本文整理汇总了Python中volatility.win32.tasks.find_module方法的典型用法代码示例。如果您正苦于以下问题:Python tasks.find_module方法的具体用法?Python tasks.find_module怎么用?Python tasks.find_module使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类volatility.win32.tasks的用法示例。
在下文中一共展示了tasks.find_module方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: render_text
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def render_text(self, outfd, data):
self.table_header(outfd,
[("Type", "36"),
("Callback", "[addrpad]"),
("Module", "20"),
("Details", ""),
])
for (sym, cb, detail), mods, mod_addrs in data:
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
## The original callbacks plugin searched driver objects
## if the owning module isn't found (Rustock.B). We leave that
## task up to the user this time, and will be incoporating
## some different module association methods later.
if module:
module_name = module.BaseDllName or module.FullDllName
else:
module_name = "UNKNOWN"
self.table_row(outfd, sym, cb, module_name, detail or "-") 示例2: extract_callbacks
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def extract_callbacks(self):
debug.info("[time-consuming task] extracting kernel callbacks...")
records = []
# added for default option values (filescan)
self._config.VIRTUAL = False
self._config.SHOW_UNALLOCATED = False
self._config.START = None
self._config.LENGTH = None
for (sym, cb, detail), mods, mod_addrs in callbacks.Callbacks.calculate(self):
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
type_name = '{0}'.format(sym)
#records.append((module.DllBase.v(), type_name, cb.v(), str(detail or "-")))
records.append((str(module.DllBase.v()), type_name, str(cb.v()), str(detail or "-")))
if len(records) == 0:
records.append(('dummy', 'dummy', 'dummy', 'dummy')) # insert dummy for done
self.cur.executemany("insert or ignore into kernel_mods_callbacks values (?, ?, ?, ?)", records)
return [record[1] for record in records if self.kmod.DllBase.v() == record[0]] 示例3: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def calculate(self):
addr_space = utils.load_as(self._config)
modlist = list(modules.lsmod(addr_space))
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
mod_addrs = sorted(mods.keys())
drivers = dtree.DriverIrp(self._config).calculate()
found_driver = "UNKNOWN"
if self._config.ADDR:
find_address = self._config.ADDR
found_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(find_address))
if found_module:
found_module = found_module.BaseDllName or found_module.FullDllName
else:
found_module = "UNKNOWN"
for driver in drivers:
if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
header = driver.get_object_header()
found_driver = header.NameInfo.Name
break
yield (found_module, found_driver)
else:
for driver in drivers:
driver_name = str(driver.get_object_header().NameInfo.Name or '')
service_key = str(driver.DriverExtension.ServiceKeyName or '')
driver_name3 = str(driver.DriverName or '')
owning_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(driver.DriverStart))
if owning_module:
module_name = owning_module.BaseDllName or owning_module.FullDllName
else:
module_name = "UNKNOWN"
yield (module_name, driver_name, service_key, driver_name3) 示例4: render_text
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def render_text(self, outfd, data):
# Kernel AS for looking up modules
kernel_space = utils.load_as(self._config)
# Modules sorted for address lookups
mods = dict((kernel_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(kernel_space))
mod_addrs = sorted(mods.keys())
for session in data:
outfd.write("*" * 50 + "\n")
outfd.write("Session(V): {0:x} ID: {1} Processes: {2}\n".format(
session.obj_offset,
session.SessionId,
len(list(session.processes())),
))
outfd.write("PagedPoolStart: {0:x} PagedPoolEnd {1:x}\n".format(
session.PagedPoolStart,
session.PagedPoolEnd,
))
for process in session.processes():
outfd.write(" Process: {0} {1} {2}\n".format(
process.UniqueProcessId,
process.ImageFileName,
process.CreateTime,
))
for image in session.images():
module = tasks.find_module(mods, mod_addrs, kernel_space.address_mask(image.Address))
outfd.write(" Image: {0:#x}, Address {1:x}, Name: {2}\n".format(
image.obj_offset,
image.Address,
str(module and module.BaseDllName or '')
)) 示例5: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def calculate(self):
addr_space = utils.load_as(self._config)
# Currently we only support x86. The x64 does still have a IDT
# but hooking is prohibited and results in bugcheck.
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
# Get the GDT for access to selector bases
gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
for i, entry in kpcr.idt_entries():
# Where the IDT entry points.
addr = entry.Address
# Per MITRE, add the GDT selector base if available.
# This allows us to detect sneaky attempts to hook IDT
# entries by changing the entry's GDT selector.
gdt_entry = gdt.get(entry.Selector.v())
if gdt_entry != None and "Code" in gdt_entry.Type:
addr += gdt_entry.Base
# Lookup the function's owner
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))
yield i, entry, addr, module 示例6: generator
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def generator(self, data):
for (sym, cb, detail), mods, mod_addrs in data:
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
## The original callbacks plugin searched driver objects
## if the owning module isn't found (Rustock.B). We leave that
## task up to the user this time, and will be incoporating
## some different module association methods later.
if module:
module_name = module.BaseDllName or module.FullDllName
else:
module_name = "UNKNOWN"
yield (0, [str(sym), Address(cb), str(module_name), str(detail or "-")]) 示例7: check
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def check(self):
"""This check is True for system threads whose start address
do not map back to known/loaded kernel drivers."""
# Take the address space from any module object
addr_space = self.mods.values()[0].obj_vm
module = tasks.find_module(self.mods,
self.mod_addrs, addr_space.address_mask(self.thread.StartAddress))
return ('PS_CROSS_THREAD_FLAGS_SYSTEM' in self.flags and
module == None) 示例8: _scan_kernel_memory
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def _scan_kernel_memory(self, addr_space, rules):
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE)) 示例9: _scan_kernel_memory
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def _scan_kernel_memory(self, addr_space, rules):
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address - self._config.REVERSE, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE)) 示例10: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def calculate(self):
addr_space = utils.load_as(self._config)
modlist = list(modules.lsmod(addr_space))
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
mod_addrs = sorted(mods.keys())
drivers = dtree.DriverIrp(self._config).calculate()
found_driver = "UNKNOWN"
if self._config.ADDR:
find_address = self._config.ADDR
found_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(find_address))
if found_module:
found_module = found_module.BaseDllName or found_module.FullDllName
else:
found_module = "UNKNOWN"
for driver in drivers:
if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
header = driver.get_object_header()
found_driver = header.NameInfo.Name
break
yield (found_module, found_driver)
else:
for driver in drivers:
driver_name = driver.get_object_header().NameInfo.Name
owning_module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(driver.DriverStart))
if owning_module:
module_name = owning_module.BaseDllName or owning_module.FullDllName
else:
module_name = "UNKNOWN"
yield (module_name, driver_name) 示例11: generator
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def generator(self, data):
for (sym, cb, detail), mods, mod_addrs in data:
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
## The original callbacks plugin searched driver objects
## if the owning module isn't found (Rustock.B). We leave that
## task up to the user this time, and will be incoporating
## some different module association methods later.
if module:
module_name = module.FullDllName or module.BaseDllName
else:
module_name = "UNKNOWN"
yield (0, [str(sym), Address(cb), str(module_name), str(detail or "-")]) 示例12: callbacks
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def callbacks(self):
"""Volatility callbacks plugin.
@see volatility/plugins/malware/callbacks.py
"""
log.debug("Executing Volatility callbacks plugin on "
"{0}".format(self.memdump))
self.__config()
results = []
command = self.plugins["callbacks"](self.config)
for (sym, cb, detail), mods, mod_addrs in command.calculate():
module = tasks.find_module(mods, mod_addrs, self.addr_space.address_mask(cb))
if module:
module_name = module.BaseDllName or module.FullDllName
else:
module_name = "UNKNOWN"
new = {
"type": str(sym),
"callback": hex(int(cb)),
"module": str(module_name),
"details": str(detail or "-"),
}
results.append(new)
return dict(config={}, data=results) 示例13: get_alloc
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def get_alloc(self, addr_space):
'''
Mimics volatility's PPP plugin.
'''
import volatility.plugins.malware.callbacks as callbacks
import volatility.win32.tasks as tasks
# for conn in connections.Connections(self.vol.config).calculate():
vol_callback = callbacks.Callbacks(self.vol.config)
for (sym, cb, detail), mods, mod_addrs in vol_callback.calculate():
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
yield Callback(module, sym, cb, detail, 0) 示例14: extract_IRP_info
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def extract_IRP_info(self):
debug.info("[time-consuming task] extracting hooking module names in IRP array...")
records = []
# added for default option values (AbstractScanCommand)
self._config.VIRTUAL = False
self._config.SHOW_UNALLOCATED = False
self._config.START = None
self._config.LENGTH = None
mods = dict((self.kernel_space.address_mask(mod.DllBase), mod) for mod in win32.modules.lsmod(self.kernel_space))
mod_addrs = sorted(mods.keys())
for driver in devicetree.DriverIrp.calculate(self):
header = driver.get_object_header()
driver_name = str(header.NameInfo.Name or '')
for i, function in enumerate(driver.MajorFunction):
function = driver.MajorFunction[i]
module = tasks.find_module(mods, mod_addrs, self.kernel_space.address_mask(function))
if module:
module_name = str(module.BaseDllName or '')
else:
module_name = "Unknown"
#records.append((driver.DriverStart.v(), MAJOR_FUNCTIONS[i], function.v(), module_name))
records.append((str(driver.DriverStart.v()), str(MAJOR_FUNCTIONS[i]), str(function.v()), module_name))
self.cur.executemany("insert or ignore into kernel_mods_irp values (?, ?, ?, ?)", records)
return [record[3] for record in records if self.kmod.DllBase.v() == record[0]] 示例15: render_text
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_module [as 别名]
def render_text(self, outfd, data):
addr_space = utils.load_as(self._config)
syscalls = addr_space.profile.syscalls
bits32 = addr_space.profile.metadata.get('memory_model', '32bit') == '32bit'
# Print out the entries for each table
for idx, table, n, vm, mods, mod_addrs in data:
outfd.write("SSDT[{0}] at {1:x} with {2} entries\n".format(idx, table, n))
for i in range(n):
if bits32:
# These are absolute function addresses in kernel memory.
syscall_addr = obj.Object('address', table + (i * 4), vm).v()
else:
# These must be signed long for x64 because they are RVAs relative
# to the base of the table and can be negative.
offset = obj.Object('long', table + (i * 4), vm).v()
# The offset is the top 20 bits of the 32 bit number.
syscall_addr = table + (offset >> 4)
try:
syscall_name = syscalls[idx][i]
except IndexError:
syscall_name = "UNKNOWN"
syscall_mod = tasks.find_module(mods, mod_addrs, addr_space.address_mask(syscall_addr))
if syscall_mod:
syscall_modname = syscall_mod.BaseDllName
else:
syscall_modname = "UNKNOWN"
outfd.write(" Entry {0:#06x}: {1:#x} ({2}) owned by {3}\n".format(idx * 0x1000 + i,
syscall_addr,
syscall_name,
syscall_modname))
## check for inline hooks if in --verbose mode, we're analyzing
## an x86 model system and the sycall_mod is available
if (self._config.VERBOSE and
addr_space.profile.metadata.get('memory_model', '32bit') == '32bit' and
syscall_mod is not None):
## leverage this static method from apihooks
ret = apihooks.ApiHooks.check_inline(va = syscall_addr, addr_space = vm,
mem_start = syscall_mod.DllBase,
mem_end = syscall_mod.DllBase + syscall_mod.SizeOfImage)
## could not analyze the memory
if ret == None:
continue
(hooked, data, dest_addr) = ret
## the function isn't hooked
if not hooked:
continue
## we found a hook, try to resolve the hooker. no mask required because
## we currently only work on x86 anyway
hook_mod = tasks.find_module(mods, mod_addrs, dest_addr)
if hook_mod:
hook_name = hook_mod.BaseDllName
else:
hook_name = "UNKNOWN"
## report it now
outfd.write(" ** INLINE HOOK? => {0:#x} ({1})\n".format(dest_addr, hook_name))