本文整理汇总了Python中volatility.plugins.mac.common.set_plugin_members函数的典型用法代码示例。如果您正苦于以下问题:Python set_plugin_members函数的具体用法?Python set_plugin_members怎么用?Python set_plugin_members使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了set_plugin_members函数的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Python代码示例。
示例1: calculate
def calculate(self):
    """Yield (address, key_bytes) for candidate FileVault2 VMK copies in kernel_task.

    Only read-only ('r--') mappings of ``kernel_task`` are examined.  A
    mapping is reported when its first 16 bytes are repeated at offset
    0x430 (the second VMK instance, not the tweak key) and the leading
    32-bit word is non-zero.
    """
    common.set_plugin_members(self)
    for task in pstasks.mac_tasks.calculate(self):
        # only the kernel task holds the key material
        if str(task.p_comm) != "kernel_task":
            continue
        task_as = task.get_process_address_space()
        for region in task.get_proc_maps():
            if region.get_perms() != 'r--':
                continue
            start = region.links.start
            first_copy = task_as.read(start, 16)
            # second instance of the VMK, not the tweak key
            second_copy = task_as.read(start + 0x430, 16)
            leading_word = obj.Object("unsigned int", offset = start, vm = task_as)
            if not first_copy or leading_word == 0x0:
                continue
            if first_copy == second_copy:
                yield start, first_copy
开发者ID:JamesHabben,项目名称:community,代码行数:26,代码来源:filevault2.py
示例2: calculate
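def calculate(self):
    """Yield (name, unit, mac, promisc, ips) for each interface on ``_dlil_ifnet_head``.

    Both the interface list and each interface's ``if_addrhead`` list are
    read from the memory image, so a smeared or planted ``next`` pointer
    could form a cycle and loop forever; each walk stops at the first node
    it has already visited.  On an intact list the output is unchanged.
    """
    common.set_plugin_members(self)
    space = self.addr_space
    list_head_addr = space.profile.get_symbol("_dlil_ifnet_head")
    list_head_ptr = obj.Object("Pointer", offset = list_head_addr, vm = space)
    ifnet = list_head_ptr.dereference_as("ifnet")
    seen_ifnets = set()
    while ifnet:
        # key on .v(): the struct address both for the dereferenced head and for a tqe_next pointer
        ifnet_addr = ifnet.v()
        if ifnet_addr in seen_ifnets:
            break
        seen_ifnets.add(ifnet_addr)
        name = ifnet.if_name.dereference()
        unit = ifnet.if_unit
        prom = ifnet.if_flags & 0x100 == 0x100 # IFF_PROMISC
        addr_dl = obj.Object("sockaddr_dl", offset = ifnet.if_lladdr.ifa_addr.v(), vm = space)
        mac = addr_dl.v() if addr_dl.is_valid() else ""
        ips = []
        seen_ifaddrs = set()
        ifaddr = ifnet.if_addrhead.tqh_first
        while ifaddr:
            ifaddr_addr = ifaddr.v()
            if ifaddr_addr in seen_ifaddrs:
                break
            seen_ifaddrs.add(ifaddr_addr)
            ip = ifaddr.ifa_addr.get_address()
            if ip:
                ips.append(ip)
            ifaddr = ifaddr.ifa_link.tqe_next
        yield (name, unit, mac, prom, ips)
        ifnet = ifnet.if_link.tqe_next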
开发者ID:DSLeung,项目名称:volatility,代码行数:30,代码来源:ifconfig.py
示例3: calculate
def calculate(self):
    """Yield (proc, person) for every ':ABPerson' record found in a task's anonymous sqlite3 pages.

    Only read/write mappings without a backing file are read; a mapping is
    parsed only when its first 32 bytes carry the "SQLite format" header.
    Each hit is returned as a 256-byte utf8 String object at the match offset.
    """
    common.set_plugin_members(self)
    for task in pstasks.mac_tasks.calculate(self):
        task_as = task.get_process_address_space()
        for region in task.get_proc_maps():
            # read/write and not file-backed, otherwise skip
            if region.get_perms() != "rw-" or region.get_path():
                continue
            start = region.links.start
            # sqlite3 signature check on the header
            if "SQLite format" not in task_as.zread(start, 32):
                continue
            # pull the whole sqlite3 region
            blob = task_as.zread(start, region.links.end - start)
            for hit in utils.iterfind(blob, ":ABPerson"):
                person = obj.Object("String", offset = start + hit, vm = task_as, encoding = "utf8", length = 256)
                yield task, person
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:28,代码来源:contacts.py
示例4: calculate
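def calculate(self):
    """Yield the kernel message buffer (dmesg) as one string.

    Reads ``msg_size`` bytes from ``msgbuf.msg_bufc``.  When the ring
    buffer has wrapped, the text after the write index ``msg_bufx`` is
    older and is placed before the text at the start of the buffer.
    Yields nothing when the buffer cannot be read.
    """
    common.set_plugin_members(self)
    msgbuf_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("_msgbufp"), vm = self.addr_space)
    msgbufp = msgbuf_ptr.dereference_as("msgbuf")
    bufx = msgbufp.msg_bufx
    size = msgbufp.msg_size
    bufc = self.addr_space.read(msgbufp.msg_bufc, size)
    # read() returns None when the pages are not resident; nothing to report then
    if not bufc:
        return
    # a write index at or past the end of the buffer would index outside it
    if bufx >= size:
        bufx = 0
    # NOTE(review): on Python 2 bufc is a str, so bufc[bufx] is a one-char
    # string and comparing it with the int 0 is always False; confirm whether
    # the get_string path is meant to be reachable there.
    if bufc[bufx] == 0 and bufc[0] != 0:
        ## FIXME: can we do this without get_string?
        buf = common.get_string(bufc, self.addr_space)
    else:
        # older messages first, then the wrapped-around start of the buffer
        buf = bufc[bufx:bufx + size] + bufc[0:bufx]
        # strip leading NULLs in one call; a character-by-character loop
        # raises IndexError once an all-NULL buffer has been consumed
        buf = buf.lstrip(b"\x00")
    yield buf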
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:26,代码来源:dmesg.py
示例5: calculate
def calculate(self):
    """Yield (table_addr, "TrapTable", index, handler_addr, symbol, hooked) per mach trap.

    A trap handler whose address is not among the profile's known symbol
    addresses is reported as hooked with the symbol name "HOOKED".
    """
    common.set_plugin_members(self)
    self._set_vtypes()
    known_addrs = self.profile.get_all_addresses()
    profile = self.addr_space.profile
    table_addr = profile.get_symbol("_mach_trap_table")
    ntraps = obj.Object("int", offset = profile.get_symbol("_mach_trap_count"), vm = self.addr_space)
    traps = obj.Object(theType = "Array", offset = table_addr, vm = self.addr_space, count = ntraps, targetType = "mach_trap")
    for idx, trap in enumerate(traps):
        handler = trap.mach_trap_function.v()
        if not handler:
            continue
        # anything outside the known kernel symbols is treated as hooked
        hooked = handler not in known_addrs
        sym_name = "HOOKED" if hooked else self.profile.get_symbol_by_address("kernel", handler)
        yield (table_addr, "TrapTable", idx, handler, sym_name, hooked)
开发者ID:Austi,项目名称:volatility,代码行数:26,代码来源:check_trap_table.py
示例6: calculate
def calculate(self):
    """Yield each kmod_info on the kernel's ``_kmod`` list, optionally filtered by ADDR.

    The walk stops on a revisited node (cyclic list) or after 1025 nodes.
    With ``ADDR`` set, only the module whose [address, address + size]
    range contains it is yielded.
    """
    common.set_plugin_members(self)
    kmod_sym = self.addr_space.profile.get_symbol("_kmod")
    kmodaddr = obj.Object("Pointer", offset = kmod_sym, vm = self.addr_space)
    # '== None' on purpose: an unreadable pointer is a NoneObject, which compares equal to None
    if kmodaddr == None:
        return
    kmod = kmodaddr.dereference_as("kmod_info")
    visited = set()
    walked = 0
    wanted = self._config.ADDR
    while kmod.is_valid():
        # key on .v() instead of .obj_offset due 'next' being at offset 0
        here = kmod.v()
        if here in visited or walked > 1024:
            break
        visited.add(here)
        walked += 1
        if not wanted or (kmod.address <= wanted <= (kmod.address + kmod.m("size"))):
            yield kmod
        kmod = kmod.next
开发者ID:chansonzhang,项目名称:volatility,代码行数:27,代码来源:lsmod.py
示例7: calculate
def calculate(self):
    """Yield (known, key, notifier, matches) for every registered IOKit notification handler.

    ``known`` is True when the handler address lies inside the kernel or a
    known kext; a handler anywhere else is the trace a rootkit would leave.
    """
    common.set_plugin_members(self)
    (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self)
    space = self.addr_space
    gnotify_addr = common.get_cpp_sym("gNotifications", space.profile)
    gnotify_ptr = obj.Object("Pointer", offset = gnotify_addr, vm = space)
    gnotifications = gnotify_ptr.dereference_as("OSDictionary")
    entries = obj.Object('Array', offset = gnotifications.dictionary, vm = space, targetType = 'dictEntry', count = gnotifications.count)
    # walk the current set of notifications
    for entry in entries:
        # '== None' on purpose: an unreadable entry is a NoneObject, which compares equal to None
        if entry == None:
            continue
        key = entry.key.dereference_as("OSString")
        # the value is an ordered set of notifier pointers
        ordered_set = entry.value.dereference_as("OSOrderedSet")
        notifier_ptrs = obj.Object('Array', offset = ordered_set.array, vm = space, targetType = 'Pointer', count = ordered_set.count)
        for notifier_ptr in notifier_ptrs:
            notifier = notifier_ptr.dereference_as("_IOServiceNotifier")
            if notifier == None:
                continue
            matches = self.get_matching(notifier)
            # the handler services the notification; it should only live in the
            # kernel or in one of the known IOKit drivers for this kernel
            handler = notifier.handler
            known = common.is_known_address(handler, kernel_symbol_addresses, kmods)
            yield (known, key, notifier, matches)
开发者ID:Jack47,项目名称:volatility,代码行数:35,代码来源:notifiers.py
示例8: calculate
def calculate(self):
    """Yield (proc_as, key_buf_ptr) candidates found in securityd's memory.

    Only 0x100000-byte mappings of ``securityd`` lying between
    0x00007f0000000000 and 0x00007fff00000000 are scanned, one pointer
    width at a time, for a 32-bit word equal to 0x18 followed by a pointer
    that points back into the same mapping.
    """
    common.set_plugin_members(self)
    is_32bit = self.addr_space.profile.metadata.get('memory_model', '32bit') == "32bit"
    ptr_sz = 4 if is_32bit else 8
    for task in pstasks.mac_tasks.calculate(self):
        if str(task.p_comm) != "securityd":
            continue
        task_as = task.get_process_address_space()
        for region in task.get_proc_maps():
            in_window = region.start > 0x00007f0000000000 and region.end < 0x00007fff00000000
            if not (in_window and region.end - region.start == 0x100000):
                continue
            for addr in range(region.start, region.end, ptr_sz):
                marker = obj.Object("unsigned int", offset = addr, vm = task_as)
                if not marker or marker != 0x18:
                    continue
                key_buf_ptr = obj.Object("unsigned long", offset = addr + ptr_sz, vm = task_as)
                # the buffer pointer must land inside this same mapping
                if region.start <= key_buf_ptr < region.end:
                    yield task_as, key_buf_ptr
开发者ID:BryanSingh,项目名称:volatility,代码行数:30,代码来源:keychaindump.py
示例9: calculate
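def calculate(self):
    """Yield a kmod_info for every Mach-O image mapped in the kernel's kext map.

    Walks ``nentries`` entries of ``_g_kext_map`` and stops early on a
    null link.  Entries whose start holds no valid Mach-O header, or whose
    header has no ``_kmod_info`` symbol, are skipped.
    """
    common.set_plugin_members(self)
    space = self.addr_space
    map_sym = space.profile.get_symbol("_g_kext_map")
    mapaddr = obj.Object("Pointer", offset = map_sym, vm = space)
    kextmap = mapaddr.dereference_as("_vm_map")
    entry = kextmap.hdr
    for _ in range(kextmap.hdr.nentries):
        entry = entry.links.next
        if not entry:
            break
        macho = obj.Object("macho_header", offset = entry.start, vm = space)
        # an invalid header has no symbol table to look up
        kmod_start = macho.address_for_symbol("_kmod_info") if macho.is_valid() else 0
        if kmod_start:
            # the unused 'address = kext.start' local of the original is dropped
            yield obj.Object("kmod_info", offset = kmod_start, vm = space)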
开发者ID:DSLeung,项目名称:volatility,代码行数:28,代码来源:gkextmap.py
示例10: calculate
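def calculate(self):
    """Yield (proc, fd_index, fileproc, path) for every open descriptor of every task.

    ``path`` is the vnode's full path for descriptors of type 1
    (DTYPE_VNODE) and "" for everything else.
    """
    common.set_plugin_members(self)
    space = self.addr_space
    for task in pstasks.mac_tasks(self._config).calculate():
        # fd_lastfile is the highest descriptor index in use (the "high-water
        # mark" of fd_ofiles), so the table holds fd_lastfile + 1 slots;
        # counting only fd_lastfile silently drops the last open descriptor.
        fd_count = task.p_fd.fd_lastfile + 1
        fds = obj.Object('Array', offset = task.p_fd.fd_ofiles, vm = space, targetType = 'Pointer', count = fd_count)
        for idx, fd_ptr in enumerate(fds):
            fproc = fd_ptr.dereference_as("fileproc")
            if not fproc:
                continue
            fglob = fproc.f_fglob
            if 'fg_type' in fglob.dereference().__dict__['members']:
                ## FIXME after 2.3 replace this explicit int field with the following line:
                ## if str(f.f_fglob.fg_type) == 'DTYPE_VNODE':
                ## Its not needed for profiles generated with convert.py after r3290
                fg_type = obj.Object("int", fglob.fg_type.obj_offset, vm = space)
            else:
                # OS X Mavericks: the type lives in fg_ops
                fg_type = obj.Object("int", fglob.fg_ops.fo_type.obj_offset, vm = space)
            path = ""
            if fg_type == 1: # VNODE
                path = fglob.fg_data.dereference_as("vnode").full_path()
            yield task, idx, fproc, path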
开发者ID:FaisalHasan,项目名称:volatility,代码行数:27,代码来源:lsof.py
示例11: calculate
def calculate(self):
    """Yield (task_or_None, address, rule_hit, 64_bytes) for every YARA match.

    With ``KERNEL`` set, the kernel address space is scanned from the
    architecture's kernel base (task is None); otherwise every task's
    mappings are scanned in turn.  Aborts when the yara bindings are missing.
    """
    ## the yara bindings are a hard requirement
    if not has_yara:
        debug.error("Please install Yara from code.google.com/p/yara-project")
    ## leveraged from the windows yarascan plugin
    rules = self._compile_rules()
    ## set the mac plugin address spaces
    common.set_plugin_members(self)
    if not self._config.KERNEL:
        # scan each process memory block
        for task in pstasks.mac_tasks(self._config).calculate():
            scanner = MapYaraScanner(task = task, rules = rules)
            for hit, address in scanner.scan():
                yield (task, address, hit, scanner.address_space.zread(address, 64))
        return
    ## http://fxr.watson.org/fxr/source/osfmk/mach/i386/vm_param.h?v=xnu-2050.18.24
    kernel_space = self.addr_space
    if kernel_space.profile.metadata.get('memory_model', '32bit') != "32bit":
        kernel_start = 0xffffff8000000000
    elif common.is_64bit_capable(kernel_space):
        kernel_start = 0xc0000000
    else:
        kernel_start = 0
    scanner = malfind.DiscontigYaraScanner(rules = rules, address_space = kernel_space)
    for hit, address in scanner.scan(start_offset = kernel_start):
        yield (None, address, hit, scanner.address_space.zread(address, 64))
开发者ID:Austi,项目名称:volatility,代码行数:35,代码来源:mac_yarascan.py
示例12: calculate
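def calculate(self):
    """Yield every proc reachable from ``_allproc``, optionally filtered by PID.

    ``PID`` is a comma-separated list of integers.  An unparsable value is
    reported with a warning and the filter is ignored (the previous
    best-effort behaviour, minus the silence).  A revisited proc offset
    means the list is cyclic (non-atomic acquisition); the walk then stops
    with a warning.
    """
    common.set_plugin_members(self)
    pidlist = None
    try:
        if self._config.PID:
            pidlist = [int(p) for p in self._config.PID.split(',')]
    except (ValueError, AttributeError):
        # was a bare 'except: pass'; keep the no-filter fallback but say why
        debug.warning("Ignoring unparsable PID filter: {0!r}".format(getattr(self._config, "PID", None)))
    space = self.addr_space
    procsaddr = obj.Object("proclist", offset = space.profile.get_symbol("_allproc"), vm = space)
    proc = obj.Object("proc", offset = procsaddr.lh_first, vm = space)
    seen = set()
    while proc.is_valid():
        if proc.obj_offset in seen:
            debug.warning("Recursive process list detected (a result of non-atomic acquisition). Use mac_tasks or mac_psxview)")
            break
        seen.add(proc.obj_offset)
        if not pidlist or proc.p_pid in pidlist:
            yield proc
        proc = proc.p_list.le_next.dereference()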
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:29,代码来源:pslist.py
示例13: calculate
def calculate(self):
    """Yield (watcher_ptr, process_name, pid, events) per registered fsevents watcher.

    ``events`` lists, comma-separated, the event types whose ``event_list``
    entry equals 1.  Requires a profile whose fs_event_watcher has
    ``proc_name`` (OS X >= 10.8.2).
    """
    common.set_plugin_members(self)
    space = self.addr_space
    if not space.profile.obj_has_member("fs_event_watcher", "proc_name"):
        debug.error("This plugin only supports OS X >= 10.8.2. Please file a bug if you are running against a version matching this criteria.")
    event_types = [
        "CREATE_FILE", "DELETE", "STAT_CHANGED", "RENAME", "CONTENT_MODIFIED",
        "EXCHANGE", "FINDER_INFO_CHANGED", "CREATE_DIR", "CHOWN",
        "XATTR_MODIFIED", "XATTR_REMOVED", "DOCID_CREATED", "DOCID_CHANGED",
    ]
    table_addr = space.profile.get_symbol("_watcher_table")
    watchers = obj.Object(theType = "Array", targetType = "Pointer", count = 8, vm = space, offset = table_addr)
    for watcher_ptr in watchers:
        if not watcher_ptr.is_valid():
            continue
        watcher = watcher_ptr.dereference_as("fs_event_watcher")
        # proc_name is read as a fixed 33-byte field and cut at the first NUL
        name = space.read(watcher.proc_name.obj_offset, 33)
        if name:
            name = name.partition("\x00")[0]
        event_flags = obj.Object(theType = "Array", targetType = "unsigned char", offset = watcher.event_list.v(), count = 13, vm = space)
        subscribed = [event_types[i] for i, flag in enumerate(event_flags) if flag == 1]
        yield watcher_ptr, name, watcher.pid, ", ".join(subscribed)
开发者ID:CRYP706URU,项目名称:pyrebox,代码行数:35,代码来源:vfsevents.py
示例14: render_text
def render_text(self, outfd, data):
    """Print one row per thread: PID, name, start time, priority, start function and its resolution.

    The start function is resolved to a kernel symbol if possible, else to
    the owning module, else to the path of the mapping that contains it.
    """
    common.set_plugin_members(self)
    self.table_header(outfd, [
        ("PID", "8"),
        ("Name", "16"),
        ("Start Time", "32"),
        ("Priority", "6"),
        ("Start Function", "[addrpad]"),
        ("Function Map", ""),
    ])
    kaddr_info = common.get_handler_name_addrs(self)
    for task in data:
        for thread in task.threads():
            func_addr = thread.continuation
            (module, handler_sym) = common.get_handler_name(kaddr_info, func_addr)
            # prefer the exact symbol, then the module, else the mapping path
            handler = handler_sym or module or task.find_map_path(func_addr)
            self.table_row(outfd, task.p_pid, task.p_comm, thread.start_time(), thread.sched_pri, func_addr, handler)
开发者ID:chansonzhang,项目名称:volatility,代码行数:27,代码来源:threads_simple.py
示例15: calculate
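def calculate(self):
    """Yield (msg_num, routine_name, routine_addr) for every populated MIG hash bucket.

    A routine whose address resolves to no kernel symbol is reported with
    the name "HOOKED".
    """
    common.set_plugin_members(self)
    bucket_count = 1024
    profile = self.addr_space.profile
    mig_buckets_addr = profile.get_symbol("_mig_buckets")
    if profile.has_type("mig_hash_t"):
        ele_size = profile.get_obj_size("mig_hash_t")
        ele_type = "mig_hash_t"
    else:
        # we can't use an array as the size of mig_hash_entry
        # depends on if MAC_COUNTERS is set, which changes between kernels
        # mig_table_max_displ is declared directly after mig_buckets
        # which allows us to calculate the size of each entry dynamically
        di_addr = profile.get_symbol("_mig_table_max_displ")
        # floor division: '/' yields a float entry size, and hence float
        # offsets, on Python 3; on Python 2 the result is identical
        ele_size = (di_addr - mig_buckets_addr) // bucket_count
        ele_type = "mig_hash_entry"
    for i in range(bucket_count):
        entry = obj.Object(ele_type, offset = mig_buckets_addr + (i * ele_size), vm = self.addr_space)
        if entry.routine == 0:
            continue
        rname = profile.get_symbol_by_address("kernel", entry.routine) or "HOOKED"
        yield (entry.num, rname, entry.routine)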
开发者ID:chansonzhang,项目名称:volatility,代码行数:32,代码来源:check_mig_table.py
示例16: calculate
def calculate(self):
    """Yield (task, knote) for every knote reachable from a task's filedesc and p_klist."""
    common.set_plugin_members(self)
    for task in pstasks.mac_tasks(self._config).calculate():
        fdp = task.p_fd
        # mirrors the kernel walk:
        # for (i = 0; i < fdp->fd_knlistsize; i++) kn = SLIST_FIRST(&fdp->fd_knlist[i]);
        for knote in self._walk_karray(fdp.fd_knlist, fdp.fd_knlistsize):
            yield task, knote
        # if (fdp->fd_knhashmask != 0)
        #     for (i = 0; i < (int)fdp->fd_knhashmask + 1; i++) kn = SLIST_FIRST(&fdp->fd_knhash[i]);
        hash_mask = fdp.fd_knhashmask
        if hash_mask != 0:
            for knote in self._walk_karray(fdp.fd_knhash, hash_mask + 1):
                yield task, knote
        # finally the per-process knote list
        knote = task.p_klist.slh_first
        while knote.is_valid():
            yield task, knote
            knote = knote.kn_link.sle_next
开发者ID:CRYP706URU,项目名称:pyrebox,代码行数:26,代码来源:kevents.py
示例17: calculate
def calculate(self):
    """Yield (known, op_name, module, policy_name, ptr) for every non-null mac_policy_ops hook.

    ``known`` reports whether the hook address resolves into the kernel or
    a known kext; a hook outside both is what a TrustedBSD rootkit plants.
    """
    common.set_plugin_members(self)
    space = self.addr_space
    # every member of 'mac_policy_ops' is a function pointer to be checked
    op_names = self.get_members()
    # symbol and kext ranges used to decide whether a hook address is legitimate
    (kernel_symbol_addresses, kmods) = common.get_kernel_addrs(self)
    list_addr = space.profile.get_symbol("_mac_policy_list")
    policy_list = obj.Object("mac_policy_list", offset = list_addr, vm = space)
    policies = obj.Object('Array', offset = policy_list.entries, vm = space, targetType = 'mac_policy_list_element', count = policy_list.staticmax + 1)
    for element in policies:
        # the kernel checks for a null mpc everywhere; a policy without ops
        # is unusable, so a rootkit gains nothing from it
        if element.mpc == None:
            continue
        policy_name = element.mpc.mpc_name.dereference()
        ops = obj.Object("mac_policy_ops", offset = element.mpc.mpc_ops, vm = space)
        # walk each member of the struct
        for op_name in op_names:
            hook = ops.__getattr__(op_name)
            if hook.v() == 0 or not hook.is_valid():
                continue
            (known, module) = common.is_known_address_name(hook, kernel_symbol_addresses, kmods)
            yield (known, op_name, module, policy_name, hook)
开发者ID:vortessence,项目名称:vortessence,代码行数:32,代码来源:trustedbsd.py
示例18: render_text
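def render_text(self, outfd, data):
    """Write the decompressed pages of the selected map(s) to OUTPUTFILE and print a table of maps.

    Aborts without OUTPUTFILE or when that file already exists.  Maps
    larger than MAXMAPSIZE are skipped as probable smear.  With
    MAP_ADDRESS set only the map starting there is dumped; SKIP_WRITING
    counts bytes without writing them.
    """
    common.set_plugin_members(self)
    if not self._config.OUTPUTFILE:
        debug.error("Please specify an OUTPUTFILE")
    elif os.path.exists(self._config.OUTPUTFILE):
        # NOTE(review): exists() followed by open() is not atomic; Python 3's
        # exclusive 'x' mode would close that window but is unavailable on Python 2
        debug.error("Cowardly refusing to overwrite an existing file.")
    map_address = self._config.MAP_ADDRESS
    size = 0
    self.table_header(outfd, [("Pid", "8"),
                              ("Name", "20"),
                              ("Start", "#018x"),
                              ("End", "#018x"),
                              ("Perms", "9"),
                              ("Map Name", "")])
    # from osfmk/vm/vm_object.h. compressor_object is the high level VM object.
    self.compressor_object = obj.Object("vm_object",
                                        offset = self.addr_space.profile.get_symbol("_compressor_object_store"),
                                        vm = self.addr_space)
    # from osfmk/vm/vm_compressor.c. c_segments is an array of c_segu objects, which track and store compressed pages.
    # c_segment_count is current size of c_segments array.
    self.c_segment_count = obj.Object("unsigned int",
                                      offset = self.addr_space.profile.get_symbol("_c_segment_count"),
                                      vm = self.addr_space)
    self.c_segments_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("_c_segments"),
                                     vm = self.addr_space)
    self.c_segments = obj.Object("Array", targetType = "c_segu", count = self.c_segment_count,
                                 offset = self.c_segments_ptr, vm = self.addr_space)
    # the context manager closes the output even if a read or decompression raises mid-map
    with open(self._config.OUTPUTFILE, "wb+") as outfile:
        for proc, region in data:
            self.table_row(outfd,
                           str(proc.p_pid), proc.p_comm,
                           region.links.start,
                           region.links.end,
                           region.get_perms(),
                           region.get_path())
            if (region.links.end - region.links.start) > self.MAXMAPSIZE:
                outfd.write("Skipping suspiciously large map, smearing is suspected. Adjust MAXMAPSIZE to override.\n")
                continue
            if map_address and map_address != region.links.start:
                continue
            for page in self._read_addr_range(outfd, proc, region):
                if page is None:
                    continue
                size += self.wkdm.PAGE_SIZE_IN_BYTES
                if self._config.SKIP_WRITING:
                    continue
                for k in range(0, self.wkdm.PAGE_SIZE_IN_WORDS):
                    outfile.write(struct.pack('<i', page[k]))
    outfd.write("Wrote {0} bytes.\n".format(size))
    if self._config.DECOMPRESS_SWAP:
        outfd.write("{0} pages were successfully decompressed.\n".format(self.successful_decompressions))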
开发者ID:BryanSingh,项目名称:volatility,代码行数:59,代码来源:dump_map.py
示例19: unified_output
def unified_output(self, data):
    """Return a TreeGrid with columns Pid, Name, Start, Map Name fed by self.generator(data)."""
    common.set_plugin_members(self)
    columns = [
        ("Pid", int),
        ("Name", str),
        ("Start", Address),
        ("Map Name", str),
    ]
    return TreeGrid(columns, self.generator(data))
开发者ID:BryanSingh,项目名称:volatility,代码行数:8,代码来源:dlyd_maps.py
示例20: calculate
def calculate(self):
    """Yield the kernel boot command line, read from PE_state.bootArgs.CommandLine."""
    common.set_plugin_members(self)
    space = self.addr_space
    pe_state = obj.Object("PE_state", offset=space.profile.get_symbol("_PE_state"), vm=space)
    boot_args = pe_state.bootArgs.dereference_as("boot_args")
    yield boot_args.CommandLine
开发者ID:Siegfried5,项目名称:BHP,代码行数:8,代码来源:print_boot_cmdline.py
注:本文中的volatility.plugins.mac.common.set_plugin_members函数示例由纯净天空整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |