本文整理汇总了Python中volatility.utils.iterfind方法的典型用法代码示例。如果您正苦于以下问题:Python utils.iterfind方法的具体用法?Python utils.iterfind怎么用?Python utils.iterfind使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类volatility.utils
的用法示例。
在下文中一共展示了utils.iterfind方法的11个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: scan
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import iterfind [as 别名]
def scan(self, address_space, offset = None, maxlen = None):
    """Yield (tag, absolute_offset) for every needle hit in the address space.

    Each available range is walked in ascending order and read in blocks of
    constants.SCAN_BLOCKSIZE plus self.overlap bytes, advancing by
    constants.SCAN_BLOCKSIZE, so a needle straddling a block boundary is still
    found (when self.overlap is non-zero a hit inside the overlap window may be
    reported twice).

    @param address_space: provides get_available_addresses() and zread(offset, length).
    @param offset: absolute offset to begin at; None means 0.
    @param maxlen: if given, caps how far into each range the scan proceeds,
        measured from the point the scan enters that range (applied per range,
        not as a global budget).
    @returns generator of (data[hit:hit+4], absolute hit offset) tuples; the
        4-byte slice is the matched tag so callers need not re-read it.
    """
    cursor = 0 if offset is None else offset
    for range_start, range_size in sorted(address_space.get_available_addresses()):
        # Never scan below the start of the range we are entering.
        cursor = max(range_start, cursor)
        range_end = range_start + range_size
        if maxlen is not None:
            range_end = min(range_end, cursor + maxlen)
        while cursor < range_end:
            chunk_len = min(constants.SCAN_BLOCKSIZE + self.overlap, range_end - cursor)
            chunk = address_space.zread(cursor, chunk_len)
            for needle in self.needles:
                for hit in utils.iterfind(chunk, needle):
                    # Hand back the matched tag alongside its absolute offset.
                    yield chunk[hit:hit + 4], cursor + hit
            cursor += min(constants.SCAN_BLOCKSIZE, chunk_len)
#--------------------------------------------------------------------------------
# The main interface / API for concurrent scans
#--------------------------------------------------------------------------------
示例2: search_process_memory
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import iterfind [as 别名]
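def search_process_memory(self, s, heap_only = False):
    """Yield the absolute address of every occurrence of each needle in *s*.

    Each VMA of the process is read in 10 MiB blocks with a 1 KiB overlap so a
    needle straddling a block boundary is still matched (a hit inside the
    overlap window can therefore be reported twice).

    @param s: a list of strings like ["one", "two"]. A bare (non-list) value is
        still accepted but deprecated: a warning is logged and it is wrapped.
    @param heap_only: when True only VMAs that fully contain the
        [mm.start_brk, mm.brk] range are searched.
    @returns generator of absolute hit addresses; yields nothing when the
        process has no address space.
    """
    # Allow for some overlap in case objects are right on page boundaries
    overlap = 1024
    scan_blk_sz = 1024 * 1024 * 10
    # Normalise to a list so several needles can be searched in one pass
    # without changing the API (isinstance, not type(), so list subclasses pass).
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]
    addr_space = self.get_process_address_space()
    if addr_space is None:
        return
    for vma in self.get_proc_maps():
        if heap_only and not (vma.vm_start <= self.mm.start_brk and vma.vm_end >= self.mm.brk):
            continue
        offset = vma.vm_start
        out_of_range = vma.vm_start + (vma.vm_end - vma.vm_start)
        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break  # empty read: give up on the rest of this VMA
            for needle in s:
                for hit in utils.iterfind(data, needle):
                    yield offset + hit
            offset += min(to_read, scan_blk_sz)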
示例3: search_process_memory
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import iterfind [as 别名]
def search_process_memory(self, s):
    """Yield the absolute address of every occurrence of each needle in *s*.

    Every mapped region of the process is read in 10 MiB blocks with a 1 KiB
    overlap so a needle crossing a block boundary is still matched (a hit
    inside the overlap window may be reported twice).

    @param s: a list of strings like ["one", "two"]
    @returns generator of absolute hit addresses
    """
    block_size = 1024 * 1024 * 10
    overlap = 1024  # objects may sit right on page boundaries
    window = block_size + overlap
    space = self.get_process_address_space()
    for region in self.get_proc_maps():
        cursor = region.links.start
        limit = region.links.start + (region.links.end - region.links.start)
        while cursor < limit:
            chunk_len = min(window, limit - cursor)
            chunk = space.zread(cursor, chunk_len)
            if not chunk:
                break
            for needle in s:
                for hit in utils.iterfind(chunk, needle):
                    yield cursor + hit
            cursor += min(chunk_len, block_size)
示例4: search_process_memory_rw_nofile
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import iterfind [as 别名]
def search_process_memory_rw_nofile(self, s):
    """Yield the absolute address of every occurrence of each needle in *s*,
    restricted to anonymous read/write regions and the "[heap]" region.

    A region is searched when its permissions are "rw-" and it has no backing
    path, or when its special path is "[heap]". Regions are read in 10 MiB
    blocks with a 1 KiB overlap so a needle crossing a block boundary is still
    matched (a hit inside the overlap window may be reported twice).

    @param s: a list of strings like ["one", "two"]
    @returns generator of absolute hit addresses
    """
    block_size = 1024 * 1024 * 10
    overlap = 1024  # objects may sit right on page boundaries
    window = block_size + overlap
    space = self.get_process_address_space()
    for region in self.get_proc_maps():
        anonymous_rw = region.get_perms() == "rw-" and region.get_path() == ""
        if not anonymous_rw and region.get_special_path() != "[heap]":
            continue
        cursor = region.links.start
        limit = region.links.start + (region.links.end - region.links.start)
        while cursor < limit:
            chunk_len = min(window, limit - cursor)
            chunk = space.zread(cursor, chunk_len)
            if not chunk:
                break
            for needle in s:
                for hit in utils.iterfind(chunk, needle):
                    yield cursor + hit
            cursor += min(chunk_len, block_size)
示例5: search_process_memory
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import iterfind [as 别名]
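def search_process_memory(self, s, vad_filter = None):
    """
    Search memory for a simple byte string.

    FIXME: as of 2.3 this parameter can also be a list to
    search for multiple strings concurrently. The
    single string will be deprecated in 3.0.

    Each VAD is read in blocks of constants.SCAN_BLOCKSIZE plus a 1 KiB
    overlap so a needle straddling a block boundary is still matched (a hit
    inside the overlap window can therefore be reported twice).

    @param s: the string to search for, or a list of strings. A bare value is
        still accepted but deprecated: a warning is logged and it is wrapped.
    @param vad_filter: passed through to self.get_vads() to select VADs.
    @returns every occurrence of the string
        in process memory (as absolute address).
    """
    # Allow for some overlap in case objects are right on page boundaries
    overlap = 1024
    # Normalise to a list so several needles can be searched in one pass
    # without changing the API (isinstance, not type(), so list subclasses pass).
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]
    # All MMVADs that belong to this process.
    for vad, address_space in self.get_vads(vad_filter, skip_max_commit = True):
        offset = vad.Start
        out_of_range = vad.Start + vad.Length
        while offset < out_of_range:
            to_read = min(constants.SCAN_BLOCKSIZE + overlap, out_of_range - offset)
            data = address_space.zread(offset, to_read)
            if not data:
                break  # empty read: give up on the rest of this VAD
            for needle in s:
                for hit in utils.iterfind(data, needle):
                    yield offset + hit
            offset += min(to_read, constants.SCAN_BLOCKSIZE)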
示例6: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import iterfind [as 别名]
def calculate(self):
    """Yield (proc, person) for every ":ABPerson" marker found in the process's
    anonymous read/write regions whose first 32 bytes contain "SQLite format".

    @returns generator of (task, String object of up to 256 bytes read at the
        marker's absolute address with utf8 encoding).
    """
    common.set_plugin_members(self)
    for proc in pstasks.mac_tasks.calculate(self):
        space = proc.get_process_address_space()
        for region in proc.get_proc_maps():
            # only read/write regions without a backing file
            if region.get_perms() != "rw-" or region.get_path():
                continue
            start = region.links.start
            # cheap header probe before pulling in the whole region
            if "SQLite format" not in space.zread(start, 32):
                continue
            contents = space.zread(start, region.links.end - start)
            for hit in utils.iterfind(contents, ":ABPerson"):
                person = obj.Object("String",
                                    offset = start + hit,
                                    vm = space, encoding = "utf8",
                                    length = 256)
                yield proc, person
示例7: search_process_memory
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import iterfind [as 别名]
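def search_process_memory(self, s, heap_only = False):
    """Yield the absolute address of every occurrence of each needle in *s*.

    Each VMA of the process is read in 10 MiB blocks with a 1 KiB overlap so a
    needle straddling a block boundary is still matched (a hit inside the
    overlap window can therefore be reported twice).

    @param s: a list of strings like ["one", "two"]. A bare (non-list) value is
        still accepted but deprecated: a warning is logged and it is wrapped.
    @param heap_only: when True only VMAs that overlap the
        [mm.start_brk, mm.brk] range are searched (vm_start <= brk and
        vm_end >= start_brk).
    @returns generator of absolute hit addresses; yields nothing when the
        process has no address space.
    """
    # Allow for some overlap in case objects are right on page boundaries
    overlap = 1024
    scan_blk_sz = 1024 * 1024 * 10
    # Normalise to a list so several needles can be searched in one pass
    # without changing the API (isinstance, not type(), so list subclasses pass).
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]
    addr_space = self.get_process_address_space()
    if addr_space is None:
        return
    for vma in self.get_proc_maps():
        if heap_only and not (vma.vm_start <= self.mm.brk and vma.vm_end >= self.mm.start_brk):
            continue
        offset = vma.vm_start
        out_of_range = vma.vm_start + (vma.vm_end - vma.vm_start)
        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break  # empty read: give up on the rest of this VMA
            for needle in s:
                for hit in utils.iterfind(data, needle):
                    yield offset + hit
            offset += min(to_read, scan_blk_sz)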
示例8: search_process_memory
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import iterfind [as 别名]
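def search_process_memory(self, s, heap_only = False):
    """Yield the absolute address of every occurrence of each needle in *s*.

    Each VMA of the process is read in 10 MiB blocks with a 1 KiB overlap so a
    needle straddling a block boundary is still matched (a hit inside the
    overlap window can therefore be reported twice).

    @param s: a list of strings like ["one", "two"]. A bare (non-list) value is
        still accepted but deprecated: a warning is logged and it is wrapped.
    @param heap_only: when True only VMAs that fully contain the
        [mm.start_brk, mm.brk] range are searched.
    @returns generator of absolute hit addresses; yields nothing when the
        process has no address space.
    """
    # Allow for some overlap in case objects are right on page boundaries
    overlap = 1024
    scan_blk_sz = 1024 * 1024 * 10
    # Normalise to a list so several needles can be searched in one pass
    # without changing the API (isinstance, not type(), so list subclasses pass).
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]
    addr_space = self.get_process_address_space()
    # The sibling implementations guard against a missing address space;
    # without this the zread() below would fail on None.
    if addr_space is None:
        return
    for vma in self.get_proc_maps():
        if heap_only and not (vma.vm_start <= self.mm.start_brk and vma.vm_end >= self.mm.brk):
            continue
        offset = vma.vm_start
        out_of_range = vma.vm_start + (vma.vm_end - vma.vm_start)
        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break  # empty read: give up on the rest of this VMA
            for needle in s:
                for hit in utils.iterfind(data, needle):
                    yield offset + hit
            offset += min(to_read, scan_blk_sz)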
示例9: search_process_memory_rw_nofile
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import iterfind [as 别名]
def search_process_memory_rw_nofile(self, s):
    """Yield the absolute address of every occurrence of each needle in *s*,
    restricted to anonymous read/write regions.

    Only regions whose permissions are "rw-" and whose backing path is empty
    are searched. Regions are read in 10 MiB blocks with a 1 KiB overlap so a
    needle crossing a block boundary is still matched (a hit inside the
    overlap window may be reported twice).

    @param s: a list of strings like ["one", "two"]
    @returns generator of absolute hit addresses
    """
    block_size = 1024 * 1024 * 10
    overlap = 1024  # objects may sit right on page boundaries
    window = block_size + overlap
    space = self.get_process_address_space()
    for region in self.get_proc_maps():
        if not (region.get_perms() == "rw-" and region.get_path() == ""):
            continue
        cursor = region.links.start
        limit = region.links.start + (region.links.end - region.links.start)
        while cursor < limit:
            chunk_len = min(window, limit - cursor)
            chunk = space.zread(cursor, chunk_len)
            if not chunk:
                break
            for needle in s:
                for hit in utils.iterfind(chunk, needle):
                    yield cursor + hit
            cursor += min(chunk_len, block_size)
示例10: search_process_memory
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import iterfind [as 别名]
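def search_process_memory(self, s):
    """
    Search memory for a simple byte string.

    FIXME: as of 2.3 this parameter can also be a list to
    search for multiple strings concurrently. The
    single string will be deprecated in 3.0.

    Each VAD is read in blocks of constants.SCAN_BLOCKSIZE plus a 1 KiB
    overlap so a needle straddling a block boundary is still matched (a hit
    inside the overlap window can therefore be reported twice).

    @param s: the string to search for, or a list of strings. A bare value is
        still accepted but deprecated: a warning is logged and it is wrapped.
    @returns every occurrence of the string
        in process memory (as absolute address).
    """
    # Allow for some overlap in case objects are right on page boundaries
    overlap = 1024
    # Normalise to a list so several needles can be searched in one pass
    # without changing the API (isinstance, not type(), so list subclasses pass).
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]
    # All MMVADs that belong to this process.
    for vad, address_space in self.get_vads(skip_max_commit = True):
        offset = vad.Start
        out_of_range = vad.Start + vad.Length
        while offset < out_of_range:
            to_read = min(constants.SCAN_BLOCKSIZE + overlap, out_of_range - offset)
            data = address_space.zread(offset, to_read)
            if not data:
                break  # empty read: give up on the rest of this VAD
            for needle in s:
                for hit in utils.iterfind(data, needle):
                    yield offset + hit
            offset += min(to_read, constants.SCAN_BLOCKSIZE)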
示例11: scan
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import iterfind [as 别名]
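def scan(self, address_space, offset = None, maxlen = None):
    """Yield (tag, absolute_offset) for every needle hit in the address space.

    Each available range is walked in ascending order and read in blocks of
    constants.SCAN_BLOCKSIZE plus self.overlap bytes, advancing by
    constants.SCAN_BLOCKSIZE, so a needle straddling a block boundary is still
    found (when self.overlap is non-zero a hit inside the overlap window may be
    reported twice).

    @param address_space: provides get_available_addresses() and zread(offset, length).
    @param offset: absolute offset to begin at; None means 0.
    @param maxlen: if given, the scan stops at offset + maxlen (with offset
        resolved to 0 when None), so it bounds the whole scan.
    @returns generator of (data[hit:hit+4], absolute hit offset) tuples; the
        4-byte slice is the matched tag so callers need not re-read it.
    """
    current_offset = 0 if offset is None else offset
    # Resolve the ceiling once from the *resolved* start. Computing
    # offset + maxlen inside the loop raised TypeError whenever the caller
    # left offset as None but set maxlen.
    scan_end = None if maxlen is None else current_offset + maxlen
    for range_start, range_size in sorted(address_space.get_available_addresses()):
        # Ranges are sorted, so once one starts past the ceiling none can hit.
        if scan_end is not None and range_start >= scan_end:
            break
        # Never scan below the start of the range we are entering.
        current_offset = max(range_start, current_offset)
        range_end = range_start + range_size
        if scan_end is not None:
            range_end = min(range_end, scan_end)
        while current_offset < range_end:
            chunk_len = min(constants.SCAN_BLOCKSIZE + self.overlap, range_end - current_offset)
            data = address_space.zread(current_offset, chunk_len)
            for needle in self.needles:
                for hit in utils.iterfind(data, needle):
                    # Hand back the matched tag alongside its absolute offset.
                    yield data[hit:hit + 4], hit + current_offset
            current_offset += min(constants.SCAN_BLOCKSIZE, chunk_len)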
#--------------------------------------------------------------------------------
# The main interface / API for concurrent scans
#--------------------------------------------------------------------------------