This page collects typical usage examples of the Python method volatility.plugins.filescan.FileScan. If you are wondering how filescan.FileScan is used in practice, or want a concrete example of calling it, the selected code example below may help. You can also look further into the usage of the containing module, volatility.plugins.filescan.
One code example of the filescan.FileScan method is shown below.
Example 1: get_tasks
# Module required: from volatility.plugins import filescan [as alias]
# Or: from volatility.plugins.filescan import FileScan [as alias]
# Imports added so the snippet is self-contained; get_tasks is a method of a Volatility 2 plugin class.
import volatility.debug as debug
import volatility.utils as utils
from volatility.plugins import dumpfiles
from volatility.plugins import filescan

def get_tasks(self):
    debug.debug('Started get_tasks()')
    addr_space = utils.load_as(self._config)
    f = filescan.FileScan(self._config)
    tasks = []
    parsed_tasks = []
    try:
        # Pass 1: pool-scan for _FILE_OBJECTs whose path lies under system32\tasks\.
        # Microsoft's own scheduled tasks are skipped unless --verbose is set.
        for file_obj in f.calculate():
            filename = str(file_obj.file_name_with_device() or '')
            lowered = filename.lower()
            if "system32\\tasks\\" in lowered and ('system32\\tasks\\microsoft' not in lowered or self._config.VERBOSE):
                tasks.append((file_obj.obj_offset, filename))
                debug.debug("Found task: 0x{0:x} {1}".format(file_obj.obj_offset, filename))
        # Pass 2: run DumpFiles on each _FILE_OBJECT's physical offset to recover the cached task XML.
        for offset, name in tasks:
            self._config.PHYSOFFSET = '0x{:x}'.format(offset)
            df = dumpfiles.DumpFiles(self._config)
            self._config.DUMP_DIR = '.'
            for data in df.calculate():
                # Doing this with mmap would probably be cleaner:
                # create a sufficiently large (dynamically resizable?) memory map so that
                # we can seek and write the file accordingly. Not done because of:
                # SystemError: mmap: resizing not available--no mremap()
                chopped_file = {}
                for mdata in data['present']:
                    # mdata = (physical address, file offset, length) of a memory-resident range
                    rdata = addr_space.base.read(mdata[0], mdata[2])
                    chopped_file[mdata[1]] = rdata
                # Concatenate the resident fragments in file-offset order (gaps are not padded)
                task_xml = "".join(part[1] for part in sorted(chopped_file.items(), key=lambda x: x[0]))
                parsed = self.parse_task_xml(task_xml, name)
                if parsed:
                    args = parsed['Actions']['Exec'].get("Arguments", None)
                    if args:
                        parsed['Actions']['Exec']['Command'] += " {}".format(args)
                    pids = self.find_pids_for_imagepath(parsed['Actions']['Exec']['Command'])
                    parsed_tasks.append((name.split('\\')[-1], parsed, task_xml, pids))
    except Exception as e:
        debug.warning('get_tasks() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
    debug.debug('Finished get_tasks()')
    return parsed_tasks
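The example above joins the DumpFiles fragments back to back, so a page that was not resident in memory silently shifts everything after it. The following added example (not from the plugin above or from Volatility) reassembles (physical_offset, file_offset, length) triples at their real file offsets, zero-filling the holes and reporting them so the analyst knows which parts of the task XML were not recovered; FakeAddressSpace is a constructed stand-in for addr_space.base with the same read(offset, length) shape.

```python
from typing import Dict, Iterable, List, Tuple

Fragment = Tuple[int, int, int]  # (physical_offset, file_offset, length), as in data['present']


class FakeAddressSpace:
    """Constructed stand-in for a Volatility base address space: a flat byte image."""

    def __init__(self, image: bytes):
        self._image = image

    def read(self, offset: int, length: int):
        if offset < 0 or offset + length > len(self._image):
            return None  # Volatility's read() returns None when the range is unavailable
        return self._image[offset:offset + length]


def reassemble_fragments(addr_space, fragments: Iterable[Fragment], filler: bytes = b"\x00") -> bytes:
    """Place each resident fragment at its file offset; holes are padded with `filler`.

    Fragments are applied in ascending file-offset order, so an overlapping later
    fragment overwrites the earlier bytes it covers.
    """
    pieces: Dict[int, bytes] = {}
    for phys, file_off, length in fragments:
        data = addr_space.read(phys, length)
        if data is None:
            continue  # page not in the memory image: leave the hole for padding
        pieces[file_off] = data
    out = bytearray()
    for file_off in sorted(pieces):
        data = pieces[file_off]
        if file_off > len(out):
            out.extend(filler * (file_off - len(out)))
        out[file_off:file_off + len(data)] = data
    return bytes(out)


def missing_ranges(fragments: Iterable[Fragment]) -> List[Tuple[int, int]]:
    """Return [start, end) file ranges that no fragment covers, up to the last fragment."""
    covered = sorted((f[1], f[1] + f[2]) for f in fragments)
    gaps, cursor = [], 0
    for start, end in covered:
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    return gaps
```

On real DumpFiles output, pass addr_space.base and data['present'] directly; the zero bytes in the result mark exactly the ranges returned by missing_ranges, so the XML parser's failure on a padded task file can be attributed to paging rather than tampering.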