

Python malfind.DiscontigYaraScanner方法代码示例

本文整理汇总了Python中volatility.plugins.malware.malfind.DiscontigYaraScanner方法的典型用法代码示例。如果您正苦于以下问题:Python malfind.DiscontigYaraScanner方法的具体用法?Python malfind.DiscontigYaraScanner怎么用?Python malfind.DiscontigYaraScanner使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在volatility.plugins.malware.malfind的用法示例。


在下文中一共展示了malfind.DiscontigYaraScanner方法的10个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: calculate

# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import DiscontigYaraScanner [as 别名]
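def calculate(self):
        """Scan Linux kernel memory or each process's VMAs with the configured YARA rules.

        Yields ``(task, start, hit, data)`` tuples. ``task`` is ``None`` for
        kernel hits. ``start`` is the hit address minus REVERSE and ``data`` is
        the SIZE bytes read from ``start``, so the address reported to the
        renderer is the offset the returned buffer actually begins at (the
        upstream plugin reports ``address - REVERSE`` for the same reason).
        """
        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the linux plugin address spaces
        linux_common.set_plugin_members(self)

        reverse = self._config.REVERSE
        size = self._config.SIZE

        def hits(owner, scanner, **scan_args):
            # Read from and report the same offset: REVERSE backs the window up
            # so bytes preceding the match are included in the dump.
            for hit, address in scanner.scan(**scan_args):
                start = address - reverse
                yield (owner, start, hit, scanner.address_space.zread(start, size))

        if self._config.KERNEL:
            ## the start of kernel memory taken from VolatilityLinuxIntelValidAS
            if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
                kernel_start = 0xc0000000
            else:
                kernel_start = 0xffffffff80000000

            scanner = malfind.DiscontigYaraScanner(rules = rules,
                                                   address_space = self.addr_space)
            for row in hits(None, scanner, start_offset = kernel_start):
                yield row
        else:
            for task in self.filter_tasks():
                scanner = VmaYaraScanner(task = task, rules = rules)
                for row in hits(task, scanner):
                    yield row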
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:34,代码来源:linux_yarascan.py

示例2: calculate

# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import DiscontigYaraScanner [as 别名]
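def calculate(self):
        """Scan Mac kernel memory or each process's memory maps with the configured YARA rules.

        Yields ``(task, start, hit, data)`` tuples. ``task`` is ``None`` for
        kernel hits. ``start`` is the hit address minus REVERSE and ``data`` is
        the SIZE bytes read from ``start``, so the reported address matches the
        offset the returned buffer begins at (the upstream plugin reports
        ``address - REVERSE`` for the same reason).
        """
        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the mac plugin address spaces
        common.set_plugin_members(self)

        reverse = self._config.REVERSE
        size = self._config.SIZE

        def hits(owner, scanner, **scan_args):
            # Read from and report the same offset: REVERSE backs the window up
            # so bytes preceding the match are included in the dump.
            for hit, address in scanner.scan(**scan_args):
                start = address - reverse
                yield (owner, start, hit, scanner.address_space.zread(start, size))

        if self._config.KERNEL:
            ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
            if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
                # a 32-bit kernel on 64-bit-capable hardware keeps the
                # 0xc0000000 split; otherwise scan from 0
                if not common.is_64bit_capable(self.addr_space):
                    kernel_start = 0
                else:
                    kernel_start = 0xc0000000
            else:
                # 64-bit: take the lower bound from the kernel's own symbol
                vm_addr = self.addr_space.profile.get_symbol("_vm_min_kernel_address")
                kernel_start = obj.Object("unsigned long", offset = vm_addr, vm = self.addr_space)

            scanner = malfind.DiscontigYaraScanner(rules = rules,
                                                   address_space = self.addr_space)
            for row in hits(None, scanner, start_offset = kernel_start):
                yield row
        else:
            # Scan each process memory block
            for task in self.filter_tasks():
                # skip kernel_task
                if task.p_pid == 0:
                    continue
                scanner = MapYaraScanner(task = task, rules = rules)
                for row in hits(task, scanner, max_size = self._config.MAX_SIZE):
                    yield row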
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:42,代码来源:mac_yarascan.py

示例3: calculate

# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import DiscontigYaraScanner [as 别名]
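def calculate(self):
        """Locate certificate blobs with YARA and yield ``(process, cert)`` pairs.

        When PHYSICAL is set the underlying FileAddressSpace is scanned and
        ``process`` is ``None``; otherwise every filtered process's VADs are
        scanned. Only objects whose ``is_valid()`` passes are yielded.
        """
        addr_space = utils.load_as(self._config)

        if not has_yara:
            debug.error("You must install yara to use this plugin")

        if not self._config.DUMP_DIR:
            debug.error("You must supply a --dump-dir parameter")

        def valid_certs(scanner):
            # Instantiate the structure named by the matching rule at each hit
            # and keep only the ones that pass the object's own sanity checks.
            for hit, address in scanner.scan():
                cert = obj.Object(DumpCerts.type_map.get(hit.rule),
                                  vm = scanner.address_space,
                                  offset = address)
                if cert.is_valid():
                    yield cert

        if self._config.PHYSICAL:
            # Walk down the address-space stack to the FileAddressSpace; stop
            # with a clear error instead of an AttributeError when the chain
            # ends without one.
            while addr_space.__class__.__name__ != "FileAddressSpace":
                addr_space = getattr(addr_space, "base", None)
                if addr_space is None:
                    debug.error("No FileAddressSpace found beneath the loaded address space")
            scanner = malfind.DiscontigYaraScanner(address_space = addr_space,
                                                   rules = DumpCerts.rules)
            for cert in valid_certs(scanner):
                yield None, cert
        else:
            for process in self.filter_tasks(tasks.pslist(addr_space)):
                scanner = malfind.VadYaraScanner(task = process, rules = DumpCerts.rules)
                for cert in valid_certs(scanner):
                    yield process, cert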
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:34,代码来源:dumpcerts.py

示例4: calculate

# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import DiscontigYaraScanner [as 别名]
def calculate(self):
        """Run the compiled YARA rules over kernel memory or each process's VMAs.

        Each hit is yielded as ``(task, start, hit, data)``: ``task`` is
        ``None`` for the kernel scan, ``start`` is the hit address backed up by
        REVERSE bytes, and ``data`` holds SIZE bytes read from ``start``.
        """
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        # rule compilation is shared with the Windows yarascan plugin
        rules = self._compile_rules()

        # sets up the plugin's address space (self.addr_space is read below)
        linux_common.set_plugin_members(self)

        reverse = self._config.REVERSE
        size = self._config.SIZE

        def emit(owner, scanner, **scan_args):
            # one row per hit; the dump window starts REVERSE bytes before it
            for hit, address in scanner.scan(**scan_args):
                start = address - reverse
                yield (owner, start, hit, scanner.address_space.zread(start, size))

        if not self._config.KERNEL:
            for task in self.filter_tasks():
                vma_scanner = VmaYaraScanner(task = task, rules = rules)
                for row in emit(task, vma_scanner):
                    yield row
            return

        # kernel space begins where VolatilityLinuxIntelValidAS says it does
        model = self.addr_space.profile.metadata.get('memory_model', '32bit')
        kernel_start = 0xc0000000 if model == "32bit" else 0xffffffff80000000

        kernel_scanner = malfind.DiscontigYaraScanner(rules = rules,
                                                      address_space = self.addr_space)
        for row in emit(None, kernel_scanner, start_offset = kernel_start):
            yield row
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:34,代码来源:linux_yarascan.py

示例5: calculate

# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import DiscontigYaraScanner [as 别名]
def calculate(self):
        """Run the compiled YARA rules over Mac kernel memory or each process's maps.

        Each hit is yielded as ``(task, start, hit, data)``: ``task`` is
        ``None`` for the kernel scan, ``start`` is the hit address backed up by
        REVERSE bytes, and ``data`` holds SIZE bytes read from ``start``.
        """
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        # rule compilation is shared with the Windows yarascan plugin
        rules = self._compile_rules()

        # sets up the plugin's address space (self.addr_space is read below)
        common.set_plugin_members(self)

        reverse = self._config.REVERSE
        size = self._config.SIZE

        def emit(owner, scanner, **scan_args):
            # one row per hit; the dump window starts REVERSE bytes before it
            for hit, address in scanner.scan(**scan_args):
                start = address - reverse
                yield (owner, start, hit, scanner.address_space.zread(start, size))

        if not self._config.KERNEL:
            # per-process scan; pid 0 (kernel_task) is skipped
            for task in self.filter_tasks():
                if task.p_pid == 0:
                    continue
                map_scanner = MapYaraScanner(task = task, rules = rules)
                for row in emit(task, map_scanner, max_size = self._config.MAX_SIZE):
                    yield row
            return

        ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
        model = self.addr_space.profile.metadata.get('memory_model', '32bit')
        if model == "32bit":
            # 32-bit kernel: 0xc0000000 split only on 64-bit-capable hardware
            kernel_start = 0xc0000000 if common.is_64bit_capable(self.addr_space) else 0
        else:
            # 64-bit kernel: lower bound comes from the kernel's own symbol
            vm_addr = self.addr_space.profile.get_symbol("_vm_min_kernel_address")
            kernel_start = obj.Object("unsigned long", offset = vm_addr, vm = self.addr_space)

        kernel_scanner = malfind.DiscontigYaraScanner(rules = rules,
                                                      address_space = self.addr_space)
        for row in emit(None, kernel_scanner, start_offset = kernel_start):
            yield row
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:42,代码来源:mac_yarascan.py

示例6: calculate

# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import DiscontigYaraScanner [as 别名]
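def calculate(self):
        """Scan Mac kernel memory or each process's memory maps with the configured YARA rules.

        Yields ``(task, start, hit, data)`` tuples. ``task`` is ``None`` for
        kernel hits. ``start`` is the hit address minus REVERSE and ``data`` is
        the SIZE bytes read from ``start``, so the reported address matches the
        offset the returned buffer begins at (the upstream plugin reports
        ``address - REVERSE`` for the same reason).
        """
        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the mac plugin address spaces
        common.set_plugin_members(self)

        reverse = self._config.REVERSE
        size = self._config.SIZE

        def hits(owner, scanner, **scan_args):
            # Read from and report the same offset: REVERSE backs the window up
            # so bytes preceding the match are included in the dump.
            for hit, address in scanner.scan(**scan_args):
                start = address - reverse
                yield (owner, start, hit, scanner.address_space.zread(start, size))

        if self._config.KERNEL:
            ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
            if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
                # a 32-bit kernel on 64-bit-capable hardware keeps the
                # 0xc0000000 split; otherwise scan from 0
                if not common.is_64bit_capable(self.addr_space):
                    kernel_start = 0
                else:
                    kernel_start = 0xc0000000
            else:
                # 64-bit: take the lower bound from the kernel's own symbol
                vm_addr = self.addr_space.profile.get_symbol("_vm_min_kernel_address")
                kernel_start = obj.Object("unsigned long", offset = vm_addr, vm = self.addr_space)

            scanner = malfind.DiscontigYaraScanner(rules = rules,
                                                   address_space = self.addr_space)
            for row in hits(None, scanner, start_offset = kernel_start):
                yield row
        else:
            # Scan each process memory block
            for task in self.filter_tasks():
                # skip kernel_task
                if task.p_pid == 0:
                    continue
                scanner = MapYaraScanner(task = task, rules = rules)
                for row in hits(task, scanner):
                    yield row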
开发者ID:vortessence,项目名称:vortessence,代码行数:42,代码来源:mac_yarascan.py

示例7: calculate

# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import DiscontigYaraScanner [as 别名]
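def calculate(self):
        """Scan Mac kernel memory or each process's memory maps with the configured YARA rules.

        Yields ``(task, start, hit, data)`` tuples. ``task`` is ``None`` for
        kernel hits. ``start`` is the hit address minus REVERSE and ``data`` is
        the SIZE bytes read from ``start``, so the reported address matches the
        offset the returned buffer begins at (the upstream plugin reports
        ``address - REVERSE`` for the same reason).
        """
        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the mac plugin address spaces
        common.set_plugin_members(self)

        reverse = self._config.REVERSE
        size = self._config.SIZE

        def hits(owner, scanner, **scan_args):
            # Read from and report the same offset: REVERSE backs the window up
            # so bytes preceding the match are included in the dump.
            for hit, address in scanner.scan(**scan_args):
                start = address - reverse
                yield (owner, start, hit, scanner.address_space.zread(start, size))

        if self._config.KERNEL:
            ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
            if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
                # a 32-bit kernel on 64-bit-capable hardware keeps the
                # 0xc0000000 split; otherwise scan from 0
                if not common.is_64bit_capable(self.addr_space):
                    kernel_start = 0
                else:
                    kernel_start = 0xc0000000
            else:
                # fixed 64-bit lower bound; this version does not read the
                # _vm_min_kernel_address symbol
                kernel_start = 0xffffff8000000000

            scanner = malfind.DiscontigYaraScanner(rules = rules,
                                                   address_space = self.addr_space)
            for row in hits(None, scanner, start_offset = kernel_start):
                yield row
        else:
            # Scan each process memory block
            for task in self.filter_tasks():
                # skip kernel_task
                if task.p_pid == 0:
                    continue
                scanner = MapYaraScanner(task = task, rules = rules)
                for row in hits(task, scanner):
                    yield row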
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:41,代码来源:mac_yarascan.py

示例8: calculate

# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import DiscontigYaraScanner [as 别名]
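def calculate(self):
        """Carve ``inet_sock`` objects from Linux kernel memory and yield connection tuples.

        A YARA hex rule for the little-endian pointer value of
        ``inet_sock_destruct`` is scanned over kernel memory; each hit is the
        ``sk_destruct`` slot of a candidate ``sock``, so subtracting that
        field's offset gives the object base. Candidates are vetted with the
        ``check_*`` methods before being yielded as
        ``(inet_sock, protocol, saddr, sport, daddr, dport, state)``.
        """
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        linux_common.set_plugin_members(self)

        ## the start of kernel memory taken from VolatilityLinuxIntelValidAS
        if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
            kernel_start = 0xc0000000
            pack_fmt     = "<I"
        else:
            kernel_start = 0xffff880000000000
            pack_fmt     = "<Q"

        checks = [self.check_family, self.check_proto, self.check_socket_back_pointer, self.check_pointers]

        destruct_offset = self.addr_space.profile.get_obj_offset("sock", "sk_destruct")

        # sk_destruct pointer value of sock
        func_addr = self.addr_space.profile.get_symbol("inet_sock_destruct")

        # bytearray iterates as ints on both Python 2 and 3; ord() on the
        # packed bytes only worked on Python 2
        vals = bytearray(struct.pack(pack_fmt, func_addr))

        s = "{ " + " ".join(["%.02x" % v for v in vals]) + " }"

        rules = yara.compile(sources = { 'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}' })

        scanner = malfind.DiscontigYaraScanner(rules = rules, address_space = self.addr_space)
        for _, address in scanner.scan(start_offset = kernel_start):
            base_address = address - destruct_offset

            i = obj.Object("inet_sock", offset = base_address, vm = self.addr_space)

            # only an explicit False from a check rejects the candidate; the
            # comparison is kept as-is so other return values are not rejected
            if any(check(i) == False for check in checks):
                continue

            state  = i.state if i.protocol == "TCP" else ""

            sport = i.src_port
            dport = i.dst_port
            saddr = i.src_addr
            daddr = i.dst_addr

            # drop the all-zero placeholder entry the original filtered out
            if str(saddr) == "0.0.0.0" and str(daddr) == "0.0.0.0" and sport == 6 and dport == 0:
                continue

            yield (i, i.protocol, saddr, sport, daddr, dport, state)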
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:56,代码来源:netscan.py

示例9: calculate

# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import DiscontigYaraScanner [as 别名]
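def calculate(self):
        """Carve ``inet_sock`` objects from Linux kernel memory and yield connection tuples.

        A YARA hex rule for the little-endian pointer value of
        ``inet_sock_destruct`` is scanned over kernel memory; each hit is the
        ``sk_destruct`` slot of a candidate ``sock``, so subtracting that
        field's offset gives the object base. Candidates are vetted with the
        ``check_*`` methods before being yielded as
        ``(inet_sock, protocol, saddr, sport, daddr, dport, state)``.
        """
        # local import: the file's import block is not visible from here
        import struct

        linux_common.set_plugin_members(self)

        ## the start of kernel memory taken from VolatilityLinuxIntelValidAS
        if self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
            kernel_start = 0xc0000000
            pack_fmt     = "<I"
        else:
            kernel_start = 0xffffffff80000000
            pack_fmt     = "<Q"

        checks = [self.check_family, self.check_proto, self.check_socket_back_pointer, self.check_pointers]

        destruct_offset = self.addr_space.profile.get_obj_offset("sock", "sk_destruct")

        # sk_destruct pointer value of sock
        func_addr = self.addr_space.profile.get_symbol("inet_sock_destruct")

        # little-endian byte image of the pointer, as the hand-rolled
        # shift/mask loop produced it; unlike that loop struct.pack raises
        # instead of silently truncating a value wider than the pointer
        vals = bytearray(struct.pack(pack_fmt, func_addr))

        s = "{" + " ".join(["%.02x" % v for v in vals]) + " }"

        rules = yara.compile(sources = { 'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}' })

        scanner = malfind.DiscontigYaraScanner(rules = rules, address_space = self.addr_space)
        for _, address in scanner.scan(start_offset = kernel_start):
            base_address = address - destruct_offset

            i = obj.Object("inet_sock", offset = base_address, vm = self.addr_space)

            # only an explicit False from a check rejects the candidate; the
            # comparison is kept as-is so other return values are not rejected
            if any(check(i) == False for check in checks):
                continue

            state  = i.state if i.protocol == "TCP" else ""

            sport = i.src_port
            dport = i.dst_port
            saddr = i.src_addr
            daddr = i.dst_addr

            yield (i, i.protocol, saddr, sport, daddr, dport, state)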
开发者ID:vortessence,项目名称:vortessence,代码行数:59,代码来源:netscan.py

示例10: calculate

# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import DiscontigYaraScanner [as 别名]
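def calculate(self):
        """Locate certificate blobs with YARA and yield ``(process, cert)`` pairs.

        When PHYSICAL is set the underlying FileAddressSpace is scanned and
        ``process`` is ``None``; otherwise every filtered process's VADs are
        scanned. Only objects whose ``is_valid()`` passes are yielded.
        """
        addr_space = utils.load_as(self._config)

        if not has_yara:
            debug.error("You must install yara to use this plugin")

        if not self._config.DUMP_DIR:
            debug.error("You must supply a --dump-dir parameter")

        # Wildcard signatures to scan for
        rules = yara.compile(sources = {
            'x509' : 'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}',
            'pkcs' : 'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}',
            })

        # These signature names map to these data structures
        type_map = {
            'x509' : '_X509_PUBLIC_CERT',
            'pkcs' : '_PKCS_PRIVATE_CERT',
        }

        def valid_certs(scanner):
            # Instantiate the structure named by the matching rule at each hit
            # and keep only the ones that pass the object's own sanity checks.
            for hit, address in scanner.scan():
                cert = obj.Object(type_map.get(hit.rule),
                                  vm = scanner.address_space,
                                  offset = address)
                if cert.is_valid():
                    yield cert

        if self._config.PHYSICAL:
            # Walk down the address-space stack to the FileAddressSpace; stop
            # with a clear error instead of an AttributeError when the chain
            # ends without one.
            while addr_space.__class__.__name__ != "FileAddressSpace":
                addr_space = getattr(addr_space, "base", None)
                if addr_space is None:
                    debug.error("No FileAddressSpace found beneath the loaded address space")
            scanner = malfind.DiscontigYaraScanner(address_space = addr_space,
                                                   rules = rules)
            for cert in valid_certs(scanner):
                yield None, cert
        else:
            for process in self.filter_tasks(tasks.pslist(addr_space)):
                scanner = malfind.VadYaraScanner(task = process, rules = rules)
                for cert in valid_certs(scanner):
                    yield process, cert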
开发者ID:vortessence,项目名称:vortessence,代码行数:46,代码来源:dumpcerts.py

