示例1: find_function_symbol
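def find_function_symbol(self, task, address):
    """
    Match a function symbol to a function address.

    The address is located in the task's memory mappings; the symbol table of
    the backing file (keyed by the file's basename) is then consulted, first by
    offset into the mapping (shared libraries) and then by absolute address
    (a non-PIE main binary, eg 0x40081e).

    @param task: the task_struct
    @param address: The function address
    @return: The function symbol or None
    """
    if not self.symbols:
        return None
    for vma in task.get_proc_maps():
        if not (vma.vm_start <= address <= vma.vm_end):
            continue
        lib = linux_common.get_path(task, vma.vm_file)
        # get_path() can hand back a list here; such mappings carry no usable
        # file name (presumably anonymous/pseudo files -- confirm in linux_common).
        if isinstance(lib, list):
            lib = ""
        base = os.path.basename(lib)
        offset = address - vma.vm_start
        if base in self.symbols:
            table = self.symbols[base]
            # mapping-relative offset first, absolute address second
            for key in (offset, address):
                if key in table:
                    debug.info("Instruction was a call to 0x{:016x} = {}@{}".format(address, table[key], base))
                    return table[key]
        # Only the first mapping that contains the address is considered.
        break
    return None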
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:31,代码来源:process_stack.py
示例2: progress
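def progress(self, blocks, blocksz, totalsz):
    """Report download progress in 5% steps.

    Has the urllib reporthook signature: *blocks* blocks of *blocksz* bytes
    have been received out of *totalsz* bytes in total.  The first call
    (self.lastprog is None) announces the connection; afterwards a line is
    printed whenever the percentage changes and is a multiple of 5.

    @param blocks: number of blocks received so far
    @param blocksz: size of one block in bytes
    @param totalsz: total size in bytes; <= 0 means unknown
    """
    if self.lastprog is None:
        debug.info("Connected. Downloading data...")
    if totalsz <= 0:
        # Unknown total (reporthooks pass -1, and 0 would divide by zero):
        # no percentage can be computed, just mark that we have started.
        self.lastprog = 0
        return
    percent = int((100 * (blocks * blocksz)) / float(totalsz))
    if self.lastprog != percent and percent % 5 == 0:
        debug.info("{0}%".format(percent))
    self.lastprog = percent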
开发者ID:binsrc,项目名称:volatility-1,代码行数:7,代码来源:symbols.py
示例3: check_microarch
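def check_microarch(self, addr, phy_space, key):
    """Consistency check for a candidate VMCS at physical address *addr*.

    The candidate is reported as [CONSISTENT] when its VMCS link pointer
    field is all ones (both 32-bit halves 0xffffffff) and its GUEST_CR3 is a
    non-zero, page-aligned value.  Only the "sandy" and "core"
    microarchitectures have field offset tables.

    @param addr: physical address of the candidate VMCS
    @param phy_space: physical address space to read from
    @param key: revision id, used to look up the microarchitecture name
    """
    microarch = hyper.revision_id_db[key]
    name = microarch.lower()
    if name == "sandy":
        vmcs_off = hyper.vmcs_offset_sandy
    elif name == "core":
        vmcs_off = hyper.vmcs_offset_core
    else:
        debug.error("Microarchitecture %s not supported yet." % microarch)
        # debug.error is expected to abort; the return keeps vmcs_off from
        # being used unbound if it ever does come back -- confirm
        return
    # the offset tables appear to be in 4-byte units, hence the * 4
    link_off = vmcs_off["VMCS_LINK_POINTER"] * 4
    link_lo = struct.unpack('<I', phy_space.read(addr + link_off, 0x04))[0]
    link_hi = struct.unpack('<I', phy_space.read(addr + link_off + 0x04, 0x04))[0]
    if link_lo != 0xffffffff or link_hi != 0xffffffff:
        return
    # field size is stored in bits; integer division keeps this an int on
    # Python 3 as well, so phy_space.read() gets an integer length
    size = layouts.vmcs.vmcs_field_size["GUEST_CR3"] // 8
    cr3_off = vmcs_off["GUEST_CR3"] * 4
    data = phy_space.read(addr + cr3_off, size)
    if size == 4:
        guest_cr3 = struct.unpack('<I', data)[0]
    elif size == 8:
        guest_cr3 = struct.unpack('<Q', data)[0]
    else:
        debug.error("CR3 size not possible.")
        return
    if guest_cr3 != 0 and guest_cr3 % 4096 == 0:
        debug.info("\t|__ VMCS 0x%08x [CONSISTENT]" % addr)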
开发者ID:Cyber-Forensic,项目名称:actaeon,代码行数:29,代码来源:vmm.py
示例4: __init__
def __init__(self, location):
    """Initializes the firewire implementation

    @param location: device location; surrounding '/' characters are stripped
    """
    self.location = location.strip('/')
    debug.info("Waiting for 5s firewire to settle")
    self._bus = forensic1394.Bus()
    self._bus.enable_sbp2()
    # fixed settle time after enabling SBP-2 before the bus is used
    time.sleep(5)
    self._device = None
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:8,代码来源:ieee1394.py
示例5: get_symbol
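def get_symbol(self, sym_name, nm_type = "", module = "kernel"):
    """Gets a symbol out of the profile

    sym_name -> name of the symbol
    nm_type  -> type as defined by 'nm' (man nm for examples)
    module   -> which module to get the symbol from, default is kernel, otherwise can be any name seen in 'lsmod'

    This fixes a few issues from the old static hash table method:
    1) Conflicting symbols can be handled, if a symbol is found to conflict on any profile,
       then the plugin will need to provide the nm_type to differentiate, otherwise the plugin will be errored out
    2) Can handle symbols gathered from modules on disk as well from the static kernel

    symtable is stored as a hash table of:
    symtable[module][sym_name] = [(symbol address, symbol type), (symbol address, symbol type), ...]

    Returns the (shifted, see self.shift_address) address, or None when the
    module or symbol is unknown.  Ambiguous symbols without an nm_type, and an
    nm_type that matches no definition, go through debug.error.
    The function has overly verbose error checking on purpose...
    """
    symtable = self.sys_map
    ret = None
    if module not in symtable:
        debug.info("Requested module {0:s} not found in symbol table\n".format(module))
    elif sym_name not in symtable[module]:
        debug.debug("Requested symbol {0:s} not found in module {1:s}\n".format(sym_name, module))
    else:
        sym_list = symtable[module][sym_name]
        if not sym_list:
            # an entry with no definitions is treated like a missing symbol
            debug.debug("Requested symbol {0:s} not found in module {1:s}\n".format(sym_name, module))
        elif len(sym_list) > 1:
            # multiple definitions: the caller must disambiguate by nm type
            if nm_type == "":
                debug.error("Requested symbol {0:s} in module {1:s} has multiple definitions and no type given\n".format(sym_name, module))
            else:
                for (addr, stype) in sym_list:
                    if stype == nm_type:
                        ret = addr
                        break
            if ret is None:
                debug.error("Requested symbol {0:s} in module {1:s} could not be found\n".format(sym_name, module))
        else:
            ret = sym_list[0][0]
    # apply the KASLR-style slide only to a real (non-zero) address
    if self.shift_address and ret:
        ret = ret + self.shift_address
    return ret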
开发者ID:B-Rich,项目名称:amark,代码行数:58,代码来源:mac.py
示例6: render_text
def render_text(self, outfd, data):
    """Print the number of frames found per process and, when --dump-file
    is set, write the annotated stack for each.

    @param outfd: output stream, remembered on self.outfd
    @param data: iterable of (process, registers, frames) tuples
    """
    self.outfd = outfd
    for _proc, _regs, frames in data:
        debug.info("Found {} frames!".format(len(frames)))
        debug.info("")
        print(frames)
        if self.dump_file:
            annotations = self.calculate_annotations(frames)
            self.write_annotated_stack(self.dump_file, annotations)
    # NOTE(review): `stats` is not defined in this method; it has to come
    # from module scope -- looks like leftover debugging output
    print(stats)
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:10,代码来源:process_stack.py
示例7: render_text
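def render_text(self, outfd, data):
    """Render carved .job files as a table.

    When --dump-dir is given every hit is also written out verbatim as
    carved_<n>.job (the file name comes from a counter, never from the
    carved bytes).  Hits that JobParser rejects are skipped.

    @param outfd: output stream for the table
    @param data: iterable of (offset, job_file_bytes) tuples
    """
    if self._config.verbose and self._config.QUICK:
        debug.warning('The quick mode only carves At#.job files.')
    self.table_header(outfd,
        [("Offset(P)", "[addrpad]"),
         ("ScheduledDate", "23"),
         ("MostRecentRunTime", "23"),
         ("Application", "50"),
         ("Parameters", "100"),
         ("WorkingDir", "50"),
         ("Author", "30"),
         ("RunInstanceCount", "3"),
         ("MaxRunTime", "10"),
         ("ExitCode", "10"),
         ("Comment", ""),
         ])
    dump_dir = self._config.DUMP_DIR
    for i, (offset, job_file) in enumerate(data, 1):
        # Dump the data if --dump-dir was supplied
        if dump_dir:
            path = os.path.join(dump_dir, 'carved_%s.job' % i)
            with open(path, 'wb') as fh:
                fh.write(job_file)
            if self._config.verbose:
                debug.info(' Written: ' + os.path.basename(path))
        try:
            job = JobParser(job_file)
        except Exception:
            # debug.error may abort the whole run (original behaviour kept)
            if self._config.verbose:
                debug.error('Failed parsing the hit at 0x%x' % offset)
            continue
        # MaxRunTime is in milliseconds; split into h:m:s.ms
        hours, rem = divmod(job.MaxRunTime, 3600000)
        minutes, rem = divmod(rem, 60000)
        seconds, ms = divmod(rem, 1000)
        self.table_row(outfd,
            offset,
            job.ScheduledDate,
            job.RunDate,
            job.Name,
            job.Parameter,
            job.WorkingDirectory,
            job.User,
            job.RunningInstanceCount,
            '{0:02}:{1:02}:{2:02}.{3:03}'.format(
                hours, minutes, seconds, ms),
            '{0:#010x}'.format(job.ExitCode),
            job.Comment,
            )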
开发者ID:Alpha-10000,项目名称:Volatility,代码行数:52,代码来源:schtasks.py
示例8: visit_window
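def visit_window(self, screen_id, win):
    """Depth-first walk of the window tree rooted at *win*.

    Each window seen for the first time is appended to self._windows as
    (screen_id, window) and its offset added to self._seen_windows.  A
    window met a second time is logged and not walked again: everything
    reachable from it was already recorded (or is being recorded higher up
    the call stack), and stopping there also keeps a corrupted, cyclic
    sibling chain from looping forever.  Children are handled recursively,
    siblings iteratively, so long sibling lists do not hit the recursion limit.

    @param screen_id: screen the windows belong to
    @param win: window object (must offer v(), firstChild, nextSib)
    """
    node = win
    while True:
        offset = node.v()
        if offset in self._seen_windows:
            debug.info('Window referenced more than once! Offset {:#x}. (Skipped)'.format(offset))
            return
        self._windows.append((screen_id, node))
        self._seen_windows.add(offset)
        child = node.firstChild
        if child and self._current_vm.is_valid_address(child):
            self.visit_window(screen_id, child.dereference())
        sib = node.nextSib
        if not (sib and self._current_vm.is_valid_address(sib)):
            return
        node = sib.dereference()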
开发者ID:naveen12,项目名称:community,代码行数:13,代码来源:linux_xwindows.py
示例9: visit_atomNode
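def visit_atomNode(self, atomNode):
    """Walk the atom tree rooted at *atomNode* and collect its atoms.

    Each node seen for the first time is stored in self._atoms under
    int(node.a) and its offset added to self._seen_atoms.  A node met a
    second time is logged and not walked again: its subtree was already
    recorded (or is being recorded higher up the stack), and stopping there
    also keeps a corrupted, cyclic tree from looping forever.  The left
    subtree is handled recursively, the right one iteratively.

    @param atomNode: tree node (must offer v(), a, left, right)
    """
    node = atomNode
    while True:
        offset = node.v()
        if offset in self._seen_atoms:
            debug.info('Atom referenced more than once! Offset {:#x}.'.format(offset))
            return
        self._atoms[int(node.a)] = node
        self._seen_atoms.add(offset)
        left = node.left
        if left and self._current_vm.is_valid_address(left):
            self.visit_atomNode(left.dereference())
        right = node.right
        if not (right and self._current_vm.is_valid_address(right)):
            return
        node = right.dereference()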
开发者ID:naveen12,项目名称:community,代码行数:13,代码来源:linux_xwindows.py
示例10: find_prevalent_microarch
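def find_prevalent_microarch(self, generic_vmcs, phy_space):
    """Group candidate VMCS pages by revision id and report the most common one.

    For every candidate the first 4 bytes (the revision id) are read; ids
    that are not in the revision database are ignored, the others are
    logged, collected per id and passed to check_microarch().  Finally the
    id with the most candidates is reported, or "Microarchitecture not
    found." when there is none.

    @param generic_vmcs: iterable of candidate physical addresses
    @param phy_space: physical address space to read from
    """
    microarch_vmcs = {}
    for vmcs in generic_vmcs:
        try:
            rev_id = struct.unpack('<I', phy_space.read(vmcs, 0x04))[0]
        except Exception:
            # best effort: an unreadable or short page is simply skipped
            continue
        if rev_id not in layouts.revision_id_db:
            continue
        # NOTE: the original refers to the table both as layouts.revision_id_db
        # and layouts.db.revision_id_db; both references are kept as is.
        debug.info("Possible VMCS 0x%x with %s microarchitecture" % (vmcs,
                                                                     layouts.db.revision_id_db[rev_id]))
        microarch_vmcs.setdefault(rev_id, []).append(vmcs)
        self.check_microarch(vmcs, phy_space, rev_id)
    best_key = None
    best_count = 0
    for key, found in microarch_vmcs.items():
        if len(found) > best_count:
            best_count = len(found)
            best_key = key
    if best_key is not None:
        debug.info("Prevalent Microarch: [0x%08x - %s] - VMCS: %d" % (best_key,
                                                                    layouts.db.revision_id_db[best_key], best_count))
    else:
        # previously printed unconditionally, even after a successful match
        debug.info("Microarchitecture not found.")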
开发者ID:Cyber-Forensic,项目名称:actaeon,代码行数:32,代码来源:vmm.py
示例11: get_all_symbols
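def get_all_symbols(self, module = "kernel"):
    """ Gets all the symbol tuples for the given module

    Returns a list of [name, address] pairs built from the first definition
    of every symbol in self.sys_map[module].  Like get_symbol() and
    get_all_function_symbols(), self.shift_address is added to every
    non-zero address so callers see the same (slid) addresses everywhere.
    An unknown module is logged and gives an empty list.
    """
    symtable = self.sys_map
    if module not in symtable:
        debug.info("All symbols requested for non-existent module %s" % module)
        return []
    shift = self.shift_address
    ret = []
    for (name, addrs) in symtable[module].items():
        addr = addrs[0][0]
        if shift and addr:
            addr = addr + shift
        ret.append([name, addr])
    return ret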
开发者ID:Jack47,项目名称:volatility,代码行数:15,代码来源:mac.py
示例12: find_return_libc_start
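def find_return_libc_start(self, proc_as, start_stack, return_start):
    """
    Scans the stack for a certain address, in this case the return address of __libc_start_main.

    The stack is walked downwards from start_stack one address-sized slot
    at a time until a slot holds return_start.

    @param proc_as: Process address space
    @param start_stack: Start address to search
    @param return_start: The return address to find
    @return The address found or None
    """
    step = linux_process_info.address_size
    address = start_stack
    for value in yield_address(proc_as, start_stack, reverse=True):
        if value == return_start:
            # integer division: this is a slot count, not a float
            scanned = (start_stack - address) // step
            debug.info("Scanned {} stack addresses before finding the __libc_start_main return address".format(scanned))
            return address
        address -= step
    debug.info("Exhausted search for __libc_start_main return address at stack address {:016x}".format(address))
    return None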
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:16,代码来源:process_stack.py
示例13: get_all_kmem_caches
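def get_all_kmem_caches(self):
    """Return the list of kmem_cache objects of the profile's allocator.

    SLAB kernels (symbol cache_chain present) are walked through the
    cache_chain list_head; SLUB kernels (symbol slab_caches present) are
    not supported and give an empty list; anything else is an error.
    """
    linux_common.set_plugin_members(self)
    cache_chain = self.addr_space.profile.get_symbol("cache_chain")
    slab_caches = self.addr_space.profile.get_symbol("slab_caches")
    if cache_chain:
        # slab
        head = obj.Object("list_head", offset = cache_chain, vm = self.addr_space)
        return list(head.list_of_type("kmem_cache", "next"))
    if slab_caches:
        # slub
        debug.info("SLUB is currently unsupported.")
        return []
    debug.error("Unknown or unimplemented slab type.")
    # only reached if debug.error returns; previously this raised
    # UnboundLocalError on `ret`
    return []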
开发者ID:B-Rich,项目名称:amark,代码行数:16,代码来源:slab_info.py
示例14: get_all_function_symbols
def get_all_function_symbols(self, module = "kernel"):
    """ Gets all the function tuples for the given module

    Returns [name, address] pairs for every entry of self.type_map[module],
    with self.shift_address added to non-zero addresses.  An unknown module
    is logged and yields an empty list.
    """
    symtable = self.type_map
    if module not in symtable:
        debug.info("All symbols requested for non-existent module %s" % module)
        return []
    shift = self.shift_address
    result = []
    for addr, (name, _sym_types) in symtable[module].items():
        shifted = addr + shift if (shift and addr) else addr
        result.append([name, shifted])
    return result
开发者ID:ethobis,项目名称:volatility,代码行数:18,代码来源:mac.py
示例15: render_text
def render_text(self, outfd, data):
    """Print the number of frames per process, bracketed by timestamps, and
    write the annotated stack when --dump-file is set.

    @param outfd: output stream, remembered on self.outfd
    @param data: iterable of (process, registers, frames) tuples
    """
    #03.14
    print("{} {}".format("%%%%%%%%%%%%%%%%%%%%%%%%%%%% linux_process_stack,render_text, Begin::", datetime.datetime.now()))
    #
    self.outfd = outfd
    for _proc, _regs, frames in data:
        debug.info("Found {} frames!".format(len(frames)))
        debug.info("")
        print(frames)
        if self.dump_file:
            annotations = self.calculate_annotations(frames)
            self.write_annotated_stack(self.dump_file, annotations)
    # NOTE(review): `stats` is not defined in this method; it has to come
    # from module scope -- looks like leftover debugging output
    print(stats)
    #03.14
    print("{} {}".format("%%%%%%%%%%%%%%%%%%%%%%%%%%%% linux_process_stack,render_text, End::", datetime.datetime.now()))
开发者ID:aqwertaqwert,项目名称:my_design_for_graduate,代码行数:18,代码来源:linux_proc_stack.py
示例16: get_record_info
def get_record_info(self, profile):
    """Get search metadata for the appropriate record version for this profile

    The version derived from the profile can be overridden with --recordtype;
    an override that differs from the expected version is logged as a warning.
    Returns the USN_RECORD_SEARCHDATA entry, or None for an unknown version.
    """
    version = self.get_record_version(profile)
    forced = self._config.RECORDTYPE
    if forced:
        debug.info('Forcing record version {}'.format(forced))
        if forced != version:
            debug.warning('Overriding expected profile record version {} with user-specified version {}'.format(version, forced))
        version = forced
    if version in USN_RECORD_SEARCHDATA:
        return USN_RECORD_SEARCHDATA[version]
    return None
开发者ID:Alpha-10000,项目名称:Volatility,代码行数:19,代码来源:usnparser.py
示例17: find_scanned_frames
def find_scanned_frames(self, p, address, end):
    """
    Find frames by scanning for return addresses.

    Every address-sized slot from address up to and including end is read;
    slots holding something is_return_address() accepts become a frame
    starting just above the slot.

    @param p: process info object
    @param address: Start address
    @param end: End address
    @return: a list of frames
    """
    step = linux_process_info.address_size
    debug.info("Scan range (%rsp to end) = (0x{:016x} to 0x{:016x})".format(address, end))
    frames = []
    slot = address
    while slot <= end:
        if p.proc_as.is_valid_address(slot):
            candidate = read_address(p.proc_as, slot, step)
            if self.is_return_address(candidate, p):
                # frame index == number of frames found so far
                frames.append(stack_frame(slot + step, p.proc_as, len(frames)))
        slot += step
    return frames
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:19,代码来源:process_stack.py
示例18: calculate
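def calculate(self):
    """Yield (message, atoms) for every X server process.

    The profile is extended with the xatoms classes and vtypes, the task
    list is filtered either by --pid or by a comm of 'X'/'Xorg', and for
    each selected task the atom tree is walked from its root.  Per-task
    state (self._atoms, self._seen_atoms, self._current_vm) is reset before
    every walk.
    """
    # Apply the correct vtypes for the profile
    addr_space = utils.load_as(self._config)
    addr_space.profile.object_classes.update(linux_xatoms.xatoms_classes)
    addr_space.profile.vtypes.update(xwindows_vtypes_x64)
    addr_space.profile.compile()
    # Build a list of tasks
    tasks = linux_pslist.linux_pslist.calculate(self)
    if self._config.PID:
        pids = [int(p) for p in self._config.PID.split(',')]
        the_tasks = [t for t in tasks if t.pid in pids]
    else:
        # Find the X Windows task
        the_tasks = []
        for task in tasks:
            # call kept from the original even though its results were never
            # used here -- presumably side-effect free, confirm before removing
            self._get_task_vals(task)
            if str(task.comm) in ('X', 'Xorg'):
                the_tasks.append(task)
    # In case no appropriate processes are found
    if not the_tasks:
        return
    for task in the_tasks:
        # These need to be here so that they're reset for each X/Xorg process.
        self._atoms = {}  # Holds the atoms, per X process
        self._seen_atoms = set()  # Atom offsets already visited, guards against circular references
        self._current_vm = task.get_process_address_space()
        msg = 'Working with \'{0}\' (pid={1}).'.format(str(task.comm), task.pid)
        debug.info(msg)
        proc_maps = task.get_proc_maps()
        atom_root = self.seek_atom_root(task, proc_maps)
        if atom_root:
            self.visit_atomNode(atom_root)
        debug.info('Found {:,} atom(s).'.format(len(self._atoms)))
        yield msg, self._atoms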
开发者ID:naveen12,项目名称:community,代码行数:42,代码来源:linux_xwindows.py
示例19: find_entry_point
def find_entry_point(self, proc_as, start_code):
    """
    Read the entry point from the program header.

    The value at start_code + 0x18 (e_entry in an Elf64 header) is read from
    the process mapping.  A value above start_code is taken as an absolute
    address (non-PIE binary); anything else as an offset relative to
    start_code (PIE binary).

    @param proc_as: Process address space
    @param start_code: Start of the program code mapping
    @return The address of the entry point (_start), or False when the
            header is no longer mapped
    """
    e_entry_addr = start_code + 0x18
    if not proc_as.is_valid_address(e_entry_addr):
        # the header page is gone from memory
        debug.info("We could not find program entry point, skipping _start detection")
        return False
    entry = read_address(proc_as, e_entry_addr)
    if entry > start_code:
        return entry
    return start_code + entry
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:20,代码来源:process_stack.py
示例20: calculate
def calculate(self):
    """Scan physical memory for .job files and yield (offset, carved_bytes).

    --quick uses the signature-based AtJobsScanner; otherwise the slower
    regex-based GenericJobsScanner is used.  Hits whose carve() result is
    empty are dropped (and logged when --verbose).
    """
    address_space = utils.load_as(self._config, astype = 'physical')
    if not self.is_valid_profile(address_space.profile):
        debug.error('This command does not support the selected profile.')
    # Regex matching... slow!
    scanner = AtJobsScanner() if self._config.QUICK else GenericJobsScanner()
    for offset in scanner.scan(address_space):
        if self._config.verbose:
            debug.info('[+] Found hit: 0x%x' % offset)
        carved = scanner.carve(address_space, offset)
        if carved:
            yield offset, carved
        elif self._config.verbose:
            debug.info('[-] Failed verification')
开发者ID:Alpha-10000,项目名称:Volatility,代码行数:20,代码来源:schtasks.py