Python volatility.win32.tasks.find_space() Examples
The following are 14 code examples of volatility.win32.tasks.find_space().
Example #1
Source File: moddump.py From aumfor with GNU General Public License v3.0 | 6 votes |
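def render_text(self, outfd, data):
    """Dump every kernel module produced by calculate() into --dump-dir and print a result table.

    Args:
        outfd: output stream the table is written to.
        data: iterable of (addr_space, procs, mod_base, mod_name) tuples.

    Side effects:
        Writes one driver.<base>.sys file per module through self.dump_pe();
        a missing or invalid --dump-dir is reported through debug.error().
    """
    dump_dir = self._config.DUMP_DIR
    # `is None`, not `== None`: identity is the correct test for the unset option.
    if dump_dir is None:
        debug.error("Please specify a dump directory (--dump-dir)")
    if not os.path.isdir(dump_dir):
        debug.error("{0} is not a directory".format(dump_dir))

    self.table_header(outfd, [("Module Base", "[addrpad]"),
                              ("Module Name", "20"),
                              ("Result", "")])

    for addr_space, procs, mod_base, mod_name in data:
        # find_space() also tries each process's address space, because some
        # modules are not readable from the kernel address space alone.
        space = tasks.find_space(addr_space, procs, mod_base)
        if space is None:
            result = "Error: Cannot acquire AS"
        else:
            # The output name is derived from the integer base address only, so
            # the module name read from the image never influences the path.
            dump_file = "driver.{0:x}.sys".format(mod_base)
            result = self.dump_pe(space, mod_base, dump_file)
        self.table_row(outfd, mod_base, mod_name, result)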
Example #2
Source File: moddump.py From volatility with GNU General Public License v2.0 | 6 votes |
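def render_text(self, outfd, data):
    """Dump every kernel module produced by calculate() into --dump-dir and print a result table.

    Args:
        outfd: output stream the table is written to.
        data: iterable of (addr_space, procs, mod_base, mod_name) tuples.

    Side effects:
        Writes one driver.<base>.sys file per module through self.dump_pe();
        a missing or invalid --dump-dir is reported through debug.error().
    """
    dump_dir = self._config.DUMP_DIR
    # `is None`, not `== None`: identity is the correct test for the unset option.
    if dump_dir is None:
        debug.error("Please specify a dump directory (--dump-dir)")
    if not os.path.isdir(dump_dir):
        debug.error("{0} is not a directory".format(dump_dir))

    self.table_header(outfd, [("Module Base", "[addrpad]"),
                              ("Module Name", "20"),
                              ("Result", "")])

    for addr_space, procs, mod_base, mod_name in data:
        # find_space() also tries each process's address space, because some
        # modules are not readable from the kernel address space alone.
        space = tasks.find_space(addr_space, procs, mod_base)
        if space is None:
            result = "Error: Cannot acquire AS"
        else:
            # The output name is derived from the integer base address only, so
            # the module name read from the image never influences the path.
            dump_file = "driver.{0:x}.sys".format(mod_base)
            result = self.dump_pe(space, mod_base, dump_file)
        self.table_row(outfd, mod_base, mod_name, result)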
Example #3
Source File: moddump.py From DAMM with GNU General Public License v2.0 | 6 votes |
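def render_text(self, outfd, data):
    """Dump every kernel module produced by calculate() into --dump-dir and print a result table.

    Args:
        outfd: output stream the table is written to.
        data: iterable of (addr_space, procs, mod_base, mod_name) tuples.

    Side effects:
        Writes one driver.<base>.sys file per module through self.dump_pe();
        a missing or invalid --dump-dir is reported through debug.error().
    """
    dump_dir = self._config.DUMP_DIR
    # `is None`, not `== None`: identity is the correct test for the unset option.
    if dump_dir is None:
        debug.error("Please specify a dump directory (--dump-dir)")
    if not os.path.isdir(dump_dir):
        debug.error("{0} is not a directory".format(dump_dir))

    self.table_header(outfd, [("Module Base", "[addrpad]"),
                              ("Module Name", "20"),
                              ("Result", "")])

    for addr_space, procs, mod_base, mod_name in data:
        # find_space() also tries each process's address space, because some
        # modules are not readable from the kernel address space alone.
        space = tasks.find_space(addr_space, procs, mod_base)
        if space is None:
            result = "Error: Cannot acquire AS"
        else:
            # The output name is derived from the integer base address only, so
            # the module name read from the image never influences the path.
            dump_file = "driver.{0:x}.sys".format(mod_base)
            result = self.dump_pe(space, mod_base, dump_file)
        self.table_row(outfd, mod_base, mod_name, result)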
Example #4
Source File: moddump.py From volatility with GNU General Public License v2.0 | 6 votes |
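def render_text(self, outfd, data):
    """Dump every kernel module produced by calculate() into --dump-dir and print a result table.

    Args:
        outfd: output stream the table is written to.
        data: iterable of (addr_space, procs, mod_base, mod_name) tuples.

    Side effects:
        Writes one driver.<base>.sys file per module through self.dump_pe();
        a missing or invalid --dump-dir is reported through debug.error().
    """
    dump_dir = self._config.DUMP_DIR
    # `is None`, not `== None`: identity is the correct test for the unset option.
    if dump_dir is None:
        debug.error("Please specify a dump directory (--dump-dir)")
    if not os.path.isdir(dump_dir):
        debug.error("{0} is not a directory".format(dump_dir))

    self.table_header(outfd, [("Module Base", "[addrpad]"),
                              ("Module Name", "20"),
                              ("Result", "")])

    for addr_space, procs, mod_base, mod_name in data:
        # find_space() also tries each process's address space, because some
        # modules are not readable from the kernel address space alone.
        space = tasks.find_space(addr_space, procs, mod_base)
        if space is None:
            result = "Error: Cannot acquire AS"
        else:
            # The output name is derived from the integer base address only, so
            # the module name read from the image never influences the path.
            dump_file = "driver.{0:x}.sys".format(mod_base)
            result = self.dump_pe(space, mod_base, dump_file)
        self.table_row(outfd, mod_base, mod_name, result)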
Example #5
Source File: moddump.py From aumfor with GNU General Public License v3.0 | 5 votes |
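def generator(self, data):
    """Yield one unified-output row per kernel module, dumping each module on the way.

    Args:
        data: iterable of (addr_space, procs, mod_base, mod_name) tuples.

    Yields:
        (0, [Address(mod_base), name, result]) where result is what
        self.dump_pe() returned, or an error string when no address space
        can read mod_base.
    """
    for addr_space, procs, mod_base, mod_name in data:
        # find_space() falls back to per-process address spaces for modules
        # that are not readable from the kernel address space alone.
        space = tasks.find_space(addr_space, procs, mod_base)
        # `is None` (identity) rather than `== None`.
        if space is None:
            result = "Error: Cannot acquire AS"
        else:
            # File name built from the integer base address only; the module
            # name taken from the image never reaches the output path.
            dump_file = "driver.{0:x}.sys".format(mod_base)
            result = self.dump_pe(space, mod_base, dump_file)
        yield (0, [Address(mod_base), str(mod_name), str(result)])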
Example #6
Source File: moddump.py From volatility with GNU General Public License v2.0 | 5 votes |
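def generator(self, data):
    """Yield one unified-output row per kernel module, dumping each module on the way.

    Args:
        data: iterable of (addr_space, procs, mod_base, mod_name) tuples.

    Yields:
        (0, [Address(mod_base), name, result]) where result is what
        self.dump_pe() returned, or an error string when no address space
        can read mod_base.
    """
    for addr_space, procs, mod_base, mod_name in data:
        # find_space() falls back to per-process address spaces for modules
        # that are not readable from the kernel address space alone.
        space = tasks.find_space(addr_space, procs, mod_base)
        # `is None` (identity) rather than `== None`.
        if space is None:
            result = "Error: Cannot acquire AS"
        else:
            # File name built from the integer base address only; the module
            # name taken from the image never reaches the output path.
            dump_file = "driver.{0:x}.sys".format(mod_base)
            result = self.dump_pe(space, mod_base, dump_file)
        yield (0, [Address(mod_base), str(mod_name), str(result)])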
Example #7
Source File: moddump.py From vortessence with GNU General Public License v2.0 | 5 votes |
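def generator(self, data):
    """Yield one unified-output row per kernel module, dumping each module on the way.

    Args:
        data: iterable of (addr_space, procs, mod_base, mod_name) tuples.

    Yields:
        (0, [Address(mod_base), name, result]) where result is what
        self.dump_pe() returned, or an error string when no address space
        can read mod_base.
    """
    for addr_space, procs, mod_base, mod_name in data:
        # find_space() falls back to per-process address spaces for modules
        # that are not readable from the kernel address space alone.
        space = tasks.find_space(addr_space, procs, mod_base)
        # `is None` (identity) rather than `== None`.
        if space is None:
            result = "Error: Cannot acquire AS"
        else:
            # File name built from the integer base address only; the module
            # name taken from the image never reaches the output path.
            dump_file = "driver.{0:x}.sys".format(mod_base)
            result = self.dump_pe(space, mod_base, dump_file)
        yield (0, [Address(mod_base), str(mod_name), str(result)])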
Example #8
Source File: openioc_scan.py From openioc_scan with GNU General Public License v2.0 | 5 votes |
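def get_data(self):
    """Return the kernel module's image bytes, going through an on-disk cache.

    Returns:
        (base_address, size_to_read, data): the module base, the number of
        bytes that were (or would be) read, and the image bytes — "" when
        they could not be obtained.

    The cache file under g_cache_path is keyed only by the module's base
    address, so it is assumed to be scoped to a single memory image.
    """
    base_address = self.kmod.DllBase
    size_to_read = self.kmod.SizeOfImage
    data = ""
    # Cache key is the integer base address, not the module name read from the
    # image, so the resulting path cannot escape g_cache_path.
    mod_filepath = os.path.join(g_cache_path, 'kmod_0x{0:x}'.format(self.kmod.DllBase)) + '.sys'
    mod_ident = 'kernel module name={0} base=0x{1:x}'.format(str(self.kmod.BaseDllName or ''), self.kmod.DllBase)

    if os.path.exists(mod_filepath):
        with open(mod_filepath, 'rb') as f:
            data = f.read()
        return base_address, size_to_read, data

    if not size_to_read:
        # No SizeOfImage in the loader entry: fall back to the PE optional header.
        pefile = obj.Object("_IMAGE_DOS_HEADER", offset = base_address, vm = self.kernel_space)
        try:
            nt_header = pefile.get_nt_header()
            size_to_read = nt_header.OptionalHeader.SizeOfImage
        except ValueError:
            # Header unreadable/unparseable: best effort, reported just below.
            pass
    if not size_to_read:
        debug.warning('cannot get size info ({0})'.format(mod_ident))

    procs = list(tasks.pslist(self.kernel_space))
    # Some drivers (e.g. win32k.sys) are only readable through a particular
    # process's address space, hence the search across all processes.
    kernel_space = tasks.find_space(self.kernel_space, procs, base_address)
    if not kernel_space:
        debug.warning('Cannot read supplied address ({0})'.format(mod_ident))
    else:
        data = kernel_space.zread(base_address, size_to_read)
        # Persist only a non-empty read: caching "" (e.g. when size_to_read is 0)
        # would make every later run return empty data from the cache without
        # retrying the read or warning.
        if data:
            with open(mod_filepath, 'wb') as f:
                f.write(data)
    return base_address, size_to_read, data
# based on impscan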
Example #9
Source File: ssdt.py From aumfor with GNU General Public License v3.0 | 4 votes |
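def calculate(self):
    """Collect every SSDT referenced by the image and yield each one with a readable address space.

    Yields:
        (idx, table, n, vm, mods, mod_addrs): the descriptor's index within its
        _SERVICE_DESCRIPTOR_TABLE, the KiServiceTable address, its ServiceLimit,
        an address space that can read the table, and the loaded-module map
        (masked DllBase -> module) with its sorted keys for later attribution.
    """
    addr_space = utils.load_as(self._config)
    ## Get a sorted list of module addresses
    mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
    mod_addrs = sorted(mods.keys())

    ssdts = set()
    if addr_space.profile.metadata.get('memory_model', '32bit') == '32bit':
        # Gather up all SSDTs referenced by threads: every table any thread's
        # Tcb.ServiceTable points at is collected, not only the one nt exports.
        print("[x86] Gathering all referenced SSDTs from KTHREADs...")
        for proc in tasks.pslist(addr_space):
            for thread in proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry"):
                ssdt_obj = thread.Tcb.ServiceTable.dereference_as('_SERVICE_DESCRIPTOR_TABLE')
                ssdts.add(ssdt_obj)
    else:
        print("[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable...")
        # The NT module always loads first
        ntos = list(modules.lsmod(addr_space))[0]
        func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
        if func_rva is None:
            # Plain return instead of `raise StopIteration(...)`: inside a generator
            # that raise becomes a RuntimeError under PEP 479, and its message was
            # swallowed by the iteration machinery anyway, so report it explicitly.
            debug.warning("Cannot locate KeAddSystemServiceTable")
            return
        KeAddSystemServiceTable = ntos.DllBase + func_rva
        for table_rva in find_tables(KeAddSystemServiceTable, addr_space):
            ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE", ntos.DllBase + table_rva, addr_space)
            ssdts.add(ssdt_obj)

    # Get a list of *unique* SSDT entries. Typically we see only two.
    tables = set()
    for ssdt_obj in ssdts:
        for i, desc in enumerate(ssdt_obj.Descriptors):
            # Apply some extra checks - KiServiceTable should reside in kernel memory
            # (above 0x80000000) and ServiceLimit should be greater than 0 but not
            # unbelievably high. The first descriptor that fails ends this table's walk.
            if (not desc.is_valid() or desc.ServiceLimit <= 0
                    or desc.ServiceLimit >= 0xFFFF or desc.KiServiceTable <= 0x80000000):
                break
            tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))

    print("Finding appropriate address space for tables...")
    tables_with_vm = []
    procs = list(tasks.pslist(addr_space))
    for idx, table, n in tables:
        # find_space() also tries each process's address space for tables that
        # are not readable from the kernel address space alone.
        vm = tasks.find_space(addr_space, procs, table)
        if vm:
            tables_with_vm.append((idx, table, n, vm))
        else:
            debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))
    for idx, table, n, vm in sorted(tables_with_vm, key = itemgetter(0)):
        yield idx, table, n, vm, mods, mod_addrs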
Example #10
Source File: ssdt.py From volatility with GNU General Public License v2.0 | 4 votes |
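def calculate(self):
    """Collect every SSDT referenced by the image and yield each one with a readable address space.

    Yields:
        (idx, table, n, vm, mods, mod_addrs): the descriptor's index within its
        _SERVICE_DESCRIPTOR_TABLE, the KiServiceTable address, its ServiceLimit,
        an address space that can read the table, and the loaded-module map
        (masked DllBase -> module) with its sorted keys for later attribution.
    """
    addr_space = utils.load_as(self._config)
    ## Get a sorted list of module addresses
    mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
    mod_addrs = sorted(mods.keys())

    ssdts = set()
    if addr_space.profile.metadata.get('memory_model', '32bit') == '32bit':
        # Gather up all SSDTs referenced by threads: every table any thread's
        # Tcb.ServiceTable points at is collected, not only the one nt exports.
        print("[x86] Gathering all referenced SSDTs from KTHREADs...")
        for proc in tasks.pslist(addr_space):
            for thread in proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry"):
                ssdt_obj = thread.Tcb.ServiceTable.dereference_as('_SERVICE_DESCRIPTOR_TABLE')
                ssdts.add(ssdt_obj)
    else:
        print("[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable...")
        # The NT module always loads first
        ntos = list(modules.lsmod(addr_space))[0]
        func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
        if func_rva is None:
            # Plain return instead of `raise StopIteration(...)`: inside a generator
            # that raise becomes a RuntimeError under PEP 479, and its message was
            # swallowed by the iteration machinery anyway, so report it explicitly.
            debug.warning("Cannot locate KeAddSystemServiceTable")
            return
        KeAddSystemServiceTable = ntos.DllBase + func_rva
        # This find_tables() variant takes the nt base and yields absolute addresses.
        for table_addr in find_tables(ntos.DllBase, KeAddSystemServiceTable, addr_space):
            ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE", table_addr, addr_space)
            ssdts.add(ssdt_obj)

    # Get a list of *unique* SSDT entries. Typically we see only two.
    tables = set()
    for ssdt_obj in ssdts:
        for i, desc in enumerate(ssdt_obj.Descriptors):
            # Apply some extra checks - KiServiceTable should reside in kernel memory
            # (above 0x80000000) and ServiceLimit should be greater than 0 but not
            # unbelievably high (this version caps it at 2048). The first descriptor
            # that fails ends this table's walk.
            if (not desc.is_valid() or desc.ServiceLimit <= 0
                    or desc.ServiceLimit >= 2048 or desc.KiServiceTable <= 0x80000000):
                break
            tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))

    print("Finding appropriate address space for tables...")
    tables_with_vm = []
    procs = list(tasks.pslist(addr_space))
    for idx, table, n in tables:
        # find_space() also tries each process's address space for tables that
        # are not readable from the kernel address space alone.
        vm = tasks.find_space(addr_space, procs, table)
        if vm:
            tables_with_vm.append((idx, table, n, vm))
        else:
            debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))
    for idx, table, n, vm in sorted(tables_with_vm, key = itemgetter(0)):
        yield idx, table, n, vm, mods, mod_addrs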
Example #11
Source File: ssdt.py From vortessence with GNU General Public License v2.0 | 4 votes |
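def calculate(self):
    """Collect every SSDT referenced by the image and yield each one with a readable address space.

    Yields:
        (idx, table, n, vm, mods, mod_addrs): the descriptor's index within its
        _SERVICE_DESCRIPTOR_TABLE, the KiServiceTable address, its ServiceLimit,
        an address space that can read the table, and the loaded-module map
        (masked DllBase -> module) with its sorted keys for later attribution.
    """
    addr_space = utils.load_as(self._config)
    ## Get a sorted list of module addresses
    mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
    mod_addrs = sorted(mods.keys())

    ssdts = set()
    if addr_space.profile.metadata.get('memory_model', '32bit') == '32bit':
        # Gather up all SSDTs referenced by threads: every table any thread's
        # Tcb.ServiceTable points at is collected, not only the one nt exports.
        print("[x86] Gathering all referenced SSDTs from KTHREADs...")
        for proc in tasks.pslist(addr_space):
            for thread in proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry"):
                ssdt_obj = thread.Tcb.ServiceTable.dereference_as('_SERVICE_DESCRIPTOR_TABLE')
                ssdts.add(ssdt_obj)
    else:
        print("[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable...")
        # The NT module always loads first
        ntos = list(modules.lsmod(addr_space))[0]
        func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
        if func_rva is None:
            # Plain return instead of `raise StopIteration(...)`: inside a generator
            # that raise becomes a RuntimeError under PEP 479, and its message was
            # swallowed by the iteration machinery anyway, so report it explicitly.
            debug.warning("Cannot locate KeAddSystemServiceTable")
            return
        KeAddSystemServiceTable = ntos.DllBase + func_rva
        for table_rva in find_tables(KeAddSystemServiceTable, addr_space):
            ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE", ntos.DllBase + table_rva, addr_space)
            ssdts.add(ssdt_obj)

    # Get a list of *unique* SSDT entries. Typically we see only two.
    tables = set()
    for ssdt_obj in ssdts:
        for i, desc in enumerate(ssdt_obj.Descriptors):
            # Apply some extra checks - KiServiceTable should reside in kernel memory
            # (above 0x80000000) and ServiceLimit should be greater than 0 but not
            # unbelievably high. Descriptors that fail are skipped, not terminal.
            if (desc.is_valid() and desc.ServiceLimit > 0
                    and desc.ServiceLimit < 0xFFFF and desc.KiServiceTable > 0x80000000):
                tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))

    print("Finding appropriate address space for tables...")
    tables_with_vm = []
    procs = list(tasks.pslist(addr_space))
    for idx, table, n in tables:
        # find_space() also tries each process's address space for tables that
        # are not readable from the kernel address space alone.
        vm = tasks.find_space(addr_space, procs, table)
        if vm:
            tables_with_vm.append((idx, table, n, vm))
        else:
            debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))
    for idx, table, n, vm in sorted(tables_with_vm, key = itemgetter(0)):
        yield idx, table, n, vm, mods, mod_addrs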
Example #12
Source File: ssdt.py From DAMM with GNU General Public License v2.0 | 4 votes |
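def calculate(self):
    """Collect every SSDT referenced by the image and yield each one with a readable address space.

    Yields:
        (idx, table, n, vm, mods, mod_addrs): the descriptor's index within its
        _SERVICE_DESCRIPTOR_TABLE, the KiServiceTable address, its ServiceLimit,
        an address space that can read the table, and the loaded-module map
        (masked DllBase -> module) with its sorted keys for later attribution.
    """
    addr_space = utils.load_as(self._config)
    ## Get a sorted list of module addresses
    mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
    mod_addrs = sorted(mods.keys())

    ssdts = set()
    if addr_space.profile.metadata.get('memory_model', '32bit') == '32bit':
        # Gather up all SSDTs referenced by threads: every table any thread's
        # Tcb.ServiceTable points at is collected, not only the one nt exports.
        print("[x86] Gathering all referenced SSDTs from KTHREADs...")
        for proc in tasks.pslist(addr_space):
            for thread in proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry"):
                ssdt_obj = thread.Tcb.ServiceTable.dereference_as('_SERVICE_DESCRIPTOR_TABLE')
                ssdts.add(ssdt_obj)
    else:
        print("[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable...")
        # The NT module always loads first
        ntos = list(modules.lsmod(addr_space))[0]
        func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
        if func_rva is None:
            # Plain return instead of `raise StopIteration(...)`: inside a generator
            # that raise becomes a RuntimeError under PEP 479, and its message was
            # swallowed by the iteration machinery anyway, so report it explicitly.
            debug.warning("Cannot locate KeAddSystemServiceTable")
            return
        KeAddSystemServiceTable = ntos.DllBase + func_rva
        for table_rva in find_tables(KeAddSystemServiceTable, addr_space):
            ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE", ntos.DllBase + table_rva, addr_space)
            ssdts.add(ssdt_obj)

    # Get a list of *unique* SSDT entries. Typically we see only two.
    tables = set()
    for ssdt_obj in ssdts:
        for i, desc in enumerate(ssdt_obj.Descriptors):
            # Apply some extra checks - KiServiceTable should reside in kernel memory
            # (above 0x80000000) and ServiceLimit should be greater than 0 but not
            # unbelievably high. Descriptors that fail are skipped, not terminal.
            if (desc.is_valid() and desc.ServiceLimit > 0
                    and desc.ServiceLimit < 0xFFFF and desc.KiServiceTable > 0x80000000):
                tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))

    print("Finding appropriate address space for tables...")
    tables_with_vm = []
    procs = list(tasks.pslist(addr_space))
    for idx, table, n in tables:
        # find_space() also tries each process's address space for tables that
        # are not readable from the kernel address space alone.
        vm = tasks.find_space(addr_space, procs, table)
        if vm:
            tables_with_vm.append((idx, table, n, vm))
        else:
            debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))
    for idx, table, n, vm in sorted(tables_with_vm, key = itemgetter(0)):
        yield idx, table, n, vm, mods, mod_addrs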
Example #13
Source File: openioc_scan.py From openioc_scan with GNU General Public License v2.0 | 4 votes |
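def PEInfo_ImportedModules_Module_ImportedFunctions_string(self, content, condition, preserve_case):
    """Evaluate a DriverItem/PEInfo/ImportedModules/Module/ImportedFunctions/string IOC term.

    Args:
        content: the string the IOC compares the module's imported function names against.
        condition: the IOC condition; must satisfy self.util.is_condition_string().
        preserve_case: passed through to self.util.check_strings().

    Returns:
        self.util.check_strings() over the imported function names, or False when
        the condition is unsupported (after debug.error() has reported it).

    The import list is computed once per module and persisted in the
    kernel_mods_impfunc table; a 'marker_done' row records a module that
    produced no imports so the expensive scan is not repeated.
    """
    if not self.util.is_condition_string(condition):
        debug.error('{0} condition is not supported in DriverItem/PEInfo/ImportedModules/Module/ImportedFunctions/string'.format(condition))
        # Reached only if debug.error() does not abort.
        return False

    imp_funcs = []
    count = self.fetchone_from_db_by_base("kernel_mods_impfunc", "count(*)")
    if count > 0:
        # NOTE(review): a cached 'marker_done' row presumably comes back here as a
        # function name too — verify fetchall_from_db_by_base() filters it, or an
        # IOC string could match the marker instead of a real import.
        imp_funcs = self.fetchall_from_db_by_base("kernel_mods_impfunc", "func_name")
        return self.util.check_strings(imp_funcs, content, condition, preserve_case)

    mod_ident = 'kernel module name={0} base=0x{1:x}'.format(str(self.kmod.BaseDllName or ''), self.kmod.DllBase)
    debug.info("[time-consuming task] extracting import functions... ({0})".format(mod_ident))
    records = []
    all_mods = list(win32.modules.lsmod(self.kernel_space))
    base_address, size_to_read, data = self.get_data()
    if data:
        apis = self.enum_apis(all_mods)
        procs = list(tasks.pslist(self.kernel_space))
        # Some drivers (e.g. win32k.sys) are only readable through a particular
        # process's address space.
        addr_space = tasks.find_space(self.kernel_space, procs, base_address)
        if addr_space is None:
            # data can come from get_data()'s cache file while the module is not
            # readable in this image; do not hand None to the scanners.
            debug.warning('Cannot read supplied address ({0})'.format(mod_ident))
        else:
            calls_imported = dict(
                (iat, call)
                for (_, iat, call) in self.call_scan(addr_space, base_address, data)
                if call in apis
            )
            self._vicinity_scan(addr_space, calls_imported, apis, base_address, len(data), forward = True)
            self._vicinity_scan(addr_space, calls_imported, apis, base_address, len(data), forward = False)
            for iat, call in sorted(calls_imported.items()):
                mod_name, func_name = self._original_import(str(apis[call][0].BaseDllName or ''), apis[call][1])
                records.append((str(self.kmod.DllBase.v()), str(iat), str(call), mod_name, func_name))
                imp_funcs.append(func_name)
    if not records:
        debug.info('inserting marker "done"... ({0})'.format(mod_ident))
        records.append((str(self.kmod.DllBase.v()), 0, 0, 'marker_done', 'marker_done'))
    # Bound parameters (?) keep module and function names read from the image
    # out of the SQL text itself.
    self.cur.executemany("insert or ignore into kernel_mods_impfunc values (?, ?, ?, ?, ?)", records)
    return self.util.check_strings(imp_funcs, content, condition, preserve_case)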
Example #14
Source File: ssdt.py From volatility with GNU General Public License v2.0 | 4 votes |
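def calculate(self):
    """Collect every SSDT referenced by the image and yield each one with a readable address space.

    Yields:
        (idx, table, n, vm, mods, mod_addrs): the descriptor's index within its
        _SERVICE_DESCRIPTOR_TABLE, the KiServiceTable address, its ServiceLimit,
        an address space that can read the table, and the loaded-module map
        (masked DllBase -> module) with its sorted keys for later attribution.
    """
    addr_space = utils.load_as(self._config)
    ## Get a sorted list of module addresses
    mods = dict((addr_space.address_mask(mod.DllBase), mod) for mod in modules.lsmod(addr_space))
    mod_addrs = sorted(mods.keys())

    ssdts = set()
    if addr_space.profile.metadata.get('memory_model', '32bit') == '32bit':
        # Gather up all SSDTs referenced by threads: every table any thread's
        # Tcb.ServiceTable points at is collected, not only the one nt exports.
        print("[x86] Gathering all referenced SSDTs from KTHREADs...")
        for proc in tasks.pslist(addr_space):
            for thread in proc.ThreadListHead.list_of_type("_ETHREAD", "ThreadListEntry"):
                ssdt_obj = thread.Tcb.ServiceTable.dereference_as('_SERVICE_DESCRIPTOR_TABLE')
                ssdts.add(ssdt_obj)
    else:
        print("[x64] Gathering all referenced SSDTs from KeAddSystemServiceTable...")
        # The NT module always loads first
        ntos = list(modules.lsmod(addr_space))[0]
        func_rva = ntos.getprocaddress("KeAddSystemServiceTable")
        if func_rva is None:
            # Plain return instead of `raise StopIteration(...)`: inside a generator
            # that raise becomes a RuntimeError under PEP 479, and its message was
            # swallowed by the iteration machinery anyway, so report it explicitly.
            debug.warning("Cannot locate KeAddSystemServiceTable")
            return
        KeAddSystemServiceTable = ntos.DllBase + func_rva
        for table_rva in find_tables(KeAddSystemServiceTable, addr_space):
            ssdt_obj = obj.Object("_SERVICE_DESCRIPTOR_TABLE", ntos.DllBase + table_rva, addr_space)
            ssdts.add(ssdt_obj)

    # Get a list of *unique* SSDT entries. Typically we see only two.
    tables = set()
    for ssdt_obj in ssdts:
        for i, desc in enumerate(ssdt_obj.Descriptors):
            # Apply some extra checks - KiServiceTable should reside in kernel memory
            # (above 0x80000000) and ServiceLimit should be greater than 0 but not
            # unbelievably high. Descriptors that fail are skipped, not terminal.
            if (desc.is_valid() and desc.ServiceLimit > 0
                    and desc.ServiceLimit < 0xFFFF and desc.KiServiceTable > 0x80000000):
                tables.add((i, desc.KiServiceTable.v(), desc.ServiceLimit.v()))

    print("Finding appropriate address space for tables...")
    tables_with_vm = []
    procs = list(tasks.pslist(addr_space))
    for idx, table, n in tables:
        # find_space() also tries each process's address space for tables that
        # are not readable from the kernel address space alone.
        vm = tasks.find_space(addr_space, procs, table)
        if vm:
            tables_with_vm.append((idx, table, n, vm))
        else:
            debug.debug("[SSDT not resident at 0x{0:08X}]\n".format(table))
    for idx, table, n, vm in sorted(tables_with_vm, key = itemgetter(0)):
        yield idx, table, n, vm, mods, mod_addrs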