Python volatility.obj.Pointer() Examples
The following are 27
code examples of volatility.obj.Pointer().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.obj
, or try the search function
.
.
Example #1
| Source File: pidhashtable.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def _walk_upid(self, upid):
while upid:
pid = self.get_obj(upid.obj_offset, "pid", "numbers")
for task in self._task_for_pid(upid, pid):
yield task
if type(upid.pid_chain) == obj.Pointer:
pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
else:
pid_chain = upid.pid_chain
if not pid_chain:
break
upid = self.get_obj(pid_chain.next, "upid", "pid_chain")
Example #2
| Source File: pidhashtable.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def _walk_upid(self, upid):
while upid:
pid = self.get_obj(upid.obj_offset, "pid", "numbers")
for task in self._task_for_pid(upid, pid):
yield task
if type(upid.pid_chain) == obj.Pointer:
pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
else:
pid_chain = upid.pid_chain
if not pid_chain:
break
upid = self.get_obj(pid_chain.next, "upid", "pid_chain")
Example #3
| Source File: pidhashtable.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def _walk_upid(self, upid):
while upid:
pid = self.get_obj(upid.obj_offset, "pid", "numbers")
for task in self._task_for_pid(upid, pid):
yield task
if type(upid.pid_chain) == obj.Pointer:
pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
else:
pid_chain = upid.pid_chain
if not pid_chain:
break
upid = self.get_obj(pid_chain.next, "upid", "pid_chain")
Example #4
| Source File: pidhashtable.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def _walk_upid(self, upid):
while upid:
pid = self.get_obj(upid.obj_offset, "pid", "numbers")
for task in self._task_for_pid(upid, pid):
yield task
if type(upid.pid_chain) == obj.Pointer:
pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
else:
pid_chain = upid.pid_chain
if not pid_chain:
break
upid = self.get_obj(pid_chain.next, "upid", "pid_chain")
Example #5
| Source File: pidhashtable.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def _walk_upid(self, upid):
seen = set()
while upid and upid.is_valid() and upid.v() not in seen:
seen.add(upid.v())
pid = self.get_obj(upid.obj_offset, "pid", "numbers")
for task in self._task_for_pid(upid, pid):
yield task
if type(upid.pid_chain) == obj.Pointer:
pid_chain = obj.Object("hlist_node", offset = upid.pid_chain.obj_offset, vm = self.addr_space)
else:
pid_chain = upid.pid_chain
if not pid_chain:
break
upid = self.get_obj(pid_chain.next, "upid", "pid_chain")
Example #6
| Source File: check_sysctl.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def _process_sysctl_list(self, sysctl_list, r = 0):
if type(sysctl_list) == obj.Pointer:
sysctl_list = sysctl_list.dereference_as("sysctl_oid_list")
sysctl = sysctl_list.slh_first
# skip the head entry if new list (recursive call)
if r:
sysctl = sysctl.oid_link.sle_next
while sysctl and sysctl.is_valid():
name = sysctl.oid_name.dereference()
if len(name) == 0:
break
name = str(name)
ctltype = sysctl.get_ctltype()
if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid():
val = self._parse_global_variable_sysctls(name)
elif ctltype == 'CTLTYPE_NODE':
if sysctl.oid_handler == 0:
for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1):
yield info
val = "Node"
elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']:
val = sysctl.oid_arg1.dereference()
elif ctltype == 'CTLTYPE_STRING':
## FIXME: can we do this without get_string?
val = common.get_string(sysctl.oid_arg1, self.addr_space)
else:
val = ctltype
yield (sysctl, name, val)
sysctl = sysctl.oid_link.sle_next
Example #7
| Source File: check_sysctl.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def _process_sysctl_list(self, sysctl_list, r = 0):
if type(sysctl_list) == obj.Pointer:
sysctl_list = sysctl_list.dereference_as("sysctl_oid_list")
sysctl = sysctl_list.slh_first
# skip the head entry if new list (recursive call)
if r:
sysctl = sysctl.oid_link.sle_next
while sysctl and sysctl.is_valid():
name = sysctl.oid_name.dereference()
if len(name) == 0:
break
name = str(name)
ctltype = sysctl.get_ctltype()
if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid():
val = self._parse_global_variable_sysctls(name)
elif ctltype == 'CTLTYPE_NODE':
if sysctl.oid_handler == 0:
for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1):
yield info
val = "Node"
elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']:
val = sysctl.oid_arg1.dereference()
elif ctltype == 'CTLTYPE_STRING':
## FIXME: can we do this without get_string?
val = common.get_string(sysctl.oid_arg1, self.addr_space)
else:
val = ctltype
yield (sysctl, name, val)
sysctl = sysctl.oid_link.sle_next
Example #8
| Source File: windows64.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def modification(self, profile):
profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, {
'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]],
}
]})
profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]
profile.merge_overlay({'_DBGKD_GET_VERSION64' : [ None, {
'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]],
}]})
# In some auto-generated vtypes, the DTB is an array of 2 unsigned longs
# (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
# in windows.windows_overlay which sets the DTB to a single unsigned long,
# but we do not want that bleeding through to the x64 profiles. Instead we
# want the x64 DTB to be a single unsigned long long.
profile.merge_overlay({'_KPROCESS' : [ None, {
'DirectoryTableBase' : [ None, ['unsigned long long']],
}]})
# Note: the following method of profile modification is strongly discouraged
#
# Nasty hack because pointer64 has a special structure,
# and therefore can't just be instantiated in object_classes
# using profile.object_classes.update({'pointer64': obj.Pointer})
profile._list_to_type = Pointer64Decorator(profile._list_to_type)
Example #9
| Source File: pidhashtable.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def calculate_v3(self):
self.seen_tasks = {}
pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space)
pidhash_size = 1 << pidhash_shift
pidhash_addr = self.addr_space.profile.get_symbol("pid_hash")
pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)
# pidhash is an array of hlist_heads
pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)
for hlist in pidhash:
# each entry in the hlist is a upid which is wrapped in a pid
ent = hlist.first
while ent.v():
upid = self.get_obj(ent.obj_offset, "upid", "pid_chain")
for task in self._walk_upid(upid):
if not task.obj_offset in self.seen_tasks:
self.seen_tasks[task.obj_offset] = 1
if task.is_valid_task():
yield task
ent = ent.m("next")
# the following functions exist because crash has handlers for them
# but I was unable to find a profile/kernel that needed them (maybe too old or just a one-off distro kernel
# if someone actually triggers this message, I can quickly add in the support as I will have a sample to test again
Example #10
| Source File: slab_info.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def _get_nodelist(self):
ent = self.nodelists
if type(ent) == obj.Pointer:
ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm)
elif type(ent) == obj.Array:
ret = ent[0]
else:
debug.error("Unknown nodelists types. %s" % type(ent))
return ret
Example #11
| Source File: slab_info.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def _get_nodelist(self):
ent = self.nodelists
if type(ent) == obj.Pointer:
ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm)
elif type(ent) == obj.Array:
ret = ent[0]
else:
debug.error("Unknown nodelists types. %s" % type(ent))
return ret
Example #12
| Source File: check_sysctl.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def _process_sysctl_list(self, sysctl_list, r = 0):
if type(sysctl_list) == obj.Pointer:
sysctl_list = sysctl_list.dereference_as("sysctl_oid_list")
sysctl = sysctl_list.slh_first
# skip the head entry if new list (recursive call)
if r:
sysctl = sysctl.oid_link.sle_next
while sysctl and sysctl.is_valid():
name = sysctl.oid_name.dereference()
if len(name) == 0:
break
name = str(name)
ctltype = sysctl.get_ctltype()
if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid():
val = self._parse_global_variable_sysctls(name)
elif ctltype == 'CTLTYPE_NODE':
if sysctl.oid_handler == 0:
for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1):
yield info
val = "Node"
elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']:
val = sysctl.oid_arg1.dereference()
elif ctltype == 'CTLTYPE_STRING':
## FIXME: can we do this without get_string?
val = common.get_string(sysctl.oid_arg1, self.addr_space)
else:
val = ctltype
yield (sysctl, name, val)
sysctl = sysctl.oid_link.sle_next
Example #13
| Source File: windows64.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def modification(self, profile):
profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, {
'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]],
}
]})
profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]
profile.merge_overlay({'_DBGKD_GET_VERSION64' : [ None, {
'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]],
}]})
# In some auto-generated vtypes, the DTB is an array of 2 unsigned longs
# (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
# in windows.windows_overlay which sets the DTB to a single unsigned long,
# but we do not want that bleeding through to the x64 profiles. Instead we
# want the x64 DTB to be a single unsigned long long.
profile.merge_overlay({'_KPROCESS' : [ None, {
'DirectoryTableBase' : [ None, ['unsigned long long']],
}]})
# Note: the following method of profile modification is strongly discouraged
#
# Nasty hack because pointer64 has a special structure,
# and therefore can't just be instantiated in object_classes
# using profile.object_classes.update({'pointer64': obj.Pointer})
profile._list_to_type = Pointer64Decorator(profile._list_to_type)
Example #14
| Source File: pidhashtable.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def calculate_v3(self):
self.seen_tasks = {}
pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space)
pidhash_size = 1 << pidhash_shift
pidhash_addr = self.addr_space.profile.get_symbol("pid_hash")
pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)
# pidhash is an array of hlist_heads
pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)
for hlist in pidhash:
# each entry in the hlist is a upid which is wrapped in a pid
ent = hlist.first
while ent.v():
upid = self.get_obj(ent.obj_offset, "upid", "pid_chain")
for task in self._walk_upid(upid):
if not task.obj_offset in self.seen_tasks:
self.seen_tasks[task.obj_offset] = 1
if task.is_valid_task():
yield task
ent = ent.m("next")
# the following functions exist because crash has handlers for them
# but I was unable to find a profile/kernel that needed them (maybe too old or just a one-off distro kernel
# if someone actually triggers this message, I can quickly add in the support as I will have a sample to test again
Example #15
| Source File: pidhashtable.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def _get_pidhash_array(self):
pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space)
pidhash_size = 1 << pidhash_shift
pidhash_addr = self.addr_space.profile.get_symbol("pid_hash")
pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)
# pidhash is an array of hlist_heads
pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)
return pidhash
Example #16
| Source File: slab_info.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def _get_nodelist(self):
ent = self.nodelists
if type(ent) == obj.Pointer:
ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm)
elif type(ent) == obj.Array:
ret = ent[0]
else:
debug.error("Unknown nodelists types. %s" % type(ent))
return ret
Example #17
| Source File: slab_info.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def _get_nodelist(self):
ent = self.nodelists
if type(ent) == obj.Pointer:
ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm)
elif type(ent) == obj.Array:
ret = ent[0]
else:
debug.error("Unknown nodelists types. %s" % type(ent))
return ret
Example #18
| Source File: windows64.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def modification(self, profile):
profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, {
'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]],
}
]})
profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]
profile.merge_overlay({'_DBGKD_GET_VERSION64' : [ None, {
'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]],
}]})
# In some auto-generated vtypes, the DTB is an array of 2 unsigned longs
# (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
# in windows.windows_overlay which sets the DTB to a single unsigned long,
# but we do not want that bleeding through to the x64 profiles. Instead we
# want the x64 DTB to be a single unsigned long long.
profile.merge_overlay({'_KPROCESS' : [ None, {
'DirectoryTableBase' : [ None, ['unsigned long long']],
}]})
# Note: the following method of profile modification is strongly discouraged
#
# Nasty hack because pointer64 has a special structure,
# and therefore can't just be instantiated in object_classes
# using profile.object_classes.update({'pointer64': obj.Pointer})
profile._list_to_type = Pointer64Decorator(profile._list_to_type)
Example #19
| Source File: pidhashtable.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def calculate_v3(self):
self.seen_tasks = {}
pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space)
pidhash_size = 1 << pidhash_shift
pidhash_addr = self.addr_space.profile.get_symbol("pid_hash")
pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)
# pidhash is an array of hlist_heads
pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)
for hlist in pidhash:
# each entry in the hlist is a upid which is wrapped in a pid
ent = hlist.first
while ent.v():
upid = self.get_obj(ent.obj_offset, "upid", "pid_chain")
for task in self._walk_upid(upid):
if not task.obj_offset in self.seen_tasks:
self.seen_tasks[task.obj_offset] = 1
if task.is_valid_task():
yield task
ent = ent.m("next")
# the following functions exist because crash has handlers for them
# but I was unable to find a profile/kernel that needed them (maybe too old or just a one-off distro kernel
# if someone actually triggers this message, I can quickly add in the support as I will have a sample to test again
Example #20
| Source File: pidhashtable.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate_v2(self):
poff = self.addr_space.profile.get_obj_offset("task_struct", "pids")
pidhash = self._get_pidhash_array()
for p in pidhash:
if p.v() == 0:
continue
ptr = obj.Object("Pointer", offset = p.v(), vm = self.addr_space)
if ptr.v() == 0:
continue
pidl = obj.Object("pid_link", offset = ptr.v(), vm = self.addr_space)
nexth = pidl.pid
if not nexth.is_valid():
continue
nexth = obj.Object("task_struct", offset = nexth - poff, vm = self.addr_space)
while 1:
if not pidl:
break
yield nexth
pidl = pidl.node.m("next").dereference_as("pid_link")
nexth = pidl.pid
if not nexth.is_valid():
break
nexth = obj.Object("task_struct", offset = nexth - poff, vm = self.addr_space)
Example #21
| Source File: slab_info.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def _get_nodelist(self):
ent = self.nodelists
if type(ent) == obj.Pointer:
ret = obj.Object("kmem_list3", offset = ent.dereference(), vm = self.obj_vm)
elif type(ent) == obj.Array:
ret = ent[0]
else:
debug.error("Unknown nodelists types. %s" % type(ent))
return ret
Example #22
| Source File: check_sysctl.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def _process_sysctl_list(self, sysctl_list, r = 0):
if type(sysctl_list) == obj.Pointer:
sysctl_list = sysctl_list.dereference_as("sysctl_oid_list")
sysctl = sysctl_list.slh_first
# skip the head entry if new list (recursive call)
if r:
sysctl = sysctl.oid_link.sle_next
while sysctl and sysctl.is_valid():
name = sysctl.oid_name.dereference()
if len(name) == 0:
break
name = str(name)
ctltype = sysctl.get_ctltype()
if sysctl.oid_arg1 == 0 or not sysctl.oid_arg1.is_valid():
val = self._parse_global_variable_sysctls(name)
elif ctltype == 'CTLTYPE_NODE':
if sysctl.oid_handler == 0:
for info in self._process_sysctl_list(sysctl.oid_arg1, r = 1):
yield info
val = "Node"
elif ctltype in ['CTLTYPE_INT', 'CTLTYPE_QUAD', 'CTLTYPE_OPAQUE']:
val = sysctl.oid_arg1.dereference()
elif ctltype == 'CTLTYPE_STRING':
## FIXME: can we do this without get_string?
val = common.get_string(sysctl.oid_arg1, self.addr_space)
else:
val = ctltype
yield (sysctl, name, val)
sysctl = sysctl.oid_link.sle_next
Example #23
| Source File: windows64.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def modification(self, profile):
profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, {
'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]],
}
]})
profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]
profile.merge_overlay({'_DBGKD_GET_VERSION64' : [ None, {
'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]],
}]})
# In some auto-generated vtypes, the DTB is an array of 2 unsigned longs
# (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
# in windows.windows_overlay which sets the DTB to a single unsigned long,
# but we do not want that bleeding through to the x64 profiles. Instead we
# want the x64 DTB to be a single unsigned long long.
profile.merge_overlay({'_KPROCESS' : [ None, {
'DirectoryTableBase' : [ None, ['unsigned long long']],
}]})
# Note: the following method of profile modification is strongly discouraged
#
# Nasty hack because pointer64 has a special structure,
# and therefore can't just be instantiated in object_classes
# using profile.object_classes.update({'pointer64': obj.Pointer})
profile._list_to_type = Pointer64Decorator(profile._list_to_type)
Example #24
| Source File: pidhashtable.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def _get_pidhash_array(self):
pidhash_shift = obj.Object("unsigned int", offset = self.addr_space.profile.get_symbol("pidhash_shift"), vm = self.addr_space)
pidhash_size = 1 << pidhash_shift
pidhash_addr = self.addr_space.profile.get_symbol("pid_hash")
pidhash_ptr = obj.Object("Pointer", offset = pidhash_addr, vm = self.addr_space)
# pidhash is an array of hlist_heads
pidhash = obj.Object(theType = 'Array', offset = pidhash_ptr, vm = self.addr_space, targetType = 'hlist_head', count = pidhash_size)
return pidhash
Example #25
| Source File: windows64.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def modification(self, profile):
profile.merge_overlay({'VOLATILITY_MAGIC': [ 0x0, {
'PoolAlignment': [ 0x0, ['VolatilityMagic', dict(value = 16)] ],
'KUSER_SHARED_DATA': [ 0x0, ['VolatilityMagic', dict(value = 0xFFFFF78000000000)]],
}
]})
profile.vtypes["_IMAGE_NT_HEADERS"] = profile.vtypes["_IMAGE_NT_HEADERS64"]
profile.merge_overlay({'_DBGKD_GET_VERSION64' : [ None, {
'DebuggerDataList' : [ None, ['pointer', ['unsigned long long']]],
}]})
# In some auto-generated vtypes, the DTB is an array of 2 unsigned longs
# (for x86) or an array of 2 unsigned long long (for x64). We have an overlay
# in windows.windows_overlay which sets the DTB to a single unsigned long,
# but we do not want that bleeding through to the x64 profiles. Instead we
# want the x64 DTB to be a single unsigned long long.
profile.merge_overlay({'_KPROCESS' : [ None, {
'DirectoryTableBase' : [ None, ['unsigned long long']],
}]})
# Note: the following method of profile modification is strongly discouraged
#
# Nasty hack because pointer64 has a special structure,
# and therefore can't just be instantiated in object_classes
# using profile.object_classes.update({'pointer64': obj.Pointer})
profile._list_to_type = Pointer64Decorator(profile._list_to_type)
Example #26
| Source File: check_fops.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def _get_name(self, pde, parent):
if type(pde.name) == obj.Pointer:
s = pde.name.dereference_as("String", length = 255)
else:
s = pde.obj_vm.read(pde.name.obj_offset, pde.namelen)
return str(parent + "/" + str(s))
Example #27
| Source File: check_fops.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def check_proc_fop(self, f_op_members, modules):
proc_mnt_addr = self.addr_space.profile.get_symbol("proc_mnt")
if proc_mnt_addr:
proc_mnt_ptr = obj.Object("Pointer", offset = proc_mnt_addr, vm = self.addr_space)
proc_mnts = [proc_mnt_ptr.dereference_as("vfsmount")]
else:
proc_mnts = []
seen_pids = {}
if self.addr_space.profile.obj_has_member("nsproxy", "pid_ns"):
ns_member = "pid_ns"
else:
ns_member = "pid_ns_for_children"
for task in self.tasks:
nsp = task.nsproxy
pidns = nsp.m(ns_member)
if pidns.v() in seen_pids:
continue
seen_pids[pidns.v()] = 1
proc_mnts.append(pidns.proc_mnt)
for proc_mnt in proc_mnts:
root = proc_mnt.mnt_root
for (hooked_member, hook_address) in self.verify_ops(root.d_inode.i_fop, f_op_members, modules):
yield ("proc_mnt: root: %x" % root.v(), hooked_member, hook_address)
# only check the root directory
if self.addr_space.profile.obj_has_member("dentry", "d_child"):
walk_member = "d_child"
else:
walk_member = "d_u"
for dentry in root.d_subdirs.list_of_type("dentry", walk_member):
name = dentry.d_name.name.dereference_as("String", length = 255)
for (hooked_member, hook_address) in self.verify_ops(dentry.d_inode.i_fop, f_op_members, modules):
yield("proc_mnt: {0:x}:{1}".format(root.v(), name), hooked_member, hook_address)
