

Python taskmods.DllList方法代碼示例

本文整理匯總了Python中volatility.plugins.taskmods.DllList方法的典型用法代碼示例。如果您正苦於以下問題:Python taskmods.DllList方法的具體用法?Python taskmods.DllList怎麽用?Python taskmods.DllList使用的例子?那麽, 這裏精選的方法代碼示例或許可以為您提供幫助。您也可以進一步了解該方法所在volatility.plugins.taskmods的用法示例。


在下文中一共展示了taskmods.DllList方法的15個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Python代碼示例。

示例1: __init__

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def __init__(self, config, *args, **kwargs):
        """Run the DllList initialiser, then register this plugin's options.

        The options cover what to scan (process memory, kernel modules, or
        both), how strings are matched, where the Yara rules come from (an
        inline string or a rules file), an optional dump directory, and
        size limits.
        """
        taskmods.DllList.__init__(self, config, *args, **kwargs)

        # Boolean switches share one shape: off unless given on the command line.
        switches = (
            ("ALL", 'A', 'Scan both process and kernel memory'),
            ("CASE", 'C', 'Make the search case insensitive'),
            ("KERNEL", 'K', 'Scan kernel modules'),
            ("WIDE", 'W', 'Match wide (unicode) strings'),
        )
        for opt_name, opt_letter, opt_help in switches:
            config.add_option(opt_name, short_option=opt_letter, default=False,
                              action='store_true', help=opt_help)

        # Both rule sources default to None; nothing in this initialiser
        # checks that at least one of them is supplied.
        config.add_option('YARA-RULES', short_option='Y', default=None,
                          help='Yara rules (as a string)')
        config.add_option('YARA-FILE', short_option='y', default=None,
                          help='Yara rules (rules file)')

        # Registered without validation: code that later writes to this
        # directory has to check that it was given and that it exists.
        config.add_option('DUMP-DIR', short_option='D', default=None,
                          help='Directory in which to dump the files')

        # Integer-valued limits.
        config.add_option('SIZE', short_option='s', default=256,
                          help='Size of preview hexdump (in bytes)',
                          action='store', type='int')
        config.add_option('REVERSE', short_option='R', default=0,
                          help='Reverse this number of bytes',
                          action='store', type='int')
        # 0x40000000 bytes is the 1GB quoted in the help text.
        config.add_option('MAX-SIZE', short_option='M', default=0x40000000,
                          action='store', type='long',
                          help='Set the maximum size (default is 1GB)')
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:27,代碼來源:malfind.py

示例2: __init__

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def __init__(self, config, *args, **kwargs):
        """Run the DllList initialiser, then register the scan options.

        Adds the scope switches (ALL, KERNEL), the matching switches (CASE,
        WIDE), the two Yara rule sources, a dump directory, and the SIZE and
        REVERSE integers.
        """
        taskmods.DllList.__init__(self, config, *args, **kwargs)

        config.add_option(
            "ALL",
            short_option='A',
            default=False,
            action='store_true',
            help='Scan both process and kernel memory',
        )
        config.add_option(
            "CASE",
            short_option='C',
            default=False,
            action='store_true',
            help='Make the search case insensitive',
        )
        config.add_option(
            "KERNEL",
            short_option='K',
            default=False,
            action='store_true',
            help='Scan kernel modules',
        )
        config.add_option(
            "WIDE",
            short_option='W',
            default=False,
            action='store_true',
            help='Match wide (unicode) strings',
        )

        # Rules may arrive inline or from a file; both default to None and
        # this initialiser does not require either one.
        config.add_option(
            'YARA-RULES',
            short_option='Y',
            default=None,
            help='Yara rules (as a string)',
        )
        config.add_option(
            'YARA-FILE',
            short_option='y',
            default=None,
            help='Yara rules (rules file)',
        )

        # No validation happens here; the directory must be checked before
        # anything is written to it.
        config.add_option(
            'DUMP-DIR',
            short_option='D',
            default=None,
            help='Directory in which to dump the files',
        )

        config.add_option(
            'SIZE',
            short_option='s',
            default=256,
            help='Size of preview hexdump (in bytes)',
            action='store',
            type='int',
        )
        config.add_option(
            'REVERSE',
            short_option='R',
            default=0,
            help='Reverse this number of bytes',
            action='store',
            type='int',
        )
開發者ID:vortessence,項目名稱:vortessence,代碼行數:24,代碼來源:malfind.py

示例3: __init__

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def __init__(self, config, *args, **kwargs):
        """Run the DllList initialiser and register the VERBOSE switch."""
        taskmods.DllList.__init__(self, config, *args, **kwargs)

        verbose_spec = {
            'short_option': 'v',
            'default': False,
            # NOTE(review): presumably tells the config layer that changing
            # this switch does not invalidate cached results -- confirm.
            'cache_invalidator': False,
            'help': "Display full path of executable",
            'action': "store_true",
        }
        config.add_option("VERBOSE", **verbose_spec)
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:8,代碼來源:cmdline.py

示例4: __init__

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def __init__(self, config, *args, **kwargs):
        """Run the DllList initialiser and register the DUMP-DIR option."""
        taskmods.DllList.__init__(self, config, *args, **kwargs)

        # Defaults to None and is not validated here; the code that writes
        # binary data must check the directory first.
        config.add_option(
            "DUMP-DIR",
            short_option="D",
            default=None,
            help="Dump binary data to this directory",
        )
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:6,代碼來源:notepad.py

示例5: __init__

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def __init__(self, config, *args, **kwargs):
        """Run the DllList initialiser, then register the dumping options.

        DUMP-DIR names the output directory; UNSAFE, MEMORY and FIX are
        boolean switches that change how the dumped image is produced.
        """
        taskmods.DllList.__init__(self, config, *args, **kwargs)

        # NOTE(review): cache_invalidator=False presumably means the output
        # location does not affect cached results -- confirm.
        config.add_option(
            'DUMP-DIR',
            short_option='D',
            default=None,
            cache_invalidator=False,
            help='Directory in which to dump executable files',
        )

        # Off by default: per its help text this skips sanity checks while
        # the image is rebuilt, so it stays an explicit opt-in.
        config.add_option(
            "UNSAFE",
            short_option="u",
            default=False,
            action='store_true',
            help='Bypasses certain sanity checks when creating image',
        )
        config.add_option(
            "MEMORY",
            short_option="m",
            default=False,
            action='store_true',
            help="Carve as a memory sample rather than exe/disk",
        )
        config.add_option(
            'FIX',
            short_option='x',
            default=False,
            help='Modify the image base of the dump to the in-memory base address',
            action='store_true',
        )
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:15,代碼來源:procdump.py

示例6: calculate

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
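def calculate(self):
        """Check the dump directory, then delegate to DllList.calculate().

        An error is reported through debug.error() when --dump-dir was not
        given or does not name an existing directory. Only existence is
        tested: the directory is not created and its permissions are not
        checked here.

        Returns:
            Whatever taskmods.DllList.calculate() returns.
        """
        dump_dir = self._config.DUMP_DIR

        # NOTE(review): this relies on debug.error() not returning; if it
        # did, os.path.isdir(None) below would raise instead -- confirm.
        if dump_dir is None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(dump_dir):
            debug.error(dump_dir + " is not a directory")

        return taskmods.DllList.calculate(self)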
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:9,代碼來源:procdump.py

示例7: __init__

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def __init__(self, config, *args, **kwargs):
        """Run the DllList initialiser, then register the display options.

        PHYSICAL-OFFSET and SILENT are boolean switches; OBJECT-TYPE takes a
        comma-separated string of object types to show.
        """
        taskmods.DllList.__init__(self, config, *args, **kwargs)

        config.add_option(
            "PHYSICAL-OFFSET",
            short_option='P',
            default=False,
            help="Physical Offset",
            action="store_true",
        )
        # No filter by default (None); parsing of the comma-separated value
        # happens outside this initialiser.
        config.add_option(
            "OBJECT-TYPE",
            short_option='t',
            default=None,
            help='Show these object types (comma-separated)',
            action='store',
            type='str',
        )
        config.add_option(
            "SILENT",
            short_option='s',
            default=False,
            action='store_true',
            help='Suppress less meaningful results',
        )
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:11,代碼來源:handles.py

示例8: __init__

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def __init__(self, config, *args, **kwargs):
        """Run the DllList initialiser and register the ADDR option."""
        taskmods.DllList.__init__(self, config, *args, **kwargs)

        # Integer address; None (the default) means no address was given.
        addr_spec = {
            'short_option': 'a',
            'default': None,
            'help': 'Show info on VAD at or containing this address',
            'action': 'store',
            'type': 'int',
        }
        config.add_option('ADDR', **addr_spec)
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:7,代碼來源:vadinfo.py

示例9: __init__

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def __init__(self, config, *args, **kwargs):
        """Run the DllList initialiser and register the PHYSICAL-OFFSET switch."""
        taskmods.DllList.__init__(self, config, *args, **kwargs)

        # NOTE(review): cache_invalidator=False presumably marks this as a
        # display-only switch that leaves cached results valid -- confirm.
        config.add_option(
            "PHYSICAL-OFFSET",
            short_option='P',
            default=False,
            cache_invalidator=False,
            help="Display physical offsets instead of virtual",
            action="store_true",
        )
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:8,代碼來源:joblinks.py

示例10: __init__

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def __init__(self, config, *args):
        """Run the DllList initialiser, then register SILENT and REGEX."""
        taskmods.DllList.__init__(self, config, *args)

        config.add_option(
            "SILENT",
            short_option="s",
            default=False,
            help="Suppress less meaningful results",
            action="store_true",
        )
        # No default is passed for REGEX, and the pattern is not compiled or
        # checked here; it is stored as a plain string.
        config.add_option(
            'REGEX',
            short_option='r',
            help='Show privileges matching REGEX',
            action='store',
            type='string',
        )
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:10,代碼來源:privileges.py

示例11: __init__

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def __init__(self, config, *args, **kwargs):
        """Run the DllList initialiser, then register the LEAK and REDR switches.

        Both are off by default, so deleted (LEAK) and redirected (REDR)
        records are only searched for when explicitly requested.
        """
        taskmods.DllList.__init__(self, config, *args, **kwargs)

        optional_records = (
            ("LEAK", 'L', 'Find LEAK records (deleted)'),
            ("REDR", 'R', 'Find REDR records (redirected)'),
        )
        for tag_name, letter, description in optional_records:
            config.add_option(tag_name, short_option=letter,
                              default=False, action='store_true',
                              help=description)
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:10,代碼來源:iehistory.py

示例12: calculate

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
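def calculate(self):
        """Yield (process, record) pairs for valid history records in process memory.

        The tags searched for are "URL " and "DEST" always, plus "LEAK" and
        "REDR" when the matching options are set. Each hit is turned into
        the record type mapped to its tag and is yielded only if the record
        reports itself valid.
        """
        ## Select the tags to scan for. Always find visited URLs,
        ## but make freed and redirected records optional.
        ## The list built here goes to the search unchanged: replacing it
        ## with a fixed ["DEST"] would make the scan skip URL, LEAK and REDR
        ## records and ignore the options without reporting anything.
        tags = ["URL ", "DEST"]
        if self._config.LEAK:
            tags.append("LEAK")
        if self._config.REDR:
            tags.append("REDR")

        ## Define the record type based on the tag
        tag_records = {
            "URL " : "_URL_RECORD",
            "LEAK" : "_URL_RECORD",
            "REDR" : "_REDR_RECORD",
            "DEST" : "_DEST_RECORD"}

        ## Keep a VAD when it has a ControlArea and its file name ends in
        ## index.dat, or when its protection value is 4.
        ## NOTE(review): 4 is presumably the read/write protection index in
        ## Volatility's VAD protection table -- confirm.
        vad_filter = lambda x : (hasattr(x, 'ControlArea') and str(x.FileObject.FileName or '').endswith("index.dat")) or (x.VadFlags.Protection.v() == 4)

        ## Enumerate processes based on the --pid and --offset
        for proc in taskmods.DllList(self._config).calculate():

            ## Acquire a process specific AS
            ps_as = proc.get_process_address_space()

            for hit in proc.search_process_memory(tags, vad_filter = vad_filter):
                ## Get a preview of the data to see what tag was detected
                tag = ps_as.read(hit, 4)

                ## Create the appropriate object type based on the tag
                ## NOTE(review): this lookup raises KeyError if the four
                ## bytes read back are not one of the searched tags (for
                ## example if the read fails) -- confirm that cannot happen
                ## for hits returned by search_process_memory.
                record = obj.Object(tag_records[tag], offset = hit, vm = ps_as)
                if record.is_valid():
                    yield proc, record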
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:36,代碼來源:iehistory.py

示例13: __init__

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def __init__(self, config, *args, **kwargs):
        """Run the DllList initialiser, then register FILTER and LISTTAGS.

        Also creates the bits32 attribute, which starts as None; this
        initialiser does not assign it a real value.
        """
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        self.bits32 = None

        # Comma-separated tag names; None (the default) means no filter given.
        config.add_option(
            "FILTER",
            short_option='F',
            default=None,
            help='Tags to filter (comma-separated)',
        )
        config.add_option(
            "LISTTAGS",
            short_option='L',
            default=False,
            action='store_true',
            help='List all available tags',
        )
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:10,代碼來源:threads.py

示例14: __init__

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def __init__(self, config, *args, **kwargs):
        """Run the DllList initialiser, then swap its options for this plugin's.

        PID and OFFSET are removed from the config, and five boolean
        switches (SCAN plus the four *-ONLY selectors) are added, all off by
        default.
        """
        taskmods.DllList.__init__(self, config, *args, **kwargs)

        # Drop the two options this plugin does not offer.
        for unwanted in ("PID", "OFFSET"):
            config.remove_option(unwanted)

        # Every remaining option is a store_true switch with the same shape.
        switches = (
            ("SCAN", 's', 'Scan for objects'),
            ("PROCESS-ONLY", 'P', 'Process only'),
            ("KERNEL-ONLY", 'K', 'Kernel only'),
            ("IMPORT-ONLY", 'I', 'Imports only'),
            ("EXPORT-ONLY", 'E', 'Exports only'),
        )
        for opt_name, opt_letter, opt_help in switches:
            config.add_option(opt_name, short_option=opt_letter, default=False,
                              action='store_true', help=opt_help)
開發者ID:virtualrealitysystems,項目名稱:aumfor,代碼行數:16,代碼來源:enumfunc.py

示例15: calculate

# 需要導入模塊: from volatility.plugins import taskmods [as 別名]
# 或者: from volatility.plugins.taskmods import DllList [as 別名]
def calculate(self):
        """Yield (process, record) pairs for valid history records in process memory.

        "URL " and "DEST" tags are always searched for; "LEAK" and "REDR" are
        added when the matching options are set. Each hit becomes the record
        type mapped to its tag and is yielded only if the record reports
        itself valid.
        """
        ## Visited-URL tags are always scanned; freed and redirected
        ## records are opt-in through the config.
        optional_tags = (("LEAK", self._config.LEAK), ("REDR", self._config.REDR))
        scan_tags = ["URL ", "DEST"]
        scan_tags.extend(name for name, enabled in optional_tags if enabled)

        ## Record type to instantiate for each tag
        record_type_for = {
            "URL ": "_URL_RECORD",
            "LEAK": "_URL_RECORD",
            "REDR": "_REDR_RECORD",
            "DEST": "_DEST_RECORD",
        }

        def vad_filter(vad):
            ## Keep VADs with a ControlArea whose file name ends in index.dat ...
            if hasattr(vad, 'ControlArea') and str(vad.FileObject.FileName or '').endswith("index.dat"):
                return True
            ## ... or whose protection value is 4.
            ## NOTE(review): presumably the read/write protection index in
            ## Volatility's VAD protection table -- confirm.
            return vad.VadFlags.Protection.v() == 4

        ## Enumerate processes based on the --pid and --offset
        for proc in taskmods.DllList(self._config).calculate():
            ## Process-specific address space
            proc_space = proc.get_process_address_space()

            for address in proc.search_process_memory(scan_tags, vad_filter = vad_filter):
                ## Read the four tag bytes back to learn which tag matched
                found_tag = proc_space.read(address, 4)

                ## Build the record type that belongs to that tag
                candidate = obj.Object(record_type_for[found_tag], offset = address, vm = proc_space)
                if not candidate.is_valid():
                    continue
                yield proc, candidate
開發者ID:volatilityfoundation,項目名稱:volatility,代碼行數:34,代碼來源:iehistory.py


注:本文中的volatility.plugins.taskmods.DllList方法示例由純淨天空整理自Github/MSDocs等開源代碼及文檔管理平台,相關代碼片段篩選自各路編程大神貢獻的開源項目,源碼版權歸原作者所有,傳播和使用請參考對應項目的License;未經允許,請勿轉載。