

Python obj.Pointer方法代码示例

本文整理汇总了Python中volatility.obj.Pointer方法的典型用法代码示例。如果您正苦于以下问题:Python obj.Pointer方法的具体用法?Python obj.Pointer怎么用?Python obj.Pointer使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在volatility.obj的用法示例。


在下文中一共展示了obj.Pointer方法的10个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: _walk_upid

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Pointer [as 别名]
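def _walk_upid(self, upid):
        """Yield every task reachable from *upid* by following its ``pid_chain``.

        Each upid is mapped to its enclosing ``pid`` through the ``numbers``
        member, the tasks for that pid are yielded via ``_task_for_pid``, and
        the walk then moves to the upid reached through ``pid_chain.next``.

        The chain is read from the memory image and must not be trusted: a
        corrupted or deliberately tampered image can make it cyclic, so the
        offset of every visited upid is recorded and the walk stops as soon as
        one repeats instead of looping forever.
        """
        seen = set()
        while upid and upid.is_valid() and upid.v() not in seen:
            seen.add(upid.v())

            pid = self.get_obj(upid.obj_offset, "pid", "numbers")

            for task in self._task_for_pid(upid, pid):
                yield task

            # pid_chain is either a Pointer or an inline hlist_node depending on
            # the profile; re-wrap the Pointer case so `.next` is read the same way.
            if type(upid.pid_chain) == obj.Pointer:
                pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
            else:
                pid_chain = upid.pid_chain

            if not pid_chain:
                break

            upid = self.get_obj(pid_chain.next, "upid", "pid_chain")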
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:20,代码来源:pidhashtable.py

示例2: _walk_upid

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Pointer [as 别名]
def _walk_upid(self, upid):
        """Yield the tasks for each upid reached by following ``pid_chain``.

        The offsets of visited upids are tracked so that a cyclic chain in the
        image ends the walk rather than looping forever.
        """
        visited = set()

        while upid and upid.is_valid():
            key = upid.v()
            if key in visited:
                break
            visited.add(key)

            owning_pid = self.get_obj(upid.obj_offset, "pid", "numbers")
            for task in self._task_for_pid(upid, owning_pid):
                yield task

            link = upid.pid_chain
            # A Pointer-typed pid_chain is re-read as an hlist_node at the same offset.
            if type(link) == obj.Pointer:
                link = obj.Object("hlist_node", offset = link.obj_offset, vm = self.addr_space)

            if not link:
                break

            upid = self.get_obj(link.next, "upid", "pid_chain")
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:21,代码来源:pidhashtable.py

示例3: _get_nodelist

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Pointer [as 别名]
def _get_nodelist(self):
        """Return the first ``kmem_list3`` described by ``self.nodelists``.

        ``nodelists`` is either a Pointer (dereferenced into a kmem_list3) or
        an Array (whose first element is used); any other type is reported
        through ``debug.error``.
        """
        nodelists = self.nodelists
        kind = type(nodelists)

        if kind == obj.Pointer:
            ret = obj.Object("kmem_list3", offset = nodelists.dereference(), vm = self.obj_vm)
        elif kind == obj.Array:
            ret = nodelists[0]
        else:
            debug.error("Unknown nodelists types. %s" % type(nodelists))

        return ret
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:14,代码来源:slab_info.py

示例4: _get_pidhash_array

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Pointer [as 别名]
def _get_pidhash_array(self):
        """Return the kernel ``pid_hash`` table as an Array of ``hlist_head``.

        The array length is ``1 << pidhash_shift``; both symbols are looked up
        in the profile and read from the address space.
        """
        profile = self.addr_space.profile
        vm = self.addr_space

        shift = obj.Object("unsigned int", offset = profile.get_symbol("pidhash_shift"), vm = vm)
        bucket_count = 1 << shift

        table_ptr = obj.Object("Pointer", offset = profile.get_symbol("pid_hash"), vm = vm)

        # pidhash is an array of hlist_heads
        return obj.Object(theType = 'Array', offset = table_ptr, vm = vm, targetType = 'hlist_head', count = bucket_count)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:13,代码来源:pidhashtable.py

示例5: calculate_v2

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Pointer [as 别名]
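def calculate_v2(self):
        """Yield task_structs found by walking the pid hash table (pid_link layout).

        Each non-empty bucket holds a pointer to a ``pid_link`` chain; the
        task_struct owning a pid_link is recovered by subtracting the offset
        of ``task_struct.pids``. Pointers are read from the image and are only
        checked with ``is_valid`` before use.

        The chain is followed through ``node.next``. Because the list comes
        from an untrusted image, the offset of every visited pid_link is
        recorded and the walk of a bucket stops when one repeats, so a
        corrupted cyclic list cannot hang the plugin.
        """
        poff = self.addr_space.profile.get_obj_offset("task_struct", "pids")

        pidhash = self._get_pidhash_array()

        for p in pidhash:
            if p.v() == 0:
                continue

            ptr = obj.Object("Pointer", offset = p.v(), vm = self.addr_space)

            if ptr.v() == 0:
                continue

            pidl = obj.Object("pid_link", offset = ptr.v(), vm = self.addr_space)

            nexth = pidl.pid

            if not nexth.is_valid():
                continue

            nexth = obj.Object("task_struct", offset = nexth - poff, vm = self.addr_space)

            seen = set()
            while pidl and pidl.obj_offset not in seen:
                seen.add(pidl.obj_offset)

                yield nexth

                pidl = pidl.node.m("next").dereference_as("pid_link")

                nexth = pidl.pid

                if not nexth.is_valid():
                    break

                nexth = obj.Object("task_struct", offset = nexth - poff, vm = self.addr_space)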
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:39,代码来源:pidhashtable.py

示例6: modification

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Pointer [as 别名]
def modification(self, profile):
        """Apply the x64 Windows adjustments to *profile*.

        Sets the pool alignment and KUSER_SHARED_DATA magic values, aliases
        ``_IMAGE_NT_HEADERS`` to the 64-bit header, widens ``DebuggerDataList``
        and the ``_KPROCESS`` DTB to ``unsigned long long``, and wraps
        ``profile._list_to_type`` in ``Pointer64Decorator`` (see the note at
        the end for why that hack is used).
        """
        magic_overlay = {
            'VOLATILITY_MAGIC': [ 0x0, {
                'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
                'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]],
            }],
        }
        profile.merge_overlay(magic_overlay)

        # The 64-bit PE header definition is the one this profile should use.
        profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]

        debugger_overlay = {
            '_DBGKD_GET_VERSION64': [ None, {
                'DebuggerDataList': [ None, ['pointer', ['unsigned long long']]],
            }],
        }
        profile.merge_overlay(debugger_overlay)

        # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs
        # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
        # in windows.windows_overlay which sets the DTB to a single unsigned long,
        # but we do not want that bleeding through to the x64 profiles. Instead we
        # want the x64 DTB to be a single unsigned long long.
        dtb_overlay = {
            '_KPROCESS': [ None, {
                'DirectoryTableBase': [ None, ['unsigned long long']],
            }],
        }
        profile.merge_overlay(dtb_overlay)

        # Note: the following method of profile modification is strongly discouraged
        #
        # Nasty hack because pointer64 has a special structure,
        # and therefore can't just be instantiated in object_classes
        # using profile.object_classes.update({'pointer64': obj.Pointer})
        profile._list_to_type = Pointer64Decorator(profile._list_to_type)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:29,代码来源:windows64.py

示例7: _get_name

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Pointer [as 别名]
def _get_name(self, pde, parent):
        """Return ``parent + "/" + name`` for the given proc_dir_entry.

        The name is read either through the Pointer (as a String capped at
        255 bytes) or inline from the entry using ``namelen``.
        NOTE(review): on the inline path ``namelen`` comes straight from the
        image and is not bounded the way the Pointer path is — confirm whether
        a cap is wanted.
        """
        name_field = pde.name
        if type(name_field) == obj.Pointer:
            entry_name = name_field.dereference_as("String", length = 255)
        else:
            entry_name = pde.obj_vm.read(name_field.obj_offset, pde.namelen)

        return str(parent + "/" + str(entry_name))
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:9,代码来源:check_fops.py

示例8: _process_sysctl_list

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Pointer [as 别名]
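def _process_sysctl_list(self, sysctl_list, r = 0):
        """Yield ``(sysctl, name, value)`` for every oid in a sysctl_oid_list.

        Args:
            sysctl_list: a ``sysctl_oid_list`` (or a Pointer to one).
            r: non-zero on the recursive call for a CTLTYPE_NODE child list,
               in which case the list head entry is skipped.

        The value is derived from ``oid_arg1`` according to the oid's ctltype;
        node entries whose handler is 0 are recursed into first. The list is
        read from an untrusted memory image, so the offset of every visited
        entry is recorded and the walk stops when one repeats — a corrupted
        cyclic ``sle_next`` chain therefore cannot hang the plugin.
        """
        if type(sysctl_list) == obj.Pointer:
            sysctl_list = sysctl_list.dereference_as("sysctl_oid_list")

        sysctl = sysctl_list.slh_first

        # skip the head entry if new list (recursive call)
        if r:
            sysctl = sysctl.oid_link.sle_next

        seen = set()
        while sysctl and sysctl.is_valid() and sysctl.obj_offset not in seen:
            seen.add(sysctl.obj_offset)

            name = sysctl.oid_name.dereference()

            # An empty name is treated as the end of the usable entries.
            if len(name) == 0:
                break

            name = str(name)

            ctltype = sysctl.get_ctltype()

            if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid():
                val = self._parse_global_variable_sysctls(name)
            elif ctltype == 'CTLTYPE_NODE':
                if sysctl.oid_handler == 0:
                    for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1):
                        yield info
                val = "Node"
            elif ctltype in ('CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE'):
                val = sysctl.oid_arg1.dereference()
            elif ctltype == 'CTLTYPE_STRING':
                ## FIXME: can we do this without get_string?
                val = common.get_string(sysctl.oid_arg1, self.addr_space)
            else:
                val = ctltype

            yield (sysctl, name, val)

            sysctl = sysctl.oid_link.sle_next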
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:41,代码来源:check_sysctl.py

示例9: calculate_v3

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Pointer [as 别名]
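def calculate_v3(self):
        """Yield valid, not-yet-seen task_structs by walking ``pid_hash`` (upid layout).

        The table is ``1 << pidhash_shift`` hlist_heads; every entry hanging
        off a head is a upid, which ``_walk_upid`` expands into tasks.
        ``self.seen_tasks`` records task offsets already yielded so each task
        is reported once.

        Each bucket's ``next`` chain is read from an untrusted image, so the
        visited node addresses are recorded per bucket and the walk stops on
        a repeat instead of looping forever on a corrupted cyclic list.
        """
        self.seen_tasks = {}

        profile = self.addr_space.profile

        pidhash_shift = obj.Object("unsigned int", offset = profile.get_symbol("pidhash_shift"), vm = self.addr_space)
        pidhash_size = 1 << pidhash_shift

        pidhash_addr = profile.get_symbol("pid_hash")
        pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)

        # pidhash is an array of hlist_heads
        pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)

        for hlist in pidhash:

            # each entry in the hlist is a upid which is wrapped in a pid
            ent = hlist.first
            seen_nodes = set()

            while ent.v() and ent.v() not in seen_nodes:
                seen_nodes.add(ent.v())

                upid = self.get_obj(ent.obj_offset, "upid", "pid_chain")

                for task in self._walk_upid(upid):
                    if task.obj_offset not in self.seen_tasks:
                        self.seen_tasks[task.obj_offset] = 1
                        if task.is_valid_task():
                            yield task

                ent = ent.m("next")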

    # the following functions exist because crash has handlers for them
    # but I was unable to find a profile/kernel that needed them (maybe too old or just a one-off distro kernel)
    # if someone actually triggers this message, I can quickly add in the support as I will have a sample to test against 
开发者ID:vortessence,项目名称:vortessence,代码行数:33,代码来源:pidhashtable.py

示例10: check_proc_fop

# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Pointer [as 别名]
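def check_proc_fop(self, f_op_members, modules):
        """Yield hooked ``file_operations`` members found under proc mounts.

        Args:
            f_op_members: names of the ``file_operations`` members to verify.
            modules: the loaded-module information ``verify_ops`` checks hook
                addresses against.

        Yields ``(description, hooked_member, hook_address)`` for the root
        inode of each proc mount and for every dentry directly under it
        (sub-directories are not descended into).
        """
        proc_mnt_addr = self.addr_space.profile.get_symbol("proc_mnt")

        if proc_mnt_addr:
            # The profile exposes a single global proc_mnt symbol.
            proc_mnt_ptr = obj.Object("Pointer", offset = proc_mnt_addr, vm = self.addr_space)
            proc_mnts = [proc_mnt_ptr.dereference_as("vfsmount")]
        else:
            # Otherwise collect one proc mount per pid namespace, de-duplicated
            # by the namespace address.
            proc_mnts = []
            seen_pids = set()

            if self.addr_space.profile.obj_has_member("nsproxy", "pid_ns"):
                ns_member = "pid_ns"
            else:
                ns_member = "pid_ns_for_children"

            for task in self.tasks:
                pidns = task.nsproxy.m(ns_member)

                if pidns.v() in seen_pids:
                    continue
                seen_pids.add(pidns.v())

                proc_mnts.append(pidns.proc_mnt)

        for proc_mnt in proc_mnts:
            root = proc_mnt.mnt_root

            for (hooked_member, hook_address) in self.verify_ops(root.d_inode.i_fop, f_op_members, modules):
                yield ("proc_mnt: root: %x" % root.v(), hooked_member, hook_address)

            # only check the root directory
            if self.addr_space.profile.obj_has_member("dentry", "d_child"):
                walk_member = "d_child"
            else:
                walk_member = "d_u"

            for dentry in root.d_subdirs.list_of_type("dentry", walk_member):
                name = dentry.d_name.name.dereference_as("String", length = 255)

                for (hooked_member, hook_address) in self.verify_ops(dentry.d_inode.i_fop, f_op_members, modules):
                    yield ("proc_mnt: {0:x}:{1}".format(root.v(), name), hooked_member, hook_address)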
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:45,代码来源:check_fops.py


注:本文中的volatility.obj.Pointer方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。