Python volatility.win32.tasks.pslist() Examples
The following are 30
code examples of volatility.win32.tasks.pslist().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.win32.tasks
, or try the search function
.
.
Example #1
| Source File: sessions.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def find_session_space(self, kernel_space, session_id):
""" Get a session address space by its ID.
@param space: a kernel AS for process enumeration
@param session_id: the session ID to find.
@returns _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
for proc in tasks.pslist(kernel_space):
if proc.SessionId == session_id:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
return obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
return obj.NoneObject("Cannot locate a session")
Example #2
| Source File: cmdhistory.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def cmdhistory_process_filter(self, addr_space):
"""Generator for processes that might contain command
history information.
Takes into account if we're on Windows 7 or an earlier
operator system.
@param addr_space: a kernel address space.
"""
# Detect if we're on windows seven
use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
for task in tasks.pslist(addr_space):
process_name = str(task.ImageFileName).lower()
# The process we select is conhost on Win7 or csrss for others
if ((use_conhost and process_name == "conhost.exe") or
(not use_conhost and process_name == "csrss.exe")):
yield task
Example #3
| Source File: dlldump.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if self._config.OFFSET != None:
data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
else:
data = self.filter_tasks(tasks.pslist(addr_space))
if self._config.REGEX:
try:
if self._config.IGNORE_CASE:
mod_re = re.compile(self._config.REGEX, re.I)
else:
mod_re = re.compile(self._config.REGEX)
except re.error, e:
debug.error('Error parsing regular expression: %s' % e)
Example #4
| Source File: sessions.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def find_session_space(self, kernel_space, session_id):
""" Get a session address space by its ID.
@param space: a kernel AS for process enumeration
@param session_id: the session ID to find.
@returns _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
for proc in tasks.pslist(kernel_space):
if proc.SessionId == session_id:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
return obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
return obj.NoneObject("Cannot locate a session")
Example #5
| Source File: sessions.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def session_spaces(self, kernel_space):
""" Generators unique _MM_SESSION_SPACE objects
referenced by active processes.
@param space: a kernel AS for process enumeration
@yields _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
seen = []
for proc in tasks.pslist(kernel_space):
if proc.SessionId != None and proc.SessionId.v() not in seen:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
seen.append(proc.SessionId.v())
yield obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
Example #6
| Source File: sessions.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def session_spaces(self, kernel_space):
""" Generators unique _MM_SESSION_SPACE objects
referenced by active processes.
@param space: a kernel AS for process enumeration
@yields _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
seen = []
for proc in tasks.pslist(kernel_space):
if proc.SessionId != None and proc.SessionId.v() not in seen:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
seen.append(proc.SessionId.v())
yield obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
Example #7
| Source File: sessions.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def find_session_space(self, kernel_space, session_id):
""" Get a session address space by its ID.
@param space: a kernel AS for process enumeration
@param session_id: the session ID to find.
@returns _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
for proc in tasks.pslist(kernel_space):
if proc.SessionId == session_id:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
return obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
return obj.NoneObject("Cannot locate a session")
Example #8
| Source File: dlldump.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if self._config.DUMP_DIR == None:
debug.error("Please specify a dump directory (--dump-dir)")
if not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
if self._config.OFFSET != None:
data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
else:
data = self.filter_tasks(tasks.pslist(addr_space))
if self._config.REGEX:
try:
if self._config.IGNORE_CASE:
mod_re = re.compile(self._config.REGEX, re.I)
else:
mod_re = re.compile(self._config.REGEX)
except re.error, e:
debug.error('Error parsing regular expression: %s' % e)
Example #9
| Source File: cmdhistory.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def cmdhistory_process_filter(self, addr_space):
"""Generator for processes that might contain command
history information.
Takes into account if we're on Windows 7 or an earlier
operator system.
@param addr_space: a kernel address space.
"""
# Detect if we're on windows seven
use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
for task in tasks.pslist(addr_space):
process_name = str(task.ImageFileName).lower()
# The process we select is conhost on Win7 or csrss for others
if ((use_conhost and process_name == "conhost.exe") or
(not use_conhost and process_name == "csrss.exe")):
yield task
Example #10
| Source File: cmdhistory.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def cmdhistory_process_filter(self, addr_space):
"""Generator for processes that might contain command
history information.
Takes into account if we're on Windows 7 or an earlier
operator system.
@param addr_space: a kernel address space.
"""
# Detect if we're on windows seven
use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
for task in tasks.pslist(addr_space):
process_name = str(task.ImageFileName).lower()
# The process we select is conhost on Win7 or csrss for others
if ((use_conhost and process_name == "conhost.exe") or
(not use_conhost and process_name == "csrss.exe")):
yield task
Example #11
| Source File: psempire.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
# For each process in the list
for task in self.filter_tasks(tasks.pslist(addr_space)):
# print task.ImageFileName
for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
# Injected code detected if there's values returned
rules = yara.compile(sources = signatures)
scanner = malfind.VadYaraScanner(task = task, rules = rules)
# print 'before'
for hit, address in scanner.scan():
vad_base_addr = self.get_vad_base(task, address)
# Get a chuck of memory of size 2048 next to where the string was detected
content = address_space.zread(address, 2048)
yield task, address, vad_base_addr, content
break
# break # Show only 1 instance of detected injection per process
Example #12
| Source File: dlldump.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if self._config.DUMP_DIR == None:
debug.error("Please specify a dump directory (--dump-dir)")
if not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
if self._config.OFFSET != None:
data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
else:
data = self.filter_tasks(tasks.pslist(addr_space))
if self._config.REGEX:
try:
if self._config.IGNORE_CASE:
mod_re = re.compile(self._config.REGEX, re.I)
else:
mod_re = re.compile(self._config.REGEX)
except re.error, e:
debug.error('Error parsing regular expression: %s' % e)
Example #13
| Source File: dlldump.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if self._config.OFFSET != None:
data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
else:
data = self.filter_tasks(tasks.pslist(addr_space))
if self._config.REGEX:
try:
if self._config.IGNORE_CASE:
mod_re = re.compile(self._config.REGEX, re.I)
else:
mod_re = re.compile(self._config.REGEX)
except re.error, e:
debug.error('Error parsing regular expression: %s' % e)
Example #14
| Source File: sessions.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def find_session_space(self, kernel_space, session_id):
""" Get a session address space by its ID.
@param space: a kernel AS for process enumeration
@param session_id: the session ID to find.
@returns _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
for proc in tasks.pslist(kernel_space):
if proc.SessionId == session_id:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
return obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
return obj.NoneObject("Cannot locate a session")
Example #15
| Source File: dlldump.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if self._config.DUMP_DIR == None:
debug.error("Please specify a dump directory (--dump-dir)")
if not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
if self._config.OFFSET != None:
data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
else:
data = self.filter_tasks(tasks.pslist(addr_space))
if self._config.REGEX:
try:
if self._config.IGNORE_CASE:
mod_re = re.compile(self._config.REGEX, re.I)
else:
mod_re = re.compile(self._config.REGEX)
except re.error, e:
debug.error('Error parsing regular expression: %s' % e)
Example #16
| Source File: poisonivy.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
rules = yara.compile(sources = signatures)
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
vad_base_addr = self.get_vad_base(task, address)
if address - vad_base_addr > 0x1000:
continue
yield task, vad_base_addr
Example #17
| Source File: sessions.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def session_spaces(self, kernel_space):
""" Generators unique _MM_SESSION_SPACE objects
referenced by active processes.
@param space: a kernel AS for process enumeration
@yields _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
seen = []
for proc in tasks.pslist(kernel_space):
if proc.SessionId != None and proc.SessionId.v() not in seen:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
seen.append(proc.SessionId.v())
yield obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
Example #18
| Source File: sessions.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def session_spaces(self, kernel_space):
""" Generators unique _MM_SESSION_SPACE objects
referenced by active processes.
@param space: a kernel AS for process enumeration
@yields _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
seen = []
for proc in tasks.pslist(kernel_space):
if proc.SessionId != None and proc.SessionId.v() not in seen:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
seen.append(proc.SessionId.v())
yield obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
Example #19
| Source File: sessions.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def find_session_space(self, kernel_space, session_id):
""" Get a session address space by its ID.
@param space: a kernel AS for process enumeration
@param session_id: the session ID to find.
@returns _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
for proc in tasks.pslist(kernel_space):
if proc.SessionId == session_id:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
return obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
return obj.NoneObject("Cannot locate a session")
Example #20
| Source File: cmdhistory.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def cmdhistory_process_filter(self, addr_space):
"""Generator for processes that might contain command
history information.
Takes into account if we're on Windows 7 or an earlier
operator system.
@param addr_space: a kernel address space.
"""
# Detect if we're on windows seven
use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
for task in tasks.pslist(addr_space):
process_name = str(task.ImageFileName).lower()
# The process we select is conhost on Win7 or csrss for others
if ((use_conhost and process_name == "conhost.exe") or
(not use_conhost and process_name == "csrss.exe")):
yield task
Example #21
| Source File: cmdhistory.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def cmdhistory_process_filter(self, addr_space):
"""Generator for processes that might contain command
history information.
Takes into account if we're on Windows 7 or an earlier
operator system.
@param addr_space: a kernel address space.
"""
# Detect if we're on windows seven
use_conhost = (6, 1) <= (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
for task in tasks.pslist(addr_space):
process_name = str(task.ImageFileName).lower()
# The process we select is conhost on Win7 or csrss for others
if ((use_conhost and process_name == "conhost.exe") or
(not use_conhost and process_name == "csrss.exe")):
yield task
Example #22
| Source File: sessions.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def session_spaces(self, kernel_space):
""" Generators unique _MM_SESSION_SPACE objects
referenced by active processes.
@param space: a kernel AS for process enumeration
@yields _MM_SESSION_SPACE instantiated from the
session space native_vm.
"""
seen = []
for proc in tasks.pslist(kernel_space):
if proc.SessionId != None and proc.SessionId.v() not in seen:
ps_ad = proc.get_process_address_space()
if ps_ad != None:
seen.append(proc.SessionId.v())
yield obj.Object("_MM_SESSION_SPACE",
offset = proc.Session.v(), vm = ps_ad)
Example #23
| Source File: malfind.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def _scan_kernel_memory(self, addr_space, rules):
# Find KDBG so we know where kernel memory begins. Do not assume
# the starting range is 0x80000000 because we may be dealing with
# an image with the /3GB boot switch.
kdbg = tasks.get_kdbg(addr_space)
start = kdbg.MmSystemRangeStart.dereference_as("Pointer")
# Modules so we can map addresses to owners
mods = dict((addr_space.address_mask(mod.DllBase), mod)
for mod in modules.lsmod(addr_space))
mod_addrs = sorted(mods.keys())
# There are multiple views (GUI sessions) of kernel memory.
# Since we're scanning virtual memory and not physical,
# all sessions must be scanned for full coverage. This
# really only has a positive effect if the data you're
# searching for is in GUI memory.
sessions = []
for proc in tasks.pslist(addr_space):
sid = proc.SessionId
# Skip sessions we've already seen
if sid == None or sid in sessions:
continue
session_space = proc.get_process_address_space()
if session_space == None:
continue
sessions.append(sid)
scanner = DiscontigYaraScanner(address_space = session_space,
rules = rules)
for hit, address in scanner.scan(start_offset = start):
module = tasks.find_module(mods, mod_addrs, addr_space.address_mask(address))
yield (module, address, hit, session_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #24
| Source File: malfind.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def _scan_process_memory(self, addr_space, rules):
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
yield (task, address, hit, scanner.address_space.zread(address - self._config.REVERSE, self._config.SIZE))
Example #25
| Source File: evtlogs.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This plugin only works on XP and 2003")
## When verbose is specified, we recalculate the list of SIDs for
## services in the registry. Otherwise, we take the list from the
## pre-populated dictionary in getservicesids.py
if self._config.VERBOSE:
ssids = getservicesids.GetServiceSids(self._config).calculate()
for sid, service in ssids:
self.extrasids[sid] = " (Service: " + service + ")"
else:
for sid, service in getservicesids.servicesids.items():
self.extrasids[sid] = " (Service: " + service + ")"
## Get the user's SIDs from the registry
self.load_user_sids()
for proc in tasks.pslist(addr_space):
if str(proc.ImageFileName).lower() == "services.exe":
for vad, process_space in proc.get_vads(vad_filter = proc._mapped_file_filter):
if vad.FileObject.FileName:
name = str(vad.FileObject.FileName).lower()
if name.endswith(".evt"):
## Maybe check the length is reasonable, though probably there won't
## ever be event logs that are multiple GB or TB in size.
data = process_space.zread(vad.Start, vad.Length)
yield name, data
Example #26
| Source File: psxview.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
if self._config.OUTPUT == "xlsx" and not has_openpyxl:
debug.error("You must install OpenPyxl 2.1.2 for xlsx format:\n\thttps://pypi.python.org/pypi/openpyxl")
elif self._config.OUTPUT == "xlsx" and not self._config.OUTPUT_FILE:
debug.error("You must specify an output *.xlsx file!\n\t(Example: --output-file=OUTPUT.xlsx)")
addr_space = utils.load_as(self._config)
all_tasks = list(tasks.pslist(addr_space))
ps_sources = {}
# The keys are names of process sources. The values
# are dictionaries whose keys are physical process
# offsets and the values are _EPROCESS objects.
ps_sources['pslist'] = self.check_pslist(all_tasks)
ps_sources['psscan'] = self.check_psscan()
ps_sources['thrdproc'] = self.check_thrdproc(addr_space)
ps_sources['csrss'] = self.check_csrss_handles(all_tasks)
ps_sources['pspcid'] = self.check_pspcid(addr_space)
ps_sources['session'] = self.check_sessions(addr_space)
ps_sources['deskthrd'] = self.check_desktop_thread(addr_space)
# Build a list of offsets from all sources
seen_offsets = []
for source in ps_sources.values():
for offset in source.keys():
if offset not in seen_offsets:
seen_offsets.append(offset)
yield offset, source[offset], ps_sources
Example #27
| Source File: psxview.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def unified_output(self, data):
return TreeGrid([("Offset(P)", Address),
("Name", str),
("PID", int),
("pslist", str),
("psscan", str),
("thrdproc", str),
("pspcid", str),
("csrss", str),
("session", str),
("deskthrd", str),
("ExitTime", str)],
self.generator(data))
Example #28
| Source File: enumfunc.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
tasklist = []
modslist = []
if self._config.SCAN:
if not self._config.KERNEL_ONLY:
for t in filescan.PSScan(self._config).calculate():
v = self.virtual_process_from_physical_offset(addr_space, t.obj_offset)
if v:
tasklist.append(v)
if not self._config.PROCESS_ONLY:
modslist = [m for m in modscan.ModScan(self._config).calculate()]
else:
if not self._config.KERNEL_ONLY:
tasklist = [t for t in tasks.pslist(addr_space)]
if not self._config.PROCESS_ONLY:
modslist = [m for m in modules.lsmod(addr_space)]
for task in tasklist:
for mod in task.get_load_modules():
yield task, mod
for mod in modslist:
yield None, mod
Example #29
| Source File: evtlogs.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This plugin only works on XP and 2003")
## When verbose is specified, we recalculate the list of SIDs for
## services in the registry. Otherwise, we take the list from the
## pre-populated dictionary in getservicesids.py
if self._config.VERBOSE:
ssids = getservicesids.GetServiceSids(self._config).calculate()
for sid, service in ssids:
self.extrasids[sid] = " (Service: " + service + ")"
else:
for sid, service in getservicesids.servicesids.items():
self.extrasids[sid] = " (Service: " + service + ")"
## Get the user's SIDs from the registry
self.load_user_sids()
for proc in tasks.pslist(addr_space):
if str(proc.ImageFileName).lower() == "services.exe":
for vad, process_space in proc.get_vads(vad_filter = proc._mapped_file_filter):
if vad.FileObject.FileName:
name = str(vad.FileObject.FileName).lower()
if name.endswith(".evt"):
## Maybe check the length is reasonable, though probably there won't
## ever be event logs that are multiple GB or TB in size.
data = process_space.zread(vad.Start, vad.Length)
yield name, data
Example #30
| Source File: psxview.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
if self._config.OUTPUT == "xlsx" and not has_openpyxl:
debug.error("You must install OpenPyxl for xlsx format:\n\thttps://bitbucket.org/ericgazoni/openpyxl/wiki/Home")
elif self._config.OUTPUT == "xlsx" and not self._config.OUTPUT_FILE:
debug.error("You must specify an output *.xlsx file!\n\t(Example: --output-file=OUTPUT.xlsx)")
addr_space = utils.load_as(self._config)
all_tasks = list(tasks.pslist(addr_space))
ps_sources = {}
# The keys are names of process sources. The values
# are dictionaries whose keys are physical process
# offsets and the values are _EPROCESS objects.
ps_sources['pslist'] = self.check_pslist(all_tasks)
ps_sources['psscan'] = self.check_psscan()
ps_sources['thrdproc'] = self.check_thrdproc(addr_space)
ps_sources['csrss'] = self.check_csrss_handles(all_tasks)
ps_sources['pspcid'] = self.check_pspcid(addr_space)
ps_sources['session'] = self.check_sessions(addr_space)
ps_sources['deskthrd'] = self.check_desktop_thread(addr_space)
# Build a list of offsets from all sources
seen_offsets = []
for source in ps_sources.values():
for offset in source.keys():
if offset not in seen_offsets:
seen_offsets.append(offset)
yield offset, source[offset], ps_sources
