

Python debug.debug方法代码示例

本文整理汇总了Python中volatility.debug.debug方法的典型用法代码示例。如果您正苦于以下问题:Python debug.debug方法的具体用法?Python debug.debug怎么用?Python debug.debug使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在volatility.debug的用法示例。


在下文中一共展示了debug.debug方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: get_winlogon_registrations

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
def get_winlogon_registrations(self):
        """Collect Winlogon ``Notify`` package registrations from the SOFTWARE hive.

        Every subkey of ``Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify``
        is handed to ``parse_winlogon_registration_key``.  Unless
        ``self._config.VERBOSE`` is set, entries whose DLL file name (last path
        component of the parsed ``dllname``) is listed in
        ``WINLOGON_REGISTRATION_KNOWN_DLLS`` are dropped.

        Returns:
            list: the parsed entries gathered so far.  An exception while
            walking the hive is reported through ``debug.warning`` and the
            partial list is returned.
        """
        debug.debug('Started get_winlogon_registrations()')
        notify_key = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"
        collected = []

        try:
            self.regapi.reset_current()
            for sk in self.regapi.reg_get_all_subkeys(hive_name='software', key=notify_key):
                entry = self.parse_winlogon_registration_key(sk)
                if not entry:
                    continue
                if self._config.VERBOSE:
                    collected.append(entry)
                    continue
                dll_file = entry[0].split('\\')[-1]
                if dll_file not in WINLOGON_REGISTRATION_KNOWN_DLLS:
                    collected.append(entry)
        except Exception as e:
            debug.warning('get_winlogon_registrations() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))

        debug.debug('Finished get_winlogon_registrations()')
        return collected

    # Returns None or (str(dllname), [(str(trigger), str(event))], key.LastWriteTime, key path, [int(pids)])
开发者ID:tomchop,项目名称:volatility-autoruns,代码行数:22,代码来源:autoruns.py

示例2: parse_winlogon_registration_key

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
def parse_winlogon_registration_key(self, key):
        """Parse one Winlogon ``Notify`` subkey.

        The key's values are scanned once: ``DllName`` (matched
        case-insensitively) names the notification package and triggers a PID
        lookup through ``find_pids_for_imagepath``; values whose name is in
        ``WINLOGON_NOTIFICATION_EVENTS`` are collected as ``(event, handler)``
        pairs.  NUL characters are stripped from every value's data.

        Args:
            key: registry key object of the subkey to parse.

        Returns:
            ``None`` when no ``DllName`` value was found, otherwise
            ``(dllname, events, key.LastWriteTime, key_path, pids)``.  A failure
            while reading values is logged with ``debug.warning`` and whatever
            was parsed before it is used.
        """
        key_path = self.regapi.reg_get_key_path(key) or str(key.Name)
        dll_name = ""
        event_pairs = []
        owning_pids = []

        try:
            value_iter = self.regapi.reg_yield_values(hive_name=None, key=None, given_root=key)
            for raw_name, raw_data in value_iter:
                name = str(raw_name or '')
                data = str(raw_data or '').replace('\x00', '')

                if name.lower() == 'dllname':
                    dll_name = data
                    owning_pids = self.find_pids_for_imagepath(dll_name)
                elif name in WINLOGON_NOTIFICATION_EVENTS:
                    event_pairs.append((name, data))
        except Exception as e:
            debug.warning('Failed while parsing {}. Exception: {} {}'.format(key_path, type(e).__name__, e.args))

        if not dll_name:
            return None
        return (dll_name, event_pairs, key.LastWriteTime, key_path, owning_pids)

    # Returns [] or a list of tuples(val_name, val_data, key.LastWriteTime, expected_val_data, [int(pids)]) 
开发者ID:tomchop,项目名称:volatility-autoruns,代码行数:27,代码来源:autoruns.py

示例3: get_winlogon

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
def get_winlogon(self):
        """Read the well-known Winlogon values from the SOFTWARE hive.

        Opens ``Microsoft\\Windows NT\\CurrentVersion\\Winlogon`` and keeps
        every non-empty value whose name is a key of ``WINLOGON_COMMON_VALUES``.
        NUL characters are stripped from the value data before it is used or
        passed to ``find_pids_for_imagepath``.

        Returns:
            list: tuples ``(val_name, val_data, key.LastWriteTime,
            WINLOGON_COMMON_VALUES[val_name], winlogon_key_path, pids)``
            gathered so far; a failure while reading is logged through
            ``debug.warning`` and the partial list is returned.
        """
        debug.debug('Started get_winlogon()')
        winlogon_key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
        entries = []

        try:
            self.regapi.reset_current()
            key = self.regapi.reg_get_key(hive_name='software', key=winlogon_key_path)
            values = self.regapi.reg_yield_values(hive_name=None, key=None, given_root=key) if key else []
            for raw_name, raw_data in values:
                name = str(raw_name or '')
                data = str(raw_data or '').replace('\x00', '')
                if not data or name not in WINLOGON_COMMON_VALUES:
                    continue
                owners = self.find_pids_for_imagepath(data)
                entries.append((name, data, key.LastWriteTime, WINLOGON_COMMON_VALUES[name], winlogon_key_path, owners))
        except Exception as e:
            debug.warning('get_winlogon() failed to complete. Exception: {} {}'.format(type(e).__name__, e.args))

        debug.debug('Finished get_winlogon()')
        return entries

    # Returns [] or a list of tuples from parse_service_key() 
开发者ID:tomchop,项目名称:volatility-autoruns,代码行数:27,代码来源:autoruns.py

示例4: get_services

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
def get_services(self):
        """Enumerate services under ``<currentcs>\\Services`` in the SYSTEM hive.

        Each service subkey is parsed with ``parse_service_key``.  Unless
        ``self._config.VERBOSE`` is set, services whose image path (index 5 of
        the parsed tuple) contains ``system32`` are filtered out.

        Returns:
            list: parsed service tuples gathered so far; a failure while
            walking the hive is reported through ``debug.warning`` and the
            partial list is returned.
        """
        debug.debug('Started get_services()')
        service_key_path = "{}\\Services".format(self.currentcs)
        found = []

        try:
            self.regapi.reset_current()
            service_keys = self.regapi.reg_get_all_subkeys(hive_name='system', key=service_key_path)
            for service_sk in service_keys:
                parsed = self.parse_service_key(service_sk)
                if not parsed:
                    continue
                if self._config.VERBOSE or 'system32' not in parsed[5].lower():
                    found.append(parsed)
        except Exception as e:
            debug.warning('get_services() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))

        debug.debug('Finished get_services()')
        return found

    # Returns None or (key_path, timestamp, display_name, SERVICE_STARTUP[startup], SERVICE_TYPES[type], image_path, service_dll, [int(pids)]) 
开发者ID:tomchop,项目名称:volatility-autoruns,代码行数:22,代码来源:autoruns.py

示例5: get_activesetup

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
def get_activesetup(self):
        """Collect Active Setup entries from the SOFTWARE hive.

        Every subkey of ``ACTIVE_SETUP_KEY`` is handed to
        ``parse_activesetup_keys``; falsy results are skipped.

        Returns:
            list: parsed entries gathered so far; an exception while reading
            the hive is logged with ``debug.warning`` and the partial list is
            returned.
        """
        debug.debug('Started get_activesetup()')
        entries = []

        try:
            self.regapi.reset_current()
            subkeys = self.regapi.reg_get_all_subkeys(hive_name='software', key=ACTIVE_SETUP_KEY)
            for sk in subkeys:
                parsed = self.parse_activesetup_keys(sk)
                if parsed:
                    entries.append(parsed)
        except Exception as e:
            debug.warning('get_activesetup() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))

        debug.debug('Finished get_activesetup()')
        return entries

    # Returns None or a tuple(exe path, subkey.LastWriteTime, key path, [int(pids)]) 
开发者ID:tomchop,项目名称:volatility-autoruns,代码行数:21,代码来源:autoruns.py

示例6: get_sdb

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
def get_sdb(self):
        """Collect application-compatibility shim database (SDB) registrations.

        Walks the subkeys of ``APPCOMPAT_SDB_KEY`` in the SOFTWARE hive and
        parses each with ``parse_sdb_key``; falsy results are dropped.

        Returns:
            list: parsed entries gathered so far; a failure while walking the
            hive is logged with ``debug.warning`` and the partial list is
            returned.
        """
        debug.debug('Started get_sdb()')
        entries = []

        try:
            self.regapi.reset_current()
            for sk in self.regapi.reg_get_all_subkeys(hive_name='software', key=APPCOMPAT_SDB_KEY):
                parsed = self.parse_sdb_key(sk)
                if not parsed:
                    continue
                entries.append(parsed)
        except Exception as e:
            debug.warning('get_sdb() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))

        debug.debug('Finished get_sdb()')
        return entries

    #Returns None or a tuple(exe, db_path, subkey.LastWriteTime, key path, [int(pids)]) 
开发者ID:tomchop,项目名称:volatility-autoruns,代码行数:22,代码来源:autoruns.py

示例7: Object

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
def Object(theType, offset, vm, name = None, **kwargs):
    """Instantiate the profile type *theType* (a string) at *offset* in *vm*.

    Args:
        theType: name of a type known to ``vm.profile``.
        offset: address of the object; coerced with ``int()`` first.
        vm: address space whose ``profile`` supplies the type.
        name: label for the new object; falls back to *theType* when falsy.
        **kwargs: forwarded unchanged to the type's constructor.

    Returns:
        The constructed object, or a ``NoneObject`` (strictness taken from
        ``vm.profile.strict``) when construction raises ``InvalidOffsetError``.
        When the profile has no such type a ``debug.warning`` is emitted and
        ``None`` is returned.
    """
    label = name or theType
    address = int(offset)

    try:
        if vm.profile.has_type(theType):
            constructor = vm.profile.types[theType]
            return constructor(offset = address, vm = vm, name = label, **kwargs)
    except InvalidOffsetError:
        ## Unreadable address: hand back a NoneObject instead of raising.
        return NoneObject("Invalid Address 0x{0:08X}, instantiating {1}".format(address, label),
                          strict = vm.profile.strict)

    ## Falling through means the profile does not know this type at all.
    debug.warning("Cant find object {0} in profile {1}?".format(theType, vm.profile))
    return None
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:22,代码来源:obj.py

示例8: __getstate__

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
def __getstate__(self):
        """Build the picklable state of this object.

        The type is stored by name when ``_vol_theType`` has ``__name__``,
        otherwise as-is.  The parent reference is deliberately not part of the
        state.  Every constructor argument other than ``self``, ``parent``,
        ``profile`` and ``args`` is copied from ``__dict__``; a missing one
        triggers ``debug.post_mortem()`` and ``pickle.PicklingError``.

        Returns:
            dict: keyword arguments needed to rebuild the object.
        """
        type_name = getattr(self._vol_theType, '__name__', self._vol_theType)

        state = {
            'offset': self.obj_offset,
            'name': self.obj_name,
            'vm': self.obj_vm,
            'native_vm': self.obj_native_vm,
            'theType': type_name,
        }

        ## Constructor parameters that are never part of the pickled state.
        skipped = "self parent profile args".split()
        try:
            for arg in self.__init__.func_code.co_varnames:
                if arg in state or arg in skipped:
                    continue
                state[arg] = self.__dict__[arg]
        except KeyError:
            debug.post_mortem()
            raise pickle.PicklingError("Object {0} at 0x{1:08x} cannot be cached because of missing attribute {2}".format(self.obj_name, self.obj_offset, arg))

        return state
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:27,代码来源:obj.py

示例9: load_vtypes

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
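def load_vtypes(self):
        """ Identifies the module from which to load the vtypes 

            Eventually this could do the importing directly, and avoid having
            the profiles loaded in memory all at once.

            Reads ``memory_model`` (default ``32bit``) from ``self.metadata``
            to pick the native type mapping, then merges every ``*_types``
            dictionary of the module named by ``vtype_module`` into
            ``self.vtypes``.  The module must already be present in
            ``sys.modules``; a missing or unloaded module is reported through
            ``debug.warning`` and leaves ``self.vtypes`` untouched.
        """
        ntvar = self.metadata.get('memory_model', '32bit')
        # Deep copy so later per-profile changes do not leak into the shared mapping.
        self.native_types = copy.deepcopy(self.native_mapping.get(ntvar))

        vtype_module = self.metadata.get('vtype_module', None)
        if not vtype_module:
            debug.warning("No vtypes specified for this profile")
            return

        module = sys.modules.get(vtype_module, None)
        if module is None:
            # Previously dir(None) was scanned here, which silently loaded nothing.
            debug.warning("vtype module {0} is not loaded; no vtypes were added".format(vtype_module))
            return

        # Try to locate the _types dictionaries
        for attr in dir(module):
            if attr.endswith('_types'):
                self.vtypes.update(getattr(module, attr))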
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:21,代码来源:obj.py

示例10: dump

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
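def dump(self, url, payload):
        """Serialise *payload* with pickle and write it to the cache file for *url*.

        Args:
            url: cache URL; resolved to a path via ``self.filename``.  Relative
                URLs (``exceptions.CacheRelativeURLException``) are skipped with
                a debug message.
            payload: object to cache.  If pickling fails with ``PickleError``
                or ``TypeError`` nothing is written and a debug message is
                logged.

        Side effects:
            Creates the cache directory when it is not accessible and
            overwrites the cache file.
            NOTE(review): these files are presumably read back with pickle by
            the cache loader, so the cache directory must be writable only by
            the user running the tool -- confirm against the loader.
        """
        # TODO: Ensure a better check for ieee1394/non-cachable address spaces than a bad URL
        try:
            filename = self.filename(url)
        except exceptions.CacheRelativeURLException:
            debug.debug("NOT Dumping url {0} - relative URLs are not yet supported".format(url))
            return

        ## Check that the directory exists.  The check-then-create is not atomic;
        ## makedirs raises if the directory appears in between (kept as before).
        directory = os.path.dirname(filename)
        if not os.access(directory, os.R_OK | os.W_OK | os.X_OK):
            os.makedirs(directory)

        ## Ensure that the payload is flattened - i.e. all generators are converted to lists for pickling
        try:
            data = pickle.dumps(payload)
        except (pickle.PickleError, TypeError):
            # Do nothing if the pickle fails
            debug.debug("NOT Dumping filename {0} - contained a non-picklable class".format(filename))
            return

        debug.debug("Dumping filename {0}".format(filename))
        # The file I/O is outside the try so an I/O error is no longer reported
        # as a pickling problem, and 'with' closes the handle even if write() raises.
        with open(filename, 'w') as fd:
            fd.write(data)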

## This is the central cache object 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:27,代码来源:cache.py

示例11: get_all_kmem_caches

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
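def get_all_kmem_caches(self):
        """Return every kmem_cache reachable from the kernel's slab cache list.

        SLAB kernels expose the ``cache_chain`` symbol: the caches are walked
        through the ``list_head`` ``next`` links as ``kmem_cache`` objects.
        SLUB kernels (``slab_caches`` symbol) are reported as unsupported via
        ``debug.info`` and yield an empty list.  When neither symbol resolves
        ``debug.error`` is called, which is expected to abort the plugin.

        Returns:
            list: kmem_cache objects, or ``[]`` when nothing could be walked.
        """
        linux_common.set_plugin_members(self)
        cache_chain = self.addr_space.profile.get_symbol("cache_chain")
        slab_caches = self.addr_space.profile.get_symbol("slab_caches")

        # Default up front so the return never raises UnboundLocalError should
        # debug.error ever return instead of aborting.
        ret = []
        if cache_chain: #slab
            caches = obj.Object("list_head", offset = cache_chain, vm = self.addr_space)
            ret = list(caches.list_of_type("kmem_cache", "next"))
        elif slab_caches: #slub
            debug.info("SLUB is currently unsupported.")
        else:
            debug.error("Unknown or unimplemented slab type.")

        return ret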
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:18,代码来源:slab_info.py

示例12: calculate

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
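def calculate(self):
        """Yield ``(sid, service_name)`` pairs for every service in the SYSTEM hive.

        Locates the current control set through ``registryapi`` (falling back
        to ``ControlSet001``) and walks ``<ControlSet>\\Services``.  Services
        not already present in the ``servicesids`` table get a SID derived from
        their name by ``createservicesid``; the ``servicesids`` entries
        themselves are yielded afterwards.

        Yields:
            tuple: ``(sid, service_name)`` with ``service_name`` as ``str``.
        """
        #scan for registries and populate them:
        debug.debug("Scanning for registries....")

        #set our current registry of interest and get its path
        #and get current control set
        debug.debug("Getting Current Control Set....")
        regapi = registryapi.RegistryApi(self._config)
        currentcs = regapi.reg_get_currentcontrolset()
        # NOTE(review): kept as "== None" rather than "is None" on purpose; a
        # Volatility NoneObject placeholder would compare equal to None without
        # being the singleton -- confirm what reg_get_currentcontrolset returns.
        if currentcs == None:
            currentcs = "ControlSet001"

        #set the services root. 
        regapi.set_current('system')
        debug.debug("Getting Services and calculating SIDs....")
        services = regapi.reg_get_key('system', currentcs + '\\' + 'Services')
        if services:
            # Hoisted out of the loop: the name list was rebuilt for every subkey.
            known_names = servicesids.values()
            for s in rawreg.subkeys(services):
                if s.Name not in known_names:
                    name = str(s.Name)
                    yield createservicesid(name), name
        for sid in servicesids:
            yield sid, servicesids[sid]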
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:25,代码来源:getservicesids.py

示例13: bash_hash_entries

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
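def bash_hash_entries(self):
        """Yield the entries of every bash ``_bash_hash_table`` found in the process heap.

        The heap is scanned for the 32-bit little-endian value 0x40; each hit
        is treated as the table's ``nbuckets`` field (presumably bash's default
        bucket count -- TODO confirm) and the table start is recovered by
        subtracting the field offset from the profile.  Nothing is yielded
        when the heap VMA or the process address space cannot be found.

        Yields:
            entries produced by iterating each ``_bash_hash_table`` object.
        """
        nbuckets_offset = self.obj_vm.profile.get_obj_offset("_bash_hash_table", "nbuckets") 

        heap_vma = self.find_heap_vma()
        if heap_vma == None:
            debug.debug("Unable to find heap for pid %d" % self.pid)
            return

        proc_as = self.get_process_address_space()
        if proc_as == None:
            return

        for off in self.search_process_memory(["\x40\x00\x00\x00"], heap_only=True):
            # The hit is the nbuckets field; step back to the start of the table.
            htable = obj.Object("_bash_hash_table", offset = off - nbuckets_offset, vm = proc_as)
            for ent in htable:
                yield ent
            # The former "off = off + 1" here was dead code: off is rebound by the loop.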
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:23,代码来源:linux.py

示例14: to_paddr

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
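def to_paddr(self):
        """Return the physical address of the page frame this ``page`` struct describes.

        The struct's index inside the kernel's ``page`` array is its page
        frame number.  FLATMEM kernels expose the array through the
        ``mem_map`` pointer; kernels with ``mem_section`` use the fixed
        vmemmap base ``0xffffea0000000000``.  The frame number is shifted by
        12, i.e. 4 KiB pages are assumed.  When neither symbol resolves
        ``debug.error`` is called (NUMA is unsupported).

        Returns:
            int: physical address of the page.
        """
        mem_map_addr = self.obj_vm.profile.get_symbol("mem_map")
        mem_section_addr = self.obj_vm.profile.get_symbol("mem_section")

        if mem_map_addr:
            # FLATMEM kernels, usually 32 bit
            mem_map_ptr = obj.Object("Pointer", offset = mem_map_addr, vm = self.obj_vm, parent = self.obj_parent)

        elif mem_section_addr:
            # this is hardcoded in the kernel - VMEMMAPSTART, usually 64 bit kernels
            mem_map_ptr = 0xffffea0000000000

        else:
            debug.error("phys_addr_of_page: Unable to determine physical address of page. NUMA is not supported at this time.\n")

        # Floor division keeps the frame number an int: with "/" it becomes a
        # float under Python 3 and the shift below raises TypeError.
        page_index = (self.obj_offset - mem_map_ptr) // self.obj_vm.profile.get_obj_size("page")

        return page_index << 12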
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:22,代码来源:linux.py

示例15: _get_image_exe

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import debug [as 别名]
def _get_image_exe(self, unsafe, fix):
        """Yield ``(file offset, data)`` chunks that rebuild the PE image as it lies on disk.

        The first chunk is the header block of ``SizeOfHeaders`` bytes read
        from ``obj_offset`` (passed through ``_fix_header_image_base`` when
        *fix* is true).  Each section then contributes the result of
        ``self.get_code`` for its raw data, with the on-disk start rounded to
        ``FileAlignment``; a misaligned ``PointerToRawData`` is reported with
        two ``debug.warning`` messages.

        Args:
            unsafe: forwarded to ``nt_header.get_sections``.
            fix: whether to rewrite the image base in the header copy.
        """
        nt_header = self.get_nt_header()
        optional = nt_header.OptionalHeader
        raw_header = self.obj_vm.zread(self.obj_offset, optional.SizeOfHeaders)
        if fix:
            raw_header = self._fix_header_image_base(raw_header, nt_header)
        yield (0, raw_header)

        alignment = optional.FileAlignment
        for section in nt_header.get_sections(unsafe):
            disk_offset = self.round(section.PointerToRawData, alignment)
            if disk_offset != section.PointerToRawData:
                debug.warning("Section start on disk not aligned to file alignment.\n")
                debug.warning("Adjusted section start from {0} to {1}.\n".format(section.PointerToRawData, disk_offset))
            yield self.get_code(section.VirtualAddress + self.obj_offset, section.SizeOfRawData, disk_offset)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:19,代码来源:pe_vtypes.py


注:本文中的volatility.debug.debug方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。