

Python filescan.PSScan方法代碼示例

本文整理匯總了Python中volatility.plugins.filescan.PSScan方法的典型用法代碼示例。如果您正苦於以下問題:Python filescan.PSScan方法的具體用法?Python filescan.PSScan怎麽用?Python filescan.PSScan使用的例子?那麽, 這裏精選的方法代碼示例或許可以為您提供幫助。您也可以進一步了解該方法所在volatility.plugins.filescan的用法示例。


在下文中一共展示了filescan.PSScan方法的8個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Python代碼示例。

示例1: __init__

# 需要導入模塊: from volatility.plugins import filescan [as 別名]
# 或者: from volatility.plugins.filescan import PSScan [as 別名]
def __init__(self, config, *args, **kwargs):
        """Register this plugin's command-line options on *config*.

        Options are registered in the same order as they are listed below;
        the parent constructor is run first so the base options exist.
        """
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        # (option name, keyword arguments for config.add_option), in order.
        option_specs = (
            ('STRING-FILE', dict(short_option = 's', default = None,
                                 help = 'File output in strings format (offset:string)',
                                 action = 'store', type = 'str')),
            ("SCAN", dict(short_option = 'S', default = False,
                          action = 'store_true', help = 'Use PSScan if no offset is provided')),
            ('OFFSET', dict(short_option = 'o', default = None,
                            help = 'EPROCESS offset (in hex) in the physical address space',
                            action = 'store', type = 'int')),
            ('PID', dict(short_option = 'p', default = None,
                         help = 'Operate on these Process IDs (comma-separated)',
                         action = 'store', type = 'str')),
            ('LOOKUP-PID', dict(short_option = 'L', default = False,
                                action = 'store_true', help = 'Lookup the ImageFileName of PIDs')),
        )
        for option_name, option_kwargs in option_specs:
            config.add_option(option_name, **option_kwargs)
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:18,代碼來源:strings.py

示例2: get_processes

# 需要導入模塊: from volatility.plugins import filescan [as 別名]
# 或者: from volatility.plugins.filescan import PSScan [as 別名]
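def get_processes(self, addr_space):
        """Enumerate processes based on user options.

        Selection order: an explicit OFFSET wins, then SCAN (pool-tag scanning
        via PSScan, with each hit bounced back into the virtual address space),
        otherwise the active process list.  When PID is set the result is
        filtered down to those process IDs; an unparsable PID string is
        reported through debug.error().

        :param      addr_space | <addrspace.AbstractVirtualAddressSpace>

        :returns    <list>
        """

        bounce_back = taskmods.DllList.virtual_process_from_physical_offset
        # `is not None` rather than `!= None`: identity test for the unset case.
        if self._config.OFFSET is not None:
            tasks = [bounce_back(addr_space, self._config.OFFSET)]
        elif self._config.SCAN:
            # NOTE(review): bounce_back appears to return a falsy value for an
            # offset it cannot map (other plugins guard its result) -- TODO
            # confirm.  Dropping those here keeps the PID filter below from
            # dereferencing a missing object.
            mapped = (bounce_back(addr_space, scanned.obj_offset)
                      for scanned in filescan.PSScan(self._config).calculate())
            tasks = [proc for proc in mapped if proc]
        else:
            tasks = win32.tasks.pslist(addr_space)

        if self._config.PID is not None:
            try:
                pidlist = [int(p) for p in self._config.PID.split(',')]
                tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
            except (ValueError, TypeError):
                debug.error("Invalid PID {0}".format(self._config.PID))

        return tasks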
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:29,代碼來源:strings.py

示例3: check_psscan

# 需要導入模塊: from volatility.plugins import filescan [as 別名]
# 或者: from volatility.plugins.filescan import PSScan [as 別名]
def check_psscan(self):
        """Enumerate processes with pool tag scanning.

        Returns a dict mapping PsXview.get_file_offset(proc) to the scanned
        process object; later hits on the same offset overwrite earlier ones.
        """
        offset_to_proc = {}
        for proc in filescan.PSScan(self._config).calculate():
            offset_to_proc[PsXview.get_file_offset(proc)] = proc
        return offset_to_proc
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:6,代碼來源:psxview.py

示例4: calculate

# 需要導入模塊: from volatility.plugins import filescan [as 別名]
# 或者: from volatility.plugins.filescan import PSScan [as 別名]
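def calculate(self):
        """Yield (task, module) pairs for every loaded module to enumerate.

        Process modules are yielded as (task, module); kernel modules as
        (None, module).  KERNEL_ONLY skips the process side, PROCESS_ONLY
        skips the kernel side.  With SCAN the lists come from pool-tag
        scanning (PSScan / ModScan) instead of walking the live lists.
        """
        addr_space = utils.load_as(self._config)

        tasklist = []
        modslist = []

        if self._config.SCAN:
            if not self._config.KERNEL_ONLY:
                for t in filescan.PSScan(self._config).calculate():
                    # Scanned _EPROCESS blocks are physical; map each back
                    # into the virtual address space and skip any that fail.
                    v = self.virtual_process_from_physical_offset(addr_space, t.obj_offset)
                    if v:
                        tasklist.append(v)
            if not self._config.PROCESS_ONLY:
                # list() instead of a copying comprehension (same result).
                modslist = list(modscan.ModScan(self._config).calculate())
        else:
            if not self._config.KERNEL_ONLY:
                tasklist = list(tasks.pslist(addr_space))
            if not self._config.PROCESS_ONLY:
                modslist = list(modules.lsmod(addr_space))

        for task in tasklist:
            for mod in task.get_load_modules():
                yield task, mod

        for mod in modslist:
            yield None, mod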
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:28,代碼來源:enumfunc.py

示例5: calculate

# 需要導入模塊: from volatility.plugins import filescan [as 別名]
# 或者: from volatility.plugins.filescan import PSScan [as 別名]
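def calculate(self):
        """Cross-reference pool-scanned _EPROCESS blocks with the active process list.

        Returns a list ``[eproc, found, cmdline, pathname]``; each element is a
        dict keyed by the physical offset of an _EPROCESS:

        * ``eproc``    -> the scanned _EPROCESS object
        * ``found``    -> 1 if only the scan saw the block, 0 if the active
                          process list walk also reached it
        * ``cmdline``  -> Peb.ProcessParameters.CommandLine of list-walked tasks
        * ``pathname`` -> Peb.ProcessParameters.ImagePathName of list-walked tasks

        With SHORT set, list-walked blocks are removed from ``eproc`` and
        ``found`` instead of being marked, so anything left is a block the
        active list did not reach (hidden / terminated / of interest).
        """
        eproc = {}
        found = {}
        cmdline = {}
        pathname = {}

        # One address space serves both passes (the original loaded it twice).
        address_space = utils.load_as(self._config)

        # Brute force search for eproc blocks in pool memory.
        for eprocess in filescan.PSScan(self._config).calculate():
            eproc[eprocess.obj_offset] = eprocess
            found[eprocess.obj_offset] = 1

        # Walk the active process list and reconcile it with the scan results.
        for task in tasks.pslist(address_space):
            # NOTE(review): vtop() presumably returns None for an unmapped
            # offset -- TODO confirm; such tasks would then share a None key.
            phys = address_space.vtop(task.obj_offset)
            if phys in eproc:
                if self._config.SHORT:
                    del eproc[phys]
                    del found[phys]
                else:
                    found[phys] = 0

            # Grab command line and parameters for every list-walked task,
            # whether or not the scan saw it.
            peb = task.Peb
            if peb:
                cmdline[phys] = peb.ProcessParameters.CommandLine
                pathname[phys] = peb.ProcessParameters.ImagePathName

        return [eproc, found, cmdline, pathname]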
開發者ID:teamdfir,項目名稱:sift-saltstack,代碼行數:36,代碼來源:pstotal.py

示例6: __init__

# 需要導入模塊: from volatility.plugins import filescan [as 別名]
# 或者: from volatility.plugins.filescan import PSScan [as 別名]
def __init__(self, config, *args, **kwargs):
        """Register this plugin's command-line options on *config*.

        The parent constructor runs first; options are then registered in
        the order listed below.
        """
        common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)

        # (option name, keyword arguments for config.add_option), in order.
        option_specs = (
            ('STRING-FILE', dict(short_option = 's', default = None,
                                 help = 'File output in strings format (offset:string)',
                                 action = 'store', type = 'str')),
            ("SCAN", dict(short_option = 'S', default = False,
                          action = 'store_true', help = 'Use PSScan if no offset is provided')),
            ('OFFSET', dict(short_option = 'o', default = None,
                            help = 'EPROCESS offset (in hex) in the physical address space',
                            action = 'store', type = 'int')),
            ('PID', dict(short_option = 'p', default = None,
                         help = 'Operate on these Process IDs (comma-separated)',
                         action = 'store', type = 'str')),
        )
        for option_name, option_kwargs in option_specs:
            config.add_option(option_name, **option_kwargs)
開發者ID:vortessence,項目名稱:vortessence,代碼行數:16,代碼來源:strings.py

示例7: check_psscan

# 需要導入模塊: from volatility.plugins import filescan [as 別名]
# 或者: from volatility.plugins.filescan import PSScan [as 別名]
def check_psscan(self):
        """Enumerate processes with pool tag scanning.

        Returns a dict mapping each scanned process's obj_offset to the
        process object; later hits on the same offset overwrite earlier ones.
        """
        offset_to_proc = {}
        for proc in filescan.PSScan(self._config).calculate():
            offset_to_proc[proc.obj_offset] = proc
        return offset_to_proc
開發者ID:vortessence,項目名稱:vortessence,代碼行數:6,代碼來源:psxview.py

示例8: _get_dtb

# 需要導入模塊: from volatility.plugins import filescan [as 別名]
# 或者: from volatility.plugins.filescan import PSScan [as 別名]
def _get_dtb(self):
        """Use psscan to get system dtb and apply it.

        Scans for the first _EPROCESS whose ImageFileName is "System", stores
        its Pcb.DirectoryTableBase in the config under "dtb" and returns True.
        Returns False when no such process is found.
        """
        scanner = filescan.PSScan(self.config)
        # NOTE(review): the scan stops at the first "System" hit; pool scanning
        # can also surface stale/terminated blocks, which is not checked here.
        system_proc = next((ep for ep in scanner.calculate()
                            if str(ep.ImageFileName) == "System"), None)
        if system_proc is None:
            return False
        self.config.update("dtb", system_proc.Pcb.DirectoryTableBase)
        return True
開發者ID:davidoren,項目名稱:CuckooSploit,代碼行數:10,代碼來源:memory.py


注:本文中的volatility.plugins.filescan.PSScan方法示例由純淨天空整理自Github/MSDocs等開源代碼及文檔管理平台,相關代碼片段篩選自各路編程大神貢獻的開源項目,源碼版權歸原作者所有,傳播和使用請參考對應項目的License;未經允許,請勿轉載。