Python volatility.obj.Pointer() Examples
The following are 27
code examples of volatility.obj.Pointer().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.obj
, or try the search function
.
Example #1
Source File: pidhashtable.py From aumfor with GNU General Public License v3.0 | 6 votes |
def _walk_upid(self, upid): while upid: pid = self.get_obj(upid.obj_offset, "pid", "numbers") for task in self._task_for_pid(upid, pid): yield task if type(upid.pid_chain) == obj.Pointer: pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space) else: pid_chain = upid.pid_chain if not pid_chain: break upid = self.get_obj(pid_chain.next, "upid", "pid_chain")
Example #2
Source File: pidhashtable.py From volatility with GNU General Public License v2.0 | 6 votes |
def _walk_upid(self, upid): while upid: pid = self.get_obj(upid.obj_offset, "pid", "numbers") for task in self._task_for_pid(upid, pid): yield task if type(upid.pid_chain) == obj.Pointer: pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space) else: pid_chain = upid.pid_chain if not pid_chain: break upid = self.get_obj(pid_chain.next, "upid", "pid_chain")
Example #3
Source File: pidhashtable.py From DAMM with GNU General Public License v2.0 | 6 votes |
def _walk_upid(self, upid): while upid: pid = self.get_obj(upid.obj_offset, "pid", "numbers") for task in self._task_for_pid(upid, pid): yield task if type(upid.pid_chain) == obj.Pointer: pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space) else: pid_chain = upid.pid_chain if not pid_chain: break upid = self.get_obj(pid_chain.next, "upid", "pid_chain")
Example #4
Source File: pidhashtable.py From vortessence with GNU General Public License v2.0 | 6 votes |
def _walk_upid(self, upid): while upid: pid = self.get_obj(upid.obj_offset, "pid", "numbers") for task in self._task_for_pid(upid, pid): yield task if type(upid.pid_chain) == obj.Pointer: pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space) else: pid_chain = upid.pid_chain if not pid_chain: break upid = self.get_obj(pid_chain.next, "upid", "pid_chain")
Example #5
Source File: pidhashtable.py From volatility with GNU General Public License v2.0 | 6 votes |
def _walk_upid(self, upid): seen = set() while upid and upid.is_valid() and upid.v() not in seen: seen.add(upid.v()) pid = self.get_obj(upid.obj_offset, "pid", "numbers") for task in self._task_for_pid(upid, pid): yield task if type(upid.pid_chain) == obj.Pointer: pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space) else: pid_chain = upid.pid_chain if not pid_chain: break upid = self.get_obj(pid_chain.next, "upid", "pid_chain")
Example #6
Source File: check_sysctl.py From vortessence with GNU General Public License v2.0 | 5 votes |
def _process_sysctl_list(self, sysctl_list, r = 0): if type(sysctl_list) == obj.Pointer: sysctl_list = sysctl_list.dereference_as("sysctl_oid_list") sysctl = sysctl_list.slh_first # skip the head entry if new list (recursive call) if r: sysctl = sysctl.oid_link.sle_next while sysctl and sysctl.is_valid(): name = sysctl.oid_name.dereference() if len(name) == 0: break name = str(name) ctltype = sysctl.get_ctltype() if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid(): val = self._parse_global_variable_sysctls(name) elif ctltype == 'CTLTYPE_NODE': if sysctl.oid_handler == 0: for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1): yield info val = "Node" elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']: val = sysctl.oid_arg1.dereference() elif ctltype == 'CTLTYPE_STRING': ## FIXME: can we do this without get_string? val = common.get_string(sysctl.oid_arg1, self.addr_space) else: val = ctltype yield (sysctl, name, val) sysctl = sysctl.oid_link.sle_next
Example #7
Source File: check_sysctl.py From volatility with GNU General Public License v2.0 | 5 votes |
def _process_sysctl_list(self, sysctl_list, r = 0): if type(sysctl_list) == obj.Pointer: sysctl_list = sysctl_list.dereference_as("sysctl_oid_list") sysctl = sysctl_list.slh_first # skip the head entry if new list (recursive call) if r: sysctl = sysctl.oid_link.sle_next while sysctl and sysctl.is_valid(): name = sysctl.oid_name.dereference() if len(name) == 0: break name = str(name) ctltype = sysctl.get_ctltype() if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid(): val = self._parse_global_variable_sysctls(name) elif ctltype == 'CTLTYPE_NODE': if sysctl.oid_handler == 0: for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1): yield info val = "Node" elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']: val = sysctl.oid_arg1.dereference() elif ctltype == 'CTLTYPE_STRING': ## FIXME: can we do this without get_string? val = common.get_string(sysctl.oid_arg1, self.addr_space) else: val = ctltype yield (sysctl, name, val) sysctl = sysctl.oid_link.sle_next
Example #8
Source File: windows64.py From volatility with GNU General Public License v2.0 | 5 votes |
def modification(self, profile): profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, { 'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ], 'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]], } ]}) profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"] profile.merge_overlay({'_DBGKD_GET_VERSION64' : [ None, { 'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]], }]}) # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay # in windows.windows_overlay which sets the DTB to a single unsigned long, # but we do not want that bleeding through to the x64 profiles. Instead we # want the x64 DTB to be a single unsigned long long. profile.merge_overlay({'_KPROCESS' : [ None, { 'DirectoryTableBase' : [ None, ['unsigned long long']], }]}) # Note: the following method of profile modification is strongly discouraged # # Nasty hack because pointer64 has a special structure, # and therefore can't just be instantiated in object_classes # using profile.object_classes.update({'pointer64': obj.Pointer}) profile._list_to_type = Pointer64Decorator(profile._list_to_type)
Example #9
Source File: pidhashtable.py From volatility with GNU General Public License v2.0 | 5 votes |
def calculate_v3(self): self.seen_tasks = {} pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space) pidhash_size = 1 << pidhash_shift pidhash_addr = self.addr_space.profile.get_symbol("pid_hash") pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space) # pidhash is an array of hlist_heads pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size) for hlist in pidhash: # each entry in the hlist is a upid which is wrapped in a pid ent = hlist.first while ent.v(): upid = self.get_obj(ent.obj_offset, "upid", "pid_chain") for task in self._walk_upid(upid): if not task.obj_offset in self.seen_tasks: self.seen_tasks[task.obj_offset] = 1 if task.is_valid_task(): yield task ent = ent.m("next") # the following functions exist because crash has handlers for them # but I was unable to find a profile/kernel that needed them (maybe too old or just a one-off distro kernel # if someone actually triggers this message, I can quickly add in the support as I will have a sample to test again
Example #10
Source File: slab_info.py From aumfor with GNU General Public License v3.0 | 5 votes |
def _get_nodelist(self): ent = self.nodelists if type(ent) == obj.Pointer: ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm) elif type(ent) == obj.Array: ret = ent[0] else: debug.error("Unknown nodelists types. %s" % type(ent)) return ret
Example #11
Source File: slab_info.py From volatility with GNU General Public License v2.0 | 5 votes |
def _get_nodelist(self): ent = self.nodelists if type(ent) == obj.Pointer: ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm) elif type(ent) == obj.Array: ret = ent[0] else: debug.error("Unknown nodelists types. %s" % type(ent)) return ret
Example #12
Source File: check_sysctl.py From DAMM with GNU General Public License v2.0 | 5 votes |
def _process_sysctl_list(self, sysctl_list, r = 0): if type(sysctl_list) == obj.Pointer: sysctl_list = sysctl_list.dereference_as("sysctl_oid_list") sysctl = sysctl_list.slh_first # skip the head entry if new list (recursive call) if r: sysctl = sysctl.oid_link.sle_next while sysctl and sysctl.is_valid(): name = sysctl.oid_name.dereference() if len(name) == 0: break name = str(name) ctltype = sysctl.get_ctltype() if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid(): val = self._parse_global_variable_sysctls(name) elif ctltype == 'CTLTYPE_NODE': if sysctl.oid_handler == 0: for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1): yield info val = "Node" elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']: val = sysctl.oid_arg1.dereference() elif ctltype == 'CTLTYPE_STRING': ## FIXME: can we do this without get_string? val = common.get_string(sysctl.oid_arg1, self.addr_space) else: val = ctltype yield (sysctl, name, val) sysctl = sysctl.oid_link.sle_next
Example #13
Source File: windows64.py From DAMM with GNU General Public License v2.0 | 5 votes |
def modification(self, profile): profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, { 'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ], 'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]], } ]}) profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"] profile.merge_overlay({'_DBGKD_GET_VERSION64' : [ None, { 'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]], }]}) # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay # in windows.windows_overlay which sets the DTB to a single unsigned long, # but we do not want that bleeding through to the x64 profiles. Instead we # want the x64 DTB to be a single unsigned long long. profile.merge_overlay({'_KPROCESS' : [ None, { 'DirectoryTableBase' : [ None, ['unsigned long long']], }]}) # Note: the following method of profile modification is strongly discouraged # # Nasty hack because pointer64 has a special structure, # and therefore can't just be instantiated in object_classes # using profile.object_classes.update({'pointer64': obj.Pointer}) profile._list_to_type = Pointer64Decorator(profile._list_to_type)
Example #14
Source File: pidhashtable.py From DAMM with GNU General Public License v2.0 | 5 votes |
def calculate_v3(self): self.seen_tasks = {} pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space) pidhash_size = 1 << pidhash_shift pidhash_addr = self.addr_space.profile.get_symbol("pid_hash") pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space) # pidhash is an array of hlist_heads pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size) for hlist in pidhash: # each entry in the hlist is a upid which is wrapped in a pid ent = hlist.first while ent.v(): upid = self.get_obj(ent.obj_offset, "upid", "pid_chain") for task in self._walk_upid(upid): if not task.obj_offset in self.seen_tasks: self.seen_tasks[task.obj_offset] = 1 if task.is_valid_task(): yield task ent = ent.m("next") # the following functions exist because crash has handlers for them # but I was unable to find a profile/kernel that needed them (maybe too old or just a one-off distro kernel # if someone actually triggers this message, I can quickly add in the support as I will have a sample to test again
Example #15
Source File: pidhashtable.py From aumfor with GNU General Public License v3.0 | 5 votes |
def _get_pidhash_array(self): pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space) pidhash_size = 1 << pidhash_shift pidhash_addr = self.addr_space.profile.get_symbol("pid_hash") pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space) # pidhash is an array of hlist_heads pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size) return pidhash
Example #16
Source File: slab_info.py From DAMM with GNU General Public License v2.0 | 5 votes |
def _get_nodelist(self): ent = self.nodelists if type(ent) == obj.Pointer: ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm) elif type(ent) == obj.Array: ret = ent[0] else: debug.error("Unknown nodelists types. %s" % type(ent)) return ret
Example #17
Source File: slab_info.py From volatility with GNU General Public License v2.0 | 5 votes |
def _get_nodelist(self): ent = self.nodelists if type(ent) == obj.Pointer: ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm) elif type(ent) == obj.Array: ret = ent[0] else: debug.error("Unknown nodelists types. %s" % type(ent)) return ret
Example #18
Source File: windows64.py From vortessence with GNU General Public License v2.0 | 5 votes |
def modification(self, profile): profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, { 'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ], 'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]], } ]}) profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"] profile.merge_overlay({'_DBGKD_GET_VERSION64' : [ None, { 'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]], }]}) # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay # in windows.windows_overlay which sets the DTB to a single unsigned long, # but we do not want that bleeding through to the x64 profiles. Instead we # want the x64 DTB to be a single unsigned long long. profile.merge_overlay({'_KPROCESS' : [ None, { 'DirectoryTableBase' : [ None, ['unsigned long long']], }]}) # Note: the following method of profile modification is strongly discouraged # # Nasty hack because pointer64 has a special structure, # and therefore can't just be instantiated in object_classes # using profile.object_classes.update({'pointer64': obj.Pointer}) profile._list_to_type = Pointer64Decorator(profile._list_to_type)
Example #19
Source File: pidhashtable.py From vortessence with GNU General Public License v2.0 | 5 votes |
def calculate_v3(self): self.seen_tasks = {} pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space) pidhash_size = 1 << pidhash_shift pidhash_addr = self.addr_space.profile.get_symbol("pid_hash") pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space) # pidhash is an array of hlist_heads pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size) for hlist in pidhash: # each entry in the hlist is a upid which is wrapped in a pid ent = hlist.first while ent.v(): upid = self.get_obj(ent.obj_offset, "upid", "pid_chain") for task in self._walk_upid(upid): if not task.obj_offset in self.seen_tasks: self.seen_tasks[task.obj_offset] = 1 if task.is_valid_task(): yield task ent = ent.m("next") # the following functions exist because crash has handlers for them # but I was unable to find a profile/kernel that needed them (maybe too old or just a one-off distro kernel # if someone actually triggers this message, I can quickly add in the support as I will have a sample to test again
Example #20
Source File: pidhashtable.py From aumfor with GNU General Public License v3.0 | 5 votes |
def calculate_v2(self): poff = self.addr_space.profile.get_obj_offset("task_struct", "pids") pidhash = self._get_pidhash_array() for p in pidhash: if p.v() == 0: continue ptr = obj.Object("Pointer", offset = p.v(), vm = self.addr_space) if ptr.v() == 0: continue pidl = obj.Object("pid_link", offset = ptr.v(), vm = self.addr_space) nexth = pidl.pid if not nexth.is_valid(): continue nexth = obj.Object("task_struct", offset = nexth - poff, vm = self.addr_space) while 1: if not pidl: break yield nexth pidl = pidl.node.m("next").dereference_as("pid_link") nexth = pidl.pid if not nexth.is_valid(): break nexth = obj.Object("task_struct", offset = nexth - poff, vm = self.addr_space)
Example #21
Source File: slab_info.py From vortessence with GNU General Public License v2.0 | 5 votes |
def _get_nodelist(self): ent = self.nodelists if type(ent) == obj.Pointer: ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm) elif type(ent) == obj.Array: ret = ent[0] else: debug.error("Unknown nodelists types. %s" % type(ent)) return ret
Example #22
Source File: check_sysctl.py From volatility with GNU General Public License v2.0 | 5 votes |
def _process_sysctl_list(self, sysctl_list, r = 0): if type(sysctl_list) == obj.Pointer: sysctl_list = sysctl_list.dereference_as("sysctl_oid_list") sysctl = sysctl_list.slh_first # skip the head entry if new list (recursive call) if r: sysctl = sysctl.oid_link.sle_next while sysctl and sysctl.is_valid(): name = sysctl.oid_name.dereference() if len(name) == 0: break name = str(name) ctltype = sysctl.get_ctltype() if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid(): val = self._parse_global_variable_sysctls(name) elif ctltype == 'CTLTYPE_NODE': if sysctl.oid_handler == 0: for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1): yield info val = "Node" elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']: val = sysctl.oid_arg1.dereference() elif ctltype == 'CTLTYPE_STRING': ## FIXME: can we do this without get_string? val = common.get_string(sysctl.oid_arg1, self.addr_space) else: val = ctltype yield (sysctl, name, val) sysctl = sysctl.oid_link.sle_next
Example #23
Source File: windows64.py From volatility with GNU General Public License v2.0 | 5 votes |
def modification(self, profile): profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, { 'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ], 'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]], } ]}) profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"] profile.merge_overlay({'_DBGKD_GET_VERSION64' : [ None, { 'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]], }]}) # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay # in windows.windows_overlay which sets the DTB to a single unsigned long, # but we do not want that bleeding through to the x64 profiles. Instead we # want the x64 DTB to be a single unsigned long long. profile.merge_overlay({'_KPROCESS' : [ None, { 'DirectoryTableBase' : [ None, ['unsigned long long']], }]}) # Note: the following method of profile modification is strongly discouraged # # Nasty hack because pointer64 has a special structure, # and therefore can't just be instantiated in object_classes # using profile.object_classes.update({'pointer64': obj.Pointer}) profile._list_to_type = Pointer64Decorator(profile._list_to_type)
Example #24
Source File: pidhashtable.py From volatility with GNU General Public License v2.0 | 5 votes |
def _get_pidhash_array(self): pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space) pidhash_size = 1 << pidhash_shift pidhash_addr = self.addr_space.profile.get_symbol("pid_hash") pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space) # pidhash is an array of hlist_heads pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size) return pidhash
Example #25
Source File: windows64.py From aumfor with GNU General Public License v3.0 | 5 votes |
def modification(self, profile): profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, { 'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ], 'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]], } ]}) profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"] profile.merge_overlay({'_DBGKD_GET_VERSION64' : [ None, { 'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]], }]}) # In some auto-generated vtypes, the DTB is an array of 2 unsigned longs # (for x86) or an array of 2 unsigned long long (for x64). We have an overlay # in windows.windows_overlay which sets the DTB to a single unsigned long, # but we do not want that bleeding through to the x64 profiles. Instead we # want the x64 DTB to be a single unsigned long long. profile.merge_overlay({'_KPROCESS' : [ None, { 'DirectoryTableBase' : [ None, ['unsigned long long']], }]}) # Note: the following method of profile modification is strongly discouraged # # Nasty hack because pointer64 has a special structure, # and therefore can't just be instantiated in object_classes # using profile.object_classes.update({'pointer64': obj.Pointer}) profile._list_to_type = Pointer64Decorator(profile._list_to_type)
Example #26
Source File: check_fops.py From volatility with GNU General Public License v2.0 | 5 votes |
def _get_name(self, pde, parent): if type(pde.name) == obj.Pointer: s = pde.name.dereference_as("String", length = 255) else: s = pde.obj_vm.read(pde.name.obj_offset, pde.namelen) return str(parent + "/" + str(s))
Example #27
Source File: check_fops.py From volatility with GNU General Public License v2.0 | 4 votes |
def check_proc_fop(self, f_op_members, modules): proc_mnt_addr = self.addr_space.profile.get_symbol("proc_mnt") if proc_mnt_addr: proc_mnt_ptr = obj.Object("Pointer", offset = proc_mnt_addr, vm = self.addr_space) proc_mnts = [proc_mnt_ptr.dereference_as("vfsmount")] else: proc_mnts = [] seen_pids = {} if self.addr_space.profile.obj_has_member("nsproxy", "pid_ns"): ns_member = "pid_ns" else: ns_member = "pid_ns_for_children" for task in self.tasks: nsp = task.nsproxy pidns = nsp.m(ns_member) if pidns.v() in seen_pids: continue seen_pids[pidns.v()] = 1 proc_mnts.append(pidns.proc_mnt) for proc_mnt in proc_mnts: root = proc_mnt.mnt_root for (hooked_member, hook_address) in self.verify_ops(root.d_inode.i_fop, f_op_members, modules): yield ("proc_mnt: root: %x" % root.v(), hooked_member, hook_address) # only check the root directory if self.addr_space.profile.obj_has_member("dentry", "d_child"): walk_member = "d_child" else: walk_member = "d_u" for dentry in root.d_subdirs.list_of_type("dentry", walk_member): name = dentry.d_name.name.dereference_as("String", length = 255) for (hooked_member, hook_address) in self.verify_ops(dentry.d_inode.i_fop, f_op_members, modules): yield("proc_mnt: {0:x}:{1}".format(root.v(), name), hooked_member, hook_address)