Python volatility.plugins.taskmods.DllList() Examples
Example #1
Source File: malfind.py From volatility with GNU General Public License v2.0 | 6 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and register malfind's own options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # (option name, add_option keyword arguments), registered in this order.
    option_table = (
        ("ALL", dict(short_option="A", default=False, action="store_true",
                     help="Scan both process and kernel memory")),
        ("CASE", dict(short_option="C", default=False, action="store_true",
                      help="Make the search case insensitive")),
        ("KERNEL", dict(short_option="K", default=False, action="store_true",
                        help="Scan kernel modules")),
        ("WIDE", dict(short_option="W", default=False, action="store_true",
                      help="Match wide (unicode) strings")),
        ("YARA-RULES", dict(short_option="Y", default=None,
                            help="Yara rules (as a string)")),
        ("YARA-FILE", dict(short_option="y", default=None,
                           help="Yara rules (rules file)")),
        ("DUMP-DIR", dict(short_option="D", default=None,
                          help="Directory in which to dump the files")),
        ("SIZE", dict(short_option="s", default=256,
                      help="Size of preview hexdump (in bytes)",
                      action="store", type="int")),
        ("REVERSE", dict(short_option="R", default=0,
                         help="Reverse this number of bytes",
                         action="store", type="int")),
        ("MAX-SIZE", dict(short_option="M", default=0x40000000,
                          action="store", type="long",
                          help="Set the maximum size (default is 1GB)")),
    )
    for name, spec in option_table:
        config.add_option(name, **spec)
Example #2
Source File: malfind.py From vortessence with GNU General Public License v2.0 | 6 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and register malfind's own options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # (option name, add_option keyword arguments), registered in this order.
    option_table = (
        ("ALL", dict(short_option="A", default=False, action="store_true",
                     help="Scan both process and kernel memory")),
        ("CASE", dict(short_option="C", default=False, action="store_true",
                      help="Make the search case insensitive")),
        ("KERNEL", dict(short_option="K", default=False, action="store_true",
                        help="Scan kernel modules")),
        ("WIDE", dict(short_option="W", default=False, action="store_true",
                      help="Match wide (unicode) strings")),
        ("YARA-RULES", dict(short_option="Y", default=None,
                            help="Yara rules (as a string)")),
        ("YARA-FILE", dict(short_option="y", default=None,
                           help="Yara rules (rules file)")),
        ("DUMP-DIR", dict(short_option="D", default=None,
                          help="Directory in which to dump the files")),
        ("SIZE", dict(short_option="s", default=256,
                      help="Size of preview hexdump (in bytes)",
                      action="store", type="int")),
        ("REVERSE", dict(short_option="R", default=0,
                         help="Reverse this number of bytes",
                         action="store", type="int")),
    )
    for name, spec in option_table:
        config.add_option(name, **spec)
Example #3
Source File: malfind.py From aumfor with GNU General Public License v3.0 | 6 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and register malfind's own options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # (option name, add_option keyword arguments), registered in this order.
    option_table = (
        ("ALL", dict(short_option="A", default=False, action="store_true",
                     help="Scan both process and kernel memory")),
        ("CASE", dict(short_option="C", default=False, action="store_true",
                      help="Make the search case insensitive")),
        ("KERNEL", dict(short_option="K", default=False, action="store_true",
                        help="Scan kernel modules")),
        ("WIDE", dict(short_option="W", default=False, action="store_true",
                      help="Match wide (unicode) strings")),
        ("YARA-RULES", dict(short_option="Y", default=None,
                            help="Yara rules (as a string)")),
        ("YARA-FILE", dict(short_option="y", default=None,
                           help="Yara rules (rules file)")),
        ("DUMP-DIR", dict(short_option="D", default=None,
                          help="Directory in which to dump the files")),
        ("SIZE", dict(short_option="s", default=256,
                      help="Size of preview hexdump (in bytes)",
                      action="store", type="int")),
        ("REVERSE", dict(short_option="R", default=0,
                         help="Reverse this number of bytes",
                         action="store", type="int")),
        ("MAX-SIZE", dict(short_option="M", default=0x40000000,
                          action="store", type="long",
                          help="Set the maximum size (default is 1GB)")),
    )
    for name, spec in option_table:
        config.add_option(name, **spec)
Example #4
Source File: iehistory.py From DAMM with GNU General Public License v2.0 | 5 votes |
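def calculate(self):
    """Scan each selected process for Internet Explorer history records.

    Yields:
        (proc, record) pairs where ``record`` is a valid _URL_RECORD or
        _REDR_RECORD instantiated in the process address space.
    """
    ## Visited URLs are always searched for; freed (LEAK) and redirected
    ## (REDR) records are opt-in via the plugin options.
    tags = ["URL "]
    if self._config.LEAK:
        tags.append("LEAK")
    if self._config.REDR:
        tags.append("REDR")
    ## Record type to instantiate for each tag.
    tag_records = {
        "URL ": "_URL_RECORD",
        "LEAK": "_URL_RECORD",
        "REDR": "_REDR_RECORD",
    }
    ## Processes are selected by the inherited --pid / --offset options.
    for proc in taskmods.DllList(self._config).calculate():
        ps_as = proc.get_process_address_space()
        for hit in proc.search_process_memory(tags):
            ## Re-read the four tag bytes to learn which tag matched.
            tag = ps_as.read(hit, 4)
            ## Skip the hit rather than aborting the whole scan with a
            ## KeyError if the bytes could not be read back (read() can
            ## return None for an unavailable page) or are not a tag we
            ## asked for.
            record_type = tag_records.get(tag)
            if record_type is None:
                continue
            record = obj.Object(record_type, offset = hit, vm = ps_as)
            if record.is_valid():
                yield proc, record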
Example #5
Source File: joblinks.py From vortessence with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and add the PHYSICAL-OFFSET (-P) switch.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    physical_offset_spec = dict(
        short_option="P",
        default=False,
        cache_invalidator=False,
        help="Display physical offsets instead of virtual",
        action="store_true",
    )
    config.add_option("PHYSICAL-OFFSET", **physical_offset_spec)
Example #6
Source File: privileges.py From vortessence with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args):
    """Initialise the DllList base and register the privileges options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args)
    # (option name, add_option keyword arguments), registered in this order.
    extra_options = (
        ("SILENT", {"short_option": "s", "default": False,
                    "help": "Suppress less meaningful results",
                    "action": "store_true"}),
        ("REGEX", {"short_option": "r",
                   "help": "Show privileges matching REGEX",
                   "action": "store", "type": "string"}),
    )
    for name, spec in extra_options:
        config.add_option(name, **spec)
Example #7
Source File: iehistory.py From vortessence with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and add the LEAK / REDR record switches.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # Both switches are plain boolean flags, so only the name, short
    # option and help text vary.
    for name, short, text in (
        ("LEAK", "L", "Find LEAK records (deleted)"),
        ("REDR", "R", "Find REDR records (redirected)"),
    ):
        config.add_option(name, short_option=short, default=False,
                          action="store_true", help=text)
Example #8
Source File: iehistory.py From vortessence with GNU General Public License v2.0 | 5 votes |
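def calculate(self):
    """Scan each selected process for Internet Explorer history records.

    Yields:
        (proc, record) pairs where ``record`` is a valid _URL_RECORD or
        _REDR_RECORD instantiated in the process address space.
    """
    ## Visited URLs are always searched for; freed (LEAK) and redirected
    ## (REDR) records are opt-in via the plugin options.
    tags = ["URL "]
    if self._config.LEAK:
        tags.append("LEAK")
    if self._config.REDR:
        tags.append("REDR")
    ## Record type to instantiate for each tag.
    tag_records = {
        "URL ": "_URL_RECORD",
        "LEAK": "_URL_RECORD",
        "REDR": "_REDR_RECORD",
    }
    ## Processes are selected by the inherited --pid / --offset options.
    for proc in taskmods.DllList(self._config).calculate():
        ps_as = proc.get_process_address_space()
        for hit in proc.search_process_memory(tags):
            ## Re-read the four tag bytes to learn which tag matched.
            tag = ps_as.read(hit, 4)
            ## Skip the hit rather than aborting the whole scan with a
            ## KeyError if the bytes could not be read back (read() can
            ## return None for an unavailable page) or are not a tag we
            ## asked for.
            record_type = tag_records.get(tag)
            if record_type is None:
                continue
            record = obj.Object(record_type, offset = hit, vm = ps_as)
            if record.is_valid():
                yield proc, record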
Example #9
Source File: envars.py From vortessence with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and add the SILENT (-s) switch.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    silent_spec = dict(
        short_option="s",
        default=False,
        help="Suppress common and non-persistent variables",
        action="store_true",
    )
    config.add_option("SILENT", **silent_spec)
Example #10
Source File: enumfunc.py From vortessence with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base, drop its PID/OFFSET options and add the
    enumfunc selection switches.

    Parameters:
        config: volatility option container that is modified in place.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # The inherited process-selection options are not used by this plugin.
    for inherited in ("PID", "OFFSET"):
        config.remove_option(inherited)
    # Every switch below is a boolean flag; registered in this order.
    flags = (
        ("SCAN", "s", "Scan for objects"),
        ("PROCESS-ONLY", "P", "Process only"),
        ("KERNEL-ONLY", "K", "Kernel only"),
        ("IMPORT-ONLY", "I", "Imports only"),
        ("EXPORT-ONLY", "E", "Exports only"),
    )
    for name, short, text in flags:
        config.add_option(name, short_option=short, default=False,
                          action="store_true", help=text)
Example #11
Source File: notepad.py From DAMM with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and add the DUMP-DIR (-D) option.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    dump_dir_spec = dict(
        short_option="D",
        default=None,
        help="Dump binary data to this directory",
    )
    config.add_option("DUMP-DIR", **dump_dir_spec)
Example #12
Source File: procdump.py From DAMM with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and register the procdump options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # (option name, add_option keyword arguments), registered in this order.
    option_table = (
        ("DUMP-DIR", dict(short_option="D", default=None,
                          cache_invalidator=False,
                          help="Directory in which to dump executable files")),
        ("UNSAFE", dict(short_option="u", default=False, action="store_true",
                        help="Bypasses certain sanity checks when creating image")),
        ("MEMORY", dict(short_option="m", default=False, action="store_true",
                        help="Carve as a memory sample rather than exe/disk")),
        ("FIX", dict(short_option="x", default=False,
                     help="Modify the image base of the dump to the in-memory base address",
                     action="store_true")),
    )
    for name, spec in option_table:
        config.add_option(name, **spec)
Example #13
Source File: handles.py From DAMM with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and register the handles options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # (option name, add_option keyword arguments), registered in this order.
    option_table = (
        ("PHYSICAL-OFFSET", {"short_option": "P", "default": False,
                             "help": "Physical Offset",
                             "action": "store_true"}),
        ("OBJECT-TYPE", {"short_option": "t", "default": None,
                         "help": "Show these object types (comma-separated)",
                         "action": "store", "type": "str"}),
        ("SILENT", {"short_option": "s", "default": False,
                    "action": "store_true",
                    "help": "Suppress less meaningful results"}),
    )
    for name, spec in option_table:
        config.add_option(name, **spec)
Example #14
Source File: handles.py From DAMM with GNU General Public License v2.0 | 5 votes |
def calculate(self):
    """Walk the handle table of every selected process.

    Yields:
        (pid, handle, object_type, name) for each valid handle, where
        ``name`` is derived from the pointed-to object for File, Key,
        Process and Thread handles and from the handle's NameInfo
        otherwise ('' when none is available).
    """
    def _file_name(h):
        return str(h.dereference_as("_FILE_OBJECT").file_name_with_device())

    def _key_name(h):
        return h.dereference_as("_CM_KEY_BODY").full_key_name()

    def _process_name(h):
        p = h.dereference_as("_EPROCESS")
        return "{0}({1})".format(p.ImageFileName, p.UniqueProcessId)

    def _thread_name(h):
        t = h.dereference_as("_ETHREAD")
        return "TID {0} PID {1}".format(t.Cid.UniqueThread, t.Cid.UniqueProcess)

    # Checked in order with ==, exactly like the original if/elif chain.
    resolvers = (
        ("File", _file_name),
        ("Key", _key_name),
        ("Process", _process_name),
        ("Thread", _thread_name),
    )

    for task in taskmods.DllList.calculate(self):
        pid = task.UniqueProcessId
        if not task.ObjectTable.HandleTableList:
            continue
        for handle in task.ObjectTable.handles():
            if not handle.is_valid():
                continue
            object_type = handle.get_object_type()
            for type_name, resolve in resolvers:
                if object_type == type_name:
                    name = resolve(handle)
                    break
            else:
                # NOTE(review): kept as `== None` rather than `is None` on
                # purpose -- Name may be a volatility NoneObject, which
                # compares equal to None without being the singleton.
                if handle.NameInfo.Name == None:
                    name = ''
                else:
                    name = str(handle.NameInfo.Name)
            yield pid, handle, object_type, name
Example #15
Source File: vadinfo.py From DAMM with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and add the ADDR (-a) option.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    addr_spec = dict(
        short_option="a",
        default=None,
        help="Show info on VAD at or containing this address",
        action="store",
        type="int",
    )
    config.add_option("ADDR", **addr_spec)
Example #16
Source File: privileges.py From DAMM with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args):
    """Initialise the DllList base and register the privileges options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args)
    # (option name, add_option keyword arguments), registered in this order.
    extra_options = (
        ("SILENT", {"short_option": "s", "default": False,
                    "help": "Suppress less meaningful results",
                    "action": "store_true"}),
        ("REGEX", {"short_option": "r",
                   "help": "Show privileges matching REGEX",
                   "action": "store", "type": "string"}),
    )
    for name, spec in extra_options:
        config.add_option(name, **spec)
Example #17
Source File: iehistory.py From DAMM with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and add the LEAK / REDR record switches.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # Both switches are plain boolean flags, so only the name, short
    # option and help text vary.
    for name, short, text in (
        ("LEAK", "L", "Find LEAK records (deleted)"),
        ("REDR", "R", "Find REDR records (redirected)"),
    ):
        config.add_option(name, short_option=short, default=False,
                          action="store_true", help=text)
Example #18
Source File: handles.py From vortessence with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and register the handles options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # (option name, add_option keyword arguments), registered in this order.
    option_table = (
        ("PHYSICAL-OFFSET", {"short_option": "P", "default": False,
                             "help": "Physical Offset",
                             "action": "store_true"}),
        ("OBJECT-TYPE", {"short_option": "t", "default": None,
                         "help": "Show these object types (comma-separated)",
                         "action": "store", "type": "str"}),
        ("SILENT", {"short_option": "s", "default": False,
                    "action": "store_true",
                    "help": "Suppress less meaningful results"}),
    )
    for name, spec in option_table:
        config.add_option(name, **spec)
Example #19
Source File: envars.py From DAMM with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and add the SILENT (-s) switch.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    silent_spec = dict(
        short_option="s",
        default=False,
        help="Suppress common and non-persistent variables",
        action="store_true",
    )
    config.add_option("SILENT", **silent_spec)
Example #20
Source File: threads.py From DAMM with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base, reset the bitness marker and register
    the threads options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # Not decided here; left as None until something else sets it.
    self.bits32 = None
    # (option name, add_option keyword arguments), registered in this order.
    option_table = (
        ("FILTER", dict(short_option="F", default=None,
                        help="Tags to filter (comma-separated)")),
        ("LISTTAGS", dict(short_option="L", default=False,
                          action="store_true",
                          help="List all available tags")),
    )
    for name, spec in option_table:
        config.add_option(name, **spec)
Example #21
Source File: notepad.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and add the DUMP-DIR (-D) option.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    dump_dir_spec = dict(
        short_option="D",
        default=None,
        help="Dump binary data to this directory",
    )
    config.add_option("DUMP-DIR", **dump_dir_spec)
Example #22
Source File: procdump.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and register the procdump options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # (option name, add_option keyword arguments), registered in this order.
    option_table = (
        ("DUMP-DIR", dict(short_option="D", default=None,
                          cache_invalidator=False,
                          help="Directory in which to dump executable files")),
        ("UNSAFE", dict(short_option="u", default=False, action="store_true",
                        help="Bypasses certain sanity checks when creating image")),
        ("MEMORY", dict(short_option="m", default=False, action="store_true",
                        help="Carve as a memory sample rather than exe/disk")),
        ("FIX", dict(short_option="x", default=False,
                     help="Modify the image base of the dump to the in-memory base address",
                     action="store_true")),
    )
    for name, spec in option_table:
        config.add_option(name, **spec)
Example #23
Source File: handles.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and register the handles options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # (option name, add_option keyword arguments), registered in this order.
    option_table = (
        ("PHYSICAL-OFFSET", {"short_option": "P", "default": False,
                             "help": "Physical Offset",
                             "action": "store_true"}),
        ("OBJECT-TYPE", {"short_option": "t", "default": None,
                         "help": "Show these object types (comma-separated)",
                         "action": "store", "type": "str"}),
        ("SILENT", {"short_option": "s", "default": False,
                    "action": "store_true",
                    "help": "Suppress less meaningful results"}),
    )
    for name, spec in option_table:
        config.add_option(name, **spec)
Example #24
Source File: handles.py From volatility with GNU General Public License v2.0 | 5 votes |
def calculate(self):
    """Walk the handle table of every selected process.

    Yields:
        (pid, handle, object_type, name) for each valid handle, where
        ``name`` is derived from the pointed-to object for File, Key,
        Process and Thread handles and from the handle's NameInfo
        otherwise ('' when none is available).
    """
    def _file_name(h):
        return str(h.dereference_as("_FILE_OBJECT").file_name_with_device())

    def _key_name(h):
        return h.dereference_as("_CM_KEY_BODY").full_key_name()

    def _process_name(h):
        p = h.dereference_as("_EPROCESS")
        return "{0}({1})".format(p.ImageFileName, p.UniqueProcessId)

    def _thread_name(h):
        t = h.dereference_as("_ETHREAD")
        return "TID {0} PID {1}".format(t.Cid.UniqueThread, t.Cid.UniqueProcess)

    # Checked in order with ==, exactly like the original if/elif chain.
    resolvers = (
        ("File", _file_name),
        ("Key", _key_name),
        ("Process", _process_name),
        ("Thread", _thread_name),
    )

    for task in taskmods.DllList.calculate(self):
        pid = task.UniqueProcessId
        if not task.ObjectTable.HandleTableList:
            continue
        for handle in task.ObjectTable.handles():
            if not handle.is_valid():
                continue
            object_type = handle.get_object_type()
            for type_name, resolve in resolvers:
                if object_type == type_name:
                    name = resolve(handle)
                    break
            else:
                # NOTE(review): kept as `== None` rather than `is None` on
                # purpose -- Name may be a volatility NoneObject, which
                # compares equal to None without being the singleton.
                if handle.NameInfo.Name == None:
                    name = ''
                else:
                    name = str(handle.NameInfo.Name)
            yield pid, handle, object_type, name
Example #25
Source File: vadinfo.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and add the ADDR (-a) option.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    addr_spec = dict(
        short_option="a",
        default=None,
        help="Show info on VAD at or containing this address",
        action="store",
        type="int",
    )
    config.add_option("ADDR", **addr_spec)
Example #26
Source File: privileges.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args):
    """Initialise the DllList base and register the privileges options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args)
    # (option name, add_option keyword arguments), registered in this order.
    extra_options = (
        ("SILENT", {"short_option": "s", "default": False,
                    "help": "Suppress less meaningful results",
                    "action": "store_true"}),
        ("REGEX", {"short_option": "r",
                   "help": "Show privileges matching REGEX",
                   "action": "store", "type": "string"}),
    )
    for name, spec in extra_options:
        config.add_option(name, **spec)
Example #27
Source File: iehistory.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and add the LEAK / REDR record switches.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # Both switches are plain boolean flags, so only the name, short
    # option and help text vary.
    for name, short, text in (
        ("LEAK", "L", "Find LEAK records (deleted)"),
        ("REDR", "R", "Find REDR records (redirected)"),
    ):
        config.add_option(name, short_option=short, default=False,
                          action="store_true", help=text)
Example #28
Source File: iehistory.py From volatility with GNU General Public License v2.0 | 5 votes |
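def calculate(self):
    """Scan each selected process for Internet Explorer history records.

    Yields:
        (proc, record) pairs where ``record`` is a valid _URL_RECORD or
        _REDR_RECORD instantiated in the process address space.
    """
    ## Visited URLs are always searched for; freed (LEAK) and redirected
    ## (REDR) records are opt-in via the plugin options.
    tags = ["URL "]
    if self._config.LEAK:
        tags.append("LEAK")
    if self._config.REDR:
        tags.append("REDR")
    ## Record type to instantiate for each tag.
    tag_records = {
        "URL ": "_URL_RECORD",
        "LEAK": "_URL_RECORD",
        "REDR": "_REDR_RECORD",
    }
    ## Processes are selected by the inherited --pid / --offset options.
    for proc in taskmods.DllList(self._config).calculate():
        ps_as = proc.get_process_address_space()
        for hit in proc.search_process_memory(tags):
            ## Re-read the four tag bytes to learn which tag matched.
            tag = ps_as.read(hit, 4)
            ## Skip the hit rather than aborting the whole scan with a
            ## KeyError if the bytes could not be read back (read() can
            ## return None for an unavailable page) or are not a tag we
            ## asked for.
            record_type = tag_records.get(tag)
            if record_type is None:
                continue
            record = obj.Object(record_type, offset = hit, vm = ps_as)
            if record.is_valid():
                yield proc, record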
Example #29
Source File: envars.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base and add the SILENT (-s) switch.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    silent_spec = dict(
        short_option="s",
        default=False,
        help="Suppress common and non-persistent variables",
        action="store_true",
    )
    config.add_option("SILENT", **silent_spec)
Example #30
Source File: threads.py From volatility with GNU General Public License v2.0 | 5 votes |
def __init__(self, config, *args, **kwargs):
    """Initialise the DllList base, reset the bitness marker and register
    the threads options.

    Parameters:
        config: volatility option container that add_option() is called on.
        *args, **kwargs: forwarded untouched to taskmods.DllList.__init__.
    """
    taskmods.DllList.__init__(self, config, *args, **kwargs)
    # Not decided here; left as None until something else sets it.
    self.bits32 = None
    # (option name, add_option keyword arguments), registered in this order.
    option_table = (
        ("FILTER", dict(short_option="F", default=None,
                        help="Tags to filter (comma-separated)")),
        ("LISTTAGS", dict(short_option="L", default=False,
                          action="store_true",
                          help="List all available tags")),
    )
    for name, spec in option_table:
        config.add_option(name, **spec)