本文整理匯總了Python中volatility.debug.info方法的典型用法代碼示例。如果您正苦於以下問題:Python debug.info方法的具體用法?Python debug.info怎麽用?Python debug.info使用的例子?那麽, 這裏精選的方法代碼示例或許可以為您提供幫助。您也可以進一步了解該方法所在類volatility.debug
的用法示例。
在下文中一共展示了debug.info方法的14個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Python代碼示例。
示例1: get_all_kmem_caches
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def get_all_kmem_caches(self):
linux_common.set_plugin_members(self)
cache_chain = self.addr_space.profile.get_symbol("cache_chain")
slab_caches = self.addr_space.profile.get_symbol("slab_caches")
if cache_chain: #slab
caches = obj.Object("list_head", offset = cache_chain, vm = self.addr_space)
listm = "next"
ret = [cache for cache in caches.list_of_type("kmem_cache", listm)]
elif slab_caches: #slub
debug.info("SLUB is currently unsupported.")
ret = []
else:
debug.error("Unknown or unimplemented slab type.")
return ret
示例2: find_scanned_frames
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def find_scanned_frames(self, p, address, end):
"""
Find frames by scanning for return addresses.
@param p: process info object
@param address: Start address
@param end: End address
@return: a list of frames
"""
address_size = linux_process_info.address_size
frames = []
debug.info("Scan range (%rsp to end) = (0x{:016x} to 0x{:016x})".format(address, end))
count = 0
while address <= end:
if p.proc_as.is_valid_address(address) and self.is_return_address(read_address(p.proc_as, address, address_size), p):
st = stack_frame(address + address_size, p.proc_as, count)
frames.append(st)
count += 1
address += address_size
return frames
示例3: find_entry_point
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def find_entry_point(self, proc_as, start_code):
"""
Read the entry point from the program header.
@param proc_as: Process address space
@param start_code: Start of the program code mapping
@return The address of the entry point (_start)
"""
# entry point lives at ELF header + 0x18
# add it to the memory mapping of the binary
if not proc_as.is_valid_address(start_code+0x18):
# it's gone from memory
debug.info("We could not find program entry point, skipping _start detection")
return False
offset = read_address(proc_as, start_code+0x18)
if offset > start_code:
# it's an absolute address
return offset
else:
# it's a relative offset, i.e. PIE code
return start_code + offset
示例4: is_return_address
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def is_return_address(self, address, process_info):
"""
Checks if the address is a return address by checking if the preceding instruction is a 'CALL'.
@param address: An address
@param process_info: process info object
@return True or False
"""
proc_as = process_info.proc_as
size = 5
if distorm_loaded and process_info.is_code_pointer(address):
offset = address - size
instr = distorm3.Decode(offset, proc_as.read(offset, size), self.decode_as)
# last instr, third tuple item (instr string), first 7 letters
# if instr[-1][2][:7] == 'CALL 0x':
# print(instr[-1][2])
if len(instr) > 0:
return instr[-1][2][:4] == 'CALL'
# there's also call <register>
return False
示例5: find_return_libc_start
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def find_return_libc_start(self, proc_as, start_stack, return_start):
"""
Scans the stack for a certain address, in this case the return address of __libc_start_main.
@param proc_as: Process address space
@param start_stack: Start address to search
@param return_start: The return address to find
@return The address found or None
"""
address = start_stack
for value in yield_address(proc_as, start_stack, reverse=True):
if value == return_start:
debug.info("Scanned {} stack addresses before finding the __libc_start_main return address".format((start_stack-address)/linux_process_info.address_size))
return address
address -= linux_process_info.address_size
debug.info("Exhausted search for __libc_start_main return address at stack address {:016x}".format(address))
return None
示例6: info
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def info(self, task):
if self.vm_file:
pgoff = self.vm_pgoff << 12
inode = self.vm_file.dentry.d_inode
if inode and inode.is_valid():
major, minor = inode.i_sb.major, inode.i_sb.minor
ino = inode.i_ino
else:
major, minor, ino = [0] * 3
else:
(major, minor, ino, pgoff) = [0] * 4
fname = self.vm_name(task)
if fname == "Anonymous Mapping":
fname = ""
return fname, major, minor, ino, pgoff
示例7: extract_strings
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def extract_strings(self):
debug.info("[time-consuming task] extracting strings from VADs (pid={0})".format(self.process.UniqueProcessId))
strings = []
for vad, address_space in self.process.get_vads(skip_max_commit = True):
data = self.read_without_zero_page(vad, address_space)
if len(data) == 0:
continue
elif len(data) > READ_BLOCKSIZE:
debug.debug('data size in VAD is more than READ_BLOCKSIZE (pid{0})'.format(self.process.UniqueProcessId))
extracted = list(set(self.util.extract_unicode(data) + self.util.extract_ascii(data)))
strings.extend(extracted)
records = ((self.process.UniqueProcessId.v(), string) for string in strings)
self.cur.executemany("insert or ignore into strings values (?, ?)", records)
self.update_done('strings')
return strings
示例8: extract_hooked_APIs
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def extract_hooked_APIs(self, is_API=False, is_hookingMod=False):
debug.info("[time-consuming task] extracting hooked APIs... (pid={0})".format(self.process.UniqueProcessId))
process_space = self.process.get_process_address_space()
if not process_space:
return []
module_group = apihooks.ModuleGroup(self.process.get_load_modules())
records = []
for dll in module_group.mods:
if not process_space.is_valid_address(dll.DllBase):
continue
for hook in self.get_hooks(HOOK_MODE_USER, process_space, dll, module_group):
if self.whitelist(hook.hook_mode | hook.hook_type, self.process.ImageFileName.v(), hook.VictimModule, hook.HookModule, hook.Function):
continue
records.append((self.process.UniqueProcessId.v(), hook.Mode, hook.Type, str(dll.BaseDllName or ''), hook.Function, hook.HookModule))
self.cur.executemany("insert or ignore into api_hooked values (?, ?, ?, ?, ?, ?)", records)
self.update_done('api_hooked')
if is_API:
return [record[4] for record in records]
elif is_hookingMod:
return [record[5] for record in records]
示例9: extract_privileges
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def extract_privileges(self):
debug.info("[time-consuming task] extracting enabled privilege information... (pid={0})".format(self.process.UniqueProcessId))
records = []
for value, present, enabled, default in self.process.get_token().privileges():
try:
name, desc = PRIVILEGE_INFO[int(value)]
except KeyError:
continue
if enabled:
records.append((self.process.UniqueProcessId.v(), name))
self.cur.executemany("insert or ignore into privs values (?, ?)", records)
self.update_done('privs')
return [record[1] for record in records]
示例10: ShimCache_ExecutablePath
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def ShimCache_ExecutablePath(self, content, condition, preserve_case):
if not self.util.is_condition_string(condition):
debug.error('{0} condition is not supported in RegistryItem/ShimCache/ExecutablePath'.format(condition))
return False
paths = []
records = []
count = self.util.fetchone_from_db(self.cur, "shimcache", "count(*)")
if count > 0:
paths = self.util.fetchall_from_db(self.cur, "shimcache", "path")
else:
debug.info("[time-consuming task] extracting shimcache registry information...")
for path, modified, updated in shimcache.ShimCache.calculate(self):
path_str ='{0}'.format(path)
records.append((path_str, modified.v()))
if len(records) == 0:
records.append(('dummy', 'dummy')) # insert dummy for done
self.cur.executemany("insert or ignore into shimcache values (?, ?)", records)
paths = [record[0] for record in records]
return self.util.check_strings(paths, content, condition, preserve_case)
示例11: extract_services
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def extract_services(self, is_service_name=False, is_display_name=False, is_bin_path=False):
debug.info("[time-consuming task] extracting service information...")
records = []
for rec in svcscan.SvcScan.calculate(self):
service_name = '{0}'.format(rec.ServiceName.dereference())
display_name = '{0}'.format(rec.DisplayName.dereference())
bin_path = '{0}'.format(rec.Binary)
records.append((service_name, display_name, bin_path))
self.cur.executemany("insert or ignore into service values (?, ?, ?)", records)
if is_service_name:
return [record[0] for record in records]
elif is_display_name:
return [record[1] for record in records]
elif is_bin_path:
return [record[2] for record in records]
示例12: extract_callbacks
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def extract_callbacks(self):
debug.info("[time-consuming task] extracting kernel callbacks...")
records = []
# added for default option values (filescan)
self._config.VIRTUAL = False
self._config.SHOW_UNALLOCATED = False
self._config.START = None
self._config.LENGTH = None
for (sym, cb, detail), mods, mod_addrs in callbacks.Callbacks.calculate(self):
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
type_name = '{0}'.format(sym)
#records.append((module.DllBase.v(), type_name, cb.v(), str(detail or "-")))
records.append((str(module.DllBase.v()), type_name, str(cb.v()), str(detail or "-")))
if len(records) == 0:
records.append(('dummy', 'dummy', 'dummy', 'dummy')) # insert dummy for done
self.cur.executemany("insert or ignore into kernel_mods_callbacks values (?, ?, ?, ?)", records)
return [record[1] for record in records if self.kmod.DllBase.v() == record[0]]
示例13: extract_timers
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def extract_timers(self):
debug.info("[time-consuming task] extracting kernel timers...")
records = []
# added for default option value
self._config.LISTHEAD = None
for timer, module in timers.Timers.calculate(self):
if timer.Header.SignalState.v():
signaled = "Yes"
else:
signaled = "-"
due_time = "{0:#010x}:{1:#010x}".format(timer.DueTime.HighPart, timer.DueTime.LowPart)
#records.append((module.DllBase.v(), timer.obj_offset, due_time, timer.Period.v(), signaled, timer.Dpc.DeferredRoutine.v()))
#Quickfix for module=None
if module is None:
records.append(('None', str(timer.obj_offset), due_time, timer.Period.v(), signaled, str(timer.Dpc.DeferredRoutine.v())))
else:
records.append((str(module.DllBase.v()), str(timer.obj_offset), due_time, timer.Period.v(), signaled, str(timer.Dpc.DeferredRoutine.v())))
if len(records) == 0:
records.append(('dummy', 'dummy', 'dummy', 'dummy', 'dummy', 'dummy')) # insert dummy for done
self.cur.executemany("insert or ignore into kernel_mods_timers values (?, ?, ?, ?, ?, ?)", records)
timer_routines = [record[5] for record in records if self.kmod.DllBase.v() == record[0]]
return len(timer_routines)
示例14: render_text
# 需要導入模塊: from volatility import debug [as 別名]
# 或者: from volatility.debug import info [as 別名]
def render_text(self, outfd, data):
if self._config.show:
for definitions in data:
outfd.write(definitions)
outfd.write('++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n')
else:
for process, kmod, ioc_result in data:
outfd.write('***************************************************************\n')
outfd.write(ioc_result)
if process is not None:
outfd.write("Note: ProcessItem was evaluated only in {0} (Pid={1})\n".format(process.ImageFileName, process.UniqueProcessId))
if kmod is not None:
outfd.write("Note: DriverItem was evaluated only in {0} (base=0x{1:x})\n".format(str(kmod.BaseDllName or ''), kmod.DllBase))
outfd.write('***************************************************************\n')
self.db.commit()
self.cur.close()
debug.info("=> elapsed scan total: about {0} s".format(self.total_secs))