本文整理汇总了Python中volatility.addrspace.BaseAddressSpace方法的典型用法代码示例。如果您正苦于以下问题:Python addrspace.BaseAddressSpace方法的具体用法?Python addrspace.BaseAddressSpace怎么用?Python addrspace.BaseAddressSpace使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类volatility.addrspace的用法示例。
在下文中一共展示了addrspace.BaseAddressSpace方法的10个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: __init__
# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BaseAddressSpace [as 别名]
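def __init__(self, base, config, layered = False, **kwargs):
    """Open the file-backed memory image named by ``config.LOCATION``.

    Args:
        base: the address space below this one. A file image is normally
            the bottom of the stack, so this must be ``None`` unless
            ``layered`` is set.
        config: configuration object; ``LOCATION`` (a ``file://`` URL) and
            ``WRITE`` are read here.
        layered: allow this space to sit on top of another one.
        **kwargs: passed through to ``BaseAddressSpace.__init__``.

    Raises:
        the address-space assertion error produced by ``as_assert`` when a
        base is present without ``layered``, when ``LOCATION`` is not a
        ``file://`` URL, or when the named path does not exist.
    """
    addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
    self.as_assert(base is None or layered, 'Must be first Address Space')
    self.as_assert(config.LOCATION.startswith("file://"), 'Location is not of file scheme')
    # Strip the scheme by its length instead of a hard-coded 7, then undo any
    # percent-encoding in the remainder.
    path = urllib.url2pathname(config.LOCATION[len("file://"):])
    self.as_assert(os.path.exists(path), 'Filename must be specified and exist')
    self.name = os.path.abspath(path)
    self.fname = self.name
    # 'rb+' makes the evidence image itself writable; it is only selected when
    # the WRITE option was explicitly enabled in the configuration.
    self.mode = 'rb+' if config.WRITE else 'rb'
    self.fhandle = open(self.fname, self.mode)
    # Size is taken by seeking to the end; the handle stays open for the
    # lifetime of the address space, as reads go through it later.
    self.fhandle.seek(0, os.SEEK_END)
    self.fsize = self.fhandle.tell()
    # Native-endian 32-bit word reader for callers that need it.
    self._long_struct = struct.Struct("=I")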
# Abstract Classes cannot register options, and since this checks config.WRITE in __init__, we define the option here
示例2: print_info
# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BaseAddressSpace [as 别名]
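def print_info():
    """Print every registered plugin class, grouped by category.

    For each category (address spaces, plugins, profiles, scanner checks) the
    registered classes are listed alphabetically together with the first line
    of their docstring. Output goes to stdout; nothing is returned.
    """
    categories = {addrspace.BaseAddressSpace: 'Address Spaces',
                  commands.Command: 'Plugins',
                  obj.Profile: 'Profiles',
                  scan.ScannerCheck: 'Scanner Checks'}
    # sorted() orders the items by the class objects themselves.
    for c, n in sorted(categories.items()):
        # Only the command registry is queried with lower=True.
        lower = (c == commands.Command)
        plugins = registry.get_plugin_classes(c, lower = lower)
        print("\n")
        print("{0}".format(n))
        print("-" * len(n))
        result = []
        for clsname, cls in sorted(plugins.items()):
            # A class with no docstring (AttributeError on None) or with a
            # whitespace-only docstring (splitlines() is empty, IndexError)
            # has no first line to show.
            try:
                doc = cls.__doc__.strip().splitlines()[0]
            except (AttributeError, IndexError):
                doc = 'No docs'
            result.append((clsname, doc))
        # Column width for the name field; 0 when the category is empty.
        max_length = max([0] + [len(name) for name, _ in result])
        for (name, doc) in result:
            print("{0:{2}} - {1:15}".format(name, doc, max_length))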
示例3: __init__
# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BaseAddressSpace [as 别名]
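def __init__(self, base, config, hive_addr, **kwargs):
    """Address space over the registry hive whose ``_HHIVE`` is at ``hive_addr``.

    Args:
        base: the kernel address space the hive structure is read from.
        config: configuration object, passed to ``BaseAddressSpace``.
        hive_addr: offset of the ``_HHIVE`` structure in ``base``.
        **kwargs: accepted for interface compatibility; not forwarded.
    """
    addrspace.BaseAddressSpace.__init__(self, base, config)
    self.hive = obj.Object("_HHIVE", hive_addr, base)
    # Win10_17063 introduced the Registry process, change base to its address space
    meta = self.profile.metadata
    version = (meta.get("major", 0), meta.get("minor", 0), meta.get("build", 0))
    if version >= (6, 4, 17063):
        # Initialise before the search: without this, an image where no
        # Registry process is found raised UnboundLocalError at the check
        # below instead of falling through to the warning.
        reg_proc = None
        for t in win32.tasks.pslist(self.base):
            # Match on both the image name and a parent PID of 4 (the System
            # process); presumably so that an arbitrary process merely named
            # "Registry" is not selected.
            if str(t.ImageFileName) == "Registry" and int(t.InheritedFromUniqueProcessId) == 4:
                reg_proc = t
                break
        if reg_proc:
            self.base = reg_proc.get_process_address_space()
        else:
            ## If we get here we couldn't find the Registry process so address translation
            ## probably won't work
            debug.warning("Couldn't locate Registry process. Registry address translation may fail.")
    else:
        self.base = base
    self.baseblock = self.hive.BaseBlock.v()
    self.flat = self.hive.Flat.v() > 0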
示例4: __init__
# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BaseAddressSpace [as 别名]
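def __init__(self, base, config, layered = False, **kwargs):
    """Open the raw image file given by ``config.LOCATION`` as the bottom address space.

    Args:
        base: the space below this one; must be ``None`` unless ``layered``.
        config: configuration object; ``LOCATION`` (``file://`` URL) and
            ``WRITE`` are consulted.
        layered: permit stacking on another address space.
        **kwargs: forwarded to ``BaseAddressSpace.__init__``.

    Raises:
        the assertion error raised by ``as_assert`` for a non-None base
        without ``layered``, a non-``file://`` location, or a missing path.
    """
    addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
    self.as_assert(base is None or layered, 'Must be first Address Space')
    self.as_assert(config.LOCATION.startswith("file://"), 'Location is not of file scheme')
    # Drop the scheme by its own length (not a magic 7) before unquoting.
    path = urllib.url2pathname(config.LOCATION[len("file://"):])
    self.as_assert(os.path.exists(path), 'Filename must be specified and exist')
    self.name = os.path.abspath(path)
    self.fname = self.name
    # Opening 'rb+' allows the evidence file to be modified; this mode is
    # chosen only when WRITE was explicitly enabled.
    self.mode = 'rb+' if config.WRITE else 'rb'
    self.fhandle = open(self.fname, self.mode)
    # Determine the image size by seeking to the end; the handle is kept
    # open because later reads use it.
    self.fhandle.seek(0, os.SEEK_END)
    self.fsize = self.fhandle.tell()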
# Abstract Classes cannot register options, and since this checks config.WRITE in __init__, we define the option here
示例5: load_as
# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BaseAddressSpace [as 别名]
def load_as(config, astype = 'virtual', **kwargs):
    """Loads an address space by stacking valid ASes on top of each other (priority order first).

    Every registered BaseAddressSpace subclass is offered the current stack
    (``base_as``) in ``order`` priority (classes without ``order`` rank 10);
    the first one that instantiates becomes the new top and a fresh round
    starts. A full round in which no class accepts ends the loop. Every
    refusal is recorded in ``error`` (an AddrSpaceError) under the class name.

    NOTE(review): this listing ends with the loop; the final selection of
    ``base_as`` and the return/raise are not shown here.
    """
    base_as = None
    error = exceptions.AddrSpaceError()
    # Start off requiring another round
    found = True
    ## A full iteration through all the classes without anyone
    ## selecting us means we are done:
    while found:
        debug.debug("Voting round")
        found = False
        for cls in sorted(registry.get_plugin_classes(addrspace.BaseAddressSpace).values(),
                          key = lambda x: x.order if hasattr(x, 'order') else 10):
            debug.debug("Trying {0} ".format(cls))
            try:
                base_as = cls(base_as, config, astype = astype, **kwargs)
                debug.debug("Succeeded instantiating {0}".format(base_as))
                found = True
                break
            except addrspace.ASAssertionError, e:
                # An as_assert failure is an ordinary "not me" vote.
                # The trailing 2 is presumably a verbosity level — confirm.
                debug.debug("Failed instantiating {0}: {1}".format(cls.__name__, e), 2)
                error.append_reason(cls.__name__, e)
                continue
            except Exception, e:
                # Any other failure while a class inspects the (untrusted)
                # image is also treated as a refusal, tagged as an exception,
                # so one broken parser does not abort the whole round.
                debug.debug("Failed instantiating (exception): {0}".format(e))
                error.append_reason(cls.__name__ + " - EXCEPTION", e)
                continue
示例6: __init__
# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BaseAddressSpace [as 别名]
def __init__(self, base, config, hive_addr, **kwargs):
    """Address space for the registry hive whose ``_HHIVE`` lives at ``hive_addr`` in ``base``.

    Args:
        base: address space the hive structure is read from; also kept as
            ``self.base``.
        config: configuration object, handed to ``BaseAddressSpace``.
        hive_addr: offset of the ``_HHIVE`` in ``base``.
        **kwargs: accepted but not forwarded.
    """
    addrspace.BaseAddressSpace.__init__(self, base, config)
    self.base = base
    hive = obj.Object("_HHIVE", hive_addr, base)
    self.hive = hive
    self.baseblock = hive.BaseBlock.v()
    self.flat = (hive.Flat.v() > 0)
示例7: __getstate__
# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BaseAddressSpace [as 别名]
def __getstate__(self):
    """Return the pickled state: the parent's state plus the hive's offset.

    The offset is stored under ``hive_addr`` so the ``_HHIVE`` object can be
    recreated on restore instead of being pickled itself.
    """
    state = addrspace.BaseAddressSpace.__getstate__(self)
    state['hive_addr'] = self.hive.obj_offset
    return state
示例8: get_config
# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BaseAddressSpace [as 别名]
def get_config(profile, target_path):
    """Build a ConfObject that analyses ``target_path`` with ``profile``.

    Global options of the command and address-space registries are registered
    before the command line is parsed; PROFILE and LOCATION are then set
    programmatically.

    NOTE(review): ``target_path`` is interpolated into the ``file://`` URL
    without percent-encoding, while the file address spaces decode LOCATION
    with ``url2pathname`` — a path containing ``%`` would be altered. Confirm
    callers never pass one.
    """
    cfg = conf.ConfObject()
    for option_owner in (commands.Command, addrspace.BaseAddressSpace):
        registry.register_global_options(cfg, option_owner)
    cfg.parse_options()
    cfg.PROFILE = profile
    cfg.LOCATION = "file://{0}".format(target_path)
    return cfg
示例9: __init__
# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BaseAddressSpace [as 别名]
def __init__(self, base, config, layered=False, **kwargs):
    """Attach to a live virtual machine through LibVMI.

    ``config.LOCATION`` must be ``vmi://<domain>``; the domain name is handed
    to ``Libvmi``. CR3 of vCPU 0 is read into ``self.dtb`` so the layers above
    do not have to search for a page-table base.

    Args:
        base: space below this one; must be ``None`` unless ``layered``.
        config: configuration object providing ``LOCATION``.
        layered: permit stacking on another address space.
        **kwargs: forwarded to ``BaseAddressSpace.__init__``.
    """
    self.as_assert(libvmi, "The LibVMI python bindings must be installed")
    addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
    self.as_assert(base is None or layered, 'Must be first Address Space')
    scheme = "vmi://"
    self.as_assert(config.LOCATION.startswith(scheme),
                   "Location doesn't start with vmi://")
    domain = config.LOCATION[len(scheme):]
    # partial=True: meaning defined by the Libvmi bindings — TODO confirm
    self.vmi = Libvmi(domain, partial=True)
    self.dtb = self.vmi.get_vcpureg(X86Reg.CR3.value, 0)
示例10: __init__
# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BaseAddressSpace [as 别名]
def __init__(self, base, config, **kwargs):
    """Address space over a Windows hibernation file held in ``base``.

    Reads the PO_MEMORY_IMAGE header at offset 0, checks its signature, takes
    the entry count and processor-state page from the profile's VolMagic,
    reads CR3 from the saved processor state, and finally builds the page
    cache that later reads go through.

    Args:
        base: the underlying address space; asserted to be non-empty.
        config: configuration object, passed to BaseAddressSpace.
        **kwargs: forwarded to BaseAddressSpace.__init__.

    Raises:
        the address-space assertion error from ``as_assert`` when there is no
        base, the profile lacks PO_MEMORY_IMAGE, or no xpress table page is
        found.
    """
    self.as_assert(base, "No base Address Space")
    addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
    # Page bookkeeping; populated by build_page_cache() at the end.
    self.runs = []
    self.PageDict = {}
    self.HighestPage = 0
    self.PageIndex = 0
    self.AddressList = []
    self.LookupCache = {}
    # Presumably a bounded cache of 50 pages — verify Store's semantics.
    self.PageCache = Store(50)
    self.MemRangeCnt = 0
    # Placeholder until the profile's VolMagic value replaces it below.
    self.entry_count = 0xFF
    self._long_struct = struct.Struct("=I")
    # Extract header information
    self.as_assert(self.profile.has_type("PO_MEMORY_IMAGE"), "PO_MEMORY_IMAGE is not available in profile")
    self.header = obj.Object('PO_MEMORY_IMAGE', 0, base)
    ## Is the signature right?
    # A bad signature does not abort here: the header becomes a NoneObject and
    # the as_assert on _get_first_table_page() below still runs.
    if self.header.Signature.lower() not in ['hibr', 'wake']:
        self.header = obj.NoneObject("Invalid hibernation header")
    volmag = obj.VolMagic(base)
    self.entry_count = volmag.HibrEntryCount.v()
    PROC_PAGE = volmag.HibrProcPage.v()
    # Check it's definitely a hibernation file
    # Relies on self.header and self.entry_count already being set above.
    self.as_assert(self._get_first_table_page() is not None, "No xpress signature found")
    # Extract processor state
    # PROC_PAGE is a page number; multiplying by 4096 gives the byte offset.
    self.ProcState = obj.Object("_KPROCESSOR_STATE", PROC_PAGE * 4096, base)
    ## This is a pointer to the page table - any ASs above us dont
    ## need to search for it.
    self.dtb = self.ProcState.SpecialRegisters.Cr3.v()
    # This is a lengthy process, it was cached, but it may be best to delay this
    # until it's absolutely necessary and/or convert it into a generator...
    self.build_page_cache()