Python volatility.debug.info() Examples
The following are 30
code examples of volatility.debug.info().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.debug
, or try the search function
.
.
Example #1
| Source File: openioc_scan.py From openioc_scan with GNU General Public License v2.0 | 6 votes |
|
def extract_services(self, is_service_name=False, is_display_name=False, is_bin_path=False):
debug.info("[time-consuming task] extracting service information...")
records = []
for rec in svcscan.SvcScan.calculate(self):
service_name = '{0}'.format(rec.ServiceName.dereference())
display_name = '{0}'.format(rec.DisplayName.dereference())
bin_path = '{0}'.format(rec.Binary)
records.append((service_name, display_name, bin_path))
self.cur.executemany("insert or ignore into service values (?, ?, ?)", records)
if is_service_name:
return [record[0] for record in records]
elif is_display_name:
return [record[1] for record in records]
elif is_bin_path:
return [record[2] for record in records]
Example #2
| Source File: process_stack.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def find_scanned_frames(self, p, address, end):
"""
Find frames by scanning for return addresses.
@param p: process info object
@param address: Start address
@param end: End address
@return: a list of frames
"""
address_size = linux_process_info.address_size
frames = []
debug.info("Scan range (%rsp to end) = (0x{:016x} to 0x{:016x})".format(address, end))
count = 0
while address <= end:
if p.proc_as.is_valid_address(address) and self.is_return_address(read_address(p.proc_as, address, address_size), p):
st = stack_frame(address + address_size, p.proc_as, count)
frames.append(st)
count += 1
address += address_size
return frames
Example #3
| Source File: slab_info.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def get_all_kmem_caches(self):
linux_common.set_plugin_members(self)
cache_chain = self.addr_space.profile.get_symbol("cache_chain")
slab_caches = self.addr_space.profile.get_symbol("slab_caches")
if cache_chain: #slab
caches = obj.Object("list_head", offset = cache_chain, vm = self.addr_space)
listm = "next"
ret = [cache for cache in caches.list_of_type("kmem_cache", listm)]
elif slab_caches: #slub
debug.info("SLUB is currently unsupported.")
ret = []
else:
debug.error("Unknown or unimplemented slab type.")
return ret
Example #4
| Source File: openioc_scan.py From openioc_scan with GNU General Public License v2.0 | 6 votes |
|
def extract_timers(self):
debug.info("[time-consuming task] extracting kernel timers...")
records = []
# added for default option value
self._config.LISTHEAD = None
for timer, module in timers.Timers.calculate(self):
if timer.Header.SignalState.v():
signaled = "Yes"
else:
signaled = "-"
due_time = "{0:#010x}:{1:#010x}".format(timer.DueTime.HighPart, timer.DueTime.LowPart)
#records.append((module.DllBase.v(), timer.obj_offset, due_time, timer.Period.v(), signaled, timer.Dpc.DeferredRoutine.v()))
#Quickfix for module=None
if module is None:
records.append(('None', str(timer.obj_offset), due_time, timer.Period.v(), signaled, str(timer.Dpc.DeferredRoutine.v())))
else:
records.append((str(module.DllBase.v()), str(timer.obj_offset), due_time, timer.Period.v(), signaled, str(timer.Dpc.DeferredRoutine.v())))
if len(records) == 0:
records.append(('dummy', 'dummy', 'dummy', 'dummy', 'dummy', 'dummy')) # insert dummy for done
self.cur.executemany("insert or ignore into kernel_mods_timers values (?, ?, ?, ?, ?, ?)", records)
timer_routines = [record[5] for record in records if self.kmod.DllBase.v() == record[0]]
return len(timer_routines)
Example #5
| Source File: openioc_scan.py From openioc_scan with GNU General Public License v2.0 | 6 votes |
|
def render_text(self, outfd, data):
if self._config.show:
for definitions in data:
outfd.write(definitions)
outfd.write('++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\n')
else:
for process, kmod, ioc_result in data:
outfd.write('***************************************************************\n')
outfd.write(ioc_result)
if process is not None:
outfd.write("Note: ProcessItem was evaluated only in {0} (Pid={1})\n".format(process.ImageFileName, process.UniqueProcessId))
if kmod is not None:
outfd.write("Note: DriverItem was evaluated only in {0} (base=0x{1:x})\n".format(str(kmod.BaseDllName or ''), kmod.DllBase))
outfd.write('***************************************************************\n')
self.db.commit()
self.cur.close()
debug.info("=> elapsed scan total: about {0} s".format(self.total_secs))
Example #6
| Source File: slab_info.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def get_all_kmem_caches(self):
linux_common.set_plugin_members(self)
cache_chain = self.addr_space.profile.get_symbol("cache_chain")
slab_caches = self.addr_space.profile.get_symbol("slab_caches")
if cache_chain: #slab
caches = obj.Object("list_head", offset = cache_chain, vm = self.addr_space)
listm = "next"
ret = [cache for cache in caches.list_of_type("kmem_cache", listm)]
elif slab_caches: #slub
debug.info("SLUB is currently unsupported.")
ret = []
else:
debug.error("Unknown or unimplemented slab type.")
return ret
Example #7
| Source File: process_stack.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def find_return_libc_start(self, proc_as, start_stack, return_start):
"""
Scans the stack for a certain address, in this case the return address of __libc_start_main.
@param proc_as: Process address space
@param start_stack: Start address to search
@param return_start: The return address to find
@return The address found or None
"""
address = start_stack
for value in yield_address(proc_as, start_stack, reverse=True):
if value == return_start:
debug.info("Scanned {} stack addresses before finding the __libc_start_main return address".format((start_stack-address)/linux_process_info.address_size))
return address
address -= linux_process_info.address_size
debug.info("Exhausted search for __libc_start_main return address at stack address {:016x}".format(address))
return None
Example #8
| Source File: process_stack.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def is_return_address(self, address, process_info):
"""
Checks if the address is a return address by checking if the preceding instruction is a 'CALL'.
@param address: An address
@param process_info: process info object
@return True or False
"""
proc_as = process_info.proc_as
size = 5
if distorm_loaded and process_info.is_code_pointer(address):
offset = address - size
instr = distorm3.Decode(offset, proc_as.read(offset, size), self.decode_as)
# last instr, third tuple item (instr string), first 7 letters
# if instr[-1][2][:7] == 'CALL 0x':
# print(instr[-1][2])
if len(instr) > 0:
return instr[-1][2][:4] == 'CALL'
# there's also call <register>
return False
Example #9
| Source File: process_stack.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def find_entry_point(self, proc_as, start_code):
"""
Read the entry point from the program header.
@param proc_as: Process address space
@param start_code: Start of the program code mapping
@return The address of the entry point (_start)
"""
# entry point lives at ELF header + 0x18
# add it to the memory mapping of the binary
if not proc_as.is_valid_address(start_code+0x18):
# it's gone from memory
debug.info("We could not find program entry point, skipping _start detection")
return False
offset = read_address(proc_as, start_code+0x18)
if offset > start_code:
# it's an absolute address
return offset
else:
# it's a relative offset, i.e. PIE code
return start_code + offset
Example #10
| Source File: process_stack.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def find_scanned_frames(self, p, address, end):
"""
Find frames by scanning for return addresses.
@param p: process info object
@param address: Start address
@param end: End address
@return: a list of frames
"""
address_size = linux_process_info.address_size
frames = []
debug.info("Scan range (%rsp to end) = (0x{:016x} to 0x{:016x})".format(address, end))
count = 0
while address <= end:
if p.proc_as.is_valid_address(address) and self.is_return_address(read_address(p.proc_as, address, address_size), p):
st = stack_frame(address + address_size, p.proc_as, count)
frames.append(st)
count += 1
address += address_size
return frames
Example #11
| Source File: openioc_scan.py From openioc_scan with GNU General Public License v2.0 | 6 votes |
|
def extract_callbacks(self):
debug.info("[time-consuming task] extracting kernel callbacks...")
records = []
# added for default option values (filescan)
self._config.VIRTUAL = False
self._config.SHOW_UNALLOCATED = False
self._config.START = None
self._config.LENGTH = None
for (sym, cb, detail), mods, mod_addrs in callbacks.Callbacks.calculate(self):
module = tasks.find_module(mods, mod_addrs, mods.values()[0].obj_vm.address_mask(cb))
type_name = '{0}'.format(sym)
#records.append((module.DllBase.v(), type_name, cb.v(), str(detail or "-")))
records.append((str(module.DllBase.v()), type_name, str(cb.v()), str(detail or "-")))
if len(records) == 0:
records.append(('dummy', 'dummy', 'dummy', 'dummy')) # insert dummy for done
self.cur.executemany("insert or ignore into kernel_mods_callbacks values (?, ?, ?, ?)", records)
return [record[1] for record in records if self.kmod.DllBase.v() == record[0]]
Example #12
| Source File: process_stack.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def find_entry_point(self, proc_as, start_code):
"""
Read the entry point from the program header.
@param proc_as: Process address space
@param start_code: Start of the program code mapping
@return The address of the entry point (_start)
"""
# entry point lives at ELF header + 0x18
# add it to the memory mapping of the binary
if not proc_as.is_valid_address(start_code+0x18):
# it's gone from memory
debug.info("We could not find program entry point, skipping _start detection")
return False
offset = read_address(proc_as, start_code+0x18)
if offset > start_code:
# it's an absolute address
return offset
else:
# it's a relative offset, i.e. PIE code
return start_code + offset
Example #13
| Source File: process_stack.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def is_return_address(self, address, process_info):
"""
Checks if the address is a return address by checking if the preceding instruction is a 'CALL'.
@param address: An address
@param process_info: process info object
@return True or False
"""
proc_as = process_info.proc_as
size = 5
if distorm_loaded and process_info.is_code_pointer(address):
offset = address - size
instr = distorm3.Decode(offset, proc_as.read(offset, size), self.decode_as)
# last instr, third tuple item (instr string), first 7 letters
# if instr[-1][2][:7] == 'CALL 0x':
# print(instr[-1][2])
if len(instr) > 0:
return instr[-1][2][:4] == 'CALL'
# there's also call <register>
return False
Example #14
| Source File: process_stack.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def find_return_libc_start(self, proc_as, start_stack, return_start):
"""
Scans the stack for a certain address, in this case the return address of __libc_start_main.
@param proc_as: Process address space
@param start_stack: Start address to search
@param return_start: The return address to find
@return The address found or None
"""
address = start_stack
for value in yield_address(proc_as, start_stack, reverse=True):
if value == return_start:
debug.info("Scanned {} stack addresses before finding the __libc_start_main return address".format((start_stack-address)/linux_process_info.address_size))
return address
address -= linux_process_info.address_size
debug.info("Exhausted search for __libc_start_main return address at stack address {:016x}".format(address))
return None
Example #15
| Source File: linux.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def info(self, task):
if self.vm_file:
pgoff = self.vm_pgoff << 12
inode = self.vm_file.dentry.d_inode
if inode and inode.is_valid():
major, minor = inode.i_sb.major, inode.i_sb.minor
ino = inode.i_ino
else:
major, minor, ino = [0] * 3
else:
(major, minor, ino, pgoff) = [0] * 4
fname = self.vm_name(task)
if fname == "Anonymous Mapping":
fname = ""
return fname, major, minor, ino, pgoff
Example #16
| Source File: slab_info.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def get_all_kmem_caches(self):
linux_common.set_plugin_members(self)
cache_chain = self.addr_space.profile.get_symbol("cache_chain")
slab_caches = self.addr_space.profile.get_symbol("slab_caches")
if cache_chain: #slab
caches = obj.Object("list_head", offset = cache_chain, vm = self.addr_space)
listm = "next"
ret = [cache for cache in caches.list_of_type("kmem_cache", listm)]
elif slab_caches: #slub
debug.info("SLUB is currently unsupported.")
ret = []
else:
debug.error("Unknown or unimplemented slab type.")
return ret
Example #17
| Source File: openioc_scan.py From openioc_scan with GNU General Public License v2.0 | 6 votes |
|
def ShimCache_ExecutablePath(self, content, condition, preserve_case):
if not self.util.is_condition_string(condition):
debug.error('{0} condition is not supported in RegistryItem/ShimCache/ExecutablePath'.format(condition))
return False
paths = []
records = []
count = self.util.fetchone_from_db(self.cur, "shimcache", "count(*)")
if count > 0:
paths = self.util.fetchall_from_db(self.cur, "shimcache", "path")
else:
debug.info("[time-consuming task] extracting shimcache registry information...")
for path, modified, updated in shimcache.ShimCache.calculate(self):
path_str ='{0}'.format(path)
records.append((path_str, modified.v()))
if len(records) == 0:
records.append(('dummy', 'dummy')) # insert dummy for done
self.cur.executemany("insert or ignore into shimcache values (?, ?)", records)
paths = [record[0] for record in records]
return self.util.check_strings(paths, content, condition, preserve_case)
Example #18
| Source File: slab_info.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def get_all_kmem_caches(self):
linux_common.set_plugin_members(self)
cache_chain = self.addr_space.profile.get_symbol("cache_chain")
slab_caches = self.addr_space.profile.get_symbol("slab_caches")
if cache_chain: #slab
caches = obj.Object("list_head", offset = cache_chain, vm = self.addr_space)
listm = "next"
ret = [cache for cache in caches.list_of_type("kmem_cache", listm)]
elif slab_caches: #slub
debug.info("SLUB is currently unsupported.")
ret = []
else:
debug.error("Unknown or unimplemented slab type.")
return ret
Example #19
| Source File: openioc_scan.py From openioc_scan with GNU General Public License v2.0 | 6 votes |
|
def extract_privileges(self):
debug.info("[time-consuming task] extracting enabled privilege information... (pid={0})".format(self.process.UniqueProcessId))
records = []
for value, present, enabled, default in self.process.get_token().privileges():
try:
name, desc = PRIVILEGE_INFO[int(value)]
except KeyError:
continue
if enabled:
records.append((self.process.UniqueProcessId.v(), name))
self.cur.executemany("insert or ignore into privs values (?, ?)", records)
self.update_done('privs')
return [record[1] for record in records]
Example #20
| Source File: openioc_scan.py From openioc_scan with GNU General Public License v2.0 | 6 votes |
|
def extract_hooked_APIs(self, is_API=False, is_hookingMod=False):
debug.info("[time-consuming task] extracting hooked APIs... (pid={0})".format(self.process.UniqueProcessId))
process_space = self.process.get_process_address_space()
if not process_space:
return []
module_group = apihooks.ModuleGroup(self.process.get_load_modules())
records = []
for dll in module_group.mods:
if not process_space.is_valid_address(dll.DllBase):
continue
for hook in self.get_hooks(HOOK_MODE_USER, process_space, dll, module_group):
if self.whitelist(hook.hook_mode | hook.hook_type, self.process.ImageFileName.v(), hook.VictimModule, hook.HookModule, hook.Function):
continue
records.append((self.process.UniqueProcessId.v(), hook.Mode, hook.Type, str(dll.BaseDllName or ''), hook.Function, hook.HookModule))
self.cur.executemany("insert or ignore into api_hooked values (?, ?, ?, ?, ?, ?)", records)
self.update_done('api_hooked')
if is_API:
return [record[4] for record in records]
elif is_hookingMod:
return [record[5] for record in records]
Example #21
| Source File: process_stack.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def find_scanned_frames(self, p, address, end):
"""
Find frames by scanning for return addresses.
@param p: process info object
@param address: Start address
@param end: End address
@return: a list of frames
"""
address_size = linux_process_info.address_size
frames = []
debug.info("Scan range (%rsp to end) = (0x{:016x} to 0x{:016x})".format(address, end))
count = 0
while address <= end:
if p.proc_as.is_valid_address(address) and self.is_return_address(read_address(p.proc_as, address, address_size), p):
st = stack_frame(address + address_size, p.proc_as, count)
frames.append(st)
count += 1
address += address_size
return frames
Example #22
| Source File: process_stack.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def find_entry_point(self, proc_as, start_code):
"""
Read the entry point from the program header.
@param proc_as: Process address space
@param start_code: Start of the program code mapping
@return The address of the entry point (_start)
"""
# entry point lives at ELF header + 0x18
# add it to the memory mapping of the binary
if not proc_as.is_valid_address(start_code+0x18):
# it's gone from memory
debug.info("We could not find program entry point, skipping _start detection")
return False
offset = read_address(proc_as, start_code+0x18)
if offset > start_code:
# it's an absolute address
return offset
else:
# it's a relative offset, i.e. PIE code
return start_code + offset
Example #23
| Source File: process_stack.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def is_return_address(self, address, process_info):
"""
Checks if the address is a return address by checking if the preceding instruction is a 'CALL'.
@param address: An address
@param process_info: process info object
@return True or False
"""
proc_as = process_info.proc_as
size = 5
if distorm_loaded and process_info.is_code_pointer(address):
offset = address - size
instr = distorm3.Decode(offset, proc_as.read(offset, size), self.decode_as)
# last instr, third tuple item (instr string), first 7 letters
# if instr[-1][2][:7] == 'CALL 0x':
# print(instr[-1][2])
if len(instr) > 0:
return instr[-1][2][:4] == 'CALL'
# there's also call <register>
return False
Example #24
| Source File: process_stack.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def find_return_libc_start(self, proc_as, start_stack, return_start):
"""
Scans the stack for a certain address, in this case the return address of __libc_start_main.
@param proc_as: Process address space
@param start_stack: Start address to search
@param return_start: The return address to find
@return The address found or None
"""
address = start_stack
for value in yield_address(proc_as, start_stack, reverse=True):
if value == return_start:
debug.info("Scanned {} stack addresses before finding the __libc_start_main return address".format((start_stack-address)/linux_process_info.address_size))
return address
address -= linux_process_info.address_size
debug.info("Exhausted search for __libc_start_main return address at stack address {:016x}".format(address))
return None
Example #25
| Source File: openioc_scan.py From openioc_scan with GNU General Public License v2.0 | 6 votes |
|
def extract_strings(self):
debug.info("[time-consuming task] extracting strings from VADs (pid={0})".format(self.process.UniqueProcessId))
strings = []
for vad, address_space in self.process.get_vads(skip_max_commit = True):
data = self.read_without_zero_page(vad, address_space)
if len(data) == 0:
continue
elif len(data) > READ_BLOCKSIZE:
debug.debug('data size in VAD is more than READ_BLOCKSIZE (pid{0})'.format(self.process.UniqueProcessId))
extracted = list(set(self.util.extract_unicode(data) + self.util.extract_ascii(data)))
strings.extend(extracted)
records = ((self.process.UniqueProcessId.v(), string) for string in strings)
self.cur.executemany("insert or ignore into strings values (?, ?)", records)
self.update_done('strings')
return strings
Example #26
| Source File: slab_info.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def get_all_kmem_caches(self):
linux_common.set_plugin_members(self)
cache_chain = self.addr_space.profile.get_symbol("cache_chain")
slab_caches = self.addr_space.profile.get_symbol("slab_caches")
if cache_chain: #slab
caches = obj.Object("list_head", offset = cache_chain, vm = self.addr_space)
listm = "next"
ret = [cache for cache in caches.list_of_type("kmem_cache", listm)]
elif slab_caches: #slub
debug.info("SLUB is currently unsupported.")
ret = []
else:
debug.error("Unknown or unimplemented slab type.")
return ret
Example #27
| Source File: process_stack.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def find_return_libc_start(self, proc_as, start_stack, return_start):
"""
Scans the stack for a certain address, in this case the return address of __libc_start_main.
@param proc_as: Process address space
@param start_stack: Start address to search
@param return_start: The return address to find
@return The address found or None
"""
address = start_stack
for value in yield_address(proc_as, start_stack, reverse=True):
if value == return_start:
debug.info("Scanned {} stack addresses before finding the __libc_start_main return address".format((start_stack-address)/linux_process_info.address_size))
return address
address -= linux_process_info.address_size
debug.info("Exhausted search for __libc_start_main return address at stack address {:016x}".format(address))
return None
Example #28
| Source File: process_stack.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def is_return_address(self, address, process_info):
"""
Checks if the address is a return address by checking if the preceding instruction is a 'CALL'.
@param address: An address
@param process_info: process info object
@return True or False
"""
proc_as = process_info.proc_as
size = 5
if distorm_loaded and process_info.is_code_pointer(address):
offset = address - size
instr = distorm3.Decode(offset, proc_as.read(offset, size), self.decode_as)
# last instr, third tuple item (instr string), first 7 letters
# if instr[-1][2][:7] == 'CALL 0x':
# print(instr[-1][2])
if len(instr) > 0:
return instr[-1][2][:4] == 'CALL'
# there's also call <register>
return False
Example #29
| Source File: process_stack.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def find_scanned_frames(self, p, address, end):
"""
Find frames by scanning for return addresses.
@param p: process info object
@param address: Start address
@param end: End address
@return: a list of frames
"""
address_size = linux_process_info.address_size
frames = []
debug.info("Scan range (%rsp to end) = (0x{:016x} to 0x{:016x})".format(address, end))
count = 0
while address <= end:
if p.proc_as.is_valid_address(address) and self.is_return_address(read_address(p.proc_as, address, address_size), p):
st = stack_frame(address + address_size, p.proc_as, count)
frames.append(st)
count += 1
address += address_size
return frames
Example #30
| Source File: process_stack.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def find_entry_point(self, proc_as, start_code):
"""
Read the entry point from the program header.
@param proc_as: Process address space
@param start_code: Start of the program code mapping
@return The address of the entry point (_start)
"""
# entry point lives at ELF header + 0x18
# add it to the memory mapping of the binary
if not proc_as.is_valid_address(start_code+0x18):
# it's gone from memory
debug.info("We could not find program entry point, skipping _start detection")
return False
offset = read_address(proc_as, start_code+0x18)
if offset > start_code:
# it's an absolute address
return offset
else:
# it's a relative offset, i.e. PIE code
return start_code + offset
