本文整理汇总了Python中volatility.plugins.filescan.PSScan方法的典型用法代码示例。如果您正苦于以下问题:Python filescan.PSScan方法的具体用法?Python filescan.PSScan怎么用?Python filescan.PSScan使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类volatility.plugins.filescan
的用法示例。
在下文中一共展示了filescan.PSScan方法的8个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: __init__
# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register this plugin's command-line options on *config*.

    The base Windows command is initialised first so its shared options
    exist before ours.  Options are then added in a fixed order:
    STRING-FILE/-s, SCAN/-S, OFFSET/-o, PID/-p, LOOKUP-PID/-L.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    # (long name, short flag, remaining keyword arguments), registered in order.
    option_specs = (
        ('STRING-FILE', 's', dict(default=None,
                                  help='File output in strings format (offset:string)',
                                  action='store', type='str')),
        ("SCAN", 'S', dict(default=False, action='store_true',
                           help='Use PSScan if no offset is provided')),
        ('OFFSET', 'o', dict(default=None,
                             help='EPROCESS offset (in hex) in the physical address space',
                             action='store', type='int')),
        ('PID', 'p', dict(default=None,
                          help='Operate on these Process IDs (comma-separated)',
                          action='store', type='str')),
        ('LOOKUP-PID', 'L', dict(default=False, action='store_true',
                                 help='Lookup the ImageFileName of PIDs')),
    )
    for long_name, short_flag, extra in option_specs:
        config.add_option(long_name, short_option=short_flag, **extra)
示例2: get_processes
# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
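def get_processes(self, addr_space):
    """Enumerate processes based on user options.

    Selection, in priority order:
      * OFFSET  - one _EPROCESS at that physical offset, bounced back into
                  the kernel virtual address space;
      * SCAN    - every _EPROCESS that pool-tag scanning (PSScan) finds,
                  each bounced back the same way;
      * default - the active-process linked list (win32.tasks.pslist).
    When PID is set the result is restricted to those PIDs.

    :param addr_space | <addrspace.AbstractVirtualAddressSpace>
    :returns <list>
    debug.error is raised when PID is not a comma-separated list of ints.
    """
    bounce_back = taskmods.DllList.virtual_process_from_physical_offset
    if self._config.OFFSET is not None:
        # A user-supplied offset is passed through as-is so that a bad
        # offset surfaces to the caller instead of silently vanishing.
        tasks = [bounce_back(addr_space, self._config.OFFSET)]
    elif self._config.SCAN:
        tasks = []
        for hit in filescan.PSScan(self._config).calculate():
            task = bounce_back(addr_space, hit.obj_offset)
            if not task:
                # The bounce-back can fail (terminated process, unlinked
                # thread list, forged pool block).  Don't hand an unusable
                # object downstream, but don't drop the hit silently either:
                # a scan hit that cannot be mapped deserves a look.
                debug.warning("PSScan hit at physical offset {0:#x} could not be "
                              "mapped to a virtual _EPROCESS; skipping".format(hit.obj_offset))
                continue
            tasks.append(task)
    else:
        tasks = win32.tasks.pslist(addr_space)
    try:
        if self._config.PID is not None:
            pidlist = [int(p) for p in self._config.PID.split(',')]
            tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
    except (ValueError, TypeError):
        debug.error("Invalid PID {0}".format(self._config.PID))
    return tasks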
示例3: check_psscan
# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def check_psscan(self):
    """Enumerate processes with pool tag scanning.

    Returns a dict keyed by PsXview.get_file_offset(process) for every
    _EPROCESS PSScan reports, so the set of keys can be compared against
    the other process-enumeration sources.  On duplicate keys the later
    hit wins.
    """
    by_offset = {}
    for proc in filescan.PSScan(self._config).calculate():
        by_offset[PsXview.get_file_offset(proc)] = proc
    return by_offset
示例4: calculate
# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def calculate(self):
    """Yield (task, module) pairs for process DLLs, then (None, module) for kernel modules.

    With SCAN set, processes come from PSScan and kernel modules from
    ModScan (pool-tag scanning); otherwise from the linked lists
    (tasks.pslist / modules.lsmod).  KERNEL_ONLY suppresses the process
    side, PROCESS_ONLY the kernel side.
    NOTE(review): a scan hit whose bounce-back to a virtual _EPROCESS fails
    is dropped without any message.
    """
    addr_space = utils.load_as(self._config)
    want_procs = not self._config.KERNEL_ONLY
    want_kernel = not self._config.PROCESS_ONLY
    procs, kmods = [], []
    if self._config.SCAN:
        if want_procs:
            bounced = (self.virtual_process_from_physical_offset(addr_space, hit.obj_offset)
                       for hit in filescan.PSScan(self._config).calculate())
            procs = [p for p in bounced if p]
        if want_kernel:
            kmods = list(modscan.ModScan(self._config).calculate())
    else:
        if want_procs:
            procs = list(tasks.pslist(addr_space))
        if want_kernel:
            kmods = list(modules.lsmod(addr_space))
    for proc in procs:
        for dll in proc.get_load_modules():
            yield proc, dll
    for kmod in kmods:
        yield None, kmod
示例5: calculate
# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
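def calculate(self):
    """Cross-reference pool-scanned _EPROCESS blocks with the active process list.

    Returns ``[eproc, found, cmdline, pathname]``, all keyed by the
    *physical* offset of the _EPROCESS:
      eproc    - offset -> _EPROCESS found by PSScan
      found    - 1 if only the scanner saw it, 0 if pslist saw it too
      cmdline  - PEB ProcessParameters.CommandLine  (pslist hits only)
      pathname - PEB ProcessParameters.ImagePathName (pslist hits only)
    With --short, entries that pslist also saw are removed from eproc and
    found, so whatever remains is hidden, terminated or otherwise unlinked.
    """
    eproc = {}
    found = {}
    cmdline = {}
    pathname = {}
    # One address space is enough; the original loaded it twice and never
    # used the first instance.
    address_space = utils.load_as(self._config)
    # Brute force search for _EPROCESS blocks in pool memory.
    for eprocess in filescan.PSScan(self._config).calculate():
        eproc[eprocess.obj_offset] = eprocess
        found[eprocess.obj_offset] = 1
    # Walk the active process list and reconcile it against the scan.
    for task in tasks.pslist(address_space):
        phys = address_space.vtop(task.obj_offset)
        if phys is None:
            # Untranslatable _EPROCESS: nothing to reconcile, and recording
            # its PEB data under key None would only pollute the result.
            continue
        if phys in eproc:
            if self._config.SHORT:
                del eproc[phys]
                del found[phys]
            else:
                found[phys] = 0
        # Grab command line and image path from the PEB when it is mapped.
        peb = task.Peb
        if peb:
            cmdline[phys] = peb.ProcessParameters.CommandLine
            pathname[phys] = peb.ProcessParameters.ImagePathName
    return [eproc, found, cmdline, pathname]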
示例6: __init__
# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register this plugin's command-line options on *config*.

    Base-class initialisation runs first so the shared Windows options
    exist; then STRING-FILE/-s, SCAN/-S, OFFSET/-o and PID/-p are added,
    in that order.
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    add = config.add_option
    add('STRING-FILE', short_option='s', default=None, action='store', type='str',
        help='File output in strings format (offset:string)')
    add("SCAN", short_option='S', default=False, action='store_true',
        help='Use PSScan if no offset is provided')
    add('OFFSET', short_option='o', default=None, action='store', type='int',
        help='EPROCESS offset (in hex) in the physical address space')
    add('PID', short_option='p', default=None, action='store', type='str',
        help='Operate on these Process IDs (comma-separated)')
示例7: check_psscan
# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def check_psscan(self):
    """Enumerate processes with pool tag scanning.

    Returns a dict mapping each scanned _EPROCESS's physical offset
    (obj_offset) to the object, for set-style comparison with the other
    enumeration sources.  A repeated offset keeps the later hit.
    """
    hits = list(filescan.PSScan(self._config).calculate())
    return dict(zip([hit.obj_offset for hit in hits], hits))
示例8: _get_dtb
# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def _get_dtb(self):
    """Locate the kernel DTB via the "System" process found by PSScan and apply it.

    Walks the pool-tag scanner's _EPROCESS hits; on the first whose
    ImageFileName is "System", stores its Pcb.DirectoryTableBase into the
    config as ``dtb`` and returns True.  Returns False when no hit matches.

    NOTE(review): PSScan returns every pool block that looks like an
    _EPROCESS, including stale/terminated ones and anything an attacker
    planted; the first hit named "System" is trusted without checking that
    the DTB is non-zero or that the process is the real System process
    (e.g. PID 4 on current Windows).  Treat the resulting DTB as untrusted
    until another source agrees (e.g. KDBG or a known kernel virtual
    address translating correctly).
    """
    scanner = filescan.PSScan(self.config)
    system_hit = next((ep for ep in scanner.calculate()
                       if str(ep.ImageFileName) == "System"), None)
    if system_hit is None:
        return False
    self.config.update("dtb", system_hit.Pcb.DirectoryTableBase)
    return True