Python volatility.obj.Object() Examples
The following are 30
code examples of volatility.obj.Object().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.obj
, or try the search function
.
.
Example #1
| Source File: elf.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def program_headers(self):
rtname = self._get_typename("phdr")
rtsize = self.obj_vm.profile.get_obj_size(rtname)
tname = "elf_phdr"
# the buffer of headers
arr_start = self.obj_offset + self.e_phoff
if self.e_phnum > 128:
phnum = self.e_phnum
else:
phnum = 128
for i in range(phnum):
# use the real size
idx = i * rtsize
phdr = obj.Object("elf_phdr", offset = arr_start + idx, vm = self.obj_vm, parent = self)
if phdr.is_valid():
yield phdr
Example #2
| Source File: notepad.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def heap_entries(self):
"""Enumerate the heaps in this segment.
##FIXME:
* Raise ValueError if corruptions are detected.
* Should we start at FirstEntry or Entry?
"""
next = self.Entry #FirstEntry.dereference()
last = self.LastValidEntry.dereference()
chunk_size = self.obj_vm.profile.get_obj_size("_HEAP_ENTRY")
while (next and
next.obj_offset < last.obj_offset):
yield next
next = obj.Object("_HEAP_ENTRY",
offset = next.obj_offset + next.Size * chunk_size,
vm = next.obj_vm)
Example #3
| Source File: kpcrscan.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def check(self, offset):
""" We check that _KCPR.pSelfPCR points to the start of the _KCPR struct """
paKCPR = offset
paPRCBDATA = offset + self.PrcbData_offset
try:
pSelfPCR = obj.Object('Pointer', offset = (offset + self.SelfPcr_offset), vm = self.address_space)
pPrcb = obj.Object('Pointer', offset = (offset + self.Prcb_offset), vm = self.address_space)
if self.address_equality(pSelfPCR, paKCPR) and self.address_equality(pPrcb, paPRCBDATA):
self.KPCR = pSelfPCR
return True
except BaseException:
return False
return False
# make the scan DWORD aligned
Example #4
| Source File: kpcrscan.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __init__(self, address_space):
scan.ScannerCheck.__init__(self, address_space)
kpcr = obj.Object("_KPCR", vm = self.address_space, offset = 0)
if address_space.profile.metadata.get('memory_model', '') == '32bit':
self.SelfPcr_offset = kpcr.SelfPcr.obj_offset
self.Prcb_offset = kpcr.Prcb.obj_offset
self.PrcbData_offset = kpcr.PrcbData.obj_offset
# In the check() routine, we need to compare masked virtual
# addresses, but self.address_space is a BufferAddressSpace.
self.address_equality = amd64.AMD64PagedMemory.address_equality
else:
# The self-referencing member of _KPCR is Self on x64
self.SelfPcr_offset = kpcr.Self.obj_offset
# The pointer to _KPRCB is CurrentPrcb on x64
self.Prcb_offset = kpcr.CurrentPrcb.obj_offset
# The nested _KPRCB in Prcb on x64
self.PrcbData_offset = kpcr.Prcb.obj_offset
self.address_equality = intel.IA32PagedMemory.address_equality
self.KPCR = None
Example #5
| Source File: bigpagepools.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def scan(self, tags = []):
"""
Scan for the pools by tag.
@param tags: a list of pool tags to scan for,
or empty for scanning for all tags.
"""
(table_base, table_size) = \
obj.VolMagic(self.kernel_space).BigPageTable.v()
pools = obj.Object('Array', targetType = '_POOL_TRACKER_BIG_PAGES',
offset = table_base,
count = table_size, vm = self.kernel_space
)
for pool in pools:
if pool.Va.is_valid():
if not tags or pool.Key in tags:
yield pool
#--------------------------------------------------------------------------------
# BigPools Plugin
#--------------------------------------------------------------------------------
Example #6
| Source File: list_raw.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def _walk_net_spaces(self):
offset = self.addr_space.profile.get_obj_offset("sock_common", "skc_node")
nslist_addr = self.addr_space.profile.get_symbol("net_namespace_list")
nethead = obj.Object("list_head", offset = nslist_addr, vm = self.addr_space)
for net in nethead.list_of_type("net", "list"):
node = net.packet.sklist.first.dereference().v()
sk = obj.Object("sock", offset = node - offset, vm = self.addr_space)
while sk.is_valid():
inode = self._SOCK_INODE(sk.sk_socket)
ino = inode
yield ino
sk = obj.Object("sock", offset = sk.sk_node.next - offset, vm = self.addr_space)
Example #7
| Source File: kernel_opened_files.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def _gather_dcache(self):
d_hash_shift = obj.Object("unsigned int", offset =self.addr_space.profile.get_symbol("d_hash_shift"), vm = self.addr_space)
loop_max = 1 << d_hash_shift
d_htable_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("dentry_hashtable"), vm = self.addr_space)
arr = obj.Object(theType = "Array", targetType = "hlist_bl_head", offset = d_htable_ptr, vm = self.addr_space, count = loop_max)
hash_offset = self.addr_space.profile.get_obj_offset("dentry", "d_hash")
dents = {}
for list_head in arr:
if not list_head.first.is_valid():
continue
node = obj.Object("hlist_bl_node", offset = list_head.first & ~1, vm = self.addr_space)
for node, cnt in self._walk_node(node):
dents[node.v() - hash_offset] = 0
return dents
Example #8
| Source File: bash_hash.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __iter__(self):
if self.is_valid():
seen = {}
bucket_array = obj.Object(theType="Array", targetType="Pointer", offset = self.bucket_array, vm = self.nbuckets.obj_vm, count = 64)
for bucket_ptr in bucket_array:
bucket = bucket_ptr.dereference_as("bucket_contents")
while bucket.times_found > 0 and bucket.data.is_valid() and bucket.key.is_valid():
if bucket.v() in seen:
break
seen[bucket.v()] = 1
pdata = bucket.data
if pdata.path.is_valid() and (0 <= pdata.flags <= 2):
yield bucket
bucket = bucket.next
Example #9
| Source File: check_fops.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def check_proc_fop(self, f_op_members, modules):
proc_mnt_addr = self.addr_space.profile.get_symbol("proc_mnt")
if not proc_mnt_addr:
return
proc_mnt_ptr = obj.Object("Pointer", offset = proc_mnt_addr, vm = self.addr_space)
proc_mnt = proc_mnt_ptr.dereference_as("vfsmount")
root = proc_mnt.mnt_root
for (hooked_member, hook_address) in self.verify_ops(root.d_inode.i_fop, f_op_members, modules):
yield ("proc_mnt: root", hooked_member, hook_address)
# only check the root directory
for dentry in root.d_subdirs.list_of_type("dentry", "d_u"):
name = dentry.d_name.name.dereference_as("String", length = 255)
for (hooked_member, hook_address) in self.verify_ops(dentry.d_inode.i_fop, f_op_members, modules):
yield("proc_mnt: {0}".format(name), hooked_member, hook_address)
Example #10
| Source File: check_fops.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
linux_common.set_plugin_members(self)
modules = linux_lsmod.linux_lsmod(self._config).get_modules()
f_op_members = self.profile.types['file_operations'].keywords["members"].keys()
f_op_members.remove('owner')
if self._config.INODE:
inode = obj.Object("inode", offset=self._config.INODE, vm=self.addr_space)
if not inode.is_valid():
debug.error("Invalid inode address given. Please use linux_find_file to determine valid inode addresses.")
for (hooked_member, hook_address) in self.verify_ops(inode.i_fop, f_op_members, modules):
yield("inode at {0:x}".format(inode.obj_offset), hooked_member, hook_address)
else:
funcs = [self.check_open_files_fop, self.check_proc_fop, self.check_proc_root_fops, self.check_file_cache]
for func in funcs:
for (name, member, address) in func(f_op_members, modules):
yield (name, member, address)
Example #11
| Source File: check_inline_kernel.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def _check_afinfo(self, modules):
op_members = self.profile.types['file_operations'].keywords["members"].keys()
seq_members = self.profile.types['seq_operations'].keywords["members"].keys()
tcp = ("tcp_seq_afinfo", ["tcp6_seq_afinfo", "tcp4_seq_afinfo"])
udp = ("udp_seq_afinfo", ["udplite6_seq_afinfo", "udp6_seq_afinfo", "udplite4_seq_afinfo", "udp4_seq_afinfo"])
protocols = [tcp, udp]
for proto in protocols:
struct_type = proto[0]
for global_var_name in proto[1]:
global_var_addr = self.addr_space.profile.get_symbol(global_var_name)
if not global_var_addr:
continue
global_var = obj.Object(struct_type, offset = global_var_addr, vm = self.addr_space)
for (name, member, hook_type, address) in self.check_afinfo(global_var_name, global_var, op_members, seq_members, modules):
yield (name, member, hook_type, address)
Example #12
| Source File: rawreg.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def read_sklist(sk):
if (sk.Signature.v() == LH_SIG or
sk.Signature.v() == LF_SIG):
for i in sk.List:
yield i
elif sk.Signature.v() == RI_SIG:
for i in range(sk.Count):
# Read and dereference the pointer
ptr_off = sk.List.obj_offset + (i * 4)
if not sk.obj_vm.is_valid_address(ptr_off):
continue
ssk_off = obj.Object("unsigned int", ptr_off, sk.obj_vm)
if not sk.obj_vm.is_valid_address(ssk_off):
continue
ssk = obj.Object("_CM_KEY_INDEX", ssk_off, sk.obj_vm)
for i in read_sklist(ssk):
yield i
# Note: had to change SubKeyLists to be array of 2 pointers in vtypes.py
Example #13
| Source File: check_modules.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def get_kset_modules(self):
module_kset_addr = self.profile.get_symbol("module_kset")
if not module_kset_addr:
debug.error("This command is not supported by this profile.")
ret = {}
module_kset = obj.Object("kset", offset = module_kset_addr, vm = self.addr_space)
for kobj in module_kset.list.list_of_type("kobject", "entry"):
kobj_off = self.profile.get_obj_offset("module_kobject", "kobj")
mod_kobj = obj.Object("module_kobject", offset = kobj.v() - kobj_off, vm = self.addr_space)
mod = mod_kobj.mod
name = kobj.name.dereference_as("String", length = 32)
if name.is_valid() and kobj.kref.refcount.counter > 2:
ret[str(name)] = mod
return ret
Example #14
| Source File: check_syscall_arm.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def _get_syscall_table_size(self):
""" Get size of syscall table from the vector_swi function """
vector_swi_addr = self.addr_space.profile.get_symbol("vector_swi")
max_opcodes_to_check = 1024
while (max_opcodes_to_check):
opcode = obj.Object("unsigned int", offset = vector_swi_addr, vm = self.addr_space)
if ((opcode & 0xffff0000) == 0xe3570000):
shift = 0x10 - ((opcode & 0xff00) >> 8)
size = (opcode & 0xff) << (2 * shift)
return size
break
vector_swi_addr += 4
max_opcodes_to_check -= 1
debug.error("Syscall table size could not be determined.")
Example #15
| Source File: find_file.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def get_page_contents(self, inode, idx):
page_addr = self.find_get_page(inode, idx)
if page_addr:
page = obj.Object("page", offset = page_addr, vm = self.addr_space)
phys_offset = page.to_paddr()
if phys_offset > 0:
phys_as = utils.load_as(self._config, astype = 'physical')
data = phys_as.zread(phys_offset, 4096)
else:
data = "\x00" * 4096
else:
data = "\x00" * 4096
return data
# main function to be called, handles getting all the pages of an inode
# and handles the last page not being page_size aligned
Example #16
| Source File: arp.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def walk_neighbor(self, neighbor):
ret = []
for n in linux_common.walk_internal_list("neighbour", "next", neighbor):
# get the family from each neighbour in order to work with ipv4 and 6
family = n.tbl.family
if family == socket.AF_INET:
ip = obj.Object("IpAddress", offset = n.primary_key.obj_offset, vm = self.addr_space).v()
elif family == socket.AF_INET6:
ip = obj.Object("Ipv6Address", offset = n.primary_key.obj_offset, vm = self.addr_space).v()
else:
ip = '?'
if n.dev.is_valid():
mac = ":".join(["{0:02x}".format(x) for x in n.ha][:n.dev.addr_len])
devname = n.dev.name
ret.append(a_ent(ip, mac, devname))
return ret
Example #17
| Source File: arp.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
linux_common.set_plugin_members(self)
neigh_tables_addr = self.addr_space.profile.get_symbol("neigh_tables")
hasnext = True
try:
self.addr_space.profile.get_obj_offset("neigh_table", "next")
except KeyError:
hasnext = False
if hasnext == True:
ntables_ptr = obj.Object("Pointer", offset = neigh_tables_addr, vm = self.addr_space)
tables = linux_common.walk_internal_list("neigh_table", "next", ntables_ptr)
else:
tables_arr = obj.Object(theType="Array", targetType="Pointer", offset = neigh_tables_addr, vm = self.addr_space, count = 4)
tables = [t.dereference_as("neigh_table") for t in tables_arr]
for ntable in tables:
for aent in self.handle_table(ntable):
yield aent
Example #18
| Source File: cpuinfo.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def online_cpus(self):
""" returns a list of online cpus (the processor numbers) """
cpu_online_bits_addr = self.addr_space.profile.get_symbol("cpu_online_bits")
cpu_present_map_addr = self.addr_space.profile.get_symbol("cpu_present_map")
cpu_present_mask_addr = self.addr_space.profile.get_symbol("__cpu_present_mask")
#later kernels..
if cpu_online_bits_addr:
bmap = obj.Object("unsigned long", offset = cpu_online_bits_addr, vm = self.addr_space)
elif cpu_present_map_addr:
bmap = obj.Object("unsigned long", offset = cpu_present_map_addr, vm = self.addr_space)
elif cpu_present_mask_addr:
bmap = obj.Object("unsigned long", offset = cpu_present_mask_addr, vm = self.addr_space)
else:
raise AttributeError, "Unable to determine number of online CPUs for memory capture"
cpus = []
for i in range(32):
if bmap & (1 << i):
cpus.append(i)
return cpus
Example #19
| Source File: check_inline_kernel.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def _check_inetsw(self, modules):
try:
self.addr_space.profile.get_obj_offset("inet_protosw", "list")
except KeyError:
debug.warning("You are using an old Linux profile. Please recreate the profile using the latest Volatility version.")
return
proto_members = self.profile.types['proto_ops'].keywords["members"].keys()
proto_members.remove('owner')
proto_members.remove('family')
inetsw_addr = self.addr_space.profile.get_symbol("inetsw")
inetsw = obj.Object(theType = "Array", targetType = "list_head", offset = inetsw_addr, vm = self.addr_space, count = 11)
for inet_list in inetsw:
for inet in inet_list.list_of_type("inet_protosw", "list"):
name = self.addr_space.read(inet.prot.name.obj_offset, 32)
idx = name.index("\x00")
if idx != -1:
name = name[:idx]
for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(inet.ops, proto_members, modules):
yield (name, hooked_member, hook_type, hook_address)
Example #20
| Source File: pidhashtable.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def _walk_upid(self, upid):
while upid:
pid = self.get_obj(upid.obj_offset, "pid", "numbers")
for task in self._task_for_pid(upid, pid):
yield task
if type(upid.pid_chain) == obj.Pointer:
pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
else:
pid_chain = upid.pid_chain
if not pid_chain:
break
upid = self.get_obj(pid_chain.next, "upid", "pid_chain")
Example #21
| Source File: psscan.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
linux_common.set_plugin_members(self)
phys_addr_space = utils.load_as(self._config, astype = 'physical')
if phys_addr_space.profile.metadata.get('memory_model', '32bit') == "32bit":
fmt = "<I"
else:
fmt = "<Q"
needles = []
for sym in phys_addr_space.profile.get_all_symbol_names("kernel"):
if sym.find("_sched_class") != -1:
addr = phys_addr_space.profile.get_symbol(sym)
needles.append(struct.pack(fmt, addr))
if len(needles) == 0:
debug.error("Unable to scan for processes. Please file a bug report.")
back_offset = phys_addr_space.profile.get_obj_offset("task_struct", "sched_class")
scanner = poolscan.MultiPoolScanner(needles)
for _, offset in scanner.scan(phys_addr_space):
ptask = obj.Object("task_struct", offset = offset - back_offset, vm = phys_addr_space)
if not ptask.exit_state.v() in [0, 16, 32, 16|32]:
continue
if not (0 < ptask.pid < 66000):
continue
yield ptask
Example #22
| Source File: find_file.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
linux_common.set_plugin_members(self)
find_file = self._config.FIND
inode_addr = self._config.inode
outfile = self._config.outfile
listfiles = self._config.LISTFILES
if listfiles:
for (_, _, file_path, file_dentry) in self.walk_sbs():
yield (file_path, file_dentry.d_inode)
elif find_file and len(find_file):
for (_, _, file_path, file_dentry) in self.walk_sbs():
if file_path == find_file:
yield (file_path, file_dentry.d_inode)
break
elif inode_addr and inode_addr > 0 and outfile and len(outfile) > 0:
inode = obj.Object("inode", offset = inode_addr, vm = self.addr_space)
try:
f = open(outfile, "wb")
except IOError, e:
debug.error("Unable to open output file (%s): %s" % (outfile, str(e)))
for page in self.get_file_contents(inode):
f.write(page)
f.close()
Example #23
| Source File: hive.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, base, config, hive_addr, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config)
self.base = base
self.hive = obj.Object("_HHIVE", hive_addr, base)
self.baseblock = self.hive.BaseBlock.v()
self.flat = self.hive.Flat.v() > 0
Example #24
| Source File: pslist.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def allprocs(self):
linux_common.set_plugin_members(self)
init_task_addr = self.addr_space.profile.get_symbol("init_task")
init_task = obj.Object("task_struct", vm = self.addr_space, offset = init_task_addr)
# walk the ->tasks list, note that this will *not* display "swapper"
for task in init_task.tasks:
yield task
Example #25
| Source File: pslist.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def virtual_process_from_physical_offset(addr_space, offset):
pspace = utils.load_as(addr_space.get_config(), astype = 'physical')
task = obj.Object("task_struct", vm = pspace, offset = offset)
parent = obj.Object("task_struct", vm = addr_space, offset = task.parent)
for child in parent.children.list_of_type("task_struct", "sibling"):
if child.obj_vm.vtop(child.obj_offset) == task.obj_offset:
return child
return obj.NoneObject("Unable to bounce back from task_struct->parent->task_struct")
Example #26
| Source File: bash.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
linux_common.set_plugin_members(self)
tasks = linux_pslist.linux_pslist(self._config).calculate()
for task in tasks:
proc_as = task.get_process_address_space()
# In cases when mm is an invalid pointer
if not proc_as:
continue
if not self._config.HISTORY_LIST:
# Do we scan everything or just /bin/bash instances?
if not (self._config.SCAN_ALL or str(task.comm) == "bash"):
continue
for hist in task.bash_history_entries():
yield task, hist
else:
the_history_addr = the_history_addr = self._config.HISTORY_LIST
the_history = obj.Object("Pointer", vm = proc_as, offset = the_history_addr)
max_ents = 2001
the_history = obj.Object(theType = 'Array', offset = the_history,
vm = proc_as, targetType = 'Pointer',
count = max_ents)
for ptr in the_history:
if not ptr:
if self._config.PRINTUNALLOC:
continue
else:
break
hist = ptr.dereference_as("_hist_entry")
if hist.is_valid():
yield task, hist
Example #27
| Source File: bash.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def time_object(self):
nsecs = self.time_as_integer
# Build a timestamp object from the integer
time_val = struct.pack("<I", nsecs)
time_buf = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = time_val)
time_obj = obj.Object("UnixTimeStamp", offset = 0, vm = time_buf, is_utc = True)
return time_obj
Example #28
| Source File: poolscan.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def object_offset(self, found, address_space):
"""
The name of this function "object_offset" can be misleading depending
on how its used. Even before removing the preambles (r1324), it may not
always return the offset of an object. Here are the rules:
If you subclass PoolScanner and do not override this function, it
will return the offset of _POOL_HEADER. If you do override this function,
it should be used to calculate and return the offset of your desired
object within the pool. Thus there are two different ways it can be done.
Example 1.
For an example of subclassing PoolScanner and not overriding this function,
see filescan.PoolScanFile. In this case, the plugin (filescan.FileScan)
treats the offset returned by this function as the start of _POOL_HEADER
and then works out the object from the bottom up:
for offset in PoolScanFile().scan(address_space):
pool_obj = obj.Object("_POOL_HEADER", vm = address_space,
offset = offset)
##
## Work out objects base here
##
Example 2.
For an example of subclassing PoolScanner and overriding this function,
see filescan.PoolScanProcess. In this case, the "work" described above is
done here (in the sublcassed object_offset). Thus in the plugin (filescan.PSScan)
it can directly instantiate _EPROCESS from the offset we return.
for offset in PoolScanProcess().scan(address_space):
eprocess = obj.Object('_EPROCESS', vm = address_space,
native_vm = kernel_as, offset = offset)
"""
## Subtract the offset of the PoolTag member to get the start
## of _POOL_HEADER. This is done because PoolScanners search
## for the PoolTag.
return found - self.buffer.profile.get_obj_offset('_POOL_HEADER', 'PoolTag')
Example #29
| Source File: iomem.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
linux_common.set_plugin_members(self)
io_ptr = self.addr_space.profile.get_symbol("iomem_resource")
io_res = obj.Object("resource", offset = io_ptr, vm = self.addr_space)
for r in self.yield_resource(io_res.child):
yield r
Example #30
| Source File: check_inline_kernel.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def check_proc_root_fops(self, f_op_members, modules):
self.seen_proc = {}
proc_root_addr = self.addr_space.profile.get_symbol("proc_root")
proc_root = obj.Object("proc_dir_entry", offset = proc_root_addr, vm = self.addr_space)
for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(proc_root.proc_fops, f_op_members, modules):
yield("proc_root", hooked_member, hook_type, hook_address)
for (name, hooked_member, hook_type, hook_address) in self.walk_proc(proc_root, f_op_members, modules):
yield (name, hooked_member, hook_type, hook_address)
#### end make api with check_fops
