Python tasks.find_module函数代码示例


本文整理汇总了Python中volatility.win32.tasks.find_module函数的典型用法代码示例。如果您正苦于以下问题:Python find_module函数的具体用法?Python find_module怎么用?Python find_module使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。



在下文中一共展示了find_module函数的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Python代码示例。

示例1: render_text

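    def render_text(self, outfd, data):
        """Write every SSDT entry, with its owning module, to ``outfd``.

        Args:
            outfd: file-like object that receives the report.
            data: iterable of ``(idx, table, n, vm, mods, mod_addrs)`` tuples,
                one per service table, as produced by the plugin's calculate().

        With ``--verbose`` on a 32-bit profile, every entry whose owning module
        is known is also passed to apihooks.ApiHooks.check_inline and a hook
        hit is reported on its own line.
        """
        addr_space = utils.load_as(self._config)
        syscalls = addr_space.profile.syscalls
        bits32 = addr_space.profile.metadata.get('memory_model', '32bit') == '32bit'
        # Inline-hook analysis is only attempted on x86 (the original re-read
        # the profile metadata here; reuse the value computed above).
        check_hooks = self._config.VERBOSE and bits32

        for idx, table, n, vm, mods, mod_addrs in data:
            outfd.write("SSDT[{0}] at {1:x} with {2} entries\n".format(idx, table, n))
            for i in range(n):
                if bits32:
                    # 32-bit tables hold absolute kernel addresses.
                    syscall_addr = obj.Object('address', table + (i * 4), vm).v()
                else:
                    # x64 tables hold signed RVAs relative to the table base;
                    # the low 4 bits are shifted off before adding.
                    offset = obj.Object('long', table + (i * 4), vm).v()
                    syscall_addr = table + (offset >> 4)
                try:
                    syscall_name = syscalls[idx][i]
                except IndexError:
                    syscall_name = "UNKNOWN"

                syscall_mod = tasks.find_module(mods, mod_addrs, addr_space.address_mask(syscall_addr))
                if syscall_mod:
                    syscall_modname = syscall_mod.BaseDllName
                else:
                    syscall_modname = "UNKNOWN"

                outfd.write("  Entry {0:#06x}: {1:#x} ({2}) owned by {3}\n".format(idx * 0x1000 + i,
                                                                   syscall_addr,
                                                                   syscall_name,
                                                                   syscall_modname))

                if not (check_hooks and syscall_mod is not None):
                    continue

                ## static helper from apihooks; None means the memory could
                ## not be analyzed
                ret = apihooks.ApiHooks.check_inline(va = syscall_addr, addr_space = vm,
                                        mem_start = syscall_mod.DllBase,
                                        mem_end = syscall_mod.DllBase + syscall_mod.SizeOfImage)
                if ret is None:
                    continue
                ## do not unpack into `data`: that is this method's parameter
                ## (the table iterable), which the original silently rebound
                hooked, _hook_bytes, dest_addr = ret
                if not hooked:
                    continue
                ## resolve the hook destination; no mask required because
                ## only x86 reaches this point
                hook_mod = tasks.find_module(mods, mod_addrs, dest_addr)
                if hook_mod:
                    hook_name = hook_mod.BaseDllName
                else:
                    hook_name = "UNKNOWN"
                outfd.write("  ** INLINE HOOK? => {0:#x} ({1})\n".format(dest_addr, hook_name))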
开发者ID:BryanSingh,项目名称:volatility,代码行数:60,代码来源:ssdt.py


示例2: render_text

    def render_text(self, outfd, data):
        """Print each session, its processes and its mapped images to ``outfd``.

        Image addresses are resolved to the owning kernel module with
        tasks.find_module over the module list of the kernel address space.
        """
        # Kernel address space: used for lsmod and for address masking.
        kernel_space = utils.load_as(self._config)

        # Lookup table keyed by masked DllBase, plus the sorted key list that
        # find_module bisects over.
        mods = {}
        for mod in modules.lsmod(kernel_space):
            mods[kernel_space.address_mask(mod.DllBase)] = mod
        mod_addrs = sorted(mods.keys())

        separator = "*" * 50 + "\n"
        for session in data:
            outfd.write(separator)
            process_count = len(list(session.processes()))
            outfd.write("Session(V): {0:x} ID: {1} Processes: {2}\n".format(
                session.obj_offset, session.SessionId, process_count))
            outfd.write("PagedPoolStart: {0:x} PagedPoolEnd {1:x}\n".format(
                session.PagedPoolStart, session.PagedPoolEnd))
            for process in session.processes():
                outfd.write(" Process: {0} {1} {2}\n".format(
                    process.UniqueProcessId, process.ImageFileName, process.CreateTime))
            for image in session.images():
                masked = kernel_space.address_mask(image.Address)
                module = tasks.find_module(mods, mod_addrs, masked)
                owner = str(module and module.BaseDllName or '')
                outfd.write(" Image: {0:#x}, Address {1:x}, Name: {2}\n".format(
                    image.obj_offset, image.Address, owner))
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:33,代码来源:sessions.py


示例3: __init__

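 def __init__(self, start, stack_base, stack_limit, eproc, modules=None, module_addrs=None, *args, **kwargs):
   """Build an EBP frame and try to recover the owning module's /GS security cookie.

   Args:
     start, stack_base, stack_limit, eproc: passed through to EBP.__init__.
     modules: optional ``{DllBase: module}`` lookup table; when None it is
       built from the kernel modules of the process address space plus the
       process's own loaded modules.
     module_addrs: sorted keys of ``modules`` (only used when ``modules`` is given).

   Sets ``self.security_cookie`` (the module's ___security_cookie value, read
   via its load config directory or, failing that, PDB symbols) and
   ``self.cookie`` (the value stored at ``ebp - alignment``); both stay None
   when they cannot be resolved.
   """
   EBP.__init__(self, start, stack_base, stack_limit, eproc, *args, **kwargs)
   if modules is None:
     all_mods = list(sysmods.lsmod(eproc.get_process_address_space())) + list(eproc.get_load_modules())
     self.modules = dict((m.DllBase, m) for m in all_mods)
     self.module_addrs = sorted(self.modules.keys())
   else:
     self.modules = modules
     self.module_addrs = module_addrs
   self.security_cookie = None
   self.cookie = None
   # The `!= None` / `== None` comparisons below are deliberate: Volatility may
   # hand back a volatility.obj.NoneObject, which compares equal to None without
   # being None, so `is None` would not catch it.
   mod = tasks.find_module(self.modules, self.module_addrs, self.eip)
   if mod != None:
     security_cookie_addr = None
     load_config = mod.get_load_config_directory()
     if load_config == None:
       # No load config directory: attempt to use PDB symbols to locate
       # this module's ___security_cookie.
       addrs = eproc.lookup("{0}/.data!___security_cookie".format(str(mod.BaseDllName)))
       if addrs:
         security_cookie_addr = addrs[0]
     else:
       # Use _IMAGE_LOAD_CONFIG_DIRECTORY to locate this module's ___security_cookie.
       security_cookie_addr = load_config.SecurityCookie
     if security_cookie_addr != None and self.addrspace.is_valid_address(security_cookie_addr):
       self.security_cookie = self.addrspace.read_long_phys(self.addrspace.vtop(security_cookie_addr))
     cookie_addr = self.ebp - self.alignment
     if self.addrspace.is_valid_address(cookie_addr):
       self.cookie = self.addrspace.read_long_phys(self.addrspace.vtop(cookie_addr))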
开发者ID:binsrc,项目名称:volatility-1,代码行数:26,代码来源:exportstack.py


示例4: calculate

    def calculate(self):
        """Yield ``(index, entry, address, module)`` for every IDT entry of every KPCR.

        ``address`` is the entry's target, adjusted by the base of its GDT code
        selector when one is present; ``module`` is the kernel module owning that
        address (or None). Aborts via debug.error on unsupported profiles.
        """
        addr_space = utils.load_as(self._config)

        # Only x86 is supported: x64 still has an IDT, but hooking it results
        # in a bugcheck, so there is nothing to inspect there.
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        mods = {}
        for mod in modules.lsmod(addr_space):
            mods[addr_space.address_mask(mod.DllBase)] = mod
        mod_addrs = sorted(mods.keys())

        for kpcr in tasks.get_kdbg(addr_space).kpcrs():
            # Selector -> descriptor map; GDT entries are 8 bytes apart.
            gdt = {}
            for slot, descriptor in kpcr.gdt_entries():
                gdt[slot * 8] = descriptor
            for i, entry in kpcr.idt_entries():
                addr = entry.Address
                # Per MITRE: a hook can also be planted by changing the entry's
                # GDT selector, so fold in the selector's base when it is a
                # code segment.
                gdt_entry = gdt.get(entry.Selector.v())
                if gdt_entry != None and "Code" in gdt_entry.Type:
                    addr = addr + gdt_entry.Base

                module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(addr))
                yield i, entry, addr, module
开发者ID:RaptorFactor,项目名称:volatility,代码行数:28,代码来源:idt.py


示例5: callbacks

    def callbacks(self):
        """Volatility callbacks plugin.
        @see volatility/plugins/malware/callbacks.py

        Returns ``{"config": {}, "data": [...]}`` where each row holds the
        callback type, its address (hex string), the owning module name
        ("UNKNOWN" when unresolved) and the detail string ("-" when empty).
        """
        command = self.plugins["callbacks"](self.config)
        results = []

        for (sym, cb, detail), mods, mod_addrs in command.calculate():
            masked_cb = self.addr_space.address_mask(cb)
            module = tasks.find_module(mods, mod_addrs, masked_cb)
            # Prefer the short name, then the full path, else a marker.
            module_name = "UNKNOWN"
            if module:
                module_name = module.BaseDllName or module.FullDllName

            results.append({
                "type": str(sym),
                "callback": hex(int(cb)),
                "module": str(module_name),
                "details": str(detail or "-"),
            })

        return dict(config={}, data=results)
开发者ID:NickyCM,项目名称:cuckoo,代码行数:25,代码来源:memory.py


示例6: render_text

    def render_text(self, outfd, data):
        """Dump every SSDT and the owning module of each entry to ``outfd``.

        ``data`` yields ``(idx, table, n, vm, mods, mod_addrs)`` per table. No
        inline-hook check is performed here, and the syscall address is handed
        to find_module without masking.
        """
        addr_space = utils.load_as(self._config)
        syscalls = addr_space.profile.syscalls
        is_x86 = addr_space.profile.metadata.get('memory_model', '32bit') == '32bit'

        def entry_address(table, vm, i):
            # x86: absolute address. x64: signed RVA relative to the table,
            # with the low 4 bits shifted off before adding to the base.
            if is_x86:
                return obj.Object('address', table + (i * 4), vm).v()
            rva = obj.Object('long', table + (i * 4), vm).v()
            return table + (rva >> 4)

        for idx, table, n, vm, mods, mod_addrs in data:
            outfd.write("SSDT[{0}] at {1:x} with {2} entries\n".format(idx, table, n))
            for i in range(n):
                syscall_addr = entry_address(table, vm, i)
                try:
                    syscall_name = syscalls[idx][i]
                except IndexError:
                    syscall_name = "UNKNOWN"

                owner = tasks.find_module(mods, mod_addrs, syscall_addr)
                owner_name = owner.BaseDllName if owner else "UNKNOWN"

                outfd.write("  Entry {0:#06x}: {1:#x} ({2}) owned by {3}\n".format(
                    idx * 0x1000 + i, syscall_addr, syscall_name, owner_name))
开发者ID:carmaa,项目名称:volatility-2.2-python3,代码行数:34,代码来源:ssdt.py


示例7: render_text

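    def render_text(self, outfd, data):
        """Print each driver object and the owning module of its IRP handlers.

        Args:
            outfd: file-like output.
            data: iterable of driver objects (each with a MajorFunction table).

        With ``--verbose`` the first 64 bytes of every handler are disassembled
        (stopping at the first RET) so trampolines can be spotted by eye.
        """
        addr_space = utils.load_as(self._config)

        # Optional case-insensitive filter on the driver name.
        mod_re = None
        if self._config.regex is not None:
            mod_re = re.compile(self._config.regex, re.I)

        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        bits = addr_space.profile.metadata.get('memory_model', '32bit')

        self.table_header(None, [('i', ">4"),
                                 ('Funcs', "36"),
                                 ('addr', '[addrpad]'),
                                 ('name', '')
                                 ])

        for driver in data:

            header = driver.get_object_header()

            driver_name = str(header.NameInfo.Name or '')
            # Skip drivers that do not match the supplied regex (the original
            # evaluated the same search twice).
            if mod_re is not None and not mod_re.search(driver_name):
                continue

            # Write the standard header for each driver object
            outfd.write("{0}\n".format("-" * 50))
            outfd.write("DriverName: {0}\n".format(driver_name))
            outfd.write("DriverStart: {0:#x}\n".format(driver.DriverStart))
            outfd.write("DriverSize: {0:#x}\n".format(driver.DriverSize))
            outfd.write("DriverStartIo: {0:#x}\n".format(driver.DriverStartIo))

            # Write the address and owner of each IRP function
            for i, function in enumerate(driver.MajorFunction):
                # Re-index as the original did; presumably the same object the
                # iterator yielded, kept in case Array iteration differs.
                function = driver.MajorFunction[i]
                module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(function))
                if module:
                    module_name = str(module.BaseDllName or '')
                else:
                    module_name = "Unknown"
                # Inline-hook checks belong here once the ApiHooks plugin is
                # ported to 2.1.
                self.table_row(outfd, i, MAJOR_FUNCTIONS[i], function, module_name)

                if self._config.verbose:
                    # Use names distinct from `data` (this method's parameter)
                    # and `i` (the original's comprehension variable, which
                    # leaks out of a Python 2 list comprehension and clobbered
                    # the enumerate index).
                    code = addr_space.zread(function, 64)
                    lines = ["{0:#x} {1:<16} {2}".format(off, hexbytes, instr)
                             for off, instr, hexbytes in malfind.Disassemble(data = code,
                                 start = function, bits = bits, stoponret = True)]
                    outfd.write("\n".join(lines))
                    outfd.write("\n")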
开发者ID:vortessence,项目名称:vortessence,代码行数:58,代码来源:devicetree.py


示例8: check

    def check(self):
        """This check is True for system threads whose start address
        does not map back to known/loaded kernel drivers."""

        is_system_thread = 'PS_CROSS_THREAD_FLAGS_SYSTEM' in self.flags
        owner = tasks.find_module(self.mods, self.mod_addrs, self.thread.StartAddress)

        # `== None` kept on purpose: a Volatility NoneObject compares equal to
        # None without being None.
        return is_system_thread and owner == None
开发者ID:Jack47,项目名称:volatility,代码行数:9,代码来源:threads.py


示例9: get_hooked_tables

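    def get_hooked_tables(self, addr_space):
        """Find SSDT entries not owned by the expected executive module.

        Walks every SSDT found by the ssdt plugin and collects the entries
        whose owning module is not one of the legitimate modules for that
        table index.

        @param addr_space: a kernel address space.
        @return dict keyed by SSDT base address; each value is a list of
            ``(index, syscall_name, syscall_addr, module_name)`` tuples for
            the suspicious entries of that table.
        """

        # Names of the legit executive modules for SSDT tables
        executive_modules = [
            # SSDT 0
            ["ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"],
            # SSDT 1
            ["win32k.sys"],
            # SSDT 2
            ["spud.sys"],
            # SSDT 3
            []]

        syscalls = addr_space.profile.syscalls

        hooked_tables = {}

        for info in ssdt.SSDT(self._config).calculate():
            idx, table, n, vm, mods, mod_addrs = info
            # This is straight out of ssdt.py; the entry decoding is duplicated
            # because the plugin exposes no helper for it.
            for i in range(n):
                if self.bits32:
                    # These are absolute function addresses in kernel memory.
                    syscall_addr = obj.Object('address', table + (i * 4), vm).v()
                else:
                    # x64 entries are signed RVAs relative to the table base
                    # (they can be negative); the low 4 bits are shifted off.
                    offset = obj.Object('long', table + (i * 4), vm).v()
                    syscall_addr = table + (offset >> 4)
                try:
                    syscall_name = syscalls[idx][i]
                except IndexError:
                    syscall_name = "UNKNOWN"

                syscall_mod = tasks.find_module(mods, mod_addrs, syscall_addr)
                if syscall_mod:
                    syscall_modname = syscall_mod.BaseDllName
                else:
                    syscall_modname = "UNKNOWN"

                if str(syscall_modname).lower() not in executive_modules[idx]:
                    fields = (i, syscall_name, syscall_addr, syscall_modname)
                    # setdefault replaces the Python 2-only dict.has_key().
                    hooked_tables.setdefault(table, []).append(fields)

        return hooked_tables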
开发者ID:BryanSingh,项目名称:volatility,代码行数:57,代码来源:threads.py


示例10: calculate

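    def calculate(self):
        """Fuzzy-hash (ssdeep) scan of kernel or process memory for the input page.

        Process mode yields ``(task, sig, vStart, vLength, offset, alike, page)``
        per filtered task. Kernel mode (--kernel) yields
        ``(module, address, hit, bytes)`` where ``module`` is the kernel module
        owning the hit address (or None) and ``bytes`` is read from the session
        space around the hit using the REVERSE and SIZE options.

        Aborts via debug.error when pydeep is missing or the input page cannot
        be hashed.
        """

        if not has_pydeep:
            debug.error(
                "Please install ssdeep and pydeep from http://ssdeep.sourceforge.net/ and https://github.com/kbandla/pydeep"
            )

        addr_space = utils.load_as(self._config)
        self._addr_space = addr_space

        page_sig = self._pydeep_page()
        if page_sig is None:
            debug.error("Pydeep was not able to hash the input")

        if not self._config.KERNEL:
            for task in self.filter_tasks(tasks.pslist(addr_space)):
                scanner = VadSSDeepScanner(task=task, pydeep_hash=page_sig)
                for sig, vStart, vLength, offset, alike in scanner.scan():
                    yield (task, sig, vStart, vLength, offset, alike, scanner.address_space.zread(offset, 0x1000))
            return

        # Find KDBG so we know where kernel memory begins. Do not assume
        # the starting range is 0x80000000 because we may be dealing with
        # an image with the /3GB boot switch.
        kdbg = tasks.get_kdbg(addr_space)

        start = kdbg.MmSystemRangeStart.dereference_as("Pointer")

        # Modules so we can map addresses to owners
        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())

        # There are multiple views (GUI sessions) of kernel memory.
        # Since we're scanning virtual memory and not physical,
        # all sessions must be scanned for full coverage. This
        # really only has a positive effect if the data you're
        # searching for is in GUI memory.
        sessions = []

        for proc in tasks.pslist(addr_space):
            sid = proc.SessionId
            # Skip sessions we've already seen. `== None` is deliberate:
            # Volatility may return a NoneObject, which compares equal to
            # None without being None.
            if sid == None or sid in sessions:
                continue

            session_space = proc.get_process_address_space()
            if session_space == None:
                continue

            sessions.append(sid)
            # NOTE(review): `rules` is not bound anywhere in this method, so the
            # kernel path raises NameError. The process path passes
            # pydeep_hash=page_sig, which is presumably what was intended here;
            # confirm against DiscontigSSDeepScanner's constructor before changing.
            scanner = DiscontigSSDeepScanner(address_space=session_space, rules=rules)

            for hit, address in scanner.scan(start_offset=start):
                module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
                yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))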
开发者ID:xueyi28,项目名称:volgui,代码行数:56,代码来源:ssdeepscan.py


示例11: calculate

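    def calculate(self):
        """Map drivers (or one address) to the kernel module owning their code.

        Yields ``(module_name, driver_name, service_key, driver_name3)``:
        with ``--addr`` a single tuple for the driver whose image range
        contains that address, otherwise one tuple per driver object.
        Unresolved fields are reported as "UNKNOWN".
        """
        addr_space = utils.load_as(self._config)

        modlist = list(modules.lsmod(addr_space))
        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
        mod_addrs = sorted(mods.keys())

        drivers = dtree.DriverIrp(self._config).calculate()

        def owning_module_name(address):
            # mods is keyed by addr_space-masked bases, so mask lookups the same
            # way. The original masked via mods.values()[0].obj_vm, which fails
            # on an empty module list and on Python 3 dict views.
            module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
            if module:
                return module.BaseDllName or module.FullDllName
            # The original left None here in the --addr branch but "UNKNOWN"
            # in the other; report consistently.
            return "UNKNOWN"

        if self._config.ADDR:
            find_address = self._config.ADDR
            module_name = owning_module_name(find_address)

            driver_name = "UNKNOWN"
            service_key = "UNKNOWN"
            driver_name3 = "UNKNOWN"
            for driver in drivers:
                if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
                    driver_name = str(driver.get_object_header().NameInfo.Name or '')
                    service_key = str(driver.DriverExtension.ServiceKeyName or '')
                    driver_name3 = str(driver.DriverName or '')
                    break

            yield (module_name, driver_name, service_key, driver_name3)

        else:
            for driver in drivers:
                driver_name = str(driver.get_object_header().NameInfo.Name or '')
                service_key = str(driver.DriverExtension.ServiceKeyName or '')
                driver_name3 = str(driver.DriverName or '')
                module_name = owning_module_name(driver.DriverStart)

                yield (module_name, driver_name, service_key, driver_name3)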
开发者ID:chansonzhang,项目名称:volatility,代码行数:43,代码来源:drivermodule.py


示例12: check

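    def check(self):
        """This check is True for system threads whose start address
        does not map back to known/loaded kernel drivers."""

        is_system_thread = 'PS_CROSS_THREAD_FLAGS_SYSTEM' in self.flags

        if not self.mods:
            # No modules known: nothing can be resolved, and there is no
            # address space to mask with (the original raised IndexError here).
            return is_system_thread

        # Take the address space from any module object so StartAddress is
        # masked the same way the keys of self.mods were. next(iter(...))
        # rather than values()[0] also works on Python 3 dict views.
        addr_space = next(iter(self.mods.values())).obj_vm

        module = tasks.find_module(self.mods,
            self.mod_addrs, addr_space.address_mask(self.thread.StartAddress))

        # `== None` kept on purpose: a Volatility NoneObject compares equal to
        # None without being None.
        return is_system_thread and module == None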
开发者ID:BryanSingh,项目名称:volatility,代码行数:12,代码来源:threads.py


示例13: calculate

    def calculate(self):
        """Run the compiled Yara rules over kernel or process memory.

        Kernel mode (--kernel) yields ``(module, address, hit, bytes)`` where
        ``module`` is the kernel module owning the hit address (or None) and
        ``bytes`` is 1024 bytes read from the session space at the hit.
        Process mode yields ``(task, address, hit, bytes)`` per filtered task.
        Aborts via debug.error when Yara is not installed.
        """
        if not has_yara:
            debug.error("Please install Yara from code.google.com/p/yara-project")

        addr_space = utils.load_as(self._config)
        rules = self._compile_rules()

        if not self._config.KERNEL:
            for task in self.filter_tasks(tasks.pslist(addr_space)):
                scanner = VadYaraScanner(task = task, rules = rules)
                for hit, address in scanner.scan():
                    yield (task, address, hit, scanner.address_space.zread(address, 1024))
            return

        # Kernel memory begins at MmSystemRangeStart; do not assume 0x80000000
        # because the image may have been booted with /3GB.
        kdbg = tasks.get_kdbg(addr_space)
        start = kdbg.MmSystemRangeStart.dereference_as("Pointer")

        # Owner lookup table keyed by masked module base.
        mods = {}
        for mod in modules.lsmod(addr_space):
            mods[addr_space.address_mask(mod.DllBase)] = mod
        mod_addrs = sorted(mods.keys())

        # Kernel memory has one view per GUI session and we scan virtual, not
        # physical, memory, so every session space is scanned once. This only
        # makes a difference for data living in session (GUI) memory.
        seen_sessions = []
        for proc in tasks.pslist(addr_space):
            sid = proc.SessionId
            # `== None` is deliberate: Volatility may hand back a NoneObject,
            # which compares equal to None without being None.
            if sid == None or sid in seen_sessions:
                continue

            session_space = proc.get_process_address_space()
            if session_space == None:
                continue
            seen_sessions.append(sid)

            scanner = DiscontigYaraScanner(address_space = session_space,
                                           rules = rules)
            for hit, address in scanner.scan(start_offset = start):
                owner = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
                yield (owner, address, hit, session_space.zread(address, 1024))
开发者ID:Austi,项目名称:volatility,代码行数:53,代码来源:malfind.py


示例14: get_alloc

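    def get_alloc(self, addr_space):
        '''
        Mimics volatility's PPP plugin.

        Runs the Volatility callbacks plugin over ``self.vol.config`` and
        yields one ``Callback(module, sym, cb, detail, 0)`` per registered
        callback, with ``module`` the kernel module owning the callback
        address (or None). ``addr_space`` is accepted for interface
        compatibility but not used; masking goes through the address space
        of the modules the plugin returned.
        '''
        import volatility.plugins.malware.callbacks as callbacks
        import volatility.win32.tasks as tasks

        vol_callback = callbacks.Callbacks(self.vol.config)
        for (sym, cb, detail), mods, mod_addrs in vol_callback.calculate():
            # next(iter(...)) rather than values()[0] so this also works on
            # Python 3 dict views; the module dict is expected to be non-empty.
            module_space = next(iter(mods.values())).obj_vm
            module = tasks.find_module(mods, mod_addrs, module_space.address_mask(cb))
            yield Callback(module, sym, cb, detail, 0)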
开发者ID:forensix-cn,项目名称:DAMM,代码行数:12,代码来源:callbacks.py


示例15: calculate

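    def calculate(self):
        """Map drivers (or one address) to the kernel module owning their code.

        Yields ``(module_name, driver_name)``: with ``--addr`` a single tuple
        for the driver whose image range contains that address, otherwise one
        tuple per driver object. Unresolved names are reported as "UNKNOWN".
        """
        addr_space = utils.load_as(self._config)

        modlist = list(modules.lsmod(addr_space))
        mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modlist)
        mod_addrs = sorted(mods.keys())

        drivers = dtree.DriverIrp(self._config).calculate()

        def owning_module_name(address):
            # mods is keyed by addr_space-masked bases, so mask lookups the same
            # way. The original masked via mods.values()[0].obj_vm, which fails
            # on an empty module list and on Python 3 dict views.
            module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
            if module:
                return module.BaseDllName or module.FullDllName
            return "UNKNOWN"

        if self._config.ADDR:
            find_address = self._config.ADDR
            found_module = owning_module_name(find_address)

            found_driver = "UNKNOWN"
            for driver in drivers:
                if driver.DriverStart <= find_address < driver.DriverStart + driver.DriverSize:
                    found_driver = driver.get_object_header().NameInfo.Name
                    break

            yield (found_module, found_driver)

        else:
            for driver in drivers:
                driver_name = driver.get_object_header().NameInfo.Name
                module_name = owning_module_name(driver.DriverStart)
                yield (module_name, driver_name)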
开发者ID:Darriall,项目名称:volatility,代码行数:38,代码来源:drivermodule.py


示例16: generator

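    def generator(self, data):
        """Yield one table row per callback: type, address, owning module, details.

        Args:
            data: iterable of ``((sym, cb, detail), mods, mod_addrs)`` triples.

        Yields:
            ``(0, [type, Address(cb), module_name, details])`` for the unified
            output renderer; ``module_name`` is "UNKNOWN" when unresolved.
        """
        for (sym, cb, detail), mods, mod_addrs in data:
            # Mask the callback with the address space of any known module;
            # next(iter(...)) rather than values()[0] also works on Python 3
            # dict views. The module dict is expected to be non-empty here.
            module_space = next(iter(mods.values())).obj_vm
            module = tasks.find_module(mods, mod_addrs, module_space.address_mask(cb))

            ## The original callbacks plugin searched driver objects
            ## if the owning module isn't found (Rustock.B). We leave that
            ## task up to the user this time, and will be incorporating
            ## some different module association methods later.
            if module:
                module_name = module.FullDllName or module.BaseDllName
            else:
                module_name = "UNKNOWN"

            yield (0, [str(sym), Address(cb), str(module_name), str(detail or "-")])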
开发者ID:vortessence,项目名称:vortessence,代码行数:15,代码来源:callbacks.py


示例17: execute

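    def execute(self,config):
        """Export every SSDT entry to ``<OUTPUT_PATH>sdts.xml``.

        Args:
            config: Volatility config; OUTPUT_PATH is used as the output prefix.

        Builds a datastructs.rootType() tree with one SSDT node per table and
        one SSDTEntry per syscall (name, owning module, virtual address), then
        serialises it with proto2xml.
        """
        addr_space = utils.load_as(config)
        syscalls = addr_space.profile.syscalls
        bits32 = addr_space.profile.metadata.get('memory_model', '32bit') == '32bit'
        data = SSDTS.SSDT(config).calculate()
        sdtObjectList = datastructs.rootType()

        for idx, table, n, vm, mods, mod_addrs in data:
            sdtObject = sdtObjectList.SSDTs.SSDT.add()
            sdtObject.VirtAddr=table

            sdtEntries = sdtObject.SSDTEntries
            sdtEntries.count=n

            for i in range(n):
                if bits32:
                    # These are absolute function addresses in kernel memory.
                    syscall_addr = obj.Object('address', table + (i * 4), vm).v()
                else:
                    # x64 entries are signed RVAs relative to the table base
                    # (they can be negative); the low 4 bits are shifted off.
                    offset = obj.Object('long', table + (i * 4), vm).v()
                    syscall_addr = table + (offset >> 4)
                try:
                    syscall_name = syscalls[idx][i]
                except IndexError:
                    syscall_name = "UNKNOWN"

                syscall_mod = tasks.find_module(mods, mod_addrs, addr_space.address_mask(syscall_addr))
                if syscall_mod:
                    syscall_modname = syscall_mod.BaseDllName
                else:
                    syscall_modname = "UNKNOWN"

                sdtEntry = sdtEntries.SSDTEntry.add()
                sdtEntry.FunctionName=adutils.SmartUnicode(syscall_name)
                sdtEntry.ModuleName=adutils.SmartUnicode(syscall_modname)
                sdtEntry.VirtAddr=int(syscall_addr)

        # OUTPUT_PATH is concatenated directly (no separator inserted), so it
        # must already end with one; kept as-is so the output location does
        # not change. The file handle was previously never closed.
        sdts_path = config.OUTPUT_PATH + "sdts.xml"
        with open(sdts_path, "w") as sdtsfile:
            sdtsfile.write(proto2xml(sdtObjectList,indent=0))

        logging.debug("Completed exporting the sdts on the system")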
开发者ID:r1nswenson,项目名称:volatility,代码行数:46,代码来源:adsdts.py


示例18: render_text

    def render_text(self, outfd, data):
        """Write callbacks as ``Type||Callback||Module||Details`` rows to ``outfd``.

        ``data`` yields ``((sym, cb, detail), mods, mod_addrs)`` triples; the
        callback address is resolved to its owning module through the kernel
        space kept on ``self.kern_space``.
        """
        header = "{0}||{1}||{2}||{3}\n".format('Type', 'Callback', 'Module', 'Details')
        outfd.write(header)

        for (sym, cb, detail), mods, mod_addrs in data:
            owner = tasks.find_module(mods, mod_addrs, self.kern_space.address_mask(cb))

            ## The original callbacks plugin fell back to driver objects when
            ## no owning module was found (Rustock.B); that is left to the
            ## user here, other association methods may be added later.
            owner_name = "UNKNOWN"
            if owner:
                owner_name = owner.BaseDllName or owner.FullDllName

            outfd.write("{0}||{1:#x}||{2}||{3}\n".format(sym, cb, owner_name, detail or "-" ))
开发者ID:MemForsKing,项目名称:memfors4all,代码行数:18,代码来源:callbacksf.py


示例19: decide

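    def decide(analyzer, signatures):
        """Match SSDT entries against the "rootkits" signature entries.

        Args:
            analyzer: provides run_plugin() (used to run the SSDT plugin) and
                get_config() (the Volatility config).
            signatures: dict; ``signatures["rootkits"]["entries"]`` is a list
                of dicts with optional "address" (hex string), "name" and
                "module" keys. A missing key matches any value.

        Returns:
            decision_tree.Decision(ioc_list, breach) where ioc_list holds one
            ``["-- Rootkits IoC --", address, name, module]`` row per match.
        """
        breach = False
        ioc_list = []

        rootkit_signatures = signatures.get("rootkits", {})

        entries = rootkit_signatures.get("entries", [])

        aux = analyzer.run_plugin("ssdt", "SSDT")
        config_obj = analyzer.get_config()

        addr_space = utils.load_as(config_obj)
        syscalls = addr_space.profile.syscalls

        for idx, table, n, vm, mods, mod_addrs in aux:
            for i in range(n):
                # These are absolute function addresses in kernel memory.
                syscall_addr = obj.Object('address', table + (i * 4), vm).v()

                try:
                    syscall_name = syscalls[idx][i]
                except IndexError:
                    syscall_name = "UNKNOWN"

                syscall_mod = tasks.find_module(mods, mod_addrs, addr_space.address_mask(syscall_addr))
                if syscall_mod:
                    syscall_modname = syscall_mod.BaseDllName
                else:
                    syscall_modname = "UNKNOWN"

                # Compare in string form throughout. The original defaulted a
                # missing "address" to the raw int and then compared it with
                # hex(...), so entries without an address could never match.
                addr_str = str(hex(syscall_addr))
                name_str = str(syscall_name)
                mod_str = str(syscall_modname)

                # must match all values that are filled (empty values accept any)
                for entry in entries:
                    matches_rule = (entry.get("address", addr_str) == addr_str and
                                    entry.get("name", name_str) == name_str and
                                    entry.get("module", mod_str) == mod_str)

                    if matches_rule:
                        ioc_list.append(["-- Rootkits IoC --", addr_str, syscall_name, syscall_modname])

        # NOTE(review): breach is never set to True; presumably it should
        # reflect whether ioc_list is non-empty — confirm with the caller.
        return decision_tree.Decision(ioc_list, breach)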
开发者ID:AlbertoRico,项目名称:vol-o-matic,代码行数:44,代码来源:rootkits.py


示例20: calculate

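    def calculate(self):
        """Scan kernel session memory for Gh0st RAT traffic and yield decoded hits.

        Yields ``(mal_proc, address, magic_keyword, enc_data, dec_data,
        os_version)`` per Yara hit. ``mal_proc`` and ``os_version`` are filled
        on the first hit (via get_ghost_process / get_os_version) and reused
        afterwards; ``os_version`` is None until then.

        Aborts via debug.error when Yara is not installed.
        """
        if not has_yara:
            debug.error("Please install Yara from code.google.com/p/yara-project")
        addr_space = utils.load_as(self._config)
        rules = yara.compile(sources=ghost_sig)
        mal_proc = {}
        # Initialised here so the yield below can never hit an unbound name.
        os_version = None

        # Kernel memory starts at MmSystemRangeStart (not necessarily 0x80000000).
        kdbg = tasks.get_kdbg(addr_space)
        start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
        mods = dict((addr_space.address_mask(mod.DllBase), mod)
                        for mod in modules.lsmod(addr_space))
        mod_addrs = sorted(mods.keys())
        # Two unsigned ints: compressed and uncompressed payload sizes.
        size_fields = struct.Struct("I I")
        sessions = []
        for proc in tasks.pslist(addr_space):
            sid = proc.SessionId
            # `== None` is deliberate: Volatility may hand back a NoneObject,
            # which compares equal to None without being None.
            if sid == None or sid in sessions:
                continue
            session_space = proc.get_process_address_space()
            if session_space == None:
                continue
            sessions.append(sid)
            scanner = malfind.DiscontigYaraScanner(address_space = session_space,
                                           rules = rules)
            for hit, address in scanner.scan(start_offset = start):
                module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
                content = session_space.zread(address,1024)
                # Expected layout: <magic keyword><comp_size><uncomp_size><"\x78\x9c"...>
                header_size = content.find("\x78\x9c")
                magic_header_size = header_size - 8
                if magic_header_size < 0:
                    # Marker missing (find() == -1) or too close to the start
                    # for the two size fields to precede it; the original
                    # unpacked a negative slice here and yielded garbage.
                    continue
                magic_keyword = content[:magic_header_size]
                comp_size, uncomp_size = size_fields.unpack(content[magic_header_size:header_size])
                enc_data = content[0:comp_size]
                to_decrypt = content[header_size:comp_size]
                dec_data = self.decrypt_communication(to_decrypt)
                if not mal_proc:
                    self.get_ghost_process(magic_keyword, mal_proc, addr_space)
                    os_version = self.get_os_version(addr_space)
                yield (mal_proc, address, magic_keyword, enc_data, dec_data, os_version)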
开发者ID:Alpha-10000,项目名称:Volatility,代码行数:41,代码来源:ghostrat.py



注:本文中的volatility.win32.tasks.find_module函数示例由纯净天空整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。

