

Python addrspace.BufferAddressSpace方法代码示例

本文整理汇总了Python中volatility.addrspace.BufferAddressSpace方法的典型用法代码示例。如果您正苦于以下问题:Python addrspace.BufferAddressSpace方法的具体用法?Python addrspace.BufferAddressSpace怎么用?Python addrspace.BufferAddressSpace使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在volatility.addrspace的用法示例。


在下文中一共展示了 addrspace.BufferAddressSpace 的15个代码示例（注意：BufferAddressSpace 是 volatility.addrspace 模块中的一个类，示例中均以构造函数方式调用，而非方法），这些例子默认根据受欢迎程度排序。这些示例取自 Volatility 2.x 系列的插件代码，按 Python 2 语义编写（例如以 str 字面量作为二进制 data 传入、依赖 `/` 的整数除法）；在 Python 3 下需要相应调整。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: start_time

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
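def start_time(self):
        """Return the process start time as a UnixTimeStamp object (UTC).

        p_start is read straight from the memory image, so for an exited
        process (see mac_dead_procs) the timeval may hold garbage.  A value
        that does not fit the 32-bit unsigned little-endian field yields ""
        instead of raising.

        @returns: a UnixTimeStamp object, or "" when p_start cannot be
                  packed into a 32-bit field.
        """
        usec_per_sec = 1000000

        start_time = self.p_start
        # Whole seconds only: the packed "<I" field has no room for a
        # fractional part.  The original used "/", which is integer division
        # only under Python 2 (and under Python 3 would produce a float that
        # struct.pack rejects, so every call would return "").  "//" gives
        # the same integer on both interpreters.
        start_secs = int(start_time.tv_sec) + int(start_time.tv_usec) // usec_per_sec

        # A negative value, or one above 0xFFFFFFFF, raises struct.error;
        # that is expected for dead processes whose struct was reused.
        try:
            data = struct.pack("<I", start_secs)
        except struct.error:
            return ""

        bufferas = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = data)
        return obj.Object("UnixTimeStamp", offset = 0, vm = bufferas, is_utc = True)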
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:21,代码来源:mac.py

示例2: calculate

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
def calculate(self):
        """Yield (raw_value, parsed_policy) for each Policy\\PolAdtEv value.

        The blob is taken from the SECURITY hive in the memory image and
        parsed with the AuditPolData* vtype that matches the profile's OS
        version.  A value that cannot be parsed is reported via debug.error.
        """
        addr_space = utils.load_as(self._config)
        regapi = registryapi.RegistryApi(self._config)
        regapi.reset_current()

        meta = addr_space.profile.metadata
        os_version = (meta.get('major', 0), meta.get('minor', 0))

        # The version does not change between values, so pick the vtype once.
        if os_version <= (5, 1):
            vtype = "AuditPolDataXP"
        elif os_version <= (6, 0):
            vtype = "AuditPolDataVista"
        elif os_version == (6, 1):
            vtype = "AuditPolData7"
        elif os_version in ((6, 2), (6, 3)):
            vtype = "AuditPolData8"
        else:
            vtype = "AuditPolData10"

        for _value, data_raw in regapi.reg_yield_values('security', 'Policy\\PolAdtEv', thetype = 'REG_NONE'):
            bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
            ap = obj.Object(vtype, offset = 0, vm = bufferas)
            # NOTE(review): kept as "== None" rather than "is None" — a failed
            # read may come back as a placeholder object that compares equal
            # to None without being None; confirm before tightening.
            if ap == None:
                debug.error("No AuditPol data found")

            yield data_raw, ap
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:27,代码来源:auditpol.py

示例3: parse_data_dict

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
def parse_data_dict(self, dat_raw):
        """Parse one raw UserAssist registry value into a dict.

        @param dat_raw: raw value bytes as read from the hive in memory
                        (untrusted; may be truncated).
        @returns: dict with keys "ID", "count", "focus", "time" and
                  "lastupdate", or None when dat_raw is shorter than the
                  _VOLUSER_ASSIST_TYPES layout.
        """
        item = {"ID": -1, "focus": -1, "time": "N/A"}
        bufferas = addrspace.BufferAddressSpace(self._config, data = dat_raw)
        uadata = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas)
        needed = bufferas.profile.get_obj_size('_VOLUSER_ASSIST_TYPES')
        # NOTE(review): "== None" kept deliberately; a failed read may be a
        # placeholder that only compares equal to None.
        if len(dat_raw) < needed or uadata == None:
            return None

        if hasattr(uadata, "ID"):
            item["ID"] = int(uadata.ID)

        if hasattr(uadata, "Count"):
            item["count"] = int(uadata.Count)
        else:
            # Presumably an older layout whose count is stored offset by five.
            raw_count = uadata.CountStartingAtFive
            item["count"] = int(raw_count if raw_count < 5 else raw_count - 5)

        if hasattr(uadata, "FocusCount"):
            # FocusTime is treated as milliseconds and rounded to seconds.
            seconds = (uadata.FocusTime + 500) / 1000.0
            if seconds > 0:
                focused = datetime.timedelta(seconds = seconds)
            else:
                focused = uadata.FocusTime
            item["focus"] = int(uadata.FocusCount)
            item["time"] = str(focused)

        item["lastupdate"] = str(uadata.LastUpdated)
        return item
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:24,代码来源:userassist.py

示例4: parse_data

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
def parse_data(self, dat_raw):
        """Render one raw UserAssist registry value as multi-line text.

        @param dat_raw: raw value bytes from the hive in memory (untrusted).
        @returns: the formatted text, or None when dat_raw is shorter than
                  the _VOLUSER_ASSIST_TYPES layout.
        """
        bufferas = addrspace.BufferAddressSpace(self._config, data = dat_raw)
        uadata = obj.Object("_VOLUSER_ASSIST_TYPES", offset = 0, vm = bufferas)
        needed = bufferas.profile.get_obj_size('_VOLUSER_ASSIST_TYPES')
        # NOTE(review): "== None" kept deliberately; a failed read may be a
        # placeholder that only compares equal to None.
        if len(dat_raw) < needed or uadata == None:
            return None

        parts = []
        if hasattr(uadata, "ID"):
            parts.append("\n{0:15} {1}".format("ID:", uadata.ID))

        if hasattr(uadata, "Count"):
            parts.append("\n{0:15} {1}".format("Count:", uadata.Count))
        else:
            # Presumably an older layout whose count is stored offset by five.
            raw_count = uadata.CountStartingAtFive
            parts.append("\n{0:15} {1}".format("Count:", raw_count if raw_count < 5 else raw_count - 5))

        if hasattr(uadata, "FocusCount"):
            # FocusTime is treated as milliseconds and rounded to seconds.
            seconds = (uadata.FocusTime + 500) / 1000.0
            if seconds > 0:
                focused = datetime.timedelta(seconds = seconds)
            else:
                focused = uadata.FocusTime
            parts.append("\n{0:15} {1}\n{2:15} {3}".format("Focus Count:", uadata.FocusCount, "Time Focused:", focused))

        parts.append("\n{0:15} {1}\n".format("Last updated:", uadata.LastUpdated))
        return "".join(parts)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:22,代码来源:userassist.py

示例5: __str__

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
def __str__(self):
        """One-line rendering: creation, modified, MFT-altered and accessed
        times followed by the file name with unprintable characters removed.

        The timestamps are decoded from the MFT entry in memory; a field
        whose decode raises struct.error is shown as the all-zero
        WinTimeStamp so one corrupt entry does not abort the listing.
        NOTE(review): only struct.error is caught, as in the original; other
        decode failures still propagate.
        """
        bufferas = addrspace.BufferAddressSpace(self.obj_vm._config, data = "\x00\x00\x00\x00\x00\x00\x00\x00")
        nulltime = obj.Object("WinTimeStamp", vm = bufferas, offset = 0, is_utc = True)

        def stamp(field):
            # getattr stays inside the try so a failing field read is
            # handled exactly like a failing str() conversion.
            try:
                return str(getattr(self, field))
            except struct.error:
                return nulltime

        modified = stamp("ModifiedTime")
        mftaltered = stamp("MFTAlteredTime")
        creation = stamp("CreationTime")
        accessed = stamp("FileAccessedTime")
        name = self.remove_unprintable(self.get_name())

        return "{0:20} {1:30} {2:30} {3:30} {4}".format(creation, modified, mftaltered, accessed, name)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:24,代码来源:mftparser.py

示例6: __str__

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
def __str__(self):
        """One-line rendering: creation, modified, MFT-altered and accessed
        times followed by the attribute type.

        The timestamps are decoded from the MFT entry in memory; a field
        whose decode raises struct.error is shown as the all-zero
        WinTimeStamp so one corrupt entry does not abort the listing.
        NOTE(review): only struct.error is caught, as in the original; other
        decode failures still propagate.
        """
        bufferas = addrspace.BufferAddressSpace(self.obj_vm._config, data = "\x00\x00\x00\x00\x00\x00\x00\x00")
        nulltime = obj.Object("WinTimeStamp", vm = bufferas, offset = 0, is_utc = True)

        def stamp(field):
            # getattr stays inside the try so a failing field read is
            # handled exactly like a failing str() conversion.
            try:
                return str(getattr(self, field))
            except struct.error:
                return nulltime

        modified = stamp("ModifiedTime")
        mftaltered = stamp("MFTAlteredTime")
        creation = stamp("CreationTime")
        accessed = stamp("FileAccessedTime")

        return "{0:20} {1:30} {2:30} {3:30} {4}".format(creation, modified, mftaltered, accessed, self.get_type())
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:23,代码来源:mftparser.py

示例7: calculate

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
def calculate(self):
        """Yield (raw_value, parsed_policy) for each Policy\\PolAdtEv value.

        The blob is taken from the SECURITY hive in the memory image and
        parsed with the AuditPolData* vtype for the profile's OS version
        (XP, Vista, or Windows 7 and later).  A value that cannot be parsed
        is reported via debug.error.
        """
        addr_space = utils.load_as(self._config)
        regapi = registryapi.RegistryApi(self._config)
        regapi.reset_current()

        meta = addr_space.profile.metadata
        os_version = (meta.get('major', 0), meta.get('minor', 0))

        # The version does not change between values, so pick the vtype once.
        if os_version <= (5, 1):
            vtype = "AuditPolDataXP"
        elif os_version <= (6, 0):
            vtype = "AuditPolDataVista"
        else:
            vtype = "AuditPolData7"

        for _value, data_raw in regapi.reg_yield_values('security', 'Policy\\PolAdtEv', thetype = 'REG_NONE'):
            bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
            ap = obj.Object(vtype, offset = 0, vm = bufferas)
            # NOTE(review): kept as "== None" rather than "is None" — a failed
            # read may come back as a placeholder object that compares equal
            # to None without being None; confirm before tightening.
            if ap == None:
                debug.error("No AuditPol data found")

            yield data_raw, ap
开发者ID:vortessence,项目名称:vortessence,代码行数:21,代码来源:auditpol.py

示例8: get_sid_string

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
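def get_sid_string(self, data):
        """Take a buffer of data from the event record
        and parse it as a SID.

        @param data: buffer of data from SidOffset of the
        event record to SidOffset + SidLength.  It comes straight from the
        event log in memory and is untrusted: it may be truncated or carry
        an arbitrary SubAuthorityCount.

        @returns: sid string ("S-<revision>-<authority>-<sub>-..."), with a
        " (<name>)" suffix when the SID is well known or was seen earlier.
        """
        bufferas = addrspace.BufferAddressSpace(self._config, data = data)
        sid = obj.Object("_SID", offset = 0, vm = bufferas)

        # The identifier authority is a 6-byte big-endian integer
        # ([MS-DTYP] 2.4.1.1).  The previous loop kept only the last byte,
        # which matches for the usual authorities (0..5, 9, 11, 12, 15, 16,
        # ...) but is wrong for any value >= 256; folding every byte gives
        # the same string for the former and a correct one for the latter.
        # It also no longer fails with an unbound local when Value is empty.
        # NOTE(review): assumes Value iterates the bytes most significant
        # first — confirm against the _SID vtype definition.
        id_auth = 0
        for byte in sid.IdentifierAuthority.Value:
            id_auth = (id_auth << 8) | int(byte)

        sid_string = "S-" + "-".join(str(i) for i in (sid.Revision, id_auth) + tuple(sid.SubAuthority))

        if sid_string in getsids.well_known_sids:
            sid_name = " ({0})".format(getsids.well_known_sids[sid_string])
        else:
            sid_name_re = getsids.find_sid_re(sid_string, getsids.well_known_sid_re)
            if sid_name_re:
                sid_name = " ({0})".format(sid_name_re)
            else:
                # SIDs collected earlier in this run (e.g. from the hives).
                sid_name = self.extrasids.get(sid_string, "")
        return sid_string + sid_name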
开发者ID:vortessence,项目名称:vortessence,代码行数:27,代码来源:evtlogs.py

示例9: __init__

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
def __init__(self, window_size = 8):
        """Set up the check with an all-zero 1 KiB scratch address space.

        @param window_size: stored for use by the check's other methods
                            (outside this block).
        """
        zero_buffer = '\x00' * 1024
        self.buffer = addrspace.BufferAddressSpace(conf.DummyConfig(), data = zero_buffer)
        self.window_size = window_size
        self.constraints = []
        # Counts errors seen while scanning; starts clean.
        self.error_count = 0
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:8,代码来源:scan.py

示例10: format_value

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
def format_value(self, value, fmt):
        """ Formats an individual field using the table formatting codes"""
        # The throw-away BufferAddressSpace is only used to reach the
        # current profile, which _formatlookup needs to resolve the spec.
        profile = addrspace.BufferAddressSpace(self._config).profile
        spec = self._formatlookup(profile, fmt)
        template = "{0:" + spec + "}"
        return template.format(value)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:6,代码来源:commands.py

示例11: table_header

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
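def table_header(self, outfd, title_format_list = None):
        """Table header renders the title row of a table

           This also stores the header types to ensure
           everything is formatted appropriately.
           It must be a list of tuples rather than a dict for ordering purposes.

           @param outfd: output stream; when falsy nothing is written but
                         self._formatlist is still rebuilt.
           @param title_format_list: list of (title, format-code) tuples.
                         None (the advertised default) is treated as an empty
                         list rather than failing with a TypeError in the loop.
        """
        titles = []
        rules = []
        self._formatlist = []
        # The BufferAddressSpace is only a way to reach the current profile.
        profile = addrspace.BufferAddressSpace(self._config).profile

        for (k, v) in (title_format_list or []):
            spec = fmtspec.FormatSpec(self._formatlookup(profile, v))
            # If spec.minwidth = -1, this field is unbounded length
            if spec.minwidth != -1:
                spec.minwidth = max(spec.minwidth, len(k))

            # Get the title specification to follow the alignment of the field
            titlespec = fmtspec.FormatSpec(formtype = 's', minwidth = max(spec.minwidth, len(k)))
            titlespec.align = spec.align if spec.align in "<>^" else "<"

            # Add this to the titles, rules, and formatspecs lists
            titles.append(("{0:" + titlespec.to_string() + "}").format(k))
            rules.append("-" * titlespec.minwidth)
            self._formatlist.append(spec)

        # Write out the titles and line rules
        if outfd:
            outfd.write(self.tablesep.join(titles) + "\n")
            outfd.write(self.tablesep.join(rules) + "\n")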
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:33,代码来源:commands.py

示例12: time_object

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
def time_object(self):
        """Wrap the entry's epoch timestamp in a UnixTimeStamp object (UTC).

        NOTE(review): time_as_integer is recovered from the bash history in
        memory; a value outside 0..2**32-1 makes struct.pack raise
        struct.error, which is not caught here (mac.py's start_time returns
        "" in that case) — consider catching it at the caller.
        """
        epoch_secs = self.time_as_integer
        packed = struct.pack("<I", epoch_secs)
        time_buf = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = packed)
        return obj.Object("UnixTimeStamp", offset = 0, vm = time_buf, is_utc = True)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:9,代码来源:bash.py

示例13: as_timestamp

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
def as_timestamp(self):
        """Return tv_sec wrapped in a UnixTimeStamp object (UTC).

        Only the whole-second field is used.
        NOTE(review): a tv_sec outside 0..2**32-1 (negative, or beyond 2038)
        makes struct.pack raise struct.error, which is not caught here.
        """
        packed = struct.pack("<I", self.tv_sec)
        time_buf = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = packed)
        return obj.Object("UnixTimeStamp", offset = 0, vm = time_buf, is_utc = True)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:8,代码来源:linux.py

示例14: get_time

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
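def get_time(self):
        """Return base_calendartime as a UnixTimeStamp object (UTC).

        @returns: a UnixTimeStamp, or "N/A" when the object has no
                  base_calendartime field or its value does not fit the
                  32-bit field (negative / above 0xFFFFFFFF).  The field is
                  read from the memory image, so garbage is expected for
                  freed or partially overwritten objects.
        """
        if not hasattr(self, "base_calendartime"):
            return "N/A"

        # Without this guard one bad object would abort the whole plugin
        # run with struct.error; report it like a missing field instead
        # (same approach as start_time in mac.py).
        try:
            data = struct.pack("<I", self.base_calendartime)
        except struct.error:
            return "N/A"

        bufferas = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = data)
        return obj.Object("UnixTimeStamp", offset = 0, vm = bufferas, is_utc = True)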
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:11,代码来源:mac.py

示例15: flags

# 需要导入模块: from volatility import addrspace [as 别名]
# 或者: from volatility.addrspace import BufferAddressSpace [as 别名]
def flags(self):
        """Returns the file's flags"""
        # Only bits permitted by FileFlagsMask are meaningful; mask first,
        # then hand the packed dword to a Flags object that names each bit.
        masked = self.FileFlags & self.FileFlagsMask
        packed = struct.pack('=I', masked)
        flag_as = addrspace.BufferAddressSpace(self.obj_vm.get_config(), 0, packed)
        bit_names = {
            'Debug': 0,
            'Prerelease': 1,
            'Patched': 2,
            'Private Build': 3,
            'Info Inferred': 4,
            'Special Build': 5,
        }
        return obj.Object('Flags', offset = 0, vm = flag_as, bitmap = bit_names)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:14,代码来源:pe_vtypes.py

