本文整理汇总了Python中volatility.debug.warning方法的典型用法代码示例。如果您正苦于以下问题:Python debug.warning方法的具体用法?Python debug.warning怎么用?Python debug.warning使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类volatility.debug的用法示例。
在下文中一共展示了debug.warning方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: get_winlogon_registrations
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def get_winlogon_registrations(self):
debug.debug('Started get_winlogon_registrations()')
results = []
notify_key = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"
try:
self.regapi.reset_current()
for subkey in self.regapi.reg_get_all_subkeys(hive_name='software', key=notify_key):
parsed_entry = self.parse_winlogon_registration_key(subkey)
if parsed_entry and (self._config.VERBOSE or (parsed_entry[0].split('\\')[-1] not in WINLOGON_REGISTRATION_KNOWN_DLLS)):
results.append(parsed_entry)
except Exception as e:
debug.warning('get_winlogon_registrations() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
debug.debug('Finished get_winlogon_registrations()')
return results
# Returns None or (str(dllname), [(str(trigger)),str(event))], key.LastWriteTime, key path, [int(pids)]) 示例2: parse_winlogon_registration_key
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def parse_winlogon_registration_key(self, key):
dllname = ""
events = []
pids = []
key_path = self.regapi.reg_get_key_path(key) or str(key.Name)
try:
for v_name, v_data in self.regapi.reg_yield_values(hive_name=None, key=None, given_root=key):
val_name = str(v_name or '')
val_data = str(v_data or '').replace('\x00', '')
if val_name.lower() == 'dllname':
dllname = val_data
pids = self.find_pids_for_imagepath(dllname)
elif val_name in WINLOGON_NOTIFICATION_EVENTS:
events.append((val_name, val_data))
except Exception as e:
debug.warning('Failed while parsing {}. Exception: {} {}'.format(key_path, type(e).__name__, e.args))
if dllname:
return (dllname, events, key.LastWriteTime, key_path, pids)
# Returns [] or a list of tuples(val_name, val_data, key.LastWriteTime, expected_val_data, [int(pids)]) 示例3: get_winlogon
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def get_winlogon(self):
debug.debug('Started get_winlogon()')
winlogon = []
winlogon_key_path="Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
try:
self.regapi.reset_current()
key = self.regapi.reg_get_key(hive_name='software', key=winlogon_key_path)
if key:
for v_name, v_data in self.regapi.reg_yield_values(hive_name=None, key=None, given_root=key):
val_name = str(v_name or '')
val_data = str(v_data or '').replace('\x00', '')
if val_data and val_name in WINLOGON_COMMON_VALUES:
pids = self.find_pids_for_imagepath(val_data)
winlogon.append((val_name, val_data, key.LastWriteTime, WINLOGON_COMMON_VALUES[val_name], winlogon_key_path, pids))
except Exception as e:
debug.warning('get_winlogon() failed to complete. Exception: {} {}'.format(type(e).__name__, e.args))
debug.debug('Finished get_winlogon()')
return winlogon
# Returns [] or a list of tuples from parse_service_key() 示例4: get_services
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def get_services(self):
debug.debug('Started get_services()')
results = []
service_key_path = "{}\\Services".format(self.currentcs)
try:
self.regapi.reset_current()
for service_sk in self.regapi.reg_get_all_subkeys(hive_name='system', key=service_key_path):
parsed_service = self.parse_service_key(service_sk)
if parsed_service and (self._config.VERBOSE or 'system32' not in parsed_service[5].lower()):
results.append(parsed_service)
except Exception as e:
debug.warning('get_services() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
debug.debug('Finished get_services()')
return results
# Returns None or (key_path, timestamp, display_name, SERVICE_STARTUP[startup], SERVICE_TYPES[type], image_path, service_dll, [int(pids)]) 示例5: get_activesetup
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def get_activesetup(self):
debug.debug('Started get_activesetup()')
results = []
try:
self.regapi.reset_current()
for subkey in self.regapi.reg_get_all_subkeys(hive_name='software', key=ACTIVE_SETUP_KEY):
r = self.parse_activesetup_keys(subkey)
if r:
results.append(r)
except Exception as e:
debug.warning('get_activesetup() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
debug.debug('Finished get_activesetup()')
return results
# Returns None or a tuple(exe path, subkey.LastWriteTime, key path, [int(pids)]) 示例6: get_sdb
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def get_sdb(self):
debug.debug('Started get_sdb()')
results = []
try:
self.regapi.reset_current()
sdb_keys = self.regapi.reg_get_all_subkeys(hive_name='software', key=APPCOMPAT_SDB_KEY)
for subkey in sdb_keys:
parsed_sdb_entry = self.parse_sdb_key(subkey)
if parsed_sdb_entry:
results.append(parsed_sdb_entry)
except Exception as e:
debug.warning('get_sdb() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
debug.debug('Finished get_sdb()')
return results
#Returns None or a tuple(exe, db_path, subkey.LastWriteTime, key path, [int(pids)]) 示例7: calculate_alloc_stats
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def calculate_alloc_stats(self):
"""Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when read lengths of data
It's particularly important to cast all numbers to ints, since they're used a lot and object take effort to reread.
"""
available_allocs = list(self.get_available_allocs())
self.minimum_size = int(min([size for _, size in available_allocs]))
accumulator = self.minimum_size
for start, _ in available_allocs:
if accumulator is None and start > 1:
accumulator = start
if accumulator and start > 0:
accumulator = fractions.gcd(accumulator, start)
self.alignment_gcd = int(accumulator)
# Pick an arbitrary cut-off that'll lead to too many reads
if self.alignment_gcd < 0x4:
debug.warning("Alignment of " + self.__class__.__name__ + " is too small, plugins will be extremely slow") 示例8: Object
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def Object(theType, offset, vm, name = None, **kwargs):
""" A function which instantiates the object named in theType (as
a string) from the type in profile passing optional args of
kwargs.
"""
name = name or theType
offset = int(offset)
try:
if vm.profile.has_type(theType):
result = vm.profile.types[theType](offset = offset, vm = vm, name = name, **kwargs)
return result
except InvalidOffsetError:
## If we cant instantiate the object here, we just error out:
return NoneObject("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name),
strict = vm.profile.strict)
## If we get here we have no idea what the type is supposed to be?
## This is a serious error.
debug.warning("Cant find object {0} in profile {1}?".format(theType, vm.profile)) 示例9: load_vtypes
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def load_vtypes(self):
""" Identifies the module from which to load the vtypes
Eventually this could do the importing directly, and avoid having
the profiles loaded in memory all at once.
"""
ntvar = self.metadata.get('memory_model', '32bit')
self.native_types = copy.deepcopy(self.native_mapping.get(ntvar))
vtype_module = self.metadata.get('vtype_module', None)
if not vtype_module:
debug.warning("No vtypes specified for this profile")
else:
module = sys.modules.get(vtype_module, None)
# Try to locate the _types dictionary
for i in dir(module):
if i.endswith('_types'):
self.vtypes.update(getattr(module, i)) 示例10: _formatlookup
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def _formatlookup(self, profile, code):
"""Code to turn profile specific values into format specifications"""
code = code or ""
if not code.startswith('['):
return code
# Strip off the square brackets
code = code[1:-1].lower()
if code.startswith('addr'):
spec = fmtspec.FormatSpec("#10x")
if profile.metadata.get('memory_model', '32bit') == '64bit':
spec.minwidth += 8
if 'pad' in code:
spec.fill = "0"
spec.align = spec.align if spec.align else "="
else:
# Non-padded addresses will come out as numbers,
# so titles should align >
spec.align = ">"
return spec.to_string()
# Something went wrong
debug.warning("Unknown table format specification: " + code)
return "" 示例11: _write_file
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def _write_file(self, ff, file_path, file_dentry):
inode = file_dentry.d_inode
if inode and inode.is_valid() and not inode.is_dir():
ents = file_path.split("/")
out_path = os.path.join(self._config.DUMP_DIR, *ents)
try:
fd = open(out_path, "wb")
except IOError, e:
debug.warning("Unable to process file: %s : %s" % (out_path, str(e)))
return
for page in ff.get_file_contents(inode):
fd.write(page)
fd.close() 示例12: calculate
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def calculate(self):
"""
This works by walking the system call table
and verifies that each is a symbol in the kernel
"""
linux_common.set_plugin_members(self)
if not has_distorm:
debug.warning("distorm not installed. The best method to calculate the system call table size will not be used.")
if self._config.SYSCALL_INDEXES:
if not os.path.exists(self._config.SYSCALL_INDEXES):
debug.error("Given syscall indexes file does not exist!")
index_lines = open(self._config.SYSCALL_INDEXES, "r").read()
else:
index_lines = None
for (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked) in self.get_syscalls(index_lines, True):
yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked) 示例13: _check_inetsw
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def _check_inetsw(self, modules):
try:
self.addr_space.profile.get_obj_offset("inet_protosw", "list")
except KeyError:
debug.warning("You are using an old Linux profile. Please recreate the profile using the latest Volatility version.")
return
proto_members = self.profile.types['proto_ops'].keywords["members"].keys()
proto_members.remove('owner')
proto_members.remove('family')
inetsw_addr = self.addr_space.profile.get_symbol("inetsw")
inetsw = obj.Object(theType = "Array", targetType = "list_head", offset = inetsw_addr, vm = self.addr_space, count = 11)
for inet_list in inetsw:
for inet in inet_list.list_of_type("inet_protosw", "list"):
name = self.addr_space.read(inet.prot.name.obj_offset, 32)
idx = name.index("\x00")
if idx != -1:
name = name[:idx]
for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(inet.ops, proto_members, modules):
yield (name, hooked_member, hook_type, hook_address) 示例14: _get_image_exe
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def _get_image_exe(self, unsafe, fix):
nt_header = self.get_nt_header()
soh = nt_header.OptionalHeader.SizeOfHeaders
header = self.obj_vm.zread(self.obj_offset, soh)
if fix:
header = self._fix_header_image_base(header, nt_header)
yield (0, header)
fa = nt_header.OptionalHeader.FileAlignment
for sect in nt_header.get_sections(unsafe):
foa = self.round(sect.PointerToRawData, fa)
if foa != sect.PointerToRawData:
debug.warning("Section start on disk not aligned to file alignment.\n")
debug.warning("Adjusted section start from {0} to {1}.\n".format(sect.PointerToRawData, foa))
yield self.get_code(sect.VirtualAddress + self.obj_offset,
sect.SizeOfRawData, foa) 示例15: allprocs
# 需要导入模块: from volatility import debug [as 别名]
# 或者: from volatility.debug import warning [as 别名]
def allprocs(self):
p = self.addr_space.profile.get_symbol("_allproc")
procsaddr = obj.Object("proclist", offset = p, vm = self.addr_space)
proc = obj.Object("proc", offset = procsaddr.lh_first, vm = self.addr_space)
seen = []
while proc.is_valid():
if proc.obj_offset in seen:
debug.warning("Recursive process list detected (a result of non-atomic acquisition). Use mac_tasks or mac_psxview)")
break
else:
seen.append(proc.obj_offset)
yield proc
proc = proc.p_list.le_next.dereference()