本文整理汇总了Python中volatility.obj.VolMagic方法的典型用法代码示例。如果您正苦于以下问题:Python obj.VolMagic方法的具体用法?Python obj.VolMagic怎么用?Python obj.VolMagic使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类volatility.obj的用法示例。
在下文中一共展示了obj.VolMagic方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: scan
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def scan(self, tags = []):
"""
Scan for the pools by tag.
@param tags: a list of pool tags to scan for,
or empty for scanning for all tags.
"""
(table_base, table_size) = \
obj.VolMagic(self.kernel_space).BigPageTable.v()
pools = obj.Object('Array', targetType = '_POOL_TRACKER_BIG_PAGES',
offset = table_base,
count = table_size, vm = self.kernel_space
)
for pool in pools:
if pool.Va.is_valid():
if not tags or pool.Key in tags:
yield pool
#--------------------------------------------------------------------------------
# BigPools Plugin
#-------------------------------------------------------------------------------- 示例2: get_object_bottom_up
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def get_object_bottom_up(self, struct_name, object_type, skip_type_check):
"""Get the windows object contained within this pool
by using the bottom-up approach to finding the object
"""
if not object_type:
return obj.Object(struct_name, vm = self.obj_vm,
offset = self.obj_offset +
self.obj_vm.profile.get_obj_size("_POOL_HEADER"),
native_vm = self.obj_native_vm)
pool_alignment = obj.VolMagic(self.obj_vm).PoolAlignment.v()
the_object = obj.Object(struct_name, vm = self.obj_vm,
offset = (self.obj_offset + self.BlockSize * pool_alignment -
common.pool_align(self.obj_vm, struct_name, pool_alignment)),
native_vm = self.obj_native_vm)
header = the_object.get_object_header()
if (skip_type_check or
header.get_object_type() == object_type):
return the_object
else:
return obj.NoneObject("Cannot find the object") 示例3: unique_sizes
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def unique_sizes(self):
items = registry.get_plugin_classes(obj.Profile).items()
sizes = set()
for name, cls in items:
if (cls._md_os != "windows" or cls._md_memory_model != "64bit"):
continue
#if (cls._md_major, cls._md_minor) < (6, 2):
# continue
conf = copy.deepcopy(self.obj_vm.get_config())
conf.PROFILE = name
buff = addrspace.BufferAddressSpace(config = conf)
header = obj.VolMagic(buff).KDBGHeader.v()
# this unpacks the kdbgsize from the signature
size = struct.unpack("<H", header[-2:])[0]
sizes.add(size)
return sizes 示例4: __init__
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def __init__(self, address_space):
poolscan.PoolScanner.__init__(self, address_space)
self.struct_name = "_DRIVER_OBJECT"
self.object_type = "Driver"
# due to the placement of the driver extension, we
# use the top down approach instead of bottom-up.
self.use_top_down = True
self.pooltag = obj.VolMagic(address_space).DriverPoolTag.v()
size = 0xf8 # self.address_space.profile.get_obj_size("_DRIVER_OBJECT")
self.checks = [
('CheckPoolSize', dict(condition = lambda x: x >= size)),
('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
('CheckPoolIndex', dict(value = lambda x : x < 5)),
] 示例5: load_dtb
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def load_dtb(self):
"""Loads the DTB as quickly as possible from the config, then the base, then searching for it"""
try:
# If the user has manually specified one, then shortcircuit to that one
if self._config.DTB:
raise AttributeError
## Try to be lazy and see if someone else found dtb for
## us:
return self.base.dtb
except AttributeError:
## Ok so we need to find our dtb ourselves:
dtb = obj.VolMagic(self.base).DTB.v()
if dtb:
## Make sure to save dtb for other AS's
## Will this have an effect on following ASes attempts if this fails?
self.base.dtb = dtb
return dtb 示例6: __init__
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs):
## We must be stacked on someone else:
self.as_assert(base, "No base Address Space")
addrspace.AbstractVirtualAddressSpace.__init__(self, base, config, *args, **kwargs)
## We can not stack on someone with a dtb
self.as_assert(not (hasattr(base, 'paging_address_space') and base.paging_address_space), "Can not stack over another paging address space")
self.dtb = dtb or self.load_dtb()
# No need to set the base or dtb, it's already been by the inherited class
self.as_assert(self.dtb != None, "No valid DTB found")
if not skip_as_check:
volmag = obj.VolMagic(self)
if hasattr(volmag, self.checkname):
self.as_assert(getattr(volmag, self.checkname).v(), "Failed valid Address Space check")
else:
self.as_assert(False, "Profile does not have valid Address Space check")
# Reserved for future use
#self.pagefile = config.PAGEFILE
self.name = 'Kernel AS' 示例7: get_image_time
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def get_image_time(self, addr_space):
"""Extracts the time and date from the KUSER_SHARED_DATA area"""
# Get the Image Datetime
result = {}
# Create a VOLATILITY_MAGIC object to look up the location of certain constants
# Get the KUSER_SHARED_DATA location
KUSER_SHARED_DATA = obj.VolMagic(addr_space).KUSER_SHARED_DATA.v()
# Create the _KUSER_SHARED_DATA object at the appropriate offset
k = obj.Object("_KUSER_SHARED_DATA",
offset = KUSER_SHARED_DATA,
vm = addr_space)
# Start reading members from it
result['ImageDatetime'] = k.SystemTime
result['ImageTz'] = timefmt.OffsetTzInfo(-k.TimeZoneBias.as_windows_timestamp() / 10000000)
# Return any results we got
return result 示例8: decode_kdbg
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def decode_kdbg(self, vals):
"""Decoder the KDBG block using the provided
magic values and the algorithm reversed from
the Windows kernel file."""
block_encoded, kdbg_block, wait_never, wait_always = vals
header = obj.VolMagic(self.obj_vm).KDBGHeader.v()
kdbg_size = struct.unpack("<H", header[-2:])[0]
buffer = ""
entries = obj.Object("Array",
targetType = "unsigned long long",
count = kdbg_size / 8,
offset = kdbg_block, vm = self.obj_vm)
for entry in entries:
low_byte = (wait_never & 0xFFFFFFFF) & 0xFF
entry = patchguard.rol(entry ^ wait_never, low_byte)
swap_xor = block_encoded.obj_offset | 0xFFFF000000000000
entry = patchguard.bswap(entry ^ swap_xor)
buffer += struct.pack("Q", entry ^ wait_always)
return buffer 示例9: __init__
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def __init__(self, address_space):
poolscan.PoolScanner.__init__(self, address_space)
self.struct_name = "_DRIVER_OBJECT"
self.object_type = "Driver"
# due to the placement of the driver extension, we
# use the top down approach instead of bottom-up.
self.use_top_down = True
self.pooltag = obj.VolMagic(address_space).DriverPoolTag.v()
size = 0xf8 # self.address_space.profile.get_obj_size("_DRIVER_OBJECT")
self.checks = [
('CheckPoolSize', dict(condition = lambda x: x >= size)),
('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
('CheckPoolIndex', dict(value = 0)),
] 示例10: get_lsa_key
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def get_lsa_key(addr_space, secaddr, bootkey):
if not bootkey:
return None
root = rawreg.get_root(secaddr)
if not root:
return None
volmag = obj.VolMagic(addr_space)
enc_reg_key = rawreg.open_key(root, ["Policy", volmag.PolicyKey.v()])
if not enc_reg_key:
return None
enc_reg_value = enc_reg_key.ValueList.List.dereference()[0]
if not enc_reg_value:
return None
obf_lsa_key = secaddr.read(enc_reg_value.Data,
enc_reg_value.DataLength)
if not obf_lsa_key:
return None
if addr_space.profile.metadata.get('major', 0) == 5:
md5 = MD5.new()
md5.update(bootkey)
for _i in range(1000):
md5.update(obf_lsa_key[60:76])
rc4key = md5.digest()
rc4 = ARC4.new(rc4key)
lsa_key = rc4.decrypt(obf_lsa_key[12:60])
lsa_key = lsa_key[0x10:0x20]
else:
lsa_key = decrypt_aes(obf_lsa_key, bootkey)
lsa_key = lsa_key[68:100]
return lsa_key 示例11: __init__
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def __init__(self, addr_space, scanners = [], scan_virtual = False, show_unalloc = False, use_top_down = False, start_offset = None, max_length = None):
"""An interface into the multiple concurrent pool scanner.
@param addr_space: a Volatility address space
@param scanners: a list of PoolScanner classes to scan for.
@param scan_virtual: True to scan in virtual/kernel space
or False to scan at the physical layer.
@param show_unalloc: True to skip unallocated objects whose
_OBJECT_TYPE structure are 0xbad0b0b0.
@param use_topdown: True to carve objects out of the pool using
the top-down approach or False to use the bottom-up trick.
@param start_offset: the starting offset to begin scanning.
@param max_length: the size in bytes to scan from the start.
"""
self.scanners = scanners
self.scan_virtual = scan_virtual
self.show_unalloc = show_unalloc
self.use_top_down = use_top_down
self.start_offset = start_offset
self.max_length = max_length
self.address_space = addr_space
self.pool_alignment = obj.VolMagic(self.address_space).PoolAlignment.v() 示例12: check
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def check(self, offset):
pool_hdr = obj.Object('_POOL_HEADER', vm = self.address_space,
offset = offset - 4)
block_size = pool_hdr.BlockSize.v()
pool_alignment = obj.VolMagic(self.address_space).PoolAlignment.v()
return self.condition(block_size * pool_alignment) 示例13: calculate
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def calculate(self):
address_space = utils.load_as(self._config)
cookie = obj.VolMagic(address_space).ObHeaderCookie.v()
yield cookie 示例14: handles
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def handles(self):
""" A generator which yields this process's handles
_HANDLE_TABLE tables are multi-level tables at the first level
they are pointers to second level table, which might be
pointers to third level tables etc, until the final table
contains the real _OBJECT_HEADER table.
This generator iterates over all the handles recursively
yielding all handles. We take care of recursing into the
nested tables automatically.
"""
magic = obj.VolMagic(self.obj_vm)
if hasattr(magic, 'ObHeaderCookie'):
cookie = magic.ObHeaderCookie.v()
if not cookie:
raise StopIteration("Cannot find nt!ObHeaderCookie")
# This should work equally for 32 and 64 bit systems
LEVEL_MASK = 7
TableCode = self.TableCode.v() & ~LEVEL_MASK
table_levels = self.TableCode.v() & LEVEL_MASK
offset = TableCode
for h in self._make_handle_array(offset, table_levels):
yield h 示例15: generate_suggestions
# 需要导入模块: from volatility import obj [as 别名]
# 或者: from volatility.obj import VolMagic [as 别名]
def generate_suggestions(self):
"""Generates a list of possible KDBG structure locations"""
scanner = kdbg.KDBGScanner(needles = [obj.VolMagic(self.obj_vm).KDBGHeader.v()])
for val in scanner.scan(self.obj_vm):
val = obj.Object("_KDDEBUGGER_DATA64", offset = val, vm = self.obj_vm)
yield val