

Python utils.load_as方法代码示例

本文整理汇总了Python中volatility.utils.load_as方法的典型用法代码示例。如果您正苦于以下问题:Python utils.load_as方法的具体用法?Python utils.load_as怎么用?Python utils.load_as使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在volatility.utils的用法示例。



示例1: calculate

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        for objct in self.scan_results(addr_space):

            if isinstance(objct, _UDP_ENDPOINT):
                # For UdpA, the state is always blank and the remote end is asterisks
                for ver, laddr, _ in objct.dual_stack_sockets():
                    yield objct, "UDP" + ver, laddr, objct.Port, "*", "*", ""
            elif isinstance(objct, _TCP_ENDPOINT):

                if objct.AddressFamily == AF_INET:
                    proto = "TCPv4"
                elif objct.AddressFamily == AF_INET6:
                    proto = "TCPv6"

                yield objct, proto, objct.LocalAddress, objct.LocalPort, \
                    objct.RemoteAddress, objct.RemotePort, objct.State
            elif isinstance(objct, _TCP_LISTENER):
                # For TcpL, the state is always listening and the remote port is zero
                for ver, laddr, raddr in objct.dual_stack_sockets():
                    yield objct, "TCP" + ver, laddr, objct.Port, raddr, 0, "LISTENING" 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:27,代码来源:netscan.py

示例2: get_page_contents

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def get_page_contents(self, inode, idx):
        page_addr = self.find_get_page(inode, idx)

        if page_addr:
            page = obj.Object("page", offset = page_addr, vm = self.addr_space)
            phys_offset = page.to_paddr()
            if phys_offset > 0:
                phys_as = utils.load_as(self._config, astype = 'physical')
                data = phys_as.zread(phys_offset, 4096)
            else:
                data = "\x00" * 4096
        else:
            data = "\x00" * 4096

        return data

    # main function to be called, handles getting all the pages of an inode
    # and handles the last page not being page_size aligned 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:20,代码来源:find_file.py

示例3: calculate

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
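    def calculate(self):
        """Validate the dump options and select the processes to dump DLLs from.

        ``--dump-dir`` must name an existing directory. ``--offset`` selects a
        single process by physical offset; otherwise the task list is passed
        through ``filter_tasks``. ``--regex`` (with ``--ignore-case``) is compiled
        here so a malformed pattern aborts before anything is written.

        NOTE(review): the visible snippet ends right after the regex is compiled;
        ``data`` and ``mod_re`` are produced but not consumed in these lines, so
        the rest of the method is presumably cut off by the page.
        """
        addr_space = utils.load_as(self._config)

        if self._config.DUMP_DIR is None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        if self._config.OFFSET is not None:
            data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            data = self.filter_tasks(tasks.pslist(addr_space))

        if self._config.REGEX:
            flags = re.I if self._config.IGNORE_CASE else 0
            try:
                mod_re = re.compile(self._config.REGEX, flags)
            except re.error as e:
                # 'except re.error, e' was Python 2-only syntax; 'as' works on both.
                debug.error('Error parsing regular expression: %s' % e)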
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:23,代码来源:dlldump.py

示例4: calculate

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.sys_offset or not self._config.sec_offset:
            regapi = registryapi.RegistryApi(self._config)
            for offset in regapi.all_offsets:
                name = regapi.all_offsets[offset].lower().split("\\")[-1]
                if "system" == name:
                    self._config.update("SYS_OFFSET", offset)
                elif "security" == name:
                    self._config.update("SEC_OFFSET", offset)

        secrets = lsasecrets.get_memory_secrets(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
        if not secrets:
            debug.error("Unable to read LSA secrets from registry")

        return secrets 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:19,代码来源:lsadump.py

示例5: calculate

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
        addr_space = utils.load_as(self._config)
        regapi = registryapi.RegistryApi(self._config)
        regapi.reset_current()

        version = (addr_space.profile.metadata.get('major', 0),
                   addr_space.profile.metadata.get('minor', 0))

        for value, data_raw in regapi.reg_yield_values('security', 'Policy\\PolAdtEv', thetype = 'REG_NONE'):
            bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
            if version <= (5, 1):
                ap = obj.Object("AuditPolDataXP", offset = 0, vm = bufferas)
            elif version <= (6, 0):
                ap = obj.Object("AuditPolDataVista", offset = 0, vm = bufferas)
            elif version == (6, 1):
                ap = obj.Object("AuditPolData7", offset = 0, vm = bufferas)
            elif version == (6, 2) or version == (6, 3):     
                ap = obj.Object("AuditPolData8", offset = 0, vm = bufferas)
            else:
                ap = obj.Object("AuditPolData10", offset = 0, vm = bufferas)
                
            if ap == None:
                debug.error("No AuditPol data found")

            yield data_raw, ap 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:27,代码来源:auditpol.py

示例6: calculate

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
        addr_space = utils.load_as(self._config)
        self.regapi = registryapi.RegistryApi(self._config)
        win7 = addr_space.profile.metadata.get('major', 0) == 6 and addr_space.profile.metadata.get('minor', 0) >= 1
        skey = "software\\microsoft\\windows\\currentversion\\explorer\\userassist"

        if not self._config.HIVE_OFFSET:
            self.regapi.set_current("ntuser.dat")
        else:
            name = obj.Object("_CMHIVE", vm = addr_space, offset = self._config.HIVE_OFFSET).get_name()
            self.regapi.all_offsets[self._config.HIVE_OFFSET] = name
            self.regapi.current_offsets[self._config.HIVE_OFFSET] = name

        for key, name in self.regapi.reg_yield_key(None, skey):
            for guidkey in self.regapi.reg_get_all_subkeys(None, None, given_root = key):
                for count in self.regapi.reg_get_all_subkeys(None, None, given_root = guidkey):
                    if count.Name == "Count":
                        yield win7, name, count 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:20,代码来源:userassist.py

示例7: generator

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def generator(self, data):
        profile = utils.load_as(self._config).profile

        # Get the OS version being analyzed
        version = (profile.metadata.get('major', 0),
                   profile.metadata.get('minor', 0))

        # Choose which USER handle enum to use
        if version >= (6, 1):
            handle_types = consts.HANDLE_TYPE_ENUM_SEVEN
        else:
            handle_types = consts.HANDLE_TYPE_ENUM

        for session in data:
            gahti = session.find_gahti()
            if gahti:
                for i, h in handle_types.items():
                    yield (0,
                                    [str(session.SessionId),
                                     str(h),
                                     str(gahti.types[i].dwAllocTag),
                                     Address(gahti.types[i].fnDestroy),
                                     str(gahti.types[i].bObjectCreateFlags)]) 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:25,代码来源:gahti.py

示例8: calculate

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        addr_space = utils.load_as(self._config)
        rules = self._compile_rules()
        process_mem = self._scan_process_memory(addr_space, rules)
        kernel_mem = self._scan_kernel_memory(addr_space, rules)

        if self._config.ALL:
            for p in process_mem:
                yield p
            for k in kernel_mem:
                yield k
        elif self._config.KERNEL:
            for k in kernel_mem:
                yield k
        else:
            for p in process_mem:
                yield p 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:22,代码来源:malfind.py

示例9: calculate

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):

        if not has_yara:
            debug.error("Yara must be installed for this plugin")

        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")
        
        rules = yara.compile(sources = signatures)

        for task in self.filter_tasks(tasks.pslist(addr_space)):
            scanner = malfind.VadYaraScanner(task = task, rules = rules)

            for hit, address in scanner.scan():
                vad_base_addr = self.get_vad_base(task, address)
                if address - vad_base_addr > 0x1000:
                    continue

                yield task, vad_base_addr 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:23,代码来源:poisonivy.py

示例10: calculate

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
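    def calculate(self):
        """Yield ``(task, hit_address, vad_base, content)`` for processes matching the signatures.

        Every VAD that passes ``task._injection_filter`` triggers a scan; for each
        VAD only the first hit is reported, together with 2048 bytes read from the
        hit address. Requires the yara module and a supported profile (both
        checked via ``debug.error``).

        Changes versus the original: the body mixed tabs and spaces (a TabError
        under Python 3), the YARA rules were recompiled for every VAD, and the
        commented-out debug prints are removed.

        NOTE(review): the scanner is built per task, not per VAD, so each VAD
        iteration rescans the whole process and ``address_space`` (the current
        VAD's) may not be the one containing ``address`` — verify against
        VadYaraScanner before relying on ``content``.
        """
        if not has_yara:
            debug.error("Yara must be installed for this plugin")

        addr_space = utils.load_as(self._config)

        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        # Compile once; the rule set does not change between VADs.
        rules = yara.compile(sources = signatures)

        for task in self.filter_tasks(tasks.pslist(addr_space)):
            for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
                scanner = malfind.VadYaraScanner(task = task, rules = rules)
                for hit, address in scanner.scan():
                    vad_base_addr = self.get_vad_base(task, address)
                    # Grab a chunk of memory next to where the string was detected.
                    content = address_space.zread(address, 2048)
                    yield task, address, vad_base_addr, content
                    # One reported hit per VAD is enough.
                    break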
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:26,代码来源:psempire.py

示例11: calculate

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
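    def calculate(self):
        """Load the JSON gadget trace, follow it through the address space and emit the result.

        Requires nasm and the ``--ijson`` input trace (both checked via
        ``debug.error``). A capstone disassembler with details enabled is set up
        on ``self.md``; ``--debug`` additionally dumps the trace assembly, and
        ``--db``/``--idb`` serialize the opcodes.

        Change versus the original: the two status lines used the Python 2
        ``print`` statement; the call form below works on both Python 2 and 3.
        """
        if not self.is_nasm():
            debug.error("Please install nasm")

        if not self._config.IJSON:
            debug.error("Please provide the input JSON trace")

        self._addrspace = utils.load_as(self._config)

        self.md = self.init_capstone()
        self.md.detail = True

        print("[+] From gadget: %s" % self._config.SGADGET)
        print("[+] To gadget: %s" % self._config.GLIMIT)

        self.get_json_trace()
        self.follow_trace()

        if self._config.DEBUG:
            self.get_trace_asm()

        if self._config.DB or self._config.IDB:
            self.serialize_opcodes()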
开发者ID:Cisco-Talos,项目名称:ROPMEMU,代码行数:25,代码来源:unchain.py

示例12: get_dll_list

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def get_dll_list(self):
        addr_space = utils.load_as(self._config)
        task_objects = win32.tasks.pslist(addr_space)
        for task in task_objects:
            if task.Peb:
                self.process_dict[int(task.UniqueProcessId)] = (task, [m for m in task.get_load_modules()])

    # Matches a given module (executable, DLL) to a running process by looking either
    # in the CommandLine parameters or in the loaded modules 
开发者ID:tomchop,项目名称:volatility-autoruns,代码行数:11,代码来源:autoruns.py

示例13: calculate

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
        self.get_dll_list()
        self.regapi = registryapi.RegistryApi(self._config)
        self.currentcs = self.regapi.reg_get_currentcontrolset() or "ControlSet001"
        asep_list = ['autoruns', 'services', 'appinit', 'winlogon', 'tasks', 'activesetup', 'sdb']
        os_major = utils.load_as(self._config).profile.metadata.get('major', 0)

        # If all_offsets is empty then regapi was unable to find
        # hive offsets and we exit with an error message
        if not self.regapi.all_offsets:
            debug.error('Unable to find registry hives.')

        if self._config.ASEP_TYPE:
            debug.debug('Config: {}'.format(self._config.ASEP_TYPE))
            asep_list = [s for s in self._config.ASEP_TYPE.replace(' ', '').split(',')]

        # Scan for ASEPs and populate the lists
        if 'autoruns' in asep_list:
            self.autoruns = self.get_autoruns()
        if 'services' in asep_list:
            self.services = self.get_services()
        if 'appinit' in asep_list:
            self.appinit_dlls = self.get_appinit_dlls()
        if 'winlogon' in asep_list:
            self.winlogon = self.get_winlogon()
            if os_major == 5:
                self.winlogon_registrations = self.get_winlogon_registrations()
        if 'tasks' in asep_list:
            self.tasks = self.get_tasks()
        if 'activesetup' in asep_list:
            self.activesetup = self.get_activesetup()
        if 'sdb' in asep_list:
            self.sdb = self.get_sdb()

        #Returns a generator to generator() that generates the unified output data
        return self.get_unified_output_data() 
开发者ID:tomchop,项目名称:volatility-autoruns,代码行数:38,代码来源:autoruns.py

示例14: calculate

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
        address_space = utils.load_as(self._config)
        cookie = obj.VolMagic(address_space).ObHeaderCookie.v()
        yield cookie 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:6,代码来源:win10cookie.py

示例15: calculate

# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
        """Determines the address space"""
        addr_space = utils.load_as(self._config, astype = 'any')

        scanner = KPCRScanner()
        for offset in scanner.scan(addr_space):
            kpcr = obj.Object("_KPCR", offset = offset, vm = addr_space)
            yield kpcr 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:10,代码来源:kpcrscan.py

