Python volatility.utils.load_as() Examples

The following are 30 code examples of volatility.utils.load_as(). You can vote up the ones you like or vote down the ones you don't like, and go to the original project or source file by following the links above each example. You may also want to check out all available functions/classes of the module volatility.utils , or try the search function .
Example #1
Source File: auditpol.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)
        regapi = registryapi.RegistryApi(self._config)
        regapi.reset_current()

        version = (addr_space.profile.metadata.get('major', 0),
                   addr_space.profile.metadata.get('minor', 0))

        for value, data_raw in regapi.reg_yield_values('security', 'Policy\\PolAdtEv', thetype = 'REG_NONE'):
            bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
            if version <= (5, 1):
                ap = obj.Object("AuditPolDataXP", offset = 0, vm = bufferas)
            elif version <= (6, 0):
                ap = obj.Object("AuditPolDataVista", offset = 0, vm = bufferas)
            elif version == (6, 1):
                ap = obj.Object("AuditPolData7", offset = 0, vm = bufferas)
            elif version == (6, 2) or version == (6, 3):     
                ap = obj.Object("AuditPolData8", offset = 0, vm = bufferas)
            else:
                ap = obj.Object("AuditPolData10", offset = 0, vm = bufferas)
                
            if ap == None:
                debug.error("No AuditPol data found")

            yield data_raw, ap 
Example #2
Source File: malfind.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        addr_space = utils.load_as(self._config)
        rules = self._compile_rules()
        process_mem = self._scan_process_memory(addr_space, rules)
        kernel_mem = self._scan_kernel_memory(addr_space, rules)

        if self._config.ALL:
            for p in process_mem:
                yield p
            for k in kernel_mem:
                yield k
        elif self._config.KERNEL:
            for k in kernel_mem:
                yield k
        else:
            for p in process_mem:
                yield p 
Example #3
Source File: gahti.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def generator(self, data):
        profile = utils.load_as(self._config).profile

        # Get the OS version being analyzed
        version = (profile.metadata.get('major', 0),
                   profile.metadata.get('minor', 0))

        # Choose which USER handle enum to use
        if version >= (6, 1):
            handle_types = consts.HANDLE_TYPE_ENUM_SEVEN
        else:
            handle_types = consts.HANDLE_TYPE_ENUM

        for session in data:
            gahti = session.find_gahti()
            if gahti:
                for i, h in handle_types.items():
                    yield (0,
                                    [str(session.SessionId),
                                     str(h),
                                     str(gahti.types[i].dwAllocTag),
                                     Address(gahti.types[i].fnDestroy),
                                     str(gahti.types[i].bObjectCreateFlags)]) 
Example #4
Source File: find_file.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def get_page_contents(self, inode, idx):
        page_addr = self.find_get_page(inode, idx)

        if page_addr:
            page = obj.Object("page", offset = page_addr, vm = self.addr_space)
            phys_offset = page.to_paddr()
            if phys_offset > 0:
                phys_as = utils.load_as(self._config, astype = 'physical')
                data = phys_as.zread(phys_offset, 4096)
            else:
                data = "\x00" * 4096
        else:
            data = "\x00" * 4096

        return data

    # main function to be called, handles getting all the pages of an inode
    # and handles the last page not being page_size aligned 
Example #5
Source File: userassist.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)
        self.regapi = registryapi.RegistryApi(self._config)
        win7 = addr_space.profile.metadata.get('major', 0) == 6 and addr_space.profile.metadata.get('minor', 0) >= 1
        skey = "software\\microsoft\\windows\\currentversion\\explorer\\userassist"

        if not self._config.HIVE_OFFSET:
            self.regapi.set_current("ntuser.dat")
        else:
            name = obj.Object("_CMHIVE", vm = addr_space, offset = self._config.HIVE_OFFSET).get_name()
            self.regapi.all_offsets[self._config.HIVE_OFFSET] = name
            self.regapi.current_offsets[self._config.HIVE_OFFSET] = name

        for key, name in self.regapi.reg_yield_key(None, skey):
            for guidkey in self.regapi.reg_get_all_subkeys(None, None, given_root = key):
                for count in self.regapi.reg_get_all_subkeys(None, None, given_root = guidkey):
                    if count.Name == "Count":
                        yield win7, name, count 
Example #6
Source File: dlldump.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        if self._config.DUMP_DIR == None:
            debug.error("Please specify a dump directory (--dump-dir)")
        if not os.path.isdir(self._config.DUMP_DIR):
            debug.error(self._config.DUMP_DIR + " is not a directory")

        if self._config.OFFSET != None:
            data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
        else:
            data = self.filter_tasks(tasks.pslist(addr_space))

        if self._config.REGEX:
            try:
                if self._config.IGNORE_CASE:
                    mod_re = re.compile(self._config.REGEX, re.I)
                else:
                    mod_re = re.compile(self._config.REGEX)
            except re.error, e:
                debug.error('Error parsing regular expression: %s' % e) 
Example #7
Source File: poisonivy.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):

        if not has_yara:
            debug.error("Yara must be installed for this plugin")

        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")
        
        rules = yara.compile(sources = signatures)

        for task in self.filter_tasks(tasks.pslist(addr_space)):
            scanner = malfind.VadYaraScanner(task = task, rules = rules)

            for hit, address in scanner.scan():
                vad_base_addr = self.get_vad_base(task, address)
                if address - vad_base_addr > 0x1000:
                    continue

                yield task, vad_base_addr 
Example #8
Source File: psempire.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):
        if not has_yara:
            debug.error("Yara must be installed for this plugin")

        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")
	    # For each process in the list
        for task in self.filter_tasks(tasks.pslist(addr_space)):
            # print task.ImageFileName
            for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
				# Injected code detected if there's values returned
                rules = yara.compile(sources = signatures)
                scanner = malfind.VadYaraScanner(task = task, rules = rules)
                # print 'before'
                for hit, address in scanner.scan():
            	    vad_base_addr = self.get_vad_base(task, address)
            	    
            	    # Get a chuck of memory of size 2048 next to where the string was detected
                    content = address_space.zread(address, 2048)
                    yield task, address, vad_base_addr, content
                    break
                # break  # Show only 1 instance of detected injection per process 
Example #9
Source File: unchain.py    From ROPMEMU with GNU Lesser General Public License v2.1 6 votes vote down vote up
def calculate(self):
        if not self.is_nasm():
            debug.error("Please install nasm")

        if not self._config.IJSON:
            debug.error("Please provide the input JSON trace")
       
        self._addrspace = utils.load_as(self._config)

        self.md = self.init_capstone()
        self.md.detail = True

        print "[+] From gadget: %s" % self._config.SGADGET
        print "[+] To gadget: %s" % self._config.GLIMIT

        self.get_json_trace()
        self.follow_trace()

        if self._config.DEBUG:
            self.get_trace_asm()
          
        if self._config.DB or self._config.IDB:
            self.serialize_opcodes() 
Example #10
Source File: lsadump.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.sys_offset or not self._config.sec_offset:
            regapi = registryapi.RegistryApi(self._config)
            for offset in regapi.all_offsets:
                name = regapi.all_offsets[offset].lower().split("\\")[-1]
                if "system" == name:
                    self._config.update("SYS_OFFSET", offset)
                elif "security" == name:
                    self._config.update("SEC_OFFSET", offset)

        hashes = domcachedumpmod.dump_memory_hashes(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
        if hashes == None:
            debug.error("Unable to read hashes from registry")
        return hashes 
Example #11
Source File: lsadump.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.sys_offset or not self._config.sam_offset:
            regapi = registryapi.RegistryApi(self._config)
            for offset in regapi.all_offsets:
                name = regapi.all_offsets[offset].lower().split("\\")[-1]
                if "system" == name:
                    self._config.update("SYS_OFFSET", offset)
                elif "sam" == name:
                    self._config.update("SAM_OFFSET", offset)

        hashes = hashdumpmod.dump_memory_hashes(addr_space, self._config, self._config.sys_offset, self._config.sam_offset)
        if not hashes:
            debug.error("Unable to read hashes from registry")
        return hashes 
Example #12
Source File: netscan.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        for objct in self.scan_results(addr_space):

            if isinstance(objct, _UDP_ENDPOINT):
                # For UdpA, the state is always blank and the remote end is asterisks
                for ver, laddr, _ in objct.dual_stack_sockets():
                    yield objct, "UDP" + ver, laddr, objct.Port, "*", "*", ""
            elif isinstance(objct, _TCP_ENDPOINT):

                if objct.AddressFamily == AF_INET:
                    proto = "TCPv4"
                elif objct.AddressFamily == AF_INET6:
                    proto = "TCPv6"

                yield objct, proto, objct.LocalAddress, objct.LocalPort, \
                    objct.RemoteAddress, objct.RemotePort, objct.State
            elif isinstance(objct, _TCP_LISTENER):
                # For TcpL, the state is always listening and the remote port is zero
                for ver, laddr, raddr in objct.dual_stack_sockets():
                    yield objct, "TCP" + ver, laddr, objct.Port, raddr, 0, "LISTENING" 
Example #13
Source File: netscan.py    From volatility with GNU General Public License v2.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self.is_valid_profile(addr_space.profile):
            debug.error("This command does not support the selected profile.")

        for objct in self.scan_results(addr_space):

            if isinstance(objct, _UDP_ENDPOINT):
                # For UdpA, the state is always blank and the remote end is asterisks
                for ver, laddr, _ in objct.dual_stack_sockets():
                    yield objct, "UDP" + ver, laddr, objct.Port, "*", "*", ""
            elif isinstance(objct, _TCP_ENDPOINT):

                if objct.AddressFamily == AF_INET:
                    proto = "TCPv4"
                elif objct.AddressFamily == AF_INET6:
                    proto = "TCPv6"

                yield objct, proto, objct.LocalAddress, objct.LocalPort, \
                    objct.RemoteAddress, objct.RemotePort, objct.State
            elif isinstance(objct, _TCP_LISTENER):
                # For TcpL, the state is always listening and the remote port is zero
                for ver, laddr, raddr in objct.dual_stack_sockets():
                    yield objct, "TCP" + ver, laddr, objct.Port, raddr, 0, "LISTENING" 
Example #14
Source File: lsadump.py    From aumfor with GNU General Public License v3.0 6 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.sys_offset or not self._config.sec_offset:
            regapi = registryapi.RegistryApi(self._config)
            for offset in regapi.all_offsets:
                name = regapi.all_offsets[offset].lower().split("\\")[-1]
                if "system" == name:
                    self._config.update("SYS_OFFSET", offset)
                elif "security" == name:
                    self._config.update("SEC_OFFSET", offset)

        secrets = lsasecrets.get_memory_secrets(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
        if not secrets:
            debug.error("Unable to read LSA secrets from registry")

        return secrets 
Example #15
Source File: lastpass.py    From volatility_plugins with MIT License 5 votes vote down vote up
def calculate(self):
        """ Required: Runs YARA search to find hits """
        if not has_yara:
            debug.error('Yara must be installed for this plugin')

        addr_space = utils.load_as(self._config)
        rules = yara.compile(sources = signatures)
        for task in self.filter_tasks(tasks.pslist(addr_space)):
            if not task.ImageFileName.lower() in ['chrome.exe', 'firefox.exe', 'iexplore.exe']:
                continue
            scanner = malfind.VadYaraScanner(task=task, rules=rules)
            for hit, address in scanner.scan():
                yield task, address 
Example #16
Source File: psdispscan.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def calculate(self):
        address_space = utils.load_as(self._config, astype = 'physical')

        for offset in PSDispScanner().scan(address_space):
            yield obj.Object('_EPROCESS', vm = address_space, offset = offset) 
Example #17
Source File: enumfunc.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        tasklist = []
        modslist = []

        if self._config.SCAN:
            if not self._config.KERNEL_ONLY:
                for t in filescan.PSScan(self._config).calculate():
                    v = self.virtual_process_from_physical_offset(addr_space, t.obj_offset)
                    if v:
                        tasklist.append(v)
            if not self._config.PROCESS_ONLY:
                modslist = [m for m in modscan.ModScan(self._config).calculate()]
        else:
            if not self._config.KERNEL_ONLY:
                tasklist = [t for t in tasks.pslist(addr_space)]
            if not self._config.PROCESS_ONLY:
                modslist = [m for m in modules.lsmod(addr_space)]

        for task in tasklist:
            for mod in task.get_load_modules():
                yield task, mod

        for mod in modslist:
            yield None, mod 
Example #18
Source File: browserhooks.py    From volatility-browserhooks with BSD 2-Clause "Simplified" License 5 votes vote down vote up
def calculate(self):

        addr_space = utils.load_as(self._config)
        ## prerequisities
        if not has_distorm3:
            debug.error("Install distorm3 code.google.com/p/distorm/")
        if not has_yara:
            debug.error("Please install Yara from https://plusvic.github.io/yara/")

        for proc in self.filter_tasks(tasks.pslist(addr_space)):
            process_space = proc.get_process_address_space()
            if not process_space:
                print("Cannot acquire process AS for {0} ({1})".format(proc.ImageFileName, proc.UniqueProcessId))
                continue
            #PK process_space.profile.add_types(wow64_types)
            process_space.profile.object_classes.update({'_UNICODE_STRING32': _UNICODE_STRING32,
                                                         '_LDR_DATA_TABLE_ENTRY32' : _LDR_DATA_TABLE_ENTRY32,
                                                         '_IMAGE_IMPORT_DESCRIPTOR32' : _IMAGE_IMPORT_DESCRIPTOR32})
            i = 0
            if proc.IsWow64:
                module_group = ModuleGroup(self.get_modules_wow64(proc))
            else:
                module_group = ModuleGroup(proc.get_load_modules())
            for dll in module_group.mods:
                if not process_space.is_valid_address(dll.DllBase):
                    continue

                dll_name = str(dll.BaseDllName or '').lower()

                if (dll_name not in self.critical_dlls and dll.DllBase != proc.Peb.ImageBaseAddress):
                    #PK print("Skipping non-critical dll {0} at {1:#x}".format( dll_name, dll.DllBase))
                    continue

                for hook in self.get_hooks(proc, dll, module_group):
                    if self.whitelist(hook.hook_type, str(proc.ImageFileName), hook.VictimModule, hook.HookModule, hook.Function):
                        continue

                    print "dll: %s"%(dll.BaseDllName)
                    yield proc, dll, hook 
Example #19
Source File: pstotal.py    From sift-saltstack with MIT License 5 votes vote down vote up
def calculate(self):
        eproc = {}
        found = {}
        cmdline = {}
        pathname = {}
              
        # Brute force search for eproc blocks in pool memory
        address_space = utils.load_as(self._config)
        for eprocess in filescan.PSScan(self._config).calculate():
            eproc[eprocess.obj_offset] = eprocess
            found[eprocess.obj_offset] = 1
        
        # Walking the active process list.
        # Remove any tasks we find here from the brute force search if the --short option is set.
        # Anything left is something which was hidden/terminated/of interest.
        address_space = utils.load_as(self._config)
        for task in tasks.pslist(address_space):
            phys = address_space.vtop(task.obj_offset)
            if phys in eproc:
                if self._config.SHORT :
                    del eproc[phys]
                    del found[phys] 
                else:
                    found[phys] = 0                
                    
        # Grab command line and parameters            
            peb = task.Peb
            if peb:
                cmdline[phys] = peb.ProcessParameters.CommandLine
                pathname[phys] = peb.ProcessParameters.ImagePathName
                    
        ret = [eproc, found, cmdline, pathname]

        return ret 
Example #20
Source File: kpcrscan.py    From volatility with GNU General Public License v2.0 5 votes vote down vote up
def calculate(self):
        """Determines the address space"""
        addr_space = utils.load_as(self._config, astype = 'any')

        scanner = KPCRScanner()
        for offset in scanner.scan(addr_space):
            kpcr = obj.Object("_KPCR", offset = offset, vm = addr_space)
            yield kpcr 
Example #21
Source File: autoruns.py    From volatility-autoruns with GNU General Public License v2.0 5 votes vote down vote up
def get_dll_list(self):
        addr_space = utils.load_as(self._config)
        task_objects = win32.tasks.pslist(addr_space)
        for task in task_objects:
            if task.Peb:
                self.process_dict[int(task.UniqueProcessId)] = (task, [m for m in task.get_load_modules()])

    # Matches a given module (executable, DLL) to a running process by looking either
    # in the CommandLine parameters or in the loaded modules 
Example #22
Source File: servicediff.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        from_memory = ServiceDiff.services_from_memory_list(addr_space)
        if not from_memory:
            debug.error("Could not enumerate services from memory")

        from_registry = ServiceDiff.services_from_registry(addr_space)
        if not from_registry:
            debug.error("Could not enumerate services from the registry")

        return ServiceDiff.compare(from_registry, from_memory) 
Example #23
Source File: evtlogs.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)
        
        if not self.is_valid_profile(addr_space.profile):
            debug.error("This plugin only works on XP and 2003")

        ## When verbose is specified, we recalculate the list of SIDs for
        ## services in the registry. Otherwise, we take the list from the 
        ## pre-populated dictionary in getservicesids.py
        if self._config.VERBOSE:
            ssids = getservicesids.GetServiceSids(self._config).calculate()
            for sid, service in ssids:
                self.extrasids[sid] = " (Service: " + service + ")" 
        else:
            for sid, service in getservicesids.servicesids.items():
                self.extrasids[sid] = " (Service: " + service + ")"

        ## Get the user's SIDs from the registry
        self.load_user_sids()

        for proc in tasks.pslist(addr_space):
            if str(proc.ImageFileName).lower() == "services.exe":
                for vad, process_space in proc.get_vads(vad_filter = proc._mapped_file_filter):
                    if vad.FileObject.FileName:
                        name = str(vad.FileObject.FileName).lower()
                        if name.endswith(".evt"):
                            ## Maybe check the length is reasonable, though probably there won't 
                            ## ever be event logs that are multiple GB or TB in size.
                            data = process_space.zread(vad.Start, vad.Length)
                            yield name, data 
Example #24
Source File: windowstations.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        seen = []

        for wind in self.scan_results(addr_space):
            
            # Find an address space for this window station's session  
            session = self.find_session_space(
                addr_space, wind.dwSessionId)

            if not session:
                continue

            # Reset the object's native VM so pointers are
            # dereferenced in session space 
            wind.set_native_vm(session.obj_vm)

            for winsta in wind.traverse():
                if winsta.is_valid() and len([desk for desk in winsta.desktops()]) > 0:

                    offset = winsta.PhysicalAddress
                    if offset in seen:
                        continue
                    seen.append(offset)

                    yield winsta 
Example #25
Source File: gditimers.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def calculate(self):
        kernel_as = utils.load_as(self._config)

        for session in self.session_spaces(kernel_as):

            shared_info = session.find_shared_info()
            if not shared_info:
                continue

            filters = [lambda x : str(x.bType) == "TYPE_TIMER"]

            for handle in shared_info.handles(filters):
                timer = handle.reference_object()
                yield session, handle, timer 
Example #26
Source File: sessions.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def calculate(self):
        kernel_space = utils.load_as(self._config)

        # Once for each unique _MM_SESSION_SPACE 
        for session in self.session_spaces(kernel_space):
            yield session 
Example #27
Source File: printkey.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        if not self._config.hive_offset:
            debug.error("A Hive offset must be provided (--hive-offset)")

        h = hivemod.HiveAddressSpace(addr_space, self._config, self._config.hive_offset)
        return rawreg.get_root(h) 
Example #28
Source File: hivescan.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)

        metadata = addr_space.profile.metadata
        version = (metadata.get("major", 0), metadata.get("minor", 0))
        arch = metadata.get("memory_model", "32bit")

        if version >= (6, 3) and arch == "64bit":
            for pool in bigpools.BigPagePoolScanner(addr_space).scan(["CM10"]):
                yield pool.Va.dereference_as("_CMHIVE")
        else:
            for result in self.scan_results(addr_space):
                yield result 
Example #29
Source File: registryapi.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def __init__(self, config):
        self._config = config
        self.addr_space = utils.load_as(self._config)
        self.all_offsets = {}
        self.current_offsets = {}
        self.populate_offsets() 
Example #30
Source File: shimcache.py    From aumfor with GNU General Public License v3.0 5 votes vote down vote up
def calculate(self):
        addr_space = utils.load_as(self._config)
        regapi = registryapi.RegistryApi(self._config)

        for entry in self.get_entries(addr_space, regapi):
            yield entry