本文整理汇总了Python中volatility.win32.tasks.pslist方法的典型用法代码示例。如果您正苦于以下问题:Python tasks.pslist方法的具体用法?Python tasks.pslist怎么用?Python tasks.pslist使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类volatility.win32.tasks
的用法示例。
在下文中一共展示了tasks.pslist方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
addr_space = utils.load_as(self._config)
if self._config.DUMP_DIR == None:
debug.error("Please specify a dump directory (--dump-dir)")
if not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
if self._config.OFFSET != None:
data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
else:
data = self.filter_tasks(tasks.pslist(addr_space))
if self._config.REGEX:
try:
if self._config.IGNORE_CASE:
mod_re = re.compile(self._config.REGEX, re.I)
else:
mod_re = re.compile(self._config.REGEX)
except re.error, e:
debug.error('Error parsing regular expression: %s' % e)
示例2: session_spaces
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def session_spaces(self, kernel_space):
""" Generators unique _MM_SESSION_SPACE objects
referenced by active processes.
@param space: a kernel AS for process enumeration
@yields _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
seen = []
for proc in tasks.pslist(kernel_space):
if proc.SessionId != None and proc.SessionId.v() not in seen:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
seen.append(proc.SessionId.v())
yield obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
示例3: find_session_space
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def find_session_space(self, kernel_space, session_id):
""" Get a session address space by its ID.
@param space: a kernel AS for process enumeration
@param session_id: the session ID to find.
@returns _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
for proc in tasks.pslist(kernel_space):
if proc.SessionId == session_id:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
return obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
return obj.NoneObject("Cannot locate a session")
示例4: cmdhistory_process_filter
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def cmdhistory_process_filter(self, addr_space):
"""Generator for processes that might contain command
history information.
Takes into account if we're on Windows 7 or an earlier
operator system.
@param addr_space: a kernel address space.
"""
# Detect if we're on windows seven
use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
for task in tasks.pslist(addr_space):
process_name = str(task.ImageFileName).lower()
# The process we select is conhost on Win7 or csrss for others
if ((use_conhost and process_name == "conhost.exe") or
(not use_conhost and process_name == "csrss.exe")):
yield task
示例5: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
# For each process in the list
for task in self.filter_tasks(tasks.pslist(addr_space)):
# print task.ImageFileName
for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
# Injected code detected if there's values returned
rules = yara.compile(sources = signatures)
scanner = malfind.VadYaraScanner(task = task, rules = rules)
# print 'before'
for hit, address in scanner.scan():
vad_base_addr = self.get_vad_base(task, address)
# Get a chuck of memory of size 2048 next to where the string was detected
content = address_space.zread(address, 2048)
yield task, address, vad_base_addr, content
break
# break # Show only 1 instance of detected injection per process
示例6: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
addr_space = utils.load_as(self._config)
if self._config.OFFSET != None:
data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
else:
data = self.filter_tasks(tasks.pslist(addr_space))
if self._config.REGEX:
try:
if self._config.IGNORE_CASE:
mod_re = re.compile(self._config.REGEX, re.I)
else:
mod_re = re.compile(self._config.REGEX)
except re.error, e:
debug.error('Error parsing regular expression: %s' % e)
示例7: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
rules = yara.compile(sources = signatures)
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
vad_base_addr = self.get_vad_base(task, address)
if address - vad_base_addr > 0x1000:
continue
yield task, vad_base_addr
示例8: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
## Load a new address space
addr_space = utils.load_as(self._config)
return dict(
(int(task.UniqueProcessId), task)
for task in tasks.pslist(addr_space)
)
示例9: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
"""Determines the address space"""
addr_space = utils.load_as(self._config)
result = None
adrs = addr_space
while adrs:
if adrs.__class__.__name__ == 'WindowsHiberFileSpace32':
sr = adrs.ProcState.SpecialRegisters
peb = obj.NoneObject("Cannot locate a valid PEB")
# Find the PEB by cycling through processes. This method works
# on all versions of Windows x86 and x64.
for task in tasks.pslist(addr_space):
if task.Peb:
peb = task.Peb
break
result = {'header': adrs.get_header(),
'sr': sr,
'peb': peb,
'adrs': adrs }
adrs = adrs.base
if result == None:
debug.error("Memory Image could not be identified or did not contain hiberation information")
return result
示例10: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
addr_space = utils.load_as(self._config)
if not has_yara:
debug.error("You must install yara to use this plugin")
if not self._config.DUMP_DIR:
debug.error("You must supply a --dump-dir parameter")
if self._config.PHYSICAL:
# Find the FileAddressSpace
while addr_space.__class__.__name__ != "FileAddressSpace":
addr_space = addr_space.base
scanner = malfind.DiscontigYaraScanner(address_space = addr_space,
rules = DumpCerts.rules)
for hit, address in scanner.scan():
cert = obj.Object(DumpCerts.type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield None, cert
else:
for process in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = process, rules = DumpCerts.rules)
for hit, address in scanner.scan():
cert = obj.Object(DumpCerts.type_map.get(hit.rule),
vm = scanner.address_space,
offset = address,
)
if cert.is_valid():
yield process, cert
示例11: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This plugin only works on XP and 2003")
## When verbose is specified, we recalculate the list of SIDs for
## services in the registry. Otherwise, we take the list from the
## pre-populated dictionary in getservicesids.py
if self._config.VERBOSE:
ssids = getservicesids.GetServiceSids(self._config).calculate()
for sid, service in ssids:
self.extrasids[sid] = " (Service: " + service + ")"
else:
for sid, service in getservicesids.servicesids.items():
self.extrasids[sid] = " (Service: " + service + ")"
## Get the user's SIDs from the registry
self.load_user_sids()
for proc in tasks.pslist(addr_space):
if str(proc.ImageFileName).lower() == "services.exe":
for vad, process_space in proc.get_vads(vad_filter = proc._mapped_file_filter):
if vad.FileObject.FileName:
name = str(vad.FileObject.FileName).lower()
if name.endswith(".evt"):
## Maybe check the length is reasonable, though probably there won't
## ever be event logs that are multiple GB or TB in size.
data = process_space.zread(vad.Start, vad.Length)
yield name, data
示例12: calculate
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def calculate(self):
if self._config.OUTPUT == "xlsx" and not has_openpyxl:
debug.error("You must install OpenPyxl 2.1.2 for xlsx format:\n\thttps://pypi.python.org/pypi/openpyxl")
elif self._config.OUTPUT == "xlsx" and not self._config.OUTPUT_FILE:
debug.error("You must specify an output *.xlsx file!\n\t(Example: --output-file=OUTPUT.xlsx)")
addr_space = utils.load_as(self._config)
all_tasks = list(tasks.pslist(addr_space))
ps_sources = {}
# The keys are names of process sources. The values
# are dictionaries whose keys are physical process
# offsets and the values are _EPROCESS objects.
ps_sources['pslist'] = self.check_pslist(all_tasks)
ps_sources['psscan'] = self.check_psscan()
ps_sources['thrdproc'] = self.check_thrdproc(addr_space)
ps_sources['csrss'] = self.check_csrss_handles(all_tasks)
ps_sources['pspcid'] = self.check_pspcid(addr_space)
ps_sources['session'] = self.check_sessions(addr_space)
ps_sources['deskthrd'] = self.check_desktop_thread(addr_space)
# Build a list of offsets from all sources
seen_offsets = []
for source in ps_sources.values():
for offset in source.keys():
if offset not in seen_offsets:
seen_offsets.append(offset)
yield offset, source[offset], ps_sources
示例13: unified_output
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def unified_output(self, data):
return TreeGrid([("Offset(P)", Address),
("Name", str),
("PID", int),
("pslist", str),
("psscan", str),
("thrdproc", str),
("pspcid", str),
("csrss", str),
("session", str),
("deskthrd", str),
("ExitTime", str)],
self.generator(data))
示例14: _scan_process_memory
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def _scan_process_memory(self, addr_space, rules):
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan(maxlen = self._config.MAX_SIZE):
yield (task, address, hit, scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
示例15: _scan_kernel_memory
# 需要导入模块: from volatility.win32 import tasks [as 别名]
# 或者: from volatility.win32.tasks import pslist [as 别名]
def _scan_kernel_memory(self, addr_space, rules):
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))