本文整理汇总了Python中volatility.plugins.common.AbstractWindowsCommand方法的典型用法代码示例。如果您正苦于以下问题:Python common.AbstractWindowsCommand方法的具体用法?Python common.AbstractWindowsCommand怎么用?Python common.AbstractWindowsCommand使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类volatility.plugins.common
的用法示例。
在下文中一共展示了common.AbstractWindowsCommand方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register the ASEP-TYPE and VERBOSE options and reset the per-run result buckets.

    Args:
        config: volatility configuration object; options are registered on it in
            place (the existing VERBOSE definition is removed first and replaced).
        *args, **kwargs: passed straight through to the base command constructor.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

    # Result buckets, presumably filled by the collection code elsewhere in the
    # plugin (not visible here). Initialised before option handling since the
    # two are independent.
    self.process_dict = {}
    self.autoruns = []
    self.services = []
    self.appinit_dlls = []
    self.winlogon = []
    self.winlogon_registrations = []
    self.tasks = []
    self.activesetup = []
    self.sdb = []

    config.add_option(
        "ASEP-TYPE",
        short_option='t',
        default=None,
        action='store',
        type='str',
        help='Only collect the ASEP types specified. Select from: autoruns, services, appinit, winlogon, tasks, activesetup, sdb (comma-separated)',
    )
    # VERBOSE is presumably already registered (e.g. by the base command); it is
    # dropped so the plugin-specific definition below replaces it instead of clashing.
    config.remove_option("VERBOSE")
    config.add_option(
        "VERBOSE",
        short_option='v',
        default=False,
        action='store_true',
        help='Show entries that are normally filtered out (Ex. Services from the System32 folder)',
    )
示例2: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
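def __init__(self, config, *args, **kwargs):
    """Strip unrelated inherited options and register the timeline options.

    The TYPE default is the comma-joined, sorted list of ``self.types``; the
    original built it through a redundant ``"".join([...])`` wrapper, which this
    version drops without changing the resulting string.

    Args:
        config: volatility configuration object; options are removed from and
            added to it in place.
        *args, **kwargs: passed straight through to the base command constructor.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

    # Options presumably registered by the base command or by other plugins that
    # make no sense for a timeline run — removed so they do not appear in --help.
    for inherited in ("SAVE-EVT", "HIVE-OFFSET", "KEY", "BASE", "REGEX",
                      "IGNORE-CASE", "DUMP-DIR", "OFFSET", "PID", "UNSAFE"):
        config.remove_option(inherited)

    # Artifact types this plugin knows how to emit; TYPE defaults to all of them.
    self.types = ["Process", "Socket", "Shimcache", "Userassist", "IEHistory", "Thread", "Symlink", "Timer",
                  "_CM_KEY_BODY", "LoadTime", "TimeDateStamp", "_HBASE_BLOCK", "_CMHIVE", "EvtLog", "ImageDate"]

    config.add_option('HIVE', short_option = 'H',
                      help = 'Gather Timestamps from a Particular Registry Hive', type = 'str')
    config.add_option('USER', short_option = 'U',
                      help = 'Gather Timestamps from a Particular User\'s Hive(s)', type = 'str')
    config.add_option("MACHINE", default = "",
                      help = "Machine name to add to timeline header")
    # Same value as the original ",".join(...) wrapped in "".join([...]) — the
    # outer join over a one-element list was a no-op.
    config.add_option("TYPE", default = ",".join(sorted(self.types)),
                      help = "Type of artifact to use in timeline (default is all, but \"Registry\")")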
示例3: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register the process-selection options (STRING-FILE, SCAN, OFFSET, PID, LOOKUP-PID).

    Args:
        config: volatility configuration object; options are added to it in place.
        *args, **kwargs: passed straight through to the base command constructor.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

    # (name, keyword arguments) in registration order; each row becomes one
    # config.add_option call with exactly these keywords.
    option_rows = (
        ('STRING-FILE', {'short_option': 's', 'default': None,
                         'help': 'File output in strings format (offset:string)',
                         'action': 'store', 'type': 'str'}),
        ("SCAN", {'short_option': 'S', 'default': False,
                  'action': 'store_true', 'help': 'Use PSScan if no offset is provided'}),
        ('OFFSET', {'short_option': 'o', 'default': None,
                    'help': 'EPROCESS offset (in hex) in the physical address space',
                    'action': 'store', 'type': 'int'}),
        ('PID', {'short_option': 'p', 'default': None,
                 'help': 'Operate on these Process IDs (comma-separated)',
                 'action': 'store', 'type': 'str'}),
        ('LOOKUP-PID', {'short_option': 'L', 'default': False,
                        'action': 'store_true', 'help': 'Lookup the ImageFileName of PIDs'}),
    )
    for option_name, option_kwargs in option_rows:
        config.add_option(option_name, **option_kwargs)
示例4: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register the MFT-parsing options (OFFSET, NOCHECK, ENTRYSIZE, DUMP-DIR, MACHINE, DEBUGOUT).

    Args:
        config: volatility configuration object; options are added to it in place.
        *args, **kwargs: passed straight through to the base command constructor.

    NOTE(review): DUMP-DIR receives resident files recovered from the image. The
    file names come from the image (untrusted data), so the code that writes
    them (outside this method) should neutralise path separators and '..' before
    joining with DUMP-DIR -- confirm against the dump routine.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

    option_rows = (
        ("OFFSET", dict(short_option = "o", default = None,
                        help = "Physical offset for MFT Entries (comma delimited)")),
        ('NOCHECK', dict(short_option = 'N', default = False,
                         help = 'Only all entries including w/null timestamps',
                         action = "store_true")),
        ("ENTRYSIZE", dict(short_option = "E", default = 1024,
                           help = "MFT Entry Size",
                           action = "store", type = "int")),
        # cache_invalidator=False: an output directory does not affect results,
        # so it should not invalidate cached data.
        ('DUMP-DIR', dict(short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump extracted resident files')),
        ("MACHINE", dict(default = "",
                         help = "Machine name to add to timeline header")),
        ("DEBUGOUT", dict(default = False,
                          help = "Output debugging messages",
                          action = "store_true")),
    )
    for option_name, option_kwargs in option_rows:
        config.add_option(option_name, **option_kwargs)
示例5: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Delegate construction to the base Windows command without adding options.

    Args:
        config: volatility configuration object, forwarded unchanged.
        *args, **kwargs: forwarded unchanged to the base constructor.
    """
    base_init = common.AbstractWindowsCommand.__init__
    base_init(self, config, *args, **kwargs)
示例6: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
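def __init__(self, config, *args, **kwargs):
    """Register the MIN-LENGTH option (default 5).

    The help text previously read "Mimumim length"; the typo is corrected here,
    which is the only behavioural change.

    Args:
        config: volatility configuration object; the option is added in place.
        *args, **kwargs: passed straight through to the base command constructor.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    config.add_option('MIN-LENGTH', short_option = 'M', default = 5,
                      help = 'Minimum length of passphrases to identify',
                      action = 'store', type = 'int')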
示例7: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register the TAGS option (pool tag to search for).

    Args:
        config: volatility configuration object; the option is added in place.
        *args, **kwargs: passed straight through to the base command constructor.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    tag_option = {'short_option': 't', 'help': 'Pool tag to find'}
    config.add_option('TAGS', **tag_option)
示例8: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Initialise both bases and register the OFFSET, PID and NAME process filters.

    Args:
        config: volatility configuration object; options are added in place.
        *args, **kwargs: passed straight through to the Windows command constructor
            (cache.Testable takes no extra arguments).
    """
    # Both base constructors are called explicitly, Windows command first, so
    # the order of base-class initialisation is unchanged.
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    cache.Testable.__init__(self)

    option_rows = (
        ('OFFSET', dict(short_option = 'o', default = None,
                        help = 'EPROCESS offset (in hex) in the physical address space',
                        action = 'store', type = 'int')),
        ('PID', dict(short_option = 'p', default = None,
                     help = 'Operate on these Process IDs (comma-separated)',
                     action = 'store', type = 'str')),
        ('NAME', dict(short_option = 'n', default = None,
                      help = 'Operate on these process names (regex)',
                      action = 'store', type = 'str')),
    )
    for option_name, option_kwargs in option_rows:
        config.add_option(option_name, **option_kwargs)
示例9: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register the PHYSICAL-OFFSET flag.

    Args:
        config: volatility configuration object; the flag is added in place.
        *args, **kwargs: passed straight through to the base command constructor.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    # cache_invalidator=False: how offsets are displayed does not change the
    # underlying results, so toggling the flag must not invalidate the cache.
    physical_offset_flag = dict(
        short_option = 'P',
        default = False,
        cache_invalidator = False,
        help = "Physical Offset",
        action = "store_true",
    )
    config.add_option("PHYSICAL-OFFSET", **physical_offset_flag)
示例10: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register the ADDR option (address to look up a module for).

    Args:
        config: volatility configuration object; the option is added in place.
        *args, **kwargs: passed straight through to the base command constructor.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    addr_option = dict(
        short_option = 'a',
        default = None,
        action = 'store',
        type = 'int',
        help = 'Show info on module at or containing this address',
    )
    config.add_option('ADDR', **addr_option)
示例11: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register the OFFSET, IMNAME and PID process selectors and reset cached state.

    Args:
        config: volatility configuration object; options are added in place.
        *args, **kwargs: passed straight through to the base command constructor.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

    # Address space and process handle, presumably resolved later by the plugin
    # (not visible here). Set before the options since the two are independent.
    self._addrspace = None
    self._proc = None

    option_rows = (
        ('OFFSET', dict(short_option = 'o', default = None,
                        help = 'EPROCESS Offset (in hex) in kernel address space',
                        action = 'store', type = 'int')),
        ('IMNAME', dict(short_option = 'n', default = None,
                        help = 'Operate on this Process name',
                        action = 'store', type = 'str')),
        ('PID', dict(short_option = 'p', default = None,
                     help = 'Operate on these Process IDs (comma-separated)',
                     action = 'store', type = 'str')),
    )
    for option_name, option_kwargs in option_rows:
        config.add_option(option_name, **option_kwargs)
示例12: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register the file-extraction options and reset the plugin's working state.

    Args:
        config: volatility configuration object; options are added in place.
        *args, **kwargs: passed straight through to the base command constructor.

    NOTE(review): NAME places a filename recovered from the memory image into the
    output path under DUMP-DIR. That name is untrusted data from the image, so the
    code that builds the output path (outside this method) should strip path
    separators and '..' components before writing -- confirm against the dump
    routine. UNSAFE relaxes validation ("for more data"); output produced with it
    set is presumably less trustworthy and worth flagging in the summary.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

    # Working state, presumably populated later by the plugin (not visible here).
    self.kaddr_space = None
    self.filters = []

    option_rows = (
        ('REGEX', dict(short_option = 'r',
                       help = 'Dump files matching REGEX',
                       action = 'store', type = 'string')),
        ('IGNORE-CASE', dict(short_option = 'i',
                             help = 'Ignore case in pattern match',
                             action = 'store_true', default = False)),
        ('OFFSET', dict(short_option = 'o', default = None,
                        help = 'Dump files for Process with physical address OFFSET',
                        action = 'store', type = 'int')),
        ('PHYSOFFSET', dict(short_option = 'Q', default = None,
                            help = 'Dump File Object at physical address PHYSOFFSETs (comma delimited)',
                            action = 'store', type = 'str')),
        # cache_invalidator=False on the two output-location options: where
        # results are written does not change the results themselves.
        ('DUMP-DIR', dict(short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump extracted files')),
        ('SUMMARY-FILE', dict(short_option = 'S', default = None,
                              cache_invalidator = False,
                              help = 'File where to store summary information')),
        ('PID', dict(short_option = 'p', default = None,
                     help = 'Operate on these Process IDs (comma-separated)',
                     action = 'store', type = 'str')),
        ('NAME', dict(short_option = 'n',
                      help = 'Include extracted filename in output file path',
                      action = 'store_true', default = False)),
        ('UNSAFE', dict(short_option = 'u',
                        help = 'Relax safety constraints for more data',
                        action = 'store_true', default = False)),
        # Accepted FILTER values, as listed in the help text:
        # SharedCacheMap, DataSectionObject, ImageSectionObject, HandleTable, VAD
        ("FILTER", dict(short_option = 'F', default = None,
                        help = 'Filters to apply (comma-separated). Possible values:\n\nSharedCacheMap,DataSectionObject,ImageSectionObject,HandleTable,VAD')),
    )
    for option_name, option_kwargs in option_rows:
        config.add_option(option_name, **option_kwargs)
示例13: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register the pool-search options TAG, MIN-SIZE, MAX-SIZE and PAGED.

    Args:
        config: volatility configuration object; options are added in place.
        *args, **kwargs: passed straight through to the base command constructor.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

    option_rows = (
        ('TAG', dict(short_option = 't',
                     help = 'Pool tag to find')),
        # Size bounds default to 0..4096 as stated in their help strings.
        ('MIN-SIZE', dict(short_option = 'm',
                          type = 'int',
                          help = 'Minimum size of the pool to find (default: 0)',
                          default = 0)),
        ('MAX-SIZE', dict(short_option = 'M',
                          type = 'int',
                          help = 'Maximum size of the pool to find (default: 4096)',
                          default = 4096)),
        ('PAGED', dict(short_option = 'P',
                       help = 'Search in paged pools (default: False)',
                       default = False, action = "store_true")),
    )
    for option_name, option_kwargs in option_rows:
        config.add_option(option_name, **option_kwargs)
示例14: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register the HIVE-OFFSET option and reset the registry API handle.

    Args:
        config: volatility configuration object; the option is added in place.
        *args, **kwargs: passed straight through to the base command constructor.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    # Registry helper, presumably created later by the plugin (not visible here).
    self.regapi = None
    hive_offset_option = dict(
        short_option = 'o',
        help = 'Hive offset (virtual)',
        type = 'int',
    )
    config.add_option('HIVE-OFFSET', **hive_offset_option)
示例15: __init__
# 需要导入模块: from volatility.plugins import common [as 别名]
# 或者: from volatility.plugins.common import AbstractWindowsCommand [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register the HIVE-OFFSET and DUMP-DIR options.

    Args:
        config: volatility configuration object; options are added in place.
        *args, **kwargs: passed straight through to the base command constructor.

    NOTE(review): files extracted under DUMP-DIR are named by code outside this
    method; if those names derive from the image they are untrusted and should be
    sanitised before being joined to the directory -- confirm against the dump routine.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

    option_rows = (
        ('HIVE-OFFSET', dict(short_option = 'o', default = None,
                             help = 'Hive offset (virtual)',
                             action = 'store', type = 'int')),
        # cache_invalidator=False: the output directory does not affect results.
        ('DUMP-DIR', dict(short_option = 'D', default = None,
                          cache_invalidator = False,
                          help = 'Directory in which to dump extracted files')),
    )
    for option_name, option_kwargs in option_rows:
        config.add_option(option_name, **option_kwargs)