本文整理汇总了Python中volatility.obj.Array方法的典型用法代码示例。如果您正苦于以下问题:Python obj.Array方法的具体用法?Python obj.Array怎么用?Python obj.Array使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类volatility.obj的用法示例。
在下文中一共展示了obj.Array方法的8个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: get_symbols
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Array [as 别名]
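def get_symbols(self):
    """Return (name, value) pairs for the entries of this object's symbol table.

    The table is read as an array of ``elf64_sym`` or ``elf32_sym`` structures
    (picked from the profile's ``arch`` metadata) starting at ``self.symtab``.
    Each name is taken from up to 64 bytes read at ``self.strtab + st_name``.

    Returns:
        A list of ``(str, value)`` tuples. Entries whose name cannot be read,
        or whose name is empty, are skipped.
    """
    ret_syms = []

    if self.obj_vm.profile.metadata.get('arch').lower() == 'x64':
        struct_name = "elf64_sym"
    else:
        struct_name = "elf32_sym"

    # NOTE(review): num_symtab is used as the element count with no upper
    # bound visible here -- confirm it is validated where it is set, since it
    # originates from the memory image being analysed.
    syms = obj.Object(theType = "Array", targetType = struct_name, offset = self.symtab, count = self.num_symtab + 1, vm = self.obj_vm)

    for sym_struct in syms:
        sym_name_addr = self.strtab + sym_struct.st_name

        sym_name = self.obj_vm.read(sym_name_addr, 64)
        if not sym_name:
            continue

        # index() raises ValueError when the terminator is missing and never
        # returns -1, so a single unterminated name would abort the whole
        # listing. The bytes come from the analysed image and may be corrupt
        # or deliberately malformed; find() reports "not found" as -1, in
        # which case the 64 bytes read are kept as a truncated name.
        idx = sym_name.find("\x00")
        if idx != -1:
            sym_name = sym_name[:idx]

        if sym_name != "":
            ret_syms.append((str(sym_name), sym_struct.st_value.v()))

    return ret_syms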
示例2: lsof
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Array [as 别名]
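def lsof(self):
    """Yield ``(file object, descriptor index)`` for each non-null slot of the fd table.

    The table location and its size are obtained from ``self.files``; every
    truthy pointer in the table is wrapped as a ``file`` object.

    Yields:
        Tuples of the ``file`` object and its index in the table.
    """
    fd_table = self.files.get_fds()
    max_fds = self.files.get_max_fds()

    # mem corruption check: max_fds is read from the analysed image, so it is
    # rejected before it is used as an array length rather than after.
    if max_fds > 500000:
        return

    fd_array = obj.Object(theType = 'Array', offset = fd_table.obj_offset, vm = self.obj_vm, targetType = 'Pointer', count = max_fds)

    for i in range(max_fds):
        entry = fd_array[i]
        if entry:
            filp = obj.Object('file', offset = entry, vm = self.obj_vm)
            yield filp, i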
# has to get the struct socket given an inode (see SOCKET_I in sock.h)
示例3: _get_nodelist
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Array [as 别名]
def _get_nodelist(self):
    """Return the ``kmem_list3`` for this object's ``nodelists`` member.

    ``nodelists`` is handled in two shapes: a pointer, which is dereferenced
    and wrapped as ``kmem_list3``, or an array, whose first element is used.
    """
    nodelists = self.nodelists
    kind = type(nodelists)

    if kind == obj.Pointer:
        node = obj.Object("kmem_list3", offset = nodelists.dereference(), vm = self.obj_vm)
    elif kind == obj.Array:
        node = nodelists[0]
    else:
        # NOTE(review): presumably debug.error() does not return; if it does,
        # the return below fails because no value was assigned -- confirm.
        debug.error("Unknown nodelists types. %s" % type(nodelists))

    return node
示例4: __iter__
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Array [as 别名]
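def __iter__(self):
    """Yield the objects held in this cache's slabs.

    When ``self.unalloc`` is falsy, every slot of the full slabs is yielded
    and, for partial slabs, the slots not marked as unallocated. When it is
    truthy, the unallocated slots of partial slabs are yielded, followed by
    every slot of the free slabs.
    """
    if not self.unalloc:
        for slab in self._get_full_list():
            for i in range(self.num):
                yield self._get_object(slab.s_mem.v() + i * self.buffer_size)

    for slab in self._get_partial_list():
        if not self.num or self.num == 0:
            return

        # Index array located directly after the slab header.
        bufctl = obj.Object("Array",
                            offset = slab.v() + slab.size(),
                            vm = self.obj_vm,
                            parent = self.obj_parent,
                            targetType = "unsigned int",
                            count = self.num)

        unallocated = [0] * self.num

        # Follow the chain of indexes starting at slab.free; 0xFFFFFFFF ends it.
        i = slab.free
        while i != 0xFFFFFFFF:
            if i >= self.num:
                break
            if unallocated[i]:
                # The chain points back at a slot already visited. The values
                # come from the analysed image, so a corrupt or crafted chain
                # would otherwise keep this loop running forever.
                break
            unallocated[i] = 1
            i = bufctl[i]

        for i in range(0, self.num):
            if unallocated[i] == self.unalloc:
                yield self._get_object(slab.s_mem.v() + i * self.buffer_size)

    if self.unalloc:
        for slab in self._get_free_list():
            for i in range(self.num):
                yield self._get_object(slab.s_mem.v() + i * self.buffer_size)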
示例5: sect_name
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Array [as 别名]
def sect_name(self):
    """Return this section attribute's name as a ``str``.

    If the ``name`` member is an array, the string is read in place at the
    member's offset (length 32); otherwise ``name`` is dereferenced as a
    string of length 255.
    """
    if type(self.m("name")) == obj.Array:
        # Name stored inline: read it at the member's own offset.
        return str(obj.Object("String", offset = self.m("name").obj_offset, vm = self.obj_vm, length = 32))

    return str(self.name.dereference_as("String", length = 255))
示例6: _get_sect_count
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Array [as 别名]
def _get_sect_count(self, grp):
    """Count the leading truthy pointers in the array at ``grp.attrs``.

    Returns:
        The index of the first falsy entry.
    """
    attr_ptrs = obj.Object(theType = 'Array', offset = grp.attrs, vm = self.obj_vm, targetType = 'Pointer', count = 25)

    # NOTE(review): the index is never compared with the declared count of 25,
    # so termination depends on a falsy entry or on how obj.Array answers an
    # index past its end -- confirm, as the pointers come from the image.
    n = 0
    while True:
        if not attr_ptrs[n]:
            return n
        n += 1
示例7: get_sections
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Array [as 别名]
def get_sections(self):
    """Yield each ``module_sect_attr`` entry of this module's section attributes.

    The number of entries is ``sect_attrs.nsections`` when that member
    exists; otherwise it is obtained from ``_get_sect_count``.
    """
    has_count = hasattr(self.sect_attrs, "nsections")
    num_sects = self.sect_attrs.nsections if has_count else self._get_sect_count(self.sect_attrs.grp)

    # NOTE(review): num_sects is used as the array length as read -- confirm
    # an upper bound is enforced somewhere for values taken from the image.
    section_array = obj.Object(theType = 'Array', offset = self.sect_attrs.attrs.obj_offset, vm = self.obj_vm, targetType = 'module_sect_attr', count = num_sects)

    for section in section_array:
        yield section
示例8: bash_hash_entries
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Array [as 别名]
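def bash_hash_entries(self):
    """Yield ``bucket_contents`` entries of bash hash tables found in the heap.

    The process heap is searched for the 4-byte pattern ``\\x40\\x00\\x00\\x00``
    (64 as a little-endian 32-bit value, matching the 64-entry bucket array
    read below). Each hit is treated as the ``nbuckets`` field of a
    ``_bash_hash_table``; for tables that validate, every bucket chain is
    walked and entries with a valid path and flags in 0..2 are yielded.

    Yields nothing when no heap is found for the process.
    """
    nbuckets_offset = self.obj_vm.profile.get_obj_offset("_bash_hash_table", "nbuckets")

    heap_vma = self.find_heap_vma()

    # Kept as "==" rather than "is": the comparison behaviour of the object
    # returned by find_heap_vma() is not visible here.
    if heap_vma == None:
        debug.debug("Unable to find heap for pid %d" % self.pid)
        return

    proc_as = self.get_process_address_space()

    # The former trailing "off = off + 1" was removed: rebinding the loop
    # variable has no effect on what the search yields next.
    for off in self.search_process_memory(["\x40\x00\x00\x00"], heap_only=True):
        # test the number of buckets
        htable = obj.Object("_bash_hash_table", offset = off - nbuckets_offset, vm = proc_as)

        if htable.is_valid():
            bucket_array = obj.Object(theType="Array", targetType="Pointer", offset = htable.bucket_array, vm = htable.nbuckets.obj_vm, count = 64)

            for bucket_ptr in bucket_array:
                bucket = bucket_ptr.dereference_as("bucket_contents")
                # NOTE(review): the walk stops only when a validity check
                # fails; a chain that loops back on itself (corrupt or crafted
                # heap data) is not detected -- consider tracking visited nodes.
                while bucket.times_found > 0 and bucket.data.is_valid() and bucket.key.is_valid():
                    pdata = bucket.data

                    if pdata.path.is_valid() and (0 <= pdata.flags <= 2):
                        yield bucket

                    bucket = bucket.next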