Python源码示例:volatility.plugins.filescan.PSScan()
示例1
def __init__(self, config, *args, **kwargs):
    """Register this plugin's command-line options after the base class's.

    :param config: volatility configuration object the options are added to;
                   the remaining arguments are passed through unchanged
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    # Option table; entries are registered in exactly this order.
    option_table = (
        ('STRING-FILE', dict(short_option='s', default=None,
                             help='File output in strings format (offset:string)',
                             action='store', type='str')),
        ("SCAN", dict(short_option='S', default=False, action='store_true',
                      help='Use PSScan if no offset is provided')),
        ('OFFSET', dict(short_option='o', default=None,
                        help='EPROCESS offset (in hex) in the physical address space',
                        action='store', type='int')),
        ('PID', dict(short_option='p', default=None,
                     help='Operate on these Process IDs (comma-separated)',
                     action='store', type='str')),
        ('LOOKUP-PID', dict(short_option='L', default=False, action='store_true',
                            help='Lookup the ImageFileName of PIDs')),
    )
    for option_name, spec in option_table:
        config.add_option(option_name, **spec)
示例2
def __init__(self, config, *args, **kwargs):
    """Register this plugin's command-line options after the base class's.

    :param config: volatility configuration object the options are added to;
                   the remaining arguments are passed through unchanged
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    # Option table; entries are registered in exactly this order.
    option_table = (
        ('STRING-FILE', dict(short_option='s', default=None,
                             help='File output in strings format (offset:string)',
                             action='store', type='str')),
        ("SCAN", dict(short_option='S', default=False, action='store_true',
                      help='Use PSScan if no offset is provided')),
        ('OFFSET', dict(short_option='o', default=None,
                        help='EPROCESS offset (in hex) in the physical address space',
                        action='store', type='int')),
        ('PID', dict(short_option='p', default=None,
                     help='Operate on these Process IDs (comma-separated)',
                     action='store', type='str')),
        ('LOOKUP-PID', dict(short_option='L', default=False, action='store_true',
                            help='Lookup the ImageFileName of PIDs')),
    )
    for option_name, spec in option_table:
        config.add_option(option_name, **spec)
示例3
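def get_processes(self, addr_space):
    """Enumerate processes based on user options.

    Selection order: an explicit --offset wins, then --scan (pool-tag
    scanning via PSScan, with each hit bounced back into the virtual address
    space), otherwise the active process list. A --pid list, if given, then
    filters whatever was selected.

    :param addr_space | <addrspace.AbstractVirtualAddressSpace>
    :returns <list>
    """
    bounce_back = taskmods.DllList.virtual_process_from_physical_offset
    if self._config.OFFSET is not None:
        # A single, user-supplied physical _EPROCESS offset.
        tasks = [bounce_back(addr_space, self._config.OFFSET)]
    elif self._config.SCAN:
        # Scan hits are carved from unstructured memory; one that cannot be
        # mapped back gives a falsy result from bounce_back (the same guard
        # DllList.calculate applies as `if v:`). Dropping it here keeps the
        # PID filter below from failing on a missing UniqueProcessId.
        tasks = [
            proc
            for proc in (
                bounce_back(addr_space, hit.obj_offset)
                for hit in filescan.PSScan(self._config).calculate()
            )
            if proc
        ]
    else:
        tasks = win32.tasks.pslist(addr_space)
    try:
        if self._config.PID is not None:
            # Set for O(1) membership; int() tolerates surrounding whitespace.
            pidlist = {int(p) for p in self._config.PID.split(',')}
            tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
    except (ValueError, TypeError):
        # A non-numeric --pid entry or a PID that cannot be converted is
        # reported through volatility's own error channel.
        debug.error("Invalid PID {0}".format(self._config.PID))
    return tasks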
示例4
def check_psscan(self):
    """Enumerate processes with pool tag scanning.

    :returns <dict> mapping PsXview.get_file_offset(p) -> scanned process p
    """
    scanned = filescan.PSScan(self._config).calculate()
    return {PsXview.get_file_offset(proc): proc for proc in scanned}
示例5
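def calculate(self):
    """Yield (process, module) pairs for every module in scope.

    With --scan, processes come from PSScan pool-tag scanning (each hit
    mapped back into the loaded address space) and the module list from
    ModScan; otherwise both come from the active lists (tasks.pslist and
    modules.lsmod). --kernel-only leaves the process list empty, so no
    per-process modules are yielded; --process-only leaves the module list
    empty. Modules from the module list are yielded with a None process.
    """
    addr_space = utils.load_as(self._config)
    tasklist = []
    modslist = []
    if self._config.SCAN:
        if not self._config.KERNEL_ONLY:
            for hit in filescan.PSScan(self._config).calculate():
                virt = self.virtual_process_from_physical_offset(addr_space, hit.obj_offset)
                # Carved hits that cannot be mapped back are skipped.
                if virt:
                    tasklist.append(virt)
        if not self._config.PROCESS_ONLY:
            modslist = list(modscan.ModScan(self._config).calculate())
    else:
        if not self._config.KERNEL_ONLY:
            tasklist = list(tasks.pslist(addr_space))
        if not self._config.PROCESS_ONLY:
            modslist = list(modules.lsmod(addr_space))
    for task in tasklist:
        for mod in task.get_load_modules():
            yield task, mod
    for mod in modslist:
        yield None, mod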
示例6
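def calculate(self):
    """Cross-reference scanned _EPROCESS blocks with the active process list.

    :returns <list> [eproc, found, cmdline, pathname], each keyed by the
             physical offset of the _EPROCESS:
             eproc    -> the _EPROCESS object found by PSScan
             found    -> 1 if seen only by the scan, 0 if also on the active list
             cmdline  -> PEB ProcessParameters.CommandLine, active-list processes only
             pathname -> PEB ProcessParameters.ImagePathName, likewise
    With --short, processes present on the active list are removed from
    eproc and found instead of being marked, so only scan-only candidates
    (hidden/terminated/of interest) remain. Active-list processes the scan
    did not find are not recorded at all.
    """
    eproc = {}
    found = {}
    cmdline = {}
    pathname = {}
    address_space = utils.load_as(self._config)
    # Brute force search for eproc blocks in pool memory
    for eprocess in filescan.PSScan(self._config).calculate():
        eproc[eprocess.obj_offset] = eprocess
        found[eprocess.obj_offset] = 1
    # Walking the active process list.
    # Remove any tasks we find here from the brute force search if the --short option is set.
    # Anything left is something which was hidden/terminated/of interest.
    for task in tasks.pslist(address_space):
        # Scan results are keyed by physical offset, so translate first.
        phys = address_space.vtop(task.obj_offset)
        if phys not in eproc:
            continue
        if self._config.SHORT:
            del eproc[phys]
            del found[phys]
        else:
            found[phys] = 0
            # Grab command line and parameters
            peb = task.Peb
            if peb:
                cmdline[phys] = peb.ProcessParameters.CommandLine
                pathname[phys] = peb.ProcessParameters.ImagePathName
    return [eproc, found, cmdline, pathname]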
示例7
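def get_processes(self, addr_space):
    """Enumerate processes based on user options.

    Selection order: an explicit --offset wins, then --scan (pool-tag
    scanning via PSScan, with each hit bounced back into the virtual address
    space), otherwise the active process list. A --pid list, if given, then
    filters whatever was selected.

    :param addr_space | <addrspace.AbstractVirtualAddressSpace>
    :returns <list>
    """
    bounce_back = taskmods.DllList.virtual_process_from_physical_offset
    if self._config.OFFSET is not None:
        # A single, user-supplied physical _EPROCESS offset.
        tasks = [bounce_back(addr_space, self._config.OFFSET)]
    elif self._config.SCAN:
        # Scan hits are carved from unstructured memory; one that cannot be
        # mapped back gives a falsy result from bounce_back (the same guard
        # DllList.calculate applies as `if v:`). Dropping it here keeps the
        # PID filter below from failing on a missing UniqueProcessId.
        tasks = [
            proc
            for proc in (
                bounce_back(addr_space, hit.obj_offset)
                for hit in filescan.PSScan(self._config).calculate()
            )
            if proc
        ]
    else:
        tasks = win32.tasks.pslist(addr_space)
    try:
        if self._config.PID is not None:
            # Set for O(1) membership; int() tolerates surrounding whitespace.
            pidlist = {int(p) for p in self._config.PID.split(',')}
            tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
    except (ValueError, TypeError):
        # A non-numeric --pid entry or a PID that cannot be converted is
        # reported through volatility's own error channel.
        debug.error("Invalid PID {0}".format(self._config.PID))
    return tasks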
示例8
def check_psscan(self):
    """Enumerate processes with pool tag scanning.

    :returns <dict> mapping PsXview.get_file_offset(p) -> scanned process p
    """
    scanned = filescan.PSScan(self._config).calculate()
    return {PsXview.get_file_offset(proc): proc for proc in scanned}
示例9
def __init__(self, config, *args, **kwargs):
    """Register this plugin's command-line options after the base class's.

    :param config: volatility configuration object the options are added to;
                   the remaining arguments are passed through unchanged
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    # Option table; entries are registered in exactly this order.
    option_table = (
        ('STRING-FILE', dict(short_option='s', default=None,
                             help='File output in strings format (offset:string)',
                             action='store', type='str')),
        ("SCAN", dict(short_option='S', default=False, action='store_true',
                      help='Use PSScan if no offset is provided')),
        ('OFFSET', dict(short_option='o', default=None,
                        help='EPROCESS offset (in hex) in the physical address space',
                        action='store', type='int')),
        ('PID', dict(short_option='p', default=None,
                     help='Operate on these Process IDs (comma-separated)',
                     action='store', type='str')),
    )
    for option_name, spec in option_table:
        config.add_option(option_name, **spec)
示例10
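def get_processes(self, addr_space):
    """Enumerate processes based on user options.

    Selection order: an explicit --offset wins, then --scan (pool-tag
    scanning via PSScan, with each hit bounced back into the virtual address
    space), otherwise the active process list. A --pid list, if given, then
    filters whatever was selected.

    :param addr_space | <addrspace.AbstractVirtualAddressSpace>
    :returns <list>
    """
    bounce_back = taskmods.DllList.virtual_process_from_physical_offset
    if self._config.OFFSET is not None:
        # A single, user-supplied physical _EPROCESS offset.
        tasks = [bounce_back(addr_space, self._config.OFFSET)]
    elif self._config.SCAN:
        # Scan hits are carved from unstructured memory; one that cannot be
        # mapped back gives a falsy result from bounce_back (the same guard
        # DllList.calculate applies as `if v:`). Dropping it here keeps the
        # PID filter below from failing on a missing UniqueProcessId.
        tasks = [
            proc
            for proc in (
                bounce_back(addr_space, hit.obj_offset)
                for hit in filescan.PSScan(self._config).calculate()
            )
            if proc
        ]
    else:
        tasks = win32.tasks.pslist(addr_space)
    try:
        if self._config.PID is not None:
            # Set for O(1) membership; int() tolerates surrounding whitespace.
            pidlist = {int(p) for p in self._config.PID.split(',')}
            tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
    except (ValueError, TypeError):
        # A non-numeric --pid entry or a PID that cannot be converted is
        # reported through volatility's own error channel.
        debug.error("Invalid PID {0}".format(self._config.PID))
    return tasks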
示例11
def check_psscan(self):
    """Enumerate processes with pool tag scanning.

    :returns <dict> mapping each scanned process's obj_offset -> that process
    """
    scanned = filescan.PSScan(self._config).calculate()
    return {proc.obj_offset: proc for proc in scanned}
示例12
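def calculate(self):
    """Yield (process, module) pairs for every module in scope.

    With --scan, processes come from PSScan pool-tag scanning (each hit
    mapped back into the loaded address space) and the module list from
    ModScan; otherwise both come from the active lists (tasks.pslist and
    modules.lsmod). --kernel-only leaves the process list empty, so no
    per-process modules are yielded; --process-only leaves the module list
    empty. Modules from the module list are yielded with a None process.
    """
    addr_space = utils.load_as(self._config)
    tasklist = []
    modslist = []
    if self._config.SCAN:
        if not self._config.KERNEL_ONLY:
            for hit in filescan.PSScan(self._config).calculate():
                virt = self.virtual_process_from_physical_offset(addr_space, hit.obj_offset)
                # Carved hits that cannot be mapped back are skipped.
                if virt:
                    tasklist.append(virt)
        if not self._config.PROCESS_ONLY:
            modslist = list(modscan.ModScan(self._config).calculate())
    else:
        if not self._config.KERNEL_ONLY:
            tasklist = list(tasks.pslist(addr_space))
        if not self._config.PROCESS_ONLY:
            modslist = list(modules.lsmod(addr_space))
    for task in tasklist:
        for mod in task.get_load_modules():
            yield task, mod
    for mod in modslist:
        yield None, mod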
示例13
def _get_dtb(self):
    """Use psscan to get system dtb and apply it.

    Scans for _EPROCESS objects and, on the first whose ImageFileName is
    "System", writes its Pcb.DirectoryTableBase into the config as "dtb".

    :returns <bool> True if a System process was found and applied, else False
    """
    scanner = filescan.PSScan(self.config)
    # Lazy: stops scanning at the first matching process, as the loop did.
    system_proc = next(
        (ep for ep in scanner.calculate() if str(ep.ImageFileName) == "System"),
        None,
    )
    if system_proc is None:
        return False
    self.config.update("dtb", system_proc.Pcb.DirectoryTableBase)
    return True
示例14
def __init__(self, config, *args, **kwargs):
    """Register this plugin's command-line options after the base class's.

    :param config: volatility configuration object the options are added to;
                   the remaining arguments are passed through unchanged
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    # Option table; entries are registered in exactly this order.
    option_table = (
        ('STRING-FILE', dict(short_option='s', default=None,
                             help='File output in strings format (offset:string)',
                             action='store', type='str')),
        ("SCAN", dict(short_option='S', default=False, action='store_true',
                      help='Use PSScan if no offset is provided')),
        ('OFFSET', dict(short_option='o', default=None,
                        help='EPROCESS offset (in hex) in the physical address space',
                        action='store', type='int')),
        ('PID', dict(short_option='p', default=None,
                     help='Operate on these Process IDs (comma-separated)',
                     action='store', type='str')),
    )
    for option_name, spec in option_table:
        config.add_option(option_name, **spec)
示例15
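def get_processes(self, addr_space):
    """Enumerate processes based on user options.

    Selection order: an explicit --offset wins, then --scan (pool-tag
    scanning via PSScan, with each hit bounced back into the virtual address
    space), otherwise the active process list. A --pid list, if given, then
    filters whatever was selected.

    :param addr_space | <addrspace.AbstractVirtualAddressSpace>
    :returns <list>
    """
    bounce_back = taskmods.DllList.virtual_process_from_physical_offset
    if self._config.OFFSET is not None:
        # A single, user-supplied physical _EPROCESS offset.
        tasks = [bounce_back(addr_space, self._config.OFFSET)]
    elif self._config.SCAN:
        # Scan hits are carved from unstructured memory; one that cannot be
        # mapped back gives a falsy result from bounce_back (the same guard
        # DllList.calculate applies as `if v:`). Dropping it here keeps the
        # PID filter below from failing on a missing UniqueProcessId.
        tasks = [
            proc
            for proc in (
                bounce_back(addr_space, hit.obj_offset)
                for hit in filescan.PSScan(self._config).calculate()
            )
            if proc
        ]
    else:
        tasks = win32.tasks.pslist(addr_space)
    try:
        if self._config.PID is not None:
            # Set for O(1) membership; int() tolerates surrounding whitespace.
            pidlist = {int(p) for p in self._config.PID.split(',')}
            tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
    except (ValueError, TypeError):
        # A non-numeric --pid entry or a PID that cannot be converted is
        # reported through volatility's own error channel.
        debug.error("Invalid PID {0}".format(self._config.PID))
    return tasks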
示例16
def check_psscan(self):
    """Enumerate processes with pool tag scanning.

    :returns <dict> mapping each scanned process's obj_offset -> that process
    """
    scanned = filescan.PSScan(self._config).calculate()
    return {proc.obj_offset: proc for proc in scanned}
示例17
def __init__(self, config, *args, **kwargs):
    """Register this plugin's command-line options after the base class's.

    :param config: volatility configuration object the options are added to;
                   the remaining arguments are passed through unchanged
    """
    common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    # Option table; entries are registered in exactly this order.
    option_table = (
        ('STRING-FILE', dict(short_option='s', default=None,
                             help='File output in strings format (offset:string)',
                             action='store', type='str')),
        ("SCAN", dict(short_option='S', default=False, action='store_true',
                      help='Use PSScan if no offset is provided')),
        ('OFFSET', dict(short_option='o', default=None,
                        help='EPROCESS offset (in hex) in the physical address space',
                        action='store', type='int')),
        ('PID', dict(short_option='p', default=None,
                     help='Operate on these Process IDs (comma-separated)',
                     action='store', type='str')),
    )
    for option_name, spec in option_table:
        config.add_option(option_name, **spec)
示例18
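def get_processes(self, addr_space):
    """Enumerate processes based on user options.

    Selection order: an explicit --offset wins, then --scan (pool-tag
    scanning via PSScan, with each hit bounced back into the virtual address
    space), otherwise the active process list. A --pid list, if given, then
    filters whatever was selected.

    :param addr_space | <addrspace.AbstractVirtualAddressSpace>
    :returns <list>
    """
    bounce_back = taskmods.DllList.virtual_process_from_physical_offset
    if self._config.OFFSET is not None:
        # A single, user-supplied physical _EPROCESS offset.
        tasks = [bounce_back(addr_space, self._config.OFFSET)]
    elif self._config.SCAN:
        # Scan hits are carved from unstructured memory; one that cannot be
        # mapped back gives a falsy result from bounce_back (the same guard
        # DllList.calculate applies as `if v:`). Dropping it here keeps the
        # PID filter below from failing on a missing UniqueProcessId.
        tasks = [
            proc
            for proc in (
                bounce_back(addr_space, hit.obj_offset)
                for hit in filescan.PSScan(self._config).calculate()
            )
            if proc
        ]
    else:
        tasks = win32.tasks.pslist(addr_space)
    try:
        if self._config.PID is not None:
            # Set for O(1) membership; int() tolerates surrounding whitespace.
            pidlist = {int(p) for p in self._config.PID.split(',')}
            tasks = [t for t in tasks if int(t.UniqueProcessId) in pidlist]
    except (ValueError, TypeError):
        # A non-numeric --pid entry or a PID that cannot be converted is
        # reported through volatility's own error channel.
        debug.error("Invalid PID {0}".format(self._config.PID))
    return tasks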
示例19
def check_psscan(self):
    """Enumerate processes with pool tag scanning.

    :returns <dict> mapping each scanned process's obj_offset -> that process
    """
    scanned = filescan.PSScan(self._config).calculate()
    return {proc.obj_offset: proc for proc in scanned}
示例20
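def calculate(self):
    """Yield (process, module) pairs for every module in scope.

    With --scan, processes come from PSScan pool-tag scanning (each hit
    mapped back into the loaded address space) and the module list from
    ModScan; otherwise both come from the active lists (tasks.pslist and
    modules.lsmod). --kernel-only leaves the process list empty, so no
    per-process modules are yielded; --process-only leaves the module list
    empty. Modules from the module list are yielded with a None process.
    """
    addr_space = utils.load_as(self._config)
    tasklist = []
    modslist = []
    if self._config.SCAN:
        if not self._config.KERNEL_ONLY:
            for hit in filescan.PSScan(self._config).calculate():
                virt = self.virtual_process_from_physical_offset(addr_space, hit.obj_offset)
                # Carved hits that cannot be mapped back are skipped.
                if virt:
                    tasklist.append(virt)
        if not self._config.PROCESS_ONLY:
            modslist = list(modscan.ModScan(self._config).calculate())
    else:
        if not self._config.KERNEL_ONLY:
            tasklist = list(tasks.pslist(addr_space))
        if not self._config.PROCESS_ONLY:
            modslist = list(modules.lsmod(addr_space))
    for task in tasklist:
        for mod in task.get_load_modules():
            yield task, mod
    for mod in modslist:
        yield None, mod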