Python volatility.plugins.filescan.FileScan() Examples
Example #1
Source File: autoruns.py From volatility-autoruns with GNU General Public License v2.0 | 4 votes |
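def get_tasks(self):
    """Locate Scheduled Task XML files in memory and return the parsed tasks.

    Walks every cached file object found by ``filescan.FileScan``, keeps the
    ones whose path contains ``system32\\tasks\\``, reassembles each file's
    resident pages via ``dumpfiles.DumpFiles`` and hands the XML to
    ``self.parse_task_xml``.

    Returns:
        list of ``(task_name, parsed, task_xml, pids)`` tuples: ``task_name``
        is the last path component of the file name, ``parsed`` is the dict
        returned by ``parse_task_xml`` (with any ``Arguments`` appended to
        ``Actions.Exec.Command``), ``task_xml`` is the raw reassembled file
        content and ``pids`` is what ``find_pids_for_imagepath`` reports for
        the command. A task that cannot be dumped or parsed is logged and
        skipped rather than aborting the remaining tasks; if the file scan
        itself fails an empty list is returned.

    Side effects:
        Overwrites ``self._config.PHYSOFFSET`` and ``self._config.DUMP_DIR``
        for every task so that DumpFiles targets that file object.
    """
    debug.debug('Started get_tasks()')

    addr_space = utils.load_as(self._config)
    parsed_tasks = []

    try:
        tasks = self._find_task_files(filescan.FileScan(self._config))
    except Exception as e:
        debug.warning('get_tasks() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))
        debug.debug('Finished get_tasks()')
        return parsed_tasks

    for offset, name in tasks:
        # Guard per task: one unreadable or malformed task file must not hide
        # every task after it. A single try/except around the whole walk would
        # drop all remaining tasks on the first error with only a warning.
        try:
            parsed_tasks.extend(self._parse_task_file(addr_space, offset, name))
        except Exception as e:
            debug.warning('get_tasks() failed on task {0}. Exception: {1} {2}'.format(name, type(e).__name__, e.args))

    debug.debug('Finished get_tasks()')
    return parsed_tasks

def _find_task_files(self, scanner):
    """Return ``(physical_offset, path)`` for each cached file object under system32\\tasks\\.

    Args:
        scanner: a ``filescan.FileScan`` instance whose ``calculate()`` yields
            file objects exposing ``file_name_with_device()`` and ``obj_offset``.
    """
    tasks = []
    for file_obj in scanner.calculate():
        filename = str(file_obj.file_name_with_device() or '')
        lowered = filename.lower()
        # Stock tasks live under the Microsoft\ subfolder and are only reported
        # with --verbose. Coverage note: anything planted under that subfolder
        # is hidden by the default filter, so a full review should run verbose.
        if "system32\\tasks\\" in lowered and ('system32\\tasks\\microsoft' not in lowered or self._config.VERBOSE):
            tasks.append((file_obj.obj_offset, filename))
            debug.debug("Found task: 0x{0:x} {1}".format(file_obj.obj_offset, filename))
    return tasks

def _parse_task_file(self, addr_space, offset, name):
    """Dump, reassemble and parse one task file.

    Args:
        addr_space: the address space returned by ``utils.load_as``; pages are
            read through ``addr_space.base``.
        offset: physical offset of the file object, passed to DumpFiles as
            ``PHYSOFFSET``.
        name: full device path of the task file; its last component becomes
            the task name.

    Returns:
        list of ``(task_name, parsed, task_xml, pids)`` tuples, one per result
        DumpFiles yields for this offset (empty when ``parse_task_xml`` returns
        a falsy value).

    Raises:
        KeyError if ``parse_task_xml`` returns a dict without an
        ``Actions``/``Exec`` entry (the caller logs and skips the task).
    """
    self._config.PHYSOFFSET = '0x{:x}'.format(offset)
    df = dumpfiles.DumpFiles(self._config)
    # Only calculate() is consumed, nothing is written to disk; DUMP_DIR is
    # presumably required by DumpFiles' option validation - confirm.
    self._config.DUMP_DIR = '.'

    results = []
    for data in df.calculate():
        # task_xml is raw content recovered from the image, i.e. untrusted
        # input: parse_task_xml (not visible here) should treat it defensively.
        task_xml = self._reassemble_present(addr_space, data['present'])
        parsed = self.parse_task_xml(task_xml, name)
        if not parsed:
            continue
        exec_action = parsed['Actions']['Exec']
        args = exec_action.get("Arguments", None)
        if args:
            # Fold the arguments into the command so the image-path lookup and
            # the report show the full command line.
            exec_action['Command'] += " {}".format(args)
        pids = self.find_pids_for_imagepath(exec_action['Command'])
        results.append((name.split('\\')[-1], parsed, task_xml, pids))
    return results

@staticmethod
def _reassemble_present(addr_space, present):
    """Concatenate the resident chunks of a dumped file in file-offset order.

    Each entry of ``present`` is indexed as ``[memory_offset, file_offset,
    size]`` (inferred from how the original read used it - confirm against
    dumpfiles.py). Gaps between chunks are not padded, so the result is the
    concatenation of the resident pages only.
    """
    # Doing this with mmap would probably be cleaner (a resizable map that we
    # seek and write into), but mmap resizing is not available without mremap().
    chunks = {}
    for mdata in present:
        chunks[mdata[1]] = addr_space.base.read(mdata[0], mdata[2])
    return "".join(chunks[file_off] for file_off in sorted(chunks))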