Python volatility.obj.Profile() Examples
The following are 30
code examples of volatility.obj.Profile().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.obj
, or try the search function
.
.
Example #1
| Source File: addrspace.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def _set_profile(self, profile_name):
## Load the required profile
if profile_name == None:
raise ASAssertionError, "You must set a profile!"
if profile_name in PROFILES:
ret = PROFILES[profile_name]
else:
profs = registry.get_plugin_classes(obj.Profile)
if profile_name in profs:
ret = profs[profile_name]()
PROFILES[profile_name] = ret
else:
raise ASAssertionError, "Invalid profile " + profile_name + " selected"
if not self.is_valid_profile(ret):
raise ASAssertionError, "Incompatible profile " + profile_name + " selected"
return ret
Example #2
| Source File: vol_interface.py From VolUtility with GNU General Public License v3.0 | 6 votes |
|
def list_plugins(self):
"""
list of plugins valid for the selected profile
:return:
"""
plugin_list = []
cmds = registry.get_plugin_classes(commands.Command, lower=True)
profs = registry.get_plugin_classes(obj.Profile)
profile_type = self.config.PROFILE
if profile_type not in profs:
print "Not a valid profile"
profile = profs[profile_type]()
for cmdname in sorted(cmds):
command = cmds[cmdname]
helpline = command.help() or ''
if command.is_valid_profile(profile):
plugin_list.append([cmdname, helpline])
return plugin_list
Example #3
| Source File: addrspace.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def _set_profile(self, profile_name):
## Load the required profile
if profile_name == None:
raise ASAssertionError, "You must set a profile!"
if profile_name in PROFILES:
ret = PROFILES[profile_name]
else:
profs = registry.get_plugin_classes(obj.Profile)
if profile_name in profs:
ret = profs[profile_name]()
PROFILES[profile_name] = ret
else:
raise ASAssertionError, "Invalid profile " + profile_name + " selected"
if not self.is_valid_profile(ret):
raise ASAssertionError, "Incompatible profile " + profile_name + " selected"
return ret
Example #4
| Source File: addrspace.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def _set_profile(self, profile_name):
## Load the required profile
if profile_name == None:
raise ASAssertionError, "You must set a profile!"
if profile_name in PROFILES:
ret = PROFILES[profile_name]
else:
profs = registry.get_plugin_classes(obj.Profile)
if profile_name in profs:
ret = profs[profile_name]()
PROFILES[profile_name] = ret
else:
raise ASAssertionError, "Invalid profile " + profile_name + " selected"
if not self.is_valid_profile(ret):
raise ASAssertionError, "Incompatible profile " + profile_name + " selected"
return ret
Example #5
| Source File: addrspace.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def _set_profile(self, profile_name):
## Load the required profile
if profile_name == None:
raise ASAssertionError, "You must set a profile!"
if profile_name in PROFILES:
ret = PROFILES[profile_name]
else:
profs = registry.get_plugin_classes(obj.Profile)
if profile_name in profs:
ret = profs[profile_name]()
PROFILES[profile_name] = ret
else:
raise ASAssertionError, "Invalid profile " + profile_name + " selected"
if not self.is_valid_profile(ret):
raise ASAssertionError, "Incompatible profile " + profile_name + " selected"
return ret
Example #6
| Source File: vol.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def print_info():
""" Returns the results """
categories = {addrspace.BaseAddressSpace: 'Address Spaces',
commands.Command : 'Plugins',
obj.Profile: 'Profiles',
scan.ScannerCheck: 'Scanner Checks'}
for c, n in sorted(categories.items()):
lower = (c == commands.Command)
plugins = registry.get_plugin_classes(c, lower = lower)
print "\n"
print "{0}".format(n)
print "-" * len(n)
result = []
max_length = 0
for clsname, cls in sorted(plugins.items()):
try:
doc = cls.__doc__.strip().splitlines()[0]
except AttributeError:
doc = 'No docs'
result.append((clsname, doc))
max_length = max(len(clsname), max_length)
for (name, doc) in result:
print "{0:{2}} - {1:15}".format(name, doc, max_length)
Example #7
| Source File: addrspace.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def _set_profile(self, profile_name):
## Load the required profile
if profile_name == None:
raise ASAssertionError, "You must set a profile!"
if profile_name in PROFILES:
ret = PROFILES[profile_name]
else:
profs = registry.get_plugin_classes(obj.Profile)
if profile_name in profs:
ret = profs[profile_name]()
PROFILES[profile_name] = ret
else:
raise ASAssertionError, "Invalid profile " + profile_name + " selected"
if not self.is_valid_profile(ret):
raise ASAssertionError, "Incompatible profile " + profile_name + " selected"
return ret
Example #8
| Source File: vol.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def print_info():
""" Returns the results """
categories = {addrspace.BaseAddressSpace: 'Address Spaces',
commands.Command : 'Plugins',
obj.Profile: 'Profiles',
scan.ScannerCheck: 'Scanner Checks'}
for c, n in sorted(categories.items()):
lower = (c == commands.Command)
plugins = registry.get_plugin_classes(c, lower = lower)
print "\n"
print "{0}".format(n)
print "-" * len(n)
result = []
max_length = 0
for clsname, cls in sorted(plugins.items()):
try:
doc = cls.__doc__.strip().splitlines()[0]
except AttributeError:
doc = 'No docs'
result.append((clsname, doc))
max_length = max(len(clsname), max_length)
for (name, doc) in result:
print "{0:{2}} - {1:15}".format(name, doc, max_length)
Example #9
| Source File: win8_kdbg.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def unique_sizes(self):
items = registry.get_plugin_classes(obj.Profile).items()
sizes = set()
for name, cls in items:
if (cls._md_os != "windows" or cls._md_memory_model != "64bit"):
continue
#if (cls._md_major, cls._md_minor) < (6, 2):
# continue
conf = copy.deepcopy(self.obj_vm.get_config())
conf.PROFILE = name
buff = addrspace.BufferAddressSpace(config = conf)
header = obj.VolMagic(buff).KDBGHeader.v()
# this unpacks the kdbgsize from the signature
size = struct.unpack("<H", header[-2:])[0]
sizes.add(size)
return sizes
Example #10
| Source File: addrspace.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def check_valid_profile(option, _opt_str, value, parser):
"""Checks to make sure the selected profile is valid"""
# PROFILES may not have been created yet,
# but the callback should get called once it has
# during the final parse of the config options
profs = registry.get_plugin_classes(obj.Profile)
if profs:
try:
profs[value]
except KeyError:
debug.error("Invalid profile " + value + " selected")
setattr(parser.values, option.dest, value)
Example #11
| Source File: addrspace.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def check_valid_profile(option, _opt_str, value, parser):
"""Checks to make sure the selected profile is valid"""
# PROFILES may not have been created yet,
# but the callback should get called once it has
# during the final parse of the config options
profs = registry.get_plugin_classes(obj.Profile)
if profs:
try:
profs[value]
except KeyError:
debug.error("Invalid profile " + value + " selected")
setattr(parser.values, option.dest, value)
Example #12
| Source File: vol_interface.py From VolUtility with GNU General Public License v3.0 | 5 votes |
|
def profile_list(self):
"""
return a list of profiles
:return: list
"""
prof_list = []
profs = registry.get_plugin_classes(obj.Profile)
for profile in profs.iterkeys():
prof_list.append(profile)
return sorted(prof_list)
Example #13
| Source File: vol_interface.py From VolUtility with GNU General Public License v3.0 | 5 votes |
|
def profile_list():
"""
Return a list of available Profiles
:return:
"""
prof_list = ['AutoDetect']
profs = registry.get_plugin_classes(obj.Profile)
for profile in profs.iterkeys():
prof_list.append(profile)
return sorted(prof_list)
Example #14
| Source File: vol.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def list_plugins():
result = "\n\tSupported Plugin Commands:\n\n"
cmds = registry.get_plugin_classes(commands.Command, lower = True)
profs = registry.get_plugin_classes(obj.Profile)
if config.PROFILE == None:
config.update("PROFILE", "WinXPSP2x86")
if config.PROFILE not in profs:
raise BaseException("Invalid profile " + config.PROFILE + " selected")
profile = profs[config.PROFILE]()
wrongprofile = ""
for cmdname in sorted(cmds):
command = cmds[cmdname]
helpline = command.help() or ''
## Just put the title line (First non empty line) in this
## abbreviated display
for line in helpline.splitlines():
if line:
helpline = line
break
if command.is_valid_profile(profile):
result += "\t\t{0:15}\t{1}\n".format(cmdname, helpline)
else:
wrongprofile += "\t\t{0:15}\t{1}\n".format(cmdname, helpline)
if wrongprofile and config.VERBOSE:
result += "\n\tPlugins requiring a different profile:\n\n"
result += wrongprofile
return result
Example #15
| Source File: commands.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def execute(self):
""" Executes the plugin command."""
# Check we can support the plugins
profs = registry.get_plugin_classes(obj.Profile)
# force user to give a profile if a plugin
# other than kdbgscan or imageinfo are given:
if self.__class__.__name__.lower() in ["kdbgscan", "imageinfo"] and self._config.PROFILE == None:
self._config.update("PROFILE", "WinXPSP2x86")
elif self._config.PROFILE == None:
debug.error("You must set a profile!")
if self._config.PROFILE not in profs:
debug.error("Invalid profile " + self._config.PROFILE + " selected")
if not self.is_valid_profile(profs[self._config.PROFILE]()):
debug.error("This command does not support the profile " + self._config.PROFILE)
# # Executing plugins is done in two stages - first we calculate
data = self.calculate()
## Then we render the result in some way based on the
## requested output mode:
function_name = "render_{0}".format(self._config.OUTPUT)
if self._config.OUTPUT_FILE:
outfd = open(self._config.OUTPUT_FILE, 'w')
# TODO: We should probably check that this won't blat over an existing file
else:
outfd = sys.stdout
try:
func = getattr(self, function_name)
except AttributeError:
## Try to find out what formats are supported
result = []
for x in dir(self):
if x.startswith("render_"):
_a, b = x.split("_", 1)
result.append(b)
print "Plugin {0} is unable to produce output in format {1}. Supported formats are {2}. Please send a feature request".format(self.__class__.__name__, self._config.OUTPUT, result)
return
func(outfd, data)
Example #16
| Source File: addrspace.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def check_valid_profile(option, _opt_str, value, parser):
"""Checks to make sure the selected profile is valid"""
# PROFILES may not have been created yet,
# but the callback should get called once it has
# during the final parse of the config options
profs = registry.get_plugin_classes(obj.Profile)
if profs:
try:
profs[value]
except KeyError:
debug.error("Invalid profile " + value + " selected")
setattr(parser.values, option.dest, value)
Example #17
| Source File: volsetup.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def guess_profile(self, memimg):
'''
Using one of the user-specified memory image files, try to guess a
working Volatility profile. This can easily take on the order of
minutes.
@memimg: a memory image file name
@return: the guessed Volatiltiy profile string
'''
sys.stderr.write("Auto configuring profile. This may take a some time.\n")
self.set_memimg(memimg)
# Must set a dummy profile or volatility dies
self.set_profile('WinXPSP2x86')
chosen = None
profilelist = [p.__name__ for p in registry.get_plugin_classes(obj.Profile).values()]
for profile in profilelist:
self.config.update('profile', profile)
addr_space = utils.load_as(self.config, astype='any')
if hasattr(addr_space, "dtb"):
chosen = profile
break
return chosen
Example #18
| Source File: commands.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def execute(self):
""" Executes the plugin command."""
# Check we can support the plugins
profs = registry.get_plugin_classes(obj.Profile)
# force user to give a profile if a plugin
# other than kdbgscan or imageinfo are given:
if self.__class__.__name__.lower() in ["kdbgscan", "imageinfo"] and self._config.PROFILE == None:
self._config.update("PROFILE", "WinXPSP2x86")
elif self._config.PROFILE == None:
debug.error("You must set a profile!")
if self._config.PROFILE not in profs:
debug.error("Invalid profile " + self._config.PROFILE + " selected")
if not self.is_valid_profile(profs[self._config.PROFILE]()):
debug.error("This command does not support the profile " + self._config.PROFILE)
# # Executing plugins is done in two stages - first we calculate
data = self.calculate()
## Then we render the result in some way based on the
## requested output mode:
function_name = "render_{0}".format(self._config.OUTPUT)
if self._config.OUTPUT_FILE:
outfd = open(self._config.OUTPUT_FILE, 'w')
# TODO: We should probably check that this won't blat over an existing file
else:
outfd = sys.stdout
try:
func = getattr(self, function_name)
except AttributeError:
## Try to find out what formats are supported
result = []
for x in dir(self):
if x.startswith("render_"):
_a, b = x.split("_", 1)
result.append(b)
print "Plugin {0} is unable to produce output in format {1}. Supported formats are {2}. Please send a feature request".format(self.__class__.__name__, self._config.OUTPUT, result)
return
func(outfd, data)
Example #19
| Source File: addrspace.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def check_valid_profile(option, _opt_str, value, parser):
"""Checks to make sure the selected profile is valid"""
# PROFILES may not have been created yet,
# but the callback should get called once it has
# during the final parse of the config options
profs = registry.get_plugin_classes(obj.Profile)
if profs:
try:
profs[value]
except KeyError:
debug.error("Invalid profile " + value + " selected")
setattr(parser.values, option.dest, value)
Example #20
| Source File: vol.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def list_plugins():
result = "\n\tSupported Plugin Commands:\n\n"
cmds = registry.get_plugin_classes(commands.Command, lower = True)
profs = registry.get_plugin_classes(obj.Profile)
if config.PROFILE == None:
config.update("PROFILE", "WinXPSP2x86")
if config.PROFILE not in profs:
raise BaseException("Invalid profile " + config.PROFILE + " selected")
profile = profs[config.PROFILE]()
wrongprofile = ""
for cmdname in sorted(cmds):
command = cmds[cmdname]
helpline = command.help() or ''
## Just put the title line (First non empty line) in this
## abbreviated display
for line in helpline.splitlines():
if line:
helpline = line
break
if command.is_valid_profile(profile):
result += "\t\t{0:15}\t{1}\n".format(cmdname, helpline)
else:
wrongprofile += "\t\t{0:15}\t{1}\n".format(cmdname, helpline)
if wrongprofile and config.VERBOSE:
result += "\n\tPlugins requiring a different profile:\n\n"
result += wrongprofile
return result
Example #21
| Source File: addrspace.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def check_valid_profile(option, _opt_str, value, parser):
"""Checks to make sure the selected profile is valid"""
# PROFILES may not have been created yet,
# but the callback should get called once it has
# during the final parse of the config options
profs = registry.get_plugin_classes(obj.Profile)
if profs:
try:
profs[value]
except KeyError:
debug.error("Invalid profile " + value + " selected")
setattr(parser.values, option.dest, value)
Example #22
| Source File: windows64.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def modification(self, profile):
profiles = registry.get_plugin_classes(obj.Profile)
meta = profile.metadata
# find the equivalent 32-bit profile to this 64-bit profile.
# the prof._md_build + 1 accounts for a poor decision we made
# a while back where we added + 1 to the build number for
# server-based profiles as a method to distinguish between
# client vs server in a plugin.
profile_32bit = None
for prof in profiles.values():
if (prof._md_os == "windows" and
prof._md_major == meta.get("major") and
prof._md_minor == meta.get("minor") and
((prof._md_build == meta.get("build")) or (prof._md_build + 1 == meta.get("build"))) and
prof._md_memory_model == "32bit"):
profile_32bit = prof()
break
if profile_32bit == None:
debug.warning("Cannot find a 32-bit equivalent profile. The "\
"WoW64 plugins (dlllist, ldrmodules, etc) may not work.")
return
profile.vtypes.update({
"_PEB32_LDR_DATA": self.cast_as_32bit(profile_32bit.vtypes["_PEB_LDR_DATA"]),
"_LDR32_DATA_TABLE_ENTRY": self.cast_as_32bit(profile_32bit.vtypes["_LDR_DATA_TABLE_ENTRY"]),
'_UNICODE32_STRING': self.cast_as_32bit(profile_32bit.vtypes["_UNICODE_STRING"]),
})
profile.object_classes.update({
"_LDR32_DATA_TABLE_ENTRY": pe_vtypes._LDR_DATA_TABLE_ENTRY,
"_UNICODE32_STRING": windows._UNICODE_STRING,
"LIST_ENTRY32": LIST_ENTRY32,
})
profile.merge_overlay({
'_PEB32': [None, {
'Ldr': [None, ['pointer32', ['_PEB32_LDR_DATA']]],
}]})
Example #23
| Source File: kdbgscan.py From DAMM with GNU General Public License v2.0 | 4 votes |
|
def calculate(self):
"""Determines the address space"""
profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]
encrypted_kdbg_profiles = []
proflens = {}
maxlen = 0
origprofile = self._config.PROFILE
for p in profilelist:
self._config.update('PROFILE', p)
buf = addrspace.BufferAddressSpace(self._config)
if buf.profile.metadata.get('os', 'unknown') == 'windows':
proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
maxlen = max(maxlen, len(proflens[p]))
if (buf.profile.metadata.get('memory_model', '64bit') == '64bit' and
(buf.profile.metadata.get('major', 0),
buf.profile.metadata.get('minor', 0)) >= (6, 2)):
encrypted_kdbg_profiles.append(p)
self._config.update('PROFILE', origprofile)
# keep track of the number of potential KDBGs we find
count = 0
if origprofile not in encrypted_kdbg_profiles:
scanner = KDBGScanner(needles = proflens.values())
aspace = utils.load_as(self._config, astype = 'any')
for offset in scanner.scan(aspace):
val = aspace.read(offset, maxlen + 0x10)
for l in proflens:
if val.find(proflens[l]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
yield l, kdbg
count += 1
# only perform the special win8/2012 scan if we didn't find
# any others and if a virtual x64 address space is available
if count == 0:
if origprofile in encrypted_kdbg_profiles:
encrypted_kdbg_profiles = [origprofile]
for profile in encrypted_kdbg_profiles:
self._config.update('PROFILE', profile)
aspace = utils.load_as(self._config, astype = 'any')
if hasattr(aspace, 'vtop'):
for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
yield profile, kdbg
Example #24
| Source File: kdbgscan.py From vortessence with GNU General Public License v2.0 | 4 votes |
|
def calculate(self):
"""Determines the address space"""
profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]
encrypted_kdbg_profiles = []
proflens = {}
maxlen = 0
origprofile = self._config.PROFILE
for p in profilelist:
self._config.update('PROFILE', p)
buf = addrspace.BufferAddressSpace(self._config)
if buf.profile.metadata.get('os', 'unknown') == 'windows':
proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
maxlen = max(maxlen, len(proflens[p]))
if (buf.profile.metadata.get('memory_model', '64bit') == '64bit' and
(buf.profile.metadata.get('major', 0),
buf.profile.metadata.get('minor', 0)) >= (6, 2)):
encrypted_kdbg_profiles.append(p)
self._config.update('PROFILE', origprofile)
# keep track of the number of potential KDBGs we find
count = 0
if origprofile not in encrypted_kdbg_profiles:
scanner = KDBGScanner(needles = proflens.values())
aspace = utils.load_as(self._config, astype = 'any')
for offset in scanner.scan(aspace):
val = aspace.read(offset, maxlen + 0x10)
for l in proflens:
if val.find(proflens[l]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
yield l, kdbg
count += 1
# only perform the special win8/2012 scan if we didn't find
# any others and if a virtual x64 address space is available
if count == 0:
if origprofile in encrypted_kdbg_profiles:
encrypted_kdbg_profiles = [origprofile]
for profile in encrypted_kdbg_profiles:
self._config.update('PROFILE', profile)
aspace = utils.load_as(self._config, astype = 'any')
if hasattr(aspace, 'vtop'):
for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
yield profile, kdbg
Example #25
| Source File: commands.py From vortessence with GNU General Public License v2.0 | 4 votes |
|
def execute(self):
""" Executes the plugin command."""
# Check we can support the plugins
profs = registry.get_plugin_classes(obj.Profile)
# force user to give a profile if a plugin
# other than kdbgscan or imageinfo are given:
if self.__class__.__name__.lower() in ["kdbgscan", "imageinfo"] and self._config.PROFILE == None:
self._config.update("PROFILE", "WinXPSP2x86")
elif self._config.PROFILE == None:
debug.error("You must set a profile!")
if self._config.PROFILE not in profs:
debug.error("Invalid profile " + self._config.PROFILE + " selected")
if not self.is_valid_profile(profs[self._config.PROFILE]()):
debug.error("This command does not support the profile " + self._config.PROFILE)
# # Executing plugins is done in two stages - first we calculate
data = self.calculate()
## Then we render the result in some way based on the
## requested output mode:
function_name = "render_{0}".format(self._config.OUTPUT)
if self._config.OUTPUT_FILE:
if os.path.exists(self._config.OUTPUT_FILE):
debug.error("File " + self._config.OUTPUT_FILE + " already exists. Cowardly refusing to overwrite it...")
outfd = open(self._config.OUTPUT_FILE, 'wb')
# TODO: We should probably check that this won't blat over an existing file
else:
outfd = sys.stdout
try:
func = getattr(self, function_name)
except AttributeError:
## Try to find out what formats are supported
result = []
for x in dir(self):
if x.startswith("render_"):
_a, b = x.split("_", 1)
result.append(b)
print "Plugin {0} is unable to produce output in format {1}. Supported formats are {2}. Please send a feature request".format(self.__class__.__name__, self._config.OUTPUT, result)
return
func(outfd, data)
Example #26
| Source File: commands.py From aumfor with GNU General Public License v3.0 | 4 votes |
|
def execute(self):
""" Executes the plugin command."""
# Check we can support the plugins
profs = registry.get_plugin_classes(obj.Profile)
# force user to give a profile if a plugin
# other than kdbgscan or imageinfo are given:
plugin_name = self.__class__.__name__.lower()
if plugin_name != "mac_get_profile":
if self._config.PROFILE == None:
if plugin_name in ["kdbgscan", "imageinfo"]:
self._config.update("PROFILE", "WinXPSP2x86")
else:
debug.error("You must set a profile!")
if self._config.PROFILE not in profs:
debug.error("Invalid profile " + self._config.PROFILE + " selected")
if not self.is_valid_profile(profs[self._config.PROFILE]()):
debug.error("This command does not support the profile " + self._config.PROFILE)
# # Executing plugins is done in two stages - first we calculate
data = self.calculate()
## Then we render the result in some way based on the
## requested output mode:
function_name = "render_{0}".format(self._config.OUTPUT)
if not self._config.OUTPUT == "sqlite" and self._config.OUTPUT_FILE:
out_file = '{0}_{1}.txt'.format(time.strftime('%Y%m%d%H%M%S'), plugin_name) if self._config.OUTPUT_FILE == '.' else self._config.OUTPUT_FILE
if os.path.exists(out_file):
debug.error("File " + out_file + " already exists. Cowardly refusing to overwrite it...")
print 'Outputting to: {0}'.format(out_file)
outfd = open(out_file, 'wb')
else:
outfd = sys.stdout
try:
func = getattr(self, function_name)
except AttributeError:
## Try to find out what formats are supported
result = []
for x in dir(self):
if x.startswith("render_"):
_a, b = x.split("_", 1)
result.append(b)
print "Plugin {0} is unable to produce output in format {1}. Supported formats are {2}. Please send a feature request".format(self.__class__.__name__, self._config.OUTPUT, result)
return
func(outfd, data)
Example #27
| Source File: kdbgscan.py From aumfor with GNU General Public License v3.0 | 4 votes |
|
def calculate(self):
"""Determines the address space"""
profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]
encrypted_kdbg_profiles = []
proflens = {}
maxlen = 0
origprofile = self._config.PROFILE
for p in profilelist:
self._config.update('PROFILE', p)
buf = addrspace.BufferAddressSpace(self._config)
if buf.profile.metadata.get('os', 'unknown') == 'windows':
proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
maxlen = max(maxlen, len(proflens[p]))
if (buf.profile.metadata.get('memory_model', '64bit') == '64bit' and
(buf.profile.metadata.get('major', 0),
buf.profile.metadata.get('minor', 0)) >= (6, 2)):
encrypted_kdbg_profiles.append(p)
self._config.update('PROFILE', origprofile)
# keep track of the number of potential KDBGs we find
count = 0
if origprofile not in encrypted_kdbg_profiles:
scanner = KDBGScanner(needles = proflens.values())
aspace = utils.load_as(self._config, astype = 'any')
suspects = []
for offset in scanner.scan(aspace):
val = aspace.read(offset, maxlen + 0x10)
for l in proflens:
if val.find(proflens[l]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
suspects.append((l, kdbg))
count += 1
for p, k in suspects:
if not self._config.FORCE:
yield p, k
continue
self._config.update("PROFILE", p)
nspace = utils.load_as(self._config, astype = "any")
for offset in scanner.scan(nspace):
val = nspace.read(offset, maxlen + 0x10)
if val.find(proflens[p]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = nspace)
yield p, kdbg
self._config.update('PROFILE', origprofile)
# only perform the special win8/2012 scan if we didn't find
# any others and if a virtual x64 address space is available
if count == 0:
if origprofile in encrypted_kdbg_profiles:
encrypted_kdbg_profiles = [origprofile]
for profile in encrypted_kdbg_profiles:
self._config.update('PROFILE', profile)
aspace = utils.load_as(self._config, astype = 'any')
if hasattr(aspace, 'vtop'):
for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
yield profile, kdbg
Example #28
| Source File: kdbgscan.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def calculate(self):
"""Determines the address space"""
profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]
encrypted_kdbg_profiles = []
proflens = {}
maxlen = 0
origprofile = self._config.PROFILE
for p in profilelist:
self._config.update('PROFILE', p)
buf = addrspace.BufferAddressSpace(self._config)
if buf.profile.metadata.get('os', 'unknown') == 'windows':
proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
maxlen = max(maxlen, len(proflens[p]))
if (buf.profile.metadata.get('memory_model', '64bit') == '64bit' and
(buf.profile.metadata.get('major', 0),
buf.profile.metadata.get('minor', 0)) >= (6, 2)):
encrypted_kdbg_profiles.append(p)
self._config.update('PROFILE', origprofile)
# keep track of the number of potential KDBGs we find
count = 0
if origprofile not in encrypted_kdbg_profiles:
scanner = KDBGScanner(needles = proflens.values())
aspace = utils.load_as(self._config, astype = 'any')
for offset in scanner.scan(aspace):
val = aspace.read(offset, maxlen + 0x10)
for l in proflens:
if val.find(proflens[l]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
yield l, kdbg
count += 1
# only perform the special win8/2012 scan if we didn't find
# any others and if a virtual x64 address space is available
if count == 0:
if origprofile in encrypted_kdbg_profiles:
encrypted_kdbg_profiles = [origprofile]
for profile in encrypted_kdbg_profiles:
self._config.update('PROFILE', profile)
aspace = utils.load_as(self._config, astype = 'any')
if hasattr(aspace, 'vtop'):
for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
yield profile, kdbg
Example #29
| Source File: kdbgscan.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def calculate(self):
"""Determines the address space"""
profilelist = [ p.__name__ for p in registry.get_plugin_classes(obj.Profile).values() ]
encrypted_kdbg_profiles = []
proflens = {}
maxlen = 0
origprofile = self._config.PROFILE
for p in profilelist:
self._config.update('PROFILE', p)
buf = addrspace.BufferAddressSpace(self._config)
if buf.profile.metadata.get('os', 'unknown') == 'windows':
proflens[p] = str(obj.VolMagic(buf).KDBGHeader)
maxlen = max(maxlen, len(proflens[p]))
if (buf.profile.metadata.get('memory_model', '64bit') == '64bit' and
(buf.profile.metadata.get('major', 0),
buf.profile.metadata.get('minor', 0)) >= (6, 2)):
encrypted_kdbg_profiles.append(p)
self._config.update('PROFILE', origprofile)
# keep track of the number of potential KDBGs we find
count = 0
if origprofile not in encrypted_kdbg_profiles:
scanner = KDBGScanner(needles = proflens.values())
aspace = utils.load_as(self._config, astype = 'any')
suspects = []
for offset in scanner.scan(aspace):
val = aspace.read(offset, maxlen + 0x10)
for l in proflens:
if val.find(proflens[l]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = aspace)
suspects.append((l, kdbg))
count += 1
for p, k in suspects:
if not self._config.FORCE:
yield p, k
continue
self._config.update("PROFILE", p)
nspace = utils.load_as(self._config, astype = "any")
for offset in scanner.scan(nspace):
val = nspace.read(offset, maxlen + 0x10)
if val.find(proflens[p]) >= 0:
kdbg = obj.Object("_KDDEBUGGER_DATA64", offset = offset, vm = nspace)
yield p, kdbg
self._config.update('PROFILE', origprofile)
# only perform the special win8/2012 scan if we didn't find
# any others and if a virtual x64 address space is available
if count == 0:
if origprofile in encrypted_kdbg_profiles:
encrypted_kdbg_profiles = [origprofile]
for profile in encrypted_kdbg_profiles:
self._config.update('PROFILE', profile)
aspace = utils.load_as(self._config, astype = 'any')
if hasattr(aspace, 'vtop'):
for kdbg in obj.VolMagic(aspace).KDBG.generate_suggestions():
yield profile, kdbg
Example #30
| Source File: commands.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def execute(self):
""" Executes the plugin command."""
# Check we can support the plugins
profs = registry.get_plugin_classes(obj.Profile)
# force user to give a profile if a plugin
# other than kdbgscan or imageinfo are given:
plugin_name = self.__class__.__name__.lower()
if plugin_name != "mac_get_profile":
if self._config.PROFILE == None:
if plugin_name in ["kdbgscan", "imageinfo"]:
self._config.update("PROFILE", "WinXPSP2x86")
else:
debug.error("You must set a profile!")
if self._config.PROFILE not in profs:
debug.error("Invalid profile " + self._config.PROFILE + " selected")
if not self.is_valid_profile(profs[self._config.PROFILE]()):
debug.error("This command does not support the profile " + self._config.PROFILE)
# # Executing plugins is done in two stages - first we calculate
data = self.calculate()
## Then we render the result in some way based on the
## requested output mode:
function_name = "render_{0}".format(self._config.OUTPUT)
if not self._config.OUTPUT == "sqlite" and self._config.OUTPUT_FILE:
out_file = '{0}_{1}.txt'.format(time.strftime('%Y%m%d%H%M%S'), plugin_name) if self._config.OUTPUT_FILE == '.' else self._config.OUTPUT_FILE
if os.path.exists(out_file):
debug.error("File " + out_file + " already exists. Cowardly refusing to overwrite it...")
print 'Outputting to: {0}'.format(out_file)
outfd = open(out_file, 'wb')
else:
outfd = sys.stdout
try:
func = getattr(self, function_name)
except AttributeError:
## Try to find out what formats are supported
result = []
for x in dir(self):
if x.startswith("render_"):
_a, b = x.split("_", 1)
result.append(b)
print "Plugin {0} is unable to produce output in format {1}. Supported formats are {2}. Please send a feature request".format(self.__class__.__name__, self._config.OUTPUT, result)
return
func(outfd, data)
