当前位置: 首页>>代码示例>>Python>>正文


Python filescan.PSScan方法代码示例

本文整理汇总了Python中volatility.plugins.filescan.PSScan方法的典型用法代码示例。如果您正苦于以下问题:Python filescan.PSScan方法的具体用法?Python filescan.PSScan怎么用?Python filescan.PSScan使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在volatility.plugins.filescan的用法示例。


在下文中一共展示了filescan.PSScan方法的8个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: __init__

# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        config.add_option('STRING-FILE', short_option = 's', default = None,
                          help = 'File output in strings format (offset:string)',
                          action = 'store', type = 'str')
        config.add_option("SCAN", short_option = 'S', default = False,
                          action = 'store_true', help = 'Use PSScan if no offset is provided')
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = 'EPROCESS offset (in hex) in the physical address space',
                          action = 'store', type = 'int')
        config.add_option('PID', short_option = 'p', default = None,
                          help = 'Operate on these Process IDs (comma-separated)',
                          action = 'store', type = 'str')
        config.add_option('LOOKUP-PID', short_option = 'L', default = False,
                          action = 'store_true', help = 'Lookup the ImageFileName of PIDs') 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:18,代码来源:strings.py

示例2: get_processes

# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def get_processes(self, addr_space):
        """Enumerate processes based on user options.

        :param      addr_space | <addrspace.AbstractVirtualAddressSpace>

        :returns    <list> 
        """

        bounce_back = taskmods.DllList.virtual_process_from_physical_offset
        if self._config.OFFSET != None:
            tasks = [bounce_back(addr_space, self._config.OFFSET)]
        elif self._config.SCAN:
            procs = list(filescan.PSScan(self._config).calculate())
            tasks = []
            for task in procs:
                tasks.append(bounce_back(addr_space, task.obj_offset))
        else:
            tasks = win32.tasks.pslist(addr_space)

        try:
            if self._config.PID is not None:
                pidlist = [int(p) for p in self._config.PID.split(',')]
                tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
        except (ValueError, TypeError):
            debug.error("Invalid PID {0}".format(self._config.PID))

        return tasks 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:29,代码来源:strings.py

示例3: check_psscan

# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def check_psscan(self):
        """Enumerate processes with pool tag scanning"""
        return dict((PsXview.get_file_offset(p), p)
                    for p in filescan.PSScan(self._config).calculate()) 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:6,代码来源:psxview.py

示例4: calculate

# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def calculate(self):
        addr_space = utils.load_as(self._config)

        tasklist = []
        modslist = []

        if self._config.SCAN:
            if not self._config.KERNEL_ONLY:
                for t in filescan.PSScan(self._config).calculate():
                    v = self.virtual_process_from_physical_offset(addr_space, t.obj_offset)
                    if v:
                        tasklist.append(v)
            if not self._config.PROCESS_ONLY:
                modslist = [m for m in modscan.ModScan(self._config).calculate()]
        else:
            if not self._config.KERNEL_ONLY:
                tasklist = [t for t in tasks.pslist(addr_space)]
            if not self._config.PROCESS_ONLY:
                modslist = [m for m in modules.lsmod(addr_space)]

        for task in tasklist:
            for mod in task.get_load_modules():
                yield task, mod

        for mod in modslist:
            yield None, mod 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:28,代码来源:enumfunc.py

示例5: calculate

# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def calculate(self):
        eproc = {}
        found = {}
        cmdline = {}
        pathname = {}
              
        # Brute force search for eproc blocks in pool memory
        address_space = utils.load_as(self._config)
        for eprocess in filescan.PSScan(self._config).calculate():
            eproc[eprocess.obj_offset] = eprocess
            found[eprocess.obj_offset] = 1
        
        # Walking the active process list.
        # Remove any tasks we find here from the brute force search if the --short option is set.
        # Anything left is something which was hidden/terminated/of interest.
        address_space = utils.load_as(self._config)
        for task in tasks.pslist(address_space):
            phys = address_space.vtop(task.obj_offset)
            if phys in eproc:
                if self._config.SHORT :
                    del eproc[phys]
                    del found[phys] 
                else:
                    found[phys] = 0                
                    
        # Grab command line and parameters            
            peb = task.Peb
            if peb:
                cmdline[phys] = peb.ProcessParameters.CommandLine
                pathname[phys] = peb.ProcessParameters.ImagePathName
                    
        ret = [eproc, found, cmdline, pathname]

        return ret 
开发者ID:teamdfir,项目名称:sift-saltstack,代码行数:36,代码来源:pstotal.py

示例6: __init__

# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def __init__(self, config, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        config.add_option('STRING-FILE', short_option = 's', default = None,
                          help = 'File output in strings format (offset:string)',
                          action = 'store', type = 'str')
        config.add_option("SCAN", short_option = 'S', default = False,
                          action = 'store_true', help = 'Use PSScan if no offset is provided')
        config.add_option('OFFSET', short_option = 'o', default = None,
                          help = 'EPROCESS offset (in hex) in the physical address space',
                          action = 'store', type = 'int')
        config.add_option('PID', short_option = 'p', default = None,
                          help = 'Operate on these Process IDs (comma-separated)',
                          action = 'store', type = 'str') 
开发者ID:vortessence,项目名称:vortessence,代码行数:16,代码来源:strings.py

示例7: check_psscan

# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def check_psscan(self):
        """Enumerate processes with pool tag scanning"""
        return dict((p.obj_offset, p)
                    for p in filescan.PSScan(self._config).calculate()) 
开发者ID:vortessence,项目名称:vortessence,代码行数:6,代码来源:psxview.py

示例8: _get_dtb

# 需要导入模块: from volatility.plugins import filescan [as 别名]
# 或者: from volatility.plugins.filescan import PSScan [as 别名]
def _get_dtb(self):
        """Use psscan to get system dtb and apply it."""
        ps = filescan.PSScan(self.config)
        for ep in ps.calculate():
            if str(ep.ImageFileName) == "System":
                 self.config.update("dtb",ep.Pcb.DirectoryTableBase)
                 return True
        return False 
开发者ID:davidoren,项目名称:CuckooSploit,代码行数:10,代码来源:memory.py


注:本文中的volatility.plugins.filescan.PSScan方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。