本文整理汇总了Python中volatility.win32.tasks.find_space方法的典型用法代码示例。如果您正苦于以下问题:Python tasks.find_space方法的具体用法?Python tasks.find_space怎么用?Python tasks.find_space使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在模块volatility.win32.tasks的用法示例。
在下文中一共展示了tasks.find_space方法的7个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: render_text
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_space [as 别名]
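def render_text(self, outfd, data):
    """Dump every module produced by ``calculate`` and print a result table.

    Args:
        outfd: Output stream handed to ``table_header``/``table_row``.
        data: Iterable of ``(addr_space, procs, mod_base, mod_name)`` tuples.

    ``--dump-dir`` must be given and must be an existing directory; both
    failures are reported via ``debug.error`` (which, in Volatility, is
    expected to abort the plugin rather than return).
    """
    dump_dir = self._config.DUMP_DIR
    # Validate the destination before touching any address space so a bad
    # option fails fast instead of after a long walk over the module list.
    if dump_dir is None:
        debug.error("Please specify a dump directory (--dump-dir)")
    if not os.path.isdir(dump_dir):
        debug.error(dump_dir + " is not a directory")

    self.table_header(outfd, [("Module Base", "[addrpad]"),
                              ("Module Name", "20"),
                              ("Result", "")])
    for addr_space, procs, mod_base, mod_name in data:
        # Some modules are only mapped in a process address space, so the
        # lookup searches ``procs`` rather than assuming the kernel AS.
        space = tasks.find_space(addr_space, procs, mod_base)
        if space is None:
            result = "Error: Cannot acquire AS"
        else:
            # The on-disk name is built from the hex base only; the module
            # name (read from untrusted memory) is never used in a path.
            dump_file = "driver.{0:x}.sys".format(mod_base)
            result = self.dump_pe(space, mod_base, dump_file)
        self.table_row(outfd, mod_base, mod_name, result)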
示例2: generator
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_space [as 别名]
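def generator(self, data):
    """Yield one unified-output row per module in ``data``.

    Each row is ``(0, [Address(mod_base), name, result])`` where ``result``
    is the value returned by ``dump_pe`` or an error string when no address
    space could map ``mod_base``.
    """
    for addr_space, procs, mod_base, mod_name in data:
        space = tasks.find_space(addr_space, procs, mod_base)
        if space is None:
            result = "Error: Cannot acquire AS"
        else:
            # File name derives from the hex base only, never from the
            # memory-sourced module name.
            dump_file = "driver.{0:x}.sys".format(mod_base)
            result = self.dump_pe(space, mod_base, dump_file)
        yield (0, [Address(mod_base), str(mod_name), str(result)])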
示例3: get_data
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_space [as 别名]
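def get_data(self):
    """Return ``(base_address, size_to_read, data)`` for this kernel module.

    ``data`` is the module image read from memory with ``zread`` (unmapped
    pages come back zero-filled) or ``""`` when it could not be obtained.
    A successful read is cached under ``g_cache_path`` keyed by the module
    base so later scans do not re-read memory.
    """
    base_address = self.kmod.DllBase
    size_to_read = self.kmod.SizeOfImage
    data = ""
    mod_filepath = os.path.join(
        g_cache_path, 'kmod_0x{0:x}'.format(self.kmod.DllBase)) + '.sys'

    if os.path.exists(mod_filepath):
        # NOTE(review): the cache is trusted as-is and keyed only by base
        # address, so a stale or tampered file under g_cache_path flows
        # straight into the import scan. Clear the cache when the image
        # under analysis changes.
        with open(mod_filepath, 'rb') as f:
            data = f.read()
        return base_address, size_to_read, data

    if not size_to_read:
        # SizeOfImage missing from the loader entry: fall back to the PE
        # optional header in memory.
        pefile = obj.Object("_IMAGE_DOS_HEADER",
                            offset = base_address,
                            vm = self.kernel_space)
        try:
            size_to_read = pefile.get_nt_header().OptionalHeader.SizeOfImage
        except ValueError:
            pass
    if not size_to_read:
        # Nothing sensible to read; a zero-length zread would only produce
        # an empty image, so report and give up here.
        debug.warning('cannot get size info (kernel module name={0} base=0x{1:x})'.format(str(self.kmod.BaseDllName or ''), self.kmod.DllBase))
        return base_address, size_to_read, data

    # Some GUI drivers (e.g. win32k.sys) are only mapped in a process
    # address space, so search the process list instead of the kernel AS.
    procs = list(tasks.pslist(self.kernel_space))
    mod_space = tasks.find_space(self.kernel_space, procs, base_address)
    if not mod_space:
        debug.warning('Cannot read supplied address (kernel module name={0} base=0x{1:x})'.format(str(self.kmod.BaseDllName or ''), self.kmod.DllBase))
        return base_address, size_to_read, data

    data = mod_space.zread(base_address, size_to_read)
    # Only persist a non-empty read. Caching an empty result would make every
    # later run silently reuse the failure instead of retrying the read.
    if data:
        with open(mod_filepath, 'wb') as f:
            f.write(data)
    return base_address, size_to_read, data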
# based on impscan
示例4: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_space [as 别名]
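def calculate(self):
    """Locate every SSDT (System Service Descriptor Table) in the image.

    Yields ``(idx, table, n, vm, mods, mod_addrs)`` per resident service
    table: ``idx`` is the descriptor slot, ``table`` the KiServiceTable
    address, ``n`` its ServiceLimit, ``vm`` an address space able to map the
    table, and ``mods``/``mod_addrs`` the loaded-module map (keyed by masked
    DllBase) the renderer uses to attribute entries to drivers.

    On x86 the tables are collected from every thread's KTHREAD.ServiceTable;
    on x64 they are recovered from KeAddSystemServiceTable in the NT module.
    """
    addr_space = utils.load_as(self._config)
    # Loaded modules keyed by masked base, plus the sorted key list the
    # renderer searches to find which driver owns a service routine.
    mods = {addr_space.address_mask(mod.DllBase): mod
            for mod in modules.lsmod(addr_space)}
    mod_addrs = sorted(mods.keys())

    ssdts = set()
    is_32bit = addr_space.profile.metadata.get('memory_model', '32bit') == '32bit'
    if is_32bit:
        # Gather up all SSDTs referenced by threads
        print("[x86] Gathering all referenced SSDTs from KTHREADs...")
        for proc in tasks.pslist(addr_space):
            for thread in proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry"):
                ssdts.add(thread.Tcb.ServiceTable.dereference_as('_SERVICE_DESCRIPTOR_TABLE'))
    else:
        print("[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable...")
        # The NT module always loads first
        ntos = list(modules.lsmod(addr_space))[0]
        func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
        if func_rva is None:
            # ``raise StopIteration(msg)`` inside a generator merely ends the
            # iteration (Python 2) or becomes RuntimeError (Python 3.7+); the
            # message never reached the analyst. Log it and stop yielding.
            debug.warning("Cannot locate KeAddSystemServiceTable")
            return
        ke_add_table = ntos.DllBase + func_rva
        for table_rva in find_tables(ke_add_table, addr_space):
            ssdts.add(obj.Object("_SERVICE_DESCRIPTOR_TABLE", ntos.DllBase + table_rva, addr_space))

    # Unique (slot, KiServiceTable, ServiceLimit) triples; typically two.
    tables = set()
    for ssdt_obj in ssdts:
        for i, desc in enumerate(ssdt_obj.Descriptors):
            # Sanity checks: KiServiceTable must be a kernel address and
            # ServiceLimit positive but not absurd. The first slot failing
            # the check ends the walk of this SSDT, so later slots in it are
            # not examined.
            if (not desc.is_valid() or desc.ServiceLimit <= 0
                    or desc.ServiceLimit >= 0xFFFF
                    or desc.KiServiceTable <= 0x80000000):
                break
            tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))

    print("Finding appropriate address space for tables...")
    # A table may not be mapped by the kernel AS alone, so search the
    # process address spaces for one that can read it.
    procs = list(tasks.pslist(addr_space))
    tables_with_vm = []
    for idx, table, n in tables:
        vm = tasks.find_space(addr_space, procs, table)
        if vm:
            tables_with_vm.append((idx, table, n, vm))
        else:
            debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))
    for idx, table, n, vm in sorted(tables_with_vm, key = itemgetter(0)):
        yield idx, table, n, vm, mods, mod_addrs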
示例5: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_space [as 别名]
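def calculate(self):
    """Locate every SSDT in the image and yield the resident ones.

    Each yielded tuple is ``(idx, table, n, vm, mods, mod_addrs)``: the
    descriptor slot, the KiServiceTable address, its ServiceLimit, an
    address space that maps the table, and the loaded-module map (keyed by
    masked DllBase) plus its sorted keys for owner attribution.

    x86 tables come from every thread's KTHREAD.ServiceTable; x64 tables are
    recovered from KeAddSystemServiceTable, with ``find_tables`` returning
    absolute table addresses in this variant.
    """
    addr_space = utils.load_as(self._config)
    # Module map used by the renderer to attribute service routines.
    mods = {addr_space.address_mask(mod.DllBase): mod
            for mod in modules.lsmod(addr_space)}
    mod_addrs = sorted(mods.keys())

    ssdts = set()
    memory_model = addr_space.profile.metadata.get('memory_model', '32bit')
    if memory_model == '32bit':
        # Gather up all SSDTs referenced by threads
        print("[x86] Gathering all referenced SSDTs from KTHREADs...")
        for proc in tasks.pslist(addr_space):
            threads = proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry")
            for thread in threads:
                ssdts.add(thread.Tcb.ServiceTable.dereference_as('_SERVICE_DESCRIPTOR_TABLE'))
    else:
        print("[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable...")
        # The NT module always loads first
        ntos = list(modules.lsmod(addr_space))[0]
        func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
        if func_rva is None:
            # A StopIteration raised inside a generator is swallowed (Py2)
            # or converted to RuntimeError (Py3.7+), so the original message
            # was never shown. Warn and end the generator instead.
            debug.warning("Cannot locate KeAddSystemServiceTable")
            return
        ke_add_table = ntos.DllBase + func_rva
        for table_addr in find_tables(ntos.DllBase, ke_add_table, addr_space):
            ssdts.add(obj.Object("_SERVICE_DESCRIPTOR_TABLE", table_addr, addr_space))

    # Unique (slot, KiServiceTable, ServiceLimit) triples; typically two.
    tables = set()
    for ssdt_obj in ssdts:
        for i, desc in enumerate(ssdt_obj.Descriptors):
            # KiServiceTable must be a kernel address and ServiceLimit must be
            # positive and below 2048. The first slot failing the check ends
            # the walk of this SSDT; later slots in it are not examined.
            if (not desc.is_valid() or desc.ServiceLimit <= 0
                    or desc.ServiceLimit >= 2048
                    or desc.KiServiceTable <= 0x80000000):
                break
            tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))

    print("Finding appropriate address space for tables...")
    # Search the process address spaces for one able to read each table.
    procs = list(tasks.pslist(addr_space))
    tables_with_vm = []
    for idx, table, n in tables:
        vm = tasks.find_space(addr_space, procs, table)
        if vm:
            tables_with_vm.append((idx, table, n, vm))
        else:
            debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))
    for idx, table, n, vm in sorted(tables_with_vm, key = itemgetter(0)):
        yield idx, table, n, vm, mods, mod_addrs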
示例6: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_space [as 别名]
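def calculate(self):
    """Locate every SSDT in the image and yield the resident ones.

    Yields ``(idx, table, n, vm, mods, mod_addrs)``: descriptor slot,
    KiServiceTable address, ServiceLimit, an address space that maps the
    table, and the loaded-module map (keyed by masked DllBase) plus its
    sorted keys for attributing service routines to drivers.

    Unlike the break-on-first-invalid variants, this one examines every
    descriptor slot and keeps each one that passes the sanity checks.
    """
    addr_space = utils.load_as(self._config)
    mods = {addr_space.address_mask(mod.DllBase): mod
            for mod in modules.lsmod(addr_space)}
    mod_addrs = sorted(mods.keys())

    ssdts = set()
    memory_model = addr_space.profile.metadata.get('memory_model', '32bit')
    if memory_model == '32bit':
        # Gather up all SSDTs referenced by threads
        print("[x86] Gathering all referenced SSDTs from KTHREADs...")
        for proc in tasks.pslist(addr_space):
            threads = proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry")
            for thread in threads:
                ssdts.add(thread.Tcb.ServiceTable.dereference_as('_SERVICE_DESCRIPTOR_TABLE'))
    else:
        print("[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable...")
        # The NT module always loads first
        ntos = list(modules.lsmod(addr_space))[0]
        func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
        if func_rva is None:
            # StopIteration raised inside a generator is swallowed (Py2) or
            # turned into RuntimeError (Py3.7+); the message was lost. Warn
            # and end the generator instead.
            debug.warning("Cannot locate KeAddSystemServiceTable")
            return
        ke_add_table = ntos.DllBase + func_rva
        for table_rva in find_tables(ke_add_table, addr_space):
            ssdts.add(obj.Object("_SERVICE_DESCRIPTOR_TABLE", ntos.DllBase + table_rva, addr_space))

    # Unique (slot, KiServiceTable, ServiceLimit) triples; typically two.
    tables = set()
    for ssdt_obj in ssdts:
        for i, desc in enumerate(ssdt_obj.Descriptors):
            # KiServiceTable must be a kernel address and ServiceLimit must be
            # positive but not unbelievably high; every slot is checked.
            looks_sane = (desc.is_valid()
                          and 0 < desc.ServiceLimit < 0xFFFF
                          and desc.KiServiceTable > 0x80000000)
            if looks_sane:
                tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))

    print("Finding appropriate address space for tables...")
    # Search the process address spaces for one able to read each table.
    procs = list(tasks.pslist(addr_space))
    tables_with_vm = []
    for idx, table, n in tables:
        vm = tasks.find_space(addr_space, procs, table)
        if vm:
            tables_with_vm.append((idx, table, n, vm))
        else:
            debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))
    for idx, table, n, vm in sorted(tables_with_vm, key = itemgetter(0)):
        yield idx, table, n, vm, mods, mod_addrs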
示例7: PEInfo_ImportedModules_Module_ImportedFunctions_string
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import find_space [as 别名]
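def PEInfo_ImportedModules_Module_ImportedFunctions_string(self, content, condition, preserve_case):
    """Evaluate an IOC ``ImportedFunctions/string`` term against this module.

    Import names come from the ``kernel_mods_impfunc`` table when the module
    was already processed. Otherwise the module image is scanned for calls
    into exported kernel APIs (impscan-style), the results are stored with
    a parameterized ``insert or ignore``, and a ``marker_done`` sentinel row
    is written when nothing was found so the expensive scan is not repeated.

    Args:
        content, condition, preserve_case: the IOC term as passed by the
            evaluator.
    Returns:
        The ``check_strings`` verdict, or False for an unsupported condition
        (``debug.error`` is expected to abort before the return is reached).
    """
    if not self.util.is_condition_string(condition):
        debug.error('{0} condition is not supported in DriverItem/PEInfo/ImportedModules/Module/ImportedFunctions/string'.format(condition))
        return False

    count = self.fetchone_from_db_by_base("kernel_mods_impfunc", "count(*)")
    if count > 0:
        # Drop the "nothing found" sentinel so it can never match an IOC
        # term. (If rows come back as tuples rather than names the filter is
        # a no-op -- TODO confirm against fetchall_from_db_by_base.)
        stored = self.fetchall_from_db_by_base("kernel_mods_impfunc", "func_name")
        imp_funcs = [name for name in stored if name != 'marker_done']
        return self.util.check_strings(imp_funcs, content, condition, preserve_case)

    debug.info("[time-consuming task] extracting import functions... (kernel module name={0} base=0x{1:x})".format(str(self.kmod.BaseDllName or ''), self.kmod.DllBase))
    imp_funcs = []
    records = []
    all_mods = list(win32.modules.lsmod(self.kernel_space))
    base_address, size_to_read, data = self.get_data()
    if data:
        apis = self.enum_apis(all_mods)
        # Some GUI drivers (e.g. win32k.sys) are only mapped in a process
        # address space, so search the process list for a usable AS.
        procs = list(tasks.pslist(self.kernel_space))
        addr_space = tasks.find_space(self.kernel_space, procs, base_address)
        if addr_space is None:
            # Mirror get_data: a cached image does not guarantee the AS is
            # still resolvable, and call_scan cannot work without one.
            debug.warning('Cannot read supplied address (kernel module name={0} base=0x{1:x})'.format(str(self.kmod.BaseDllName or ''), self.kmod.DllBase))
        else:
            calls_imported = dict(
                (iat, call)
                for (_, iat, call) in self.call_scan(addr_space, base_address, data)
                if call in apis
            )
            self._vicinity_scan(addr_space,
                                calls_imported, apis, base_address, len(data),
                                forward = True)
            self._vicinity_scan(addr_space,
                                calls_imported, apis, base_address, len(data),
                                forward = False)
            for iat, call in sorted(calls_imported.items()):
                mod_name, func_name = self._original_import(str(apis[call][0].BaseDllName or ''), apis[call][1])
                # Addresses are stored as decimal strings to match the
                # existing table contents.
                records.append((str(self.kmod.DllBase.v()), str(iat), str(call), mod_name, func_name))
                imp_funcs.append(func_name)

    if not records:
        debug.info('inserting marker "done"... (kernel module name={0} base=0x{1:x})'.format(str(self.kmod.BaseDllName or ''), self.kmod.DllBase))
        records.append((str(self.kmod.DllBase.v()), 0, 0, 'marker_done', 'marker_done'))
    # Parameterized insert: nothing from memory is interpolated into SQL.
    self.cur.executemany("insert or ignore into kernel_mods_impfunc values (?, ?, ?, ?, ?)", records)
    return self.util.check_strings(imp_funcs, content, condition, preserve_case)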