Python volatility.plugins.malware.malfind.BaseYaraScanner() Examples
The following are 29 code examples of volatility.plugins.malware.malfind.BaseYaraScanner().
Example #1
Source File: linux_truecrypt.py From vortessence with GNU General Public License v2.0 | 5 votes |
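def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)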
Example #2
Source File: mac_yarascan.py From volatility with GNU General Public License v2.0 | 5 votes |
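def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)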
Example #3
Source File: linux_yarascan.py From volatility with GNU General Public License v2.0 | 5 votes |
def scan(self, offset = 0, maxlen = None):
    """Run the YARA rules over every memory mapping (VMA) of the bound task.

    ``offset`` and ``maxlen`` are accepted only for signature compatibility
    with the base scanner; they are ignored. The range scanned is always
    derived from the task's own VMA list, one base-scanner call per VMA.

    Yields:
        Each result of malfind.BaseYaraScanner.scan for each VMA, in VMA
        order.
    """
    for region in self.task.get_proc_maps():
        start = region.vm_start
        length = region.vm_end - region.vm_start
        # NOTE(review): a smeared VMA with vm_end < vm_start gives a negative
        # length here; how the base scanner treats that is not visible.
        for hit in malfind.BaseYaraScanner.scan(self, start, length):
            yield hit
Example #4
Source File: linux_yarascan.py From volatility with GNU General Public License v2.0 | 5 votes |
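def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)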
Example #5
Source File: linux_truecrypt.py From volatility with GNU General Public License v2.0 | 5 votes |
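def scan(self, offset = 0, maxlen = None):
    """Look for TrueCrypt PASSPHRASE structures in the task's brk heap.

    The base YARA scan is run only over the VMA that fully covers the heap
    ([mm.start_brk, mm.brk]). Each hit is assumed to land on the MaxLength
    field of a PASSPHRASE struct; the struct is reconstructed around it and
    reported only if it passes the sanity checks below.

    ``offset`` and ``maxlen`` are accepted for signature compatibility with
    the base scanner but are not used. (The original code reassigned the
    ``offset`` parameter to the struct field offset; a separate local is
    used here so the parameter is not silently clobbered.)

    Yields:
        (address, password) pairs: the hit address and the dereferenced
        passphrase text.
    """
    profile = self.address_space.profile
    # Offset of MaxLength inside PASSPHRASE: the struct starts this many
    # bytes before a hit address.
    maxlen_offset = profile.get_obj_offset("PASSPHRASE", "MaxLength")
    heap_start = self.task.mm.start_brk
    heap_end = self.task.mm.brk
    for vma in self.task.get_proc_maps():
        # Only the VMA that fully contains the brk heap is scanned.
        if not (vma.vm_start <= heap_start and vma.vm_end >= heap_end):
            continue
        for _hit, address in malfind.BaseYaraScanner.scan(self, vma.vm_start, vma.vm_end - vma.vm_start):
            # Candidate PASSPHRASE struct reconstructed around the hit.
            passt = obj.Object("PASSPHRASE", offset = address - maxlen_offset, vm = self.address_space)
            # Sanity checks: valid object, Text pointer inside this same VMA,
            # and a non-empty Length strictly below MaxLength.
            if not passt:
                continue
            if not (vma.vm_start <= passt.Text and vma.vm_end >= passt.Text):
                continue
            if not (passt.Length > 0 and passt.Length < passt.MaxLength):
                continue
            password = passt.Text.dereference()
            # The string actually present must match the recorded length.
            if len(password) != passt.Length:
                continue
            yield address, password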
Example #6
Source File: linux_truecrypt.py From volatility with GNU General Public License v2.0 | 5 votes |
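def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)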
Example #7
Source File: mac_yarascan.py From DAMM with GNU General Public License v2.0 | 5 votes |
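def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)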
Example #8
Source File: linux_yarascan.py From DAMM with GNU General Public License v2.0 | 5 votes |
def scan(self, offset = 0, maxlen = None):
    """Run the YARA rules over every memory mapping (VMA) of the bound task.

    ``offset`` and ``maxlen`` are accepted only for signature compatibility
    with the base scanner; they are ignored. The range scanned is always
    derived from the task's own VMA list, one base-scanner call per VMA.

    Yields:
        Each result of malfind.BaseYaraScanner.scan for each VMA, in VMA
        order.
    """
    for region in self.task.get_proc_maps():
        start = region.vm_start
        length = region.vm_end - region.vm_start
        # NOTE(review): a smeared VMA with vm_end < vm_start gives a negative
        # length here; how the base scanner treats that is not visible.
        for hit in malfind.BaseYaraScanner.scan(self, start, length):
            yield hit
Example #9
Source File: linux_yarascan.py From DAMM with GNU General Public License v2.0 | 5 votes |
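def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)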
Example #10
Source File: linux_truecrypt.py From DAMM with GNU General Public License v2.0 | 5 votes |
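def scan(self, offset = 0, maxlen = None):
    """Look for TrueCrypt PASSPHRASE structures in the task's brk heap.

    The base YARA scan is run only over the VMA that fully covers the heap
    ([mm.start_brk, mm.brk]). Each hit is assumed to land on the MaxLength
    field of a PASSPHRASE struct; the struct is reconstructed around it and
    reported only if it passes the sanity checks below.

    ``offset`` and ``maxlen`` are accepted for signature compatibility with
    the base scanner but are not used. (The original code reassigned the
    ``offset`` parameter to the struct field offset; a separate local is
    used here so the parameter is not silently clobbered.)

    Yields:
        (address, password) pairs: the hit address and the dereferenced
        passphrase text.
    """
    profile = self.address_space.profile
    # Offset of MaxLength inside PASSPHRASE: the struct starts this many
    # bytes before a hit address.
    maxlen_offset = profile.get_obj_offset("PASSPHRASE", "MaxLength")
    heap_start = self.task.mm.start_brk
    heap_end = self.task.mm.brk
    for vma in self.task.get_proc_maps():
        # Only the VMA that fully contains the brk heap is scanned.
        if not (vma.vm_start <= heap_start and vma.vm_end >= heap_end):
            continue
        for _hit, address in malfind.BaseYaraScanner.scan(self, vma.vm_start, vma.vm_end - vma.vm_start):
            # Candidate PASSPHRASE struct reconstructed around the hit.
            passt = obj.Object("PASSPHRASE", offset = address - maxlen_offset, vm = self.address_space)
            # Sanity checks: valid object, Text pointer inside this same VMA,
            # and a non-empty Length strictly below MaxLength.
            if not passt:
                continue
            if not (vma.vm_start <= passt.Text and vma.vm_end >= passt.Text):
                continue
            if not (passt.Length > 0 and passt.Length < passt.MaxLength):
                continue
            password = passt.Text.dereference()
            # The string actually present must match the recorded length.
            if len(password) != passt.Length:
                continue
            yield address, password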
Example #11
Source File: linux_truecrypt.py From DAMM with GNU General Public License v2.0 | 5 votes |
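def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)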
Example #12
Source File: mac_yarascan.py From vortessence with GNU General Public License v2.0 | 5 votes |
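def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)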
Example #13
Source File: linux_yarascan.py From vortessence with GNU General Public License v2.0 | 5 votes |
def scan(self, offset = 0, maxlen = None):
    """Run the YARA rules over every memory mapping (VMA) of the bound task.

    ``offset`` and ``maxlen`` are accepted only for signature compatibility
    with the base scanner; they are ignored. The range scanned is always
    derived from the task's own VMA list, one base-scanner call per VMA.

    Yields:
        Each result of malfind.BaseYaraScanner.scan for each VMA, in VMA
        order.
    """
    for region in self.task.get_proc_maps():
        start = region.vm_start
        length = region.vm_end - region.vm_start
        # NOTE(review): a smeared VMA with vm_end < vm_start gives a negative
        # length here; how the base scanner treats that is not visible.
        for hit in malfind.BaseYaraScanner.scan(self, start, length):
            yield hit
Example #14
Source File: linux_yarascan.py From vortessence with GNU General Public License v2.0 | 5 votes |
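def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)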
Example #15
Source File: linux_truecrypt.py From vortessence with GNU General Public License v2.0 | 5 votes |
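def scan(self, offset = 0, maxlen = None):
    """Look for TrueCrypt PASSPHRASE structures in the task's brk heap.

    The base YARA scan is run only over the VMA that fully covers the heap
    ([mm.start_brk, mm.brk]). Each hit is assumed to land on the MaxLength
    field of a PASSPHRASE struct; the struct is reconstructed around it and
    reported only if it passes the sanity checks below.

    ``offset`` and ``maxlen`` are accepted for signature compatibility with
    the base scanner but are not used. (The original code reassigned the
    ``offset`` parameter to the struct field offset; a separate local is
    used here so the parameter is not silently clobbered.)

    Yields:
        (address, password) pairs: the hit address and the dereferenced
        passphrase text.
    """
    profile = self.address_space.profile
    # Offset of MaxLength inside PASSPHRASE: the struct starts this many
    # bytes before a hit address.
    maxlen_offset = profile.get_obj_offset("PASSPHRASE", "MaxLength")
    heap_start = self.task.mm.start_brk
    heap_end = self.task.mm.brk
    for vma in self.task.get_proc_maps():
        # Only the VMA that fully contains the brk heap is scanned.
        if not (vma.vm_start <= heap_start and vma.vm_end >= heap_end):
            continue
        for _hit, address in malfind.BaseYaraScanner.scan(self, vma.vm_start, vma.vm_end - vma.vm_start):
            # Candidate PASSPHRASE struct reconstructed around the hit.
            passt = obj.Object("PASSPHRASE", offset = address - maxlen_offset, vm = self.address_space)
            # Sanity checks: valid object, Text pointer inside this same VMA,
            # and a non-empty Length strictly below MaxLength.
            if not passt:
                continue
            if not (vma.vm_start <= passt.Text and vma.vm_end >= passt.Text):
                continue
            if not (passt.Length > 0 and passt.Length < passt.MaxLength):
                continue
            password = passt.Text.dereference()
            # The string actually present must match the recorded length.
            if len(password) != passt.Length:
                continue
            yield address, password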
Example #16
Source File: linux_truecrypt.py From aumfor with GNU General Public License v3.0 | 5 votes |
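def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)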
Example #17
Source File: mac_yarascan.py From volatility with GNU General Public License v2.0 | 5 votes |
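def scan(self, offset = 0, maxlen = None, max_size = None):
    """Run the YARA rules over each memory map of the bound task.

    ``offset`` and ``maxlen`` are accepted only for base-class signature
    compatibility and are ignored; the scan range always comes from the
    task's proc maps, one base-scanner call per map.

    Args:
        max_size: If truthy, any map longer than this many bytes is skipped
            with a debug warning instead of being scanned (presumably to
            bound scan time on very large regions); falsy means no limit.

    Yields:
        Each result of malfind.BaseYaraScanner.scan for each map, in map
        order.
    """
    # The loop variable was ``map``, which shadowed the builtin.
    for region in self.task.get_proc_maps():
        start = region.links.start
        length = region.links.end - start
        if max_size and length > max_size:
            debug.warning("Skipping max size entry {0:#x} - {1:#x}".format(start, region.links.end))
            continue
        for match in malfind.BaseYaraScanner.scan(self, start, length):
            yield match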
Example #18
Source File: mac_yarascan.py From volatility with GNU General Public License v2.0 | 5 votes |
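def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)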
Example #19
Source File: mac.py From volatility with GNU General Public License v2.0 | 5 votes |
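def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)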
Example #20
Source File: linux_yarascan.py From volatility with GNU General Public License v2.0 | 5 votes |
def scan(self, offset = 0, maxlen = None):
    """Run the YARA rules over every memory mapping (VMA) of the bound task.

    ``offset`` and ``maxlen`` are accepted only for signature compatibility
    with the base scanner; they are ignored. The range scanned is always
    derived from the task's own VMA list, one base-scanner call per VMA.

    Yields:
        Each result of malfind.BaseYaraScanner.scan for each VMA, in VMA
        order.
    """
    for region in self.task.get_proc_maps():
        start = region.vm_start
        length = region.vm_end - region.vm_start
        # NOTE(review): a smeared VMA with vm_end < vm_start gives a negative
        # length here; how the base scanner treats that is not visible.
        for hit in malfind.BaseYaraScanner.scan(self, start, length):
            yield hit
Example #21
Source File: linux_yarascan.py From volatility with GNU General Public License v2.0 | 5 votes |
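def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)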
Example #22
Source File: linux_truecrypt.py From volatility with GNU General Public License v2.0 | 5 votes |
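def scan(self, offset = 0, maxlen = None):
    """Look for TrueCrypt PASSPHRASE structures in the task's brk heap.

    The base YARA scan is run only over the VMA that fully covers the heap
    ([mm.start_brk, mm.brk]). Each hit is assumed to land on the MaxLength
    field of a PASSPHRASE struct; the struct is reconstructed around it and
    reported only if it passes the sanity checks below.

    ``offset`` and ``maxlen`` are accepted for signature compatibility with
    the base scanner but are not used. (The original code reassigned the
    ``offset`` parameter to the struct field offset; a separate local is
    used here so the parameter is not silently clobbered.)

    Yields:
        (address, password) pairs: the hit address and the dereferenced
        passphrase text.
    """
    profile = self.address_space.profile
    # Offset of MaxLength inside PASSPHRASE: the struct starts this many
    # bytes before a hit address.
    maxlen_offset = profile.get_obj_offset("PASSPHRASE", "MaxLength")
    heap_start = self.task.mm.start_brk
    heap_end = self.task.mm.brk
    for vma in self.task.get_proc_maps():
        # Only the VMA that fully contains the brk heap is scanned.
        if not (vma.vm_start <= heap_start and vma.vm_end >= heap_end):
            continue
        for _hit, address in malfind.BaseYaraScanner.scan(self, vma.vm_start, vma.vm_end - vma.vm_start):
            # Candidate PASSPHRASE struct reconstructed around the hit.
            passt = obj.Object("PASSPHRASE", offset = address - maxlen_offset, vm = self.address_space)
            # Sanity checks: valid object, Text pointer inside this same VMA,
            # and a non-empty Length strictly below MaxLength.
            if not passt:
                continue
            if not (vma.vm_start <= passt.Text and vma.vm_end >= passt.Text):
                continue
            if not (passt.Length > 0 and passt.Length < passt.MaxLength):
                continue
            password = passt.Text.dereference()
            # The string actually present must match the recorded length.
            if len(password) != passt.Length:
                continue
            yield address, password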
Example #23
Source File: linux_truecrypt.py From volatility with GNU General Public License v2.0 | 5 votes |
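def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)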
Example #24
Source File: mac_yarascan.py From aumfor with GNU General Public License v3.0 | 5 votes |
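def scan(self, offset = 0, maxlen = None, max_size = None):
    """Run the YARA rules over each memory map of the bound task.

    ``offset`` and ``maxlen`` are accepted only for base-class signature
    compatibility and are ignored; the scan range always comes from the
    task's proc maps, one base-scanner call per map.

    Args:
        max_size: If truthy, any map longer than this many bytes is skipped
            with a debug warning instead of being scanned (presumably to
            bound scan time on very large regions); falsy means no limit.

    Yields:
        Each result of malfind.BaseYaraScanner.scan for each map, in map
        order.
    """
    # The loop variable was ``map``, which shadowed the builtin.
    for region in self.task.get_proc_maps():
        start = region.links.start
        length = region.links.end - start
        if max_size and length > max_size:
            debug.warning("Skipping max size entry {0:#x} - {1:#x}".format(start, region.links.end))
            continue
        for match in malfind.BaseYaraScanner.scan(self, start, length):
            yield match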
Example #25
Source File: mac_yarascan.py From aumfor with GNU General Public License v3.0 | 5 votes |
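def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)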
Example #26
Source File: mac.py From aumfor with GNU General Public License v3.0 | 5 votes |
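def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)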
Example #27
Source File: linux_yarascan.py From aumfor with GNU General Public License v3.0 | 5 votes |
def scan(self, offset = 0, maxlen = None):
    """Run the YARA rules over every memory mapping (VMA) of the bound task.

    ``offset`` and ``maxlen`` are accepted only for signature compatibility
    with the base scanner; they are ignored. The range scanned is always
    derived from the task's own VMA list, one base-scanner call per VMA.

    Yields:
        Each result of malfind.BaseYaraScanner.scan for each VMA, in VMA
        order.
    """
    for region in self.task.get_proc_maps():
        start = region.vm_start
        length = region.vm_end - region.vm_start
        # NOTE(review): a smeared VMA with vm_end < vm_start gives a negative
        # length here; how the base scanner treats that is not visible.
        for hit in malfind.BaseYaraScanner.scan(self, start, length):
            yield hit
Example #28
Source File: linux_yarascan.py From aumfor with GNU General Public License v3.0 | 5 votes |
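def __init__(self, task = None, **kwargs):
    """Bind the scanner to one task so scans walk that task's mappings.

    Args:
        task: The task_struct object for this task. Despite the ``None``
            default it is required: the process address space is taken
            from it here and scan() reads its memory maps.
        **kwargs: Forwarded unchanged to malfind.BaseYaraScanner.__init__.

    Raises:
        ValueError: If ``task`` is None (the original code failed later
            with an AttributeError on ``None.get_process_address_space``).
    """
    if task is None:
        raise ValueError("task is required: a process YARA scanner needs a task to scan")
    self.task = task
    # Hand the base scanner the task's own address space so scan offsets are
    # the task's virtual addresses (the same ones scan() takes from its maps).
    malfind.BaseYaraScanner.__init__(self, address_space = task.get_process_address_space(), **kwargs)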
Example #29
Source File: linux_truecrypt.py From aumfor with GNU General Public License v3.0 | 5 votes |
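def scan(self, offset = 0, maxlen = None):
    """Look for TrueCrypt PASSPHRASE structures in the task's brk heap.

    The base YARA scan is run only over the VMA that fully covers the heap
    ([mm.start_brk, mm.brk]). Each hit is assumed to land on the MaxLength
    field of a PASSPHRASE struct; the struct is reconstructed around it and
    reported only if it passes the sanity checks below.

    ``offset`` and ``maxlen`` are accepted for signature compatibility with
    the base scanner but are not used. (The original code reassigned the
    ``offset`` parameter to the struct field offset; a separate local is
    used here so the parameter is not silently clobbered.)

    Yields:
        (address, password) pairs: the hit address and the dereferenced
        passphrase text.
    """
    profile = self.address_space.profile
    # Offset of MaxLength inside PASSPHRASE: the struct starts this many
    # bytes before a hit address.
    maxlen_offset = profile.get_obj_offset("PASSPHRASE", "MaxLength")
    heap_start = self.task.mm.start_brk
    heap_end = self.task.mm.brk
    for vma in self.task.get_proc_maps():
        # Only the VMA that fully contains the brk heap is scanned.
        if not (vma.vm_start <= heap_start and vma.vm_end >= heap_end):
            continue
        for _hit, address in malfind.BaseYaraScanner.scan(self, vma.vm_start, vma.vm_end - vma.vm_start):
            # Candidate PASSPHRASE struct reconstructed around the hit.
            passt = obj.Object("PASSPHRASE", offset = address - maxlen_offset, vm = self.address_space)
            # Sanity checks: valid object, Text pointer inside this same VMA,
            # and a non-empty Length strictly below MaxLength.
            if not passt:
                continue
            if not (vma.vm_start <= passt.Text and vma.vm_end >= passt.Text):
                continue
            if not (passt.Length > 0 and passt.Length < passt.MaxLength):
                continue
            password = passt.Text.dereference()
            # The string actually present must match the recorded length.
            if len(password) != passt.Length:
                continue
            yield address, password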