Python volatility.obj.NoneObject() Examples
The following are 30
code examples of volatility.obj.NoneObject().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.obj
, or try the search function
.
.
Example #1
| Source File: linux.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def get_process_address_space(self):
## If we've got a NoneObject, return it maintain the reason
if not self.mm:
return self.mm
if self.mm.pgd.v() == None:
return self.mm.pgd.v()
directory_table_base = self.obj_vm.vtop(self.mm.pgd.v())
try:
process_as = self.obj_vm.__class__(
self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base)
except AssertionError, _e:
return obj.NoneObject("Unable to get process AS")
Example #2
| Source File: win32k_core.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def reference_object(self):
"""Reference the object this handle represents.
If the object's type is not in our map, we don't know
what type of object to instantiate so its filled with
obj.NoneObject() instead.
"""
object_map = dict(TYPE_WINDOW = "tagWND",
TYPE_HOOK = "tagHOOK",
TYPE_CLIPDATA = "tagCLIPDATA",
TYPE_WINEVENTHOOK = "tagEVENTHOOK",
TYPE_TIMER = "tagTIMER",
)
object_type = object_map.get(str(self.bType), None)
if not object_type:
return obj.NoneObject("Cannot reference object type")
return obj.Object(object_type,
offset = self.phead, vm = self.obj_vm)
Example #3
| Source File: windows.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def get_object_bottom_up(self, struct_name, object_type, skip_type_check):
"""Get the windows object contained within this pool
by using the bottom-up approach to finding the object
"""
if not object_type:
return obj.Object(struct_name, vm = self.obj_vm,
offset = self.obj_offset +
self.obj_vm.profile.get_obj_size("_POOL_HEADER"),
native_vm = self.obj_native_vm)
pool_alignment = obj.VolMagic(self.obj_vm).PoolAlignment.v()
the_object = obj.Object(struct_name, vm = self.obj_vm,
offset = (self.obj_offset + self.BlockSize * pool_alignment -
common.pool_align(self.obj_vm, struct_name, pool_alignment)),
native_vm = self.obj_native_vm)
header = the_object.get_object_header()
if (skip_type_check or
header.get_object_type() == object_type):
return the_object
else:
return obj.NoneObject("Cannot find the object")
Example #4
| Source File: apihooks.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def find_module(self, address):
"""Find a module by an address it contains.
@param address: location in process or kernel AS to
find an owning module.
When performing thousands of lookups, this method
is actually quicker than tasks.find_module.
"""
for base, end, mod in self.mod_fast:
if address >= base and address <= end:
return mod
return obj.NoneObject("")
#--------------------------------------------------------------------------------
# Hook Class
#--------------------------------------------------------------------------------
Example #5
| Source File: win32k_core.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def find_shared_info(self):
"""Find this session's tagSHAREDINFO structure.
This structure is embedded in win32k's .data section,
(i.e. not in dynamically allocated memory). Thus we
iterate over each DWORD-aligned possibility and treat
it as a tagSHAREDINFO until the sanity checks are met.
"""
for chunk in self._section_chunks(".data"):
# If the base of the value is paged
if not chunk.is_valid():
continue
# Treat it as a shared info struct
shared_info = obj.Object("tagSHAREDINFO",
offset = chunk.obj_offset, vm = self.obj_vm)
# Sanity check it
try:
if shared_info.is_valid():
return shared_info
except obj.InvalidOffsetError:
pass
return obj.NoneObject("Cannot find win32k!gSharedInfo")
Example #6
| Source File: windows.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def Peb(self):
""" Returns a _PEB object which is using the process address space.
The PEB structure is referencing back into the process address
space so we need to switch address spaces when we look at
it. This method ensure this happens automatically.
"""
process_ad = self.get_process_address_space()
if process_ad:
offset = self.m("Peb").v()
peb = obj.Object("_PEB", offset, vm = process_ad,
name = "Peb", parent = self)
if peb.is_valid():
return peb
return obj.NoneObject("Peb not found")
Example #7
| Source File: win8.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def get_item(self, entry, handle_value = 0):
"""Starting with 8/2012 x64 the PsPCidTable pointers
go directly to an object rather than an object header.
"""
if entry.LowValue == 0:
return obj.NoneObject("LowValue pointer is invalid")
body_offset = self.obj_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body")
head_offset = self.decode_pointer(entry.LowValue) - body_offset
return obj.Object("_OBJECT_HEADER",
offset = head_offset,
vm = self.obj_vm,
parent = entry,
handle_value = handle_value)
Example #8
| Source File: sessions.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def find_session_space(self, kernel_space, session_id):
""" Get a session address space by its ID.
@param space: a kernel AS for process enumeration
@param session_id: the session ID to find.
@returns _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
for proc in tasks.pslist(kernel_space):
if proc.SessionId == session_id:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
return obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
return obj.NoneObject("Cannot locate a session")
Example #9
| Source File: linux.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def get_process_address_space(self):
## If we've got a NoneObject, return it maintain the reason
if not self.mm:
return self.mm
if self.mm.pgd.v() == None:
return self.mm.pgd.v()
directory_table_base = self.obj_vm.vtop(self.mm.pgd.v())
try:
process_as = self.obj_vm.__class__(
self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base)
except AssertionError, _e:
return obj.NoneObject("Unable to get process AS")
Example #10
| Source File: pslist.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def render_text(self, outfd, data):
self.table_header(outfd, [("Task", "16"),
("Pid", "8"),
("Virtual", "[addrpad]"),
("Physical", "[addrpad]"),
("Size", "[addr]")])
for task in data:
task_space = task.get_process_address_space()
pagedata = task_space.get_available_pages()
if pagedata:
for p in pagedata:
pa = task_space.vtop(p[0])
# pa can be 0, according to the old memmap, but can't == None(NoneObject)
if pa != None:
self.table_row(outfd, task.comm, task.pid, p[0], pa, p[1])
#else:
# outfd.write("0x{0:10x} 0x000000 0x{1:12x}\n".format(p[0], p[1]))
else:
outfd.write("Unable to read pages for {0} pid {1}.\n".format(task.comm, task.pid))
Example #11
| Source File: basic.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def v(self):
"""
Use zread to help emulate reading null-terminated C
strings across page boundaries.
@returns: If all bytes are available, return the full string
as a raw byte buffer. If the end of the string is in a page
that isn't available, return as much of the string as possible,
padded with nulls to the string's length.
If the string length is 0, vtop() fails, or the physical addr
of the string is not valid, return NoneObject.
Note: to get a null terminated string, use the __str__ method.
"""
result = self.obj_vm.zread(self.obj_offset, self.length)
if not result:
return obj.NoneObject("Cannot read string length {0} at {1:#x}".format(self.length, self.obj_offset))
return result
Example #12
| Source File: cache.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def _find_generators(self, item):
""" A recursive function to flatten generators into lists """
try:
result = []
# Make sure dicts aren't flattened to lists
if isinstance(item, dict):
result = {}
for i in item:
result[self._find_generators(i)] = self._find_generators(item[i])
return result
# Since NoneObjects and strings are both iterable, treat them specially
if isinstance(item, obj.NoneObject) or isinstance(item, str):
return item
if isinstance(item, types.GeneratorType):
raise CacheContainsGenerator
for x in iter(item):
flat_x = self._find_generators(x)
result.append(flat_x)
return result
except TypeError:
return item
Example #13
| Source File: atoms.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
seen = []
# Find the atom tables that belong to each window station
for wndsta in windowstations.WndScan(self._config).calculate():
offset = wndsta.obj_native_vm.vtop(wndsta.pGlobalAtomTable)
if offset in seen:
continue
seen.append(offset)
# The atom table is dereferenced in the proper
# session space
atom_table = wndsta.AtomTable
if atom_table.is_valid():
yield atom_table, wndsta
# Find atom tables not linked to specific window stations.
# This finds win32k!UserAtomHandleTable.
for table in AtomScan(self._config).calculate():
if table.PhysicalAddress not in seen:
yield table, obj.NoneObject("No windowstation")
Example #14
| Source File: cache.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def _find_generators(self, item):
""" A recursive function to flatten generators into lists """
try:
result = []
# Make sure dicts aren't flattened to lists
if isinstance(item, dict):
result = {}
for i in item:
result[self._find_generators(i)] = self._find_generators(item[i])
return result
# Since NoneObjects and strings are both iterable, treat them specially
if isinstance(item, obj.NoneObject) or isinstance(item, str):
return item
if isinstance(item, types.GeneratorType):
raise CacheContainsGenerator
for x in iter(item):
flat_x = self._find_generators(x)
result.append(flat_x)
return result
except TypeError:
return item
Example #15
| Source File: pslist.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def render_text(self, outfd, data):
self.table_header(outfd, [("Task", "16"),
("Pid", "8"),
("Virtual", "[addrpad]"),
("Physical", "[addrpad]"),
("Size", "[addr]")])
for task in data:
task_space = task.get_process_address_space()
pagedata = task_space.get_available_pages()
if pagedata:
for p in pagedata:
pa = task_space.vtop(p[0])
# pa can be 0, according to the old memmap, but can't == None(NoneObject)
if pa != None:
self.table_row(outfd, task.comm, task.pid, p[0], pa, p[1])
#else:
# outfd.write("0x{0:10x} 0x000000 0x{1:12x}\n".format(p[0], p[1]))
else:
outfd.write("Unable to read pages for {0} pid {1}.\n".format(task.comm, task.pid))
Example #16
| Source File: pslist.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def virtual_process_from_physical_offset(addr_space, offset):
pspace = utils.load_as(addr_space.get_config(), astype = 'physical')
task = obj.Object("task_struct", vm = pspace, offset = offset)
parent = obj.Object("task_struct", vm = addr_space, offset = task.parent)
for child in parent.children.list_of_type("task_struct", "sibling"):
if child.obj_vm.vtop(child.obj_offset) == task.obj_offset:
return child
return obj.NoneObject("Unable to bounce back from task_struct->parent->task_struct")
Example #17
| Source File: hibinfo.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
"""Determines the address space"""
addr_space = utils.load_as(self._config)
result = None
adrs = addr_space
while adrs:
if adrs.__class__.__name__ == 'WindowsHiberFileSpace32':
sr = adrs.ProcState.SpecialRegisters
peb = obj.NoneObject("Cannot locate a valid PEB")
# Find the PEB by cycling through processes. This method works
# on all versions of Windows x86 and x64.
for task in tasks.pslist(addr_space):
if task.Peb:
peb = task.Peb
break
result = {'header': adrs.get_header(),
'sr': sr,
'peb': peb,
'adrs': adrs }
adrs = adrs.base
if result == None:
debug.error("Memory Image could not be identified or did not contain hiberation information")
return result
Example #18
| Source File: hashdump.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def dump_memory_hashes(addr_space, config, syshive, samhive):
if syshive != None and samhive != None:
sysaddr = hive.HiveAddressSpace(addr_space, config, syshive)
samaddr = hive.HiveAddressSpace(addr_space, config, samhive)
return dump_hashes(sysaddr, samaddr)
return obj.NoneObject("SYSTEM or SAM address is None: Did you use the correct profile?")
Example #19
| Source File: hashdump.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def dump_hashes(sysaddr, samaddr):
if sysaddr == None:
yield obj.NoneObject("SYSTEM address is None: Did you use the correct profile?")
if samaddr == None:
yield obj.NoneObject("SAM address is None: Did you use the correct profile?")
bootkey = get_bootkey(sysaddr)
hbootkey = get_hbootkey(samaddr, bootkey)
if hbootkey:
for user in get_user_keys(samaddr):
ret = get_user_hashes(user, hbootkey)
if not ret:
yield obj.NoneObject("Cannot get user hashes for {0}".format(user))
else:
lmhash, nthash = ret
if not lmhash:
lmhash = empty_lm
if not nthash:
nthash = empty_nt
## temporary fix to prevent UnicodeDecodeError backtraces
## however this can cause truncated user names as a result
name = get_user_name(user)
if name is not None:
name = name.encode('ascii', 'ignore')
else:
name = "(unavailable)"
yield "{0}:{1}:{2}:{3}:::".format(name, int(str(user.Name), 16),
lmhash.encode('hex'), nthash.encode('hex'))
else:
yield obj.NoneObject("Hbootkey is not valid")
Example #20
| Source File: taskmods.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def virtual_process_from_physical_offset(addr_space, offset):
""" Returns a virtual process from a physical offset in memory """
# Since this is a physical offset, we find the process
flat_addr_space = utils.load_as(addr_space.get_config(), astype = 'physical')
flateproc = obj.Object("_EPROCESS", offset, flat_addr_space)
# then use the virtual address of its first thread to get into virtual land
# (Note: the addr_space and flat_addr_space use the same config, so should have the same profile)
tleoffset = addr_space.profile.get_obj_offset("_ETHREAD", "ThreadListEntry")
# start out with the member offset given to us from the profile
offsets = [tleoffset]
# if (and only if) we're dealing with 64-bit Windows 7 SP1
# then add the other commonly seen member offset to the list
meta = addr_space.profile.metadata
major = meta.get("major", 0)
minor = meta.get("minor", 0)
build = meta.get("build", 0)
version = (major, minor, build)
if meta.get("memory_model") == "64bit" and version == (6, 1, 7601):
offsets.append(tleoffset + 8)
## use the member offset from the profile
for ofs in offsets:
ethread = obj.Object("_ETHREAD", offset = flateproc.ThreadListHead.Flink.v() - ofs, vm = addr_space)
# and ask for the thread's process to get an _EPROCESS with a virtual address space
virtual_process = ethread.owning_process()
# Sanity check the bounce. See Issue 154.
if virtual_process and offset == addr_space.vtop(virtual_process.obj_offset):
return virtual_process
return obj.NoneObject("Unable to bounce back from virtual _ETHREAD to virtual _EPROCESS")
Example #21
| Source File: arm.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def read_long_phys(self, addr):
'''
Returns an unsigned 32-bit integer from the address addr in
physical memory. If unable to read from that location, returns None.
'''
try:
string = self.base.read(addr, 4)
except IOError:
string = None
if not string:
return obj.NoneObject("Could not read_long_phys at offset " + hex(addr))
longval, = self._long_struct.unpack(string)
return longval
Example #22
| Source File: rawreg.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def open_key(root, key):
if key == []:
return root
if not root.is_valid():
return None
keyname = key.pop(0)
for s in subkeys(root):
if s.Name.upper() == keyname.upper():
return open_key(s, key)
debug.debug("Couldn't find subkey {0} of {1}".format(keyname, root.Name), 1)
return obj.NoneObject("Couldn't find subkey {0} of {1}".format(keyname, root.Name))
Example #23
| Source File: vmware.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def get_tag(header, grp_name, tag_name, indices = None, data_type = None):
"""Get a tag from the VMware headers
@param grp_name: the group name (from _VMWARE_GROUP.Name)
@param tag_name: the tag name (from _VMWARE_TAG.Name)
@param indices: a group can contain multiple tags of the same name,
and tags can also contain meta-tags. this parameter lets you specify
which tag or meta-tag exactly to operate on. for example the 3rd CR
register (CR3) of the first CPU would use [0][3] indices. If this
parameter is None, then you just match on grp_name and tag_name.
@param data_type: the type of data depends on the purpose of the tag.
If you supply this parameter, the function returns an object of the
specified type (for example an int or long). If not supplied, you just
get back the _VMWARE_TAG object itself.
"""
for group in header.Groups:
## Match on the group's name
if str(group.Name) != grp_name:
continue
## Iterate the tags looking for a matchah
for tag in group.Tags:
if str(tag.Name) != tag_name:
continue
## If a set of indices was supplied, make sure it matches
if indices and tag.TagIndices != indices:
continue
## If a data type is specified, cast the Tag and return the
## object. Otherwise return the Tag object itself.
if data_type:
return tag.cast_as(data_type)
else:
return tag
return obj.NoneObject("Cannot find [{0}][{1}]".format(grp_name, tag_name))
Example #24
| Source File: win32k_core.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def find_gahti(self):
"""Find this session's gahti.
This can potentially be much faster by searching for
'\0' * sizeof(tagHANDLETYPEINFO) instead
of moving on a dword aligned boundary through
the section.
"""
for chunk in self._section_chunks(".rdata"):
if not chunk.is_valid():
continue
gahti = obj.Object("gahti", offset = chunk.obj_offset,
vm = self.obj_vm)
## The sanity check here is based on the fact that the first entry
## in the gahti is always for TYPE_FREE. The fnDestroy pointer will
## be NULL, the alloc tag will be an empty string, and the creation
## flags will be zero. We also then check the alloc tag of the first
## USER handle type which should be Uswd (TYPE_WINDOW).
## Update: fnDestroy is no longer NULL for TYPE_FREE on Win8/2012.
if (str(gahti.types[0].dwAllocTag) == '' and
gahti.types[0].bObjectCreateFlags == 0 and
str(gahti.types[1].dwAllocTag) == "Uswd"):
return gahti
return obj.NoneObject("Cannot find win32k!_gahti")
Example #25
| Source File: win7.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def find_shared_info(self):
"""The way we find win32k!gSharedInfo on Windows 7
is different than before. For each DWORD in the
win32k.sys module's .data section (DWORD-aligned)
we check if its the HeEntrySize member of a possible
tagSHAREDINFO structure. This should equal the size
of a _HANDLEENTRY.
The HeEntrySize member didn't exist before Windows 7
thus the need for separate methods."""
handle_table_size = self.obj_vm.profile.\
get_obj_size("_HANDLEENTRY")
handle_entry_offset = self.obj_vm.profile.\
get_obj_offset("tagSHAREDINFO", "HeEntrySize")
for chunk in self._section_chunks(".data"):
if chunk != handle_table_size:
continue
shared_info = obj.Object("tagSHAREDINFO",
offset = chunk.obj_offset - handle_entry_offset,
vm = self.obj_vm)
if shared_info.is_valid():
return shared_info
return obj.NoneObject("Cannot find win32k!gSharedInfo")
Example #26
| Source File: intel.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def read_long_phys(self, addr):
try:
string = self.base.read(addr, 4)
except IOError:
string = None
if not string:
return obj.NoneObject("Unable to read_long_phys at " + hex(addr))
longval, = self._long_struct.unpack(string)
return longval
Example #27
| Source File: clipboard.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def generator(self, data):
for session, wndsta, clip, handle in data:
# If no tagCLIP is provided, we do not know the format
if not clip:
fmt = obj.NoneObject("Format unknown")
else:
# Try to get the format name, but failing that, print
# the format number in hex instead.
if clip.fmt.v() in consts.CLIPBOARD_FORMAT_ENUM:
fmt = str(clip.fmt)
else:
fmt = hex(clip.fmt.v())
# Try to get the handle from tagCLIP first, but
# fall back to using _HANDLEENTRY.phead. Note: this can
# be a value like DUMMY_TEXT_HANDLE (1) etc.
if clip:
handle_value = clip.hData
else:
handle_value = handle.phead.h
clip_data = ""
if handle:
try:
clip_data = ''.join([chr(c) for c in handle.reference_object().abData])
except AttributeError:
pass
yield(0, [int(session.SessionId),
str(wndsta.Name),
str(fmt),
Hex(handle_value),
Address(handle.phead.v()),
Bytes(clip_data)
])
Example #28
| Source File: intel.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def _read_long_long_phys(self, addr):
if not addr:
return obj.NoneObject("Unable to read None")
try:
string = self.base.read(addr, 8)
except IOError:
string = None
if not string:
return obj.NoneObject("Unable to read base AS at " + hex(addr))
longlongval, = self._longlong_struct.unpack(string)
return longlongval
Example #29
| Source File: messagehooks.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def translate_atom(self, winsta, atom_tables, atom_id):
"""
Translate an atom into an atom name.
@param winsta: a tagWINDOWSTATION in the proper
session space
@param atom_tables: a dictionary with _RTL_ATOM_TABLE
instances as the keys and owning window stations as
the values.
@param index: the index into the atom handle table.
"""
# First check the default atoms
if consts.DEFAULT_ATOMS.has_key(atom_id):
return consts.DEFAULT_ATOMS[atom_id].Name
# A list of tables to search. The session atom tables
# have priority and will be searched first.
table_list = [
table for (table, window_station)
in atom_tables.items() if window_station == None
]
table_list.append(winsta.AtomTable)
## Fixme: the session atom tables are found via physical
## AS pool tag scanning, and there's no good way (afaik)
## to associate the table with its session. Thus if more
## than one session has atoms with the same id but different
## values, then we could possibly select the wrong one.
for table in table_list:
atom = table.find_atom(atom_id)
if atom:
return atom.Name
return obj.NoneObject("Cannot translate atom {0:#x}".format(atom_id))
Example #30
| Source File: shellbags.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def v(self):
result = self.obj_vm.zread(self.obj_offset, self.length).split("\x00\x00")[0].replace("\x00", "")
if not result:
return obj.NoneObject("Cannot read string length {0} at {1:#x}".format(self.length, self.obj_offset))
return result
