当前位置: 首页>>代码示例>>Python>>正文

Python debug.info方法代码示例

本文整理汇总了Python中volatility.debug.info方法的典型用法代码示例。如果您正苦于以下问题:Python debug.info方法的具体用法?Python debug.info怎么用?Python debug.info使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在volatility.debug的用法示例。


在下文中一共展示了debug.info方法的14个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: get_all_kmem_caches

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def get_all_kmem_caches(self):
        linux_common.set_plugin_members(self)
        cache_chain = self.addr_space.profile.get_symbol("cache_chain")
        slab_caches = self.addr_space.profile.get_symbol("slab_caches")

        if cache_chain: #slab
            caches = obj.Object("list_head", offset = cache_chain, vm = self.addr_space)
            listm = "next"
            ret = [cache for cache in caches.list_of_type("kmem_cache", listm)]
        elif slab_caches: #slub
            debug.info("SLUB is currently unsupported.")
            ret = []
        else:
            debug.error("Unknown or unimplemented slab type.")

        return ret
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:18,代码来源:slab_info.py

示例2: find_scanned_frames

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def find_scanned_frames(self, p, address, end):
        """
        Find frames by scanning for return addresses.
        @param p: process info object
        @param address: Start address
        @param end: End address
        @return: a list of frames
        """
        address_size = linux_process_info.address_size
        frames = []
        debug.info("Scan range (%rsp to end) = (0x{:016x} to 0x{:016x})".format(address, end))
        count = 0
        while address <= end:
            if p.proc_as.is_valid_address(address) and self.is_return_address(read_address(p.proc_as, address, address_size), p):
                st = stack_frame(address + address_size, p.proc_as, count)
                frames.append(st)
                count += 1
            address += address_size
        return frames
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:21,代码来源:process_stack.py

示例3: find_entry_point

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def find_entry_point(self, proc_as, start_code):
        """
        Read the entry point from the program header.
        @param proc_as: Process address space
        @param start_code: Start of the program code mapping
        @return The address of the entry point (_start)
        """
        # entry point lives at ELF header + 0x18
        # add it to the memory mapping of the binary
        if not proc_as.is_valid_address(start_code+0x18):
            # it's gone from memory
            debug.info("We could not find program entry point, skipping _start detection")
            return False
        offset = read_address(proc_as, start_code+0x18)
        if offset > start_code:
            # it's an absolute address
            return offset
        else:
            # it's a relative offset, i.e. PIE code
            return start_code + offset
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:22,代码来源:process_stack.py

示例4: is_return_address

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def is_return_address(self, address, process_info):
        """
        Checks if the address is a return address by checking if the preceding instruction is a 'CALL'.
        @param address: An address
        @param process_info: process info object
        @return True or False
        """
        proc_as = process_info.proc_as
        size = 5
        if distorm_loaded and process_info.is_code_pointer(address):
            offset = address - size
            instr = distorm3.Decode(offset, proc_as.read(offset, size), self.decode_as)
            # last instr, third tuple item (instr string), first 7 letters
            # if instr[-1][2][:7] == 'CALL 0x':
            #     print(instr[-1][2])
            if len(instr) > 0:
                return instr[-1][2][:4] == 'CALL'
            # there's also call <register>
        return False
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:21,代码来源:process_stack.py

示例5: find_return_libc_start

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def find_return_libc_start(self, proc_as, start_stack, return_start):
        """
        Scans the stack for a certain address, in this case the return address of __libc_start_main.
        @param proc_as: Process address space
        @param start_stack: Start address to search
        @param return_start: The return address to find
        @return The address found or None
        """
        address = start_stack
        for value in yield_address(proc_as, start_stack, reverse=True):
            if value == return_start:
                debug.info("Scanned {} stack addresses before finding the __libc_start_main return address".format((start_stack-address)/linux_process_info.address_size))
                return address
            address -= linux_process_info.address_size
        debug.info("Exhausted search for __libc_start_main return address at stack address {:016x}".format(address))
        return None
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:18,代码来源:process_stack.py

示例6: info

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def info(self, task):
        if self.vm_file:
            pgoff = self.vm_pgoff << 12
            
            inode = self.vm_file.dentry.d_inode
            if inode and inode.is_valid():
                major, minor = inode.i_sb.major, inode.i_sb.minor
                ino = inode.i_ino
            else:
                major, minor, ino = [0] * 3
        else:
            (major, minor, ino, pgoff) = [0] * 4

        fname = self.vm_name(task)

        if fname == "Anonymous Mapping":
            fname = ""

        return fname, major, minor, ino, pgoff
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:21,代码来源:linux.py

示例7: extract_strings

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def extract_strings(self):
        debug.info("[time-consuming task] extracting strings from VADs (pid={0})".format(self.process.UniqueProcessId))
        strings = []

        for vad, address_space in self.process.get_vads(skip_max_commit = True):
            data = self.read_without_zero_page(vad, address_space)
            if len(data) == 0:
                continue
            elif len(data) > READ_BLOCKSIZE:
                debug.debug('data size in VAD is more than READ_BLOCKSIZE (pid{0})'.format(self.process.UniqueProcessId))
            extracted = list(set(self.util.extract_unicode(data) + self.util.extract_ascii(data)))
            strings.extend(extracted)

        records = ((self.process.UniqueProcessId.v(), string) for string in strings)
        self.cur.executemany("insert or ignore into strings values (?, ?)", records)
        self.update_done('strings')
        return strings
开发者ID:TakahiroHaruyama,项目名称:openioc_scan,代码行数:19,代码来源:openioc_scan.py

示例8: extract_hooked_APIs

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def extract_hooked_APIs(self, is_API=False, is_hookingMod=False):
        debug.info("[time-consuming task] extracting hooked APIs... (pid={0})".format(self.process.UniqueProcessId))

        process_space = self.process.get_process_address_space()
        if not process_space:
            return []

        module_group = apihooks.ModuleGroup(self.process.get_load_modules())

        records = []
        for dll in module_group.mods:
            if not process_space.is_valid_address(dll.DllBase):
                continue
            for hook in self.get_hooks(HOOK_MODE_USER, process_space, dll, module_group):
                if self.whitelist(hook.hook_mode | hook.hook_type, self.process.ImageFileName.v(), hook.VictimModule, hook.HookModule, hook.Function):
                    continue
                records.append((self.process.UniqueProcessId.v(), hook.Mode, hook.Type, str(dll.BaseDllName or ''), hook.Function, hook.HookModule))
        self.cur.executemany("insert or ignore into api_hooked values (?, ?, ?, ?, ?, ?)", records)
        self.update_done('api_hooked')
        if is_API:
            return [record[4] for record in records]
        elif is_hookingMod:
            return [record[5] for record in records]
开发者ID:TakahiroHaruyama,项目名称:openioc_scan,代码行数:25,代码来源:openioc_scan.py

示例9: extract_privileges

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def extract_privileges(self):
        debug.info("[time-consuming task] extracting enabled privilege information... (pid={0})".format(self.process.UniqueProcessId))
        records = []

        for value, present, enabled, default in self.process.get_token().privileges():
            try:
                name, desc = PRIVILEGE_INFO[int(value)]
            except KeyError:
                continue

            if enabled:
                records.append((self.process.UniqueProcessId.v(), name))

        self.cur.executemany("insert or ignore into privs values (?, ?)", records)
        self.update_done('privs')
        return [record[1] for record in records]
开发者ID:TakahiroHaruyama,项目名称:openioc_scan,代码行数:18,代码来源:openioc_scan.py

示例10: ShimCache_ExecutablePath

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def ShimCache_ExecutablePath(self, content, condition, preserve_case):
        if not self.util.is_condition_string(condition):
            debug.error('{0} condition is not supported in RegistryItem/ShimCache/ExecutablePath'.format(condition))
            return False

        paths = []
        records = []
        count = self.util.fetchone_from_db(self.cur, "shimcache", "count(*)")
        if count > 0:
            paths = self.util.fetchall_from_db(self.cur, "shimcache", "path")
        else:
            debug.info("[time-consuming task] extracting shimcache registry information...")
            for path, modified, updated in shimcache.ShimCache.calculate(self):
                path_str ='{0}'.format(path)
                records.append((path_str, modified.v()))
            if len(records) == 0:
                records.append(('dummy', 'dummy')) # insert dummy for done
            self.cur.executemany("insert or ignore into shimcache values (?, ?)", records)
            paths = [record[0] for record in records]
        return self.util.check_strings(paths, content, condition, preserve_case)
开发者ID:TakahiroHaruyama,项目名称:openioc_scan,代码行数:22,代码来源:openioc_scan.py

示例11: extract_services

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def extract_services(self, is_service_name=False, is_display_name=False, is_bin_path=False):
        debug.info("[time-consuming task] extracting service information...")

        records = []
        for rec in svcscan.SvcScan.calculate(self):
            service_name = '{0}'.format(rec.ServiceName.dereference())
            display_name = '{0}'.format(rec.DisplayName.dereference())
            bin_path = '{0}'.format(rec.Binary)
            records.append((service_name, display_name, bin_path))
        self.cur.executemany("insert or ignore into service values (?, ?, ?)", records)

        if is_service_name:
            return [record[0] for record in records]
        elif is_display_name:
            return [record[1] for record in records]
        elif is_bin_path:
            return [record[2] for record in records]
开发者ID:TakahiroHaruyama,项目名称:openioc_scan,代码行数:19,代码来源:openioc_scan.py

示例12: extract_callbacks

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def extract_callbacks(self):
        debug.info("[time-consuming task] extracting kernel callbacks...")

        records = []
        # added for default option values (filescan)
        self._config.VIRTUAL = False
        self._config.SHOW_UNALLOCATED = False
        self._config.START = None
        self._config.LENGTH = None

        for (sym, cb, detail), mods, mod_addrs in callbacks.Callbacks.calculate(self):
            module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
            type_name = '{0}'.format(sym)
            #records.append((module.DllBase.v(), type_name, cb.v(), str(detail or "-")))
            records.append((str(module.DllBase.v()), type_name, str(cb.v()), str(detail or "-")))

        if len(records) == 0:
            records.append(('dummy', 'dummy', 'dummy', 'dummy')) # insert dummy for done
        self.cur.executemany("insert or ignore into kernel_mods_callbacks values (?, ?, ?, ?)", records)
        return [record[1] for record in records if self.kmod.DllBase.v() == record[0]]
开发者ID:TakahiroHaruyama,项目名称:openioc_scan,代码行数:22,代码来源:openioc_scan.py

示例13: extract_timers

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def extract_timers(self):
        debug.info("[time-consuming task] extracting kernel timers...")

        records = []
        # added for default option value
        self._config.LISTHEAD = None

        for timer, module in timers.Timers.calculate(self):
            if timer.Header.SignalState.v():
                signaled = "Yes"
            else:
                signaled = "-"
            due_time = "{0:#010x}:{1:#010x}".format(timer.DueTime.HighPart, timer.DueTime.LowPart)
            #records.append((module.DllBase.v(), timer.obj_offset, due_time, timer.Period.v(), signaled, timer.Dpc.DeferredRoutine.v()))
#Quickfix for module=None
	    if module is None:
            	records.append(('None', str(timer.obj_offset), due_time, timer.Period.v(), signaled, str(timer.Dpc.DeferredRoutine.v())))
            else:
            	records.append((str(module.DllBase.v()), str(timer.obj_offset), due_time, timer.Period.v(), signaled, str(timer.Dpc.DeferredRoutine.v())))

        if len(records) == 0:
            records.append(('dummy', 'dummy', 'dummy', 'dummy', 'dummy', 'dummy')) # insert dummy for done
        self.cur.executemany("insert or ignore into kernel_mods_timers values (?, ?, ?, ?, ?, ?)", records)
        timer_routines = [record[5] for record in records if self.kmod.DllBase.v() == record[0]]
        return len(timer_routines)
开发者ID:TakahiroHaruyama,项目名称:openioc_scan,代码行数:27,代码来源:openioc_scan.py

示例14: render_text

# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import info [as 别名]
def render_text(self, outfd, data):
        if self._config.show:
            for definitions in data:
                outfd.write(definitions)
            outfd.write('++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n')
        else:
            for process, kmod, ioc_result in data:
                outfd.write('***************************************************************\n')
                outfd.write(ioc_result)
                if process is not None:
                    outfd.write("Note: ProcessItem was evaluated only in {0} (Pid={1})\n".format(process.ImageFileName, process.UniqueProcessId))
                if kmod is not None:
                    outfd.write("Note: DriverItem was evaluated only in {0} (base=0x{1:x})\n".format(str(kmod.BaseDllName  or ''), kmod.DllBase))
                outfd.write('***************************************************************\n')

            self.db.commit()
            self.cur.close()
            debug.info("=> elapsed scan total: about {0} s".format(self.total_secs))
开发者ID:TakahiroHaruyama,项目名称:openioc_scan,代码行数:20,代码来源:openioc_scan.py


注:本文中的volatility.debug.info方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。