本文整理汇总了Python中volatility.utils.load_as方法的典型用法代码示例。如果您正苦于以下问题:Python utils.load_as方法的具体用法?Python utils.load_as怎么用?Python utils.load_as使用的例子?那么恭喜您,这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类 volatility.utils 的用法示例。
在下文中一共展示了utils.load_as方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
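def calculate(self):
    """Yield one tuple per scanned network object.

    Each tuple is ``(object, proto, laddr, lport, raddr, rport, state)``.
    UDP endpoints and TCP listeners fill the fields that have no meaning
    for them with ``"*"`` / ``0`` / fixed state text, as the original did.

    Aborts through ``debug.error`` when the loaded profile is not supported
    (``debug.error`` is assumed not to return here — confirm against the
    framework).
    """
    addr_space = utils.load_as(self._config)
    if not self.is_valid_profile(addr_space.profile):
        debug.error("This command does not support the selected profile.")

    for objct in self.scan_results(addr_space):
        if isinstance(objct, _UDP_ENDPOINT):
            # For UdpA, the state is always blank and the remote end is asterisks
            for ver, laddr, _ in objct.dual_stack_sockets():
                yield objct, "UDP" + ver, laddr, objct.Port, "*", "*", ""
        elif isinstance(objct, _TCP_ENDPOINT):
            # Label by address family. An unrecognised family gets the bare
            # "TCP" label instead of silently reusing `proto` from a previous
            # iteration (or raising UnboundLocalError on the first one) — pool
            # scan results are carved from the image and cannot be trusted to
            # carry only the two expected family values.
            if objct.AddressFamily == AF_INET:
                proto = "TCPv4"
            elif objct.AddressFamily == AF_INET6:
                proto = "TCPv6"
            else:
                proto = "TCP"
            yield objct, proto, objct.LocalAddress, objct.LocalPort, \
                objct.RemoteAddress, objct.RemotePort, objct.State
        elif isinstance(objct, _TCP_LISTENER):
            # For TcpL, the state is always listening and the remote port is zero
            for ver, laddr, raddr in objct.dual_stack_sockets():
                yield objct, "TCP" + ver, laddr, objct.Port, raddr, 0, "LISTENING"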
示例2: get_page_contents
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def get_page_contents(self, inode, idx):
    """Return the 4096-byte contents of page ``idx`` of ``inode``.

    Falls back to a page of NUL bytes when ``find_get_page`` yields no
    page address or the page's physical address is not greater than 0.
    """
    page_addr = self.find_get_page(inode, idx)
    if not page_addr:
        return "\x00" * 4096

    page = obj.Object("page", offset = page_addr, vm = self.addr_space)
    phys_offset = page.to_paddr()
    # Comparison kept as `> 0` (not `<= 0`): the object layer may return a
    # sentinel whose ordering operators are not symmetric.
    if phys_offset > 0:
        # Read through the physical layer, not the kernel address space.
        phys_as = utils.load_as(self._config, astype = 'physical')
        return phys_as.zread(phys_offset, 4096)
    return "\x00" * 4096
# main function to be called, handles getting all the pages of an inode
# and handles the last page not being page_size aligned
示例3: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
    """Validate the dump options and select the process(es) to operate on.

    NOTE(review): the example as shown ends right after the regex is
    compiled; `data` and `mod_re` are assigned but never used in the
    visible lines, so the method presumably continues past this excerpt.
    """
    addr_space = utils.load_as(self._config)
    # --dump-dir is mandatory and must already exist on disk.
    if self._config.DUMP_DIR == None:
        debug.error("Please specify a dump directory (--dump-dir)")
    if not os.path.isdir(self._config.DUMP_DIR):
        debug.error(self._config.DUMP_DIR + " is not a directory")
    # A physical --offset selects exactly one process; otherwise the
    # (filtered) process list is used.
    if self._config.OFFSET != None:
        data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
    else:
        data = self.filter_tasks(tasks.pslist(addr_space))
    if self._config.REGEX:
        try:
            # --ignore-case toggles re.I on the user-supplied pattern
            if self._config.IGNORE_CASE:
                mod_re = re.compile(self._config.REGEX, re.I)
            else:
                mod_re = re.compile(self._config.REGEX)
        except re.error, e:
            # Python 2 `except X, e` syntax, as in the original
            debug.error('Error parsing regular expression: %s' % e)
示例4: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
    """Locate the SYSTEM/SECURITY hives if needed and return the LSA secrets.

    When either hive offset is missing from the config, every known hive
    offset is inspected and the ones whose last path component is
    ``system`` or ``security`` are written back into the config (a later
    match overwrites an earlier one, as in the original). Aborts through
    ``debug.error`` when no secrets could be read.
    """
    addr_space = utils.load_as(self._config)

    if not (self._config.sys_offset and self._config.sec_offset):
        regapi = registryapi.RegistryApi(self._config)
        for offset, hive_path in regapi.all_offsets.items():
            # Compare only the final path component, case-insensitively
            hive_name = hive_path.lower().split("\\")[-1]
            if hive_name == "system":
                self._config.update("SYS_OFFSET", offset)
            elif hive_name == "security":
                self._config.update("SEC_OFFSET", offset)

    secrets = lsasecrets.get_memory_secrets(addr_space, self._config,
                                           self._config.sys_offset,
                                           self._config.sec_offset)
    if not secrets:
        debug.error("Unable to read LSA secrets from registry")
    return secrets
示例5: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
    """Yield ``(raw_value, AuditPol object)`` for each ``Policy\\PolAdtEv`` value.

    The structure used to parse the value is chosen from the OS version
    in the profile metadata: XP and earlier, Vista, 7, 8/8.1, else 10.
    Aborts through ``debug.error`` when a value does not parse.
    """
    addr_space = utils.load_as(self._config)
    regapi = registryapi.RegistryApi(self._config)
    regapi.reset_current()

    metadata = addr_space.profile.metadata
    version = (metadata.get('major', 0), metadata.get('minor', 0))

    # The selection depends only on the version, so it is made once
    # rather than per value. Boundaries mirror the original: the first two
    # are upper-bound-inclusive ranges, the next two exact matches.
    if version <= (5, 1):
        struct_name = "AuditPolDataXP"
    elif version <= (6, 0):
        struct_name = "AuditPolDataVista"
    elif version == (6, 1):
        struct_name = "AuditPolData7"
    elif version in ((6, 2), (6, 3)):
        struct_name = "AuditPolData8"
    else:
        struct_name = "AuditPolData10"

    for value, data_raw in regapi.reg_yield_values('security', 'Policy\\PolAdtEv', thetype = 'REG_NONE'):
        bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
        ap = obj.Object(struct_name, offset = 0, vm = bufferas)
        # `== None` is kept on purpose: the object layer may hand back a
        # sentinel that compares equal to None without being None — verify
        # before changing this to `is None`.
        if ap == None:
            debug.error("No AuditPol data found")
        yield data_raw, ap
示例6: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
    """Yield ``(win7, hive_name, count_key)`` for every UserAssist GUID key.

    Without ``--hive-offset`` the registry API is pointed at ``ntuser.dat``
    hives; with one, that single ``_CMHIVE`` is registered under its own
    name and walked instead. ``win7`` is True for profile versions 6.1+.
    """
    addr_space = utils.load_as(self._config)
    self.regapi = registryapi.RegistryApi(self._config)

    metadata = addr_space.profile.metadata
    win7 = metadata.get('major', 0) == 6 and metadata.get('minor', 0) >= 1
    skey = "software\\microsoft\\windows\\currentversion\\explorer\\userassist"

    hive_offset = self._config.HIVE_OFFSET
    if hive_offset:
        hive = obj.Object("_CMHIVE", vm = addr_space, offset = hive_offset)
        hive_name = hive.get_name()
        # Register the explicitly requested hive as the only current one
        self.regapi.all_offsets[hive_offset] = hive_name
        self.regapi.current_offsets[hive_offset] = hive_name
    else:
        self.regapi.set_current("ntuser.dat")

    for key, name in self.regapi.reg_yield_key(None, skey):
        for guidkey in self.regapi.reg_get_all_subkeys(None, None, given_root = key):
            for subkey in self.regapi.reg_get_all_subkeys(None, None, given_root = guidkey):
                if subkey.Name == "Count":
                    yield win7, name, subkey
示例7: generator
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def generator(self, data):
    """Produce one output row per USER handle type for every session.

    Args:
        data: iterable of session objects exposing ``SessionId`` and
            ``find_gahti()``; sessions without a gahti are skipped.

    Yields:
        ``(0, [session id, type name, alloc tag, destroy routine, create
        flags])`` with the destroy routine wrapped in ``Address``.
    """
    profile = utils.load_as(self._config).profile
    # OS version being analyzed
    version = (profile.metadata.get('major', 0),
               profile.metadata.get('minor', 0))

    # 6.1 and later use the extended USER handle enum
    if version >= (6, 1):
        handle_types = consts.HANDLE_TYPE_ENUM_SEVEN
    else:
        handle_types = consts.HANDLE_TYPE_ENUM

    for session in data:
        gahti = session.find_gahti()
        if not gahti:
            continue
        for index, type_name in handle_types.items():
            entry = gahti.types[index]
            row = [str(session.SessionId),
                   str(type_name),
                   str(entry.dwAllocTag),
                   Address(entry.fnDestroy),
                   str(entry.bObjectCreateFlags)]
            yield (0, row)
示例8: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
    """Yield YARA hits from process memory, kernel memory, or both.

    ``--all`` yields process hits followed by kernel hits, ``--kernel``
    only kernel hits, otherwise only process hits. Both scan helpers are
    invoked before the selection is made, exactly as in the original —
    whether that is lazy or eager depends on those helpers (not visible
    here).
    """
    if not has_yara:
        debug.error("Please install Yara from https://plusvic.github.io/yara/")

    addr_space = utils.load_as(self._config)
    rules = self._compile_rules()
    process_mem = self._scan_process_memory(addr_space, rules)
    kernel_mem = self._scan_kernel_memory(addr_space, rules)

    if self._config.ALL:
        sources = (process_mem, kernel_mem)
    elif self._config.KERNEL:
        sources = (kernel_mem,)
    else:
        sources = (process_mem,)

    for results in sources:
        for hit in results:
            yield hit
示例9: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
    """Yield ``(task, vad_base)`` for processes whose VADs match ``signatures``.

    A hit is only reported when it lies no more than 0x1000 bytes past
    the base of the VAD it was found in. Aborts through ``debug.error``
    when yara is missing or the profile is unsupported.
    """
    if not has_yara:
        debug.error("Yara must be installed for this plugin")
    addr_space = utils.load_as(self._config)
    if not self.is_valid_profile(addr_space.profile):
        debug.error("This command does not support the selected profile.")

    # One compiled rule set is shared by every per-task scanner
    rules = yara.compile(sources = signatures)

    for task in self.filter_tasks(tasks.pslist(addr_space)):
        scanner = malfind.VadYaraScanner(task = task, rules = rules)
        for hit, address in scanner.scan():
            vad_base_addr = self.get_vad_base(task, address)
            # Hits deeper than one page into the VAD are ignored
            if address - vad_base_addr > 0x1000:
                continue
            yield task, vad_base_addr
示例10: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
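def calculate(self):
    """Yield ``(task, address, vad_base, content)`` for signature hits in injected regions.

    For each process, every VAD passing the task's injection filter is
    considered; the task is scanned with the compiled signatures and the
    first hit is reported together with a 2048-byte excerpt read at the hit
    address. The rules are compiled once up front — the original called
    ``yara.compile`` inside the per-VAD loop, which was pure overhead.

    NOTE(review): the scan itself does not depend on ``vad``, so a process
    with several injection-filtered VADs reports the same first hit once per
    such VAD (the ``break`` only leaves the inner hit loop). Confirm whether
    that repetition is intended before deduplicating.
    """
    if not has_yara:
        debug.error("Yara must be installed for this plugin")
    addr_space = utils.load_as(self._config)
    if not self.is_valid_profile(addr_space.profile):
        debug.error("This command does not support the selected profile.")

    # The signature set is static; compile it once rather than per VAD.
    rules = yara.compile(sources = signatures)

    for task in self.filter_tasks(tasks.pslist(addr_space)):
        for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
            scanner = malfind.VadYaraScanner(task = task, rules = rules)
            for hit, address in scanner.scan():
                vad_base_addr = self.get_vad_base(task, address)
                # 2048 bytes starting at the hit, for display / triage
                content = address_space.zread(address, 2048)
                yield task, address, vad_base_addr, content
                break  # only the first hit of this scan is reported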
# break # Show only 1 instance of detected injection per process
示例11: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
    """Drive the gadget-trace analysis: load, disassemble, follow, optionally serialize.

    Requires nasm on the host and an input JSON trace (``--ijson``); both
    are checked first via ``debug.error``. ``--debug`` additionally dumps
    the trace assembly, ``--db``/``--idb`` serialize the opcodes.
    """
    if not self.is_nasm():
        debug.error("Please install nasm")
    if not self._config.IJSON:
        debug.error("Please provide the input JSON trace")

    self._addrspace = utils.load_as(self._config)

    # capstone disassembler with per-instruction detail enabled
    self.md = self.init_capstone()
    self.md.detail = True

    # Single-argument print: identical output under the Python 2 print
    # statement and Python 3's print function.
    print("[+] From gadget: %s" % self._config.SGADGET)
    print("[+] To gadget: %s" % self._config.GLIMIT)

    self.get_json_trace()
    self.follow_trace()

    if self._config.DEBUG:
        self.get_trace_asm()
    if self._config.DB or self._config.IDB:
        self.serialize_opcodes()
示例12: get_dll_list
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def get_dll_list(self):
    """Populate ``self.process_dict`` with ``pid -> (task, loaded modules)``.

    Tasks whose ``Peb`` is falsy are skipped; the module list is
    materialised from ``get_load_modules()``.
    """
    addr_space = utils.load_as(self._config)
    for task in win32.tasks.pslist(addr_space):
        if not task.Peb:
            continue
        pid = int(task.UniqueProcessId)
        self.process_dict[pid] = (task, list(task.get_load_modules()))
# Matches a given module (executable, DLL) to a running process by looking either
# in the CommandLine parameters or in the loaded modules
示例13: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
    """Collect the requested ASEP categories and return the unified output generator.

    ``--asep-type`` (comma-separated, spaces ignored) narrows the default
    category list. ``winlogon_registrations`` is only gathered when the
    profile's major version is 5. Aborts through ``debug.error`` when no
    registry hive offsets are known.
    """
    self.get_dll_list()
    self.regapi = registryapi.RegistryApi(self._config)
    self.currentcs = self.regapi.reg_get_currentcontrolset() or "ControlSet001"
    asep_list = ['autoruns', 'services', 'appinit', 'winlogon', 'tasks', 'activesetup', 'sdb']
    os_major = utils.load_as(self._config).profile.metadata.get('major', 0)

    # Without hive offsets nothing below can be resolved
    if not self.regapi.all_offsets:
        debug.error('Unable to find registry hives.')

    if self._config.ASEP_TYPE:
        debug.debug('Config: {}'.format(self._config.ASEP_TYPE))
        asep_list = self._config.ASEP_TYPE.replace(' ', '').split(',')

    # Scan for ASEPs and populate the per-category attributes
    wanted = set(asep_list)
    if 'autoruns' in wanted:
        self.autoruns = self.get_autoruns()
    if 'services' in wanted:
        self.services = self.get_services()
    if 'appinit' in wanted:
        self.appinit_dlls = self.get_appinit_dlls()
    if 'winlogon' in wanted:
        self.winlogon = self.get_winlogon()
        # Registrations are only collected for major version 5, as before
        if os_major == 5:
            self.winlogon_registrations = self.get_winlogon_registrations()
    if 'tasks' in wanted:
        self.tasks = self.get_tasks()
    if 'activesetup' in wanted:
        self.activesetup = self.get_activesetup()
    if 'sdb' in wanted:
        self.sdb = self.get_sdb()

    # Returns the generator that generator() renders
    return self.get_unified_output_data()
示例14: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
    """Yield the object-header cookie obtained through ``obj.VolMagic``."""
    address_space = utils.load_as(self._config)
    magic = obj.VolMagic(address_space)
    yield magic.ObHeaderCookie.v()
示例15: calculate
# 需要导入模块: from volatility import utils [as 别名]
# 或者: from volatility.utils import load_as [as 别名]
def calculate(self):
    """Scan the address space for ``_KPCR`` structures and yield each one.

    ``astype='any'`` is passed through to ``utils.load_as`` as in the
    original; what that selects is decided by ``load_as`` (not visible here).
    """
    addr_space = utils.load_as(self._config, astype = 'any')
    for offset in KPCRScanner().scan(addr_space):
        yield obj.Object("_KPCR", offset = offset, vm = addr_space)