本文整理匯總了Python中volatility.addrspace.AbstractRunBasedMemory方法的典型用法代碼示例。如果您正苦於以下問題:Python addrspace.AbstractRunBasedMemory方法的具體用法?Python addrspace.AbstractRunBasedMemory怎麽用?Python addrspace.AbstractRunBasedMemory使用的例子?那麽, 這裏精選的方法代碼示例或許可以為您提供幫助。您也可以進一步了解該方法所在類volatility.addrspace的用法示例。
在下文中一共展示了addrspace.AbstractRunBasedMemory方法的8個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Python代碼示例。
示例1: __init__
# 需要導入模塊: from volatility import addrspace [as 別名]
# 或者: from volatility.addrspace import AbstractRunBasedMemory [as 別名]
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "mac: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
if sig == '\xce\xfa\xed\xfe':
self.bits = 32
elif sig == '\xcf\xfa\xed\xfe':
self.bits = 64
else:
self.as_assert(0, "MachO Header signature invalid")
self.runs = []
self.header = None
self.addr_cache = {}
self.parse_macho() 示例2: __init__
# 需要導入模塊: from volatility import addrspace [as 別名]
# 或者: from volatility.addrspace import AbstractRunBasedMemory [as 別名]
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Must start with the magic PAGEDUMP
self.as_assert((base.read(0, 8) == self.dumpsig), "Header signature invalid")
self.as_assert(self.profile.has_type(self.headertype), self.headertype + " not available in profile")
self.header = obj.Object(self.headertype, 0, base)
self.as_assert((self.header.DumpType == 0x1), "Unsupported dump format")
offset = self.headerpages
for x in self.header.PhysicalMemoryBlockBuffer.Run:
self.runs.append((x.BasePage.v() * 0x1000,
offset * 0x1000,
x.PageCount.v() * 0x1000))
offset += x.PageCount.v()
self.dtb = self.header.DirectoryTableBase.v() 示例3: __init__
# 需要導入模塊: from volatility import addrspace [as 別名]
# 或者: from volatility.addrspace import AbstractRunBasedMemory [as 別名]
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "lime: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
## ARM processors are bi-endian, but little is the default and currently
## the only mode we support; unless it comes a common request.
if sig == '\x4c\x69\x4d\x45':
debug.debug("Big-endian ARM not supported, please submit a feature request")
self.as_assert(sig == '\x45\x4D\x69\x4c', "Invalid Lime header signature")
self.addr_cache = {}
self.parse_lime() 示例4: __init__
# 需要導入模塊: from volatility import addrspace [as 別名]
# 或者: from volatility.addrspace import AbstractRunBasedMemory [as 別名]
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'], "ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz)))
self.as_assert(len(self.runs) > 0, "No PT_LOAD segments found") 示例5: __init__
# 需要導入模塊: from volatility import addrspace [as 別名]
# 或者: from volatility.addrspace import AbstractRunBasedMemory [as 別名]
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'], "ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## Tuple of (physical memory address, file offset, length)
self.runs = []
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz))) 示例6: __init__
# 需要導入模塊: from volatility import addrspace [as 別名]
# 或者: from volatility.addrspace import AbstractRunBasedMemory [as 別名]
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'], "ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz))) 示例7: __init__
# 需要導入模塊: from volatility import addrspace [as 別名]
# 或者: from volatility.addrspace import AbstractRunBasedMemory [as 別名]
def __init__(self, base, config, **kwargs):
self.as_assert(base == None, 'Must be first Address Space')
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
self.fhandle = win32file.CreateFile(
"\\\\.\\pmem",
win32file.GENERIC_READ | win32file.GENERIC_WRITE,
win32file.FILE_SHARE_READ | win32file.FILE_SHARE_WRITE,
None,
win32file.OPEN_EXISTING,
win32file.FILE_ATTRIBUTE_NORMAL,
None)
self.ParseMemoryRuns() 示例8: __init__
# 需要導入模塊: from volatility import addrspace [as 別名]
# 或者: from volatility.addrspace import AbstractRunBasedMemory [as 別名]
def __init__(self, base, config, **kwargs):
## We must have an AS below us
self.as_assert(base, "No base Address Space")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, **kwargs)
## Quick test (before instantiating an object)
## for ELF64, little-endian - ELFCLASS64 and ELFDATA2LSB
## for ELF32, little-endian - ELFCLASS32 and ELFDATA2LSB
self.as_assert(base.read(0, 6) in ['\x7fELF\x02\x01', '\x7fELF\x01\x01'],
"ELF Header signature invalid")
## Base AS should be a file AS
elf = obj.Object("elf_hdr", offset = 0, vm = base)
## Make sure its a core dump
self.as_assert(str(elf.e_type) == 'ET_CORE',
"ELF type is not a Core file")
## Tuple of (physical memory address, file offset, length)
self.runs = []
## The PT_NOTE core descriptor structure
self.header = None
for phdr in elf.program_headers():
## The first note should be the VBCORE segment
if str(phdr.p_type) == 'PT_NOTE':
note = obj.Object("elf_note", offset = phdr.p_offset, vm = base, parent = phdr)
self.check_note(note)
continue
# Only keep load segments with valid file sizes
if (str(phdr.p_type) != 'PT_LOAD' or
phdr.p_filesz == 0 or
phdr.p_filesz != phdr.p_memsz):
continue
self.runs.append((int(phdr.p_paddr),
int(phdr.p_offset),
int(phdr.p_memsz)))
self.validate()