Python volatility.debug.debug() Examples
The following are 30
code examples of volatility.debug.debug().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.debug
, or try the search function
.
.
Example #1
| Source File: lsadump.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not self._config.sys_offset or not self._config.sec_offset:
regapi = registryapi.RegistryApi(self._config)
for offset in regapi.all_offsets:
name = regapi.all_offsets[offset].lower().split("\\")[-1]
if "system" == name:
self._config.update("SYS_OFFSET", offset)
elif "security" == name:
self._config.update("SEC_OFFSET", offset)
secrets = lsasecrets.get_memory_secrets(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
if not secrets:
debug.error("Unable to read LSA secrets from registry")
return secrets
Example #2
| Source File: autoruns.py From volatility-autoruns with GNU General Public License v2.0 | 6 votes |
|
def get_sdb(self):
debug.debug('Started get_sdb()')
results = []
try:
self.regapi.reset_current()
sdb_keys = self.regapi.reg_get_all_subkeys(hive_name='software', key=APPCOMPAT_SDB_KEY)
for subkey in sdb_keys:
parsed_sdb_entry = self.parse_sdb_key(subkey)
if parsed_sdb_entry:
results.append(parsed_sdb_entry)
except Exception as e:
debug.warning('get_sdb() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
debug.debug('Finished get_sdb()')
return results
#Returns None or a tuple(exe, db_path, subkey.LastWriteTime, key path, [int(pids)])
Example #3
| Source File: autoruns.py From volatility-autoruns with GNU General Public License v2.0 | 6 votes |
|
def get_activesetup(self):
debug.debug('Started get_activesetup()')
results = []
try:
self.regapi.reset_current()
for subkey in self.regapi.reg_get_all_subkeys(hive_name='software', key=ACTIVE_SETUP_KEY):
r = self.parse_activesetup_keys(subkey)
if r:
results.append(r)
except Exception as e:
debug.warning('get_activesetup() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
debug.debug('Finished get_activesetup()')
return results
# Returns None or a tuple(exe path, subkey.LastWriteTime, key path, [int(pids)])
Example #4
| Source File: autoruns.py From volatility-autoruns with GNU General Public License v2.0 | 6 votes |
|
def get_services(self):
debug.debug('Started get_services()')
results = []
service_key_path = "{}\\Services".format(self.currentcs)
try:
self.regapi.reset_current()
for service_sk in self.regapi.reg_get_all_subkeys(hive_name='system', key=service_key_path):
parsed_service = self.parse_service_key(service_sk)
if parsed_service and (self._config.VERBOSE or 'system32' not in parsed_service[5].lower()):
results.append(parsed_service)
except Exception as e:
debug.warning('get_services() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
debug.debug('Finished get_services()')
return results
# Returns None or (key_path, timestamp, display_name, SERVICE_STARTUP[startup], SERVICE_TYPES[type], image_path, service_dll, [int(pids)])
Example #5
| Source File: autoruns.py From volatility-autoruns with GNU General Public License v2.0 | 6 votes |
|
def get_winlogon(self):
debug.debug('Started get_winlogon()')
winlogon = []
winlogon_key_path="Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
try:
self.regapi.reset_current()
key = self.regapi.reg_get_key(hive_name='software', key=winlogon_key_path)
if key:
for v_name, v_data in self.regapi.reg_yield_values(hive_name=None, key=None, given_root=key):
val_name = str(v_name or '')
val_data = str(v_data or '').replace('\x00', '')
if val_data and val_name in WINLOGON_COMMON_VALUES:
pids = self.find_pids_for_imagepath(val_data)
winlogon.append((val_name, val_data, key.LastWriteTime, WINLOGON_COMMON_VALUES[val_name], winlogon_key_path, pids))
except Exception as e:
debug.warning('get_winlogon() failed to complete. Exception: {} {}'.format(type(e).__name__, e.args))
debug.debug('Finished get_winlogon()')
return winlogon
# Returns [] or a list of tuples from parse_service_key()
Example #6
| Source File: emulator.py From ROPMEMU with GNU Lesser General Public License v2.1 | 6 votes |
|
def hook_mem_fetch_unmapped(self, uc, access, address, size, value, user_data):
debug.debug("[hook_mem_fetch_unmapped] - address: (%lx, %x) " % (address, size))
# update ip
next_ip = self.unicorn_code + size
self.mu.reg_write(UC_X86_REG_RIP, next_ip)
D = disass.Disass(self.dump)
# for the format - always deal with strings - internally int
address = hex(address).strip("L")
# we need to disass to get instructions/content
D.get_gadget(address, 1)
self.mu.mem_write(next_ip, D.total_content)
self.set_ip(address)
return True
### Registers
Example #7
| Source File: autoruns.py From volatility-autoruns with GNU General Public License v2.0 | 6 votes |
|
def parse_winlogon_registration_key(self, key):
dllname = ""
events = []
pids = []
key_path = self.regapi.reg_get_key_path(key) or str(key.Name)
try:
for v_name, v_data in self.regapi.reg_yield_values(hive_name=None, key=None, given_root=key):
val_name = str(v_name or '')
val_data = str(v_data or '').replace('\x00', '')
if val_name.lower() == 'dllname':
dllname = val_data
pids = self.find_pids_for_imagepath(dllname)
elif val_name in WINLOGON_NOTIFICATION_EVENTS:
events.append((val_name, val_data))
except Exception as e:
debug.warning('Failed while parsing {}. Exception: {} {}'.format(key_path, type(e).__name__, e.args))
if dllname:
return (dllname, events, key.LastWriteTime, key_path, pids)
# Returns [] or a list of tuples(val_name, val_data, key.LastWriteTime, expected_val_data, [int(pids)])
Example #8
| Source File: autoruns.py From volatility-autoruns with GNU General Public License v2.0 | 6 votes |
|
def get_winlogon_registrations(self):
debug.debug('Started get_winlogon_registrations()')
results = []
notify_key = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"
try:
self.regapi.reset_current()
for subkey in self.regapi.reg_get_all_subkeys(hive_name='software', key=notify_key):
parsed_entry = self.parse_winlogon_registration_key(subkey)
if parsed_entry and (self._config.VERBOSE or (parsed_entry[0].split('\\')[-1] not in WINLOGON_REGISTRATION_KNOWN_DLLS)):
results.append(parsed_entry)
except Exception as e:
debug.warning('get_winlogon_registrations() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
debug.debug('Finished get_winlogon_registrations()')
return results
# Returns None or (str(dllname), [(str(trigger)),str(event))], key.LastWriteTime, key path, [int(pids)])
Example #9
| Source File: obj.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def Object(theType, offset, vm, name = None, **kwargs):
""" A function which instantiates the object named in theType (as
a string) from the type in profile passing optional args of
kwargs.
"""
name = name or theType
offset = int(offset)
try:
if vm.profile.has_type(theType):
result = vm.profile.types[theType](offset = offset, vm = vm, name = name, **kwargs)
return result
except InvalidOffsetError:
## If we cant instantiate the object here, we just error out:
return NoneObject("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name),
strict = vm.profile.strict)
## If we get here we have no idea what the type is supposed to be?
## This is a serious error.
debug.warning("Cant find object {0} in profile {1}?".format(theType, vm.profile))
Example #10
| Source File: obj.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __getstate__(self):
""" This controls how we pickle and unpickle the objects """
try:
thetype = self._vol_theType.__name__
except AttributeError:
thetype = self._vol_theType
# Note: we lose the parent attribute here
result = dict(offset = self.obj_offset,
name = self.obj_name,
vm = self.obj_vm,
native_vm = self.obj_native_vm,
theType = thetype)
## Introspect the kwargs for the constructor and store in the dict
try:
for arg in self.__init__.func_code.co_varnames:
if (arg not in result and
arg not in "self parent profile args".split()):
result[arg] = self.__dict__[arg]
except KeyError:
debug.post_mortem()
raise pickle.PicklingError("Object {0} at 0x{1:08x} cannot be cached because of missing attribute {2}".format(self.obj_name, self.obj_offset, arg))
return result
Example #11
| Source File: obj.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def load_vtypes(self):
""" Identifies the module from which to load the vtypes
Eventually this could do the importing directly, and avoid having
the profiles loaded in memory all at once.
"""
ntvar = self.metadata.get('memory_model', '32bit')
self.native_types = copy.deepcopy(self.native_mapping.get(ntvar))
vtype_module = self.metadata.get('vtype_module', None)
if not vtype_module:
debug.warning("No vtypes specified for this profile")
else:
module = sys.modules.get(vtype_module, None)
# Try to locate the _types dictionary
for i in dir(module):
if i.endswith('_types'):
self.vtypes.update(getattr(module, i))
Example #12
| Source File: unchain.py From ROPMEMU with GNU Lesser General Public License v2.1 | 6 votes |
|
def calculate(self):
if not self.is_nasm():
debug.error("Please install nasm")
if not self._config.IJSON:
debug.error("Please provide the input JSON trace")
self._addrspace = utils.load_as(self._config)
self.md = self.init_capstone()
self.md.detail = True
print "[+] From gadget: %s" % self._config.SGADGET
print "[+] To gadget: %s" % self._config.GLIMIT
self.get_json_trace()
self.follow_trace()
if self._config.DEBUG:
self.get_trace_asm()
if self._config.DB or self._config.IDB:
self.serialize_opcodes()
Example #13
| Source File: cache.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def dump(self, url, payload):
# TODO: Ensure a better check for ieee1394/non-cachable address spaces than a bad URL
try:
filename = self.filename(url)
except exceptions.CacheRelativeURLException:
debug.debug("NOT Dumping url {0} - relative URLs are not yet supported".format(url))
return
## Check that the directory exists
directory = os.path.dirname(filename)
if not os.access(directory, os.R_OK | os.W_OK | os.X_OK):
os.makedirs(directory)
## Ensure that the payload is flattened - i.e. all generators are converted to lists for pickling
try:
data = pickle.dumps(payload)
debug.debug("Dumping filename {0}".format(filename))
fd = open(filename, 'w')
fd.write(data)
fd.close()
except (pickle.PickleError, TypeError):
# Do nothing if the pickle fails
debug.debug("NOT Dumping filename {0} - contained a non-picklable class".format(filename))
## This is the central cache object
Example #14
| Source File: disass.py From ROPMEMU with GNU Lesser General Public License v2.1 | 6 votes |
|
def get_gadget(self, address, state):
def is_capstone_branch(ins):
for m in ins.groups:
if m in self.branch: return True
return False
address = int(address, 16)
debug.debug("[get_gadget] address: %x" % address)
data = self.get_gadget_data(address)
gadget = []
final_addr = address
for ins in self.md.disasm(data, address):
instr = "%s %s" % (ins.mnemonic, ins.op_str)
final_addr += ins.size
if state == 0: print "\t | 0x%x \t| %s " % (ins.address, instr)
gadget.append((str(ins.bytes), ins.size))
self.gadget_instructions.append(instr)
if is_capstone_branch(ins): break
if "ret" in instr: self.ret = (final_addr - ins.size)
return gadget
Example #15
| Source File: lime.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __init__(self, base, config, *args, **kwargs):
self.as_assert(base, "lime: need base")
addrspace.AbstractRunBasedMemory.__init__(self, base, config, *args, **kwargs)
sig = base.read(0, 4)
## ARM processors are bi-endian, but little is the default and currently
## the only mode we support; unless it comes a common request.
if sig == '\x4c\x69\x4d\x45':
debug.debug("Big-endian ARM not supported, please submit a feature request")
self.as_assert(sig == '\x45\x4D\x69\x4c', "Invalid Lime header signature")
self.addr_cache = {}
self.parse_lime()
Example #16
| Source File: lsadump.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not self._config.sys_offset or not self._config.sam_offset:
regapi = registryapi.RegistryApi(self._config)
for offset in regapi.all_offsets:
name = regapi.all_offsets[offset].lower().split("\\")[-1]
if "system" == name:
self._config.update("SYS_OFFSET", offset)
elif "sam" == name:
self._config.update("SAM_OFFSET", offset)
hashes = hashdumpmod.dump_memory_hashes(addr_space, self._config, self._config.sys_offset, self._config.sam_offset)
if not hashes:
debug.error("Unable to read hashes from registry")
return hashes
Example #17
| Source File: lsadump.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not self._config.sys_offset or not self._config.sec_offset:
regapi = registryapi.RegistryApi(self._config)
for offset in regapi.all_offsets:
name = regapi.all_offsets[offset].lower().split("\\")[-1]
if "system" == name:
self._config.update("SYS_OFFSET", offset)
elif "security" == name:
self._config.update("SEC_OFFSET", offset)
hashes = domcachedumpmod.dump_memory_hashes(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
if hashes == None:
debug.error("Unable to read hashes from registry")
return hashes
Example #18
| Source File: pe_vtypes.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def _get_image_exe(self, unsafe, fix):
nt_header = self.get_nt_header()
soh = nt_header.OptionalHeader.SizeOfHeaders
header = self.obj_vm.zread(self.obj_offset, soh)
if fix:
header = self._fix_header_image_base(header, nt_header)
yield (0, header)
fa = nt_header.OptionalHeader.FileAlignment
for sect in nt_header.get_sections(unsafe):
foa = self.round(sect.PointerToRawData, fa)
if foa != sect.PointerToRawData:
debug.warning("Section start on disk not aligned to file alignment.\n")
debug.warning("Adjusted section start from {0} to {1}.\n".format(sect.PointerToRawData, foa))
yield self.get_code(sect.VirtualAddress + self.obj_offset,
sect.SizeOfRawData, foa)
Example #19
| Source File: linux.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def to_paddr(self):
mem_map_addr = self.obj_vm.profile.get_symbol("mem_map")
mem_section_addr = self.obj_vm.profile.get_symbol("mem_section")
if mem_map_addr:
# FLATMEM kernels, usually 32 bit
mem_map_ptr = obj.Object("Pointer", offset = mem_map_addr, vm = self.obj_vm, parent = self.obj_parent)
elif mem_section_addr:
# this is hardcoded in the kernel - VMEMMAPSTART, usually 64 bit kernels
mem_map_ptr = 0xffffea0000000000
else:
debug.error("phys_addr_of_page: Unable to determine physical address of page. NUMA is not supported at this time.\n")
phys_offset = (self.obj_offset - mem_map_ptr) / self.obj_vm.profile.get_obj_size("page")
phys_offset = phys_offset << 12
return phys_offset
Example #20
| Source File: linux.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def bash_hash_entries(self):
nbuckets_offset = self.obj_vm.profile.get_obj_offset("_bash_hash_table", "nbuckets")
heap_vma = self.find_heap_vma()
if heap_vma == None:
debug.debug("Unable to find heap for pid %d" % self.pid)
return
proc_as = self.get_process_address_space()
if proc_as == None:
return
for off in self.search_process_memory(["\x40\x00\x00\x00"], heap_only=True):
# test the number of buckets
htable = obj.Object("_bash_hash_table", offset = off - nbuckets_offset, vm = proc_as)
for ent in htable:
yield ent
off = off + 1
Example #21
| Source File: getservicesids.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
#scan for registries and populate them:
debug.debug("Scanning for registries....")
#set our current registry of interest and get its path
#and get current control set
debug.debug("Getting Current Control Set....")
regapi = registryapi.RegistryApi(self._config)
currentcs = regapi.reg_get_currentcontrolset()
if currentcs == None:
currentcs = "ControlSet001"
#set the services root.
regapi.set_current('system')
debug.debug("Getting Services and calculating SIDs....")
services = regapi.reg_get_key('system', currentcs + '\\' + 'Services')
if services:
for s in rawreg.subkeys(services):
if s.Name not in servicesids.values():
sid = createservicesid(str(s.Name))
yield sid, str(s.Name)
for sid in servicesids:
yield sid, servicesids[sid]
Example #22
| Source File: slab_info.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def get_all_kmem_caches(self):
linux_common.set_plugin_members(self)
cache_chain = self.addr_space.profile.get_symbol("cache_chain")
slab_caches = self.addr_space.profile.get_symbol("slab_caches")
if cache_chain: #slab
caches = obj.Object("list_head", offset = cache_chain, vm = self.addr_space)
listm = "next"
ret = [cache for cache in caches.list_of_type("kmem_cache", listm)]
elif slab_caches: #slub
debug.info("SLUB is currently unsupported.")
ret = []
else:
debug.error("Unknown or unimplemented slab type.")
return ret
Example #23
| Source File: unchain.py From ROPMEMU with GNU Lesser General Public License v2.1 | 6 votes |
|
def follow_trace(self):
cnt = 0
self.init_chain_dump()
self.init_opcodes_db()
for trace_key1, trace_c1 in self.trace.items():
trace_ptr, trace_gnum = trace_key1.split('-')
if self._config.GLIMIT and int(trace_gnum) >= self._config.GLIMIT: break
if int(trace_gnum) < self._config.SGADGET: continue
self.gid += 1
for trace_key2, trace_c2 in trace_c1.items():
for tk in trace_c2.keys():
cnt += 1
opcodes = self.check_trace_instruction(trace_key2, tk.lower(), trace_c2, cnt)
if opcodes: self.append_opcodes_dump(opcodes)
else: debug.debug("[-] Skipping instructions... %s" % tk.lower())
self.stop_chain_dump()
Example #24
| Source File: ropemu.py From ROPMEMU with GNU Lesser General Public License v2.1 | 5 votes |
|
def is_api(self, ip):
debug.debug("[is_api] - %s -> %s" % (ip, ip[2:]))
if ip[2:] in self.symbols.keys(): return self.symbols[ip[2:]]
return None
Example #25
| Source File: unchain.py From ROPMEMU with GNU Lesser General Public License v2.1 | 5 votes |
|
def get_trace_asm(self):
'''Debugging function'''
debug.debug("Trace ASM")
gnum = 0
stop = 0
for k1, v1 in self.trace.items():
if self._config.GLIMIT:
if gnum > self._config.GLIMIT: stop = 1
gnum += 1
if stop == 1: break
for k2, v2 in v1.items():
for k3, v3 in v2.items():
print k3.lower()
Example #26
| Source File: unchain.py From ROPMEMU with GNU Lesser General Public License v2.1 | 5 votes |
|
def is_in_trace(self, chain_ptr, chain_gnum, c_ins):
for trace_key1, trace_c1 in self.trace.items():
trace_ptr, trace_gnum = trace_key1.split('-')
if trace_ptr != chain_ptr: continue
for trace_key2, trace_c2 in trace_c1.items():
if c_ins in [tk.lower() for tk in trace_c2.keys()]:
debug.debug("%s %s %s %s %s" % (chain_ptr, chain_gnum, trace_ptr, trace_gnum, c_ins))
return True
return False
Example #27
| Source File: browserhooks.py From volatility-browserhooks with BSD 2-Clause "Simplified" License | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
## prerequisities
if not has_distorm3:
debug.error("Install distorm3 code.google.com/p/distorm/")
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
for proc in self.filter_tasks(tasks.pslist(addr_space)):
process_space = proc.get_process_address_space()
if not process_space:
print("Cannot acquire process AS for {0} ({1})".format(proc.ImageFileName, proc.UniqueProcessId))
continue
#PK process_space.profile.add_types(wow64_types)
process_space.profile.object_classes.update({'_UNICODE_STRING32': _UNICODE_STRING32,
'_LDR_DATA_TABLE_ENTRY32' : _LDR_DATA_TABLE_ENTRY32,
'_IMAGE_IMPORT_DESCRIPTOR32' : _IMAGE_IMPORT_DESCRIPTOR32})
i = 0
if proc.IsWow64:
module_group = ModuleGroup(self.get_modules_wow64(proc))
else:
module_group = ModuleGroup(proc.get_load_modules())
for dll in module_group.mods:
if not process_space.is_valid_address(dll.DllBase):
continue
dll_name = str(dll.BaseDllName or '').lower()
if (dll_name not in self.critical_dlls and dll.DllBase != proc.Peb.ImageBaseAddress):
#PK print("Skipping non-critical dll {0} at {1:#x}".format( dll_name, dll.DllBase))
continue
for hook in self.get_hooks(proc, dll, module_group):
if self.whitelist(hook.hook_type, str(proc.ImageFileName), hook.VictimModule, hook.HookModule, hook.Function):
continue
print "dll: %s"%(dll.BaseDllName)
yield proc, dll, hook
Example #28
| Source File: browserhooks.py From volatility-browserhooks with BSD 2-Clause "Simplified" License | 5 votes |
|
def debug_dir(self):
"""Return the IMAGE_DEBUG_DIRECTORY for debug info"""
return self._directory(6) # IMAGE_DEBUG_DIRECTORY
Example #29
| Source File: lsadump.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def render_text(self, outfd, data):
for d in data:
if d == None:
debug.debug("Unable to read hashes from registry")
else:
outfd.write(d + "\n")
Example #30
| Source File: strings.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def get_processes(self, addr_space):
"""Enumerate processes based on user options.
:param addr_space | <addrspace.AbstractVirtualAddressSpace>
:returns <list>
"""
bounce_back = taskmods.DllList.virtual_process_from_physical_offset
if self._config.OFFSET != None:
tasks = [bounce_back(addr_space, self._config.OFFSET)]
elif self._config.SCAN:
procs = list(filescan.PSScan(self._config).calculate())
tasks = []
for task in procs:
tasks.append(bounce_back(addr_space, task.obj_offset))
else:
tasks = win32.tasks.pslist(addr_space)
try:
if self._config.PID is not None:
pidlist = [int(p) for p in self._config.PID.split(',')]
tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
except (ValueError, TypeError):
debug.error("Invalid PID {0}".format(self._config.PID))
return tasks
