本文整理汇总了Python中volatility.plugins.malware.malfind.VadYaraScanner方法的典型用法代码示例。如果您正苦于以下问题:Python malfind.VadYaraScanner方法的具体用法?Python malfind.VadYaraScanner怎么用?Python malfind.VadYaraScanner使用的例子?那么恭喜您,这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在模块volatility.plugins.malware.malfind的用法示例。
在下文中一共展示了malfind.VadYaraScanner方法的5个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: calculate
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import VadYaraScanner [as 别名]
def calculate(self):
    """Yield (task, vad_base) for every YARA hit found in the first page of a VAD.

    Every process selected by the plugin's task filter has its VADs scanned
    with the rules compiled from ``signatures``; a hit is reported only when
    it lies no more than 0x1000 bytes past the base of its VAD.

    Calls ``debug.error`` when yara is unavailable or the profile is not
    supported by this plugin.
    """
    if not has_yara:
        debug.error("Yara must be installed for this plugin")

    addr_space = utils.load_as(self._config)
    if not self.is_valid_profile(addr_space.profile):
        debug.error("This command does not support the selected profile.")

    compiled = yara.compile(sources = signatures)
    for proc in self.filter_tasks(tasks.pslist(addr_space)):
        yara_scanner = malfind.VadYaraScanner(task = proc, rules = compiled)
        for _hit, hit_addr in yara_scanner.scan():
            base = self.get_vad_base(proc, hit_addr)
            # Hits deeper than one page (0x1000 bytes) into the VAD are dropped.
            if hit_addr - base <= 0x1000:
                yield proc, base
示例2: calculate
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import VadYaraScanner [as 别名]
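def calculate(self):
    """Yield (task, address, vad_base, content) for the first YARA hit per injection VAD.

    For each process selected by the task filter, the VADs accepted by
    ``task._injection_filter`` are iterated; for every such VAD a
    ``VadYaraScanner`` over the task is run and its first hit is reported
    together with 2048 bytes read at the hit address from the process
    address space.

    Calls ``debug.error`` when yara is unavailable or the profile is not
    supported by this plugin.
    """
    if not has_yara:
        debug.error("Yara must be installed for this plugin")
    addr_space = utils.load_as(self._config)
    if not self.is_valid_profile(addr_space.profile):
        debug.error("This command does not support the selected profile.")

    # Compile the rule set once up front: the original recompiled the same
    # sources inside the per-VAD loop, which is pure overhead.
    rules = yara.compile(sources = signatures)

    for task in self.filter_tasks(tasks.pslist(addr_space)):
        for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
            # NOTE(review): the scanner is built from the task, not from this
            # VAD, so every iteration rescans the whole process and the same
            # first hit may be reported once per injection VAD — confirm that
            # this is the intended output.
            scanner = malfind.VadYaraScanner(task = task, rules = rules)
            for _hit, address in scanner.scan():
                vad_base_addr = self.get_vad_base(task, address)
                # Read a 2048-byte chunk starting at the hit for the renderer.
                content = address_space.zread(address, 2048)
                yield task, address, vad_base_addr, content
                # Only the first hit per VAD is reported.
                break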
# break # Show only 1 instance of detected injection per process
示例3: calculate
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import VadYaraScanner [as 别名]
def calculate(self):
    """Yield (process, cert) pairs for every certificate structure that validates.

    With ``PHYSICAL`` set, the address space is unwrapped down to the
    ``FileAddressSpace`` and scanned with ``DiscontigYaraScanner`` (the
    process slot of each pair is then ``None``); otherwise every process
    selected by the task filter is scanned with ``VadYaraScanner``. Each hit
    is instantiated as the structure ``DumpCerts.type_map`` maps its rule
    name to, and kept only when ``is_valid()`` holds.

    Calls ``debug.error`` when yara is unavailable or ``--dump-dir`` was not
    supplied.
    """
    addr_space = utils.load_as(self._config)
    if not has_yara:
        debug.error("You must install yara to use this plugin")
    if not self._config.DUMP_DIR:
        debug.error("You must supply a --dump-dir parameter")

    def valid_certs(scanner):
        # Turn each hit into the structure its rule name maps to and keep
        # the ones that pass their own validity check.
        for hit, address in scanner.scan():
            cert = obj.Object(DumpCerts.type_map.get(hit.rule),
                              vm = scanner.address_space,
                              offset = address)
            if cert.is_valid():
                yield cert

    if self._config.PHYSICAL:
        # Unwrap the layered address spaces until the raw file space is reached.
        while addr_space.__class__.__name__ != "FileAddressSpace":
            addr_space = addr_space.base
        phys_scanner = malfind.DiscontigYaraScanner(address_space = addr_space,
                                                    rules = DumpCerts.rules)
        for cert in valid_certs(phys_scanner):
            yield None, cert
    else:
        for process in self.filter_tasks(tasks.pslist(addr_space)):
            vad_scanner = malfind.VadYaraScanner(task = process, rules = DumpCerts.rules)
            for cert in valid_certs(vad_scanner):
                yield process, cert
示例4: calculate
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import VadYaraScanner [as 别名]
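def calculate(self):
    """Required: Runs YARA search to find hits.

    Yields (task, address) for every match of the rules compiled from
    ``signatures`` in the VADs of the browser processes (chrome.exe,
    firefox.exe, iexplore.exe) that pass the task filter. Calls
    ``debug.error`` when yara is unavailable.
    """
    if not has_yara:
        debug.error('Yara must be installed for this plugin')
    addr_space = utils.load_as(self._config)
    rules = yara.compile(sources = signatures)
    # Only these browser processes are scanned. A tuple keeps the membership
    # test equality-based, as the original list did.
    browsers = ('chrome.exe', 'firefox.exe', 'iexplore.exe')
    for task in self.filter_tasks(tasks.pslist(addr_space)):
        # `x not in y` is the idiomatic spelling of `not x in y`.
        if task.ImageFileName.lower() not in browsers:
            continue
        scanner = malfind.VadYaraScanner(task=task, rules=rules)
        for _hit, address in scanner.scan():
            yield task, address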
示例5: calculate
# 需要导入模块: from volatility.plugins.malware import malfind [as 别名]
# 或者: from volatility.plugins.malware.malfind import VadYaraScanner [as 别名]
def calculate(self):
    """Yield (process, cert) pairs for every certificate structure that validates.

    Two wildcard YARA rules are compiled inline: ``x509`` and ``pkcs``. Each
    rule name maps to the structure type used to instantiate its hits. With
    ``PHYSICAL`` set, the address space is unwrapped down to the
    ``FileAddressSpace`` and scanned with ``DiscontigYaraScanner`` (the
    process slot of each pair is then ``None``); otherwise every process
    selected by the task filter is scanned with ``VadYaraScanner``. Only
    structures whose ``is_valid()`` holds are yielded.

    Calls ``debug.error`` when yara is unavailable or ``--dump-dir`` was not
    supplied.
    """
    addr_space = utils.load_as(self._config)
    if not has_yara:
        debug.error("You must install yara to use this plugin")
    if not self._config.DUMP_DIR:
        debug.error("You must supply a --dump-dir parameter")

    # Wildcard signatures to scan for (DER SEQUENCE headers with a two-byte length).
    rules = yara.compile(sources = {
        'x509' : 'rule x509 {strings: $a = {30 82 ?? ?? 30 82 ?? ??} condition: $a}',
        'pkcs' : 'rule pkcs {strings: $a = {30 82 ?? ?? 02 01 00} condition: $a}',
    })

    # Rule name -> structure type used to instantiate a hit.
    type_map = {
        'x509' : '_X509_PUBLIC_CERT',
        'pkcs' : '_PKCS_PRIVATE_CERT',
    }

    def valid_certs(scanner):
        # Instantiate each hit as the mapped structure and keep only those
        # that pass their own validity check.
        for hit, address in scanner.scan():
            cert = obj.Object(type_map.get(hit.rule),
                              vm = scanner.address_space,
                              offset = address)
            if cert.is_valid():
                yield cert

    if self._config.PHYSICAL:
        # Unwrap the layered address spaces until the raw file space is reached.
        while addr_space.__class__.__name__ != "FileAddressSpace":
            addr_space = addr_space.base
        phys_scanner = malfind.DiscontigYaraScanner(address_space = addr_space,
                                                    rules = rules)
        for cert in valid_certs(phys_scanner):
            yield None, cert
    else:
        for process in self.filter_tasks(tasks.pslist(addr_space)):
            vad_scanner = malfind.VadYaraScanner(task = process, rules = rules)
            for cert in valid_certs(vad_scanner):
                yield process, cert