shutdown_callbacks():
yield info, mods, mod_addrs
for info in self.get_generic_callbacks():
yield info, mods, mod_addrs
for info in self.get_bugcheck_reason_callbacks(modlist[0]):
yield info, mods, mod_addrs
for info in self.get_kernel_callbacks(modlist[0]):
yield info, mods, mod_addrs
# Valid for Vista and later
if version >= (6, 0):
for info in self.get_dbgprint_callbacks():
yield info, mods, mod_addrs
for info in self.get_registry_callbacks():
yield info, mods, mod_addrs
for info in self.get_pnp_callbacks():
yield info, mods, mod_addrs
# Valid for XP
if version == (5, 1):
for info in self.get_registry_callbacks_legacy(modlist[0]):
yield info, mods, mod_addrs示例12: Win32KBase
def Win32KBase(self):
"""Get the base address of the win32k.sys as mapped
into this session's memory.
Since win32k.sys is always the first image to be
mapped, we can just grab the first list entry.
Update: we no longer use the session image list, because
it seems to have gone away in Win8/2012."""
for mod in modules.lsmod(self.obj_vm):
if str(mod.BaseDllName or '').lower() == "win32k.sys":
return mod.DllBase
return obj.Object("Cannot find win32k.sys base address")示例13: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
for mod in modules.lsmod(addr_space):
# Finding the TC kernel module
if str(mod.BaseDllName).lower() != "truecrypt.sys":
continue
dos_header = obj.Object("_IMAGE_DOS_HEADER", offset=mod.DllBase, vm=addr_space)
nt_header = dos_header.get_nt_header()
# Finding the PE data section
data_section = None
for sec in nt_header.get_sections():
if str(sec.Name) == ".data":
data_section = sec
break
if not data_section:
break
base = sec.VirtualAddress + mod.DllBase
size = sec.Misc.VirtualSize
# Looking for the Length member, DWORD-aligned
ints = obj.Object("Array", targetType="int", offset=base, count=size / 4, vm=addr_space)
for length in ints:
# Min and max passphrase lengths
if length >= self._config.MIN_LENGTH and length <= 64:
offset = length.obj_offset + 4
passphrase = addr_space.read(offset, length)
if not passphrase:
continue
# All characters in the range must be ASCII
chars = [c for c in passphrase if ord(c) >= 0x20 and ord(c) <= 0x7F]
if len(chars) != length:
continue
# At least three zero-bad bytes must follow
if addr_space.read(offset + length, 3) != "\x00" * 3:
continue
yield offset, passphrase示例14: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
modlist = list(modules.lsmod(addr_space))
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
mod_addrs = sorted(mods.keys())
drivers = dtree.DriverIrp(self._config).calculate()
driver_name = "UNKNOWN"
service_key = "UNKNOWN"
driver_name3 = "UNKNOWN"
module_name = "UNKNOWN"
if self._config.ADDR:
find_address = self._config.ADDR
module_name = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(find_address))
if module_name:
module_name = module_name.BaseDllName or module_name.FullDllName
for driver in drivers:
if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
header = driver.get_object_header()
driver_name = header.NameInfo.Name
driver_name = str(driver.get_object_header().NameInfo.Name or '')
service_key = str(driver.DriverExtension.ServiceKeyName or '')
driver_name3 = str(driver.DriverName or '')
break
yield (module_name, driver_name, service_key, driver_name3)
else:
for driver in drivers:
driver_name = str(driver.get_object_header().NameInfo.Name or '')
service_key = str(driver.DriverExtension.ServiceKeyName or '')
driver_name3 = str(driver.DriverName or '')
owning_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(driver.DriverStart))
module_name = "UNKNOWN"
if owning_module:
module_name = owning_module.BaseDllName or owning_module.FullDllName
yield (module_name, driver_name, service_key, driver_name3)示例15: get_target_mod_name
def get_target_mod_name(self):
addr_space = utils.load_as(self._config)
# kernel mod
if self._config.PID == None:
all_mods = list(modules.lsmod(addr_space))
for mod in all_mods:
if self._config.BASE == mod.DllBase:
return os.path.splitext(str(mod.BaseDllName))[0]
# user mod
else:
for prc in tasks.pslist(addr_space):
if prc.UniqueProcessId == self._config.PID:
print "pid: %d" % prc.UniqueProcessId
for mod in prc.get_load_modules():
print "mod: %x" % mod.DllBase
if self._config.BASE == mod.DllBase:
return os.path.splitext(str(mod.BaseDllName))[0]
break
return "unknown"