本文整理汇总了Python中volatility.obj.Object方法的典型用法代码示例。如果您正苦于以下问题:Python obj.Object方法的具体用法?Python obj.Object怎么用?Python obj.Object使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类volatility.obj的用法示例。
在下文中一共展示了obj.Object方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: read_sklist
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def read_sklist(sk):
if (sk.Signature.v() == LH_SIG or
sk.Signature.v() == LF_SIG):
for i in sk.List:
yield i
elif sk.Signature.v() == RI_SIG:
for i in range(sk.Count):
# Read and dereference the pointer
ptr_off = sk.List.obj_offset + (i * 4)
if not sk.obj_vm.is_valid_address(ptr_off):
continue
ssk_off = obj.Object("unsigned int", ptr_off, sk.obj_vm)
if not sk.obj_vm.is_valid_address(ssk_off):
continue
ssk = obj.Object("_CM_KEY_INDEX", ssk_off, sk.obj_vm)
for i in read_sklist(ssk):
yield i
# Note: had to change SubKeyLists to be array of 2 pointers in vtypes.py 示例2: __init__
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def __init__(self, address_space):
scan.ScannerCheck.__init__(self, address_space)
kpcr = obj.Object("_KPCR", vm = self.address_space, offset = 0)
if address_space.profile.metadata.get('memory_model', '') == '32bit':
self.SelfPcr_offset = kpcr.SelfPcr.obj_offset
self.Prcb_offset = kpcr.Prcb.obj_offset
self.PrcbData_offset = kpcr.PrcbData.obj_offset
# In the check() routine, we need to compare masked virtual
# addresses, but self.address_space is a BufferAddressSpace.
self.address_equality = amd64.AMD64PagedMemory.address_equality
else:
# The self-referencing member of _KPCR is Self on x64
self.SelfPcr_offset = kpcr.Self.obj_offset
# The pointer to _KPRCB is CurrentPrcb on x64
self.Prcb_offset = kpcr.CurrentPrcb.obj_offset
# The nested _KPRCB in Prcb on x64
self.PrcbData_offset = kpcr.Prcb.obj_offset
self.address_equality = intel.IA32PagedMemory.address_equality
self.KPCR = None 示例3: check
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def check(self, offset):
""" We check that _KCPR.pSelfPCR points to the start of the _KCPR struct """
paKCPR = offset
paPRCBDATA = offset + self.PrcbData_offset
try:
pSelfPCR = obj.Object('Pointer', offset = (offset + self.SelfPcr_offset), vm = self.address_space)
pPrcb = obj.Object('Pointer', offset = (offset + self.Prcb_offset), vm = self.address_space)
if self.address_equality(pSelfPCR, paKCPR) and self.address_equality(pPrcb, paPRCBDATA):
self.KPCR = pSelfPCR
return True
except BaseException:
return False
return False
# make the scan DWORD aligned 示例4: heap_entries
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def heap_entries(self):
"""Enumerate the heaps in this segment.
##FIXME:
* Raise ValueError if corruptions are detected.
* Should we start at FirstEntry or Entry?
"""
next = self.Entry #FirstEntry.dereference()
last = self.LastValidEntry.dereference()
chunk_size = self.obj_vm.profile.get_obj_size("_HEAP_ENTRY")
while (next and
next.obj_offset < last.obj_offset):
yield next
next = obj.Object("_HEAP_ENTRY",
offset = next.obj_offset + next.Size * chunk_size,
vm = next.obj_vm) 示例5: scan
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def scan(self, tags = []):
"""
Scan for the pools by tag.
@param tags: a list of pool tags to scan for,
or empty for scanning for all tags.
"""
(table_base, table_size) = \
obj.VolMagic(self.kernel_space).BigPageTable.v()
pools = obj.Object('Array', targetType = '_POOL_TRACKER_BIG_PAGES',
offset = table_base,
count = table_size, vm = self.kernel_space
)
for pool in pools:
if pool.Va.is_valid():
if not tags or pool.Key in tags:
yield pool
#--------------------------------------------------------------------------------
# BigPools Plugin
#-------------------------------------------------------------------------------- 示例6: _walk_net_spaces
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def _walk_net_spaces(self):
offset = self.addr_space.profile.get_obj_offset("sock_common", "skc_node")
nslist_addr = self.addr_space.profile.get_symbol("net_namespace_list")
nethead = obj.Object("list_head", offset = nslist_addr, vm = self.addr_space)
for net in nethead.list_of_type("net", "list"):
node = net.packet.sklist.first.dereference().v()
sk = obj.Object("sock", offset = node - offset, vm = self.addr_space)
while sk.is_valid():
inode = self._SOCK_INODE(sk.sk_socket)
ino = inode
yield ino
sk = obj.Object("sock", offset = sk.sk_node.next - offset, vm = self.addr_space) 示例7: _gather_dcache
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def _gather_dcache(self):
d_hash_shift = obj.Object("unsigned int", offset =self.addr_space.profile.get_symbol("d_hash_shift"), vm = self.addr_space)
loop_max = 1 << d_hash_shift
d_htable_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("dentry_hashtable"), vm = self.addr_space)
arr = obj.Object(theType = "Array", targetType = "hlist_bl_head", offset = d_htable_ptr, vm = self.addr_space, count = loop_max)
hash_offset = self.addr_space.profile.get_obj_offset("dentry", "d_hash")
dents = {}
for list_head in arr:
if not list_head.first.is_valid():
continue
node = obj.Object("hlist_bl_node", offset = list_head.first & ~1, vm = self.addr_space)
for node, cnt in self._walk_node(node):
dents[node.v() - hash_offset] = 0
return dents 示例8: __iter__
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def __iter__(self):
if self.is_valid():
seen = {}
bucket_array = obj.Object(theType="Array", targetType="Pointer", offset = self.bucket_array, vm = self.nbuckets.obj_vm, count = 64)
for bucket_ptr in bucket_array:
bucket = bucket_ptr.dereference_as("bucket_contents")
while bucket.times_found > 0 and bucket.data.is_valid() and bucket.key.is_valid():
if bucket.v() in seen:
break
seen[bucket.v()] = 1
pdata = bucket.data
if pdata.path.is_valid() and (0 <= pdata.flags <= 2):
yield bucket
bucket = bucket.next 示例9: check_proc_fop
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def check_proc_fop(self, f_op_members, modules):
proc_mnt_addr = self.addr_space.profile.get_symbol("proc_mnt")
if not proc_mnt_addr:
return
proc_mnt_ptr = obj.Object("Pointer", offset = proc_mnt_addr, vm = self.addr_space)
proc_mnt = proc_mnt_ptr.dereference_as("vfsmount")
root = proc_mnt.mnt_root
for (hooked_member, hook_address) in self.verify_ops(root.d_inode.i_fop, f_op_members, modules):
yield ("proc_mnt: root", hooked_member, hook_address)
# only check the root directory
for dentry in root.d_subdirs.list_of_type("dentry", "d_u"):
name = dentry.d_name.name.dereference_as("String", length = 255)
for (hooked_member, hook_address) in self.verify_ops(dentry.d_inode.i_fop, f_op_members, modules):
yield("proc_mnt: {0}".format(name), hooked_member, hook_address) 示例10: calculate
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def calculate(self):
linux_common.set_plugin_members(self)
modules = linux_lsmod.linux_lsmod(self._config).get_modules()
f_op_members = self.profile.types['file_operations'].keywords["members"].keys()
f_op_members.remove('owner')
if self._config.INODE:
inode = obj.Object("inode", offset=self._config.INODE, vm=self.addr_space)
if not inode.is_valid():
debug.error("Invalid inode address given. Please use linux_find_file to determine valid inode addresses.")
for (hooked_member, hook_address) in self.verify_ops(inode.i_fop, f_op_members, modules):
yield("inode at {0:x}".format(inode.obj_offset), hooked_member, hook_address)
else:
funcs = [self.check_open_files_fop, self.check_proc_fop, self.check_proc_root_fops, self.check_file_cache]
for func in funcs:
for (name, member, address) in func(f_op_members, modules):
yield (name, member, address) 示例11: _walk_upid
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def _walk_upid(self, upid):
while upid:
pid = self.get_obj(upid.obj_offset, "pid", "numbers")
for task in self._task_for_pid(upid, pid):
yield task
if type(upid.pid_chain) == obj.Pointer:
pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
else:
pid_chain = upid.pid_chain
if not pid_chain:
break
upid = self.get_obj(pid_chain.next, "upid", "pid_chain") 示例12: _check_afinfo
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def _check_afinfo(self, modules):
op_members = self.profile.types['file_operations'].keywords["members"].keys()
seq_members = self.profile.types['seq_operations'].keywords["members"].keys()
tcp = ("tcp_seq_afinfo", ["tcp6_seq_afinfo", "tcp4_seq_afinfo"])
udp = ("udp_seq_afinfo", ["udplite6_seq_afinfo", "udp6_seq_afinfo", "udplite4_seq_afinfo", "udp4_seq_afinfo"])
protocols = [tcp, udp]
for proto in protocols:
struct_type = proto[0]
for global_var_name in proto[1]:
global_var_addr = self.addr_space.profile.get_symbol(global_var_name)
if not global_var_addr:
continue
global_var = obj.Object(struct_type, offset = global_var_addr, vm = self.addr_space)
for (name, member, hook_type, address) in self.check_afinfo(global_var_name, global_var, op_members, seq_members, modules):
yield (name, member, hook_type, address) 示例13: _check_inetsw
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def _check_inetsw(self, modules):
try:
self.addr_space.profile.get_obj_offset("inet_protosw", "list")
except KeyError:
debug.warning("You are using an old Linux profile. Please recreate the profile using the latest Volatility version.")
return
proto_members = self.profile.types['proto_ops'].keywords["members"].keys()
proto_members.remove('owner')
proto_members.remove('family')
inetsw_addr = self.addr_space.profile.get_symbol("inetsw")
inetsw = obj.Object(theType = "Array", targetType = "list_head", offset = inetsw_addr, vm = self.addr_space, count = 11)
for inet_list in inetsw:
for inet in inet_list.list_of_type("inet_protosw", "list"):
name = self.addr_space.read(inet.prot.name.obj_offset, 32)
idx = name.index("\x00")
if idx != -1:
name = name[:idx]
for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(inet.ops, proto_members, modules):
yield (name, hooked_member, hook_type, hook_address) 示例14: online_cpus
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def online_cpus(self):
""" returns a list of online cpus (the processor numbers) """
cpu_online_bits_addr = self.addr_space.profile.get_symbol("cpu_online_bits")
cpu_present_map_addr = self.addr_space.profile.get_symbol("cpu_present_map")
cpu_present_mask_addr = self.addr_space.profile.get_symbol("__cpu_present_mask")
#later kernels..
if cpu_online_bits_addr:
bmap = obj.Object("unsigned long", offset = cpu_online_bits_addr, vm = self.addr_space)
elif cpu_present_map_addr:
bmap = obj.Object("unsigned long", offset = cpu_present_map_addr, vm = self.addr_space)
elif cpu_present_mask_addr:
bmap = obj.Object("unsigned long", offset = cpu_present_mask_addr, vm = self.addr_space)
else:
raise AttributeError, "Unable to determine number of online CPUs for memory capture"
cpus = []
for i in range(32):
if bmap & (1 << i):
cpus.append(i)
return cpus 示例15: calculate
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Object [as 别名]
def calculate(self):
linux_common.set_plugin_members(self)
neigh_tables_addr = self.addr_space.profile.get_symbol("neigh_tables")
hasnext = True
try:
self.addr_space.profile.get_obj_offset("neigh_table", "next")
except KeyError:
hasnext = False
if hasnext == True:
ntables_ptr = obj.Object("Pointer", offset = neigh_tables_addr, vm = self.addr_space)
tables = linux_common.walk_internal_list("neigh_table", "next", ntables_ptr)
else:
tables_arr = obj.Object(theType="Array", targetType="Pointer", offset = neigh_tables_addr, vm = self.addr_space, count = 4)
tables = [t.dereference_as("neigh_table") for t in tables_arr]
for ntable in tables:
for aent in self.handle_table(ntable):
yield aent