本文整理汇总了Python中volatility.plugins.malware.malfind.Disassemble函数的典型用法代码示例。如果您正苦于以下问题:Python malfind.Disassemble函数的具体用法?Python malfind.Disassemble怎么用?Python malfind.Disassemble使用的例子?那么恭喜您, 这里精选的代码示例或许可以为您提供帮助。您也可以进一步了解该函数所在模块volatility.plugins.malware.malfind的用法示例。注意:下面的示例均为Volatility 2.x(Python 2)插件的渲染方法;Disassemble的bits参数需要与被分析进程的位数一致,否则64位代码会被按x86解码。
在下文中一共展示了malfind.Disassemble方法的12个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: render_text
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import Disassemble [as 别名]
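def render_text(self, outfd, data):
    """Print every suspicious memory mapping of each task, followed by a
    hexdump and a disassembly of the first 64 bytes of the mapping.

    Args:
        outfd: writable text stream the report is written to.
        data: iterable of task objects; each must provide
            get_process_address_space(), get_proc_maps(), p_comm, p_pid and
            task.map.pmap.pm_task_map (used to choose the decode width).
    """
    for task in data:
        proc_as = task.get_process_address_space()
        # pm_task_map reads like "TASK_MAP_64BIT"; the first nine characters
        # are the fixed prefix. The `or ''` guard keeps a missing member on
        # the 32bit path instead of raising.
        task_map = str(task.task.map.pmap.pm_task_map or '')[9:]
        bits = '64bit' if task_map == "64BIT" else '32bit'
        # `proc_map` was named `map`, which shadowed the builtin.
        for proc_map in task.get_proc_maps():
            if not proc_map.is_suspicious():
                continue
            fname = proc_map.get_path()
            prots = proc_map.get_perms()
            # NOTE(review): zread is the zero-padding read, so an all-zero
            # hexdump/disassembly below most likely means the page was not
            # resident in the image rather than genuinely empty.
            content = proc_as.zread(proc_map.start, 64)
            outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
                task.p_comm, task.p_pid, proc_map.start, fname))
            outfd.write("Protection: {0}\n".format(prots))
            outfd.write("\n")
            hexdump_rows = [
                "{0:#010x} {1:<48} {2}".format(proc_map.start + off, hexbytes, ''.join(chars))
                for off, hexbytes, chars in utils.Hexdump(content)
            ]
            outfd.write("{0}\n".format("\n".join(hexdump_rows)))
            outfd.write("\n")
            disasm_rows = [
                "{0:#x} {1:<16} {2}".format(addr, hexbytes, insn)
                for addr, insn, hexbytes in malfind.Disassemble(content, proc_map.start, bits = bits)
            ]
            outfd.write("\n".join(disasm_rows))
            outfd.write("\n\n")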
示例2: render_text
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import Disassemble [as 别名]
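def render_text(self, outfd, data):
    """Write one block per detected hook: mode, type, owning process (when
    there is one), the victim module's address range, the hooked function,
    the hooking module and a disassembly of every recorded hop.

    Args:
        outfd: writable text stream.
        data: iterable of (process, module, hook) triples. `process` may be
            falsy (no process line is printed then). `hook.disassembled_hops`
            is a sequence of (address, bytes) pairs; `hook.decode_bits` is a
            distorm3 decode width.
    """
    for process, module, hook in data:
        outfd.write("*" * 72 + "\n")
        outfd.write("Hook mode: {0}\n".format(hook.Mode))
        outfd.write("Hook type: {0}\n".format(hook.Type))
        if process:
            outfd.write('Process: {0} ({1})\n'.format(
                process.UniqueProcessId, process.ImageFileName))
        # Prefer the short DLL name; fall back to the basename of the full path.
        victim_name = (str(module.BaseDllName or '')
                       or ntpath.basename(str(module.FullDllName or '')))
        outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
            victim_name, module.DllBase, module.DllBase + module.SizeOfImage))
        outfd.write("Function: {0}\n".format(hook.Detail))
        outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
        outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))
        # Decode width is a property of the hook, not of the hop; pick it once.
        bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit"
        # The hop bytes were previously bound to `data`, which shadowed the
        # iterable this method is walking.
        for hop_index, (address, hop_bytes) in enumerate(hook.disassembled_hops):
            rows = [
                "{0:#x} {1:<16} {2}".format(addr, hexbytes, insn)
                for addr, insn, hexbytes in
                malfind.Disassemble(hop_bytes, int(address), bits = bits)
            ]
            outfd.write("Disassembly({0}):\n{1}".format(hop_index, "\n".join(rows)))
            outfd.write("\n\n")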
示例3: render_text
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import Disassemble [as 别名]
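def render_text(self, outfd, data):
    """Render the IDT as a table (CPU, index, selector, handler address,
    owning module, section); with --verbose, also disassemble the first 32
    bytes of each handler, stopping at the first RET.

    Fix: unused entries (addr == 0) were previously read and "disassembled"
    as well, which only prints 32 bytes of zero-page noise; they are now
    skipped in verbose mode.

    Args:
        outfd: writable text stream.
        data: iterable of (index, entry, addr, module) tuples; `module` is
            falsy when the handler does not fall inside a known module.
    """
    self.table_header(outfd, [('CPU', '>6X'),
                              ('Index', '>6X'),
                              ('Selector', '[addr]'),
                              ('Value', '[addrpad]'),
                              ('Module', '20'),
                              ('Section', '12'),
                              ])
    for index, entry, addr, module in data:
        if addr == 0:
            module_name = "NOT USED"
            sect_name = ''
        elif module:
            module_name = str(module.BaseDllName or '')
            sect_name = self.get_section_name(module, addr)
        else:
            # NOTE(review): a handler outside every known module is what an
            # IDT hook typically looks like; these rows deserve a closer look.
            module_name = "UNKNOWN"
            sect_name = ''
        # The parent is IDT. The grand-parent is _KPCR.
        cpu_number = entry.obj_parent.obj_parent.ProcessorBlock.Number
        self.table_row(outfd,
                       cpu_number, index,
                       entry.Selector,
                       addr,
                       module_name,
                       sect_name)
        if self._config.verbose and addr != 0:
            # `code` was named `data`, shadowing the method parameter.
            code = entry.obj_vm.zread(addr, 32)
            outfd.write("\n".join(
                ["{0:#x} {1:<16} {2}".format(off, hexbytes, insn)
                 for off, insn, hexbytes in malfind.Disassemble(data = code, start = addr, stoponret = True)
                 ]))
            outfd.write("\n")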
示例4: render_text
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import Disassemble [as 别名]
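def render_text(self, outfd, data):
    """Print each suspicious VMA of every task (skipping [vdso]) with a
    hexdump and a disassembly of its first 64 bytes.

    Fix: the disassembler was called without a `bits` argument, so 64-bit
    samples were decoded in the default 32-bit mode. The decode width is now
    taken from the profile's memory_model, as the other Linux/driver
    examples in this listing do.

    Args:
        outfd: writable text stream.
        data: iterable of task objects exposing get_process_address_space(),
            get_proc_maps(), comm and pid; each VMA exposes is_suspicious(),
            vm_name(task), protection(), flags() and vm_start.
    """
    # Profile metadata decides the decode width for every task in the image.
    bits = utils.load_as(self._config).profile.metadata.get('memory_model', '32bit')
    for task in data:
        proc_as = task.get_process_address_space()
        for vma in task.get_proc_maps():
            if not vma.is_suspicious():
                continue
            fname = vma.vm_name(task)
            if fname == "[vdso]":
                # The vDSO is kernel-provided executable memory; not a finding.
                continue
            prots = vma.protection()
            flags = vma.flags()
            # NOTE(review): zread zero-pads non-resident pages, so all-zero
            # output here usually means "not in the image", not "empty".
            content = proc_as.zread(vma.vm_start, 64)
            outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
                task.comm, task.pid, vma.vm_start, fname))
            outfd.write("Protection: {0}\n".format(prots))
            outfd.write("Flags: {0}\n".format(str(flags)))
            outfd.write("\n")
            hexdump_rows = [
                "{0:#010x} {1:<48} {2}".format(vma.vm_start + off, hexbytes, ''.join(chars))
                for off, hexbytes, chars in utils.Hexdump(content)
            ]
            outfd.write("{0}\n".format("\n".join(hexdump_rows)))
            outfd.write("\n")
            disasm_rows = [
                "{0:#x} {1:<16} {2}".format(addr, hexbytes, insn)
                for addr, insn, hexbytes in malfind.Disassemble(content, vma.vm_start, bits = bits)
            ]
            outfd.write("\n".join(disasm_rows))
            outfd.write("\n\n")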
示例5: render_text
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import Disassemble [as 别名]
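def render_text(self, outfd, data):
    """Report each suspicious mapping of every task with a hexdump and a
    disassembly of its first 64 bytes.

    Fix: the disassembler always ran in its default 32-bit mode, so 64-bit
    tasks were decoded as x86. The decode width is now derived from the
    task's pmap (pm_task_map), mirroring the check used by the other Mac
    render_text in this listing.

    Args:
        outfd: writable text stream.
        data: iterable of task objects exposing get_process_address_space(),
            get_proc_maps(), p_comm, p_pid and task.map.pmap.pm_task_map.
    """
    for task in data:
        proc_as = task.get_process_address_space()
        # pm_task_map reads like "TASK_MAP_64BIT"; drop the nine-character
        # prefix. The `or ''` guard keeps a missing member on the 32bit path.
        task_map = str(task.task.map.pmap.pm_task_map or '')[9:]
        bits = '64bit' if task_map == "64BIT" else '32bit'
        # `proc_map` was named `map`, which shadowed the builtin.
        for proc_map in task.get_proc_maps():
            if not proc_map.is_suspicious():
                continue
            fname = proc_map.get_path()
            prots = proc_map.get_perms()
            # NOTE(review): zread zero-pads non-resident pages; all-zero
            # output here usually means "not in the image", not "empty".
            content = proc_as.zread(proc_map.start, 64)
            outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
                task.p_comm, task.p_pid, proc_map.start, fname))
            outfd.write("Protection: {0}\n".format(prots))
            outfd.write("\n")
            hexdump_rows = [
                "{0:#010x} {1:<48} {2}".format(proc_map.start + off, hexbytes, ''.join(chars))
                for off, hexbytes, chars in utils.Hexdump(content)
            ]
            outfd.write("{0}\n".format("\n".join(hexdump_rows)))
            outfd.write("\n")
            disasm_rows = [
                "{0:#x} {1:<16} {2}".format(addr, hexbytes, insn)
                for addr, insn, hexbytes in malfind.Disassemble(content, proc_map.start, bits = bits)
            ]
            outfd.write("\n".join(disasm_rows))
            outfd.write("\n\n")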
示例6: render_text
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import Disassemble [as 别名]
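def render_text(self, outfd, data):
    """Report each mapping that self._is_suspicious() flags, with a hexdump
    and a disassembly of its first 64 bytes.

    Fix: the disassembler always ran in its default 32-bit mode, so 64-bit
    tasks were decoded as x86. The decode width is now derived from the
    task's pmap (pm_task_map), mirroring the check used by the other Mac
    render_text in this listing.

    Args:
        outfd: writable text stream.
        data: iterable of task objects exposing get_process_address_space(),
            get_proc_maps(), p_comm, p_pid and task.map.pmap.pm_task_map.
    """
    for task in data:
        proc_as = task.get_process_address_space()
        # pm_task_map reads like "TASK_MAP_64BIT"; drop the nine-character
        # prefix. The `or ''` guard keeps a missing member on the 32bit path.
        task_map = str(task.task.map.pmap.pm_task_map or '')[9:]
        bits = '64bit' if task_map == "64BIT" else '32bit'
        # `proc_map` was named `map`, which shadowed the builtin.
        for proc_map in task.get_proc_maps():
            if not self._is_suspicious(proc_map):
                continue
            fname = proc_map.get_path()
            prots = proc_map.get_perms()
            # NOTE(review): zread zero-pads non-resident pages; all-zero
            # output here usually means "not in the image", not "empty".
            content = proc_as.zread(proc_map.start, 64)
            outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
                task.p_comm, task.p_pid, proc_map.start, fname))
            outfd.write("Protection: {0}\n".format(prots))
            outfd.write("\n")
            hexdump_rows = [
                "{0:#010x} {1:<48} {2}".format(proc_map.start + off, hexbytes, ''.join(chars))
                for off, hexbytes, chars in utils.Hexdump(content)
            ]
            outfd.write("{0}\n".format("\n".join(hexdump_rows)))
            outfd.write("\n")
            disasm_rows = [
                "{0:#x} {1:<16} {2}".format(addr, hexbytes, insn)
                for addr, insn, hexbytes in malfind.Disassemble(content, proc_map.start, bits = bits)
            ]
            outfd.write("\n".join(disasm_rows))
            outfd.write("\n\n")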
示例7: render_text
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import Disassemble [as 别名]
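def render_text(self, outfd, data):
    """Render the IDT as a table (CPU, index, selector, handler address,
    owning module, section); with --verbose, also disassemble the first 32
    bytes of each handler, stopping at the first RET.

    Fix: entries whose handler address is 0 were labelled "UNKNOWN" and, in
    verbose mode, read and disassembled. They are now reported as
    "NOT USED" and skipped for disassembly, consistent with the other IDT
    render_text in this listing.

    Args:
        outfd: writable text stream.
        data: iterable of (index, entry, addr, module) tuples; `module` is
            falsy when the handler does not fall inside a known module.
    """
    self.table_header(outfd, [('CPU', '>6X'),
                              ('Index', '>6X'),
                              ('Selector', '[addr]'),
                              ('Value', '[addrpad]'),
                              ('Module', '20'),
                              ('Section', '12'),
                              ])
    for index, entry, addr, module in data:
        if addr == 0:
            module_name = "NOT USED"
            sect_name = ''
        elif module:
            module_name = str(module.BaseDllName or '')
            sect_name = self.get_section_name(module, addr)
        else:
            # NOTE(review): a handler outside every known module is what an
            # IDT hook typically looks like; these rows deserve a closer look.
            module_name = "UNKNOWN"
            sect_name = ''
        # The parent is IDT. The grand-parent is _KPCR.
        cpu_number = entry.obj_parent.obj_parent.ProcessorBlock.Number
        self.table_row(outfd,
                       cpu_number, index,
                       entry.Selector,
                       addr,
                       module_name,
                       sect_name)
        if self._config.verbose and addr != 0:
            # `code` was named `data`, shadowing the method parameter.
            code = entry.obj_vm.zread(addr, 32)
            outfd.write("\n".join(
                ["{0:#x} {1:<16} {2}".format(off, hexbytes, insn)
                 for off, insn, hexbytes in malfind.Disassemble(data = code, start = addr, stoponret = True)
                 ]))
            outfd.write("\n")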
示例8: render_text
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import Disassemble [as 别名]
def render_text(self, outfd, data):
    """Print each suspicious VMA of every task (skipping [vdso]) with a
    hexdump and a disassembly of its first 64 bytes, decoded according to
    the profile's memory model.

    Args:
        outfd: writable text stream.
        data: iterable of task objects exposing get_process_address_space(),
            get_proc_maps(), comm and pid; each VMA exposes is_suspicious(),
            vm_name(task), protection(), flags() and vm_start.
    """
    linux_common.set_plugin_members(self)
    # Anything other than an explicit 32bit profile is decoded as 64-bit.
    memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')
    bits = '32bit' if memory_model == '32bit' else '64bit'
    for task in data:
        proc_as = task.get_process_address_space()
        for vma in task.get_proc_maps():
            if not vma.is_suspicious():
                continue
            fname = vma.vm_name(task)
            if fname == "[vdso]":
                # Kernel-provided executable page; never a finding.
                continue
            prots = vma.protection()
            flags = vma.flags()
            content = proc_as.zread(vma.vm_start, 64)
            outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
                task.comm, task.pid, vma.vm_start, fname))
            outfd.write("Protection: {0}\n".format(prots))
            outfd.write("Flags: {0}\n".format(str(flags)))
            outfd.write("\n")
            dump_rows = []
            for off, hexbytes, chars in utils.Hexdump(content):
                dump_rows.append("{0:#016x} {1:<48} {2}".format(
                    vma.vm_start + off, hexbytes, ''.join(chars)))
            outfd.write("{0}\n".format("\n".join(dump_rows)))
            outfd.write("\n")
            disasm_rows = []
            for addr, insn, hexbytes in malfind.Disassemble(content, vma.vm_start, bits = bits):
                disasm_rows.append("{0:#x} {1:<16} {2}".format(addr, hexbytes, insn))
            outfd.write("\n".join(disasm_rows))
            outfd.write("\n\n")
示例9: render_text
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import Disassemble [as 别名]
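def render_text(self, outfd, data):
    """Print each driver object's IRP major-function table, attributing every
    dispatch routine to the loaded module that contains it; with --verbose,
    disassemble the first 64 bytes of each routine up to the first RET.

    Fixes:
      * the regex filter tested `driver_name` twice; one test is equivalent.
      * `function` was re-read from driver.MajorFunction[i] right after
        enumerate() had already yielded it.
      * the disassembly comprehension reused the loop index name `i` and
        the method parameter name `data`; under Python 2 comprehension
        variables leak into the enclosing scope, so both are renamed.

    Args:
        outfd: writable text stream.
        data: iterable of driver objects exposing get_object_header(),
            DriverStart, DriverSize, DriverStartIo and MajorFunction.
    """
    addr_space = utils.load_as(self._config)
    # Compile the regular expression for filtering by driver name
    if self._config.regex is not None:
        mod_re = re.compile(self._config.regex, re.I)
    else:
        mod_re = None
    # Masked base address -> module, plus a sorted key list for find_module().
    mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
    mod_addrs = sorted(mods.keys())
    bits = addr_space.profile.metadata.get('memory_model', '32bit')
    self.table_header(None, [('i', ">4"),
                             ('Funcs', "36"),
                             ('addr', '[addrpad]'),
                             ('name', '')
                             ])
    for driver in data:
        header = driver.get_object_header()
        driver_name = str(header.NameInfo.Name or '')
        # Continue if a regex was supplied and it doesn't match
        if mod_re is not None and not mod_re.search(driver_name):
            continue
        # Write the standard header for each driver object
        outfd.write("{0}\n".format("-" * 50))
        outfd.write("DriverName: {0}\n".format(driver_name))
        outfd.write("DriverStart: {0:#x}\n".format(driver.DriverStart))
        outfd.write("DriverSize: {0:#x}\n".format(driver.DriverSize))
        outfd.write("DriverStartIo: {0:#x}\n".format(driver.DriverStartIo))
        # Write the address and owner of each IRP function
        for index, function in enumerate(driver.MajorFunction):
            module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
            if module:
                module_name = str(module.BaseDllName or '')
            else:
                # NOTE(review): a dispatch routine outside every loaded module
                # is the usual shape of an IRP hook; worth a closer look.
                module_name = "Unknown"
            # This is where we check for inline hooks once the
            # ApiHooks plugin is ported to 2.1.
            self.table_row(outfd, index, MAJOR_FUNCTIONS[index], function, module_name)
            if self._config.verbose:
                code = addr_space.zread(function, 64)
                outfd.write("\n".join(
                    ["{0:#x} {1:<16} {2}".format(off, hexbytes, insn)
                     for off, insn, hexbytes in malfind.Disassemble(data = code,
                                                                    start = function, bits = bits, stoponret = True)
                     ]))
                outfd.write("\n")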
示例10: render_text
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import Disassemble [as 别名]
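def render_text(self, outfd, data):
    """Write one block per detected hook (type, process and its WoW64 state,
    victim module range, hooked function, hook address, hooking module's VAD
    base and name, disassembly of every hop) and, when --dump-dir is given,
    dump the PE at the hooking module's VAD base to that directory.

    Fixes:
      * `hook_mod_size` was computed from the VAD end and never used.
      * `{0:#x}`.format() raised TypeError when the VAD base lookup
        returned None (the code already anticipated None from the matching
        end lookup); the base line now prints "unknown" and the dump is
        skipped in that case.
      * the hop bytes were bound to `data`, shadowing the method parameter.

    Args:
        outfd: writable text stream.
        data: iterable of (process, module, hook) triples; `process` is
            always used here (no kernel-mode hooks expected).

    Security note: the file written by dump_pe is the hooking module, i.e.
    very likely malicious code. Treat DUMP_DIR as a malware quarantine
    directory; never execute or open the dumps on the analysis host.
    """
    for process, module, hook in data:
        outfd.write("*" * 72 + "\n")
        outfd.write("Hook type: {0}\n".format(hook.Type))
        is_wow64 = process.IsWow64
        outfd.write('Process: {0} ({1}) ({2})\n'.format(
            process.UniqueProcessId, process.ImageFileName, "Wow64" if is_wow64 else "bitness as the image"))
        victim_name = (str(module.BaseDllName or '')
                       or ntpath.basename(str(module.FullDllName or '')))
        outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
            victim_name, module.DllBase, module.DllBase + module.SizeOfImage))
        outfd.write("Function: {0}\n".format(hook.Detail))
        outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
        # NOTE(review): the VAD lookups appear to return None when the
        # address is not covered by a VAD (the original guarded the end
        # lookup); guard the base the same way.
        hook_mod_base = vad_ck().get_vad_base(process, hook.hook_address)
        if hook_mod_base is None:
            outfd.write("Hooking module base: unknown\n\n")
        else:
            outfd.write("Hooking module base: {0:#x}\n\n".format(hook_mod_base))
        outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))
        if self._config.DUMP_DIR is not None and hook_mod_base is not None:
            if not os.path.isdir(self._config.DUMP_DIR):
                debug.error(self._config.DUMP_DIR + " is not a directory")
            else:
                proc_space = process.get_process_address_space()
                if not proc_space.is_valid_address(hook_mod_base):
                    print("Error: DllBase is paged")
                else:
                    # File name is built only from integers (pid, physical
                    # offset of the EPROCESS, VAD base), so it cannot carry
                    # path separators from the image.
                    process_offset = proc_space.vtop(process.obj_offset)
                    dump_file = "module.{0}.{1:x}.{2:x}.dll".format(
                        process.UniqueProcessId, process_offset, hook_mod_base)
                    self.dump_pe(proc_space, hook_mod_base, dump_file)
        bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit"
        for hop_index, (address, hop_bytes) in enumerate(hook.disassembled_hops):
            rows = [
                "{0:#x} {1:<16} {2}".format(addr, hexbytes, insn)
                for addr, insn, hexbytes in
                malfind.Disassemble(hop_bytes, int(address), bits = bits)
            ]
            outfd.write("Disassembly({0}):\n{1}".format(hop_index, "\n".join(rows)))
            outfd.write("\n\n")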
示例11: render_text
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import Disassemble [as 别名]
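def render_text(self, outfd, data):
    """Write one block per detected hook, skipping entries the whitelist
    accepts unless --no-whitelist was given.

    Each block holds mode, type, owning process (when present), victim module
    range, hooked function, hook address, hooking module and a disassembly of
    every recorded hop.

    Args:
        outfd: writable text stream.
        data: iterable of (process, module, hook) triples; `process` may be
            falsy for kernel-mode hooks.
    """
    for process, module, hook in data:
        if not self._config.NO_WHITELIST:
            process_name = str(process.ImageFileName) if process else ''
            # Whitelisted (mode|type, process, victim, hooker, function)
            # combinations are known-benign and dropped from the report.
            if self.whitelist(hook.hook_mode | hook.hook_type,
                              process_name, hook.VictimModule,
                              hook.HookModule, hook.Function):
                continue
        outfd.write("*" * 72 + "\n")
        outfd.write("Hook mode: {0}\n".format(hook.Mode))
        outfd.write("Hook type: {0}\n".format(hook.Type))
        if process:
            outfd.write('Process: {0} ({1})\n'.format(
                process.UniqueProcessId, process.ImageFileName))
        victim_name = (str(module.BaseDllName or '')
                       or ntpath.basename(str(module.FullDllName or '')))
        outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
            victim_name, module.DllBase, module.DllBase + module.SizeOfImage))
        outfd.write("Function: {0}\n".format(hook.Detail))
        outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
        outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))
        bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit"
        # The hop bytes were bound to `data`, shadowing the method parameter.
        for hop_index, (address, hop_bytes) in enumerate(hook.disassembled_hops):
            rows = [
                "{0:#x} {1:<16} {2}".format(addr, hexbytes, insn)
                for addr, insn, hexbytes in
                malfind.Disassemble(hop_bytes, int(address), bits = bits)
            ]
            outfd.write("Disassembly({0}):\n{1}".format(hop_index, "\n".join(rows)))
            outfd.write("\n\n")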
示例12: get_json
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import Disassemble [as 别名]
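def get_json(self, data):
    """Build the JSON-serialisable hook report: {"Hooks": [row, ...]}.

    Fix: `process_name` and `process_id` were only assigned inside the
    `if not self._config.NO_WHITELIST:` branch but used unconditionally when
    building the row, so running with --no-whitelist raised
    UnboundLocalError on the first hook. They are now computed for every
    entry and the whitelist check is applied afterwards.

    Args:
        data: iterable of (process, module, hook) triples; `process` may be
            falsy for kernel-mode hooks (reported with UniqueProcessId -1).

    Returns:
        dict with a single "Hooks" key holding one dict per reported hook,
        each carrying a "Disassembly" list of {Disassembly, Address, Hop}
        entries, one per recorded hop.
    """
    results = {"Hooks": []}
    for process, module, hook in data:
        if process:
            process_name = str(process.ImageFileName)
            process_id = int(process.UniqueProcessId)
        else:
            process_name = ''
            process_id = -1
        if not self._config.NO_WHITELIST:
            if self.whitelist(hook.hook_mode | hook.hook_type,
                              process_name, hook.VictimModule,
                              hook.HookModule, hook.Function):
                continue
        row = {'ImageFileName': process_name or '',
               'Mode': str(hook.Mode),
               'Type': str(hook.Type),
               'UniqueProcessId': process_id,
               'BaseDllName': str(module.BaseDllName or ''),
               'SizeOfImage': int(module.SizeOfImage),
               'FullDllName': ntpath.basename(str(module.FullDllName or '')),
               'DllBase': long(module.DllBase),
               # Kept as a string for compatibility with existing consumers,
               # even though SizeOfImage above is an int.
               'DllSize': "{}".format(module.SizeOfImage),
               'DllEndAddress': module.DllBase + module.SizeOfImage,
               'Detail': str(hook.Detail),
               'HookAddress': long(hook.hook_address),
               'HookModule': str(hook.HookModule),
               'Disassembly': []
               }
        bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit"
        # The hop bytes were bound to `data`, shadowing the method parameter.
        for hop_index, (address, hop_bytes) in enumerate(hook.disassembled_hops):
            insns = [{'Address': int(addr), "Bytes": str(hexbytes), "Instruction": str(insn)}
                     for addr, insn, hexbytes in
                     malfind.Disassemble(hop_bytes, int(address), bits = bits)
                     ]
            row['Disassembly'].append({'Disassembly': insns,
                                       'Address': "{}".format(address),
                                       'Hop': hop_index})
        results['Hooks'].append(row)
    return results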