Python volatility.obj.InvalidOffsetError() Examples
The following are 21
code examples of volatility.obj.InvalidOffsetError().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.obj
, or try the search function
.
.
Example #1
| Source File: win32k_core.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def find_shared_info(self):
"""Find this session's tagSHAREDINFO structure.
This structure is embedded in win32k's .data section,
(i.e. not in dynamically allocated memory). Thus we
iterate over each DWORD-aligned possibility and treat
it as a tagSHAREDINFO until the sanity checks are met.
"""
for chunk in self._section_chunks(".data"):
# If the base of the value is paged
if not chunk.is_valid():
continue
# Treat it as a shared info struct
shared_info = obj.Object("tagSHAREDINFO",
offset = chunk.obj_offset, vm = self.obj_vm)
# Sanity check it
try:
if shared_info.is_valid():
return shared_info
except obj.InvalidOffsetError:
pass
return obj.NoneObject("Cannot find win32k!gSharedInfo")
Example #2
| Source File: win32k_core.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def find_shared_info(self):
"""Find this session's tagSHAREDINFO structure.
This structure is embedded in win32k's .data section,
(i.e. not in dynamically allocated memory). Thus we
iterate over each DWORD-aligned possibility and treat
it as a tagSHAREDINFO until the sanity checks are met.
"""
for chunk in self._section_chunks(".data"):
# If the base of the value is paged
if not chunk.is_valid():
continue
# Treat it as a shared info struct
shared_info = obj.Object("tagSHAREDINFO",
offset = chunk.obj_offset, vm = self.obj_vm)
# Sanity check it
try:
if shared_info.is_valid():
return shared_info
except obj.InvalidOffsetError:
pass
return obj.NoneObject("Cannot find win32k!gSharedInfo")
Example #3
| Source File: win32k_core.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def find_shared_info(self):
"""Find this session's tagSHAREDINFO structure.
This structure is embedded in win32k's .data section,
(i.e. not in dynamically allocated memory). Thus we
iterate over each DWORD-aligned possibility and treat
it as a tagSHAREDINFO until the sanity checks are met.
"""
for chunk in self._section_chunks(".data"):
# If the base of the value is paged
if not chunk.is_valid():
continue
# Treat it as a shared info struct
shared_info = obj.Object("tagSHAREDINFO",
offset = chunk.obj_offset, vm = self.obj_vm)
# Sanity check it
try:
if shared_info.is_valid():
return shared_info
except obj.InvalidOffsetError:
pass
return obj.NoneObject("Cannot find win32k!gSharedInfo")
Example #4
| Source File: win32k_core.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def find_shared_info(self):
"""Find this session's tagSHAREDINFO structure.
This structure is embedded in win32k's .data section,
(i.e. not in dynamically allocated memory). Thus we
iterate over each DWORD-aligned possibility and treat
it as a tagSHAREDINFO until the sanity checks are met.
"""
for chunk in self._section_chunks(".data"):
# If the base of the value is paged
if not chunk.is_valid():
continue
# Treat it as a shared info struct
shared_info = obj.Object("tagSHAREDINFO",
offset = chunk.obj_offset, vm = self.obj_vm)
# Sanity check it
try:
if shared_info.is_valid():
return shared_info
except obj.InvalidOffsetError:
pass
return obj.NoneObject("Cannot find win32k!gSharedInfo")
Example #5
| Source File: win32k_core.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def find_shared_info(self):
"""Find this session's tagSHAREDINFO structure.
This structure is embedded in win32k's .data section,
(i.e. not in dynamically allocated memory). Thus we
iterate over each DWORD-aligned possibility and treat
it as a tagSHAREDINFO until the sanity checks are met.
"""
for chunk in self._section_chunks(".data"):
# If the base of the value is paged
if not chunk.is_valid():
continue
# Treat it as a shared info struct
shared_info = obj.Object("tagSHAREDINFO",
offset = chunk.obj_offset, vm = self.obj_vm)
# Sanity check it
try:
if shared_info.is_valid():
return shared_info
except obj.InvalidOffsetError:
pass
return obj.NoneObject("Cannot find win32k!gSharedInfo")
Example #6
| Source File: pe_vtypes.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def valid(self, nt_header):
"""Check the validity of some fields"""
try:
return (self.OriginalFirstThunk != 0 and
self.OriginalFirstThunk < nt_header.OptionalHeader.SizeOfImage and
self.FirstThunk != 0 and
self.FirstThunk < nt_header.OptionalHeader.SizeOfImage and
self.Name < nt_header.OptionalHeader.SizeOfImage)
except obj.InvalidOffsetError:
return False
Example #7
| Source File: basic.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, theType, offset, vm, **kwargs):
try:
obj.CType.__init__(self, theType, offset, vm, **kwargs)
except obj.InvalidOffsetError:
# The exception will be raised before this point,
# so we must finish off the CType's __init__ ourselves
self.__initialized = True
Example #8
| Source File: pe_vtypes.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def valid(self, nt_header):
"""Check the validity of some fields"""
try:
return (self.OriginalFirstThunk != 0 and
self.OriginalFirstThunk < nt_header.OptionalHeader.SizeOfImage and
self.FirstThunk != 0 and
self.FirstThunk < nt_header.OptionalHeader.SizeOfImage and
self.Name < nt_header.OptionalHeader.SizeOfImage)
except obj.InvalidOffsetError:
return False
Example #9
| Source File: pe_vtypes.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def valid(self, nt_header):
"""
Check the sanity of export table fields.
The RVAs cannot be larger than the module size. The function
and name counts cannot be larger than 32K.
"""
try:
return (self.AddressOfFunctions < nt_header.OptionalHeader.SizeOfImage and
self.AddressOfNameOrdinals < nt_header.OptionalHeader.SizeOfImage and
self.AddressOfNames < nt_header.OptionalHeader.SizeOfImage and
self.NumberOfFunctions < 0x7FFF and
self.NumberOfNames < 0x7FFF)
except obj.InvalidOffsetError:
return False
Example #10
| Source File: basic.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, theType, offset, vm, **kwargs):
try:
obj.CType.__init__(self, theType, offset, vm, **kwargs)
except obj.InvalidOffsetError:
# The exception will be raised before this point,
# so we must finish off the CType's __init__ ourselves
self.__initialized = True
Example #11
| Source File: pe_vtypes.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def valid(self, nt_header):
"""Check the validity of some fields"""
try:
return (self.OriginalFirstThunk != 0 and
self.OriginalFirstThunk < nt_header.OptionalHeader.SizeOfImage and
self.FirstThunk != 0 and
self.FirstThunk < nt_header.OptionalHeader.SizeOfImage and
self.Name < nt_header.OptionalHeader.SizeOfImage)
except obj.InvalidOffsetError:
return False
Example #12
| Source File: pe_vtypes.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def valid(self, nt_header):
"""
Check the sanity of export table fields.
The RVAs cannot be larger than the module size. The function
and name counts cannot be larger than 32K.
"""
try:
return (self.AddressOfFunctions < nt_header.OptionalHeader.SizeOfImage and
self.AddressOfNameOrdinals < nt_header.OptionalHeader.SizeOfImage and
self.AddressOfNames < nt_header.OptionalHeader.SizeOfImage and
self.NumberOfFunctions < 0x7FFF and
self.NumberOfNames < 0x7FFF)
except obj.InvalidOffsetError:
return False
Example #13
| Source File: basic.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, theType, offset, vm, **kwargs):
try:
obj.CType.__init__(self, theType, offset, vm, **kwargs)
except obj.InvalidOffsetError:
# The exception will be raised before this point,
# so we must finish off the CType's __init__ ourselves
self.__initialized = True
Example #14
| Source File: pe_vtypes.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def valid(self, nt_header):
"""
Check the sanity of export table fields.
The RVAs cannot be larger than the module size. The function
and name counts cannot be larger than 32K.
"""
try:
return (self.AddressOfFunctions < nt_header.OptionalHeader.SizeOfImage and
self.AddressOfNameOrdinals < nt_header.OptionalHeader.SizeOfImage and
self.AddressOfNames < nt_header.OptionalHeader.SizeOfImage and
self.NumberOfFunctions < 0x7FFF and
self.NumberOfNames < 0x7FFF)
except obj.InvalidOffsetError:
return False
Example #15
| Source File: pe_vtypes.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def valid(self, nt_header):
"""
Check the sanity of export table fields.
The RVAs cannot be larger than the module size. The function
and name counts cannot be larger than 32K.
"""
try:
return (self.AddressOfFunctions < nt_header.OptionalHeader.SizeOfImage and
self.AddressOfNameOrdinals < nt_header.OptionalHeader.SizeOfImage and
self.AddressOfNames < nt_header.OptionalHeader.SizeOfImage and
self.NumberOfFunctions < 0x7FFF and
self.NumberOfNames < 0x7FFF)
except obj.InvalidOffsetError:
return False
Example #16
| Source File: basic.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, theType, offset, vm, **kwargs):
try:
obj.CType.__init__(self, theType, offset, vm, **kwargs)
except obj.InvalidOffsetError:
# The exception will be raised before this point,
# so we must finish off the CType's __init__ ourselves
self.__initialized = True
Example #17
| Source File: pe_vtypes.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def valid(self, nt_header):
"""Check the validity of some fields"""
try:
return (self.OriginalFirstThunk != 0 and
self.OriginalFirstThunk < nt_header.OptionalHeader.SizeOfImage and
self.FirstThunk != 0 and
self.FirstThunk < nt_header.OptionalHeader.SizeOfImage and
self.Name < nt_header.OptionalHeader.SizeOfImage)
except obj.InvalidOffsetError:
return False
Example #18
| Source File: pe_vtypes.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def valid(self, nt_header):
"""
Check the sanity of export table fields.
The RVAs cannot be larger than the module size. The function
and name counts cannot be larger than 32K.
"""
try:
return (self.AddressOfFunctions < nt_header.OptionalHeader.SizeOfImage and
self.AddressOfNameOrdinals < nt_header.OptionalHeader.SizeOfImage and
self.AddressOfNames < nt_header.OptionalHeader.SizeOfImage and
self.NumberOfFunctions < 0x7FFF and
self.NumberOfNames < 0x7FFF)
except obj.InvalidOffsetError:
return False
Example #19
| Source File: browserhooks.py From volatility-browserhooks with BSD 2-Clause "Simplified" License | 5 votes |
|
def valid(self, nt_header):
"""Check the validity of some fields"""
try:
return (self.OriginalFirstThunk != 0 and
self.OriginalFirstThunk < nt_header.OptionalHeader.SizeOfImage and
self.FirstThunk != 0 and
self.FirstThunk < nt_header.OptionalHeader.SizeOfImage and
self.Name < nt_header.OptionalHeader.SizeOfImage)
except obj.InvalidOffsetError:
return False
Example #20
| Source File: basic.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, theType, offset, vm, **kwargs):
try:
obj.CType.__init__(self, theType, offset, vm, **kwargs)
except obj.InvalidOffsetError:
# The exception will be raised before this point,
# so we must finish off the CType's __init__ ourselves
self.__initialized = True
Example #21
| Source File: pe_vtypes.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def valid(self, nt_header):
"""Check the validity of some fields"""
try:
return (self.OriginalFirstThunk != 0 and
self.OriginalFirstThunk < nt_header.OptionalHeader.SizeOfImage and
self.FirstThunk != 0 and
self.FirstThunk < nt_header.OptionalHeader.SizeOfImage and
self.Name < nt_header.OptionalHeader.SizeOfImage)
except obj.InvalidOffsetError:
return False
