

Python common.set_plugin_members函数代码示例

本文整理汇总了Python中volatility.plugins.mac.common.set_plugin_members函数的典型用法代码示例。如果您正苦于以下问题:Python set_plugin_members函数的具体用法?Python set_plugin_members怎么用?Python set_plugin_members使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。


在下文中一共展示了set_plugin_members函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: calculate

    def calculate(self):
        """Yield (address, vmk) pairs for FileVault2 volume master key candidates.

        Walks the read-only mappings of the kernel_task process and reports a
        16-byte block whose copy reappears 0x430 bytes later and whose leading
        word is non-zero.  The caller formats the yielded tuples.
        """
        common.set_plugin_members(self)

        for proc in pstasks.mac_tasks.calculate(self):
            # only the kernel task holds the key material this plugin looks for
            if str(proc.p_comm) != "kernel_task":
                continue

            proc_as = proc.get_process_address_space()

            for vm_map in proc.get_proc_maps():
                if vm_map.get_perms() != 'r--':
                    continue

                start = vm_map.links.start

                # first candidate copy of the VMK, and the second copy that
                # follows it at a fixed distance (this is not the tweak key)
                first_copy = proc_as.read(start, 16)
                second_copy = proc_as.read(start + 0x430, 16)

                leading_word = obj.Object("unsigned int", offset = start, vm = proc_as)

                if not first_copy or leading_word == 0x0:
                    continue

                if first_copy == second_copy:
                    yield start, first_copy
开发者ID:JamesHabben,项目名称:community,代码行数:26,代码来源:filevault2.py

示例2: calculate

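    def calculate(self):
        """Yield (name, unit, mac, promiscuous, ips) for every kernel network interface.

        Walks the ifnet list anchored at the _dlil_ifnet_head symbol.  For each
        interface the link-layer address is read from if_lladdr and every
        address on if_addrhead is collected.

        Both list walks now stop when a node repeats, so a corrupted or
        non-atomically acquired image cannot make the plugin loop forever
        (the same guard the lsmod and pslist plugins use).
        """
        common.set_plugin_members(self)

        IFF_PROMISC = 0x100

        list_head_addr = self.addr_space.profile.get_symbol("_dlil_ifnet_head")
        list_head_ptr = obj.Object("Pointer", offset = list_head_addr, vm = self.addr_space)
        ifnet = list_head_ptr.dereference_as("ifnet")

        seen_ifnets = set()
        while ifnet:
            # key on .v() as lsmod does, so struct and pointer nodes compare alike
            node = ifnet.v()
            if node in seen_ifnets:
                break
            seen_ifnets.add(node)

            name = ifnet.if_name.dereference()
            unit = ifnet.if_unit
            # bitwise & binds tighter than == in Python, so this tests the flag bit
            prom = (ifnet.if_flags & IFF_PROMISC) == IFF_PROMISC

            addr_dl = obj.Object("sockaddr_dl", offset = ifnet.if_lladdr.ifa_addr.v(), vm = self.addr_space)
            mac = addr_dl.v() if addr_dl.is_valid() else ""

            ips = []
            seen_ifaddrs = set()
            ifaddr = ifnet.if_addrhead.tqh_first
            while ifaddr:
                addr_node = ifaddr.v()
                if addr_node in seen_ifaddrs:
                    break
                seen_ifaddrs.add(addr_node)

                ip = ifaddr.ifa_addr.get_address()
                if ip:
                    ips.append(ip)

                ifaddr = ifaddr.ifa_link.tqe_next

            yield (name, unit, mac, prom, ips)
            ifnet = ifnet.if_link.tqe_next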
开发者ID:DSLeung,项目名称:volatility,代码行数:30,代码来源:ifconfig.py

示例3: calculate

    def calculate(self):
        """Yield (proc, person) for each ":ABPerson" record found in process memory.

        Scans anonymous read/write mappings (no backing file path) whose first
        bytes carry the SQLite header and reports every ":ABPerson" occurrence
        as a 256-byte utf8 String object at that address.
        """
        common.set_plugin_members(self)

        for proc in pstasks.mac_tasks.calculate(self):
            proc_as = proc.get_process_address_space()

            for region in proc.get_proc_maps():
                # rw- regions without a file backing only
                if region.get_perms() != "rw-" or region.get_path():
                    continue

                start = region.links.start

                # sqlite3 databases announce themselves in the first bytes
                if "SQLite format" not in proc_as.zread(start, 32):
                    continue

                # pull the whole region now that we know it holds a database
                region_bytes = proc_as.zread(start, region.links.end - start)

                for hit in utils.iterfind(region_bytes, ":ABPerson"):
                    person = obj.Object("String",
                                        offset = start + hit,
                                        vm = proc_as, encoding = "utf8",
                                        length = 256)
                    yield proc, person
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:28,代码来源:contacts.py

示例4: calculate

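    def calculate(self):
        """Yield the kernel message buffer (dmesg) contents as a single string.

        Reads the msgbuf structure behind the _msgbufp symbol and reassembles
        the ring buffer so that the older messages come first.

        Robustness over the original: an unreadable buffer ends the plugin
        instead of raising on indexing, a write cursor at or beyond msg_size
        is clamped before it is used as an index, and the leading-NUL strip
        no longer raises IndexError on an empty or all-NUL buffer.
        """
        common.set_plugin_members(self)

        msgbuf_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("_msgbufp"), vm = self.addr_space)
        msgbufp = msgbuf_ptr.dereference_as("msgbuf")

        bufx = msgbufp.msg_bufx
        size = msgbufp.msg_size
        bufc = self.addr_space.read(msgbufp.msg_bufc, size)

        if not bufc:
            # buffer not readable from the image (paged out / bad pointer)
            return

        # msg_bufx is the kernel's write cursor; an out-of-range value from a
        # corrupted image is treated as 0 rather than used as an index
        if bufx >= size:
            bufx = 0

        # NOTE(review): on Python 2 bufc[bufx] is a one-character str, so the
        # == 0 test below can only match under Python 3 bytes indexing —
        # confirm whether "\x00" was the intended comparison.
        if bufc[bufx] == 0 and bufc[0] != 0:
            ## FIXME: can we do this without get_string?
            buf = common.get_string(bufc, self.addr_space)
        else:
            # older messages follow the cursor, newer ones precede it
            buf = bufc[bufx:bufx + size] + bufc[0:bufx]

        # strip leading NULs
        buf = buf.lstrip("\x00")

        yield buf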
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:26,代码来源:dmesg.py

示例5: calculate

    def calculate(self):
        """Yield one tuple per populated entry of the Mach trap table.

        Each tuple is (table_addr, "TrapTable", index, handler_addr,
        symbol_or_HOOKED, hooked).  An entry is flagged hooked when its
        handler address is not among the profile's known symbol addresses.
        """
        common.set_plugin_members(self)
        self._set_vtypes()

        known_addrs = self.profile.get_all_addresses()
        profile = self.addr_space.profile

        table_addr = profile.get_symbol("_mach_trap_table")
        ntraps = obj.Object("int", offset = profile.get_symbol("_mach_trap_count"), vm = self.addr_space)
        traps = obj.Object(theType = "Array", offset = table_addr, vm = self.addr_space, count = ntraps, targetType = "mach_trap")

        for idx, trap in enumerate(traps):
            handler = trap.mach_trap_function.v()
            if not handler:
                continue

            hooked = handler not in known_addrs
            if hooked:
                sym_name = "HOOKED"
            else:
                sym_name = self.profile.get_symbol_by_address("kernel", handler)

            yield (table_addr, "TrapTable", idx, handler, sym_name, hooked)
开发者ID:Austi,项目名称:volatility,代码行数:26,代码来源:check_trap_table.py

示例6: calculate

    def calculate(self):
        """Yield each loaded kernel module (kmod_info) reachable from the _kmod symbol.

        The walk stops on a repeated node or after 1024 modules.  When the
        ADDR option is set, only a module whose [address, address + size]
        range contains that address is yielded.
        """
        common.set_plugin_members(self)

        kmod_sym = self.addr_space.profile.get_symbol("_kmod")
        kmodaddr = obj.Object("Pointer", offset = kmod_sym, vm = self.addr_space)
        if kmodaddr == None:
            return

        kmod = kmodaddr.dereference_as("kmod_info")
        wanted = self._config.ADDR

        seen = set()
        visited = 0
        while kmod.is_valid():
            # key on .v() instead of .obj_offset due 'next' being at offset 0
            node = kmod.v()
            if node in seen or visited > 1024:
                break
            seen.add(node)
            visited += 1

            if not wanted or kmod.address <= wanted <= (kmod.address + kmod.m("size")):
                yield kmod

            kmod = kmod.next
开发者ID:chansonzhang,项目名称:volatility,代码行数:27,代码来源:lsmod.py

示例7: calculate

    def calculate(self):
        """Yield (known, key, notifier, matches) for every registered IOKit notification.

        Walks the gNotifications OSDictionary; each value is an OSOrderedSet of
        _IOServiceNotifier objects whose handler address is checked against the
        kernel symbol addresses and the known kexts.
        """
        common.set_plugin_members(self)

        (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self)
        profile = self.addr_space.profile

        gnotify_addr = common.get_cpp_sym("gNotifications", profile)
        gnotify_ptr = obj.Object("Pointer", offset = gnotify_addr, vm = self.addr_space)
        gnotifications = gnotify_ptr.dereference_as("OSDictionary")
        entries = obj.Object('Array', offset = gnotifications.dictionary, vm = self.addr_space, targetType = 'dictEntry', count = gnotifications.count)

        for entry in entries:
            if entry == None:
                continue

            key = entry.key.dereference_as("OSString")

            # the value is an ordered set of notifier pointers
            valset = entry.value.dereference_as("OSOrderedSet")
            notifier_ptrs = obj.Object('Array', offset = valset.array, vm = self.addr_space, targetType = 'Pointer', count = valset.count)

            for notifier_ptr in notifier_ptrs:
                notifier = notifier_ptr.dereference_as("_IOServiceNotifier")
                if notifier == None:
                    continue

                matches = self.get_matching(notifier)

                # the handler runs when the notification fires; it should live
                # in the kernel or in one of the known IOKit drivers
                handler = notifier.handler
                known = common.is_known_address(handler, kernel_symbol_addresses, kmods)

                yield (known, key, notifier, matches)
开发者ID:Jack47,项目名称:volatility,代码行数:35,代码来源:notifiers.py

示例8: calculate

    def calculate(self):
        """Yield (proc_as, key_buf_ptr) candidates for keychain key buffers in securityd.

        Only 1 MiB mappings inside the 0x7f00_0000_0000..0x7fff_0000_0000
        window are scanned, one pointer-width step at a time, for a 0x18
        marker followed by a pointer that points back into the same mapping.
        """
        common.set_plugin_members(self)

        is_32bit = self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit"
        ptr_sz = 4 if is_32bit else 8

        window_lo = 0x00007f0000000000
        window_hi = 0x00007fff00000000
        wanted_len = 0x100000

        for proc in pstasks.mac_tasks.calculate(self):
            if str(proc.p_comm) != "securityd":
                continue

            proc_as = proc.get_process_address_space()

            for vm_map in proc.get_proc_maps():
                in_window = vm_map.start > window_lo and vm_map.end < window_hi
                if not (in_window and vm_map.end - vm_map.start == wanted_len):
                    continue

                for address in range(vm_map.start, vm_map.end, ptr_sz):
                    signature = obj.Object("unsigned int", offset = address, vm = proc_as)
                    if not signature or signature != 0x18:
                        continue

                    key_buf_ptr = obj.Object("unsigned long", offset = address + ptr_sz, vm = proc_as)
                    if vm_map.start <= key_buf_ptr < vm_map.end:
                        yield proc_as, key_buf_ptr
开发者ID:BryanSingh,项目名称:volatility,代码行数:30,代码来源:keychaindump.py

示例9: calculate

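    def calculate(self):
        """Yield a kmod_info object for every kext mapped in the kernel's kext map.

        Walks the vm_map entries of _g_kext_map; each entry whose start holds
        a valid Mach-O header exposing a _kmod_info symbol yields that
        kmod_info.  The walk is bounded by the header's nentries count.

        The unused local `address` of the original has been removed.
        """
        common.set_plugin_members(self)

        map_sym = self.addr_space.profile.get_symbol("_g_kext_map")
        mapaddr = obj.Object("Pointer", offset = map_sym, vm = self.addr_space)
        kextmap = mapaddr.dereference_as("_vm_map")

        entry = kextmap.hdr

        # nentries bounds the walk, so a corrupted list cannot loop forever
        for _ in range(kextmap.hdr.nentries):
            entry = entry.links.next
            if not entry:
                break

            macho = obj.Object("macho_header", offset = entry.start, vm = self.addr_space)
            if not macho.is_valid():
                continue

            kmod_start = macho.address_for_symbol("_kmod_info")
            if kmod_start:
                yield obj.Object("kmod_info", offset = kmod_start, vm = self.addr_space)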
开发者ID:DSLeung,项目名称:volatility,代码行数:28,代码来源:gkextmap.py

示例10: calculate

    def calculate(self):
        """Yield (proc, fd, fileproc, path) for every open file descriptor of every process.

        The path is resolved only for vnode-backed descriptors (fg_type 1);
        other descriptor types yield an empty string.
        """
        common.set_plugin_members(self)

        for proc in pstasks.mac_tasks(self._config).calculate():
            # NOTE(review): count = fd_lastfile; if fd_lastfile is the highest
            # in-use index rather than a count, the last descriptor is skipped
            # — confirm against the profile's filedesc definition.
            fds = obj.Object('Array', offset = proc.p_fd.fd_ofiles, vm = self.addr_space, targetType = 'Pointer', count = proc.p_fd.fd_lastfile)

            for fd_num, fd_ptr in enumerate(fds):
                fileproc = fd_ptr.dereference_as("fileproc")
                if not fileproc:
                    continue

                fglob = fileproc.f_fglob
                if 'fg_type' in fglob.dereference().__dict__['members']:
                    ## FIXME after 2.3 replace this explicit int field with the following line:
                    ##    if str(f.f_fglob.fg_type) == 'DTYPE_VNODE':
                    ## Its not needed for profiles generated with convert.py after r3290
                    type_offset = fglob.fg_type.obj_offset
                else:
                    # OS X Mavericks profiles: the type lives under fg_ops
                    type_offset = fglob.fg_ops.fo_type.obj_offset

                fg_type = obj.Object("int", type_offset, vm = self.addr_space)

                if fg_type == 1: # VNODE
                    path = fglob.fg_data.dereference_as("vnode").full_path()
                else:
                    path = ""

                yield proc, fd_num, fileproc, path
开发者ID:FaisalHasan,项目名称:volatility,代码行数:27,代码来源:lsof.py

示例11: calculate

    def calculate(self):
        """Yield (task, address, hit, 64 bytes of context) for every Yara rule match.

        With the KERNEL option the kernel address space is scanned from the
        architecture-dependent kernel base and task is None; otherwise every
        process map is scanned via MapYaraScanner.  Requires the yara module.
        """
        ## we need this module imported
        if not has_yara:
            debug.error("Please install Yara from code.google.com/p/yara-project")

        ## leveraged from the windows yarascan plugin
        rules = self._compile_rules()

        ## set the mac plugin address spaces
        common.set_plugin_members(self)

        if not self._config.KERNEL:
            # Scan each process memory block
            for task in pstasks.mac_tasks(self._config).calculate():
                scanner = MapYaraScanner(task = task, rules = rules)
                for hit, address in scanner.scan():
                    yield (task, address, hit,
                           scanner.address_space.zread(address, 64))
            return

        ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
        if self.addr_space.profile.metadata.get('memory_model', '32bit') != "32bit":
            kernel_start = 0xffffff8000000000
        elif common.is_64bit_capable(self.addr_space):
            kernel_start = 0xc0000000
        else:
            kernel_start = 0

        scanner = malfind.DiscontigYaraScanner(rules = rules,
                                               address_space = self.addr_space)

        for hit, address in scanner.scan(start_offset = kernel_start):
            yield (None, address, hit,
                   scanner.address_space.zread(address, 64))
开发者ID:Austi,项目名称:volatility,代码行数:35,代码来源:mac_yarascan.py

示例12: calculate

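    def calculate(self):
        """Yield each proc in the kernel's _allproc list, optionally filtered by PID.

        The PID option is a comma-separated list of integers.  A malformed
        value is reported with a warning and the filter is dropped (every
        process is yielded) instead of being silently swallowed by a bare
        except.  A repeated node stops the walk with a warning, since a
        non-atomic acquisition can leave the list cyclic.
        """
        common.set_plugin_members(self)

        pidlist = None
        pid_opt = self._config.PID
        if pid_opt:
            try:
                pidlist = [int(p) for p in pid_opt.split(',')]
            except (ValueError, AttributeError):
                # keep the best-effort behaviour, but make the bad option visible
                debug.warning("Ignoring malformed PID option %r; listing all processes" % (pid_opt,))
                pidlist = None

        allproc = self.addr_space.profile.get_symbol("_allproc")
        procsaddr = obj.Object("proclist", offset = allproc, vm = self.addr_space)
        proc = obj.Object("proc", offset = procsaddr.lh_first, vm = self.addr_space)

        seen = set()
        while proc.is_valid():
            if proc.obj_offset in seen:
                debug.warning("Recursive process list detected (a result of non-atomic acquisition). Use mac_tasks or mac_psxview)")
                break
            seen.add(proc.obj_offset)

            if not pidlist or proc.p_pid in pidlist:
                yield proc

            proc = proc.p_list.le_next.dereference()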
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:29,代码来源:pslist.py

示例13: calculate

    def calculate(self):
        """Yield (watcher_addr, name, pid, events) for each registered fsevents watcher.

        Requires a profile whose fs_event_watcher has a proc_name member
        (OS X >= 10.8.2).  `events` is a comma-separated list of the event
        types the watcher has enabled.
        """
        common.set_plugin_members(self)

        if not self.addr_space.profile.obj_has_member("fs_event_watcher", "proc_name"):
            debug.error("This plugin only supports OS X >= 10.8.2. Please file a bug if you are running against a version matching this criteria.")

        # index i of this list corresponds to slot i of the watcher's event_list
        event_types = [
            "CREATE_FILE", "DELETE", "STAT_CHANGED", "RENAME", "CONTENT_MODIFIED",
            "EXCHANGE", "FINDER_INFO_CHANGED", "CREATE_DIR", "CHOWN",
            "XATTR_MODIFIED", "XATTR_REMOVED", "DOCID_CREATED", "DOCID_CHANGED",
        ]

        table_addr = self.addr_space.profile.get_symbol("_watcher_table")
        watchers = obj.Object(theType = "Array", targetType = "Pointer", count = 8, vm = self.addr_space, offset = table_addr)

        for watcher_addr in watchers:
            if not watcher_addr.is_valid():
                continue

            watcher = watcher_addr.dereference_as("fs_event_watcher")

            name = self.addr_space.read(watcher.proc_name.obj_offset, 33)
            if name:
                # keep only the NUL-terminated part of the fixed-size field
                name = name.split("\x00", 1)[0]

            event_arr = obj.Object(theType = "Array", targetType = "unsigned char", offset = watcher.event_list.v(), count = 13, vm = self.addr_space)
            enabled = [event_types[i] for i, flag in enumerate(event_arr) if flag == 1]
            events = ", ".join(enabled)

            yield watcher_addr, name, watcher.pid, events
开发者ID:CRYP706URU,项目名称:pyrebox,代码行数:35,代码来源:vfsevents.py

示例14: render_text

    def render_text(self, outfd, data):
        """Print one table row per thread of every process in *data*.

        Columns: PID, process name, thread start time, scheduling priority,
        the thread's continuation (start) function, and the kernel symbol,
        module, or process map path that address resolves to.
        """
        common.set_plugin_members(self)

        columns = [
            ("PID", "8"),
            ("Name", "16"),
            ("Start Time", "32"),
            ("Priority", "6"),
            ("Start Function", "[addrpad]"),
            ("Function Map", ""),
        ]
        self.table_header(outfd, columns)

        kaddr_info = common.get_handler_name_addrs(self)

        for proc in data:
            for thread in proc.threads():
                func_addr = thread.continuation
                (module, handler_sym) = common.get_handler_name(kaddr_info, func_addr)

                # prefer the exact symbol, then the owning module, then the map path
                handler = handler_sym or module or proc.find_map_path(func_addr)

                self.table_row(outfd, proc.p_pid, proc.p_comm,
                               thread.start_time(),
                               thread.sched_pri,
                               func_addr, handler)
开发者ID:chansonzhang,项目名称:volatility,代码行数:27,代码来源:threads_simple.py

示例15: calculate

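    def calculate(self):
        """Yield (msg_num, routine_name, routine_addr) for each populated MIG bucket.

        Entries whose routine address does not resolve to a kernel symbol are
        reported as "HOOKED".  The entry size comes from the profile when the
        mig_hash_t type is known; otherwise it is derived from the distance to
        the symbol declared directly after the 1024-bucket table.

        Uses floor division for the derived entry size so the computed offsets
        stay integers under Python 3 or `from __future__ import division`.
        """
        common.set_plugin_members(self)

        profile = self.addr_space.profile
        n_buckets = 1024
        mig_buckets_addr = profile.get_symbol("_mig_buckets")

        if profile.has_type("mig_hash_t"):
            ele_type = "mig_hash_t"
            ele_size = profile.get_obj_size(ele_type)
        else:
            # we can't use an array as the size of mig_hash_entry
            # depends on if MAC_COUNTERS is set, which changes between kernels
            # mig_table_max_displ is declared directly after mig_buckets
            # which allows us to calculate the size of each entry dynamically
            ele_type = "mig_hash_entry"
            di_addr = profile.get_symbol("_mig_table_max_displ")
            # floor division: the per-entry stride must stay an integer
            ele_size = (di_addr - mig_buckets_addr) // n_buckets

        for i in range(n_buckets):
            entry = obj.Object(ele_type, offset = mig_buckets_addr + (i * ele_size), vm = self.addr_space)

            if entry.routine == 0:
                continue

            rname = profile.get_symbol_by_address("kernel", entry.routine)
            if not rname:
                rname = "HOOKED"

            yield (entry.num, rname, entry.routine)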
开发者ID:chansonzhang,项目名称:volatility,代码行数:32,代码来源:check_mig_table.py


注:本文中的volatility.plugins.mac.common.set_plugin_members函数示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。