Python volatility.obj.CType() Examples
The following are 30
code examples of volatility.obj.CType().
Example #1
Source File: dumpfiles.py From aumfor with GNU General Public License v3.0 | 6 votes |
def is_valid(self):
    """Reject records whose FileSize / ValidDataLength / SectionSize
    QuadParts are mutually inconsistent.

    Runs after the base obj.CType check. The semantic check was added
    after corrupted values were seen in Win2003SP0x86.vmem, so that bad
    records are dropped before any data is carved from them.
    """
    if not obj.CType.is_valid(self):
        return False
    # Read the three 64-bit sizes once, in the original order.
    file_size = self.FileSize.QuadPart
    valid_length = self.ValidDataLength.QuadPart
    section_size = self.SectionSize.QuadPart
    # A zero or negative file size / valid-data length is never sound.
    if file_size <= 0 or valid_length <= 0:
        return False
    if section_size < 0:
        return False
    # A ValidDataLength of 0x7fffffffffffffff is exempted from the
    # FileSize < ValidDataLength test (presumably a "no limit" sentinel).
    unbounded = 0x7fffffffffffffff
    if file_size < valid_length and valid_length != unbounded:
        return False
    return True
Example #2
Source File: mftparser.py From aumfor with GNU General Public License v3.0 | 6 votes |
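def is_valid(self):
    """Return True for a record that passes the obj.CType check and has at
    least one non-zero timestamp.

    Each of the four timestamp members (ModifiedTime, MFTAlteredTime,
    CreationTime, FileAccessedTime) is read through ``.v()``; a
    ``struct.error`` while reading a member is treated as a zero timestamp
    rather than propagated, exactly as the four original try/except blocks
    did.
    """
    def _timestamp_or_zero(member_name):
        # Unpack failures are expected on truncated or garbage records; a
        # zero simply fails the "any non-zero timestamp" test below. The
        # attribute access stays inside the try, as in the original.
        try:
            return getattr(self, member_name).v()
        except struct.error:
            return 0

    # Same read order as the original.
    modified = _timestamp_or_zero("ModifiedTime")
    mftaltered = _timestamp_or_zero("MFTAlteredTime")
    creation = _timestamp_or_zero("CreationTime")
    accessed = _timestamp_or_zero("FileAccessedTime")
    return obj.CType.is_valid(self) and any(
        stamp != 0 for stamp in (modified, mftaltered, accessed, creation)
    )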
Example #3
Source File: windows.py From aumfor with GNU General Public License v3.0 | 6 votes |
def is_valid(self):
    """Sanity-check a thread object beyond the base obj.CType test.

    Rejects a thread that has an owning process id but no start address,
    and one whose semaphore headers carry neither the expected Size nor
    the expected Type (0x05).
    """
    if not obj.CType.is_valid(self):
        return False
    # A thread that belongs to a real process must have a start address.
    owner_pid = self.Cid.UniqueProcess.v()
    if owner_pid != 0 and self.StartAddress == 0:
        return False
    # SuspendSemaphore is absent from the Win8 _KTHREAD, hence the hasattr.
    # Note the check only fires when BOTH Size and Type are off (and, not or).
    if hasattr(self.Tcb, 'SuspendSemaphore'):
        suspend_header = self.Tcb.SuspendSemaphore.Header
        if suspend_header.Size != 0x05 and suspend_header.Type != 0x05:
            return False
    keyed_header = self.KeyedWaitSemaphore.Header
    if keyed_header.Size != 0x05 and keyed_header.Type != 0x05:
        return False
    return True
Example #4
Source File: linux.py From aumfor with GNU General Public License v3.0 | 6 votes |
def gid(self):
    """Return the task's gid, unwrapping a plain obj.CType result via ``.v()``.

    If the profile's member table has no ``gid`` entry the value is taken
    from ``self.cred.gid``: a ``counter`` member is dereferenced as an int
    at that address, a ``val`` member is returned directly, otherwise the
    cred gid itself is used. When the member exists, ``self.m("gid")`` is
    read instead.
    """
    if self.members.get("gid") is None:
        cred_gid = self.cred.gid
        if hasattr(cred_gid, 'counter'):
            value = obj.Object("int", offset = cred_gid.v(), vm = self.obj_vm)
        elif hasattr(cred_gid, "val"):
            value = cred_gid.val
        else:
            value = cred_gid
    else:
        value = self.m("gid")
    # Exact-class test as in the original: only a bare obj.CType is
    # unwrapped, subclasses are returned as-is (deliberate or not -- confirm).
    if type(value) == obj.CType:
        value = value.v()
    return value
Example #5
Source File: windows.py From aumfor with GNU General Public License v3.0 | 6 votes |
def is_valid(self):
    """Sanity-check a process object beyond the base obj.CType test.

    Rejects an object whose page-directory base is zero or not 0x20
    aligned, or whose thread-list links do not point into kernel space.
    """
    if not obj.CType.is_valid(self):
        return False
    directory_base = self.Pcb.DirectoryTableBase
    if directory_base == 0 or directory_base % 0x20 != 0:
        return False
    # 0x80000000 is used as the start of kernel space, i.e. a 32-bit
    # address layout is assumed here -- NOTE(review): confirm for other profiles.
    kernel_base = 0x80000000
    thread_list = self.ThreadListHead
    if thread_list.Flink < kernel_base or thread_list.Blink < kernel_base:
        return False
    return True
Example #6
Source File: mftparser.py From aumfor with GNU General Public License v3.0 | 6 votes |
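def is_valid(self):
    """Return True for a record that passes the obj.CType check and has at
    least one non-zero timestamp.

    Each of the four timestamp members (ModifiedTime, MFTAlteredTime,
    CreationTime, FileAccessedTime) is read through ``.v()``; a
    ``struct.error`` while reading a member is treated as a zero timestamp
    rather than propagated, exactly as the four original try/except blocks
    did. An earlier, commented-out revision additionally rejected entries
    whose printable name was empty; that check is not applied here.
    """
    def _timestamp_or_zero(member_name):
        # Unpack failures are expected on truncated or garbage records; a
        # zero simply fails the "any non-zero timestamp" test below. The
        # attribute access stays inside the try, as in the original.
        try:
            return getattr(self, member_name).v()
        except struct.error:
            return 0

    # Same read order as the original.
    modified = _timestamp_or_zero("ModifiedTime")
    mftaltered = _timestamp_or_zero("MFTAlteredTime")
    creation = _timestamp_or_zero("CreationTime")
    accessed = _timestamp_or_zero("FileAccessedTime")
    return obj.CType.is_valid(self) and any(
        stamp != 0 for stamp in (modified, mftaltered, accessed, creation)
    )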
Example #7
Source File: elf.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, theType, offset, vm, name = None, **kwargs):
    """Initialise the object by delegating to obj.CType.__init__.

    No extra state is set up; every argument is forwarded unchanged.
    """
    base_init = obj.CType.__init__
    base_init(self, theType, offset, vm, name, **kwargs)
Example #8
Source File: win32k_core.py From aumfor with GNU General Public License v3.0 | 5 votes |
def is_valid(self):
    """Validate an atom table by its signature and its bucket count.

    0x6d6f7441 is the ASCII tag "Atom" read as a little-endian 32-bit
    value; bucket counts at or above 0xFFFF are treated as garbage.
    """
    if not obj.CType.is_valid(self):
        return False
    atom_tag = 0x6d6f7441  # b"Atom" as a little-endian dword
    return self.Signature == atom_tag and self.NumBuckets < 0xFFFF
Example #9
Source File: win32k_core.py From aumfor with GNU General Public License v3.0 | 5 votes |
def is_valid(self):
    """Sanity-check an Atom: valid obj.CType, Flags in {0, 1}, NameLength <= 255."""
    if not obj.CType.is_valid(self):
        return False
    # Only one flag bit is defined, so anything other than 0 or 1 is bogus.
    flags_ok = self.Flags in (0, 1)
    # Atom names are capped at 255.
    return flags_ok and self.NameLength <= 255

#--------------------------------------------------------------------------------
# profile modifications
#--------------------------------------------------------------------------------
Example #10
Source File: elf.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, theType, offset, vm, name = None, **kwargs):
    """Plain pass-through constructor: hand everything to obj.CType.__init__."""
    base_init = obj.CType.__init__
    base_init(self, theType, offset, vm, name, **kwargs)
Example #11
Source File: elf.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, theType, offset, vm, name = None, **kwargs):
    """Initialise via obj.CType.__init__ with the arguments forwarded as given.

    The override adds no state of its own.
    """
    base_init = obj.CType.__init__
    base_init(self, theType, offset, vm, name, **kwargs)
Example #12
Source File: win32k_core.py From aumfor with GNU General Public License v3.0 | 5 votes |
def is_valid(self):
    """Sanity checks for a tagSHAREDINFO structure.

    The kernel copy must have a zero ulSharedDelta, a valid psi (server
    info) pointer, a readable handle-table byte count of at least 0x1000,
    and a byte count that divides into exactly cHandleEntries
    _HANDLEENTRY records.
    """
    if not obj.CType.is_valid(self):
        return False
    # The kernel-side copy always carries a zeroed shared delta.
    if self.ulSharedDelta != 0:
        return False
    server_info = self.psi
    if not server_info.is_valid():
        return False
    table_bytes = server_info.cbHandleTable
    # psi can be a valid pointer while cbHandleTable itself cannot be read
    # because it crosses a page boundary. ``== None`` is kept on purpose:
    # an unreadable member is presumably an object that compares equal to
    # None rather than None itself, so ``is None`` would not catch it -- confirm.
    if table_bytes == None:
        return False
    if table_bytes < 0x1000:
        return False
    entry_size = self.obj_vm.profile.get_obj_size("_HANDLEENTRY")
    # Plain ``/`` as in the original; under Python 2 this is integer division.
    return table_bytes / entry_size == server_info.cHandleEntries
Example #13
Source File: elf.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, theType, offset, vm, name = None, **kwargs):
    """Forward construction to obj.CType.__init__ without adding state."""
    base_init = obj.CType.__init__
    base_init(self, theType, offset, vm, name, **kwargs)
Example #14
Source File: elf.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, theType, offset, vm, name = None, **kwargs):
    """Pass-through constructor.

    Every argument goes straight to obj.CType.__init__; nothing else is set.
    """
    base_init = obj.CType.__init__
    base_init(self, theType, offset, vm, name, **kwargs)
Example #15
Source File: elf.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, theType, offset, vm, name = None, **kwargs):
    """Initialise the object exactly as obj.CType.__init__ would; no extra state."""
    base_init = obj.CType.__init__
    base_init(self, theType, offset, vm, name, **kwargs)
Example #16
Source File: elf.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, theType, offset, vm, name = None, **kwargs):
    """Delegate construction to obj.CType.__init__ with unchanged arguments."""
    base_init = obj.CType.__init__
    base_init(self, theType, offset, vm, name, **kwargs)
Example #17
Source File: elf.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, theType, offset, vm, name = None, **kwargs):
    """Thin constructor: forwards theType, offset, vm, name and kwargs to
    obj.CType.__init__ and sets nothing else."""
    base_init = obj.CType.__init__
    base_init(self, theType, offset, vm, name, **kwargs)
Example #18
Source File: win32k_core.py From aumfor with GNU General Public License v3.0 | 5 votes |
def is_valid(self):
    """Valid when the obj.CType checks pass and dwSessionId is below 0xFF."""
    if not obj.CType.is_valid(self):
        return False
    return self.dwSessionId < 0xFF
Example #19
Source File: devicetree.py From aumfor with GNU General Public License v3.0 | 5 votes |
def is_valid(self):
    """Valid when the obj.CType checks pass and DriverStart is page aligned."""
    if not obj.CType.is_valid(self):
        return False
    # Driver image bases are expected on a 0x1000 (page) boundary.
    return self.DriverStart % 0x1000 == 0
Example #20
Source File: iehistory.py From aumfor with GNU General Public License v3.0 | 5 votes |
def is_valid(self):
    """Validate an IE history URL record.

    The record must pass the obj.CType check, both timestamps must be
    valid, neither may render as the epoch date ("1970-01-01") or as "-",
    both years must lie strictly between 1999 and 2075, and the URLStart
    pointer must be valid. Returns a plain bool.
    """
    if not (obj.CType.is_valid(self)
            and self.LastModified.is_valid()
            and self.LastAccessed.is_valid()):
        return False
    modified_text = str(self.LastModified)
    if modified_text.startswith("1970-01-01") or modified_text == "-":
        return False
    accessed_text = str(self.LastAccessed)
    if accessed_text.startswith("1970-01-01") or accessed_text == "-":
        return False
    # Year bounds are exclusive at both ends, as in the original check.
    if not (1999 < self.LastModified.as_datetime().year < 2075):
        return False
    if not (1999 < self.LastAccessed.as_datetime().year < 2075):
        return False
    return bool(self.URLStart.is_valid())
Example #21
Source File: iehistory.py From aumfor with GNU General Public License v3.0 | 5 votes |
def is_valid(self):
    """Validate an IE history record by length and timestamps.

    Length must be greater than 0 and less than 32768, and neither
    LastModified nor LastAccessed may render as the epoch date
    ("1970-01-01") or as "-". Returns a plain bool.
    """
    if not obj.CType.is_valid(self):
        return False
    if not (self.Length > 0 and self.Length < 32768):
        return False
    # LastModified is checked first, then LastAccessed, as in the original.
    for stamp in (self.LastModified, self.LastAccessed):
        text = str(stamp)
        if text.startswith("1970-01-01") or text == "-":
            return False
    return True
Example #22
Source File: dumpcerts.py From aumfor with GNU General Public License v3.0 | 5 votes |
def is_valid(self):
    """Apply the sslkeyfinder sanity check to a key/certificate candidate.

    Reference: http://www.trapkit.de/research/sslkeyfinder/
    Beyond the obj.CType check, the Size field must stay below 0xFFF.
    """
    if obj.CType.is_valid(self):
        return self.Size < 0xFFF
    return False
Example #23
Source File: bash_hash.py From aumfor with GNU General Public License v3.0 | 5 votes |
def is_valid(self):
    """Validate a bash hash table: valid obj.CType, a readable bucket_array
    address, exactly 64 buckets and more than one entry."""
    checks = (
        lambda: obj.CType.is_valid(self),
        lambda: self.obj_vm.is_valid_address(self.bucket_array),
        lambda: self.nbuckets == 64,
        lambda: self.nentries > 1,
    )
    # all() stops at the first failing check, like the original or-chain.
    return all(check() for check in checks)
Example #24
Source File: bash_hash.py From aumfor with GNU General Public License v3.0 | 5 votes |
def is_valid(self):
    """Validate a bash hash table: valid obj.CType, a readable bucket_array
    address, exactly 64 buckets and a non-negative entry count."""
    checks = (
        lambda: obj.CType.is_valid(self),
        lambda: self.obj_vm.is_valid_address(self.bucket_array),
        lambda: self.nbuckets == 64,
        lambda: self.nentries >= 0,
    )
    # all() stops at the first failing check, like the original or-chain.
    return all(check() for check in checks)
Example #25
Source File: bash_hash.py From aumfor with GNU General Public License v3.0 | 5 votes |
def __init__(self, ptr_size, theType, offset, vm, name = None, **kwargs):
    """Record the pointer width, then run the obj.CType constructor.

    ``ptr_size`` is stored on the instance before the base constructor is
    called (keep that order: the base may read it during initialisation --
    confirm); all other arguments are forwarded unchanged.
    """
    self.ptr_size = ptr_size
    base_init = obj.CType.__init__
    base_init(self, theType, offset, vm, name, **kwargs)
Example #26
Source File: basic.py From aumfor with GNU General Public License v3.0 | 5 votes |
def __init__(self, theType, offset, vm, **kwargs):
    """Construct the object, tolerating an unreadable offset.

    obj.CType.__init__ may raise obj.InvalidOffsetError part-way through;
    in that case the remaining initialisation step is performed here by
    marking the instance as initialised, as the original comment explains.
    """
    try:
        obj.CType.__init__(self, theType, offset, vm, **kwargs)
    except obj.InvalidOffsetError:
        # The exception will be raised before this point,
        # so we must finish off the CType's __init__ ourselves.
        # NOTE(review): a double-underscore attribute is name-mangled to
        # _<ThisClass>__initialized, so this only matches the flag the base
        # constructor would have set if the base uses the same mangled
        # name -- confirm against obj.CType.
        self.__initialized = True
Example #27
Source File: win10.py From aumfor with GNU General Public License v3.0 | 5 votes |
def is_valid(self):
    """Determine if a given object header is valid.

    Beyond the obj.CType check, InfoMask must not exceed 0x88 and
    PointerCount must lie within [0, 0x1000000].
    """
    if not obj.CType.is_valid(self):
        return False
    # Upper bound on the optional-header mask taken from the original check.
    if self.InfoMask > 0x88:
        return False
    pointer_count = self.PointerCount
    if pointer_count > 0x1000000 or pointer_count < 0:
        return False
    return True
Example #28
Source File: vad_vtypes.py From aumfor with GNU General Public License v3.0 | 5 votes |
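def is_valid(self):
    """Valid when the obj.CType check passes and both Start and End lie
    below the profile's MaxAddress.

    The maximum address is looked up once through obj.VolMagic instead of
    twice, and only after the base check has passed, so an invalid object
    never triggers the lookup.
    """
    if not obj.CType.is_valid(self):
        return False
    max_address = obj.VolMagic(self.obj_vm).MaxAddress.v()
    return self.Start < max_address and self.End < max_address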
Example #29
Source File: tcpip_vtypes.py From aumfor with GNU General Public License v3.0 | 5 votes |
def is_valid(self):
    """Valid when the obj.CType check passes and CreateTime is positive."""
    if not obj.CType.is_valid(self):
        return False
    return self.CreateTime.v() > 0
Example #30
Source File: pe_vtypes.py From aumfor with GNU General Public License v3.0 | 5 votes |
def __init__(self, theType = None, offset = None, vm = None, parent = None, *args, **kwargs):
    """Construct the object, remembering its own offset as ``sectoffset``.

    ``sectoffset`` is set to the raw ``offset`` argument before the base
    constructor runs. All arguments are then forwarded to
    obj.CType.__init__. Note that any extra positional ``args`` are passed
    positionally right after ``self`` and would therefore collide with the
    keyword ``theType`` (TypeError: multiple values), so extra arguments
    are expected to arrive as keywords only.
    """
    self.sectoffset = offset
    obj.CType.__init__(self, *args, theType = theType, offset = offset,
                       vm = vm, parent = parent, **kwargs)