本文整理汇总了Python中volatility.obj.Profile方法的典型用法代码示例。如果您正苦于以下问题:Python obj.Profile方法的具体用法?Python obj.Profile怎么用?Python obj.Profile使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类volatility.obj的用法示例。
在下文中一共展示了obj.Profile方法的14个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: _set_profile
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def _set_profile(self, profile_name):
## Load the required profile
if profile_name == None:
raise ASAssertionError, "You must set a profile!"
if profile_name in PROFILES:
ret = PROFILES[profile_name]
else:
profs = registry.get_plugin_classes(obj.Profile)
if profile_name in profs:
ret = profs[profile_name]()
PROFILES[profile_name] = ret
else:
raise ASAssertionError, "Invalid profile " + profile_name + " selected"
if not self.is_valid_profile(ret):
raise ASAssertionError, "Incompatible profile " + profile_name + " selected"
return ret 示例2: unique_sizes
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def unique_sizes(self):
items = registry.get_plugin_classes(obj.Profile).items()
sizes = set()
for name, cls in items:
if (cls._md_os != "windows" or cls._md_memory_model != "64bit"):
continue
#if (cls._md_major, cls._md_minor) < (6, 2):
# continue
conf = copy.deepcopy(self.obj_vm.get_config())
conf.PROFILE = name
buff = addrspace.BufferAddressSpace(config = conf)
header = obj.VolMagic(buff).KDBGHeader.v()
# this unpacks the kdbgsize from the signature
size = struct.unpack("<H", header[-2:])[0]
sizes.add(size)
return sizes 示例3: print_info
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def print_info():
""" Returns the results """
categories = {addrspace.BaseAddressSpace: 'Address Spaces',
commands.Command : 'Plugins',
obj.Profile: 'Profiles',
scan.ScannerCheck: 'Scanner Checks'}
for c, n in sorted(categories.items()):
lower = (c == commands.Command)
plugins = registry.get_plugin_classes(c, lower = lower)
print "\n"
print "{0}".format(n)
print "-" * len(n)
result = []
max_length = 0
for clsname, cls in sorted(plugins.items()):
try:
doc = cls.__doc__.strip().splitlines()[0]
except AttributeError:
doc = 'No docs'
result.append((clsname, doc))
max_length = max(len(clsname), max_length)
for (name, doc) in result:
print "{0:{2}} - {1:15}".format(name, doc, max_length) 示例4: list_plugins
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def list_plugins(self):
"""
list of plugins valid for the selected profile
:return:
"""
plugin_list = []
cmds = registry.get_plugin_classes(commands.Command, lower=True)
profs = registry.get_plugin_classes(obj.Profile)
profile_type = self.config.PROFILE
if profile_type not in profs:
print "Not a valid profile"
profile = profs[profile_type]()
for cmdname in sorted(cmds):
command = cmds[cmdname]
helpline = command.help() or ''
if command.is_valid_profile(profile):
plugin_list.append([cmdname, helpline])
return plugin_list 示例5: check_valid_profile
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def check_valid_profile(option, _opt_str, value, parser):
"""Checks to make sure the selected profile is valid"""
# PROFILES may not have been created yet,
# but the callback should get called once it has
# during the final parse of the config options
profs = registry.get_plugin_classes(obj.Profile)
if profs:
try:
profs[value]
except KeyError:
debug.error("Invalid profile " + value + " selected")
setattr(parser.values, option.dest, value) 示例6: modification
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def modification(self, profile):
profiles = registry.get_plugin_classes(obj.Profile)
meta = profile.metadata
# find the equivalent 32-bit profile to this 64-bit profile.
# the prof._md_build + 1 accounts for a poor decision we made
# a while back where we added + 1 to the build number for
# server-based profiles as a method to distinguish between
# client vs server in a plugin.
profile_32bit = None
for prof in profiles.values():
if (prof._md_os == "windows" and
prof._md_major == meta.get("major") and
prof._md_minor == meta.get("minor") and
((prof._md_build == meta.get("build")) or (prof._md_build + 1 == meta.get("build"))) and
prof._md_memory_model == "32bit"):
profile_32bit = prof()
break
if profile_32bit == None:
debug.warning("Cannot find a 32-bit equivalent profile. The "\
"WoW64 plugins (dlllist, ldrmodules, etc) may not work.")
return
profile.vtypes.update({
"_PEB32_LDR_DATA": self.cast_as_32bit(profile_32bit.vtypes["_PEB_LDR_DATA"]),
"_LDR32_DATA_TABLE_ENTRY": self.cast_as_32bit(profile_32bit.vtypes["_LDR_DATA_TABLE_ENTRY"]),
'_UNICODE32_STRING': self.cast_as_32bit(profile_32bit.vtypes["_UNICODE_STRING"]),
})
profile.object_classes.update({
"_LDR32_DATA_TABLE_ENTRY": pe_vtypes._LDR_DATA_TABLE_ENTRY,
"_UNICODE32_STRING": windows._UNICODE_STRING,
"LIST_ENTRY32": LIST_ENTRY32,
})
profile.merge_overlay({
'_PEB32': [None, {
'Ldr': [None, ['pointer32', ['_PEB32_LDR_DATA']]],
}]}) 示例7: list_plugins
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def list_plugins():
result = "\n\tSupported Plugin Commands:\n\n"
cmds = registry.get_plugin_classes(commands.Command, lower = True)
profs = registry.get_plugin_classes(obj.Profile)
if config.PROFILE == None:
config.update("PROFILE", "WinXPSP2x86")
if config.PROFILE not in profs:
raise BaseException("Invalid profile " + config.PROFILE + " selected")
profile = profs[config.PROFILE]()
wrongprofile = ""
for cmdname in sorted(cmds):
command = cmds[cmdname]
helpline = command.help() or ''
## Just put the title line (First non empty line) in this
## abbreviated display
for line in helpline.splitlines():
if line:
helpline = line
break
if command.is_valid_profile(profile):
result += "\t\t{0:15}\t{1}\n".format(cmdname, helpline)
else:
wrongprofile += "\t\t{0:15}\t{1}\n".format(cmdname, helpline)
if wrongprofile and config.VERBOSE:
result += "\n\tPlugins requiring a different profile:\n\n"
result += wrongprofile
return result 示例8: execute
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def execute(self):
""" Executes the plugin command."""
# Check we can support the plugins
profs = registry.get_plugin_classes(obj.Profile)
# force user to give a profile if a plugin
# other than kdbgscan or imageinfo are given:
if self.__class__.__name__.lower() in ["kdbgscan", "imageinfo"] and self._config.PROFILE == None:
self._config.update("PROFILE", "WinXPSP2x86")
elif self._config.PROFILE == None:
debug.error("You must set a profile!")
if self._config.PROFILE not in profs:
debug.error("Invalid profile " + self._config.PROFILE + " selected")
if not self.is_valid_profile(profs[self._config.PROFILE]()):
debug.error("This command does not support the profile " + self._config.PROFILE)
# # Executing plugins is done in two stages - first we calculate
data = self.calculate()
## Then we render the result in some way based on the
## requested output mode:
function_name = "render_{0}".format(self._config.OUTPUT)
if self._config.OUTPUT_FILE:
outfd = open(self._config.OUTPUT_FILE, 'w')
# TODO: We should probably check that this won't blat over an existing file
else:
outfd = sys.stdout
try:
func = getattr(self, function_name)
except AttributeError:
## Try to find out what formats are supported
result = []
for x in dir(self):
if x.startswith("render_"):
_a, b = x.split("_", 1)
result.append(b)
print "Plugin {0} is unable to produce output in format {1}. Supported formats are {2}. Please send a feature request".format(self.__class__.__name__, self._config.OUTPUT, result)
return
func(outfd, data) 示例9: guess_profile
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def guess_profile(self, memimg):
'''
Using one of the user-specified memory image files, try to guess a
working Volatility profile. This can easily take on the order of
minutes.
@memimg: a memory image file name
@return: the guessed Volatiltiy profile string
'''
sys.stderr.write("Auto configuring profile. This may take a some time.\n")
self.set_memimg(memimg)
# Must set a dummy profile or volatility dies
self.set_profile('WinXPSP2x86')
chosen = None
profilelist = [p.__name__ for p in registry.get_plugin_classes(obj.Profile).values()]
for profile in profilelist:
self.config.update('profile', profile)
addr_space = utils.load_as(self.config, astype='any')
if hasattr(addr_space, "dtb"):
chosen = profile
break
return chosen 示例10: profile_list
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def profile_list():
"""
Return a list of available Profiles
:return:
"""
prof_list = ['AutoDetect']
profs = registry.get_plugin_classes(obj.Profile)
for profile in profs.iterkeys():
prof_list.append(profile)
return sorted(prof_list) 示例11: execute
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def execute(self):
""" Executes the plugin command."""
# Check we can support the plugins
profs = registry.get_plugin_classes(obj.Profile)
# force user to give a profile if a plugin
# other than kdbgscan or imageinfo are given:
plugin_name = self.__class__.__name__.lower()
if plugin_name != "mac_get_profile":
if self._config.PROFILE == None:
if plugin_name in ["kdbgscan", "imageinfo"]:
self._config.update("PROFILE", "WinXPSP2x86")
else:
debug.error("You must set a profile!")
if self._config.PROFILE not in profs:
debug.error("Invalid profile " + self._config.PROFILE + " selected")
if not self.is_valid_profile(profs[self._config.PROFILE]()):
debug.error("This command does not support the profile " + self._config.PROFILE)
# # Executing plugins is done in two stages - first we calculate
data = self.calculate()
## Then we render the result in some way based on the
## requested output mode:
function_name = "render_{0}".format(self._config.OUTPUT)
if not self._config.OUTPUT == "sqlite" and self._config.OUTPUT_FILE:
out_file = '{0}_{1}.txt'.format(time.strftime('%Y%m%d%H%M%S'), plugin_name) if self._config.OUTPUT_FILE == '.' else self._config.OUTPUT_FILE
if os.path.exists(out_file):
debug.error("File " + out_file + " already exists. Cowardly refusing to overwrite it...")
print 'Outputting to: {0}'.format(out_file)
outfd = open(out_file, 'wb')
else:
outfd = sys.stdout
try:
func = getattr(self, function_name)
except AttributeError:
## Try to find out what formats are supported
result = []
for x in dir(self):
if x.startswith("render_"):
_a, b = x.split("_", 1)
result.append(b)
print "Plugin {0} is unable to produce output in format {1}. Supported formats are {2}. Please send a feature request".format(self.__class__.__name__, self._config.OUTPUT, result)
return
func(outfd, data) 示例12: calculate
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def calculate(self):
"""Determines the address space"""
profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]
encrypted_kdbg_profiles = []
proflens = {}
maxlen = 0
origprofile = self._config.PROFILE
for p in profilelist:
self._config.update('PROFILE', p)
buf = addrspace.BufferAddressSpace(self._config)
if buf.profile.metadata.get('os', 'unknown') == 'windows':
proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
maxlen = max(maxlen, len(proflens[p]))
if (buf.profile.metadata.get('memory_model', '64bit') == '64bit' and
(buf.profile.metadata.get('major', 0),
buf.profile.metadata.get('minor', 0)) >= (6, 2)):
encrypted_kdbg_profiles.append(p)
self._config.update('PROFILE', origprofile)
# keep track of the number of potential KDBGs we find
count = 0
if origprofile not in encrypted_kdbg_profiles:
scanner = KDBGScanner(needles = proflens.values())
aspace = utils.load_as(self._config, astype = 'any')
suspects = []
for offset in scanner.scan(aspace):
val = aspace.read(offset, maxlen + 0x10)
for l in proflens:
if val.find(proflens[l]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
suspects.append((l, kdbg))
count += 1
for p, k in suspects:
if not self._config.FORCE:
yield p, k
continue
self._config.update("PROFILE", p)
nspace = utils.load_as(self._config, astype = "any")
for offset in scanner.scan(nspace):
val = nspace.read(offset, maxlen + 0x10)
if val.find(proflens[p]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = nspace)
yield p, kdbg
self._config.update('PROFILE', origprofile)
# only perform the special win8/2012 scan if we didn't find
# any others and if a virtual x64 address space is available
if count == 0:
if origprofile in encrypted_kdbg_profiles:
encrypted_kdbg_profiles = [origprofile]
for profile in encrypted_kdbg_profiles:
self._config.update('PROFILE', profile)
aspace = utils.load_as(self._config, astype = 'any')
if hasattr(aspace, 'vtop'):
for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
yield profile, kdbg 示例13: execute
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def execute(self):
""" Executes the plugin command."""
# Check we can support the plugins
profs = registry.get_plugin_classes(obj.Profile)
# force user to give a profile if a plugin
# other than kdbgscan or imageinfo are given:
if self.__class__.__name__.lower() in ["kdbgscan", "imageinfo"] and self._config.PROFILE == None:
self._config.update("PROFILE", "WinXPSP2x86")
elif self._config.PROFILE == None:
debug.error("You must set a profile!")
if self._config.PROFILE not in profs:
debug.error("Invalid profile " + self._config.PROFILE + " selected")
if not self.is_valid_profile(profs[self._config.PROFILE]()):
debug.error("This command does not support the profile " + self._config.PROFILE)
# # Executing plugins is done in two stages - first we calculate
data = self.calculate()
## Then we render the result in some way based on the
## requested output mode:
function_name = "render_{0}".format(self._config.OUTPUT)
if self._config.OUTPUT_FILE:
if os.path.exists(self._config.OUTPUT_FILE):
debug.error("File " + self._config.OUTPUT_FILE + " already exists. Cowardly refusing to overwrite it...")
outfd = open(self._config.OUTPUT_FILE, 'wb')
# TODO: We should probably check that this won't blat over an existing file
else:
outfd = sys.stdout
try:
func = getattr(self, function_name)
except AttributeError:
## Try to find out what formats are supported
result = []
for x in dir(self):
if x.startswith("render_"):
_a, b = x.split("_", 1)
result.append(b)
print "Plugin {0} is unable to produce output in format {1}. Supported formats are {2}. Please send a feature request".format(self.__class__.__name__, self._config.OUTPUT, result)
return
func(outfd, data) 示例14: calculate
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import Profile [as 别名]
def calculate(self):
"""Determines the address space"""
profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]
encrypted_kdbg_profiles = []
proflens = {}
maxlen = 0
origprofile = self._config.PROFILE
for p in profilelist:
self._config.update('PROFILE', p)
buf = addrspace.BufferAddressSpace(self._config)
if buf.profile.metadata.get('os', 'unknown') == 'windows':
proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
maxlen = max(maxlen, len(proflens[p]))
if (buf.profile.metadata.get('memory_model', '64bit') == '64bit' and
(buf.profile.metadata.get('major', 0),
buf.profile.metadata.get('minor', 0)) >= (6, 2)):
encrypted_kdbg_profiles.append(p)
self._config.update('PROFILE', origprofile)
# keep track of the number of potential KDBGs we find
count = 0
if origprofile not in encrypted_kdbg_profiles:
scanner = KDBGScanner(needles = proflens.values())
aspace = utils.load_as(self._config, astype = 'any')
for offset in scanner.scan(aspace):
val = aspace.read(offset, maxlen + 0x10)
for l in proflens:
if val.find(proflens[l]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
yield l, kdbg
count += 1
# only perform the special win8/2012 scan if we didn't find
# any others and if a virtual x64 address space is available
if count == 0:
if origprofile in encrypted_kdbg_profiles:
encrypted_kdbg_profiles = [origprofile]
for profile in encrypted_kdbg_profiles:
self._config.update('PROFILE', profile)
aspace = utils.load_as(self._config, astype = 'any')
if hasattr(aspace, 'vtop'):
for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
yield profile, kdbg