本文整理匯總了Python中volatility.utils.Hexdump方法的典型用法代碼示例。如果您正苦於以下問題:Python utils.Hexdump方法的具體用法?Python utils.Hexdump怎麽用?Python utils.Hexdump使用的例子?那麽, 這裏精選的方法代碼示例或許可以為您提供幫助。您也可以進一步了解該方法所在類volatility.utils的用法示例。
在下文中一共展示了utils.Hexdump方法的15個代碼示例,這些例子默認根據受歡迎程度排序。您可以為喜歡或者感覺有用的代碼點讚,您的評價將有助於係統推薦出更棒的Python代碼示例。
示例1: generator
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def generator(self, data):
first = True
for data_raw, ap in data:
if first and hasattr(ap, "Enabled"):
first = False
audit = "Disabled"
if int(ap.Enabled) != 0:
audit = "Enabled"
yield (0, ["GeneralAuditing", audit])
for k in ap.members.keys():
if k != "Enabled":
yield (0, ["{0}".format(k), "{0}".format(ap.m(k))])
if self._config.HEX:
# for now, not sure how to handle hexdump data
raw = "\n".join(["{0:010x}: {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(data_raw)])
print raw 示例2: get_alloc
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def get_alloc(self, addr_space):
'''
Mimics the Volatility malfind plugin
'''
import volatility.plugins.malware.malfind as malfind
import volatility.utils as utils
mfind = malfind.Malfind(self.vol.config)
for task in mfind.calculate():
for vad, address_space in task.get_vads(vad_filter=task._injection_filter):
if mfind._is_vad_empty(vad, address_space):
continue
content = address_space.zread(vad.Start, 16)
content = "{0}".format("\n".join(
["{0:<48} {1}".format(h, ''.join(c))
for o, h, c in utils.Hexdump(content)
]))
offset = "{0:#x}".format(vad.Start)
yield Injection(task, vad, offset, content) 示例3: render_text
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_text(self, outfd, data):
for device in data:
ext = device.DeviceExtension.dereference_as("EXTENSION")
if not ext.is_valid():
continue
outfd.write("Container: {0}\n".format(ext.wszVolume))
outfd.write("Hidden Volume: {0}\n".format("Yes" if ext.cryptoInfo.hiddenVolume == 1 else "No"))
outfd.write("Removable: {0}\n".format("Yes" if ext.bRemovable == 1 else "No"))
outfd.write("Read Only: {0}\n".format("Yes" if ext.bReadOnly == 1 else "No"))
outfd.write("Disk Length: {0} (bytes)\n".format(ext.DiskLength))
outfd.write("Host Length: {0} (bytes)\n".format(ext.HostLength))
outfd.write("Encryption Algorithm: {0}\n".format(ext.cryptoInfo.ea))
outfd.write("Mode: {0}\n".format(ext.cryptoInfo.mode))
outfd.write("Master Key\n")
key = device.obj_vm.read(ext.cryptoInfo.master_keydata.obj_offset, 64)
addr = ext.cryptoInfo.master_keydata.obj_offset
outfd.write("{0}\n".format("\n".join(
["{0:#010x} {1:<48} {2}".format(addr + o, h, ''.join(c))
for o, h, c in utils.Hexdump(key)
])))
if self._config.DUMP_DIR:
if not os.path.isdir(self._config.DUMP_DIR):
debug.error("The path {0} is not a valid directory".format(self._config.DUMP_DIR))
name = "{0:#x}_master.key".format(addr)
keyfile = os.path.join(self._config.DUMP_DIR, name)
with open(keyfile, "wb") as handle:
handle.write(key)
outfd.write("Dumped {0} bytes to {1}\n".format(len(key), keyfile))
outfd.write("\n") 示例4: render_text
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_text(self, outfd, data):
for task, address, hit, buf in data:
if task:
outfd.write("Task: {0} pid {1} rule {2} addr {3:#x}\n".format(
task.comm, task.pid, hit.rule, address))
else:
outfd.write("[kernel] rule {0} addr {1:#x}\n".format(hit.rule, address))
outfd.write("".join(["{0:#010x} {1:<48} {2}\n".format(
address + o, h, ''.join(c)) for o, h, c in utils.Hexdump(buf)])) 示例5: render_text
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_text(self, outfd, data):
for task, address, hit, buf in data:
if task:
outfd.write("Task: {0} pid {1} rule {2} addr {3:#x}\n".format(
task.p_comm, task.p_pid, hit.rule, address))
else:
outfd.write("[kernel] rule {0} addr {1:#x}\n".format(hit.rule, address))
outfd.write("".join(["{0:#018x} {1:<48} {2}\n".format(
address + o, h, ''.join(c)) for o, h, c in utils.Hexdump(buf)])) 示例6: render_text
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_text(self, outfd, data):
for task in data:
proc_as = task.get_process_address_space()
bit_string = str(task.task.map.pmap.pm_task_map or '')[9:]
if bit_string == "64BIT":
bits = '64bit'
else:
bits = '32bit'
for map in task.get_proc_maps():
if map.is_suspicious():
fname = map.get_path()
prots = map.get_perms()
content = proc_as.zread(map.start, 64)
outfd.write("Process: {0} Pid: {1} Address: {2:#x} File: {3}\n".format(
task.p_comm, task.p_pid, map.start, fname))
outfd.write("Protection: {0}\n".format(prots))
outfd.write("\n")
outfd.write("{0}\n".format("\n".join(
["{0:#010x} {1:<48} {2}".format(map.start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
])))
outfd.write("\n")
outfd.write("\n".join(
["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in malfind.Disassemble(content, map.start, bits = bits)
]))
outfd.write("\n\n") 示例7: render_text
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_text(self, outfd, data):
for k in data:
outfd.write(k + "\n")
for offset, hex, chars in utils.Hexdump(data[k]):
outfd.write("{0:#010x} {1:<48} {2}\n".format(offset, hex, ''.join(chars)))
outfd.write("\n") 示例8: render_text
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_text(self, outfd, data):
for data_raw, ap in data:
if self._config.HEX:
raw = "\n".join(["{0:010x}: {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(data_raw)])
outfd.write(raw + "\n\n")
outfd.write("{0}\n".format(str(ap))) 示例9: render_text
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_text(self, outfd, data):
keyfound = False
for win7, reg, key in data:
if key:
keyfound = True
outfd.write("----------------------------\n")
outfd.write("Registry: {0}\n".format(reg))
outfd.write("Path: {0}\n".format(self.regapi.reg_get_key_path(key)))
outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
outfd.write("\n")
outfd.write("Subkeys:\n")
for s in self.regapi.reg_get_all_subkeys(None, None, given_root = key):
if s.Name == None:
outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
else:
outfd.write(" {0}\n".format(s.Name))
outfd.write("\n")
outfd.write("Values:\n")
for subname, dat in self.regapi.reg_yield_values(None, None, given_root = key, thetype = "REG_BINARY"):
dat_raw = dat
dat = "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
try:
subname = subname.encode('rot_13')
except UnicodeDecodeError:
pass
if win7:
guid = subname.split("\\")[0]
if guid in folder_guids:
subname = subname.replace(guid, folder_guids[guid])
d = self.parse_data(dat_raw)
if d != None:
dat = "{0}Raw Data:\n{1}".format(d, dat)
else:
dat = "Raw Data:\n{0}".format(dat)
outfd.write("\n{0:13} {1:15} : {2}\n".format("REG_BINARY", subname, dat))
if not keyfound:
outfd.write("The requested key could not be found in the hive(s) searched\n") 示例10: render_text
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_text(self, outfd, data):
outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
keyfound = False
for reg, key in data:
if key:
keyfound = True
outfd.write("----------------------------\n")
outfd.write("Registry: {0}\n".format(reg))
outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
outfd.write("\n")
outfd.write("Subkeys:\n")
for s in rawreg.subkeys(key):
if s.Name == None:
outfd.write(" Unknown subkey: " + s.Name.reason + "\n")
else:
outfd.write(" {1:3s} {0}\n".format(s.Name, self.voltext(s)))
outfd.write("\n")
outfd.write("Values:\n")
for v in rawreg.values(key):
tp, dat = rawreg.value_data(v)
if tp == 'REG_BINARY' or tp == 'REG_NONE':
dat = "\n" + "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
dat = dat.encode("ascii", 'backslashreplace')
if tp == 'REG_MULTI_SZ':
for i in range(len(dat)):
dat[i] = dat[i].encode("ascii", 'backslashreplace')
outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, v.Name, dat, self.voltext(v)))
if not keyfound:
outfd.write("The requested key could not be found in the hive(s) searched\n") 示例11: render_text
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_text(self, outfd, data):
if self._config.DUMP_DIR and not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
for o, addr, hit, content in data:
outfd.write("Rule: {0}\n".format(hit.rule))
# Find out if the hit is from user or kernel mode
if o == None:
outfd.write("Owner: (Unknown Kernel Memory)\n")
filename = "kernel.{0:#x}.dmp".format(addr)
elif o.obj_name == "_EPROCESS":
outfd.write("Owner: Process {0} Pid {1}\n".format(o.ImageFileName,
o.UniqueProcessId))
filename = "process.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)
else:
outfd.write("Owner: {0}\n".format(o.BaseDllName))
filename = "kernel.{0:#x}.{1:#x}.dmp".format(o.obj_offset, addr)
# Dump the data if --dump-dir was supplied
if self._config.DUMP_DIR:
path = os.path.join(self._config.DUMP_DIR, filename)
fh = open(path, "wb")
fh.write(content)
fh.close()
outfd.write("".join(
["{0:#010x} {1:<48} {2}\n".format(addr + o, h, ''.join(c))
for o, h, c in utils.Hexdump(content)
]))
#--------------------------------------------------------------------------------
# malfind
#-------------------------------------------------------------------------------- 示例12: render_text
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_text(self, outfd, data):
for task, struct_base, key in data:
hex = "\n".join(["{0:#010x} {1:<48} {2}".format(
struct_base + 0x2a + o,
h, ''.join(c)) for o, h, c in utils.Hexdump(key)
])
outfd.write("Process: {0} {1}\n".format(
task.UniqueProcessId, task.ImageFileName))
outfd.write(hex)
outfd.write("\n")
#--------------------------------------------------------------------------------
# Scanner for Zeus >= 2.0
#-------------------------------------------------------------------------------- 示例13: render_extra
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_extra(self, outfd, task, vad, params):
"""Show any Zeus specific fields"""
rc4_offset = task.obj_vm.profile.get_obj_offset(self.magic_struct, 'rc4key')
creds_key = params['decoded_magic'][rc4_offset:rc4_offset + RC4_KEYSIZE]
outfd.write("{0:<30} : \n{1}\n".format("Credential RC4 key",
"\n".join(
["{0:#010x} {1:<48} {2}".format(vad.Start + o, h, ''.join(c))
for o, h, c in utils.Hexdump(creds_key)
]))) 示例14: render_text
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_text(self, outfd, data):
outfd.write("Legend: (S) = Stable (V) = Volatile\n\n")
keyfound = False
for reg, key in data:
if key:
keyfound = True
outfd.write("----------------------------\n")
outfd.write("Registry: {0}\n".format(reg))
outfd.write("Key name: {0} {1:3s}\n".format(key.Name, self.voltext(key)))
outfd.write("Last updated: {0}\n".format(key.LastWriteTime))
outfd.write("\n")
outfd.write("Subkeys:\n")
for s in rawreg.subkeys(key):
if s.Name == None:
outfd.write(" Unknown subkey at {0:#x}\n".format(s.obj_offset))
else:
outfd.write(" {1:3s} {0}\n".format(s.Name, self.voltext(s)))
outfd.write("\n")
outfd.write("Values:\n")
for v in rawreg.values(key):
tp, dat = rawreg.value_data(v)
if tp == 'REG_BINARY' or tp == 'REG_NONE':
dat = "\n" + "\n".join(["{0:#010x} {1:<48} {2}".format(o, h, ''.join(c)) for o, h, c in utils.Hexdump(dat)])
if tp in ['REG_SZ', 'REG_EXPAND_SZ', 'REG_LINK']:
dat = dat.encode("ascii", 'backslashreplace')
if tp == 'REG_MULTI_SZ':
for i in range(len(dat)):
dat[i] = dat[i].encode("ascii", 'backslashreplace')
outfd.write("{0:13} {1:15} : {3:3s} {2}\n".format(tp, v.Name, dat, self.voltext(v)))
if not keyfound:
outfd.write("The requested key could not be found in the hive(s) searched\n") 示例15: render_text
# 需要導入模塊: from volatility import utils [as 別名]
# 或者: from volatility.utils import Hexdump [as 別名]
def render_text(self, outfd, data):
for device in data:
ext = device.DeviceExtension.dereference_as("EXTENSION")
outfd.write("Container: {0}\n".format(ext.wszVolume))
outfd.write("Hidden Volume: {0}\n".format("Yes" if ext.cryptoInfo.hiddenVolume == 1 else "No"))
outfd.write("Removable: {0}\n".format("Yes" if ext.bRemovable == 1 else "No"))
outfd.write("Read Only: {0}\n".format("Yes" if ext.bReadOnly == 1 else "No"))
outfd.write("Disk Length: {0} (bytes)\n".format(ext.DiskLength))
outfd.write("Host Length: {0} (bytes)\n".format(ext.HostLength))
outfd.write("Encryption Algorithm: {0}\n".format(ext.cryptoInfo.ea))
outfd.write("Mode: {0}\n".format(ext.cryptoInfo.mode))
outfd.write("Master Key\n")
key = device.obj_vm.read(ext.cryptoInfo.master_keydata.obj_offset, 64)
addr = ext.cryptoInfo.master_keydata.obj_offset
outfd.write("{0}\n".format("\n".join(
["{0:#010x} {1:<48} {2}".format(addr + o, h, ''.join(c))
for o, h, c in utils.Hexdump(key)
])))
if self._config.DUMP_DIR:
if not os.path.isdir(self._config.DUMP_DIR):
debug.error("The path {0} is not a valid directory".format(self._config.DUMP_DIR))
name = "{0:#x}_master.key".format(addr)
keyfile = os.path.join(self._config.DUMP_DIR, name)
with open(keyfile, "wb") as handle:
handle.write(key)
outfd.write("Dumped {0} bytes to {1}\n".format(len(key), keyfile))
outfd.write("\n")