当前位置: 首页>>代码示例>>Python>>正文


Python tasks.pslist方法代码示例

本文整理汇总了Python中volatility.win32.tasks.pslist方法的典型用法代码示例。如果您正苦于以下问题:Python tasks.pslist方法的具体用法?Python tasks.pslist怎么用?Python tasks.pslist使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在volatility.win32.tasks的用法示例。


在下文中一共展示了tasks.pslist方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: calculate

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
        addr_space = utils.load_as(self._config)

        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        if self._config.OFFSET != None:
            data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            data = self.filter_tasks(tasks.pslist(addr_space))

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error, e:
                debug.error('Error parsing regular expression: %s' % e) 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:23,代码来源:dlldump.py

示例2: session_spaces

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def session_spaces(self, kernel_space):
        """ Generators unique _MM_SESSION_SPACE objects
        referenced by active processes. 
    
        @param space: a kernel AS for process enumeration
    
        @yields _MM_SESSION_SPACE instantiated from the 
        session space native_vm. 
        """
        seen = []
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId != None and proc.SessionId.v() not in seen:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    seen.append(proc.SessionId.v())
                    yield obj.Object("_MM_SESSION_SPACE",
                        offset = proc.Session.v(), vm = ps_ad) 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:19,代码来源:sessions.py

示例3: find_session_space

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def find_session_space(self, kernel_space, session_id):
        """ Get a session address space by its ID. 
    
        @param space: a kernel AS for process enumeration
        @param session_id: the session ID to find.
    
        @returns _MM_SESSION_SPACE instantiated from the 
        session space native_vm. 
        """
        for proc in tasks.pslist(kernel_space):
            if proc.SessionId == session_id:
                ps_ad = proc.get_process_address_space()
                if ps_ad != None:
                    return obj.Object("_MM_SESSION_SPACE",
                        offset = proc.Session.v(), vm = ps_ad)
        return obj.NoneObject("Cannot locate a session") 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:18,代码来源:sessions.py

示例4: cmdhistory_process_filter

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def cmdhistory_process_filter(self, addr_space):
        """Generator for processes that might contain command 
        history information. 

        Takes into account if we're on Windows 7 or an earlier
        operator system. 

        @param addr_space: a kernel address space. 
        """

        # Detect if we're on windows seven 
        use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
                                addr_space.profile.metadata.get('minor', 0))

        for task in tasks.pslist(addr_space):
            process_name = str(task.ImageFileName).lower()
            # The process we select is conhost on Win7 or csrss for others
            if ((use_conhost and process_name == "conhost.exe") or
                        (not use_conhost and process_name == "csrss.exe")):
                yield task 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:22,代码来源:cmdhistory.py

示例5: calculate

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
        if not has_yara:
            debug.error("Yara must be installed for this plugin")

        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")
	    # For each process in the list
        for task in self.filter_tasks(tasks.pslist(addr_space)):
            # print task.ImageFileName
            for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
				# Injected code detected if there's values returned
                rules = yara.compile(sources = signatures)
                scanner = malfind.VadYaraScanner(task = task, rules = rules)
                # print 'before'
                for hit, address in scanner.scan():
            	    vad_base_addr = self.get_vad_base(task, address)
            	    
            	    # Get a chuck of memory of size 2048 next to where the string was detected
                    content = address_space.zread(address, 2048)
                    yield task, address, vad_base_addr, content
                    break
                # break  # Show only 1 instance of detected injection per process 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:26,代码来源:psempire.py

示例6: calculate

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
        addr_space = utils.load_as(self._config)

        if self._config.OFFSET != None:
            data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            data = self.filter_tasks(tasks.pslist(addr_space))

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error, e:
                debug.error('Error parsing regular expression: %s' % e) 
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:18,代码来源:dlldump.py

示例7: calculate

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):

        if not has_yara:
            debug.error("Yara must be installed for this plugin")

        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")
        
        rules = yara.compile(sources = signatures)

        for task in self.filter_tasks(tasks.pslist(addr_space)):
            scanner = malfind.VadYaraScanner(task = task, rules = rules)

            for hit, address in scanner.scan():
                vad_base_addr = self.get_vad_base(task, address)
                if address - vad_base_addr > 0x1000:
                    continue

                yield task, vad_base_addr 
开发者ID:botherder,项目名称:volatility,代码行数:23,代码来源:poisonivy.py

示例8: calculate

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):

        ## Load a new address space
        addr_space = utils.load_as(self._config)

        return dict(
                (int(task.UniqueProcessId), task)
                for task in tasks.pslist(addr_space)
                ) 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:11,代码来源:pstree.py

示例9: calculate

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
        """Determines the address space"""
        addr_space = utils.load_as(self._config)

        result = None
        adrs = addr_space
        while adrs:
            if adrs.__class__.__name__ == 'WindowsHiberFileSpace32':
                sr = adrs.ProcState.SpecialRegisters

                peb = obj.NoneObject("Cannot locate a valid PEB")

                # Find the PEB by cycling through processes. This method works 
                # on all versions of Windows x86 and x64. 
                for task in tasks.pslist(addr_space):
                    if task.Peb:
                        peb = task.Peb
                        break

                result = {'header': adrs.get_header(),
                          'sr': sr,
                          'peb': peb,
                          'adrs': adrs }
            adrs = adrs.base

        if result == None:
            debug.error("Memory Image could not be identified or did not contain hiberation information")

        return result 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:31,代码来源:hibinfo.py

示例10: calculate

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
        addr_space = utils.load_as(self._config)

        if not has_yara:
            debug.error("You must install yara to use this plugin")

        if not self._config.DUMP_DIR:
            debug.error("You must supply a --dump-dir parameter")
        
        if self._config.PHYSICAL:
            # Find the FileAddressSpace
            while addr_space.__class__.__name__ != "FileAddressSpace":
                addr_space = addr_space.base 
            scanner = malfind.DiscontigYaraScanner(address_space = addr_space, 
                                                   rules = DumpCerts.rules)
            for hit, address in scanner.scan():
                cert = obj.Object(DumpCerts.type_map.get(hit.rule), 
                                            vm = scanner.address_space,
                                            offset = address, 
                                            )
                if cert.is_valid():
                    yield None, cert
        else:
            for process in self.filter_tasks(tasks.pslist(addr_space)):
                scanner = malfind.VadYaraScanner(task = process, rules = DumpCerts.rules)
                for hit, address in scanner.scan():
                    cert = obj.Object(DumpCerts.type_map.get(hit.rule), 
                                            vm = scanner.address_space,
                                            offset = address, 
                                            )
                    if cert.is_valid():
                        yield process, cert 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:34,代码来源:dumpcerts.py

示例11: calculate

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This plugin only works on XP and 2003")

        ## When verbose is specified, we recalculate the list of SIDs for
        ## services in the registry. Otherwise, we take the list from the 
        ## pre-populated dictionary in getservicesids.py
        if self._config.VERBOSE:
            ssids = getservicesids.GetServiceSids(self._config).calculate()
            for sid, service in ssids:
                self.extrasids[sid] = " (Service: " + service + ")" 
        else:
            for sid, service in getservicesids.servicesids.items():
                self.extrasids[sid] = " (Service: " + service + ")"

        ## Get the user's SIDs from the registry
        self.load_user_sids()

        for proc in tasks.pslist(addr_space):
            if str(proc.ImageFileName).lower() == "services.exe":
                for vad, process_space in proc.get_vads(vad_filter = proc._mapped_file_filter):
                    if vad.FileObject.FileName:
                        name = str(vad.FileObject.FileName).lower()
                        if name.endswith(".evt"):
                            ## Maybe check the length is reasonable, though probably there won't 
                            ## ever be event logs that are multiple GB or TB in size.
                            data = process_space.zread(vad.Start, vad.Length)
                            yield name, data 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:32,代码来源:evtlogs.py

示例12: calculate

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
        if self._config.OUTPUT == "xlsx" and not has_openpyxl:
            debug.error("You must install OpenPyxl 2.1.2 for xlsx format:\n\thttps://pypi.python.org/pypi/openpyxl")
        elif self._config.OUTPUT == "xlsx" and not self._config.OUTPUT_FILE:
            debug.error("You must specify an output *.xlsx file!\n\t(Example: --output-file=OUTPUT.xlsx)")

        addr_space = utils.load_as(self._config)

        all_tasks = list(tasks.pslist(addr_space))

        ps_sources = {}
        # The keys are names of process sources. The values
        # are dictionaries whose keys are physical process 
        # offsets and the values are _EPROCESS objects. 
        ps_sources['pslist'] = self.check_pslist(all_tasks)
        ps_sources['psscan'] = self.check_psscan()
        ps_sources['thrdproc'] = self.check_thrdproc(addr_space)
        ps_sources['csrss'] = self.check_csrss_handles(all_tasks)
        ps_sources['pspcid'] = self.check_pspcid(addr_space)
        ps_sources['session'] = self.check_sessions(addr_space)
        ps_sources['deskthrd'] = self.check_desktop_thread(addr_space)

        # Build a list of offsets from all sources
        seen_offsets = []
        for source in ps_sources.values():
            for offset in source.keys():
                if offset not in seen_offsets:
                    seen_offsets.append(offset)
                    yield offset, source[offset], ps_sources 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:31,代码来源:psxview.py

示例13: unified_output

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def unified_output(self, data):
        return TreeGrid([("Offset(P)", Address),
                       ("Name", str),
                       ("PID", int),
                       ("pslist", str),
                       ("psscan", str),
                       ("thrdproc", str),
                       ("pspcid", str),
                       ("csrss", str),
                       ("session", str),
                       ("deskthrd", str),
                       ("ExitTime", str)],
                        self.generator(data)) 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:15,代码来源:psxview.py

示例14: _scan_process_memory

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def _scan_process_memory(self, addr_space, rules):
        for task in self.filter_tasks(tasks.pslist(addr_space)):
            scanner = VadYaraScanner(task = task, rules = rules)
            for hit, address in scanner.scan(maxlen = self._config.MAX_SIZE):
                yield (task, address, hit, scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE)) 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:7,代码来源:malfind.py

示例15: _scan_kernel_memory

# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def _scan_kernel_memory(self, addr_space, rules):
        # Find KDBG so we know where kernel memory begins. Do not assume
        # the starting range is 0x80000000 because we may be dealing with
        # an image with the /3GB boot switch. 
        kdbg = tasks.get_kdbg(addr_space)

        start = kdbg.MmSystemRangeStart.dereference_as("Pointer")

        # Modules so we can map addresses to owners
        mods = dict((addr_space.address_mask(mod.DllBase), mod)
                    for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        # There are multiple views (GUI sessions) of kernel memory.
        # Since we're scanning virtual memory and not physical, 
        # all sessions must be scanned for full coverage. This 
        # really only has a positive effect if the data you're
        # searching for is in GUI memory. 
        sessions = []

        for proc in tasks.pslist(addr_space):
            sid = proc.SessionId
            # Skip sessions we've already seen 
            if sid == None or sid in sessions:
                continue

            session_space = proc.get_process_address_space()
            if session_space == None:
                continue

            sessions.append(sid)
            scanner = DiscontigYaraScanner(address_space = session_space,
                                           rules = rules)

            for hit, address in scanner.scan(start_offset = start):
                module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
                yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE)) 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:39,代码来源:malfind.py


注:本文中的volatility.win32.tasks.pslist方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。