本文整理汇总了Python中volatility.debug.error函数的典型用法代码示例。如果您正苦于以下问题:Python error函数的具体用法?Python error怎么用?Python error使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了error函数的20个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的Python代码示例。
示例1: render_text
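def render_text(self, outfd, data):
    """Write each selected VMA to a file under --dump-dir and print one summary row per file.

    Args:
        outfd: output stream handed to table_header()/table_row().
        data: iterable of (task, vma) pairs as produced by calculate().

    Exits via debug.error() when --dump-dir is missing or is not an existing
    directory (debug.error() does not return in this code base).
    """
    dump_dir = self._config.DUMP_DIR
    if not dump_dir or not os.path.isdir(dump_dir):
        debug.error("Please specify an existing output dir (--dump-dir)")
    self.table_header(outfd, [("Task", "10"),
                              ("VM Start", "[addrpad]"),
                              ("VM End", "[addrpad]"),
                              ("Length", "[addr]"),
                              ("Path", "")])
    for task, vma in data:
        # --vma restricts output to the single mapping starting at that address.
        if self._config.VMA and vma.vm_start != self._config.VMA:
            continue
        # The file name is built from two integers only (pid, start address),
        # so image-controlled data can never inject a path separator or
        # escape dump_dir.
        file_name = "task.{0}.{1:#x}.vma".format(task.pid, vma.vm_start)
        file_path = os.path.join(dump_dir, file_name)
        # The context manager closes the handle even when read_addr_range()
        # raises part way through; the original leaked it on that path.
        with open(file_path, "wb") as outfile:
            for page in self.read_addr_range(task, vma.vm_start, vma.vm_end):
                outfile.write(page)
        self.table_row(outfd, task.pid,
                       vma.vm_start,
                       vma.vm_end,
                       vma.vm_end - vma.vm_start,
                       file_path)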
开发者ID:B-Rich,项目名称:amark,代码行数:26,代码来源:dump_map.py
示例2: render_text
def render_text(self, outfd, data):
    """Dump every process executable into --dump-dir and report one row per process."""
    dump_dir = self._config.DUMP_DIR
    if dump_dir is None:
        debug.error("Please specify a dump directory (--dump-dir)")
    if not os.path.isdir(dump_dir):
        debug.error(dump_dir + " is not a directory")

    self.table_header(outfd,
                      [("Process(V)", "[addrpad]"),
                       ("ImageBase", "[addrpad]"),
                       ("Name", "20"),
                       ("Result", "")])

    for task in data:
        task_space = task.get_process_address_space()
        # `== None` (rather than `is None`) is kept on purpose for the three
        # checks below. NOTE(review): the placeholder objects Volatility hands
        # back for unreadable memory appear to compare equal to None without
        # being None; `is None` would silently change these branches.
        if task_space == None:
            outcome = "Error: Cannot acquire process AS"
        elif task.Peb == None:
            # m() reads the raw member; touching task.Peb directly would try
            # to instantiate the (unavailable) _PEB.
            outcome = "Error: PEB at {0:#x} is paged".format(task.m('Peb'))
        elif task_space.vtop(task.Peb.ImageBaseAddress) == None:
            outcome = "Error: ImageBaseAddress at {0:#x} is paged".format(
                task.Peb.ImageBaseAddress)
        else:
            dump_name = "executable." + str(task.UniqueProcessId) + ".exe"
            outcome = self.dump_pe(task_space, task.Peb.ImageBaseAddress, dump_name)
        self.table_row(outfd,
                       task.obj_offset,
                       task.Peb.ImageBaseAddress,
                       task.ImageFileName,
                       outcome)
开发者ID:carmaa,项目名称:volatility-2.2-python3,代码行数:33,代码来源:procdump.py
示例3: calculate
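def calculate(self):
    """Scan for network objects and yield one tuple per socket/connection.

    Yields (object, protocol, local_addr, local_port, remote_addr,
    remote_port, state). Exits via debug.error() on an unsupported profile.
    """
    addr_space = utils.load_as(self._config)
    if not self.is_valid_profile(addr_space.profile):
        debug.error("This command does not support the selected profile.")
    for objct in self.scan_results(addr_space):
        if isinstance(objct, _UDP_ENDPOINT):
            # For UdpA, the state is always blank and the remote end is asterisks
            for ver, laddr, _ in objct.dual_stack_sockets():
                yield objct, "UDP" + ver, laddr, objct.Port, "*", "*", ""
        elif isinstance(objct, _TCP_ENDPOINT):
            if objct.AddressFamily == AF_INET:
                proto = "TCPv4"
            elif objct.AddressFamily == AF_INET6:
                proto = "TCPv6"
            else:
                # A pool-scan hit whose address family is neither AF_INET nor
                # AF_INET6 is not a usable endpoint. The original fell through
                # with `proto` unbound and died with UnboundLocalError.
                continue
            yield objct, proto, objct.LocalAddress, objct.LocalPort, \
                objct.RemoteAddress, objct.RemotePort, objct.State
        elif isinstance(objct, _TCP_LISTENER):
            # For TcpL, the state is always listening and the remote port is zero
            for ver, laddr, raddr in objct.dual_stack_sockets():
                yield objct, "TCP" + ver, laddr, objct.Port, raddr, 0, "LISTENING"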
开发者ID:Iamgublin,项目名称:python-related,代码行数:25,代码来源:netscan.py
示例4: apply_types
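def apply_types(addr_space, ver):
    """Apply the TrueCrypt types for a specific version of TC.
    @param addr_space: <volatility.BaseAddressSpace>
    @param ver: <string> version
    Exits via debug.error() when `ver` (or the profile's memory model)
    has no entry in TrueCryptMaster.version_map.
    """
    mm_model = addr_space.profile.metadata.get('memory_model', '32bit')
    # Only the lookup is guarded. The original wrapped merge_overlay() and
    # compile() too, so any KeyError raised inside those was misreported as
    # "version not supported".
    try:
        vtypes = TrueCryptMaster.version_map[ver][mm_model]
    except KeyError:
        debug.error("Truecrypt version {0} is not supported".format(ver))
    addr_space.profile.vtypes.update(vtypes)
    # Overlay the fields whose raw values are worth decoding: the volume
    # name as UTF-16 and the cipher mode / algorithm as named enumerations.
    addr_space.profile.merge_overlay({
        'EXTENSION' : [ None, {
            'wszVolume' : [ None, ['String', dict(length = 260, encoding = "utf16")]],
        }],
        'CRYPTO_INFO_t' : [ None, {
            'mode' : [ None, ['Enumeration', dict(target = "long",
                                                  choices = {1: 'XTS',
                                                             2: 'LWR',
                                                             3: 'CBC',
                                                             4: 'OUTER_CBC',
                                                             5: 'INNER_CBC'})]],
            'ea' : [ None, ['Enumeration', dict(target = "long",
                                                choices = {1: 'AES',
                                                           2: 'SERPENT',
                                                           3: 'TWOFISH',
                                                           4: 'BLOWFISH',
                                                           5: 'CAST',
                                                           6: 'TRIPLEDES'})]],
        }]})
    addr_space.profile.compile()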
开发者ID:504ensicsLabs,项目名称:DAMM,代码行数:33,代码来源:tcaudit.py
示例5: calculate
def calculate(self):
    """Validate the profile, then enumerate sockets from the kernel address space."""
    space = utils.load_as(self._config)
    if not self.is_valid_profile(space.profile):
        debug.error("This command does not support the selected profile.")
    return win32.network.determine_sockets(space)
开发者ID:BryanSingh,项目名称:volatility,代码行数:7,代码来源:sockets.py
示例6: generator
def generator(self, data):
    """Yield one row per suspicious VAD, optionally dumping its contents.

    Rows are (depth, [process name, pid, start address, tag, protection,
    flags, first 64 bytes]). When --dump-dir is set each VAD is also written
    to process.<eprocess offset>.<vad start>.dmp inside it.
    """
    dump_dir = self._config.DUMP_DIR
    if dump_dir and not os.path.isdir(dump_dir):
        debug.error(dump_dir + " is not a directory")
    for task in data:
        vads = task.get_vads(vad_filter = task._injection_filter)
        for vad, address_space in vads:
            if self._is_vad_empty(vad, address_space):
                continue
            preview = address_space.zread(vad.Start, 64)
            protection = vadinfo.PROTECT_FLAGS.get(vad.VadFlags.Protection.v(), "")
            yield (0, [str(task.ImageFileName),
                       int(task.UniqueProcessId),
                       Address(vad.Start),
                       str(vad.Tag),
                       str(protection),
                       str(vad.VadFlags),
                       Bytes(preview)])
            if not dump_dir:
                continue
            # Dump the data when --dump-dir was supplied. The name is built
            # from two integers (offset, start) so it cannot escape dump_dir.
            out_name = "process.{0:#x}.{1:#x}.dmp".format(task.obj_offset, vad.Start)
            self.dump_vad(os.path.join(dump_dir, out_name), vad, address_space)
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:28,代码来源:malfind.py
示例7: search_stack_frames
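def search_stack_frames(self, start, stack_base, stack_limit, yara_rules, frame_delta=32, unwind=DEFAULT_UNWIND):
    """
    Use Yara to search kernel/user stack frames within +/- frame_delta of the frame's start
    address.
    Frames to search are chosen by using the strategies specified by the unwind parameter
    (a comma-separated list of StackTop plugin names).
    yara_rules - compiled Yara rules, built for example with:
        1. yara.compile("/path/to/yara.rules")
     or 2. yara.compile(source="rule dummy { condition: true }")
    Yields (match, string_name, string_value, frame_start, offset_relative_to_frame_start).
    Raises ValueError for an unknown unwind strategy name; exits via debug.error()
    when yara is not installed.
    """
    if not yara_installed:
        debug.error("In order to search the stack frames, it is necessary to install yara")
    stack_registry = registry.get_plugin_classes(StackTop)
    # The process address space does not change between frames; look it up once.
    process_space = self.get_process_address_space()
    for unwind_strategy_nm in unwind.split(","):
        if unwind_strategy_nm not in stack_registry:
            raise ValueError("{0} is not a known stack unwind strategy".format(unwind_strategy_nm))
        unwind_strategy = stack_registry[unwind_strategy_nm](start, stack_base, stack_limit, self)
        for frame in itertools.chain(unwind_strategy.up(), unwind_strategy.down()):
            # 2*frame_delta-byte window centred on the frame start.
            search_data = process_space.zread(frame.start - frame_delta, 2 * frame_delta)
            for match in yara_rules.match(data = search_data):
                # NOTE(review): relies on the older yara-python API where
                # match.strings is a list of (offset, identifier, data) tuples.
                for moffset, name, value in match.strings:
                    # Match offset here is converted into frame start address and a +/- frame_delta
                    yield match, name, value, frame.start, moffset - frame_delta
    # A bare `return` ends the generator. The original used `raise StopIteration`,
    # which PEP 479 (Python 3.7+) turns into a RuntimeError inside a generator.
    return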
开发者ID:binsrc,项目名称:volatility-1,代码行数:29,代码来源:exportstack.py
示例8: calculate
def calculate(self):
common.set_plugin_members(self)
if not self.addr_space.profile.obj_has_member("fs_event_watcher", "proc_name"):
debug.error("This plugin only supports OS X >= 10.8.2. Please file a bug if you are running against a version matching this criteria.")
event_types = ["CREATE_FILE", "DELETE", "STAT_CHANGED", "RENAME", "CONTENT_MODIFIED", "EXCHANGE", "FINDER_INFO_CHANGED", "CREATE_DIR", "CHOWN"]
event_types = event_types + ["XATTR_MODIFIED", "XATTR_REMOVED", "DOCID_CREATED", "DOCID_CHANGED"]
table_addr = self.addr_space.profile.get_symbol("_watcher_table")
arr = obj.Object(theType = "Array", targetType = "Pointer", count = 8, vm = self.addr_space, offset = table_addr)
for watcher_addr in arr:
if not watcher_addr.is_valid():
continue
watcher = watcher_addr.dereference_as("fs_event_watcher")
name = self.addr_space.read(watcher.proc_name.obj_offset, 33)
if name:
idx = name.find("\x00")
if idx != -1:
name = name[:idx]
events = ""
event_arr = obj.Object(theType = "Array", targetType = "unsigned char", offset = watcher.event_list.v(), count = 13, vm = self.addr_space)
for (i, event) in enumerate(event_arr):
if event == 1:
events = events + event_types[i] + ", "
if len(events) and events[-1] == " " and events[-2] == ",":
events = events[:-2]
yield watcher_addr, name, watcher.pid, events
开发者ID:CRYP706URU,项目名称:pyrebox,代码行数:35,代码来源:vfsevents.py
示例9: calculate
def calculate(self):
    """Scan the kernel pools for allocations carrying --tag.

    Yields (_POOL_HEADER, raw bytes) where the buffer holds the first
    --min-size bytes at the pool header's offset. Exits via debug.error()
    when --tag is not given.
    """
    addr_space = utils.load_as(self._config)
    tag = self._config.TAG
    if tag is None:
        debug.error("You must enter a --tag to find")
    minsize = self._config.MIN_SIZE
    maxsize = self._config.MAX_SIZE

    def size_in_range(size):
        # Inclusive on both ends.
        return minsize <= size <= maxsize

    # --paged selects the paged pool; otherwise only the non-paged pool is scanned.
    scan_paged = bool(self._config.PAGED)
    scanner = GenericPoolScan()
    scanner.checks = [
        ('PoolTagCheck', dict(tag = tag)),
        ('CheckPoolSize', dict(condition = size_in_range)),
        ('CheckPoolType', dict(paged = scan_paged, non_paged = not scan_paged)),
    ]
    for offset in scanner.scan(addr_space):
        header = obj.Object("_POOL_HEADER", offset = offset, vm = addr_space)
        yield header, addr_space.zread(offset, minsize)
开发者ID:BryanSingh,项目名称:volatility,代码行数:30,代码来源:pooltracker.py
示例10: calculate
def calculate(self):
    """Select kernel modules to dump, by --base or by --regex (default: all).

    Yields (kernel address space, process list, module base, module name).
    Exits via debug.error() when --regex does not compile.
    """
    addr_space = utils.load_as(self._config)
    pattern = None
    if self._config.REGEX:
        flags = re.I if self._config.IGNORE_CASE else 0
        try:
            pattern = re.compile(self._config.REGEX, flags)
        except re.error as e:
            debug.error('Error parsing regular expression: %s' % e)
    by_base = dict((mod.DllBase.v(), mod) for mod in modules.lsmod(addr_space))
    # We need the process list to find spaces for some drivers. Enumerate them here
    # instead of inside the find_space function, so we only have to do it once.
    procs = list(tasks.pslist(addr_space))
    base = self._config.BASE
    if base:
        mod = by_base.get(base)
        mod_name = mod.BaseDllName if mod is not None else "UNKNOWN"
        yield addr_space, procs, int(base), mod_name
        return
    for mod in list(by_base.values()):
        if pattern is not None:
            names = (str(mod.FullDllName or ''), str(mod.BaseDllName or ''))
            if not any(pattern.search(n) for n in names):
                continue
        yield addr_space, procs, mod.DllBase.v(), mod.BaseDllName
开发者ID:carmaa,项目名称:volatility-2.2-python3,代码行数:29,代码来源:moddump.py
示例11: get_processes
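def get_processes(self, addr_space):
    """Enumerate processes based on user options.
    :param addr_space | <addrspace.AbstractVirtualAddressSpace>
    :returns <list> (or the lazy pslist() iterator when neither --offset,
                     --scan nor --pid is given)
    Exits via debug.error() when --pid is not a comma-separated list of ints.
    """
    bounce_back = taskmods.DllList.virtual_process_from_physical_offset
    if self._config.OFFSET is not None:
        tasks = [bounce_back(addr_space, self._config.OFFSET)]
    elif self._config.SCAN:
        # Each scan hit is a physical offset; bounce_back turns it into a
        # virtual-space task object.
        procs = filescan.PSScan(self._config).calculate()
        tasks = [bounce_back(addr_space, task.obj_offset) for task in procs]
    else:
        tasks = win32.tasks.pslist(addr_space)
    if self._config.PID is not None:
        # Only the user-supplied list is parsed inside the guard. The original
        # also wrapped the filtering loop, so a TypeError raised while reading
        # a task's UniqueProcessId was misreported as "Invalid PID <input>".
        try:
            pidlist = set(int(p) for p in self._config.PID.split(","))
        except (ValueError, TypeError):
            debug.error("Invalid PID {0}".format(self._config.PID))
        tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
    return tasks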
开发者ID:binaryAccess,项目名称:volatility,代码行数:27,代码来源:strings.py
示例12: calculate
def calculate(self):
    """Carve task_structs from physical memory by scanning for sched_class pointers.

    Yields candidate task_struct objects whose exit_state and pid look sane.
    Exits via debug.error() when the profile exposes no *_sched_class symbols.
    """
    linux_common.set_plugin_members(self)
    phys_space = utils.load_as(self._config, astype="physical")
    is_32bit = phys_space.profile.metadata.get("memory_model", "32bit") == "32bit"
    ptr_fmt = "<I" if is_32bit else "<Q"
    # Every *_sched_class symbol address, packed as a little-endian pointer,
    # is a needle: a task_struct's sched_class field should hold one of them.
    needles = [struct.pack(ptr_fmt, phys_space.profile.get_symbol(sym))
               for sym in phys_space.profile.get_all_symbol_names("kernel")
               if "_sched_class" in sym]
    if not needles:
        debug.error("Unable to scan for processes. Please file a bug report.")
    sched_class_off = phys_space.profile.get_obj_offset("task_struct", "sched_class")
    # NOTE(review): 16 and 32 presumably are EXIT_DEAD / EXIT_ZOMBIE; confirm
    # against the kernel headers before relying on the names.
    valid_exit_states = (0, 16, 32, 16 | 32)
    scanner = poolscan.MultiPoolScanner(needles)
    for _, hit in scanner.scan(phys_space):
        candidate = obj.Object("task_struct", offset=hit - sched_class_off, vm=phys_space)
        if candidate.exit_state.v() not in valid_exit_states:
            continue
        if not (0 < candidate.pid < 66000):
            continue
        yield candidate
开发者ID:MeteorAdminz,项目名称:volatility,代码行数:34,代码来源:psscan.py
示例13: _compile_rules
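def _compile_rules(self):
    """Compile the YARA rules from command-line parameters.
    @returns: a YARA object on which you can call 'match'
    This function causes the plugin to exit if the YARA
    rules have syntax errors or are not supplied correctly.
    """
    rules = None
    try:
        if self._config.YARA_RULES:
            s = self._config.YARA_RULES
            # Don't wrap hex or regex rules in quotes
            if s[0] not in ("{", "/"): s = '"' + s + '"'
            # Option for case insensitive searches
            if self._config.CASE: s += " nocase"
            # Scan for unicode and ascii strings
            if self._config.WIDE: s += " wide ascii"
            # NOTE(review): -Y is spliced into the rule source verbatim. A value
            # containing an unescaped `"` (or a stray `}`) alters or breaks the
            # generated rule; that currently surfaces as the SyntaxError below
            # rather than being escaped here.
            rules = yara.compile(sources = {
                'n' : 'rule r1 {strings: $a = ' + s + ' condition: $a}'
            })
        elif self._config.YARA_FILE and os.path.isfile(self._config.YARA_FILE):
            rules = yara.compile(self._config.YARA_FILE)
        else:
            debug.error("You must specify a string (-Y) or a rules file (-y)")
    except yara.SyntaxError as why:  # `except X, name:` is Python 2-only syntax
        debug.error("Cannot compile rules: {0}".format(str(why)))
    # The docstring promises the compiled rules; the listing never returned them.
    return rules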
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:29,代码来源:malfind.py
示例14: calculate
def calculate(self):
    """Begin carving and analysing"""
    # Check output dir is provided
    dump_dir = self._config.DUMP_DIR
    if dump_dir is None:
        debug.error("Please specify a dump directory (--dump-dir)")
    if not os.path.isdir(dump_dir):
        debug.error(dump_dir + " is not a directory")
    # Carve packets from all mempages
    self.addr_space = utils.load_as(self._config)
    for mempage in self.addr_space.get_available_addresses():
        page_start, page_len = mempage[0], mempage[1]
        self.carve_packets(self.addr_space.zread(page_start, page_len))
    # Analyze the carved/parsed packets
    packet_stats = self.analyze_packets(self.parsed_packets)
    # Dump files to dump-dir (fixed names, nothing image-controlled in the path)
    pcap_path = os.path.abspath(os.path.join(dump_dir, 'packets.pcap'))
    ips_path = os.path.abspath(os.path.join(dump_dir, 'ips.txt'))
    self.dump_packets_to_pcap(self.hex_packets, pcap_path)
    with open(ips_path, 'w') as fd:
        fd.writelines(ip_to_check + '\n' for ip_to_check in packet_stats['unique_public_ips'])
    return packet_stats
开发者ID:JamesHabben,项目名称:community,代码行数:27,代码来源:carve_packets.py
示例15: render_text
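def render_text(self, outfd, data):
    """Print each YARA hit with its owner and a hexdump; optionally dump it.

    `data` yields (owner, address, hit, content): owner is None for
    unattributed kernel memory, an _EPROCESS for process memory, or a
    module object otherwise. With --dump-dir each hit's content is written
    to a file named from the owner offset and hit address.
    """
    dump_dir = self._config.DUMP_DIR
    if dump_dir and not os.path.isdir(dump_dir):
        debug.error(dump_dir + " is not a directory")
    for owner, addr, hit, content in data:
        outfd.write("Rule: {0}\n".format(hit.rule))
        # Find out if the hit is from user or kernel mode
        if owner == None:
            outfd.write("Owner: (Unknown Kernel Memory)\n")
            filename = "kernel.{0:#x}.dmp".format(addr)
        elif owner.obj_name == "_EPROCESS":
            outfd.write("Owner: Process {0} Pid {1}\n".format(owner.ImageFileName,
                                                              owner.UniqueProcessId))
            filename = "process.{0:#x}.{1:#x}.dmp".format(owner.obj_offset, addr)
        else:
            outfd.write("Owner: {0}\n".format(owner.BaseDllName))
            filename = "kernel.{0:#x}.{1:#x}.dmp".format(owner.obj_offset, addr)
        # Dump the data if --dump-dir was supplied. The name is built only from
        # integers, so it cannot escape dump_dir; `with` closes the handle even
        # if the write fails (the original leaked it on that path).
        if dump_dir:
            with open(os.path.join(dump_dir, filename), "wb") as fh:
                fh.write(content)
        # Hexdump offsets are relative to `addr`. The loop variable is named
        # `off` so it no longer shadows the owner object (`o` in the original).
        outfd.write("".join(
            "{0:#010x} {1:<48} {2}\n".format(addr + off, hexpart, ''.join(chars))
            for off, hexpart, chars in utils.Hexdump(content)))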
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:30,代码来源:malfind.py
示例16: tz_from_string
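def tz_from_string(_option, _opt_str, value, parser):
    """Stores a tzinfo object from a string

    optparse callback for the display-timezone option. `value` is either a
    numeric offset such as "+1000" / "-0530" (hours then minutes, two digits
    each; extra digits are ignored) or a zone name looked up via pytz, falling
    back to a plain string for time.tzset when pytz is unavailable.
    Exits via debug.error() on an unparsable offset or an unknown zone.
    """
    if value is not None:
        if value[0] in ['+', '-']:
            # Handed a numeric offset, create an OffsetTzInfo
            valarray = [value[i:i + 2] for i in range(1, len(value), 2)]
            multipliers = [3600, 60]
            offset = 0
            try:
                for i in range(min(len(valarray), len(multipliers))):
                    offset += int(valarray[i]) * multipliers[i]
            except ValueError:
                # e.g. "+10:00" or "+abcd"; the original let the traceback escape.
                debug.error("Invalid timezone offset {0}, expected e.g. +1000".format(value))
            if value[0] == '-':
                offset = -offset
            timezone = OffsetTzInfo(offset = offset)
        else:
            # Value is a lookup, choose pytz over time.tzset
            if tz_pytz:
                try:
                    timezone = pytz.timezone(value)
                except pytz.UnknownTimeZoneError:
                    debug.error("Unknown display timezone specified")
            else:
                if not hasattr(time, 'tzset'):
                    debug.error("This operating system doesn't support tzset, please either specify an offset (eg. +1000) or install pytz")
                timezone = value
        parser.values.tz = timezone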
开发者ID:r1nswenson,项目名称:volatility,代码行数:25,代码来源:timefmt.py
示例17: render
def render(self, outfd, grid):
    """Write the whole grid into a SQLite table named after the plugin.

    Rows are inserted in batches of 20000 inside explicit transactions.
    Exits via debug.error() when --output-file is not given.
    NOTE(review): self._accumulator must already be initialised (presumably
    to [0, []] by the constructor) before render() is called.
    """
    if not self._config.OUTPUT_FILE:
        debug.error("Please specify a valid output file using --output-file")
    # isolation_level=None puts the sqlite3 module in autocommit mode, which
    # is why transactions below are opened and committed by hand.
    self._db = sqlite3.connect(self._config.OUTPUT_FILE, isolation_level = None)
    # Identifiers cannot be bound as parameters, so they are spliced into the
    # statement text: each column name passes through _sanitize_name() and is
    # double-quoted. NOTE(review): _plugin_name is spliced in unquoted and
    # unsanitized -- presumably always an identifier-safe plugin name; confirm
    # at the caller. Cell values are bound through '?' placeholders, so data
    # carved from the image never reaches the SQL text.
    create = "CREATE TABLE IF NOT EXISTS " + self._plugin_name + "( id INTEGER, " + \
        ", ".join(['"' + self._sanitize_name(i.name) + '" ' + self._column_type(i.type) for i in grid.columns]) + ")"
    self._db.execute(create)
    def _add_multiple_row(node, accumulator):
        # accumulator is [last_id, pending_rows]; the returned value is
        # presumably fed back in by grid.populate() for the next node.
        accumulator[0] = accumulator[0] + 1 #id
        accumulator[1].append([accumulator[0]] + [str(v) for v in node.values])
        if len(accumulator[1]) > 20000:
            self._db.execute("BEGIN TRANSACTION")
            insert = "INSERT INTO " + self._plugin_name + " VALUES (?, " + ", ".join(["?"] * len(node.values)) + ")"
            self._db.executemany(insert, accumulator[1])
            # Rebind to a fresh list rather than emptying the old one in place.
            accumulator = [accumulator[0], []]
            self._db.execute("COMMIT TRANSACTION")
        self._accumulator = accumulator
        return accumulator
    grid.populate(_add_multiple_row, self._accumulator)
    #Insert last nodes
    if len(self._accumulator[1]) > 0:
        self._db.execute("BEGIN TRANSACTION")
        # Placeholder count comes from the first pending row, minus its id column.
        insert = "INSERT INTO " + self._plugin_name + " VALUES (?, " + ", ".join(["?"] * (len(self._accumulator[1][0])-1)) + ")"
        self._db.executemany(insert, self._accumulator[1])
        self._db.execute("COMMIT TRANSACTION")
开发者ID:binaryAccess,项目名称:volatility,代码行数:29,代码来源:sqlite.py
示例18: calculate
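def calculate(self):
    """Dispatch on --listfiles / --find / --inode + --outfile.

    Yields (path, inode) pairs for the first two modes; the third mode yields
    nothing and instead writes the inode's page contents to --outfile.
    Exits via debug.error() when the output file cannot be opened.
    """
    linux_common.set_plugin_members(self)
    find_file = self._config.FIND
    inode_addr = self._config.inode
    outfile = self._config.outfile
    listfiles = self._config.LISTFILES
    if listfiles:
        for (_, _, file_path, file_dentry) in self.walk_sbs():
            yield (file_path, file_dentry.d_inode)
    elif find_file and len(find_file):
        for (_, _, file_path, file_dentry) in self.walk_sbs():
            if file_path == find_file:
                yield (file_path, file_dentry.d_inode)
                break
    elif inode_addr and inode_addr > 0 and outfile and len(outfile) > 0:
        inode = obj.Object("inode", offset = inode_addr, vm = self.addr_space)
        try:
            f = open(outfile, "wb")
        except IOError as e:  # `except X, e:` is Python 2-only syntax
            debug.error("Unable to open output file (%s): %s" % (outfile, str(e)))
        # `with` closes the handle even if get_file_contents() raises part way;
        # the original left it open on that path.
        with f:
            for page in self.get_file_contents(inode):
                f.write(page)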
开发者ID:chansonzhang,项目名称:volatility,代码行数:30,代码来源:find_file.py
示例19: calculate
def calculate(self):
    """Locate the UserAssist Count keys in each registry hive.

    Yields (is_win7, hive name, key) for every candidate key, where key is
    whatever rawreg.open_key() returns (possibly falsy when absent). Exits via
    debug.error() only when an explicit --hive-offset has no root key; hives
    found by HiveList that lack a root are skipped silently.
    """
    addr_space = utils.load_as(self._config)
    meta = addr_space.profile.metadata
    win7 = meta.get('major', 0) == 6 and meta.get('minor', 0) == 1
    if self._config.HIVE_OFFSET:
        hive_offsets = [("User Specified", self._config.HIVE_OFFSET)]
    else:
        hive_offsets = [(self.hive_name(h), h.obj_offset) for h in hivelist.HiveList.calculate(self)]
    # Windows 7 (6.1) uses a different pair of UserAssist GUIDs than earlier
    # versions; both Count subkeys are probed, in this order.
    skey = "software\\microsoft\\windows\\currentversion\\explorer\\userassist\\"
    if win7:
        guids = ["{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}", "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"]
    else:
        guids = ["{75048700-EF1F-11D0-9888-006097DEACF9}", "{5E6AB780-7743-11CF-A12B-00AA004AE837}"]
    for name, hoff in set(hive_offsets):
        hive_space = hivemod.HiveAddressSpace(addr_space, self._config, hoff)
        root = rawreg.get_root(hive_space)
        if not root:
            if self._config.HIVE_OFFSET:
                debug.error("Unable to find root key. Is the hive offset correct?")
            continue
        for guid in guids:
            uakey = skey + guid + "\\Count"
            yield win7, name, rawreg.open_key(root, uakey.split('\\'))
开发者ID:B-Rich,项目名称:amark,代码行数:27,代码来源:userassist.py
示例20: generator
def generator(self, data):
    """Render UserAssist keys: one row per subkey, then one per REG_BINARY value.

    `data` yields (is_win7, hive name, key) from calculate(). Value names are
    stored ROT13-encoded and are decoded here; on Windows 7 the leading folder
    GUID is replaced with its friendly name from folder_guids.
    Exits via debug.error() when no searched hive contained the key.
    """
    keyfound = False
    for win7, reg, key in data:
        if key:
            keyfound = True
            for s in self.regapi.reg_get_all_subkeys(None, None, given_root = key):
                # `== None` is deliberate. NOTE(review): the placeholder object
                # returned for an unreadable name appears to compare equal to
                # None while still carrying a `.reason`; `is None` would differ.
                if s.Name == None:
                    item = "Unknown subkey: " + s.Name.reason
                else:
                    item = s.Name
                yield (0, [str(reg), str(self.regapi.reg_get_key_path(key)), str(key.LastWriteTime), str(item), "", ""])
            for subname, dat in self.regapi.reg_yield_values(None, None, given_root = key, thetype = "REG_BINARY"):
                dat_raw = dat
                try:
                    # Python 2 str codec. On Python 3, str.encode('rot_13')
                    # raises LookupError, which is not caught here.
                    subname = subname.encode('rot_13')
                except UnicodeDecodeError:
                    pass
                if win7:
                    guid = subname.split("\\")[0]
                    if guid in folder_guids:
                        subname = subname.replace(guid, folder_guids[guid])
                dat = self.parse_data(dat_raw)
                yield (0, [str(reg), str(self.regapi.reg_get_key_path(key)), str(key.LastWriteTime), "", str(subname), str(dat)])
    if not keyfound:
        debug.error("The requested key could not be found in the hive(s) searched")
开发者ID:DSLeung,项目名称:volatility,代码行数:25,代码来源:userassist.py
注:本文中的volatility.debug.error函数示例由纯净天空整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。 |