本文整理汇总了Python中volatility.win32.tasks.pslist函数的典型用法代码示例。如果您正苦于以下问题:Python pslist函数的具体用法?Python pslist怎么用?Python pslist使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了pslist函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: build_pids
def build_pids(self):
if self._config.PROC_NAME:
# PROC_NAME
name_list = self._config.PROC_NAME.split(",")
pid_list = []
for name in name_list:
for task in tasks.pslist(self.addr_space):
if name in str(task.ImageFileName):
pid_list.append(task.UniqueProcessId)
pids = ','.join(map(str, pid_list))
else:
# PROC_NAME_MATCH
name_list = self._config.PROC_NAME_MATCH.split(",")
pid_list = []
for name in name_list:
for task in tasks.pslist(self.addr_space):
if name == str(task.ImageFileName):
pid_list.append(task.UniqueProcessId)
pids = ','.join(map(str, pid_list))
if pids == '':
debug.error("No process matches given name. Please specify a valid name or PID.")
return pids示例2: calculate
def calculate(self):
if not has_pydeep:
debug.error(
"Please install ssdeep and pydeep from http://ssdeep.sourceforge.net/ and https://github.com/kbandla/pydeep"
)
addr_space = utils.load_as(self._config)
self._addr_space = addr_space
page_sig = self._pydeep_page()
if page_sig == None:
debug.error("Pydeep was not able to hash the input")
if self._config.KERNEL:
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigSSDeepScanner(address_space=session_space, rules=rules)
for hit, address in scanner.scan(start_offset=start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadSSDeepScanner(task=task, pydeep_hash=page_sig)
for sig, vStart, vLength, offset, alike in scanner.scan():
yield (task, sig, vStart, vLength, offset, alike, scanner.address_space.zread(offset, 0x1000))示例3: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
## Get a sorted list of module addresses
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
ssdts = set()
if addr_space.profile.metadata.get("memory_model", "32bit") == "32bit":
# Gather up all SSDTs referenced by threads
print "[x86] Gathering all referenced SSDTs from KTHREADs..."
for proc in tasks.pslist(addr_space):
for thread in proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry"):
ssdt_obj = thread.Tcb.ServiceTable.dereference_as("_SERVICE_DESCRIPTOR_TABLE")
ssdts.add(ssdt_obj)
else:
print "[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable..."
# The NT module always loads first
ntos = list(modules.lsmod(addr_space))[0]
func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
if func_rva == None:
raise StopIteration("Cannot locate KeAddSystemServiceTable")
KeAddSystemServiceTable = ntos.DllBase + func_rva
for table_rva in find_tables(KeAddSystemServiceTable, addr_space):
ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE", ntos.DllBase + table_rva, addr_space)
ssdts.add(ssdt_obj)
# Get a list of *unique* SSDT entries. Typically we see only two.
tables = set()
for ssdt_obj in ssdts:
for i, desc in enumerate(ssdt_obj.Descriptors):
# Apply some extra checks - KiServiceTable should reside in kernel memory and ServiceLimit
# should be greater than 0 but not unbelievably high
if (
desc.is_valid()
and desc.ServiceLimit > 0
and desc.ServiceLimit < 0xFFFF
and desc.KiServiceTable > 0x80000000
):
tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))
print "Finding appropriate address space for tables..."
tables_with_vm = []
procs = list(tasks.pslist(addr_space))
for idx, table, n in tables:
vm = tasks.find_space(addr_space, procs, table)
if vm:
tables_with_vm.append((idx, table, n, vm))
else:
debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))
for idx, table, n, vm in sorted(tables_with_vm, key=itemgetter(0)):
yield idx, table, n, vm, mods, mod_addrs示例4: calculate
def calculate(self):
if not has_yara:
debug.error("Please install Yara from code.google.com/p/yara-project")
addr_space = utils.load_as(self._config)
rules = self._compile_rules()
if self._config.KERNEL:
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address, 1024))
else:
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit, scanner.address_space.zread(address, 1024))示例5: find_scouts
def find_scouts(self):
""" Find all 'Scout' level implants using their distinctive watermarks - these index the configuration files, allowing us to obtain AES key information """
scouts = []
# Dynamically generate Yara rules from watermark
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
rules = self.gen_yara_rules()
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
hitdata = scanner.address_space.zread(address, 8)
# Second hit from Yara rule is the 'FIRST_WI' string that we use to differentiate from Elite implants
# This is a wide string, so the second character is a '\x00' - the first hit is on the watermark that we want to use.
if hitdata[1] != "\x00":
scouts.append({"watermark":hitdata, "confidence":4, "pid":str(task.UniqueProcessId), "task":task, "process_name":str(task.ImageFileName), "address_space":scanner.address_space, "address":address, "implant_type":"Scout", "threat_actor":hit.rule.split('__')[2]})
return scouts示例6: scan
def scan(service_path, profile_name, queue_results):
# Find Yara signatures, if file is not available, we need to terminate.
yara_path = os.path.join(os.getcwd(), 'signatures.yar')
if not os.path.exists(yara_path):
yara_path = get_resource(os.path.join('rules', 'signatures.yar'))
if not os.path.exists(yara_path):
raise DetectorError("Unable to find a valid Yara signatures file!")
log.info("Selected Yara signature file at %s", yara_path)
# Retrieve adress space.
space = get_address_space(service_path, profile_name, yara_path)
if space == None:
log.info("Cannot generate address space")
else:
log.info("Address space: {0}, Base: {1}".format(space, space.base))
log.info("Profile: {0}, DTB: {1:#x}".format(space.profile, space.dtb))
rules = yara.compile(yara_path)
log.info("Starting yara scanner...")
matched = []
for process in tasks.pslist(space):
# Skip ourselves.
if process.UniqueProcessId == os.getpid():
continue
try:
process_name = process.ImageFileName
except:
process_name = ''
try:
try:
log.debug("Scanning process %s, pid: %d, ppid: %d, exe: %s, cmdline: %s",
process_name, process.UniqueProcessId, process.InheritedFromUniqueProcessId, process.ImagePathName, process.CommandLine)
except:
log.debug("Scanning process %s, pid: %d", process_name, process.UniqueProcessId)
for hit in rules.match(pid=process.UniqueProcessId):
log.warning("Process %s (pid: %d) matched: %s, Values:", process_name, process.UniqueProcessId, hit.rule)
for entry in hit.strings:
log.warning("\t%d, %s, %s", entry[0], entry[1], entry[2])
# We only store unique results, it's pointless to store results
# for the same rule.
if not hit.rule in matched:
# Add rule to the list of unique matches.
matched.append(hit.rule)
# Add match to the list of results.
queue_results.put(dict(
rule=hit.rule,
detection=hit.meta.get('detection'),
))
except Exception as e:
log.debug("Unable to scan process: %s", e)示例7: calculate
def calculate(self):
self.kernel_address_space = utils.load_as(self._config)
self.flat_address_space = utils.load_as(self._config, astype = 'physical')
if not(bool(self._config.DIR)):
debug.error("--dir needs to be present")
if not(bool(self._config.pid) ^ bool(self._config.eproc) ^ bool(self._config.fobj) ^ bool(self._config.pool)):
if not(bool(self._config.pid) or bool(self._config.eproc) or bool(self._config.fobj) or bool(self._config.pool)):
debug.error("exactly *ONE* of the options --pid, --eproc, --fobj or --pool must be specified (you have not specified _any_ of these options)")
else:
debug.error("exactly *ONE* of the options --pid, --eproc, --fobj or --pool must be specified (you have used _multiple_ such options)")
if bool(self._config.pid):
# --pid
eproc_matches = [ eproc for eproc in tasks.pslist(self.kernel_address_space) if eproc.UniqueProcessId == self._config.pid ]
if len(eproc_matches) != 1:
debug.error("--pid needs to take a *VALID* PID argument (could not find PID {0} in the process listing for this memory image)".format(self._config.pid))
return self.dump_from_eproc(eproc_matches[0])
elif bool(self._config.eproc):
# --eproc
return self.dump_from_eproc(obj.Object("_EPROCESS", offset = self._config.eproc, vm = self.kernel_address_space))
elif bool(self._config.fobj):
# --fobj
try:
file_object = obj.Object("_FILE_OBJECT", offset = self._config.fobj, vm = self.flat_address_space)
if bool(self._config.reconstruct):
# --reconstruct
return [ (file_object, self.parse_string(file_object.FileName)) ]
else:
return filter(None, [ self.dump_file_object(file_object) ])
except ExportException as exn:
debug.error(exn)
else:
# --pool
return self.dump_from_pool()示例8: shimcache_xp
def shimcache_xp(address_space):
"""Enumerate entries from the shared memory section
on XP systems."""
seen = []
shim = lambda x : (x.Tag == "Vad " and
x.VadFlags.Protection == 4)
for process in tasks.pslist(address_space):
for vad, space in process.get_vads(vad_filter = shim):
if space.read(vad.Start, 4) != "\xEF\xBE\xAD\xDE":
continue
records = obj.Object("ShimRecords",
offset = vad.Start,
vm = space)
for entry in records.Entries:
if not entry.is_valid():
continue
entry_offset = space.vtop(entry.obj_offset)
if entry_offset in seen:
continue
seen.append(entry_offset)
yield entry.Path, entry.LastModified, entry.LastUpdate示例9: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
for task in self.filter_tasks(tasks.pslist(addr_space)):
task_space = task.get_process_address_space()
# We must have a process AS
if not task_space:
continue
winsock = None
# Locate the winsock DLL
for mod in task.get_load_modules():
if str(mod.BaseDllName or "").lower() == "ws2_32.dll":
winsock = mod
break
if not winsock:
continue
# Resolve the closesocket API
closesocket = winsock.getprocaddress("closesocket")
if not closesocket:
continue
for vad, process_space in task.get_vads(vad_filter=self._zeus_filter):
if obj.Object("_IMAGE_DOS_HEADER", offset=vad.Start, vm=process_space).e_magic != 0x5A4D:
continue
data = process_space.zread(vad.Start, vad.Length)
scanner = impscan.ImpScan(self._config).call_scan
calls = list(scanner(task_space, vad.Start, data))
for (_, iat_loc, call_dest) in calls:
if call_dest != closesocket:
continue
# Read the DWORD directly after closesocket
struct_base = obj.Object("Pointer", offset=iat_loc + 4, vm=task_space)
# To be valid, it must point within the vad segment
if struct_base < vad.Start or struct_base > (vad.Start + vad.End):
continue
# Grab the key data
key = task_space.read(struct_base + 0x2A, RC4_KEYSIZE)
# Greg's sanity check
if len(key) != RC4_KEYSIZE or key[-2:] != "\x00\x00":
continue
yield task, struct_base, key示例10: _pydeep_page
def _pydeep_page(self):
"""Run pydeep and return the hash"""
page_sig = None
try:
if self._config.SSDEEP_SIG:
# s = self._config.YARA_RULES
## Don't wrap hex or regex rules in quotes
# if s[0] not in ("{", "/"): s = '"' + s + '"'
## Scan for unicode strings
# if self._config.WIDE: s += "wide"
# rules = yara.compile(sources = {
#'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
# })
pass
elif self._config.SSDEEP_FILE:
# rules = yara.compile(self._config.YARA_FILE)
pass
elif self._config.SSDEEP_PIDOFF:
(pid, base) = self._config.SSDEEP_PIDOFF.split(":")
for proc in tasks.pslist(self._addr_space):
if proc.UniqueProcessId == int(pid):
process_space = proc.get_process_address_space()
page_data = process_space.zread(int(base, 16), 0x1000)
page_sig = pydeep.hash_buf(page_data)
if page_sig == "3::":
debug.error("PID XXX and OFFSET YYY null or not found")
else:
debug.error("You must specify an ssdeep hash (-Y), a file to hash (-y), or a PID:BASE pair (-T)")
except Exception as why:
debug.error("Cannot compile rules: {0}".format(str(why)))
return page_sig示例11: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
addr_space.profile.add_types(evt_log_types)
if addr_space.profile.metadata.get('major', 0) != 5:
print "This plugin only works on XP and 2K3"
return
if self._config.VERBOSE:
self.reset_current()
self.set_current("SYSTEM")
ssids = getservicesids.GetServiceSids.calculate(self)
for sid, service in ssids:
self.extrasids[sid] = " (Service: " + service + ")"
else:
for sid in self.extrasids:
self.extrasids[sid] = " (Service: " + self.extrasids[sid] + ")"
self.reset_current()
self.set_current("SOFTWARE")
for k1 in self.reg_enum_key('SOFTWARE', 'Microsoft\\Windows NT\\CurrentVersion\\ProfileList'):
val = self.reg_get_value('SOFTWARE', k1, 'ProfileImagePath')
sid = k1.split("\\")[-1]
if val != None:
self.extrasids[sid] = " (User: " + val.split("\\")[-1] + ")"
for proc in tasks.pslist(addr_space):
if str(proc.ImageFileName).lower() == "services.exe":
map = self.list_mapped_files(proc, pe_only=False, get_data=True)
for key, (name, buf) in map.items():
if name and buf:
name = str(name).lower()
if name.endswith(".evt"):
yield name, buf示例12: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
tasklist = []
modslist = []
if self._config.SCAN:
if not self._config.KERNEL_ONLY:
for t in filescan.PSScan(self._config).calculate():
v = self.virtual_process_from_physical_offset(addr_space, t.obj_offset)
if v:
tasklist.append(v)
if not self._config.PROCESS_ONLY:
modslist = [m for m in modscan.ModScan(self._config).calculate()]
else:
if not self._config.KERNEL_ONLY:
tasklist = [t for t in tasks.pslist(addr_space)]
if not self._config.PROCESS_ONLY:
modslist = [m for m in modules.lsmod(addr_space)]
for task in tasklist:
for mod in task.get_load_modules():
yield task, mod
for mod in modslist:
yield None, mod示例13: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
if not has_yara:
debug.error("You must install yara to use this plugin")
if not self._config.DUMP_DIR:
debug.error("You must supply a --dump-dir parameter")
if self._config.PHYSICAL:
# Find the FileAddressSpace
while addr_space.__class__.__name__ != "FileAddressSpace":
addr_space = addr_space.base
scanner = malfind.DiscontigYaraScanner(address_space = addr_space,
rules = DumpCerts.rules)
for hit, address in scanner.scan():
cert = obj.Object(DumpCerts.type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield None, cert
else:
for process in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = process, rules = DumpCerts.rules)
for hit, address in scanner.scan():
cert = obj.Object(DumpCerts.type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield process, cert示例14: calculate
def calculate(self):
eproc = {}
found = {}
cmdline = {}
pathname = {}
# Brute force search for eproc blocks in pool memory
for eprocess in filescan.PSScan(self._config).calculate():
eproc[eprocess.obj_offset] = eprocess
found[eprocess.obj_offset] = 1
# Walking the active process list.
# Remove any tasks we find here from the brute force search if the --short option is set.
# Anything left is something which was hidden/terminated/of interest.
address_space = utils.load_as(self._config)
for task in tasks.pslist(address_space):
phys = address_space.vtop(task.obj_offset)
if phys in eproc:
if self._config.SHORT:
del eproc[phys]
del found[phys]
else:
found[phys] = 0
# Grab command line and parameters
peb = task.Peb
if peb:
cmdline[phys] = peb.ProcessParameters.CommandLine
pathname[phys] = peb.ProcessParameters.ImagePathName
ret = [eproc, found, cmdline, pathname]
return ret示例15: calculate
def calculate(self):
if self._config.OUTPUT == "xlsx" and not has_openpyxl:
debug.error("You must install OpenPyxl for xlsx format:\n\thttps://bitbucket.org/ericgazoni/openpyxl/wiki/Home")
elif self._config.OUTPUT == "xlsx" and not self._config.OUTPUT_FILE:
debug.error("You must specify an output *.xlsx file!\n\t(Example: --output-file=OUTPUT.xlsx)")
addr_space = utils.load_as(self._config)
all_tasks = list(tasks.pslist(addr_space))
ps_sources = {}
# The keys are names of process sources. The values
# are dictionaries whose keys are physical process
# offsets and the values are _EPROCESS objects.
ps_sources['pslist'] = self.check_pslist(all_tasks)
ps_sources['psscan'] = self.check_psscan()
ps_sources['thrdproc'] = self.check_thrdproc(addr_space)
ps_sources['csrss'] = self.check_csrss_handles(all_tasks)
ps_sources['pspcid'] = self.check_pspcid(addr_space)
ps_sources['session'] = self.check_sessions(addr_space)
if addr_space.profile.metadata.get('major', 0) == 6 and addr_space.profile.metadata.get('minor', 0) >= 2:
ps_sources['deskthrd'] = {}
else:
ps_sources['deskthrd'] = self.check_desktop_thread(addr_space)
# Build a list of offsets from all sources
seen_offsets = []
for source in ps_sources.values():
for offset in source.keys():
if offset not in seen_offsets:
seen_offsets.append(offset)
yield offset, source[offset], ps_sources