当前位置: 首页>>代码示例>>Python>>正文


Python tasks.get_kdbg方法代码示例

本文整理汇总了Python中volatility.win32.tasks.get_kdbg方法的典型用法代码示例。如果您正苦于以下问题:Python tasks.get_kdbg方法的具体用法?Python tasks.get_kdbg怎么用?Python tasks.get_kdbg使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在volatility.win32.tasks的用法示例。


在下文中一共展示了tasks.get_kdbg方法的10个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: lsmod

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import get_kdbg [as 别名]
def lsmod(addr_space):
    """ A Generator for modules """

    for m in tasks.get_kdbg(addr_space).modules():
        yield m 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:7,代码来源:modules.py

示例2: generate_suggestions

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import get_kdbg [as 别名]
def generate_suggestions(self):
        """The nt!PoolBigPageTable and nt!PoolBigPageTableSize
        are found relative to nt!PoolTrackTable"""

        track_table = tasks.get_kdbg(self.obj_vm).PoolTrackTable

        for pair in self.distance:
            table_base = obj.Object("address", 
                offset = track_table - pair[0], 
                vm = self.obj_vm)

            table_size = obj.Object("address", 
                offset = track_table - pair[1], 
                vm = self.obj_vm)

            if table_size != 0 and self.obj_vm.is_valid_address(table_base):
                break

        debug.debug("Distance Map: {0}".format(repr(self.distance)))
        debug.debug("PoolTrackTable: {0:#x}".format(track_table))
        debug.debug("PoolBigPageTable: {0:#x} => {1:#x}".format(table_base.obj_offset, table_base))
        debug.debug("PoolBigPageTableSize: {0:#x} => {1:#x}".format(table_size.obj_offset, table_size))
        yield table_base, table_size

#--------------------------------------------------------------------------------
# Big Page Pool Scanner
#-------------------------------------------------------------------------------- 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:29,代码来源:bigpagepools.py

示例3: check_pspcid

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import get_kdbg [as 别名]
def check_pspcid(self, addr_space):
        """Enumerate processes by walking the PspCidTable"""
        ret = dict()

        # Follow the pointers to the table base
        kdbg = tasks.get_kdbg(addr_space)
        PspCidTable = kdbg.PspCidTable.dereference().dereference()

        # Walk the handle table
        for handle in PspCidTable.handles():
            if handle.get_object_type() == "Process":
                process = handle.dereference_as("_EPROCESS")
                ret[PsXview.get_file_offset(process)] = process

        return ret 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:17,代码来源:psxview.py

示例4: calculate

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import get_kdbg [as 别名]
def calculate(self):
        addr_space = utils.load_as(self._config)

        # Currently we only support x86. The x64 does still have a GDT 
        # but hooking is prohibited and results in bugcheck. 
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        for kpcr in tasks.get_kdbg(addr_space).kpcrs():
            for i, entry in kpcr.gdt_entries():
                yield i, entry 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:13,代码来源:idt.py

示例5: get_bugcheck_callbacks

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import get_kdbg [as 别名]
def get_bugcheck_callbacks(addr_space):
        """
        Enumerate generic Bugcheck callbacks.

        Note: These structures don't exist in tagged pools, but you can find 
        them via KDDEBUGGER_DATA64 on all versions of Windows.
        """

        kdbg = tasks.get_kdbg(addr_space)
        list_head = kdbg.KeBugCheckCallbackListHead.dereference_as('_KBUGCHECK_CALLBACK_RECORD')

        for l in list_head.Entry.list_of_type("_KBUGCHECK_CALLBACK_RECORD", "Entry"):
            yield "KeBugCheckCallbackListHead", l.CallbackRoutine, l.Component.dereference() 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:15,代码来源:callbacks.py

示例6: _scan_kernel_memory

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import get_kdbg [as 别名]
def _scan_kernel_memory(self, addr_space, rules):
        # Find KDBG so we know where kernel memory begins. Do not assume
        # the starting range is 0x80000000 because we may be dealing with
        # an image with the /3GB boot switch. 
        kdbg = tasks.get_kdbg(addr_space)

        start = kdbg.MmSystemRangeStart.dereference_as("Pointer")

        # Modules so we can map addresses to owners
        mods = dict((addr_space.address_mask(mod.DllBase), mod)
                    for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        # There are multiple views (GUI sessions) of kernel memory.
        # Since we're scanning virtual memory and not physical, 
        # all sessions must be scanned for full coverage. This 
        # really only has a positive effect if the data you're
        # searching for is in GUI memory. 
        sessions = []

        for proc in tasks.pslist(addr_space):
            sid = proc.SessionId
            # Skip sessions we've already seen 
            if sid == None or sid in sessions:
                continue

            session_space = proc.get_process_address_space()
            if session_space == None:
                continue

            sessions.append(sid)
            scanner = DiscontigYaraScanner(address_space = session_space,
                                           rules = rules)

            for hit, address in scanner.scan(start_offset = start):
                module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
                yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE)) 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:39,代码来源:malfind.py

示例7: generate_suggestions

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import get_kdbg [as 别名]
def generate_suggestions(self):
        """The nt!PoolBigPageTable and nt!PoolBigPageTableSize
        are found relative to nt!PoolTrackTable"""

        track_table = tasks.get_kdbg(self.obj_vm).PoolTrackTable

        for pair in self.distance:
            table_base = obj.Object("address", 
                offset = track_table - pair[0], 
                vm = self.obj_vm)

            table_size = obj.Object("address", 
                offset = track_table - pair[1], 
                vm = self.obj_vm)
                
            if (table_base % 0x1000 == 0 and
                    self.obj_vm.is_valid_address(table_base) and
                    table_size != 0 and 
                    table_size % 0x1000 == 0 and 
                    table_size < 0x1000000):
                break

        debug.debug("Distance Map: {0}".format(repr(self.distance)))
        debug.debug("PoolTrackTable: {0:#x}".format(track_table))
        debug.debug("PoolBigPageTable: {0:#x} => {1:#x}".format(table_base.obj_offset, table_base))
        debug.debug("PoolBigPageTableSize: {0:#x} => {1:#x}".format(table_size.obj_offset, table_size))
        yield table_base, table_size

#--------------------------------------------------------------------------------
# Big Page Pool Scanner
#-------------------------------------------------------------------------------- 
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:33,代码来源:bigpagepools.py

示例8: _scan_kernel_memory

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import get_kdbg [as 别名]
def _scan_kernel_memory(self, addr_space, rules):
        # Find KDBG so we know where kernel memory begins. Do not assume
        # the starting range is 0x80000000 because we may be dealing with
        # an image with the /3GB boot switch. 
        kdbg = tasks.get_kdbg(addr_space)

        start = kdbg.MmSystemRangeStart.dereference_as("Pointer")

        # Modules so we can map addresses to owners
        mods = dict((addr_space.address_mask(mod.DllBase), mod)
                    for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        # There are multiple views (GUI sessions) of kernel memory.
        # Since we're scanning virtual memory and not physical, 
        # all sessions must be scanned for full coverage. This 
        # really only has a positive effect if the data you're
        # searching for is in GUI memory. 
        sessions = []

        for proc in tasks.pslist(addr_space):
            sid = proc.SessionId
            # Skip sessions we've already seen 
            if sid == None or sid in sessions:
                continue

            session_space = proc.get_process_address_space()
            if session_space == None:
                continue

            sessions.append(sid)
            scanner = DiscontigYaraScanner(address_space = session_space,
                                           rules = rules)

            for hit, address in scanner.scan(start_offset = start):
                module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
                yield (module, address - self._config.REVERSE, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE)) 
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:39,代码来源:malfind.py

示例9: check_pspcid

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import get_kdbg [as 别名]
def check_pspcid(self, addr_space):
        """Enumerate processes by walking the PspCidTable"""
        ret = dict()

        # Follow the pointers to the table base
        kdbg = tasks.get_kdbg(addr_space)
        PspCidTable = kdbg.PspCidTable.dereference().dereference()

        # Walk the handle table
        for handle in PspCidTable.handles():
            if handle.get_object_type() == "Process":
                process = handle.dereference_as("_EPROCESS")
                ret[process.obj_vm.vtop(process.obj_offset)] = process

        return ret 
开发者ID:vortessence,项目名称:vortessence,代码行数:17,代码来源:psxview.py

示例10: calculate

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import get_kdbg [as 别名]
def calculate(self):
        kernel_space = utils.load_as(self._config)

        if not self.is_valid_profile(kernel_space.profile):
            debug.error("Windows XP/2003 does not track pool tags")

        knowntags = {}
        if self._config.TAGFILE and os.path.isfile(self._config.TAGFILE):
            taglines = open(self._config.TAGFILE).readlines()
            for tag in taglines:
                tag = tag.strip()
                if tag.startswith("rem") or tag.startswith(" ") or tag == "":
                    continue
                info = tag.split("-", 2)
                try:
                    key = info[0].strip()
                    driver = info[1].strip()
                    reason = info[2].strip()
                except IndexError:
                    continue
                knowntags[key] = (driver, reason)

        track_table = tasks.get_kdbg(kernel_space).PoolTrackTable

        # not really an address, this is just a trick to get 
        # a 32bit number on x86 and 64bit number on x64. the
        # size is always directly before the pool table. 
        table_size = obj.Object("address", offset = 
            track_table - kernel_space.profile.get_obj_size("address"), 
            vm = kernel_space
            )

        track_table = track_table.dereference_as("address")

        if not kernel_space.is_valid_address(track_table) or table_size > 100000:
            debug.error("Cannot find the table or its size is unexpected: {0}".format(table_size))

        entries = obj.Object("Array", targetType = "_POOL_TRACKER_TABLE", 
            offset = track_table, count = table_size, 
            vm = kernel_space
            )

        if self._config.TAGS:
            tags = [tag for tag in self._config.TAGS.split(",")]
        else:
            tags = []

        for entry in entries:

            if not self._config.SHOW_FREE:
                if entry.PagedBytes == 0 and entry.NonPagedBytes == 0:
                    continue

            if not tags or entry.Key in tags:
                try:
                    (driver, reason) = knowntags[str(entry.Key).strip()]
                    if self._config.WHITELIST:
                        continue
                except KeyError:
                    (driver, reason) = ("", "")
                yield entry, driver, reason 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:63,代码来源:pooltracker.py


注:本文中的volatility.win32.tasks.get_kdbg方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。