本文整理汇总了Python中volatility.win32.tasks.find_module函数的典型用法代码示例。如果您正苦于以下问题:Python find_module函数的具体用法?Python find_module怎么用?Python find_module使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了find_module函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: render_text
def render_text(self, outfd, data):
addr_space = utils.load_as(self._config)
syscalls = addr_space.profile.syscalls
bits32 = addr_space.profile.metadata.get('memory_model', '32bit') == '32bit'
# Print out the entries for each table
for idx, table, n, vm, mods, mod_addrs in data:
outfd.write("SSDT[{0}] at {1:x} with {2} entries\n".format(idx, table, n))
for i in range(n):
if bits32:
# These are absolute function addresses in kernel memory.
syscall_addr = obj.Object('address', table + (i * 4), vm).v()
else:
# These must be signed long for x64 because they are RVAs relative
# to the base of the table and can be negative.
offset = obj.Object('long', table + (i * 4), vm).v()
# The offset is the top 20 bits of the 32 bit number.
syscall_addr = table + (offset >> 4)
try:
syscall_name = syscalls[idx][i]
except IndexError:
syscall_name = "UNKNOWN"
syscall_mod = tasks.find_module(mods, mod_addrs, addr_space.address_mask(syscall_addr))
if syscall_mod:
syscall_modname = syscall_mod.BaseDllName
else:
syscall_modname = "UNKNOWN"
outfd.write(" Entry {0:#06x}: {1:#x} ({2}) owned by {3}\n".format(idx * 0x1000 + i,
syscall_addr,
syscall_name,
syscall_modname))
## check for inline hooks if in --verbose mode, we're analyzing
## an x86 model system and the sycall_mod is available
if (self._config.VERBOSE and
addr_space.profile.metadata.get('memory_model', '32bit') == '32bit' and
syscall_mod is not None):
## leverage this static method from apihooks
ret = apihooks.ApiHooks.check_inline(va = syscall_addr, addr_space = vm,
mem_start = syscall_mod.DllBase,
mem_end = syscall_mod.DllBase + syscall_mod.SizeOfImage)
## could not analyze the memory
if ret == None:
continue
(hooked, data, dest_addr) = ret
## the function isn't hooked
if not hooked:
continue
## we found a hook, try to resolve the hooker. no mask required because
## we currently only work on x86 anyway
hook_mod = tasks.find_module(mods, mod_addrs, dest_addr)
if hook_mod:
hook_name = hook_mod.BaseDllName
else:
hook_name = "UNKNOWN"
## report it now
outfd.write(" ** INLINE HOOK? => {0:#x} ({1})\n".format(dest_addr, hook_name))示例2: render_text
def render_text(self, outfd, data):
# Kernel AS for looking up modules
kernel_space = utils.load_as(self._config)
# Modules sorted for address lookups
mods = dict((kernel_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(kernel_space))
mod_addrs = sorted(mods.keys())
for session in data:
outfd.write("*" * 50 + "\n")
outfd.write("Session(V): {0:x} ID: {1} Processes: {2}\n".format(
session.obj_offset,
session.SessionId,
len(list(session.processes())),
))
outfd.write("PagedPoolStart: {0:x} PagedPoolEnd {1:x}\n".format(
session.PagedPoolStart,
session.PagedPoolEnd,
))
for process in session.processes():
outfd.write(" Process: {0} {1} {2}\n".format(
process.UniqueProcessId,
process.ImageFileName,
process.CreateTime,
))
for image in session.images():
module = tasks.find_module(mods, mod_addrs, kernel_space.address_mask(image.Address))
outfd.write(" Image: {0:#x}, Address {1:x}, Name: {2}\n".format(
image.obj_offset,
image.Address,
str(module and module.BaseDllName or '')
))示例3: __init__
def __init__(self, start, stack_base, stack_limit, eproc, modules=None, module_addrs=None, *args, **kwargs):
EBP.__init__(self, start, stack_base, stack_limit, eproc, *args, **kwargs)
if modules == None:
self.modules = dict( (m.DllBase, m) for m in list(sysmods.lsmod(eproc.get_process_address_space())) + list(eproc.get_load_modules()) )
self.module_addrs = sorted(self.modules.keys())
else:
self.modules = modules
self.module_addrs = module_addrs
mod = tasks.find_module(self.modules, self.module_addrs, self.eip)
self.security_cookie = None
self.cookie = None
security_cookie_addr = None
if mod != None:
load_config = mod.get_load_config_directory()
if load_config == None:
# Attempt to use PDB symbols to locate this module's ___security_cookie
addrs = eproc.lookup("{0}/.data!___security_cookie".format(str(mod.BaseDllName)))
if len(addrs) > 0:
security_cookie_addr = addrs[0]
else:
# Use _IMAGE_LOAD_CONFIG_DIRECTORY to locate this module's ___security_cookie
security_cookie_addr = load_config.SecurityCookie
if security_cookie_addr != None and self.addrspace.is_valid_address(security_cookie_addr):
self.security_cookie = self.addrspace.read_long_phys(self.addrspace.vtop(security_cookie_addr))
if self.addrspace.is_valid_address(self.ebp - self.alignment):
self.cookie = self.addrspace.read_long_phys(self.addrspace.vtop(self.ebp - self.alignment))示例4: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
# Currently we only support x86. The x64 does still have a IDT
# but hooking is prohibited and results in bugcheck.
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
# Get the GDT for access to selector bases
gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
for i, entry in kpcr.idt_entries():
# Where the IDT entry points.
addr = entry.Address
# Per MITRE, add the GDT selector base if available.
# This allows us to detect sneaky attempts to hook IDT
# entries by changing the entry's GDT selector.
gdt_entry = gdt.get(entry.Selector.v())
if gdt_entry != None and "Code" in gdt_entry.Type:
addr += gdt_entry.Base
# Lookup the function's owner
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))
yield i, entry, addr, module示例5: callbacks
def callbacks(self):
"""Volatility callbacks plugin.
@see volatility/plugins/malware/callbacks.py
"""
results = []
command = self.plugins["callbacks"](self.config)
for (sym, cb, detail), mods, mod_addrs in command.calculate():
module = tasks.find_module(mods, mod_addrs, self.addr_space.address_mask(cb))
if module:
module_name = module.BaseDllName or module.FullDllName
else:
module_name = "UNKNOWN"
new = {
"type": str(sym),
"callback": hex(int(cb)),
"module": str(module_name),
"details": str(detail or "-"),
}
results.append(new)
return dict(config={}, data=results)示例6: render_text
def render_text(self, outfd, data):
addr_space = utils.load_as(self._config)
syscalls = addr_space.profile.syscalls
bits32 = addr_space.profile.metadata.get('memory_model', '32bit') == '32bit'
# Print out the entries for each table
for idx, table, n, vm, mods, mod_addrs in data:
outfd.write("SSDT[{0}] at {1:x} with {2} entries\n".format(idx, table, n))
for i in range(n):
if bits32:
# These are absolute function addresses in kernel memory.
syscall_addr = obj.Object('address', table + (i * 4), vm).v()
else:
# These must be signed long for x64 because they are RVAs relative
# to the base of the table and can be negative.
offset = obj.Object('long', table + (i * 4), vm).v()
# The offset is the top 20 bits of the 32 bit number.
syscall_addr = table + (offset >> 4)
try:
syscall_name = syscalls[idx][i]
except IndexError:
syscall_name = "UNKNOWN"
syscall_mod = tasks.find_module(mods, mod_addrs, syscall_addr)
if syscall_mod:
syscall_modname = syscall_mod.BaseDllName
else:
syscall_modname = "UNKNOWN"
outfd.write(" Entry {0:#06x}: {1:#x} ({2}) owned by {3}\n".format(idx * 0x1000 + i,
syscall_addr,
syscall_name,
syscall_modname))示例7: render_text
def render_text(self, outfd, data):
addr_space = utils.load_as(self._config)
# Compile the regular expression for filtering by driver name
if self._config.regex != None:
mod_re = re.compile(self._config.regex, re.I)
else:
mod_re = None
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
bits = addr_space.profile.metadata.get('memory_model', '32bit')
self.table_header(None, [('i', ">4"),
('Funcs', "36"),
('addr', '[addrpad]'),
('name', '')
])
for driver in data:
header = driver.get_object_header()
driver_name = str(header.NameInfo.Name or '')
# Continue if a regex was supplied and it doesn't match
if mod_re != None:
if not (mod_re.search(driver_name) or
mod_re.search(driver_name)): continue
# Write the standard header for each driver object
outfd.write("{0}\n".format("-" * 50))
outfd.write("DriverName: {0}\n".format(driver_name))
outfd.write("DriverStart: {0:#x}\n".format(driver.DriverStart))
outfd.write("DriverSize: {0:#x}\n".format(driver.DriverSize))
outfd.write("DriverStartIo: {0:#x}\n".format(driver.DriverStartIo))
# Write the address and owner of each IRP function
for i, function in enumerate(driver.MajorFunction):
function = driver.MajorFunction[i]
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
if module:
module_name = str(module.BaseDllName or '')
else:
module_name = "Unknown"
# This is where we check for inline hooks once the
# ApiHooks plugin is ported to 2.1.
self.table_row(outfd, i, MAJOR_FUNCTIONS[i], function, module_name)
if self._config.verbose:
data = addr_space.zread(function, 64)
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(data = data,
start = function, bits = bits, stoponret = True)
]))
outfd.write("\n")示例8: check
def check(self):
"""This check is True for system threads whose start address
do not map back to known/loaded kernel drivers."""
module = tasks.find_module(self.mods,
self.mod_addrs, self.thread.StartAddress)
return ('PS_CROSS_THREAD_FLAGS_SYSTEM' in self.flags and
module == None)示例9: get_hooked_tables
def get_hooked_tables(self, addr_space):
"""This function finds SSDTs in an address space, checks
if there are any hooked functions in the SSDTs, and returns
a dictionary where SSDT base addresses are the keys and the
values are lists of hooked function names.
@param addr_space: a kernel address space.
"""
# Names of the legit executive modules for SSDT tables
executive_modules = [
# SSDT 0
["ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"],
# SSDT 1
["win32k.sys"],
# SSDT 2
["spud.sys"],
# SSDT 3
[]]
syscalls = addr_space.profile.syscalls
hooked_tables = {}
for info in ssdt.SSDT(self._config).calculate():
idx, table, n, vm, mods, mod_addrs = info
# This is straight out of ssdt.py. Too bad there's no better way
# to not duplicate code?
for i in range(n):
if self.bits32:
# These are absolute function addresses in kernel memory.
syscall_addr = obj.Object('address', table + (i * 4), vm).v()
else:
# These must be signed long for x64 because they are RVAs
# relative to the base of the table and can be negative.
offset = obj.Object('long', table + (i * 4), vm).v()
# The offset is the top 20 bits of the 32 bit number.
syscall_addr = table + (offset >> 4)
try:
syscall_name = syscalls[idx][i]
except IndexError:
syscall_name = "UNKNOWN"
syscall_mod = tasks.find_module(mods, mod_addrs, syscall_addr)
if syscall_mod:
syscall_modname = syscall_mod.BaseDllName
else:
syscall_modname = "UNKNOWN"
if str(syscall_modname).lower() not in executive_modules[idx]:
fields = (i, syscall_name, syscall_addr, syscall_modname)
if hooked_tables.has_key(table):
hooked_tables[table].append(fields)
else:
hooked_tables[table] = [(fields)]
return hooked_tables示例10: calculate
def calculate(self):
if not has_pydeep:
debug.error(
"Please install ssdeep and pydeep from http://ssdeep.sourceforge.net/ and https://github.com/kbandla/pydeep"
)
addr_space = utils.load_as(self._config)
self._addr_space = addr_space
page_sig = self._pydeep_page()
if page_sig == None:
debug.error("Pydeep was not able to hash the input")
if self._config.KERNEL:
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigSSDeepScanner(address_space=session_space, rules=rules)
for hit, address in scanner.scan(start_offset=start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadSSDeepScanner(task=task, pydeep_hash=page_sig)
for sig, vStart, vLength, offset, alike in scanner.scan():
yield (task, sig, vStart, vLength, offset, alike, scanner.address_space.zread(offset, 0x1000))示例11: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
modlist = list(modules.lsmod(addr_space))
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
mod_addrs = sorted(mods.keys())
drivers = dtree.DriverIrp(self._config).calculate()
driver_name = "UNKNOWN"
service_key = "UNKNOWN"
driver_name3 = "UNKNOWN"
module_name = "UNKNOWN"
if self._config.ADDR:
find_address = self._config.ADDR
module_name = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(find_address))
if module_name:
module_name = module_name.BaseDllName or module_name.FullDllName
for driver in drivers:
if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
header = driver.get_object_header()
driver_name = header.NameInfo.Name
driver_name = str(driver.get_object_header().NameInfo.Name or '')
service_key = str(driver.DriverExtension.ServiceKeyName or '')
driver_name3 = str(driver.DriverName or '')
break
yield (module_name, driver_name, service_key, driver_name3)
else:
for driver in drivers:
driver_name = str(driver.get_object_header().NameInfo.Name or '')
service_key = str(driver.DriverExtension.ServiceKeyName or '')
driver_name3 = str(driver.DriverName or '')
owning_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(driver.DriverStart))
module_name = "UNKNOWN"
if owning_module:
module_name = owning_module.BaseDllName or owning_module.FullDllName
yield (module_name, driver_name, service_key, driver_name3)示例12: check
def check(self):
"""This check is True for system threads whose start address
do not map back to known/loaded kernel drivers."""
# Take the address space from any module object
addr_space = self.mods.values()[0].obj_vm
module = tasks.find_module(self.mods,
self.mod_addrs, addr_space.address_mask(self.thread.StartAddress))
return ('PS_CROSS_THREAD_FLAGS_SYSTEM' in self.flags and
module == None)示例13: calculate
def calculate(self):
if not has_yara:
debug.error("Please install Yara from code.google.com/p/yara-project")
addr_space = utils.load_as(self._config)
rules = self._compile_rules()
if self._config.KERNEL:
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address, 1024))
else:
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit, scanner.address_space.zread(address, 1024))示例14: get_alloc
def get_alloc(self, addr_space):
'''
Mimics volatility's PPP plugin.
'''
import volatility.plugins.malware.callbacks as callbacks
import volatility.win32.tasks as tasks
# for conn in connections.Connections(self.vol.config).calculate():
vol_callback = callbacks.Callbacks(self.vol.config)
for (sym, cb, detail), mods, mod_addrs in vol_callback.calculate():
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
yield Callback(module, sym, cb, detail, 0)示例15: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
modlist = list(modules.lsmod(addr_space))
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
mod_addrs = sorted(mods.keys())
drivers = dtree.DriverIrp(self._config).calculate()
found_driver = "UNKNOWN"
if self._config.ADDR:
find_address = self._config.ADDR
found_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(find_address))
if found_module:
found_module = found_module.BaseDllName or found_module.FullDllName
else:
found_module = "UNKNOWN"
for driver in drivers:
if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
header = driver.get_object_header()
found_driver = header.NameInfo.Name
break
yield (found_module, found_driver)
else:
for driver in drivers:
driver_name = driver.get_object_header().NameInfo.Name
owning_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(driver.DriverStart))
if owning_module:
module_name = owning_module.BaseDllName or owning_module.FullDllName
else:
module_name = "UNKNOWN"
yield (module_name, driver_name)