本文整理汇总了Python中volatility.registry.get_plugin_classes函数的典型用法代码示例。如果您正苦于以下问题:Python get_plugin_classes函数的具体用法?Python get_plugin_classes怎么用?Python get_plugin_classes使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了get_plugin_classes函数的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Python代码示例。
示例1: list_plugins
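def list_plugins():
    """Build the help text that lists every registered plugin command.

    Commands that accept the currently configured profile are listed first;
    commands that need a different profile are appended only when
    ``config.VERBOSE`` is set.  Uses the module-level ``config``,
    ``registry``, ``commands`` and ``obj`` names.

    Returns:
        str: the tab-indented listing, one ``name<TAB>first help line`` per command.

    Raises:
        BaseException: when ``config.PROFILE`` names an unregistered profile
        (kept as in the original so existing callers still catch it).
    """
    result = "\n\tSupported Plugin Commands:\n\n"
    cmds = registry.get_plugin_classes(commands.Command, lower = True)
    profs = registry.get_plugin_classes(obj.Profile)
    # Fall back to the historical default profile when none was selected
    # (identity test: PROFILE is either None or a profile name).
    if config.PROFILE is None:
        config.update("PROFILE", "WinXPSP2x86")
    if config.PROFILE not in profs:
        raise BaseException("Invalid profile " + config.PROFILE + " selected")
    profile = profs[config.PROFILE]()
    wrongprofile = ""
    for cmdname in sorted(cmds):
        command = cmds[cmdname]
        helpline = command.help() or ''
        ## Just put the title line (First non empty line) in this
        ## abbreviated display; an all-blank help text is kept as-is.
        for line in helpline.splitlines():
            if line:
                helpline = line
                break
        entry = "\t\t{0:15}\t{1}\n".format(cmdname, helpline)
        if command.is_valid_profile(profile):
            result += entry
        else:
            wrongprofile += entry
    if wrongprofile and config.VERBOSE:
        result += "\n\tPlugins requiring a different profile:\n\n"
        result += wrongprofile
    return result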
开发者ID:AndrewChubatiuk,项目名称:VolatilityLibvirtXen,代码行数:29,代码来源:vol.py
示例2: init_config
def init_config(self):
    """
    Initialise the Volatility configuration for this instance.

    When both ``self.config`` and ``self.addr_space`` are already set the
    cached ``self.config`` is returned untouched.  Otherwise a fresh
    ``conf.ConfObject`` is created, the global command and address-space
    options are registered, the base option set is applied (with the
    profile overridden by ``self.osprofile`` when one was given), and
    ``self.plugins`` / ``self.plugin_list`` are populated.
    :return: the populated ``conf.ConfObject``
    """
    already_initialised = self.config is not None and self.addr_space is not None
    if already_initialised:
        return self.config

    self.config = conf.ConfObject()
    cfg = self.config
    cfg.optparser.set_conflict_handler("resolve")
    registry.register_global_options(cfg, commands.Command)
    registry.register_global_options(cfg, addrspace.BaseAddressSpace)

    base_conf = {
        "profile": "WinXPSP2x86",
        "use_old_as": None,
        "kdbg": None,
        "help": False,
        "kpcr": None,
        "tz": None,
        "pid": None,
        "output_file": None,
        "physical_offset": None,
        "conf_file": None,
        "dtb": None,
        "output": None,
        "info": None,
        "location": "file://" + self.memdump,
        "plugins": 'plugins',
        "debug": 4,
        "filename": None,
        "cache_directory": None,
        "verbose": None,
        "write": False
    }
    cfg.parse_options()
    if self.osprofile:
        base_conf["profile"] = self.osprofile
    self.update_config(base_conf)

    # Available plugins, keyed by lower-cased plugin class name with the
    # plugin class as the value.
    self.plugins = registry.get_plugin_classes(commands.Command, lower=True)
    profile_classes = registry.get_plugin_classes(obj.Profile)
    active_profile = profile_classes[cfg.PROFILE]()
    # Record the names of the plugins that accept the active profile
    # (self.plugin_list is assumed to exist already -- set up elsewhere).
    for plugin_name, plugin_cls in self.plugins.items():
        if plugin_cls.is_valid_profile(active_profile):
            self.plugin_list.append(plugin_name)
    return cfg
开发者ID:neplyudof,项目名称:lyzer,代码行数:59,代码来源:volinterface.py
示例3: list_plugins
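def list_plugins(self):
    """Return ``[name, helptext]`` pairs for the plugins valid under the configured profile.

    Reads ``self.config.PROFILE``.  When that profile is not registered a
    message is printed and an empty list is returned; the original printed
    the message and then raised ``KeyError`` on the lookup that followed,
    so the check never actually protected the caller.

    Returns:
        list: ``[cmdname, helptext]`` lists, sorted by command name.
    """
    plugin_list = []
    cmds = registry.get_plugin_classes(commands.Command, lower=True)
    profs = registry.get_plugin_classes(obj.Profile)
    profile_type = self.config.PROFILE
    if profile_type not in profs:
        print("Not a valid profile")
        return plugin_list
    profile = profs[profile_type]()
    for cmdname in sorted(cmds):
        command = cmds[cmdname]
        helpline = command.help() or ''
        if command.is_valid_profile(profile):
            plugin_list.append([cmdname, helpline])
    return plugin_list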
开发者ID:KevinKien,项目名称:VolUtility,代码行数:15,代码来源:vol_interface.py
示例4: render_text
def render_text(self, outfd, data):
    """Write a text report for each thread whose callstack a rule flagged.

    ``data`` yields ``(thread, addr_space, thread_start_function,
    thread_callstack)`` tuples; only the first and last are used here.
    Every registered ``MalthfindRule`` subclass is instantiated on the
    callstack and its ``check()`` result replaces the callstack, so the
    rules are chained and may annotate it (``mal_pattern``, per-frame
    ``comment``).  A report is written to ``outfd`` only when at least one
    frame carries a non-empty ``comment``.
    """
    checks = registry.get_plugin_classes(MalthfindRule)
    for thread, addr_space, thread_start_function, thread_callstack in data:
        has_comment = False
        s = "\n------\n\n"
        s += "ETHREAD: {0:#010x} Pid: {1} Tid: {2}\n".format(
            thread.obj_offset,
            thread.Cid.UniqueProcess, thread.Cid.UniqueThread)
        s += "Owning Process: {0}\n".format(
            thread.owning_process().ImageFileName)
        s += "Attached Process: {0}\n".format(
            thread.attached_process().ImageFileName)
        s += "Thread Flags: {0}\n".format(str(thread.CrossThreadFlags))
        # get all currently implemented rules
        # and run them against the threads callstack
        for cls_name, cls in checks.items():
            thread_callstack = cls(thread_callstack).check()
        if len(thread_callstack.mal_pattern) > 0:
            if len(thread_callstack.callstack) > 0:
                s += "Malicious patterns detected: "
                # Comma-separate the pattern names without a trailing separator.
                first_pattern = True
                for pattern in thread_callstack.mal_pattern:
                    if first_pattern:
                        s += pattern
                        first_pattern = False
                    else:
                        s += ", " + pattern
                s += "\nCallstack:\n"
                if thread_callstack.eip:
                    # The first frame is printed as the "[eip]" row (with 0 in
                    # the Ebp column) and then removed so the numbered loop
                    # below starts at the following frame.
                    # NOTE(review): the header labels the third column RetAddr
                    # but the rows print function.address there; the "+0x.."
                    # offset is ret_address - function.address -- confirm intent.
                    s += "\t{0:<8} {3:<8} {1:<8} {2}\n".format("No.", "RetAddr", "Function", "Ebp")
                    s += "\t{0:<8} 0x{5:08x} 0x{1:08x} {2}!{3}+0x{4:<8x}\n".format("[eip]", thread_callstack.callstack[0].function.address,
                                                                                  thread_callstack.callstack[0].owning_module_name, thread_callstack.callstack[0].function.name,
                                                                                  thread_callstack.callstack[0].ret_address - thread_callstack.callstack[0].function.address,
                                                                                  0)
                    thread_callstack.callstack.remove(thread_callstack.callstack[0])
                i = 0
                for item in thread_callstack.callstack:
                    # Columns: [index], frame_address, function.address,
                    # module!function+(ret_address - function.address).
                    s += "\t{0:<8} 0x{5:08x} 0x{1:08x} {2}!{3}+0x{4:<8x}\n".format("[" + str(i) + "]", item.function.address,
                                                                                  item.owning_module_name, item.function.name,
                                                                                  item.ret_address - item.function.address, item.frame_address)
                    i += 1
                    if item.comment != "":
                        has_comment = True
            else:
                s += "Couldn't acquire threads _KTRAP_FRAME\n"
        # Only threads with at least one commented frame are reported; the
        # report text for all other threads is discarded.
        if has_comment:
            outfd.write("{0}\n".format(s))
开发者ID:JamesHabben,项目名称:community,代码行数:60,代码来源:malthfind.py
示例5: print_info
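def print_info():
    """Print every registered address space, plugin, profile and scanner check.

    For each category the registered classes are listed with the first line
    of their docstring, or ``'No docs'`` when a class has no docstring at all
    (``__doc__`` is None) or only a blank one (the original let the latter
    escape as IndexError).  Plugin names are lower-cased to match how they
    are invoked.  Categories are ordered by their display label, which is
    stable and works on every Python version, unlike sorting on the class
    objects themselves.
    """
    categories = {addrspace.BaseAddressSpace: 'Address Spaces',
                  commands.Command : 'Plugins',
                  obj.Profile: 'Profiles',
                  scan.ScannerCheck: 'Scanner Checks'}
    for c, n in sorted(categories.items(), key=lambda item: item[1]):
        lower = (c == commands.Command)
        plugins = registry.get_plugin_classes(c, lower = lower)
        print("\n")
        print("{0}".format(n))
        print("-" * len(n))
        result = []
        max_length = 0
        for clsname, cls in sorted(plugins.items()):
            try:
                doc = cls.__doc__.strip().splitlines()[0]
            except (AttributeError, IndexError):
                # No docstring (None), or a whitespace-only one with no first line.
                doc = 'No docs'
            result.append((clsname, doc))
            max_length = max(len(clsname), max_length)
        # Pad the name column to the longest class name in this category.
        for (name, doc) in result:
            print("{0:{2}} - {1:15}".format(name, doc, max_length))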
开发者ID:AndrewChubatiuk,项目名称:VolatilityLibvirtXen,代码行数:25,代码来源:vol.py
示例6: guess_profile
def guess_profile(self, memimg):
    '''
    Try every registered Volatility profile against one of the
    user-specified memory image files until an address space exposing a
    ``dtb`` attribute loads.  This can easily take on the order of minutes.
    @memimg: a memory image file name
    @return: the name of the first profile that produced such an address
             space, or None when no profile did
    '''
    sys.stderr.write("Auto configuring profile. This may take a some time.\n")
    self.set_memimg(memimg)
    # Volatility refuses to load an address space without some profile set,
    # so start from a placeholder one before iterating the real candidates.
    self.set_profile('WinXPSP2x86')
    candidates = [cls.__name__ for cls in registry.get_plugin_classes(obj.Profile).values()]
    for candidate in candidates:
        self.config.update('profile', candidate)
        loaded = utils.load_as(self.config, astype='any')
        if hasattr(loaded, "dtb"):
            return candidate
    return None
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:27,代码来源:volsetup.py
示例7: load_as
def load_as(config, astype = 'virtual', **kwargs):
    """Loads an address space by stacking valid ASes on top of each other (priority order first)

    Each voting round walks every registered BaseAddressSpace subclass in
    ascending ``order`` (a class without an ``order`` attribute counts as
    10) and tries to construct it on top of the address space chosen so
    far.  The first class that instantiates wins the round; a round in
    which no class succeeds ends the loop.  Every failure reason is
    collected in ``error`` (an exceptions.AddrSpaceError).
    """
    base_as = None
    error = exceptions.AddrSpaceError()
    # Start off requiring another round
    found = True
    ## A full iteration through all the classes without anyone
    ## selecting us means we are done:
    while found:
        debug.debug("Voting round")
        found = False
        for cls in sorted(registry.get_plugin_classes(addrspace.BaseAddressSpace).values(),
                          key = lambda x: x.order if hasattr(x, 'order') else 10):
            debug.debug("Trying {0} ".format(cls))
            try:
                base_as = cls(base_as, config, astype = astype, **kwargs)
                debug.debug("Succeeded instantiating {0}".format(base_as))
                found = True
                break
            except addrspace.ASAssertionError, e:
                # Expected rejection: the class decided it does not apply here.
                debug.debug("Failed instantiating {0}: {1}".format(cls.__name__, e), 2)
                error.append_reason(cls.__name__, e)
                continue
            except Exception, e:
                # Unexpected failure: recorded with an " - EXCEPTION" suffix
                # and swallowed so the remaining classes still get a vote.
                debug.debug("Failed instantiating (exception): {0}".format(e))
                error.append_reason(cls.__name__ + " - EXCEPTION", e)
                continue
    # NOTE(review): as excerpted here the function ends without a return, so
    # it yields None and the collected ``error`` is never raised.  The listing
    # header counts 29 lines for this example while fewer are shown, so the
    # tail is presumably truncated -- confirm against utils.py.
开发者ID:B-Rich,项目名称:amark,代码行数:29,代码来源:utils.py
示例8: __init__
def __init__(self):
    """Set up the Volatility configuration and discover the plugin commands.

    Creates ``self.config`` (a ``conf.ConfObject``) with an extra ``INFO``
    option, initialises debug logging, imports all plugins so they can
    register their own options, registers the address-space and command
    options, re-applies the logging level from ``config.DEBUG`` and finally
    stores the lower-cased command-name -> class mapping in ``self.cmds``.
    ``self.vmprocessMap`` starts out empty.
    """
    self.config = conf.ConfObject()
    self.cmds = {}
    self.vmprocessMap = {}
    self.config.add_option("INFO", default=None, action="store_true",
                           cache_invalidator=False,
                           help="Print information about all registered objects")
    # Logging format first; the level is re-applied below once the
    # DEBUG option is known.
    debug.setup()
    # Importing the plugins lets them register their config options.
    registry.PluginImporter()
    for option_owner in (addrspace.BaseAddressSpace, commands.Command):
        registry.register_global_options(self.config, option_owner)
    debug.setup(self.config.DEBUG)
    ## Command classes keyed by lower-cased name, used to resolve module names
    self.cmds = registry.get_plugin_classes(commands.Command, lower=True)
开发者ID:aqwertaqwert,项目名称:my_design_for_graduate,代码行数:31,代码来源:vmInspection.py
示例9: calculate
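def calculate(self):
    """Determines the address space

    Loads every registered Windows profile in turn to collect its expected
    KDBG header bytes, then runs one KDBGScanner pass (under the caller's
    original profile) looking for all of those needles at once.

    Yields:
        tuple: ``(profile_name, kdbg)`` where *kdbg* is a
        ``_KDDEBUGGER_DATA64`` object at the matching offset.
    """
    profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]
    proflens = {}
    maxlen = 0
    origprofile = self._config.PROFILE
    try:
        for p in profilelist:
            # BufferAddressSpace reads the profile from the config, so each
            # profile is made current in turn to obtain its KDBG header.
            self._config.update('PROFILE', p)
            buf = addrspace.BufferAddressSpace(self._config)
            if buf.profile.metadata.get('os', 'unknown') == 'windows':
                proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
                maxlen = max(maxlen, len(proflens[p]))
    finally:
        # Restore the caller's profile even if a profile fails to load; the
        # original only restored it on the success path.
        self._config.update('PROFILE', origprofile)
    scanner = KDBGScanner(needles = proflens.values())
    aspace = utils.load_as(self._config, astype = 'any')
    for offset in scanner.scan(aspace):
        # Read enough past the hit to compare against the longest needle.
        val = aspace.read(offset, maxlen + 0x10)
        for l in proflens:
            if val.find(proflens[l]) >= 0:
                kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
                yield l, kdbg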
开发者ID:Austi,项目名称:volatility,代码行数:25,代码来源:kdbgscan.py
示例10: _run_all_checks
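def _run_all_checks(self, checks, pool_header):
    """Execute all constraint checks.
    @param checks: an iterable of ``(check_name, args)`` pairs where *args*
                   is a dictionary of keyword arguments for that check.
    @param pool_header: the target _POOL_HEADER to check
    @returns False if any checks fail, otherwise True.

    The built-in checks (CheckPoolSize, CheckPoolType, CheckPoolIndex)
    dispatch to the matching ``_check_pool_*`` method; any other name is
    looked up among the registered ScannerCheck classes and instantiated
    against ``pool_header.obj_vm`` with *args*.  Every check must pass for
    the result to be True -- the original returned the first custom check's
    verdict directly, so checks listed after it were never run.
    """
    builtin_checks = {
        "CheckPoolSize": self._check_pool_size,
        "CheckPoolType": self._check_pool_type,
        "CheckPoolIndex": self._check_pool_index,
    }
    for check, args in checks:
        builtin = builtin_checks.get(check)
        if builtin is not None:
            passed = builtin(args, pool_header)
        else:
            custom_check = registry.get_plugin_classes(scan.ScannerCheck)[check](pool_header.obj_vm, **args)
            passed = custom_check.check(pool_header.PoolTag.obj_offset)
        if not passed:
            return False
    return True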
开发者ID:ulrich29,项目名称:volatility,代码行数:26,代码来源:poolscan.py
示例11: execute
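def execute(self):
    """ Executes the plugin command.

    Checks that ``self._config.PROFILE`` is a registered profile this plugin
    supports (``debug.error`` otherwise), runs ``calculate()`` and hands the
    result to the ``render_<OUTPUT>`` method named by ``self._config.OUTPUT``.
    Output goes to ``self._config.OUTPUT_FILE`` when set, else to
    ``sys.stdout``.

    The renderer is resolved before the output file is opened, so an
    unsupported format no longer leaves an empty file behind, and a file this
    method opened is always closed once rendering finishes (the original
    never closed it).
    """
    # Check we can support the plugins
    profs = registry.get_plugin_classes(obj.Profile)
    if self._config.PROFILE not in profs:
        debug.error("Invalid profile " + self._config.PROFILE + " selected")
    if not self.is_valid_profile(profs[self._config.PROFILE]()):
        debug.error("This command does not support the profile " + self._config.PROFILE)

    # # Executing plugins is done in two stages - first we calculate
    data = self.calculate()

    ## Then we render the result in some way based on the
    ## requested output mode:
    function_name = "render_{0}".format(self._config.OUTPUT)
    try:
        func = getattr(self, function_name)
    except AttributeError:
        ## Try to find out what formats are supported
        result = [x[len("render_"):] for x in dir(self) if x.startswith("render_")]
        print("Plugin {0} is unable to produce output in format {1}. Supported formats are {2}. Please send a feature request".format(self.__class__.__name__, self._config.OUTPUT, result))
        return

    if self._config.OUTPUT_FILE:
        # TODO: We should probably check that this won't blat over an existing file
        # (the path is taken from the config as-is and mode 'w' truncates it).
        outfd = open(self._config.OUTPUT_FILE, 'w')
    else:
        outfd = sys.stdout
    try:
        func(outfd, data)
    finally:
        # Only close what we opened; stdout must stay usable for the caller.
        if outfd is not sys.stdout:
            outfd.close()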
开发者ID:B-Rich,项目名称:amark,代码行数:35,代码来源:commands.py
示例12: calculate
def calculate(self):
    """Determines the address space

    Yields ``(profile_name, kdbg)`` candidates found by scanning for the
    KDBG header bytes of every registered Windows profile.  64-bit profiles
    with (major, minor) >= (6, 2) are collected separately in
    ``encrypted_kdbg_profiles`` and handled by the
    ``VolMagic(...).KDBG.generate_suggestions()`` path, which only runs when
    the needle scan found nothing.  ``self._config.PROFILE`` is switched
    repeatedly while scanning.
    """
    profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]
    encrypted_kdbg_profiles = []
    proflens = {}
    maxlen = 0
    origprofile = self._config.PROFILE
    for p in profilelist:
        # BufferAddressSpace reads the profile from the config, so each
        # profile is made current in turn to obtain its KDBG header needle.
        self._config.update('PROFILE', p)
        buf = addrspace.BufferAddressSpace(self._config)
        if buf.profile.metadata.get('os', 'unknown') == 'windows':
            proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
            maxlen = max(maxlen, len(proflens[p]))
            # x64 profiles for NT 6.2 and later are set aside for the
            # dedicated scan below (see the win8/2012 comment).
            if (buf.profile.metadata.get('memory_model', '64bit') == '64bit' and
                (buf.profile.metadata.get('major', 0),
                 buf.profile.metadata.get('minor', 0)) >= (6, 2)):
                encrypted_kdbg_profiles.append(p)
    # NOTE(review): there is no try/finally here, so if BufferAddressSpace
    # raises part-way through the loop the caller's profile is not restored.
    self._config.update('PROFILE', origprofile)
    # keep track of the number of potential KDBGs we find
    count = 0
    if origprofile not in encrypted_kdbg_profiles:
        scanner = KDBGScanner(needles = proflens.values())
        aspace = utils.load_as(self._config, astype = 'any')
        suspects = []
        for offset in scanner.scan(aspace):
            # Read enough past the hit to compare against the longest needle.
            val = aspace.read(offset, maxlen + 0x10)
            for l in proflens:
                if val.find(proflens[l]) >= 0:
                    kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
                    suspects.append((l, kdbg))
                    count += 1
        for p, k in suspects:
            if not self._config.FORCE:
                yield p, k
                continue
            # With FORCE set, re-scan under the matching profile's own
            # address space and yield the KDBG objects found there instead.
            self._config.update("PROFILE", p)
            nspace = utils.load_as(self._config, astype = "any")
            for offset in scanner.scan(nspace):
                val = nspace.read(offset, maxlen + 0x10)
                if val.find(proflens[p]) >= 0:
                    kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = nspace)
                    yield p, kdbg
        self._config.update('PROFILE', origprofile)
    # only perform the special win8/2012 scan if we didn't find
    # any others and if a virtual x64 address space is available
    if count == 0:
        # Narrow to the caller's profile when it is itself one of the
        # encrypted-KDBG profiles.
        if origprofile in encrypted_kdbg_profiles:
            encrypted_kdbg_profiles = [origprofile]
        for profile in encrypted_kdbg_profiles:
            self._config.update('PROFILE', profile)
            aspace = utils.load_as(self._config, astype = 'any')
            if hasattr(aspace, 'vtop'):
                for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
                    yield profile, kdbg
        # NOTE(review): PROFILE is left set to the last profile tried here;
        # unlike the branches above it is not restored to origprofile.
开发者ID:BryanSingh,项目名称:volatility,代码行数:60,代码来源:kdbgscan.py
示例13: search_stack_frames
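def search_stack_frames(self, start, stack_base, stack_limit, yara_rules, frame_delta=32, unwind=DEFAULT_UNWIND):
    """
    Use Yara to search kernel/user stack frames within +/- frame_delta of the frame's start
    address.
    Frames to search are chosen by using the strategies specified by the unwind parameter
    (a comma-separated list of registered StackTop subclass names).
    yara_rules - compiled Yara rules, built for example with:
        1. yara.compile("/path/to/yara.rules")
     or 2. yara.compile(source="rule dummy { condition: true }")

    Yields (match, string_name, value, frame_start, relative_offset) for every
    Yara string hit; relative_offset is the match offset rebased so that the
    frame start is 0, i.e. it lies in [-frame_delta, frame_delta).

    Raises ValueError for an unknown unwind strategy name; calls debug.error
    when the yara module is not installed.
    """
    if not yara_installed:
        debug.error("In order to search the stack frames, it is necessary to install yara")
    stack_registry = registry.get_plugin_classes(StackTop)
    for unwind_strategy_nm in unwind.split(","):
        if unwind_strategy_nm not in stack_registry:
            raise ValueError("{0} is not a known stack unwind strategy".format(unwind_strategy_nm))
        unwind_strategy = stack_registry[unwind_strategy_nm](start, stack_base, stack_limit, self)
        for frame in itertools.chain(unwind_strategy.up(), unwind_strategy.down()):
            # Read a 2*frame_delta byte window centred on the frame start.
            search_data = self.get_process_address_space().zread(frame.start - frame_delta, 2 * frame_delta)
            for match in yara_rules.match(data = search_data):
                for moffset, name, value in match.strings:
                    # Match offset here is converted into frame start address and a +/- frame_delta
                    yield match, name, value, frame.start, moffset - frame_delta
    # A plain return ends the generator; the original's ``raise StopIteration``
    # inside a generator body is a RuntimeError under PEP 479 (Python 3.7+).
    return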
开发者ID:binsrc,项目名称:volatility-1,代码行数:29,代码来源:exportstack.py
示例14: profile_list
def profile_list(self):
    """
    return a list of profiles
    :return: list of registered profile names, sorted alphabetically
    """
    registered = registry.get_plugin_classes(obj.Profile)
    # Iterating the mapping yields its keys, i.e. the profile names.
    return sorted(registered)
开发者ID:LucaBongiorni,项目名称:VolUtility,代码行数:10,代码来源:vol_interface.py
示例15: profile_list
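def profile_list():
    """Return a JSON array of ``[profile_name, first_doc_line]`` pairs.

    Profiles come from the registry and are sorted by name.  A profile with
    no docstring (``__doc__`` is None) or a blank one is listed as
    ``'No docs'``; the original only caught the None case and let a blank
    docstring escape as IndexError.
    """
    plugins = registry.get_plugin_classes(obj.Profile)
    result = []
    for clsname, cls in sorted(plugins.items()):
        try:
            doc = cls.__doc__.strip().splitlines()[0]
        except (AttributeError, IndexError):
            # __doc__ is None, or whitespace-only so there is no first line.
            doc = 'No docs'
        result.append((clsname, doc))
    return json.dumps(result)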
开发者ID:JamesHabben,项目名称:evolve,代码行数:10,代码来源:evolve.py
示例16: __init__
def __init__(self, memdump, osprofile):
    """@param memdump: the memdump file path
    @param osprofile: the profile (OS type)

    Imports the Volatility plugins, records the registered profile names in
    ``self.profiles`` and then builds the configuration via ``init_config``.
    ``self.config`` and ``self.addr_space`` start out as None.
    """
    registry.PluginImporter()
    self.memdump, self.osprofile = memdump, osprofile
    self.config = self.addr_space = None
    self.profiles = registry.get_plugin_classes(obj.Profile).keys()
    self.init_config()
开发者ID:jgajek,项目名称:cuckoo,代码行数:11,代码来源:memory.py
示例17: profile_list
def profile_list(self):
    """
    Return the available profiles, sorted, with the pseudo-profile
    'AutoDetect' included.
    :return: sorted profile list
    """
    registered = registry.get_plugin_classes(obj.Profile)
    # 'AutoDetect' is not a registered profile; it is sorted in with the rest.
    return sorted(['AutoDetect'] + list(registered))
开发者ID:neplyudof,项目名称:lyzer,代码行数:12,代码来源:volinterface.py
示例18: check_valid_profile
def check_valid_profile(option, _opt_str, value, parser):
    """Checks to make sure the selected profile is valid

    optparse callback: when profiles have already been registered and
    *value* is not one of them, ``debug.error`` is called with the
    offending name; otherwise the value is stored on ``parser.values``
    under the option's destination.
    """
    # PROFILES may not have been created yet,
    # but the callback should get called once it has
    # during the final parse of the config options
    registered = registry.get_plugin_classes(obj.Profile)
    if registered and value not in registered:
        debug.error("Invalid profile " + value + " selected")
    setattr(parser.values, option.dest, value)
开发者ID:Natzugen,项目名称:volatility,代码行数:12,代码来源:addrspace.py
示例19: __init__
def __init__(self, config, *args, **kwargs):
    """Register the exportstack options and resolve the unwind strategies.

    Adds the UNWIND, LISTUNWINDS and SYMBOLS options; with LISTUNWINDS set
    the registered StackTop subclasses are printed and the process exits.
    Otherwise the UNWIND value is split on commas into
    ``self.kernel_strategies`` and ``self.user_strategies`` (KernelFrame /
    UserFrame subclasses; an entry may be prefixed with ``kernel:`` or
    ``user:`` to force one side).  Unknown names are passed to
    ``debug.error``.  ``self.filters`` holds the comma-separated FILTER
    option as a set (empty when unset) and ``self.use_symbols`` mirrors
    SYMBOLS.
    """
    threads.Threads.__init__(self, config, *args, **kwargs)
    if not yara_installed:
        debug.warning("In order to search the stack frames, it is necessary to install yara - searching is disabled")
    config.add_option('UNWIND', default = DEFAULT_UNWIND, help = 'List of frame unwinding strategies (comma-separated)', action = 'store', type = 'str')
    config.add_option('LISTUNWINDS', default = False, help = 'List all known frame unwinding strategies', action = 'store_true')
    config.add_option("SYMBOLS", default = False, action = 'store_true', cache_invalidator = False, help = "Use symbol servers to resolve process addresses to module names (we assume symbol tables have already been built)")
    stack_registry = registry.get_plugin_classes(StackTop)
    if getattr(config, 'LISTUNWINDS', False):
        print "Stack Frame Unwind Strategies:\n"
        for cls_name, cls in sorted(stack_registry.items(), key=lambda v: v[0]):
            # Skip the UserFrame / KernelFrame entries themselves
            # (presumably the base classes rather than usable strategies).
            if cls_name not in ["UserFrame", "KernelFrame"]:
                print "{0:<20}: {1}\n".format(cls_name, pydoc.getdoc(cls))
        sys.exit(0)
    self.kernel_strategies = []
    self.user_strategies = []
    for strategy in getattr(config, 'UNWIND', DEFAULT_UNWIND).split(","):
        if ":" in strategy:
            # Explicitly scoped entry: "kernel:<name>" or "user:<name>".
            if strategy.startswith("kernel:"):
                strategy = strategy[len("kernel:"):]
                if strategy not in stack_registry or not issubclass(stack_registry[strategy], KernelFrame):
                    debug.error("{0} is not a valid kernel stack unwinding strategy".format(strategy))
                self.kernel_strategies.append(stack_registry[strategy])
            elif strategy.startswith("user:"):
                strategy = strategy[len("user:"):]
                if strategy not in stack_registry or not issubclass(stack_registry[strategy], UserFrame):
                    debug.error("{0} is not a valid user stack unwinding strategy".format(strategy))
                self.user_strategies.append(stack_registry[strategy])
            else:
                debug.error("{0} is an unrecognised stack".format(strategy.split(":")[0]))
        elif strategy not in stack_registry:
            debug.error("{0} is neither a valid kernel nor user stack unwinding strategy".format(strategy))
        elif not issubclass(stack_registry[strategy], KernelFrame) and not issubclass(stack_registry[strategy], UserFrame):
            # NOTE(review): this message drops the word "user" compared with
            # the one just above; presumably a typo.
            debug.error("{0} is neither a valid kernel nor stack unwinding strategy".format(strategy))
        else:
            # Unscoped entry: a class deriving from both KernelFrame and
            # UserFrame is added to both lists.
            if issubclass(stack_registry[strategy], KernelFrame):
                self.kernel_strategies.append(stack_registry[strategy])
            if issubclass(stack_registry[strategy], UserFrame):
                self.user_strategies.append(stack_registry[strategy])
    self.use_symbols = getattr(config, 'SYMBOLS', False)
    # Determine which filters the user wants to see
    if getattr(config, 'FILTER', None):
        self.filters = set(config.FILTER.split(','))
    else:
        self.filters = set()
开发者ID:binsrc,项目名称:volatility-1,代码行数:52,代码来源:exportstack.py
示例20: volmain
def volmain(argv):
    """Run one Volatility command line given as a single space-separated string.

    Mirrors the framework's main(): installs the usage and help hooks,
    prints the version banner to stderr, imports the plugins, registers the
    global options, handles ``--info``, then locates the first positional
    argument naming a registered command, instantiates it with the
    module-level ``config`` and executes it.  A VolatilityException is
    caught and printed.
    """
    # Few modifications in original code
    config.set_usage(usage="Volatility - A memory forensics analysis platform.")
    config.add_help_hook(list_plugins)
    # NOTE(review): the line is split on single spaces only, so quoted or
    # multi-space arguments are not handled the way a shell would.
    sys.argv = argv.split(" ")

    # Get the version information on every output from the beginning
    # Exceptionally useful for debugging/telling people what's going on
    sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))
    # Setup the debugging format
    debug.setup()
    # Load up modules in case they set config options
    registry.PluginImporter()
    ## Register all register_options for the various classes
    for option_owner in (addrspace.BaseAddressSpace, commands.Command):
        registry.register_global_options(config, option_owner)
    if config.INFO:
        print_info()
    ## Parse all the options now
    config.parse_options(False)
    # Reset the logging level now we know whether debug is set or not
    debug.setup(config.DEBUG)

    ## The first positional argument that names a command selects the module
    cmds = registry.get_plugin_classes(commands.Command, lower=True)
    module = next((candidate for candidate in config.args if candidate in cmds), None)
    if not module:
        config.parse_options()
    try:
        if module in cmds:
            command = cmds[module](config)
            ## Register the help cb from the command itself
            config.set_help_hook(obj.Curry(command_help, command))
            config.parse_options()
            if not config.LOCATION:
                debug.error("Please specify a location (-l) or filename (-f)")
            command.execute()
    except exceptions.VolatilityException as e:
        print(e)
开发者ID:cysinfo,项目名称:PyMal,代码行数:52,代码来源:pymal.py
注:本文中的volatility.registry.get_plugin_classes函数示例由纯净天空整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |