

Python obj.NoneObject方法代码示例

本文整理汇总了Python中volatility.obj.NoneObject方法的典型用法代码示例。如果您正苦于以下问题:Python obj.NoneObject方法的具体用法?Python obj.NoneObject怎么用?Python obj.NoneObject使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在volatility.obj的用法示例。


在下文中一共展示了obj.NoneObject方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: _find_generators

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def _find_generators(self, item):
        """Recursively replace generators inside *item* with concrete containers.

        Mappings are rebuilt as dicts (keys and values flattened separately);
        every other iterable is rebuilt as a list.  NoneObjects and plain
        strings are iterable too, so they are returned as-is instead of being
        split into characters.  A bare generator cannot be cached and raises
        CacheContainsGenerator.  Non-iterable leaves come back unchanged via
        the TypeError that iter() raises for them.
        """
        try:
            if isinstance(item, dict):
                # Keep mappings as mappings rather than lists of keys;
                # the key is flattened before its value, as in a plain loop.
                pairs = ((self._find_generators(key), self._find_generators(value))
                         for key, value in item.items())
                return dict(pairs)

            # Both NoneObject and str are iterable; treat them as atoms.
            if isinstance(item, (obj.NoneObject, str)):
                return item

            if isinstance(item, types.GeneratorType):
                raise CacheContainsGenerator

            return [self._find_generators(element) for element in iter(item)]
        except TypeError:
            # iter() on a non-iterable raises TypeError: the item is a leaf.
            return item
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:26,代码来源:cache.py

示例2: render_text

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def render_text(self, outfd, data):
        """Print a page-by-page memory map for every task in *data*.

        One row per page that translates: task name, pid, virtual address,
        physical address and size.  Pages whose virtual address does not
        translate are dropped silently; a task with no readable pages at
        all gets a one-line notice written to *outfd* instead of rows.
        """
        self.table_header(outfd, [("Task", "16"),
                                  ("Pid", "8"),
                                  ("Virtual", "[addrpad]"),
                                  ("Physical", "[addrpad]"),
                                  ("Size", "[addr]")])

        for task in data:
            task_space = task.get_process_address_space()
            pages = task_space.get_available_pages()

            if not pages:
                outfd.write("Unable to read pages for {0} pid {1}.\n".format(task.comm, task.pid))
                continue

            for page in pages:
                virtual, size = page[0], page[1]
                physical = task_space.vtop(virtual)
                # 0 is a legitimate physical address here; only a None or
                # NoneObject result (both compare == None) means unmapped,
                # so this must stay a loose comparison rather than "is not".
                if physical != None:
                    self.table_row(outfd, task.comm, task.pid, virtual, physical, size)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:23,代码来源:pslist.py

示例3: get_process_address_space

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
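def get_process_address_space(self):
        """Return an address space rooted at this task's page directory.

        Returns the task's ``mm`` unchanged when it is falsy (a NoneObject
        keeps its reason that way), the pgd value itself when it compares
        equal to None, or a NoneObject when the address-space class refuses
        the translated directory table base.  On success the newly built
        process address space is returned.
        """
        ## If we've got a NoneObject, return it to maintain the reason
        if not self.mm:
            return self.mm

        # pgd.v() may be a NoneObject, which compares == None; the loose
        # comparison is deliberate so that case is caught as well.
        pgd = self.mm.pgd.v()
        if pgd == None:
            return pgd

        directory_table_base = self.obj_vm.vtop(pgd)

        try:
            process_as = self.obj_vm.__class__(
                self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base)
        except AssertionError:
            return obj.NoneObject("Unable to get process AS")

        # Without this the method silently returns None even though the
        # address space was constructed successfully.
        return process_as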
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:18,代码来源:linux.py

示例4: Peb

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def Peb(self):
        """Return this process's _PEB, read through the process address space.

        The PEB references process-private memory, so the object is built
        on the process AS rather than on the AS this object was read from.
        A NoneObject is returned when the process AS cannot be obtained or
        the PEB fails validation.
        """
        process_ad = self.get_process_address_space()
        if not process_ad:
            return obj.NoneObject("Peb not found")

        peb = obj.Object("_PEB", self.m("Peb").v(), vm = process_ad,
                         name = "Peb", parent = self)
        if not peb.is_valid():
            return obj.NoneObject("Peb not found")
        return peb
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:19,代码来源:windows.py

示例5: get_object_bottom_up

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def get_object_bottom_up(self, struct_name, object_type, skip_type_check):
        """Instantiate the object this pool holds, located bottom-up.

        With no *object_type* the object is assumed to start right after
        the _POOL_HEADER.  Otherwise its offset is derived from the end of
        the pool block (BlockSize * pool alignment) minus the aligned size
        of *struct_name*; the result is returned when *skip_type_check* is
        set or the object header's type matches *object_type*, and a
        NoneObject otherwise.
        """
        vm = self.obj_vm

        if not object_type:
            header_size = vm.profile.get_obj_size("_POOL_HEADER")
            return obj.Object(struct_name, vm = vm,
                              offset = self.obj_offset + header_size,
                              native_vm = self.obj_native_vm)

        pool_alignment = obj.VolMagic(vm).PoolAlignment.v()
        block_end = self.obj_offset + self.BlockSize * pool_alignment
        start = block_end - common.pool_align(vm, struct_name, pool_alignment)

        the_object = obj.Object(struct_name, vm = vm, offset = start,
                                native_vm = self.obj_native_vm)

        # The header is always fetched, even when the type check is skipped.
        header = the_object.get_object_header()
        accepted = skip_type_check or header.get_object_type() == object_type
        return the_object if accepted else obj.NoneObject("Cannot find the object")
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:27,代码来源:windows.py

示例6: get_item

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def get_item(self, entry, handle_value = 0):
        """Resolve a PspCidTable entry to its _OBJECT_HEADER.

        Starting with 8/2012 x64 the table's LowValue points at the object
        body rather than at its header, so the header offset is recovered
        by decoding the pointer and stepping back by the offset of
        _OBJECT_HEADER.Body.  A zero LowValue yields a NoneObject.
        """
        if entry.LowValue == 0:
            return obj.NoneObject("LowValue pointer is invalid")

        profile = self.obj_vm.profile
        body_offset = profile.get_obj_offset("_OBJECT_HEADER", "Body")
        head_offset = self.decode_pointer(entry.LowValue) - body_offset

        return obj.Object("_OBJECT_HEADER", offset = head_offset,
                          vm = self.obj_vm, parent = entry,
                          handle_value = handle_value)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:18,代码来源:win8.py

示例7: v

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def v(self):
        """Return the raw bytes of this string, tolerating paged-out tails.

        zread() is used so that a string crossing a page boundary is read
        as far as the data is available, with nulls padding the rest up to
        the declared length.  If nothing can be read at all (zero length,
        failed translation or an invalid physical address) a NoneObject is
        returned instead.  Use __str__ for the null-terminated form.
        """
        length, offset = self.length, self.obj_offset
        data = self.obj_vm.zread(offset, length)
        if data:
            return data
        return obj.NoneObject("Cannot read string length {0} at {1:#x}".format(length, offset))
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:21,代码来源:basic.py

示例8: calculate

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def calculate(self):
        """Yield (atom_table, window_station) pairs found in memory.

        First walks every window station and yields its global atom table,
        deduplicated by the table's physical address since several stations
        may share one.  Then yields tables the scanner finds that are not
        linked to any station (this is how win32k!UserAtomHandleTable is
        found), paired with a NoneObject in place of the station.
        """
        seen = []

        # Atom tables reachable from a window station
        for wndsta in windowstations.WndScan(self._config).calculate():
            table_pa = wndsta.obj_native_vm.vtop(wndsta.pGlobalAtomTable)
            if table_pa not in seen:
                seen.append(table_pa)
                # The table is dereferenced inside the station's session space
                atom_table = wndsta.AtomTable
                if atom_table.is_valid():
                    yield atom_table, wndsta

        # Orphan tables, e.g. win32k!UserAtomHandleTable
        for table in AtomScan(self._config).calculate():
            if table.PhysicalAddress not in seen:
                yield table, obj.NoneObject("No windowstation")
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:25,代码来源:atoms.py

示例9: find_session_space

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def find_session_space(self, kernel_space, session_id):
        """Return the _MM_SESSION_SPACE for *session_id*.

        @param kernel_space: a kernel AS used to enumerate processes
        @param session_id: the session ID to look for

        @returns the _MM_SESSION_SPACE of the first process in that
        session which has a usable address space, built on that process's
        own AS; a NoneObject when no such process exists.
        """
        in_session = (proc for proc in tasks.pslist(kernel_space)
                      if proc.SessionId == session_id)
        for proc in in_session:
            ps_ad = proc.get_process_address_space()
            # A NoneObject compares == None, so the loose test is intended.
            if ps_ad != None:
                return obj.Object("_MM_SESSION_SPACE",
                                  offset = proc.Session.v(), vm = ps_ad)
        return obj.NoneObject("Cannot locate a session")
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:18,代码来源:sessions.py

示例10: find_shared_info

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def find_shared_info(self):
        """Locate this session's tagSHAREDINFO inside win32k's .data section.

        gSharedInfo is a static in .data rather than a pool allocation, so
        every DWORD-aligned chunk of the section is tried as a tagSHAREDINFO
        until one passes its sanity checks.  Paged-out chunks are skipped,
        as are candidates whose validation touches an invalid offset.
        """
        for chunk in self._section_chunks(".data"):
            if not chunk.is_valid():
                continue        # base of the candidate is paged out

            candidate = obj.Object("tagSHAREDINFO",
                                   offset = chunk.obj_offset, vm = self.obj_vm)
            try:
                passes = candidate.is_valid()
            except obj.InvalidOffsetError:
                continue
            if passes:
                return candidate

        return obj.NoneObject("Cannot find win32k!gSharedInfo")
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:26,代码来源:win32k_core.py

示例11: reference_object

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def reference_object(self):
        """Instantiate the object this handle entry refers to.

        The entry's bType selects the structure name; a bType that is not
        in the map cannot be instantiated and produces a NoneObject.
        """
        struct_for_type = {
            "TYPE_WINDOW": "tagWND",
            "TYPE_HOOK": "tagHOOK",
            "TYPE_CLIPDATA": "tagCLIPDATA",
            "TYPE_WINEVENTHOOK": "tagEVENTHOOK",
            "TYPE_TIMER": "tagTIMER",
        }

        struct_name = struct_for_type.get(str(self.bType), None)
        if struct_name:
            return obj.Object(struct_name, offset = self.phead, vm = self.obj_vm)
        return obj.NoneObject("Cannot reference object type")
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:24,代码来源:win32k_core.py

示例12: find_module

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def find_module(self, address):
        """Return the module whose [base, end] range contains *address*.

        @param address: location in the process or kernel AS to find an
        owning module for.

        Scans the precomputed mod_fast list of (base, end, module) triples,
        which is much cheaper than tasks.find_module when thousands of
        lookups are performed.  Returns a NoneObject with an empty reason
        when no range matches.
        """
        missing = object()
        hit = next((mod for base, end, mod in self.mod_fast
                    if address >= base and address <= end), missing)
        if hit is missing:
            return obj.NoneObject("")
        return hit

#--------------------------------------------------------------------------------
# Hook Class
#-------------------------------------------------------------------------------- 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:21,代码来源:apihooks.py

示例13: open_key

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def open_key(root, key):
    """Walk *key* (a list of subkey names) down from *root*.

    The list is consumed in place, one name per recursion step, and
    names are matched case-insensitively.  Returns *root* when the path
    is exhausted, None when *root* itself is invalid, and a NoneObject
    (after a level-1 debug message) when a named subkey does not exist.
    """
    if key == []:
        return root
    if not root.is_valid():
        return None

    wanted = key.pop(0)
    wanted_upper = wanted.upper()
    for subkey in subkeys(root):
        if subkey.Name.upper() == wanted_upper:
            return open_key(subkey, key)

    message = "Couldn't find subkey {0} of {1}".format(wanted, root.Name)
    debug.debug(message, 1)
    return obj.NoneObject(message)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:15,代码来源:rawreg.py

示例14: dump_hashes

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
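def dump_hashes(sysaddr, samaddr):
    """Yield one ``name:rid:lmhash:nthash:::`` line per user key in the SAM.

    @param sysaddr: address space over the SYSTEM hive (source of the bootkey)
    @param samaddr: address space over the SAM hive (source of the user keys)

    Error conditions are reported by yielding a NoneObject carrying the
    reason rather than by raising: a missing hive address, an invalid
    hbootkey, or a user whose hashes cannot be obtained.
    """
    # Either address may be a NoneObject, which compares == None.  Stop
    # after reporting it instead of falling through into get_bootkey()
    # with an unusable hive address.
    if sysaddr == None:
        yield obj.NoneObject("SYSTEM address is None: Did you use the correct profile?")
        return
    if samaddr == None:
        yield obj.NoneObject("SAM address is None: Did you use the correct profile?")
        return

    bootkey = get_bootkey(sysaddr)
    hbootkey = get_hbootkey(samaddr, bootkey)
    if not hbootkey:
        yield obj.NoneObject("Hbootkey is not valid")
        return

    for user in get_user_keys(samaddr):
        ret = get_user_hashes(user, hbootkey)
        if not ret:
            yield obj.NoneObject("Cannot get user hashes for {0}".format(user))
            continue

        lmhash, nthash = ret
        # Missing hashes fall back to the module-level empty_lm / empty_nt values
        lmhash = lmhash or empty_lm
        nthash = nthash or empty_nt
        ## temporary fix to prevent UnicodeDecodeError backtraces
        ## however this can cause truncated user names as a result
        name = get_user_name(user).encode('ascii', 'ignore')
        yield "{0}:{1}:{2}:{3}:::".format(name, int(str(user.Name), 16),
                                          lmhash.encode('hex'), nthash.encode('hex'))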
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:28,代码来源:hashdump.py

示例15: dump_memory_hashes

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import NoneObject [as 别名]
def dump_memory_hashes(addr_space, config, syshive, samhive):
    """Wrap the SYSTEM and SAM hives in HiveAddressSpaces and hand them to dump_hashes.

    Returns whatever dump_hashes returns when both hive offsets are
    present, otherwise a NoneObject explaining that one is missing.
    (syshive / samhive may be NoneObjects, which compare == None, so the
    loose comparison below is intended.)
    """
    both_present = syshive != None and samhive != None
    if not both_present:
        return obj.NoneObject("SYSTEM or SAM address is None: Did you use the correct profile?")

    def hive_space(hive_offset):
        return hive.HiveAddressSpace(addr_space, config, hive_offset)

    return dump_hashes(hive_space(syshive), hive_space(samhive))
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:8,代码来源:hashdump.py


注:本文中的volatility.obj.NoneObject方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。