Python volatility.utils.load_as() Examples
The following are 30
code examples of volatility.utils.load_as().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.utils
, or try the search function
.
.
Example #1
| Source File: auditpol.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
regapi = registryapi.RegistryApi(self._config)
regapi.reset_current()
version = (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
for value, data_raw in regapi.reg_yield_values('security', 'Policy\\PolAdtEv', thetype = 'REG_NONE'):
bufferas = addrspace.BufferAddressSpace(self._config, data = data_raw)
if version <= (5, 1):
ap = obj.Object("AuditPolDataXP", offset = 0, vm = bufferas)
elif version <= (6, 0):
ap = obj.Object("AuditPolDataVista", offset = 0, vm = bufferas)
elif version == (6, 1):
ap = obj.Object("AuditPolData7", offset = 0, vm = bufferas)
elif version == (6, 2) or version == (6, 3):
ap = obj.Object("AuditPolData8", offset = 0, vm = bufferas)
else:
ap = obj.Object("AuditPolData10", offset = 0, vm = bufferas)
if ap == None:
debug.error("No AuditPol data found")
yield data_raw, ap
Example #2
| Source File: malfind.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
addr_space = utils.load_as(self._config)
rules = self._compile_rules()
process_mem = self._scan_process_memory(addr_space, rules)
kernel_mem = self._scan_kernel_memory(addr_space, rules)
if self._config.ALL:
for p in process_mem:
yield p
for k in kernel_mem:
yield k
elif self._config.KERNEL:
for k in kernel_mem:
yield k
else:
for p in process_mem:
yield p
Example #3
| Source File: gahti.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def generator(self, data):
profile = utils.load_as(self._config).profile
# Get the OS version being analyzed
version = (profile.metadata.get('major', 0),
profile.metadata.get('minor', 0))
# Choose which USER handle enum to use
if version >= (6, 1):
handle_types = consts.HANDLE_TYPE_ENUM_SEVEN
else:
handle_types = consts.HANDLE_TYPE_ENUM
for session in data:
gahti = session.find_gahti()
if gahti:
for i, h in handle_types.items():
yield (0,
[str(session.SessionId),
str(h),
str(gahti.types[i].dwAllocTag),
Address(gahti.types[i].fnDestroy),
str(gahti.types[i].bObjectCreateFlags)])
Example #4
| Source File: find_file.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def get_page_contents(self, inode, idx):
page_addr = self.find_get_page(inode, idx)
if page_addr:
page = obj.Object("page", offset = page_addr, vm = self.addr_space)
phys_offset = page.to_paddr()
if phys_offset > 0:
phys_as = utils.load_as(self._config, astype = 'physical')
data = phys_as.zread(phys_offset, 4096)
else:
data = "\x00" * 4096
else:
data = "\x00" * 4096
return data
# main function to be called, handles getting all the pages of an inode
# and handles the last page not being page_size aligned
Example #5
| Source File: userassist.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
self.regapi = registryapi.RegistryApi(self._config)
win7 = addr_space.profile.metadata.get('major', 0) == 6 and addr_space.profile.metadata.get('minor', 0) >= 1
skey = "software\\microsoft\\windows\\currentversion\\explorer\\userassist"
if not self._config.HIVE_OFFSET:
self.regapi.set_current("ntuser.dat")
else:
name = obj.Object("_CMHIVE", vm = addr_space, offset = self._config.HIVE_OFFSET).get_name()
self.regapi.all_offsets[self._config.HIVE_OFFSET] = name
self.regapi.current_offsets[self._config.HIVE_OFFSET] = name
for key, name in self.regapi.reg_yield_key(None, skey):
for guidkey in self.regapi.reg_get_all_subkeys(None, None, given_root = key):
for count in self.regapi.reg_get_all_subkeys(None, None, given_root = guidkey):
if count.Name == "Count":
yield win7, name, count
Example #6
| Source File: dlldump.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if self._config.DUMP_DIR == None:
debug.error("Please specify a dump directory (--dump-dir)")
if not os.path.isdir(self._config.DUMP_DIR):
debug.error(self._config.DUMP_DIR + " is not a directory")
if self._config.OFFSET != None:
data = [self.virtual_process_from_physical_offset(addr_space, self._config.OFFSET)]
else:
data = self.filter_tasks(tasks.pslist(addr_space))
if self._config.REGEX:
try:
if self._config.IGNORE_CASE:
mod_re = re.compile(self._config.REGEX, re.I)
else:
mod_re = re.compile(self._config.REGEX)
except re.error, e:
debug.error('Error parsing regular expression: %s' % e)
Example #7
| Source File: poisonivy.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
rules = yara.compile(sources = signatures)
for task in self.filter_tasks(tasks.pslist(addr_space)):
scanner = malfind.VadYaraScanner(task = task, rules = rules)
for hit, address in scanner.scan():
vad_base_addr = self.get_vad_base(task, address)
if address - vad_base_addr > 0x1000:
continue
yield task, vad_base_addr
Example #8
| Source File: psempire.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
if not has_yara:
debug.error("Yara must be installed for this plugin")
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
# For each process in the list
for task in self.filter_tasks(tasks.pslist(addr_space)):
# print task.ImageFileName
for vad, address_space in task.get_vads(vad_filter = task._injection_filter):
# Injected code detected if there's values returned
rules = yara.compile(sources = signatures)
scanner = malfind.VadYaraScanner(task = task, rules = rules)
# print 'before'
for hit, address in scanner.scan():
vad_base_addr = self.get_vad_base(task, address)
# Get a chuck of memory of size 2048 next to where the string was detected
content = address_space.zread(address, 2048)
yield task, address, vad_base_addr, content
break
# break # Show only 1 instance of detected injection per process
Example #9
| Source File: unchain.py From ROPMEMU with GNU Lesser General Public License v2.1 | 6 votes |
|
def calculate(self):
if not self.is_nasm():
debug.error("Please install nasm")
if not self._config.IJSON:
debug.error("Please provide the input JSON trace")
self._addrspace = utils.load_as(self._config)
self.md = self.init_capstone()
self.md.detail = True
print "[+] From gadget: %s" % self._config.SGADGET
print "[+] To gadget: %s" % self._config.GLIMIT
self.get_json_trace()
self.follow_trace()
if self._config.DEBUG:
self.get_trace_asm()
if self._config.DB or self._config.IDB:
self.serialize_opcodes()
Example #10
| Source File: lsadump.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not self._config.sys_offset or not self._config.sec_offset:
regapi = registryapi.RegistryApi(self._config)
for offset in regapi.all_offsets:
name = regapi.all_offsets[offset].lower().split("\\")[-1]
if "system" == name:
self._config.update("SYS_OFFSET", offset)
elif "security" == name:
self._config.update("SEC_OFFSET", offset)
hashes = domcachedumpmod.dump_memory_hashes(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
if hashes == None:
debug.error("Unable to read hashes from registry")
return hashes
Example #11
| Source File: lsadump.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not self._config.sys_offset or not self._config.sam_offset:
regapi = registryapi.RegistryApi(self._config)
for offset in regapi.all_offsets:
name = regapi.all_offsets[offset].lower().split("\\")[-1]
if "system" == name:
self._config.update("SYS_OFFSET", offset)
elif "sam" == name:
self._config.update("SAM_OFFSET", offset)
hashes = hashdumpmod.dump_memory_hashes(addr_space, self._config, self._config.sys_offset, self._config.sam_offset)
if not hashes:
debug.error("Unable to read hashes from registry")
return hashes
Example #12
| Source File: netscan.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
for objct in self.scan_results(addr_space):
if isinstance(objct, _UDP_ENDPOINT):
# For UdpA, the state is always blank and the remote end is asterisks
for ver, laddr, _ in objct.dual_stack_sockets():
yield objct, "UDP" + ver, laddr, objct.Port, "*", "*", ""
elif isinstance(objct, _TCP_ENDPOINT):
if objct.AddressFamily == AF_INET:
proto = "TCPv4"
elif objct.AddressFamily == AF_INET6:
proto = "TCPv6"
yield objct, proto, objct.LocalAddress, objct.LocalPort, \
objct.RemoteAddress, objct.RemotePort, objct.State
elif isinstance(objct, _TCP_LISTENER):
# For TcpL, the state is always listening and the remote port is zero
for ver, laddr, raddr in objct.dual_stack_sockets():
yield objct, "TCP" + ver, laddr, objct.Port, raddr, 0, "LISTENING"
Example #13
| Source File: netscan.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This command does not support the selected profile.")
for objct in self.scan_results(addr_space):
if isinstance(objct, _UDP_ENDPOINT):
# For UdpA, the state is always blank and the remote end is asterisks
for ver, laddr, _ in objct.dual_stack_sockets():
yield objct, "UDP" + ver, laddr, objct.Port, "*", "*", ""
elif isinstance(objct, _TCP_ENDPOINT):
if objct.AddressFamily == AF_INET:
proto = "TCPv4"
elif objct.AddressFamily == AF_INET6:
proto = "TCPv6"
yield objct, proto, objct.LocalAddress, objct.LocalPort, \
objct.RemoteAddress, objct.RemotePort, objct.State
elif isinstance(objct, _TCP_LISTENER):
# For TcpL, the state is always listening and the remote port is zero
for ver, laddr, raddr in objct.dual_stack_sockets():
yield objct, "TCP" + ver, laddr, objct.Port, raddr, 0, "LISTENING"
Example #14
| Source File: lsadump.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not self._config.sys_offset or not self._config.sec_offset:
regapi = registryapi.RegistryApi(self._config)
for offset in regapi.all_offsets:
name = regapi.all_offsets[offset].lower().split("\\")[-1]
if "system" == name:
self._config.update("SYS_OFFSET", offset)
elif "security" == name:
self._config.update("SEC_OFFSET", offset)
secrets = lsasecrets.get_memory_secrets(addr_space, self._config, self._config.sys_offset, self._config.sec_offset)
if not secrets:
debug.error("Unable to read LSA secrets from registry")
return secrets
Example #15
| Source File: lastpass.py From volatility_plugins with MIT License | 5 votes |
|
def calculate(self):
""" Required: Runs YARA search to find hits """
if not has_yara:
debug.error('Yara must be installed for this plugin')
addr_space = utils.load_as(self._config)
rules = yara.compile(sources = signatures)
for task in self.filter_tasks(tasks.pslist(addr_space)):
if not task.ImageFileName.lower() in ['chrome.exe', 'firefox.exe', 'iexplore.exe']:
continue
scanner = malfind.VadYaraScanner(task=task, rules=rules)
for hit, address in scanner.scan():
yield task, address
Example #16
| Source File: psdispscan.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
address_space = utils.load_as(self._config, astype = 'physical')
for offset in PSDispScanner().scan(address_space):
yield obj.Object('_EPROCESS', vm = address_space, offset = offset)
Example #17
| Source File: enumfunc.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
tasklist = []
modslist = []
if self._config.SCAN:
if not self._config.KERNEL_ONLY:
for t in filescan.PSScan(self._config).calculate():
v = self.virtual_process_from_physical_offset(addr_space, t.obj_offset)
if v:
tasklist.append(v)
if not self._config.PROCESS_ONLY:
modslist = [m for m in modscan.ModScan(self._config).calculate()]
else:
if not self._config.KERNEL_ONLY:
tasklist = [t for t in tasks.pslist(addr_space)]
if not self._config.PROCESS_ONLY:
modslist = [m for m in modules.lsmod(addr_space)]
for task in tasklist:
for mod in task.get_load_modules():
yield task, mod
for mod in modslist:
yield None, mod
Example #18
| Source File: browserhooks.py From volatility-browserhooks with BSD 2-Clause "Simplified" License | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
## prerequisities
if not has_distorm3:
debug.error("Install distorm3 code.google.com/p/distorm/")
if not has_yara:
debug.error("Please install Yara from https://plusvic.github.io/yara/")
for proc in self.filter_tasks(tasks.pslist(addr_space)):
process_space = proc.get_process_address_space()
if not process_space:
print("Cannot acquire process AS for {0} ({1})".format(proc.ImageFileName, proc.UniqueProcessId))
continue
#PK process_space.profile.add_types(wow64_types)
process_space.profile.object_classes.update({'_UNICODE_STRING32': _UNICODE_STRING32,
'_LDR_DATA_TABLE_ENTRY32' : _LDR_DATA_TABLE_ENTRY32,
'_IMAGE_IMPORT_DESCRIPTOR32' : _IMAGE_IMPORT_DESCRIPTOR32})
i = 0
if proc.IsWow64:
module_group = ModuleGroup(self.get_modules_wow64(proc))
else:
module_group = ModuleGroup(proc.get_load_modules())
for dll in module_group.mods:
if not process_space.is_valid_address(dll.DllBase):
continue
dll_name = str(dll.BaseDllName or '').lower()
if (dll_name not in self.critical_dlls and dll.DllBase != proc.Peb.ImageBaseAddress):
#PK print("Skipping non-critical dll {0} at {1:#x}".format( dll_name, dll.DllBase))
continue
for hook in self.get_hooks(proc, dll, module_group):
if self.whitelist(hook.hook_type, str(proc.ImageFileName), hook.VictimModule, hook.HookModule, hook.Function):
continue
print "dll: %s"%(dll.BaseDllName)
yield proc, dll, hook
Example #19
| Source File: pstotal.py From sift-saltstack with MIT License | 5 votes |
|
def calculate(self):
eproc = {}
found = {}
cmdline = {}
pathname = {}
# Brute force search for eproc blocks in pool memory
address_space = utils.load_as(self._config)
for eprocess in filescan.PSScan(self._config).calculate():
eproc[eprocess.obj_offset] = eprocess
found[eprocess.obj_offset] = 1
# Walking the active process list.
# Remove any tasks we find here from the brute force search if the --short option is set.
# Anything left is something which was hidden/terminated/of interest.
address_space = utils.load_as(self._config)
for task in tasks.pslist(address_space):
phys = address_space.vtop(task.obj_offset)
if phys in eproc:
if self._config.SHORT :
del eproc[phys]
del found[phys]
else:
found[phys] = 0
# Grab command line and parameters
peb = task.Peb
if peb:
cmdline[phys] = peb.ProcessParameters.CommandLine
pathname[phys] = peb.ProcessParameters.ImagePathName
ret = [eproc, found, cmdline, pathname]
return ret
Example #20
| Source File: kpcrscan.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
"""Determines the address space"""
addr_space = utils.load_as(self._config, astype = 'any')
scanner = KPCRScanner()
for offset in scanner.scan(addr_space):
kpcr = obj.Object("_KPCR", offset = offset, vm = addr_space)
yield kpcr
Example #21
| Source File: autoruns.py From volatility-autoruns with GNU General Public License v2.0 | 5 votes |
|
def get_dll_list(self):
addr_space = utils.load_as(self._config)
task_objects = win32.tasks.pslist(addr_space)
for task in task_objects:
if task.Peb:
self.process_dict[int(task.UniqueProcessId)] = (task, [m for m in task.get_load_modules()])
# Matches a given module (executable, DLL) to a running process by looking either
# in the CommandLine parameters or in the loaded modules
Example #22
| Source File: servicediff.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
from_memory = ServiceDiff.services_from_memory_list(addr_space)
if not from_memory:
debug.error("Could not enumerate services from memory")
from_registry = ServiceDiff.services_from_registry(addr_space)
if not from_registry:
debug.error("Could not enumerate services from the registry")
return ServiceDiff.compare(from_registry, from_memory)
Example #23
| Source File: evtlogs.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not self.is_valid_profile(addr_space.profile):
debug.error("This plugin only works on XP and 2003")
## When verbose is specified, we recalculate the list of SIDs for
## services in the registry. Otherwise, we take the list from the
## pre-populated dictionary in getservicesids.py
if self._config.VERBOSE:
ssids = getservicesids.GetServiceSids(self._config).calculate()
for sid, service in ssids:
self.extrasids[sid] = " (Service: " + service + ")"
else:
for sid, service in getservicesids.servicesids.items():
self.extrasids[sid] = " (Service: " + service + ")"
## Get the user's SIDs from the registry
self.load_user_sids()
for proc in tasks.pslist(addr_space):
if str(proc.ImageFileName).lower() == "services.exe":
for vad, process_space in proc.get_vads(vad_filter = proc._mapped_file_filter):
if vad.FileObject.FileName:
name = str(vad.FileObject.FileName).lower()
if name.endswith(".evt"):
## Maybe check the length is reasonable, though probably there won't
## ever be event logs that are multiple GB or TB in size.
data = process_space.zread(vad.Start, vad.Length)
yield name, data
Example #24
| Source File: windowstations.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
seen = []
for wind in self.scan_results(addr_space):
# Find an address space for this window station's session
session = self.find_session_space(
addr_space, wind.dwSessionId)
if not session:
continue
# Reset the object's native VM so pointers are
# dereferenced in session space
wind.set_native_vm(session.obj_vm)
for winsta in wind.traverse():
if winsta.is_valid() and len([desk for desk in winsta.desktops()]) > 0:
offset = winsta.PhysicalAddress
if offset in seen:
continue
seen.append(offset)
yield winsta
Example #25
| Source File: gditimers.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
kernel_as = utils.load_as(self._config)
for session in self.session_spaces(kernel_as):
shared_info = session.find_shared_info()
if not shared_info:
continue
filters = [lambda x : str(x.bType) == "TYPE_TIMER"]
for handle in shared_info.handles(filters):
timer = handle.reference_object()
yield session, handle, timer
Example #26
| Source File: sessions.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
kernel_space = utils.load_as(self._config)
# Once for each unique _MM_SESSION_SPACE
for session in self.session_spaces(kernel_space):
yield session
Example #27
| Source File: printkey.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
if not self._config.hive_offset:
debug.error("A Hive offset must be provided (--hive-offset)")
h = hivemod.HiveAddressSpace(addr_space, self._config, self._config.hive_offset)
return rawreg.get_root(h)
Example #28
| Source File: hivescan.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
metadata = addr_space.profile.metadata
version = (metadata.get("major", 0), metadata.get("minor", 0))
arch = metadata.get("memory_model", "32bit")
if version >= (6, 3) and arch == "64bit":
for pool in bigpools.BigPagePoolScanner(addr_space).scan(["CM10"]):
yield pool.Va.dereference_as("_CMHIVE")
else:
for result in self.scan_results(addr_space):
yield result
Example #29
| Source File: registryapi.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, config):
self._config = config
self.addr_space = utils.load_as(self._config)
self.all_offsets = {}
self.current_offsets = {}
self.populate_offsets()
Example #30
| Source File: shimcache.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
addr_space = utils.load_as(self._config)
regapi = registryapi.RegistryApi(self._config)
for entry in self.get_entries(addr_space, regapi):
yield entry
