Python volatility.obj.Object() Examples
The following are 30
code examples of volatility.obj.Object().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.obj
, or try the search function
.
Example #1
Source File: elf.py From aumfor with GNU General Public License v3.0 | 6 votes |
def program_headers(self): rtname = self._get_typename("phdr") rtsize = self.obj_vm.profile.get_obj_size(rtname) tname = "elf_phdr" # the buffer of headers arr_start = self.obj_offset + self.e_phoff if self.e_phnum > 128: phnum = self.e_phnum else: phnum = 128 for i in range(phnum): # use the real size idx = i * rtsize phdr = obj.Object("elf_phdr", offset = arr_start + idx, vm = self.obj_vm, parent = self) if phdr.is_valid(): yield phdr
Example #2
Source File: notepad.py From aumfor with GNU General Public License v3.0 | 6 votes |
def heap_entries(self): """Enumerate the heaps in this segment. ##FIXME: * Raise ValueError if corruptions are detected. * Should we start at FirstEntry or Entry? """ next = self.Entry #FirstEntry.dereference() last = self.LastValidEntry.dereference() chunk_size = self.obj_vm.profile.get_obj_size("_HEAP_ENTRY") while (next and next.obj_offset < last.obj_offset): yield next next = obj.Object("_HEAP_ENTRY", offset = next.obj_offset + next.Size * chunk_size, vm = next.obj_vm)
Example #3
Source File: kpcrscan.py From aumfor with GNU General Public License v3.0 | 6 votes |
def check(self, offset): """ We check that _KCPR.pSelfPCR points to the start of the _KCPR struct """ paKCPR = offset paPRCBDATA = offset + self.PrcbData_offset try: pSelfPCR = obj.Object('Pointer', offset = (offset + self.SelfPcr_offset), vm = self.address_space) pPrcb = obj.Object('Pointer', offset = (offset + self.Prcb_offset), vm = self.address_space) if self.address_equality(pSelfPCR, paKCPR) and self.address_equality(pPrcb, paPRCBDATA): self.KPCR = pSelfPCR return True except BaseException: return False return False # make the scan DWORD aligned
Example #4
Source File: kpcrscan.py From aumfor with GNU General Public License v3.0 | 6 votes |
def __init__(self, address_space): scan.ScannerCheck.__init__(self, address_space) kpcr = obj.Object("_KPCR", vm = self.address_space, offset = 0) if address_space.profile.metadata.get('memory_model', '') == '32bit': self.SelfPcr_offset = kpcr.SelfPcr.obj_offset self.Prcb_offset = kpcr.Prcb.obj_offset self.PrcbData_offset = kpcr.PrcbData.obj_offset # In the check() routine, we need to compare masked virtual # addresses, but self.address_space is a BufferAddressSpace. self.address_equality = amd64.AMD64PagedMemory.address_equality else: # The self-referencing member of _KPCR is Self on x64 self.SelfPcr_offset = kpcr.Self.obj_offset # The pointer to _KPRCB is CurrentPrcb on x64 self.Prcb_offset = kpcr.CurrentPrcb.obj_offset # The nested _KPRCB in Prcb on x64 self.PrcbData_offset = kpcr.Prcb.obj_offset self.address_equality = intel.IA32PagedMemory.address_equality self.KPCR = None
Example #5
Source File: bigpagepools.py From aumfor with GNU General Public License v3.0 | 6 votes |
def scan(self, tags = []): """ Scan for the pools by tag. @param tags: a list of pool tags to scan for, or empty for scanning for all tags. """ (table_base, table_size) = \ obj.VolMagic(self.kernel_space).BigPageTable.v() pools = obj.Object('Array', targetType = '_POOL_TRACKER_BIG_PAGES', offset = table_base, count = table_size, vm = self.kernel_space ) for pool in pools: if pool.Va.is_valid(): if not tags or pool.Key in tags: yield pool #-------------------------------------------------------------------------------- # BigPools Plugin #--------------------------------------------------------------------------------
Example #6
Source File: list_raw.py From aumfor with GNU General Public License v3.0 | 6 votes |
def _walk_net_spaces(self): offset = self.addr_space.profile.get_obj_offset("sock_common", "skc_node") nslist_addr = self.addr_space.profile.get_symbol("net_namespace_list") nethead = obj.Object("list_head", offset = nslist_addr, vm = self.addr_space) for net in nethead.list_of_type("net", "list"): node = net.packet.sklist.first.dereference().v() sk = obj.Object("sock", offset = node - offset, vm = self.addr_space) while sk.is_valid(): inode = self._SOCK_INODE(sk.sk_socket) ino = inode yield ino sk = obj.Object("sock", offset = sk.sk_node.next - offset, vm = self.addr_space)
Example #7
Source File: kernel_opened_files.py From aumfor with GNU General Public License v3.0 | 6 votes |
def _gather_dcache(self): d_hash_shift = obj.Object("unsigned int", offset =self.addr_space.profile.get_symbol("d_hash_shift"), vm = self.addr_space) loop_max = 1 << d_hash_shift d_htable_ptr = obj.Object("Pointer", offset = self.addr_space.profile.get_symbol("dentry_hashtable"), vm = self.addr_space) arr = obj.Object(theType = "Array", targetType = "hlist_bl_head", offset = d_htable_ptr, vm = self.addr_space, count = loop_max) hash_offset = self.addr_space.profile.get_obj_offset("dentry", "d_hash") dents = {} for list_head in arr: if not list_head.first.is_valid(): continue node = obj.Object("hlist_bl_node", offset = list_head.first & ~1, vm = self.addr_space) for node, cnt in self._walk_node(node): dents[node.v() - hash_offset] = 0 return dents
Example #8
Source File: bash_hash.py From aumfor with GNU General Public License v3.0 | 6 votes |
def __iter__(self): if self.is_valid(): seen = {} bucket_array = obj.Object(theType="Array", targetType="Pointer", offset = self.bucket_array, vm = self.nbuckets.obj_vm, count = 64) for bucket_ptr in bucket_array: bucket = bucket_ptr.dereference_as("bucket_contents") while bucket.times_found > 0 and bucket.data.is_valid() and bucket.key.is_valid(): if bucket.v() in seen: break seen[bucket.v()] = 1 pdata = bucket.data if pdata.path.is_valid() and (0 <= pdata.flags <= 2): yield bucket bucket = bucket.next
Example #9
Source File: check_fops.py From aumfor with GNU General Public License v3.0 | 6 votes |
def check_proc_fop(self, f_op_members, modules): proc_mnt_addr = self.addr_space.profile.get_symbol("proc_mnt") if not proc_mnt_addr: return proc_mnt_ptr = obj.Object("Pointer", offset = proc_mnt_addr, vm = self.addr_space) proc_mnt = proc_mnt_ptr.dereference_as("vfsmount") root = proc_mnt.mnt_root for (hooked_member, hook_address) in self.verify_ops(root.d_inode.i_fop, f_op_members, modules): yield ("proc_mnt: root", hooked_member, hook_address) # only check the root directory for dentry in root.d_subdirs.list_of_type("dentry", "d_u"): name = dentry.d_name.name.dereference_as("String", length = 255) for (hooked_member, hook_address) in self.verify_ops(dentry.d_inode.i_fop, f_op_members, modules): yield("proc_mnt: {0}".format(name), hooked_member, hook_address)
Example #10
Source File: check_fops.py From aumfor with GNU General Public License v3.0 | 6 votes |
def calculate(self): linux_common.set_plugin_members(self) modules = linux_lsmod.linux_lsmod(self._config).get_modules() f_op_members = self.profile.types['file_operations'].keywords["members"].keys() f_op_members.remove('owner') if self._config.INODE: inode = obj.Object("inode", offset=self._config.INODE, vm=self.addr_space) if not inode.is_valid(): debug.error("Invalid inode address given. Please use linux_find_file to determine valid inode addresses.") for (hooked_member, hook_address) in self.verify_ops(inode.i_fop, f_op_members, modules): yield("inode at {0:x}".format(inode.obj_offset), hooked_member, hook_address) else: funcs = [self.check_open_files_fop, self.check_proc_fop, self.check_proc_root_fops, self.check_file_cache] for func in funcs: for (name, member, address) in func(f_op_members, modules): yield (name, member, address)
Example #11
Source File: check_inline_kernel.py From aumfor with GNU General Public License v3.0 | 6 votes |
def _check_afinfo(self, modules): op_members = self.profile.types['file_operations'].keywords["members"].keys() seq_members = self.profile.types['seq_operations'].keywords["members"].keys() tcp = ("tcp_seq_afinfo", ["tcp6_seq_afinfo", "tcp4_seq_afinfo"]) udp = ("udp_seq_afinfo", ["udplite6_seq_afinfo", "udp6_seq_afinfo", "udplite4_seq_afinfo", "udp4_seq_afinfo"]) protocols = [tcp, udp] for proto in protocols: struct_type = proto[0] for global_var_name in proto[1]: global_var_addr = self.addr_space.profile.get_symbol(global_var_name) if not global_var_addr: continue global_var = obj.Object(struct_type, offset = global_var_addr, vm = self.addr_space) for (name, member, hook_type, address) in self.check_afinfo(global_var_name, global_var, op_members, seq_members, modules): yield (name, member, hook_type, address)
Example #12
Source File: rawreg.py From aumfor with GNU General Public License v3.0 | 6 votes |
def read_sklist(sk): if (sk.Signature.v() == LH_SIG or sk.Signature.v() == LF_SIG): for i in sk.List: yield i elif sk.Signature.v() == RI_SIG: for i in range(sk.Count): # Read and dereference the pointer ptr_off = sk.List.obj_offset + (i * 4) if not sk.obj_vm.is_valid_address(ptr_off): continue ssk_off = obj.Object("unsigned int", ptr_off, sk.obj_vm) if not sk.obj_vm.is_valid_address(ssk_off): continue ssk = obj.Object("_CM_KEY_INDEX", ssk_off, sk.obj_vm) for i in read_sklist(ssk): yield i # Note: had to change SubKeyLists to be array of 2 pointers in vtypes.py
Example #13
Source File: check_modules.py From aumfor with GNU General Public License v3.0 | 6 votes |
def get_kset_modules(self): module_kset_addr = self.profile.get_symbol("module_kset") if not module_kset_addr: debug.error("This command is not supported by this profile.") ret = {} module_kset = obj.Object("kset", offset = module_kset_addr, vm = self.addr_space) for kobj in module_kset.list.list_of_type("kobject", "entry"): kobj_off = self.profile.get_obj_offset("module_kobject", "kobj") mod_kobj = obj.Object("module_kobject", offset = kobj.v() - kobj_off, vm = self.addr_space) mod = mod_kobj.mod name = kobj.name.dereference_as("String", length = 32) if name.is_valid() and kobj.kref.refcount.counter > 2: ret[str(name)] = mod return ret
Example #14
Source File: check_syscall_arm.py From aumfor with GNU General Public License v3.0 | 6 votes |
def _get_syscall_table_size(self): """ Get size of syscall table from the vector_swi function """ vector_swi_addr = self.addr_space.profile.get_symbol("vector_swi") max_opcodes_to_check = 1024 while (max_opcodes_to_check): opcode = obj.Object("unsigned int", offset = vector_swi_addr, vm = self.addr_space) if ((opcode & 0xffff0000) == 0xe3570000): shift = 0x10 - ((opcode & 0xff00) >> 8) size = (opcode & 0xff) << (2 * shift) return size break vector_swi_addr += 4 max_opcodes_to_check -= 1 debug.error("Syscall table size could not be determined.")
Example #15
Source File: find_file.py From aumfor with GNU General Public License v3.0 | 6 votes |
def get_page_contents(self, inode, idx): page_addr = self.find_get_page(inode, idx) if page_addr: page = obj.Object("page", offset = page_addr, vm = self.addr_space) phys_offset = page.to_paddr() if phys_offset > 0: phys_as = utils.load_as(self._config, astype = 'physical') data = phys_as.zread(phys_offset, 4096) else: data = "\x00" * 4096 else: data = "\x00" * 4096 return data # main function to be called, handles getting all the pages of an inode # and handles the last page not being page_size aligned
Example #16
Source File: arp.py From aumfor with GNU General Public License v3.0 | 6 votes |
def walk_neighbor(self, neighbor): ret = [] for n in linux_common.walk_internal_list("neighbour", "next", neighbor): # get the family from each neighbour in order to work with ipv4 and 6 family = n.tbl.family if family == socket.AF_INET: ip = obj.Object("IpAddress", offset = n.primary_key.obj_offset, vm = self.addr_space).v() elif family == socket.AF_INET6: ip = obj.Object("Ipv6Address", offset = n.primary_key.obj_offset, vm = self.addr_space).v() else: ip = '?' if n.dev.is_valid(): mac = ":".join(["{0:02x}".format(x) for x in n.ha][:n.dev.addr_len]) devname = n.dev.name ret.append(a_ent(ip, mac, devname)) return ret
Example #17
Source File: arp.py From aumfor with GNU General Public License v3.0 | 6 votes |
def calculate(self): linux_common.set_plugin_members(self) neigh_tables_addr = self.addr_space.profile.get_symbol("neigh_tables") hasnext = True try: self.addr_space.profile.get_obj_offset("neigh_table", "next") except KeyError: hasnext = False if hasnext == True: ntables_ptr = obj.Object("Pointer", offset = neigh_tables_addr, vm = self.addr_space) tables = linux_common.walk_internal_list("neigh_table", "next", ntables_ptr) else: tables_arr = obj.Object(theType="Array", targetType="Pointer", offset = neigh_tables_addr, vm = self.addr_space, count = 4) tables = [t.dereference_as("neigh_table") for t in tables_arr] for ntable in tables: for aent in self.handle_table(ntable): yield aent
Example #18
Source File: cpuinfo.py From aumfor with GNU General Public License v3.0 | 6 votes |
def online_cpus(self): """ returns a list of online cpus (the processor numbers) """ cpu_online_bits_addr = self.addr_space.profile.get_symbol("cpu_online_bits") cpu_present_map_addr = self.addr_space.profile.get_symbol("cpu_present_map") cpu_present_mask_addr = self.addr_space.profile.get_symbol("__cpu_present_mask") #later kernels.. if cpu_online_bits_addr: bmap = obj.Object("unsigned long", offset = cpu_online_bits_addr, vm = self.addr_space) elif cpu_present_map_addr: bmap = obj.Object("unsigned long", offset = cpu_present_map_addr, vm = self.addr_space) elif cpu_present_mask_addr: bmap = obj.Object("unsigned long", offset = cpu_present_mask_addr, vm = self.addr_space) else: raise AttributeError, "Unable to determine number of online CPUs for memory capture" cpus = [] for i in range(32): if bmap & (1 << i): cpus.append(i) return cpus
Example #19
Source File: check_inline_kernel.py From aumfor with GNU General Public License v3.0 | 6 votes |
def _check_inetsw(self, modules): try: self.addr_space.profile.get_obj_offset("inet_protosw", "list") except KeyError: debug.warning("You are using an old Linux profile. Please recreate the profile using the latest Volatility version.") return proto_members = self.profile.types['proto_ops'].keywords["members"].keys() proto_members.remove('owner') proto_members.remove('family') inetsw_addr = self.addr_space.profile.get_symbol("inetsw") inetsw = obj.Object(theType = "Array", targetType = "list_head", offset = inetsw_addr, vm = self.addr_space, count = 11) for inet_list in inetsw: for inet in inet_list.list_of_type("inet_protosw", "list"): name = self.addr_space.read(inet.prot.name.obj_offset, 32) idx = name.index("\x00") if idx != -1: name = name[:idx] for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(inet.ops, proto_members, modules): yield (name, hooked_member, hook_type, hook_address)
Example #20
Source File: pidhashtable.py From aumfor with GNU General Public License v3.0 | 6 votes |
def _walk_upid(self, upid): while upid: pid = self.get_obj(upid.obj_offset, "pid", "numbers") for task in self._task_for_pid(upid, pid): yield task if type(upid.pid_chain) == obj.Pointer: pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space) else: pid_chain = upid.pid_chain if not pid_chain: break upid = self.get_obj(pid_chain.next, "upid", "pid_chain")
Example #21
Source File: psscan.py From aumfor with GNU General Public License v3.0 | 5 votes |
def calculate(self): linux_common.set_plugin_members(self) phys_addr_space = utils.load_as(self._config, astype = 'physical') if phys_addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": fmt = "<I" else: fmt = "<Q" needles = [] for sym in phys_addr_space.profile.get_all_symbol_names("kernel"): if sym.find("_sched_class") != -1: addr = phys_addr_space.profile.get_symbol(sym) needles.append(struct.pack(fmt, addr)) if len(needles) == 0: debug.error("Unable to scan for processes. Please file a bug report.") back_offset = phys_addr_space.profile.get_obj_offset("task_struct", "sched_class") scanner = poolscan.MultiPoolScanner(needles) for _, offset in scanner.scan(phys_addr_space): ptask = obj.Object("task_struct", offset = offset - back_offset, vm = phys_addr_space) if not ptask.exit_state.v() in [0, 16, 32, 16|32]: continue if not (0 < ptask.pid < 66000): continue yield ptask
Example #22
Source File: find_file.py From aumfor with GNU General Public License v3.0 | 5 votes |
def calculate(self): linux_common.set_plugin_members(self) find_file = self._config.FIND inode_addr = self._config.inode outfile = self._config.outfile listfiles = self._config.LISTFILES if listfiles: for (_, _, file_path, file_dentry) in self.walk_sbs(): yield (file_path, file_dentry.d_inode) elif find_file and len(find_file): for (_, _, file_path, file_dentry) in self.walk_sbs(): if file_path == find_file: yield (file_path, file_dentry.d_inode) break elif inode_addr and inode_addr > 0 and outfile and len(outfile) > 0: inode = obj.Object("inode", offset = inode_addr, vm = self.addr_space) try: f = open(outfile, "wb") except IOError, e: debug.error("Unable to open output file (%s): %s" % (outfile, str(e))) for page in self.get_file_contents(inode): f.write(page) f.close()
Example #23
Source File: hive.py From aumfor with GNU General Public License v3.0 | 5 votes |
def __init__(self, base, config, hive_addr, **kwargs): addrspace.BaseAddressSpace.__init__(self, base, config) self.base = base self.hive = obj.Object("_HHIVE", hive_addr, base) self.baseblock = self.hive.BaseBlock.v() self.flat = self.hive.Flat.v() > 0
Example #24
Source File: pslist.py From aumfor with GNU General Public License v3.0 | 5 votes |
def allprocs(self): linux_common.set_plugin_members(self) init_task_addr = self.addr_space.profile.get_symbol("init_task") init_task = obj.Object("task_struct", vm = self.addr_space, offset = init_task_addr) # walk the ->tasks list, note that this will *not* display "swapper" for task in init_task.tasks: yield task
Example #25
Source File: pslist.py From aumfor with GNU General Public License v3.0 | 5 votes |
def virtual_process_from_physical_offset(addr_space, offset): pspace = utils.load_as(addr_space.get_config(), astype = 'physical') task = obj.Object("task_struct", vm = pspace, offset = offset) parent = obj.Object("task_struct", vm = addr_space, offset = task.parent) for child in parent.children.list_of_type("task_struct", "sibling"): if child.obj_vm.vtop(child.obj_offset) == task.obj_offset: return child return obj.NoneObject("Unable to bounce back from task_struct->parent->task_struct")
Example #26
Source File: bash.py From aumfor with GNU General Public License v3.0 | 5 votes |
def calculate(self): linux_common.set_plugin_members(self) tasks = linux_pslist.linux_pslist(self._config).calculate() for task in tasks: proc_as = task.get_process_address_space() # In cases when mm is an invalid pointer if not proc_as: continue if not self._config.HISTORY_LIST: # Do we scan everything or just /bin/bash instances? if not (self._config.SCAN_ALL or str(task.comm) == "bash"): continue for hist in task.bash_history_entries(): yield task, hist else: the_history_addr = the_history_addr = self._config.HISTORY_LIST the_history = obj.Object("Pointer", vm = proc_as, offset = the_history_addr) max_ents = 2001 the_history = obj.Object(theType = 'Array', offset = the_history, vm = proc_as, targetType = 'Pointer', count = max_ents) for ptr in the_history: if not ptr: if self._config.PRINTUNALLOC: continue else: break hist = ptr.dereference_as("_hist_entry") if hist.is_valid(): yield task, hist
Example #27
Source File: bash.py From aumfor with GNU General Public License v3.0 | 5 votes |
def time_object(self): nsecs = self.time_as_integer # Build a timestamp object from the integer time_val = struct.pack("<I", nsecs) time_buf = addrspace.BufferAddressSpace(self.obj_vm.get_config(), data = time_val) time_obj = obj.Object("UnixTimeStamp", offset = 0, vm = time_buf, is_utc = True) return time_obj
Example #28
Source File: poolscan.py From aumfor with GNU General Public License v3.0 | 5 votes |
def object_offset(self, found, address_space): """ The name of this function "object_offset" can be misleading depending on how its used. Even before removing the preambles (r1324), it may not always return the offset of an object. Here are the rules: If you subclass PoolScanner and do not override this function, it will return the offset of _POOL_HEADER. If you do override this function, it should be used to calculate and return the offset of your desired object within the pool. Thus there are two different ways it can be done. Example 1. For an example of subclassing PoolScanner and not overriding this function, see filescan.PoolScanFile. In this case, the plugin (filescan.FileScan) treats the offset returned by this function as the start of _POOL_HEADER and then works out the object from the bottom up: for offset in PoolScanFile().scan(address_space): pool_obj = obj.Object("_POOL_HEADER", vm = address_space, offset = offset) ## ## Work out objects base here ## Example 2. For an example of subclassing PoolScanner and overriding this function, see filescan.PoolScanProcess. In this case, the "work" described above is done here (in the sublcassed object_offset). Thus in the plugin (filescan.PSScan) it can directly instantiate _EPROCESS from the offset we return. for offset in PoolScanProcess().scan(address_space): eprocess = obj.Object('_EPROCESS', vm = address_space, native_vm = kernel_as, offset = offset) """ ## Subtract the offset of the PoolTag member to get the start ## of _POOL_HEADER. This is done because PoolScanners search ## for the PoolTag. return found - self.buffer.profile.get_obj_offset('_POOL_HEADER', 'PoolTag')
Example #29
Source File: iomem.py From aumfor with GNU General Public License v3.0 | 5 votes |
def calculate(self): linux_common.set_plugin_members(self) io_ptr = self.addr_space.profile.get_symbol("iomem_resource") io_res = obj.Object("resource", offset = io_ptr, vm = self.addr_space) for r in self.yield_resource(io_res.child): yield r
Example #30
Source File: check_inline_kernel.py From aumfor with GNU General Public License v3.0 | 5 votes |
def check_proc_root_fops(self, f_op_members, modules): self.seen_proc = {} proc_root_addr = self.addr_space.profile.get_symbol("proc_root") proc_root = obj.Object("proc_dir_entry", offset = proc_root_addr, vm = self.addr_space) for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(proc_root.proc_fops, f_op_members, modules): yield("proc_root", hooked_member, hook_type, hook_address) for (name, hooked_member, hook_type, hook_address) in self.walk_proc(proc_root, f_op_members, modules): yield (name, hooked_member, hook_type, hook_address) #### end make api with check_fops