Python volatility.obj.Array() Examples
The following are 30 code examples of volatility.obj.Array().
Example #1
Source File: linux.py From vortessence with GNU General Public License v2.0 | 6 votes |
def lsof(self):
    """Yield ``(file object, fd number)`` for each populated descriptor slot.

    Overlays the array returned by ``self.files.get_fds()`` as
    ``self.files.get_max_fds()`` pointers and yields every non-null slot,
    in ascending index order, as a ``file`` object plus its index.

    The slot count is read from the memory image. It is treated as
    untrusted: an implausibly large value is taken as corruption and the
    generator finishes without yielding anything.
    """
    fd_table = self.files.get_fds()
    fd_count = self.files.get_max_fds()
    fd_ptrs = obj.Object(theType='Array', offset=fd_table.obj_offset, vm=self.obj_vm,
                         targetType='Pointer', count=fd_count)
    # Sanity bound on the image-supplied count: a corrupt files_struct must
    # not turn this into a multi-million-iteration walk.
    if fd_count > 500000:
        return
    for fd_num in range(fd_count):
        filp_ptr = fd_ptrs[fd_num]
        if not filp_ptr:
            continue
        yield obj.Object('file', offset=filp_ptr, vm=self.obj_vm), fd_num
Example #2
Source File: linux.py From volatility with GNU General Public License v2.0 | 6 votes |
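def get_symbols(self):
    """Return ``(name, value)`` tuples for every named entry of the symbol table.

    Chooses ``elf64_sym`` or ``elf32_sym`` from the profile's ``arch``
    metadata, overlays an Array of ``self.num_symtab + 1`` entries at
    ``self.symtab`` and resolves each ``st_name`` against ``self.strtab``.
    Names are read as a 64-byte window and cut at the first NUL, so a
    longer name is truncated; entries whose name cannot be read or is
    empty are skipped.
    """
    symbols = []
    arch = self.obj_vm.profile.metadata.get('arch').lower()
    sym_type = "elf64_sym" if arch == 'x64' else "elf32_sym"
    sym_table = obj.Object(theType="Array", targetType=sym_type, offset=self.symtab,
                           count=self.num_symtab + 1, vm=self.obj_vm)
    for sym in sym_table:
        raw_name = self.obj_vm.read(self.strtab + sym.st_name, 64)
        if not raw_name:
            continue
        # str.find() yields -1 when no terminator falls inside the 64-byte
        # window. The original str.index() call raised ValueError in that
        # case, so one long or unterminated name aborted the whole walk.
        nul = raw_name.find("\x00")
        if nul != -1:
            raw_name = raw_name[:nul]
        if raw_name != "":
            symbols.append((str(raw_name), sym.st_value.v()))
    return symbols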
Example #3
Source File: linux.py From vortessence with GNU General Public License v2.0 | 6 votes |
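def get_symbols(self):
    """Return ``(name, value)`` tuples for every named entry of the symbol table.

    Chooses ``elf64_sym`` or ``elf32_sym`` from the profile's ``arch``
    metadata, overlays an Array of ``self.num_symtab + 1`` entries at
    ``self.symtab`` and resolves each ``st_name`` against ``self.strtab``.
    Names are read as a 64-byte window and cut at the first NUL, so a
    longer name is truncated; entries whose name cannot be read or is
    empty are skipped.
    """
    symbols = []
    arch = self.obj_vm.profile.metadata.get('arch').lower()
    sym_type = "elf64_sym" if arch == 'x64' else "elf32_sym"
    sym_table = obj.Object(theType="Array", targetType=sym_type, offset=self.symtab,
                           count=self.num_symtab + 1, vm=self.obj_vm)
    for sym in sym_table:
        raw_name = self.obj_vm.read(self.strtab + sym.st_name, 64)
        if not raw_name:
            continue
        # str.find() yields -1 when no terminator falls inside the 64-byte
        # window. The original str.index() call raised ValueError in that
        # case, so one long or unterminated name aborted the whole walk.
        nul = raw_name.find("\x00")
        if nul != -1:
            raw_name = raw_name[:nul]
        if raw_name != "":
            symbols.append((str(raw_name), sym.st_value.v()))
    return symbols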
Example #4
Source File: linux.py From aumfor with GNU General Public License v3.0 | 6 votes |
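def get_symbols(self):
    """Return ``(name, value)`` tuples for every named entry of the symbol table.

    Chooses ``elf64_sym`` or ``elf32_sym`` from the profile's ``arch``
    metadata, overlays an Array of ``self.num_symtab + 1`` entries at
    ``self.symtab`` and resolves each ``st_name`` against ``self.strtab``.
    Names are read as a 64-byte window and cut at the first NUL, so a
    longer name is truncated; entries whose name cannot be read or is
    empty are skipped.
    """
    symbols = []
    arch = self.obj_vm.profile.metadata.get('arch').lower()
    sym_type = "elf64_sym" if arch == 'x64' else "elf32_sym"
    sym_table = obj.Object(theType="Array", targetType=sym_type, offset=self.symtab,
                           count=self.num_symtab + 1, vm=self.obj_vm)
    for sym in sym_table:
        raw_name = self.obj_vm.read(self.strtab + sym.st_name, 64)
        if not raw_name:
            continue
        # str.find() yields -1 when no terminator falls inside the 64-byte
        # window. The original str.index() call raised ValueError in that
        # case, so one long or unterminated name aborted the whole walk.
        nul = raw_name.find("\x00")
        if nul != -1:
            raw_name = raw_name[:nul]
        if raw_name != "":
            symbols.append((str(raw_name), sym.st_value.v()))
    return symbols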
Example #5
Source File: linux.py From aumfor with GNU General Public License v3.0 | 6 votes |
def lsof(self):
    """Yield ``(file object, fd number)`` for each populated descriptor slot.

    Overlays the array returned by ``self.files.get_fds()`` as
    ``self.files.get_max_fds()`` pointers and yields every non-null slot,
    in ascending index order, as a ``file`` object plus its index.

    The slot count is read from the memory image. It is treated as
    untrusted: an implausibly large value is taken as corruption and the
    generator finishes without yielding anything.
    """
    fd_table = self.files.get_fds()
    fd_count = self.files.get_max_fds()
    fd_ptrs = obj.Object(theType='Array', offset=fd_table.obj_offset, vm=self.obj_vm,
                         targetType='Pointer', count=fd_count)
    # Sanity bound on the image-supplied count: a corrupt files_struct must
    # not turn this into a multi-million-iteration walk.
    if fd_count > 500000:
        return
    for fd_num in range(fd_count):
        filp_ptr = fd_ptrs[fd_num]
        if not filp_ptr:
            continue
        yield obj.Object('file', offset=filp_ptr, vm=self.obj_vm), fd_num
Example #6
Source File: linux.py From DAMM with GNU General Public License v2.0 | 6 votes |
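def get_symbols(self):
    """Return ``(name, value)`` tuples for every named entry of the symbol table.

    Chooses ``elf64_sym`` or ``elf32_sym`` from the profile's ``arch``
    metadata, overlays an Array of ``self.num_symtab + 1`` entries at
    ``self.symtab`` and resolves each ``st_name`` against ``self.strtab``.
    Names are read as a 64-byte window and cut at the first NUL, so a
    longer name is truncated; entries whose name cannot be read or is
    empty are skipped.
    """
    symbols = []
    arch = self.obj_vm.profile.metadata.get('arch').lower()
    sym_type = "elf64_sym" if arch == 'x64' else "elf32_sym"
    sym_table = obj.Object(theType="Array", targetType=sym_type, offset=self.symtab,
                           count=self.num_symtab + 1, vm=self.obj_vm)
    for sym in sym_table:
        raw_name = self.obj_vm.read(self.strtab + sym.st_name, 64)
        if not raw_name:
            continue
        # str.find() yields -1 when no terminator falls inside the 64-byte
        # window. The original str.index() call raised ValueError in that
        # case, so one long or unterminated name aborted the whole walk.
        nul = raw_name.find("\x00")
        if nul != -1:
            raw_name = raw_name[:nul]
        if raw_name != "":
            symbols.append((str(raw_name), sym.st_value.v()))
    return symbols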
Example #7
Source File: linux.py From volatility with GNU General Public License v2.0 | 6 votes |
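def get_symbols(self):
    """Return ``(name, value)`` tuples for every named entry of the symbol table.

    Chooses ``elf64_sym`` or ``elf32_sym`` from the profile's ``arch``
    metadata, overlays an Array of ``self.num_symtab + 1`` entries at
    ``self.symtab`` and resolves each ``st_name`` against ``self.strtab``.
    Names are read as a 64-byte window and cut at the first NUL, so a
    longer name is truncated; entries whose name cannot be read or is
    empty are skipped.
    """
    symbols = []
    arch = self.obj_vm.profile.metadata.get('arch').lower()
    sym_type = "elf64_sym" if arch == 'x64' else "elf32_sym"
    sym_table = obj.Object(theType="Array", targetType=sym_type, offset=self.symtab,
                           count=self.num_symtab + 1, vm=self.obj_vm)
    for sym in sym_table:
        raw_name = self.obj_vm.read(self.strtab + sym.st_name, 64)
        if not raw_name:
            continue
        # str.find() yields -1 when no terminator falls inside the 64-byte
        # window. The original str.index() call raised ValueError in that
        # case, so one long or unterminated name aborted the whole walk.
        nul = raw_name.find("\x00")
        if nul != -1:
            raw_name = raw_name[:nul]
        if raw_name != "":
            symbols.append((str(raw_name), sym.st_value.v()))
    return symbols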
Example #8
Source File: linux.py From volatility with GNU General Public License v2.0 | 6 votes |
def lsof(self):
    """Yield ``(file object, fd number)`` for each populated descriptor slot.

    Overlays the array returned by ``self.files.get_fds()`` as
    ``self.files.get_max_fds()`` pointers and yields every non-null slot,
    in ascending index order, as a ``file`` object plus its index.

    The slot count is read from the memory image. It is treated as
    untrusted: an implausibly large value is taken as corruption and the
    generator finishes without yielding anything.
    """
    fd_table = self.files.get_fds()
    fd_count = self.files.get_max_fds()
    fd_ptrs = obj.Object(theType='Array', offset=fd_table.obj_offset, vm=self.obj_vm,
                         targetType='Pointer', count=fd_count)
    # Sanity bound on the image-supplied count: a corrupt files_struct must
    # not turn this into a multi-million-iteration walk.
    if fd_count > 500000:
        return
    for fd_num in range(fd_count):
        filp_ptr = fd_ptrs[fd_num]
        if not filp_ptr:
            continue
        yield obj.Object('file', offset=filp_ptr, vm=self.obj_vm), fd_num
Example #9
Source File: linux.py From DAMM with GNU General Public License v2.0 | 5 votes |
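def lsof(self):
    """Yield ``(file object, fd number)`` for each populated descriptor slot.

    Overlays the array returned by ``self.files.get_fds()`` as
    ``self.files.get_max_fds()`` pointers and yields every non-null slot,
    in ascending index order, as a ``file`` object plus its index.

    The slot count is read from the memory image and is therefore
    untrusted. An implausibly large value is taken as corruption and the
    generator finishes without yielding anything, instead of walking
    millions of bogus slots.
    """
    fd_table = self.files.get_fds()
    fd_count = self.files.get_max_fds()
    fd_ptrs = obj.Object(theType='Array', offset=fd_table.obj_offset, vm=self.obj_vm,
                         targetType='Pointer', count=fd_count)
    # Sanity bound on the image-supplied count: without it a corrupt
    # files_struct drives an unbounded walk of the fd array.
    if fd_count > 500000:
        return
    for fd_num in range(fd_count):
        filp_ptr = fd_ptrs[fd_num]
        if not filp_ptr:
            continue
        yield obj.Object('file', offset=filp_ptr, vm=self.obj_vm), fd_num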
Example #10
Source File: slab_info.py From DAMM with GNU General Public License v2.0 | 5 votes |
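def __iter__(self):
    """Yield the objects held by this cache's slabs, selected by ``self.unalloc``.

    With ``self.unalloc`` false, every slot of each full slab is yielded;
    with it true, every slot of each free slab is. Partial slabs are
    processed in both modes: the slab's bufctl free chain is walked to mark
    the unallocated slots, and only the slots whose mark equals
    ``self.unalloc`` are yielded. Objects are built by ``self._get_object``
    at ``s_mem + index * buffer_size``.

    The free chain comes from the memory image, so the walk stops on the
    terminator, on an out-of-range index, and on an index that was already
    marked -- the last guard keeps a corrupt or cyclic chain from hanging
    the iteration.
    """
    if not self.unalloc:
        for slab in self._get_full_list():
            for slot in range(self.num):
                yield self._get_object(slab.s_mem.v() + slot * self.buffer_size)
    for slab in self._get_partial_list():
        # Both forms are kept: self.num may be a framework value for which
        # truthiness and "== 0" are not interchangeable.
        if not self.num or self.num == 0:
            return
        bufctl = obj.Object("Array", offset=slab.v() + slab.size(), vm=self.obj_vm,
                            parent=self.obj_parent, targetType="unsigned int", count=self.num)
        unallocated = [0] * self.num
        free_idx = slab.free
        while free_idx != 0xFFFFFFFF:
            # A revisited index means the chain loops; stop rather than spin.
            if free_idx >= self.num or unallocated[free_idx]:
                break
            unallocated[free_idx] = 1
            free_idx = bufctl[free_idx]
        for slot in range(self.num):
            if unallocated[slot] == self.unalloc:
                yield self._get_object(slab.s_mem.v() + slot * self.buffer_size)
    if self.unalloc:
        for slab in self._get_free_list():
            for slot in range(self.num):
                yield self._get_object(slab.s_mem.v() + slot * self.buffer_size)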
Example #11
Source File: linux.py From DAMM with GNU General Public License v2.0 | 5 votes |
def sect_name(self):
    """Return this section's name as a Python ``str``.

    When the ``name`` member is an Array it is read in place as a 32-byte
    String; any other type is dereferenced as a String of up to 255 bytes.
    """
    name_member = self.m("name")
    if type(name_member) == obj.Array:
        name_str = obj.Object("String", offset=name_member.obj_offset, vm=self.obj_vm, length=32)
    else:
        name_str = self.name.dereference_as("String", length=255)
    return str(name_str)
Example #12
Source File: linux.py From DAMM with GNU General Public License v2.0 | 5 votes |
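def _get_sect_count(self, grp):
    """Count the pointers in ``grp.attrs`` up to the first null entry.

    ``grp.attrs`` is read as an array of at most ``max_attrs`` pointers;
    the result is the index of the first null slot, or ``max_attrs`` when
    every slot is populated. Bounding the walk by the array's own length
    means an attribute list that is not null-terminated in the image
    (corruption or an unexpected layout) can no longer drive the index
    past the declared array.
    """
    max_attrs = 25
    attr_ptrs = obj.Object(theType='Array', offset=grp.attrs, vm=self.obj_vm,
                           targetType='Pointer', count=max_attrs)
    count = 0
    while count < max_attrs and attr_ptrs[count]:
        count += 1
    return count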
Example #13
Source File: linux.py From DAMM with GNU General Public License v2.0 | 5 votes |
def get_sections(self):
    """Yield each ``module_sect_attr`` of this module's section attributes.

    The section count is ``sect_attrs.nsections`` when that member exists
    in the profile; otherwise it is derived from the attribute group via
    ``_get_sect_count``.
    """
    sect_attrs = self.sect_attrs
    if hasattr(sect_attrs, "nsections"):
        sect_total = sect_attrs.nsections
    else:
        sect_total = self._get_sect_count(sect_attrs.grp)
    sect_array = obj.Object(theType='Array', offset=sect_attrs.attrs.obj_offset,
                            vm=self.obj_vm, targetType='module_sect_attr', count=sect_total)
    for sect_attr in sect_array:
        yield sect_attr
Example #14
Source File: linux.py From DAMM with GNU General Public License v2.0 | 5 votes |
def bash_hash_entries(self):
    """Yield populated ``bucket_contents`` entries from this process's bash hash table.

    Scans the process heap for the little-endian dword 0x40, overlays a
    ``_bash_hash_table`` so that its ``nbuckets`` member lands on each hit,
    and for every table that validates walks 64 bucket chains. A chain is
    followed while the entry has ``times_found > 0`` and valid ``data`` and
    ``key``; entries whose ``data.path`` is valid and whose ``data.flags``
    is in 0..2 are yielded. Returns early, after a debug message, when no
    heap VMA is found.
    """
    nbuckets_off = self.obj_vm.profile.get_obj_offset("_bash_hash_table", "nbuckets")
    # Kept as "== None": find_heap_vma() may hand back a framework None-like
    # object rather than None itself. NOTE(review): confirm before using "is".
    if self.find_heap_vma() == None:
        debug.debug("Unable to find heap for pid %d" % self.pid)
        return
    proc_as = self.get_process_address_space()
    # 0x40 == 64, the bucket count the scan anchors on (presumably nbuckets).
    for hit in self.search_process_memory(["\x40\x00\x00\x00"], heap_only=True):
        htable = obj.Object("_bash_hash_table", offset=hit - nbuckets_off, vm=proc_as)
        if not htable.is_valid():
            continue
        buckets = obj.Object(theType="Array", targetType="Pointer", offset=htable.bucket_array,
                             vm=htable.nbuckets.obj_vm, count=64)
        for bucket_ptr in buckets:
            entry = bucket_ptr.dereference_as("bucket_contents")
            # NOTE(review): termination depends on the image's times_found and
            # is_valid() values; a cyclic chain in a corrupt heap is not detected.
            while entry.times_found > 0 and entry.data.is_valid() and entry.key.is_valid():
                data = entry.data
                if data.path.is_valid() and (0 <= data.flags <= 2):
                    yield entry
                entry = entry.next
Example #15
Source File: linux.py From volatility with GNU General Public License v2.0 | 5 votes |
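def lsof(self):
    """Yield ``(file object, fd number)`` for each populated descriptor slot.

    Overlays the array returned by ``self.files.get_fds()`` as
    ``self.files.get_max_fds()`` pointers and yields every non-null slot,
    in ascending index order, as a ``file`` object plus its index.

    The slot count is read from the memory image and is therefore
    untrusted. An implausibly large value is taken as corruption and the
    generator finishes without yielding anything, instead of walking
    millions of bogus slots.
    """
    fd_table = self.files.get_fds()
    fd_count = self.files.get_max_fds()
    fd_ptrs = obj.Object(theType='Array', offset=fd_table.obj_offset, vm=self.obj_vm,
                         targetType='Pointer', count=fd_count)
    # Sanity bound on the image-supplied count: without it a corrupt
    # files_struct drives an unbounded walk of the fd array.
    if fd_count > 500000:
        return
    for fd_num in range(fd_count):
        filp_ptr = fd_ptrs[fd_num]
        if not filp_ptr:
            continue
        yield obj.Object('file', offset=filp_ptr, vm=self.obj_vm), fd_num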
Example #16
Source File: slab_info.py From volatility with GNU General Public License v2.0 | 5 votes |
def _get_nodelist(self):
    """Return the ``kmem_list3`` behind this cache's ``nodelists`` member.

    A Pointer is dereferenced and overlaid as ``kmem_list3``; an Array
    yields its first element. Any other type is reported through
    ``debug.error``. NOTE(review): if ``debug.error`` ever returns instead
    of aborting, the final ``return`` hits an unbound local.
    """
    nodelists = self.nodelists
    nodelists_type = type(nodelists)
    if nodelists_type == obj.Array:
        kmem_list = nodelists[0]
    elif nodelists_type == obj.Pointer:
        kmem_list = obj.Object("kmem_list3", offset=nodelists.dereference(), vm=self.obj_vm)
    else:
        debug.error("Unknown nodelists types. %s" % nodelists_type)
    return kmem_list
Example #17
Source File: slab_info.py From volatility with GNU General Public License v2.0 | 5 votes |
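def __iter__(self):
    """Yield the objects held by this cache's slabs, selected by ``self.unalloc``.

    With ``self.unalloc`` false, every slot of each full slab is yielded;
    with it true, every slot of each free slab is. Partial slabs are
    processed in both modes: the slab's bufctl free chain is walked to mark
    the unallocated slots, and only the slots whose mark equals
    ``self.unalloc`` are yielded. Objects are built by ``self._get_object``
    at ``s_mem + index * buffer_size``.

    The free chain comes from the memory image, so the walk stops on the
    terminator, on an out-of-range index, and on an index that was already
    marked -- the last guard keeps a corrupt or cyclic chain from hanging
    the iteration.
    """
    if not self.unalloc:
        for slab in self._get_full_list():
            for slot in range(self.num):
                yield self._get_object(slab.s_mem.v() + slot * self.buffer_size)
    for slab in self._get_partial_list():
        # Both forms are kept: self.num may be a framework value for which
        # truthiness and "== 0" are not interchangeable.
        if not self.num or self.num == 0:
            return
        bufctl = obj.Object("Array", offset=slab.v() + slab.size(), vm=self.obj_vm,
                            parent=self.obj_parent, targetType="unsigned int", count=self.num)
        unallocated = [0] * self.num
        free_idx = slab.free
        while free_idx != 0xFFFFFFFF:
            # A revisited index means the chain loops; stop rather than spin.
            if free_idx >= self.num or unallocated[free_idx]:
                break
            unallocated[free_idx] = 1
            free_idx = bufctl[free_idx]
        for slot in range(self.num):
            if unallocated[slot] == self.unalloc:
                yield self._get_object(slab.s_mem.v() + slot * self.buffer_size)
    if self.unalloc:
        for slab in self._get_free_list():
            for slot in range(self.num):
                yield self._get_object(slab.s_mem.v() + slot * self.buffer_size)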
Example #18
Source File: linux.py From volatility with GNU General Public License v2.0 | 5 votes |
def sect_name(self):
    """Return this section's name as a Python ``str``.

    When the ``name`` member is an Array it is read in place as a 32-byte
    String; any other type is dereferenced as a String of up to 255 bytes.
    """
    name_member = self.m("name")
    if type(name_member) == obj.Array:
        name_str = obj.Object("String", offset=name_member.obj_offset, vm=self.obj_vm, length=32)
    else:
        name_str = self.name.dereference_as("String", length=255)
    return str(name_str)
Example #19
Source File: linux.py From volatility with GNU General Public License v2.0 | 5 votes |
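def _get_sect_count(self, grp):
    """Count the pointers in ``grp.attrs`` up to the first null entry.

    ``grp.attrs`` is read as an array of at most ``max_attrs`` pointers;
    the result is the index of the first null slot, or ``max_attrs`` when
    every slot is populated. Bounding the walk by the array's own length
    means an attribute list that is not null-terminated in the image
    (corruption or an unexpected layout) can no longer drive the index
    past the declared array.
    """
    max_attrs = 25
    attr_ptrs = obj.Object(theType='Array', offset=grp.attrs, vm=self.obj_vm,
                           targetType='Pointer', count=max_attrs)
    count = 0
    while count < max_attrs and attr_ptrs[count]:
        count += 1
    return count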
Example #20
Source File: linux.py From volatility with GNU General Public License v2.0 | 5 votes |
def get_sections(self):
    """Yield each ``module_sect_attr`` of this module's section attributes.

    The section count is ``sect_attrs.nsections`` when that member exists
    in the profile; otherwise it is derived from the attribute group via
    ``_get_sect_count``.
    """
    sect_attrs = self.sect_attrs
    if hasattr(sect_attrs, "nsections"):
        sect_total = sect_attrs.nsections
    else:
        sect_total = self._get_sect_count(sect_attrs.grp)
    sect_array = obj.Object(theType='Array', offset=sect_attrs.attrs.obj_offset,
                            vm=self.obj_vm, targetType='module_sect_attr', count=sect_total)
    for sect_attr in sect_array:
        yield sect_attr
Example #21
Source File: linux.py From volatility with GNU General Public License v2.0 | 5 votes |
def bash_hash_entries(self):
    """Yield populated ``bucket_contents`` entries from this process's bash hash table.

    Scans the process heap for the little-endian dword 0x40, overlays a
    ``_bash_hash_table`` so that its ``nbuckets`` member lands on each hit,
    and for every table that validates walks 64 bucket chains. A chain is
    followed while the entry has ``times_found > 0`` and valid ``data`` and
    ``key``; entries whose ``data.path`` is valid and whose ``data.flags``
    is in 0..2 are yielded. Returns early, after a debug message, when no
    heap VMA is found.
    """
    nbuckets_off = self.obj_vm.profile.get_obj_offset("_bash_hash_table", "nbuckets")
    # Kept as "== None": find_heap_vma() may hand back a framework None-like
    # object rather than None itself. NOTE(review): confirm before using "is".
    if self.find_heap_vma() == None:
        debug.debug("Unable to find heap for pid %d" % self.pid)
        return
    proc_as = self.get_process_address_space()
    # 0x40 == 64, the bucket count the scan anchors on (presumably nbuckets).
    for hit in self.search_process_memory(["\x40\x00\x00\x00"], heap_only=True):
        htable = obj.Object("_bash_hash_table", offset=hit - nbuckets_off, vm=proc_as)
        if not htable.is_valid():
            continue
        buckets = obj.Object(theType="Array", targetType="Pointer", offset=htable.bucket_array,
                             vm=htable.nbuckets.obj_vm, count=64)
        for bucket_ptr in buckets:
            entry = bucket_ptr.dereference_as("bucket_contents")
            # NOTE(review): termination depends on the image's times_found and
            # is_valid() values; a cyclic chain in a corrupt heap is not detected.
            while entry.times_found > 0 and entry.data.is_valid() and entry.key.is_valid():
                data = entry.data
                if data.path.is_valid() and (0 <= data.flags <= 2):
                    yield entry
                entry = entry.next
Example #22
Source File: slab_info.py From aumfor with GNU General Public License v3.0 | 5 votes |
def _get_nodelist(self):
    """Return the ``kmem_list3`` behind this cache's ``nodelists`` member.

    A Pointer is dereferenced and overlaid as ``kmem_list3``; an Array
    yields its first element. Any other type is reported through
    ``debug.error``. NOTE(review): if ``debug.error`` ever returns instead
    of aborting, the final ``return`` hits an unbound local.
    """
    nodelists = self.nodelists
    nodelists_type = type(nodelists)
    if nodelists_type == obj.Array:
        kmem_list = nodelists[0]
    elif nodelists_type == obj.Pointer:
        kmem_list = obj.Object("kmem_list3", offset=nodelists.dereference(), vm=self.obj_vm)
    else:
        debug.error("Unknown nodelists types. %s" % nodelists_type)
    return kmem_list
Example #23
Source File: slab_info.py From DAMM with GNU General Public License v2.0 | 5 votes |
def _get_nodelist(self):
    """Return the ``kmem_list3`` behind this cache's ``nodelists`` member.

    A Pointer is dereferenced and overlaid as ``kmem_list3``; an Array
    yields its first element. Any other type is reported through
    ``debug.error``. NOTE(review): if ``debug.error`` ever returns instead
    of aborting, the final ``return`` hits an unbound local.
    """
    nodelists = self.nodelists
    nodelists_type = type(nodelists)
    if nodelists_type == obj.Array:
        kmem_list = nodelists[0]
    elif nodelists_type == obj.Pointer:
        kmem_list = obj.Object("kmem_list3", offset=nodelists.dereference(), vm=self.obj_vm)
    else:
        debug.error("Unknown nodelists types. %s" % nodelists_type)
    return kmem_list
Example #24
Source File: linux.py From vortessence with GNU General Public License v2.0 | 5 votes |
def bash_hash_entries(self):
    """Yield populated ``bucket_contents`` entries from this process's bash hash table.

    Scans the process heap for the little-endian dword 0x40, overlays a
    ``_bash_hash_table`` so that its ``nbuckets`` member lands on each hit,
    and for every table that validates walks 64 bucket chains. A chain is
    followed while the entry has ``times_found > 0`` and valid ``data`` and
    ``key``; entries whose ``data.path`` is valid and whose ``data.flags``
    is in 0..2 are yielded. Returns early, after a debug message, when no
    heap VMA is found.
    """
    nbuckets_off = self.obj_vm.profile.get_obj_offset("_bash_hash_table", "nbuckets")
    # Kept as "== None": find_heap_vma() may hand back a framework None-like
    # object rather than None itself. NOTE(review): confirm before using "is".
    if self.find_heap_vma() == None:
        debug.debug("Unable to find heap for pid %d" % self.pid)
        return
    proc_as = self.get_process_address_space()
    # 0x40 == 64, the bucket count the scan anchors on (presumably nbuckets).
    for hit in self.search_process_memory(["\x40\x00\x00\x00"], heap_only=True):
        htable = obj.Object("_bash_hash_table", offset=hit - nbuckets_off, vm=proc_as)
        if not htable.is_valid():
            continue
        buckets = obj.Object(theType="Array", targetType="Pointer", offset=htable.bucket_array,
                             vm=htable.nbuckets.obj_vm, count=64)
        for bucket_ptr in buckets:
            entry = bucket_ptr.dereference_as("bucket_contents")
            # NOTE(review): termination depends on the image's times_found and
            # is_valid() values; a cyclic chain in a corrupt heap is not detected.
            while entry.times_found > 0 and entry.data.is_valid() and entry.key.is_valid():
                data = entry.data
                if data.path.is_valid() and (0 <= data.flags <= 2):
                    yield entry
                entry = entry.next
Example #25
Source File: linux.py From vortessence with GNU General Public License v2.0 | 5 votes |
def get_sections(self):
    """Yield each ``module_sect_attr`` of this module's section attributes.

    The section count is ``sect_attrs.nsections`` when that member exists
    in the profile; otherwise it is derived from the attribute group via
    ``_get_sect_count``.
    """
    sect_attrs = self.sect_attrs
    if hasattr(sect_attrs, "nsections"):
        sect_total = sect_attrs.nsections
    else:
        sect_total = self._get_sect_count(sect_attrs.grp)
    sect_array = obj.Object(theType='Array', offset=sect_attrs.attrs.obj_offset,
                            vm=self.obj_vm, targetType='module_sect_attr', count=sect_total)
    for sect_attr in sect_array:
        yield sect_attr
Example #26
Source File: linux.py From vortessence with GNU General Public License v2.0 | 5 votes |
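def _get_sect_count(self, grp):
    """Count the pointers in ``grp.attrs`` up to the first null entry.

    ``grp.attrs`` is read as an array of at most ``max_attrs`` pointers;
    the result is the index of the first null slot, or ``max_attrs`` when
    every slot is populated. Bounding the walk by the array's own length
    means an attribute list that is not null-terminated in the image
    (corruption or an unexpected layout) can no longer drive the index
    past the declared array.
    """
    max_attrs = 25
    attr_ptrs = obj.Object(theType='Array', offset=grp.attrs, vm=self.obj_vm,
                           targetType='Pointer', count=max_attrs)
    count = 0
    while count < max_attrs and attr_ptrs[count]:
        count += 1
    return count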
Example #27
Source File: linux.py From vortessence with GNU General Public License v2.0 | 5 votes |
def sect_name(self):
    """Return this section's name as a Python ``str``.

    When the ``name`` member is an Array it is read in place as a 32-byte
    String; any other type is dereferenced as a String of up to 255 bytes.
    """
    name_member = self.m("name")
    if type(name_member) == obj.Array:
        name_str = obj.Object("String", offset=name_member.obj_offset, vm=self.obj_vm, length=32)
    else:
        name_str = self.name.dereference_as("String", length=255)
    return str(name_str)
Example #28
Source File: slab_info.py From vortessence with GNU General Public License v2.0 | 5 votes |
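def __iter__(self):
    """Yield the objects held by this cache's slabs, selected by ``self.unalloc``.

    With ``self.unalloc`` false, every slot of each full slab is yielded;
    with it true, every slot of each free slab is. Partial slabs are
    processed in both modes: the slab's bufctl free chain is walked to mark
    the unallocated slots, and only the slots whose mark equals
    ``self.unalloc`` are yielded. Objects are built by ``self._get_object``
    at ``s_mem + index * buffer_size``.

    The free chain comes from the memory image, so the walk stops on the
    terminator, on an out-of-range index, and on an index that was already
    marked -- the last guard keeps a corrupt or cyclic chain from hanging
    the iteration.
    """
    if not self.unalloc:
        for slab in self._get_full_list():
            for slot in range(self.num):
                yield self._get_object(slab.s_mem.v() + slot * self.buffer_size)
    for slab in self._get_partial_list():
        # Both forms are kept: self.num may be a framework value for which
        # truthiness and "== 0" are not interchangeable.
        if not self.num or self.num == 0:
            return
        bufctl = obj.Object("Array", offset=slab.v() + slab.size(), vm=self.obj_vm,
                            parent=self.obj_parent, targetType="unsigned int", count=self.num)
        unallocated = [0] * self.num
        free_idx = slab.free
        while free_idx != 0xFFFFFFFF:
            # A revisited index means the chain loops; stop rather than spin.
            if free_idx >= self.num or unallocated[free_idx]:
                break
            unallocated[free_idx] = 1
            free_idx = bufctl[free_idx]
        for slot in range(self.num):
            if unallocated[slot] == self.unalloc:
                yield self._get_object(slab.s_mem.v() + slot * self.buffer_size)
    if self.unalloc:
        for slab in self._get_free_list():
            for slot in range(self.num):
                yield self._get_object(slab.s_mem.v() + slot * self.buffer_size)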
Example #29
Source File: slab_info.py From vortessence with GNU General Public License v2.0 | 5 votes |
def _get_nodelist(self):
    """Return the ``kmem_list3`` behind this cache's ``nodelists`` member.

    A Pointer is dereferenced and overlaid as ``kmem_list3``; an Array
    yields its first element. Any other type is reported through
    ``debug.error``. NOTE(review): if ``debug.error`` ever returns instead
    of aborting, the final ``return`` hits an unbound local.
    """
    nodelists = self.nodelists
    nodelists_type = type(nodelists)
    if nodelists_type == obj.Array:
        kmem_list = nodelists[0]
    elif nodelists_type == obj.Pointer:
        kmem_list = obj.Object("kmem_list3", offset=nodelists.dereference(), vm=self.obj_vm)
    else:
        debug.error("Unknown nodelists types. %s" % nodelists_type)
    return kmem_list
Example #30
Source File: linux.py From volatility with GNU General Public License v2.0 | 5 votes |
def get_sections(self):
    """Yield each ``module_sect_attr`` of this module's section attributes.

    The section count is ``sect_attrs.nsections`` when that member exists
    in the profile; otherwise it is derived from the attribute group via
    ``_get_sect_count``.
    """
    sect_attrs = self.sect_attrs
    if hasattr(sect_attrs, "nsections"):
        sect_total = sect_attrs.nsections
    else:
        sect_total = self._get_sect_count(sect_attrs.grp)
    sect_array = obj.Object(theType='Array', offset=sect_attrs.attrs.obj_offset,
                            vm=self.obj_vm, targetType='module_sect_attr', count=sect_total)
    for sect_attr in sect_array:
        yield sect_attr