本文整理汇总了Python中volatility.win32.tasks.get_kdbg函数的典型用法代码示例。如果您正苦于以下问题:Python get_kdbg函数的具体用法?Python get_kdbg怎么用?Python get_kdbg使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了get_kdbg函数的19个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Python代码示例。
示例1: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
# Currently we only support x86. The x64 does still have a IDT
# but hooking is prohibited and results in bugcheck.
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
# Get the GDT for access to selector bases
gdt = dict((i * 8, sd) for i, sd in kpcr.gdt_entries())
for i, entry in kpcr.idt_entries():
# Where the IDT entry points.
addr = entry.Address
# Per MITRE, add the GDT selector base if available.
# This allows us to detect sneaky attempts to hook IDT
# entries by changing the entry's GDT selector.
gdt_entry = gdt.get(entry.Selector.v())
if gdt_entry != None and "Code" in gdt_entry.Type:
addr += gdt_entry.Base
# Lookup the function's owner
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))
yield i, entry, addr, module
开发者ID:RaptorFactor,项目名称:volatility,代码行数:28,代码来源:idt.py
示例2: generate_suggestions
def generate_suggestions(self):
"""The nt!PoolBigPageTable and nt!PoolBigPageTableSize
are found relative to nt!PoolTrackTable"""
track_table = tasks.get_kdbg(self.obj_vm).PoolTrackTable
for pair in self.distance:
table_base = obj.Object("address",
offset = track_table - pair[0],
vm = self.obj_vm)
table_size = obj.Object("address",
offset = track_table - pair[1],
vm = self.obj_vm)
if (table_base % 0x1000 == 0 and
self.obj_vm.is_valid_address(table_base) and
table_size != 0 and
table_size % 0x1000 == 0 and
table_size < 0x1000000):
break
debug.debug("Distance Map: {0}".format(repr(self.distance)))
debug.debug("PoolTrackTable: {0:#x}".format(track_table))
debug.debug("PoolBigPageTable: {0:#x} => {1:#x}".format(table_base.obj_offset, table_base))
debug.debug("PoolBigPageTableSize: {0:#x} => {1:#x}".format(table_size.obj_offset, table_size))
yield table_base, table_size
开发者ID:expressDESERT,项目名称:volatility,代码行数:27,代码来源:bigpagepools.py
示例3: __init__
def __init__(self, config, *args, **kwargs):
commands.Command.__init__(self, config, *args, **kwargs)
config.add_option("BUILD_SYMBOLS", default = False, action = 'store_true', cache_invalidator = False, help = "Build symbol table information")
config.add_option("USE_SYMBOLS", default = False, action = 'store_true', cache_invalidator = False, help = "Use symbol servers to resolve process addresses to module names")
self.kdbg = tasks.get_kdbg(utils.load_as(config))
self.build_symbols = getattr(config, 'BUILD_SYMBOLS', False)
self.use_symbols = getattr(config, 'USE_SYMBOLS', False)
开发者ID:binsrc,项目名称:volatility-1,代码行数:8,代码来源:symbols.py
示例4: calculate
def calculate(self):
kernel_space = utils.load_as(self._config)
if not self.is_valid_profile(kernel_space.profile):
debug.error("Windows XP/2003 does not track pool tags")
knowntags = {}
if self._config.TAGFILE and os.path.isfile(self._config.TAGFILE):
taglines = open(self._config.TAGFILE).readlines()
for tag in taglines:
tag = tag.strip()
if tag.startswith("rem") or tag.startswith(" ") or tag == "":
continue
info = tag.split("-", 2)
try:
key = info[0].strip()
driver = info[1].strip()
reason = info[2].strip()
except IndexError:
continue
knowntags[key] = (driver, reason)
track_table = tasks.get_kdbg(kernel_space).PoolTrackTable
# not really an address, this is just a trick to get
# a 32bit number on x86 and 64bit number on x64. the
# size is always directly before the pool table.
table_size = obj.Object("address", offset =
track_table - kernel_space.profile.get_obj_size("address"),
vm = kernel_space
)
track_table = track_table.dereference_as("address")
entries = obj.Object("Array", targetType = "_POOL_TRACKER_TABLE",
offset = track_table, count = table_size,
vm = kernel_space
)
if self._config.TAGS:
tags = [tag for tag in self._config.TAGS.split(",")]
else:
tags = []
for entry in entries:
if not self._config.SHOW_FREE:
if entry.PagedBytes == 0 and entry.NonPagedBytes == 0:
continue
if not tags or entry.Key in tags:
try:
(driver, reason) = knowntags[str(entry.Key).strip()]
if self._config.WHITELIST:
continue
except KeyError:
(driver, reason) = ("", "")
yield entry, driver, reason
开发者ID:cephurs,项目名称:volatility,代码行数:58,代码来源:pooltracker.py
示例5: calculate
def calculate(self):
if not has_pydeep:
debug.error(
"Please install ssdeep and pydeep from http://ssdeep.sourceforge.net/ and https://github.com/kbandla/pydeep"
)
addr_space = utils.load_as(self._config)
self._addr_space = addr_space
page_sig = self._pydeep_page()
if page_sig == None:
debug.error("Pydeep was not able to hash the input")
if self._config.KERNEL:
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigSSDeepScanner(address_space=session_space, rules=rules)
for hit, address in scanner.scan(start_offset=start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))
else:
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadSSDeepScanner(task=task, pydeep_hash=page_sig)
for sig, vStart, vLength, offset, alike in scanner.scan():
yield (task, sig, vStart, vLength, offset, alike, scanner.address_space.zread(offset, 0x1000))
开发者ID:xueyi28,项目名称:volgui,代码行数:56,代码来源:ssdeepscan.py
示例6: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
# Currently we only support x86. The x64 does still have a GDT
# but hooking is prohibited and results in bugcheck.
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
for i, entry in kpcr.gdt_entries():
yield i, entry
开发者ID:Jack47,项目名称:volatility,代码行数:11,代码来源:idt.py
示例7: calculate
def calculate(self):
if not has_yara:
debug.error("Please install Yara from code.google.com/p/yara-project")
addr_space = utils.load_as(self._config)
rules = self._compile_rules()
if self._config.KERNEL:
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address, 1024))
else:
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit, scanner.address_space.zread(address, 1024))
开发者ID:Austi,项目名称:volatility,代码行数:53,代码来源:malfind.py
示例8: get_bugcheck_callbacks
def get_bugcheck_callbacks(self):
"""
Enumerate generic Bugcheck callbacks.
Note: These structures don't exist in tagged pools, but you can find
them via KDDEBUGGER_DATA64 on all versions of Windows.
"""
kbcclh = tasks.get_kdbg(self.kern_space).KeBugCheckCallbackListHead.dereference_as('_KBUGCHECK_CALLBACK_RECORD')
for l in kbcclh.Entry.list_of_type("_KBUGCHECK_CALLBACK_RECORD", "Entry"):
yield "KeBugCheckCallbackListHead", l.CallbackRoutine, l.Component.dereference()
开发者ID:MemForsKing,项目名称:memfors4all,代码行数:12,代码来源:callbacksf.py
示例9: check_pspcid
def check_pspcid(self, addr_space):
"""Enumerate processes by walking the PspCidTable"""
ret = dict()
# Follow the pointers to the table base
kdbg = tasks.get_kdbg(addr_space)
PspCidTable = kdbg.PspCidTable.dereference().dereference()
# Walk the handle table
for handle in PspCidTable.handles():
if handle.get_object_type() == "Process":
process = handle.dereference_as("_EPROCESS")
ret[process.obj_vm.vtop(process.obj_offset)] = process
return ret
开发者ID:Jonnyliu,项目名称:Malware_Analysis,代码行数:15,代码来源:psxview.py
示例10: calculate
def calculate(self):
if not has_yara:
debug.error("Please install Yara from code.google.com/p/yara-project")
addr_space = utils.load_as(self._config)
rules = yara.compile(sources=ghost_sig)
decrypted_data = None
mal_proc = {}
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = malfind.DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
content = session_space.zread(address,1024)
header_size = content.find("\x78\x9c")
magic_header_size = header_size - 8
magic_keyword = content[:magic_header_size]
comp_uncomp_size = content[magic_header_size:header_size]
s = struct.Struct("I I")
comp_size, uncomp_size = s.unpack(comp_uncomp_size)
enc_data = content[0:comp_size]
to_decrypt = content[header_size:comp_size]
dec_data = self.decrypt_communication(to_decrypt)
if not mal_proc:
self.get_ghost_process(magic_keyword, mal_proc, addr_space)
os_version = self.get_os_version(addr_space)
yield (mal_proc, address, magic_keyword, enc_data, dec_data, os_version)
开发者ID:Alpha-10000,项目名称:Volatility,代码行数:41,代码来源:ghostrat.py
示例11: _scan_kernel_memory
def _scan_kernel_memory(self, addr_space, rules):
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address - self._config.REVERSE, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:37,代码来源:malfind.py
示例12: calculate
def calculate(self):
## Stop executing if the user did not mean to overwrite the file
if os.path.isfile(self.save_location):
resp = raw_input("Are you sure you want to overwrite {}? [Y/n] ".format(self.save_location))
if resp.upper() == 'N':
self.abort = True
return # Not continuing
## Read from existing target configuration (if modifying)
if self._config.MODIFY:
self.new_config.read(self.save_location)
## Attempt to automatically determine profile
if self._config.AUTO:
print("Determining profile based on KDBG search...")
self.suglist = [ s for s, _ in kdbgscan.KDBGScan.calculate(self)]
if self.suglist:
self.new_config.set("DEFAULT", "profile", self.suglist[0])
## Update profile so --offsets will work
self._config.PROFILE = self.suglist[0]
self._exclude_options.append('profile')
else:
print("Failed to determine profile")
## Read in current command line (precedence over settings in configs)
for key in self._config.opts:
if key not in self._exclude_options:
self.new_config.set("DEFAULT", key, self._config.opts[key])
## Add to excluded list so we do not overwrite them later
self._exclude_options.append(key)
## Save options from configuration files (unless excluded by user)
if self._config.EXCLUDE_CONF == False:
for key in self._config.cnf_opts:
if key not in self._exclude_options:
self.new_config.set("DEFAULT", key, self._config.cnf_opts[key])
## Get offsets (KDBG and DTB)
if self._config.OFFSETS:
addr_space = utils.load_as(self._config)
kdbg = tasks.get_kdbg(addr_space)
self.new_config.set("DEFAULT", "kdbg", str(kdbg.v()))
if hasattr(addr_space, "dtb"):
self.new_config.set("DEFAULT", "dtb", str(addr_space.dtb))
## Ensure DTB and KDBG are converted properly at the last moment:
## Note, volatility will convert these to int when read from CNF_OPTS
try:
kdbg = self.new_config.get("DEFAULT", "kdbg")
self.new_config.set("DEFAULT", "kdbg", str(hex(int(kdbg))))
except ConfigParser.NoOptionError:
pass
try:
dtb = self.new_config.get("DEFAULT", "dtb")
self.new_config.set("DEFAULT", "dtb", str(hex(int(dtb))))
except ConfigParser.NoOptionError:
pass
## Write the new configuration file
with open(self.save_location, "wb") as configfile:
self.new_config.write(configfile)
开发者ID:BryanSingh,项目名称:volatility,代码行数:64,代码来源:saveconfig.py
示例13: calculate
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
# Get the OS version we're analyzing
version = (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
modlist = list(modules.lsmod(addr_space))
mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
mod_addrs = sorted(mods.keys())
# KTIMERs collected
timers = []
# Valid KTIMER.Header.Type values
TimerNotificationObject = 8
TimerSynchronizationObject = 9
valid_types = (TimerNotificationObject, TimerSynchronizationObject)
if version == (5, 1) or (version == (5, 2) and
addr_space.profile.metadata.get('build', 0) == 3789):
# On XP SP0-SP3 x86 and Windows 2003 SP0, KiTimerTableListHead
# is an array of 256 _LIST_ENTRY for _KTIMERs.
KiTimerTableListHead = self.find_list_head(modlist[0],
"KeUpdateSystemTime",
"\x25\xFF\x00\x00\x00\x8D\x0C\xC5")
lists = obj.Object("Array", offset = KiTimerTableListHead,
vm = addr_space,
targetType = '_LIST_ENTRY',
count = 256)
for l in lists:
for t in l.list_of_type("_KTIMER", "TimerListEntry"):
timers.append(t)
elif version == (5, 2) or version == (6, 0):
# On XP x64, Windows 2003 SP1-SP2, and Vista SP0-SP2, KiTimerTableListHead
# is an array of 512 _KTIMER_TABLE_ENTRY structs.
KiTimerTableListHead = self.find_list_head(modlist[0],
"KeCancelTimer",
"\xC1\xE7\x04\x81\xC7")
lists = obj.Object("Array", offset = KiTimerTableListHead,
vm = addr_space,
targetType = '_KTIMER_TABLE_ENTRY',
count = 512)
for l in lists:
for t in l.Entry.list_of_type("_KTIMER", "TimerListEntry"):
timers.append(t)
elif version == (6, 1):
# On Windows 7, there is no more KiTimerTableListHead. The list is
# at _KPCR.PrcbData.TimerTable.TimerEntries (credits to Matt Suiche
# for this one. See http://pastebin.com/FiRsGW3f).
for kpcr in tasks.get_kdbg(addr_space).kpcrs():
for table in kpcr.ProcessorBlock.TimerTable.TimerEntries:
for t in table.Entry.list_of_type("_KTIMER", "TimerListEntry"):
timers.append(t)
for timer in timers:
# Sanity check on the timer type
if timer.Header.Type not in valid_types:
continue
# Ignore timers without DPCs
if not timer.Dpc.is_valid() or not timer.Dpc.DeferredRoutine.is_valid():
continue
# Lookup the module containing the DPC
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(timer.Dpc.DeferredRoutine))
yield timer, module
开发者ID:Austi,项目名称:volatility,代码行数:83,代码来源:timers.py
示例14: lsmod
def lsmod(addr_space):
""" A Generator for modules """
for m in tasks.get_kdbg(addr_space).modules():
yield m
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:5,代码来源:modules.py
示例15: calculate
def calculate(self):
if self._config.SLACK and (self._config.DSTS or self._config.PCAP):
debug.error('SLACK can\'t be used with PCAP or DSTS')
# Make sure the MAC address is valid
if self._config.MAC:
hex_mac = self.validate_mac(self._config.MAC)
if not hex_mac:
debug.error('Invalid MAC address')
# Ensure PCAP file won't overwrite an existing file
if self._config.PCAP and os.path.exists(self._config.PCAP):
debug.error('\'{}\' already exists. Cowardly refusing to overwrite it...'.format(
self._config.PCAP))
# Ensure DSTS file won't overwrite an existing file
if self._config.DSTS and os.path.exists(self._config.DSTS):
debug.error('\'{}\' already exists. Cowardly refusing to overwrite it...'.format(
self._config.DSTS))
if self._config.SLACK:
# Compiled RegEx = (tiny) increase in efficiency
# NetBIOS code chars
self.rx_nbchars = re.compile('^([ACDEFH][A-P])+$')
# Get the start of kernel space
addr_space = utils.load_as(self._config)
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# 64-bit to 48-bit adjustment
# TODO: Is there a more Volatility-esque way of doing this?
if start > 0xffff000000000000:
start = start & 0x0000ffffffffffff
macs = set() # Store the MAC addresses we find
if self._config.MAC:
macs.add(hex_mac)
else: # No MAC provided, so we'd better try and find one
# Attemp 1: NDsh
new_macs = self.macfind_ndsh(addr_space, start)
if new_macs:
for new_mac in new_macs:
macs.add(new_mac)
if len(macs) < 1:
debug.error('No MAC addresses found.')
hits = []
_MAX_SLACK_LENGTH = 128
for session_space in self.gen_session_spaces(addr_space):
for mac in macs:
scanner = MacScanner(mac)
for address in scanner.scan(session_space, offset=start):
if address in hits:
continue
hits.append(address)
eth = obj.Object('_ETHERNET', vm=session_space, offset=address)
if eth.eth_type == 0x0800 or eth.eth_type == 0x86dd:
raw = session_space.zread(address, 2048)
# Parse ethernet's payload
if eth.eth_type == 0x0800: # IPv4:
eth_payload = obj.Object('_IPv4', vm=session_space,
offset = eth.v() + 0x0E)
end = 14 + eth_payload.length
if self._config.SLACK:
yield address, raw[end:end+_MAX_SLACK_LENGTH]
continue
raw = raw[:end]
elif eth.eth_type == 0x86dd: # IPv6
eth_payload = obj.Object('_IPv6', vm=session_space,
offset = eth.v() + 0x0E)
end = 14 + 40 + eth_payload.pld_len
if self._config.SLACK:
yield address, raw[end:end+_MAX_SLACK_LENGTH]
continue
raw = raw[:end]
else: # This shouldn't happen, but just in case
continue
# Parse ethernet's payload's payload
if eth_payload.is_tcp():
payload = obj.Object('_TCP', vm=session_space,
offset=eth_payload.payload_offset())
elif eth_payload.is_udp():
payload = obj.Object('_UDP', vm=session_space,
offset=eth_payload.payload_offset())
else:
yield raw, eth, eth_payload, None
continue
yield raw, eth, eth_payload, payload
开发者ID:Alpha-10000,项目名称:Volatility,代码行数:99,代码来源:ndispktscan.py
示例16: calculate
def calculate(self):
if not has_yara:
debug.error("Please install Yara from code.google.com/p/yara-project")
addr_space = utils.load_as(self._config)
if self._config.YARA_RULES:
s = self._config.YARA_RULES
# Don't wrap hex or regex rules in quotes
if s[0] not in ("{", "/"): s = '"' + s + '"'
# Scan for unicode strings
if self._config.WIDE: s += "wide"
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
})
elif self._config.YARA_FILE:
rules = yara.compile(self._config.YARA_FILE)
else:
debug.error("You must specify a string (-Y) or a rules file (-y)")
if self._config.KERNEL:
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
# FIXME: Addresses should be truncated to 48 bits. Currently
# we do that in Pointer.__eq__ but not in Pointer.v(). This prevents
# module lookups in yarascan's --kernel mode on x64 from working
# properly because win32.tasks.find_module cannot match the truncated
# address with non-truncated mod.DllBase.v(). Changing Pointer.v()
# could have wide spread effects, so this yarascan issue is fixed
# temporarily by giving YaraScan a private version of find_module
# that performs the pointer truncation. After fixing this globally,
# we can dereference MmSystemRangeStart as a Pointer instead of an
# address and then remove the manual bitmask below.
start = kdbg.MmSystemRangeStart.dereference_as("address")
start = start & 0xffffffffffff
# Modules so we can map addresses to owners
mods = dict((mod.DllBase & 0xffffffffffff, mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = self.find_module(mods, mod_addrs, address)
yield (module, address, hit, session_space.zread(address, 1024))
else:
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit, scanner.address_space.zread(address, 1024))
开发者ID:Jonnyliu,项目名称:Malware_Analysis,代码行数:76,代码来源:malfind.py
示例17: calculate
def calculate(self):
if not has_yara:
debug.error("Please install Yara from code.google.com/p/yara-project")
addr_space = utils.load_as(self._config)
if self._config.YARA_RULES:
s = self._config.YARA_RULES
# Don't wrap hex or regex rules in quotes
if s[0] not in ("{", "/"): s = '"' + s + '"'
# Scan for unicode strings
if self._config.WIDE: s += "wide"
rules = yara.compile(sources = {
'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
})
elif self._config.YARA_FILE:
rules = yara.compile(self._config.YARA_FILE)
else:
debug.error("You must specify a string (-Y) or a rules file (-y)")
if self._config.KERNEL:
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((mod.DllBase, mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, address)
yield (module, address, hit, session_space.zread(address, 1024))
else:
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit, scanner.address_space.zread(address, 1024))
开发者ID:carmaa,项目名称:volatility-2.2-python3,代码行数:65,代码来源:malfind.py
示例18: findcookie
def findcookie(self, kernel_space):
"""Find and read the nt!ObHeaderCookie value.
On success, return True and save the cookie value in self._cookie.
On Failure, return False.
This method must be called before performing any tasks that require
object header validation including handles, psxview (due to pspcid)
and the object scanning plugins (psscan, etc).
NOTE: this cannot be implemented as a volatility "magic" class,
because it must be persistent across various classes and sources.
We don't want to recalculate the cookie value multiple times.
"""
meta = kernel_space.profile.metadata
vers = (meta.get("major", 0), meta.get("minor", 0))
# this algorithm only applies to Windows 10 or greater
if vers < (6, 4):
return True
# prevent subsequent attempts from recalculating the existing value
if self._cookie:
return True
if not has_distorm:
debug.warning("distorm3 module is not installed")
return False
kdbg = tasks.get_kdbg(kernel_space)
nt_mod = list(kdbg.modules())[0]
addr = nt_mod.getprocaddress("ObGetObjectType")
if addr == None:
debug.warning("Cannot find nt!ObGetObjectType")
return False
# produce an absolute address by adding the DLL base to the RVA
addr += nt_mod.DllBase
if not nt_mod.obj_vm.is_valid_address(addr):
debug.warning("nt!ObGetObjectType at {0} is invalid".format(addr))
return False
# in theory...but so far we haven't tested 32-bits
model = meta.get("memory_model")
if model == "32bit":
mode = distorm3.Decode32Bits
else:
mode = distorm3.Decode64Bits
data = nt_mod.obj_vm.read(addr, 100)
ops = distorm3.Decompose(addr, data, mode, distorm3.DF_STOP_ON_RET)
addr = None
# search backwards from the RET and find the MOVZX
if model == "32bit":
# movzx ecx, byte ptr ds:_ObHeaderCookie
for op in reversed(ops):
if (op.size == 7 and
'FLAG_DST_WR' in op.flags and
len(op.operands) == 2 and
op.operands[0].type == 'Register' and
op.operands[1].type == 'AbsoluteMemoryAddress' and
op.operands[1].size == 8):
addr = op.operands[1].disp & 0xFFFFFFFF
break
else:
# movzx ecx, byte ptr cs:ObHeaderCookie
for op in reversed(ops):
if (op.size == 7 and
'FLAG_RIP_RELATIVE' in op.flags and
len(op.operands) == 2 and
op.operands[0].type == 'Register' and
op.operands[1].type == 'AbsoluteMemory' and
op.operands[1].size == 8):
addr = op.address + op.size + op.operands[1].disp
break
if not addr:
debug.warning("Cannot find nt!ObHeaderCookie")
return False
if not nt_mod.obj_vm.is_valid_address(addr):
debug.warning("nt!ObHeaderCookie at {0} is not valid".format(addr))
return False
cookie = obj.Object("unsigned int", offset = addr, vm = nt_mod.obj_vm)
self._cookie = int(cookie)
return True
开发者ID:npetroni,项目名称:volatility,代码行数:92,代码来源:win10.py
示例19: calculate
def calculate(self):
if not has_distorm3:
debug.warning("For best results please install distorm3")
# Checks that subclass AbstractThreadCheck
checks = registry.get_plugin_classes(AbstractThreadCheck)
# If --listtags is chosen, just print the tags and return
if self._config.LISTTAGS:
for cls_name, cls in checks.items():
sys.stdout.write("{0:<20} {1}\n".format(cls_name, pydoc.getdoc(cls)))
return
addr_space = utils.load_as(self._config)
system_range = tasks.get_kdbg(addr_space).MmSystemRangeStart.dereference_as("Pointer")
# Only show threads owned by particular processes
|
客服电话
APP下载
官方微信
请发表评论