本文整理汇总了Python中volatility.plugins.linux.common.set_plugin_members函数的典型用法代码示例。如果您正苦于以下问题:Python set_plugin_members函数的具体用法?Python set_plugin_members怎么用?Python set_plugin_members使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了set_plugin_members函数的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Python代码示例。
示例1: render_text
def render_text(self, outfd, data):
    """Write every queued message on every task's open sockets to *outfd*.

    The sockets are re-enumerated here through linux_netstat; *data* is
    not read by this method.  One line is written per message returned
    by process_queue(), first for the receive queue, then the write
    queue, of each socket file descriptor.

    DUMP_DIR is stored on self.edir; a missing value or a path that is
    not a directory is reported through debug.error.
    """
    linux_common.set_plugin_members(self)

    self.edir = self._config.DUMP_DIR
    if not self.edir:
        debug.error("No output directory given.")
    if not os.path.isdir(self.edir):
        debug.error(self.edir + " is not a directory")

    queue_members = (("receive", "sk_receive_queue"),
                     ("write", "sk_write_queue"))

    netstat = linux_netstat.linux_netstat(self._config)
    for task in netstat.calculate():
        profile = task.obj_vm.profile
        socket_fops = profile.get_symbol("socket_file_ops")
        sockfs_dops = profile.get_symbol("sockfs_dentry_operations")

        for filp, fdnum in task.lsof():
            # a socket is recognised by its file ops or by its dentry ops
            is_socket = (filp.f_op == socket_fops
                         or filp.dentry.d_op == sockfs_dops)
            if not is_socket:
                continue

            sk = task.SOCKET_I(filp.dentry.d_inode).sk
            for label, member in queue_members:
                queue = getattr(sk, member)
                for msg in self.process_queue(label, task.pid, fdnum, queue):
                    outfd.write(msg + "\n")
开发者ID:BryanSingh,项目名称:volatility,代码行数:27,代码来源:pkt_queues.py
示例2: calculate
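def calculate(self):
    """Yield (path, inode) pairs, or dump one inode to disk, per the options.

    Exactly one mode runs, chosen in this order:
      * LISTFILES: yield (file_path, d_inode) for every entry of walk_sbs().
      * FIND: yield the first walk_sbs() entry whose path equals FIND.
      * inode + outfile: write every page from get_file_contents() for the
        inode at that address into outfile; nothing is yielded.
    Any other combination is reported through debug.error.
    """
    linux_common.set_plugin_members(self)
    find_file = self._config.FIND
    inode_addr = self._config.inode
    outfile = self._config.outfile
    listfiles = self._config.LISTFILES

    if listfiles:
        for (_, _, file_path, file_dentry) in self.walk_sbs():
            yield (file_path, file_dentry.d_inode)
    elif find_file and len(find_file):
        for (_, _, file_path, file_dentry) in self.walk_sbs():
            if file_path == find_file:
                yield (file_path, file_dentry.d_inode)
                break
    elif inode_addr and inode_addr > 0 and outfile and len(outfile) > 0:
        inode = obj.Object("inode", offset = inode_addr, vm = self.addr_space)
        # context manager: the handle used to leak when get_file_contents()
        # raised before the explicit close() was reached
        with open(outfile, "wb") as out:
            for page in self.get_file_contents(inode):
                out.write(page)
    else:
        debug.error("Incorrect command line parameters given.")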
开发者ID:Digitalisx,项目名称:volatility,代码行数:30,代码来源:find_file.py
示例3: calculate
def calculate(self):
    """Write one tmpfs superblock to disk, or list the tmpfs superblocks.

    With DUMP_DIR and SB set, the superblock numbered SB (1-based, as
    printed by the listing) is walked with walk_sb() into DUMP_DIR and
    nothing is yielded.  With LIST_SBS set, (number, path) pairs are
    yielded, numbered from 1.  Any other combination, a DUMP_DIR that is
    not a directory, or an out-of-range SB is reported through debug.error.
    """
    linux_common.set_plugin_members(self)
    cfg = self._config

    if cfg.DUMP_DIR and cfg.SB:
        if not os.path.isdir(cfg.DUMP_DIR):
            debug.error(cfg.DUMP_DIR + " is not a directory")

        superblocks = self.get_tmpfs_sbs()
        # SB is 1-based on the command line, the list is 0-based
        wanted = cfg.SB - 1
        if wanted >= len(superblocks):
            debug.error("Invalid superblock number given. Please use the -L option to determine valid numbers.")

        # this branch only writes files to disk; it never yields
        self.walk_sb(superblocks[wanted][0].s_root)
        return

    if cfg.LIST_SBS:
        # each entry is (superblock, mount path); only the path is shown
        for number, (_sb, path) in enumerate(self.get_tmpfs_sbs(), 1):
            yield (number, path)
        return

    debug.error("No sb number/output directory combination given and list superblocks not given")
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:28,代码来源:tmpfs.py
示例4: calculate
def calculate(self):
    """Yield handle_table() for each entry of the kernel's neigh_tables list.

    The list head is the "neigh_tables" symbol, read as a Pointer, and
    is followed through the "next" member of each neigh_table.
    """
    linux_common.set_plugin_members(self)
    head = obj.Object("Pointer",
                      offset = self.get_profile_symbol("neigh_tables"),
                      vm = self.addr_space)
    tables = linux_common.walk_internal_list("neigh_table", "next", head)
    for table in tables:
        yield self.handle_table(table)
开发者ID:aqwertaqwert,项目名称:my_design_for_graduate,代码行数:7,代码来源:arp.py
示例5: calculate
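def calculate(self):
    """Yield (path, inode) pairs, or dump one inode to disk, per the options.

    Exactly one mode runs, chosen in this order:
      * LISTFILES: yield (file_path, d_inode) for every entry of walk_sbs().
      * FIND: yield the first walk_sbs() entry whose path equals FIND.
      * inode + outfile: write every page from get_file_contents() for the
        inode at that address into outfile; nothing is yielded.  A file
        that cannot be opened is reported through debug.error.
    With none of these set the generator simply produces nothing.
    """
    linux_common.set_plugin_members(self)
    find_file = self._config.FIND
    inode_addr = self._config.inode
    outfile = self._config.outfile
    listfiles = self._config.LISTFILES

    if listfiles:
        for (_, _, file_path, file_dentry) in self.walk_sbs():
            yield (file_path, file_dentry.d_inode)
    elif find_file and len(find_file):
        for (_, _, file_path, file_dentry) in self.walk_sbs():
            if file_path == find_file:
                yield (file_path, file_dentry.d_inode)
                break
    elif inode_addr and inode_addr > 0 and outfile and len(outfile) > 0:
        inode = obj.Object("inode", offset = inode_addr, vm = self.addr_space)
        try:
            out = open(outfile, "wb")
        # "except X as e" is valid on Python 2.6+ and 3; "except X, e" is
        # Python 2 only syntax
        except IOError as e:
            debug.error("Unable to open output file (%s): %s" % (outfile, str(e)))
        # context manager: the handle used to leak when get_file_contents()
        # raised before the explicit close() was reached
        with out:
            for page in self.get_file_contents(inode):
                out.write(page)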
开发者ID:chansonzhang,项目名称:volatility,代码行数:30,代码来源:find_file.py
示例6: calculate
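def calculate(self):
    """Yield (where, member, address) for each hooked file_operations member.

    With INODE set, only that inode's i_fop table is checked with
    verify_ops(); an inode that is not valid is reported through
    debug.error.  Otherwise the check_* helpers are run in turn and
    their (name, member, address) results are passed through.  The
    loaded-module list from linux_lsmod is what verify_ops() and the
    helpers compare hook addresses against.
    """
    linux_common.set_plugin_members(self)
    modules = linux_lsmod.linux_lsmod(self._config).get_modules()

    # list(): under Python 3 dict.keys() is a view without remove()
    f_op_members = list(self.profile.types["file_operations"].keywords["members"].keys())
    # "owner" is excluded from the check (presumably because it is not a
    # function pointer in struct file_operations — confirm against the profile)
    f_op_members.remove("owner")

    if self._config.INODE:
        inode = obj.Object("inode", offset=self._config.INODE, vm=self.addr_space)
        if not inode.is_valid():
            debug.error(
                "Invalid inode address given. Please use linux_find_file to determine valid inode addresses."
            )
        for (hooked_member, hook_address) in self.verify_ops(inode.i_fop, f_op_members, modules):
            yield ("inode at {0:x}".format(inode.obj_offset), hooked_member, hook_address)
    else:
        checks = [self.check_open_files_fop,
                  self.check_proc_fop,
                  self.check_proc_root_fops,
                  self.check_file_cache]
        for check in checks:
            for (name, member, address) in check(f_op_members, modules):
                yield (name, member, address)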
开发者ID:rabbileibo,项目名称:volatility,代码行数:25,代码来源:check_fops.py
示例7: calculate
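def calculate(self):
    """Yield (offset, task_struct, ps_sources) for every task any source saw.

    ps_sources maps a source name ('pslist', 'pid_hash', 'kmem_cache',
    'parents', 'thread_leaders') to the task_struct offsets that source
    reported.  The same dict object is yielded with every task so the
    renderer can cross-check which sources contain each offset.  Each
    offset is yielded once, at its first occurrence, in source order.
    """
    linux_common.set_plugin_members(self)

    ps_sources = {}
    # The keys are names of process sources
    # The values are the virtual offset of the task_struct
    ps_sources['pslist'] = self._get_pslist()
    ps_sources['pid_hash'] = self._get_pid_hash()
    ps_sources['kmem_cache'] = self._get_kmem_cache()
    ps_sources['parents'] = self._get_task_parents()
    ps_sources['thread_leaders'] = self._get_thread_leaders()

    # a set: the previous list made every "already seen?" test O(n);
    # offsets are assumed to be plain (hashable) integers
    seen_offsets = set()
    for source in ps_sources:
        for offset in ps_sources[source]:
            if offset in seen_offsets:
                continue
            seen_offsets.add(offset)
            yield offset, obj.Object("task_struct", offset = offset, vm = self.addr_space), ps_sources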
开发者ID:DeborahN,项目名称:volatility,代码行数:25,代码来源:psxview.py
示例8: calculate
def calculate(self):
    """Scan kernel memory, or each filtered task, with the compiled Yara rules.

    Yields (task, address, hit, data).  With KERNEL set the scan starts
    at the kernel base (per VolatilityLinuxIntelValidAS) and task is
    None; otherwise every task from filter_tasks() is scanned with a
    VmaYaraScanner.  address is the hit address moved back by REVERSE
    bytes, and data is SIZE bytes zread() from that address.  A missing
    yara module is reported through debug.error.
    """
    if not has_yara:
        debug.error("Please install Yara from https://plusvic.github.io/yara/")

    ## leveraged from the windows yarascan plugin
    rules = self._compile_rules()
    ## set the linux plugin address spaces
    linux_common.set_plugin_members(self)

    def context(scanner, address):
        # the window starts REVERSE bytes before the hit and spans SIZE bytes
        start = address - self._config.REVERSE
        return start, scanner.address_space.zread(start, self._config.SIZE)

    if self._config.KERNEL:
        model = self.addr_space.profile.metadata.get('memory_model', '32bit')
        kernel_start = 0xc0000000 if model == "32bit" else 0xffffffff80000000
        scanner = malfind.DiscontigYaraScanner(rules = rules,
                                               address_space = self.addr_space)
        for hit, address in scanner.scan(start_offset = kernel_start):
            start, data = context(scanner, address)
            yield (None, start, hit, data)
        return

    for task in self.filter_tasks():
        scanner = VmaYaraScanner(task = task, rules = rules)
        for hit, address in scanner.scan():
            start, data = context(scanner, address)
            yield (task, start, hit, data)
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:32,代码来源:linux_yarascan.py
示例9: calculate
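def calculate(self):
    """Yield task_structs from init_task's ->tasks list, optionally filtered.

    PID is a comma separated list of pids and PROCNAMES a comma separated
    list of comm names.  With neither set every task on the list is
    yielded.  With one or both set, a task is yielded when its pid is in
    PID or its comm is in PROCNAMES — once per task, even when it matches
    both (the previous version yielded such a task twice).

    The stray debug prints (Python 2 only syntax, and stdout noise in a
    plugin) and the no-op type(task.comm) statement were removed.
    """
    linux_common.set_plugin_members(self)
    init_task_addr = self.get_profile_symbol("init_task")
    init_task = obj.Object("task_struct", vm = self.addr_space, offset = init_task_addr)

    pidlist = self._config.PID
    pnamelist = self._config.PROCNAMES
    if pidlist:
        pidlist = [int(p) for p in pidlist.split(',')]
    if pnamelist:
        pnamelist = [str(q) for q in pnamelist.split(',')]

    # walk the ->tasks list, note that this will *not* display "swapper"
    for task in init_task.tasks:
        if not pidlist and not pnamelist:
            yield task
            continue
        by_pid = pidlist and task.pid in pidlist
        by_name = pnamelist and str(task.comm) in pnamelist
        if by_pid or by_name:
            yield task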
开发者ID:Jack47,项目名称:volatility,代码行数:28,代码来源:pslist.py
示例10: calculate
def calculate(self):
    """Yield the dentries from _compare_filps() that look like open regular files.

    A dentry is kept when d_count is positive, its inode is_reg() and
    d_flags equals 128 (a value kept from the original; its meaning is
    not established here).
    """
    linux_common.set_plugin_members(self)
    for dentry_offset in self._compare_filps():
        dentry = obj.Object("dentry", offset = dentry_offset, vm = self.addr_space)
        if not dentry.d_count > 0:
            continue
        if not dentry.d_inode.is_reg():
            continue
        if dentry.d_flags == 128:
            yield dentry
开发者ID:BryanSingh,项目名称:volatility,代码行数:7,代码来源:kernel_opened_files.py
示例11: calculate
def calculate(self):
    """Scan kernel memory, or every process, with the compiled Yara rules.

    Yields (task, address, hit, data).  With KERNEL set the scan starts
    at the kernel base (per VolatilityLinuxIntelValidAS) and task is
    None; otherwise every task from linux_pslist is scanned with a
    VmaYaraScanner.  data is 64 bytes zread() from the hit address.  A
    missing yara module is reported through debug.error.
    """
    if not has_yara:
        debug.error("Please install Yara from code.google.com/p/yara-project")

    ## leveraged from the windows yarascan plugin
    rules = self._compile_rules()
    ## set the linux plugin address spaces
    linux_common.set_plugin_members(self)

    if self._config.KERNEL:
        model = self.addr_space.profile.metadata.get('memory_model', '32bit')
        kernel_start = 0xc0000000 if model == "32bit" else 0xffffffff80000000
        scanner = malfind.DiscontigYaraScanner(rules = rules,
                                               address_space = self.addr_space)
        for hit, address in scanner.scan(start_offset = kernel_start):
            data = scanner.address_space.zread(address, 64)
            yield (None, address, hit, data)
        return

    for task in pslist.linux_pslist(self._config).calculate():
        scanner = VmaYaraScanner(task = task, rules = rules)
        for hit, address in scanner.scan():
            data = scanner.address_space.zread(address, 64)
            yield (task, address, hit, data)
开发者ID:Austi,项目名称:volatility,代码行数:31,代码来源:linux_yarascan.py
示例12: calculate
def calculate(self):
    """Yield (inode, inode number, path) for every file linux_find_file.walk_sbs() returns."""
    linux_common.set_plugin_members(self)
    finder = linux_find_file.linux_find_file(self._config)
    for entry in finder.walk_sbs():
        _, _, file_path, file_dentry = entry
        inode = file_dentry.d_inode
        yield inode, inode.i_ino, file_path
开发者ID:DeborahN,项目名称:volatility,代码行数:7,代码来源:enumerate_files.py
示例13: calculate
def calculate(self):
    """Yield (task, _PyDictEntry) for every valid dict entry found in a Python task.

    For each task accepted by _is_python_task(), every Python string
    returned by find_python_strings() is turned into a needle made of
    its ob_shash followed by its own address, both packed at the
    process's pointer width (signed for the hash, unsigned for the
    pointer).  Heap hits for those needles are read as _PyDictEntry
    objects and the valid ones are yielded.

    This repeats a lot of linux_python_strings's code, but we want to get
    python strings per task, so we can optimize the bytstring search.
    """
    linux_common.set_plugin_members(self)

    every_task = linux_pslist.linux_pslist.calculate(self)
    python_tasks = list(filter(_is_python_task, every_task))

    for task in python_tasks:
        addr_space = task.get_process_address_space()
        memory_model = addr_space.profile.metadata.get('memory_model', '32bit')
        pointer_fmt = "I"
        if memory_model != '32bit':
            pointer_fmt = "Q"
        hash_fmt = pointer_fmt.lower()

        needles = []
        for py_string in find_python_strings(task):
            needle = (struct.pack(hash_fmt, py_string.ob_shash)
                      + struct.pack(pointer_fmt, py_string.obj_offset))
            needles.append(needle)

        hits = task.search_process_memory(needles, heap_only=True)
        for address in hits:
            entry = obj.Object("_PyDictEntry", offset=address, vm=addr_space)
            if entry.is_valid():
                yield task, entry
开发者ID:Alpha-10000,项目名称:Volatility,代码行数:35,代码来源:python_strings.py
示例14: calculate
def calculate(self):
    """Yield (task, elf, elf_start, elf_end, soname, needed) for every ELF of every task."""
    linux_common.set_plugin_members(self)
    for task in linux_pslist.linux_pslist.calculate(self):
        for elf_info in task.elfs():
            elf, elf_start, elf_end, soname, needed = elf_info
            yield task, elf, elf_start, elf_end, soname, needed
开发者ID:BryanSingh,项目名称:volatility,代码行数:7,代码来源:elfs.py
示例15: calculate
def calculate(self):
    """Yield (module, sections, params) for every module on the kernel's modules list.

    sections is get_sections(module) when SECTIONS is set, else [];
    params is get_params(module) when PARAMS is set, else "".  A profile
    whose module type has no "kp" member cannot supply params, which is
    reported through debug.error.
    """
    linux_common.set_plugin_members(self)
    head = obj.Object("list_head", vm = self.addr_space,
                      offset = self.get_profile_symbol("modules"))

    # walk the modules list
    for module in head.list_of_type("module", "list"):
        params = ""
        if self._config.PARAMS:
            if not hasattr(module, "kp"):
                debug.error("Gathering module parameters is not supported in this profile.")
            params = self.get_params(module)

        sections = self.get_sections(module) if self._config.SECTIONS else []
        yield (module, sections, params)
开发者ID:Jack47,项目名称:volatility,代码行数:27,代码来源:lsmod.py
示例16: calculate
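def calculate(self):
    """Yield the dentry for FIND, or dump one inode to disk, per the options.

    With FIND set, walk_sbs(FIND) is called and its result is yielded when
    it is truthy.  Otherwise, with inode and outfile set, the contents
    returned by get_file_contents() for the inode at that address are
    written to outfile and nothing is yielded.  Any other combination is
    reported through debug.error.
    """
    linux_common.set_plugin_members(self)
    find_file = self._config.FIND
    inode_addr = self._config.inode
    outfile = self._config.outfile

    if find_file and len(find_file):
        wanted_dentry = self.walk_sbs(find_file)
        if wanted_dentry:
            yield wanted_dentry
    elif inode_addr and inode_addr > 0 and outfile and len(outfile) > 0:
        inode = obj.Object("inode", offset=inode_addr, vm=self.addr_space)
        contents = self.get_file_contents(inode)
        # context manager: the handle used to leak when write() raised
        # before the explicit close() was reached
        with open(outfile, "wb") as out:
            out.write(contents)
    else:
        debug.error("Incorrect command line parameters given.")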
开发者ID:Jack47,项目名称:volatility,代码行数:26,代码来源:find_file.py
示例17: _walk_xarray_pids
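def _walk_xarray_pids(self):
    """Yield every valid xa_node reachable from init_pid_ns.idr.idr_rt.

    Stores the XArray layout constants on self (tag mask, internal tag,
    chunk shift/size/mask), borrows a linux_find_file instance for its
    xa_is_internal() helper and hands the root node, its height and the
    helper to _do_walk_xarray() (defined outside this block).  Returns
    without yielding when the xarray object is not valid.

    Two fixes: the tag test is parenthesised (`!=` binds tighter than
    `&`, so `root & MASK != 0` tested only the lowest bit), and the
    height uses integer division so it stays an int under Python 3.
    """
    ff = find_file.linux_find_file(self._config)
    linux_common.set_plugin_members(ff)

    self.XARRAY_TAG_MASK = 3
    self.XARRAY_TAG_INTERNAL = 2
    self.XA_CHUNK_SHIFT = 6
    self.XA_CHUNK_SIZE = 1 << self.XA_CHUNK_SHIFT
    self.XA_CHUNK_MASK = self.XA_CHUNK_SIZE - 1

    ns_addr = self.addr_space.profile.get_symbol("init_pid_ns")
    ns = obj.Object("pid_namespace", offset = ns_addr, vm = self.addr_space)
    xarray = ns.idr.idr_rt
    if not xarray.is_valid():
        return

    root = xarray.xa_head.v()
    is_internal = ff.xa_is_internal(root)
    # the low bits of xa_head are tag bits, not part of the node address
    if (root & self.XARRAY_TAG_MASK) != 0:
        root = root & ~self.XARRAY_TAG_MASK

    height = 0
    node = obj.Object("xa_node", offset = root, vm = self.addr_space)
    if is_internal and hasattr(node, "shift"):
        # "//" keeps height an int ("/" would make it a float under Python 3)
        height = (int(node.shift) // self.XA_CHUNK_SHIFT) + 1

    for child in self._do_walk_xarray(ff, node, height, 0):
        if child and child.is_valid():
            yield child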
开发者ID:chansonzhang,项目名称:volatility,代码行数:35,代码来源:pidhashtable.py
示例18: get_file_contents
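def get_file_contents(self, inode):
    """Return the contents of *inode* as one string, cut to i_size bytes.

    Pages are fetched with get_page_contents(inode, idx) for every
    4096-byte page index that covers i_size, concatenated, and the part
    of the last page beyond i_size is dropped.  An empty file gives "".

    Two fixes: page counting uses integer division (under Python 3 "/"
    handed range() a float) and the pages are joined instead of being
    concatenated one by one, which was quadratic on large files.
    """
    linux_common.set_plugin_members(self)

    page_size = 4096
    # int(): keep the arithmetic below on a plain integer
    file_size = int(inode.i_size)
    full_pages, remainder = divmod(file_size, page_size)
    page_count = full_pages + (1 if remainder else 0)

    data = "".join(self.get_page_contents(inode, idx)
                   for idx in range(page_count))

    # this is chop off any extra data on the last page
    if remainder:
        data = data[:remainder - page_size]
    return data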
开发者ID:Jack47,项目名称:volatility,代码行数:25,代码来源:find_file.py
示例19: calculate
def calculate(self):
    """Carve task_structs out of physical memory by their sched_class pointer.

    A needle is built for every kernel symbol whose name contains
    "_sched_class", packed little-endian at the profile's pointer width.
    Every hit is rewound by the offset of task_struct.sched_class, and
    the task is yielded only when exit_state is 0, 16, 32 or 48 and pid
    lies strictly between 0 and 66000.  No matching symbol at all is
    reported through debug.error.
    """
    linux_common.set_plugin_members(self)
    phys = utils.load_as(self._config, astype="physical")
    profile = phys.profile

    model = profile.metadata.get("memory_model", "32bit")
    fmt = "<I" if model == "32bit" else "<Q"

    needles = [struct.pack(fmt, profile.get_symbol(sym))
               for sym in profile.get_all_symbol_names("kernel")
               if "_sched_class" in sym]
    if not needles:
        debug.error("Unable to scan for processes. Please file a bug report.")

    back_offset = profile.get_obj_offset("task_struct", "sched_class")
    accepted_exit_states = (0, 16, 32, 16 | 32)

    scanner = poolscan.MultiPoolScanner(needles)
    for _, offset in scanner.scan(phys):
        ptask = obj.Object("task_struct", offset=offset - back_offset, vm=phys)
        if ptask.exit_state.v() not in accepted_exit_states:
            continue
        if not (0 < ptask.pid < 66000):
            continue
        yield ptask
开发者ID:MeteorAdminz,项目名称:volatility,代码行数:34,代码来源:psscan.py
示例20: render_text
def render_text(self, outfd, data):
    """Print one table row per PLT entry of every task in *data*.

    Rows come from task.plt_hook_info().  Unless ALL is set, entries that
    are not hooked and entries described as '[RTLD_LAZY]' are skipped;
    entries whose description is listed in IGNORE are always skipped.
    The "H" column shows '!' for a hooked entry and the ELF name falls
    back to '[main]' when soname is empty.
    """
    linux_common.set_plugin_members(self)

    columns = [("Task", "10"),
               ("ELF Start", "[addrpad]"),
               ("ELF Name", "24"),
               ("Symbol", "24"),
               ("Resolved Address", "[addrpad]"),
               ("H", "1"),
               ("Target Info", "")]
    self.table_header(outfd, columns)

    ignore = frozenset(self._config.IGNORE)
    show_all = self._config.ALL

    for task in data:
        for entry in task.plt_hook_info():
            soname, elf, elf_start, elf_end, addr, symbol_name, hookdesc, hooked = entry
            skip = ((not hooked and not show_all)
                    or hookdesc in ignore
                    or (hookdesc == '[RTLD_LAZY]' and not show_all))
            if skip:
                continue
            self.table_row(outfd,
                           task.pid,
                           elf_start,
                           soname if soname else '[main]',
                           symbol_name,
                           addr,
                           '!' if hooked else ' ',
                           hookdesc)
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:26,代码来源:plthook.py
注:本文中的volatility.plugins.linux.common.set_plugin_members函数示例由纯净天空整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |