Python volatility.obj.VolMagic() Examples
The following are 30
code examples of volatility.obj.VolMagic().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.obj
, or try the search function
.
.
Example #1
| Source File: example.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def get_image_time(self, addr_space):
"""Extracts the time and date from the KUSER_SHARED_DATA area"""
# Get the Image Datetime
result = {}
# Create a VOLATILITY_MAGIC object to look up the location of certain constants
# Get the KUSER_SHARED_DATA location
KUSER_SHARED_DATA = obj.VolMagic(addr_space).KUSER_SHARED_DATA.v()
# Create the _KUSER_SHARED_DATA object at the appropriate offset
k = obj.Object("_KUSER_SHARED_DATA",
offset = KUSER_SHARED_DATA,
vm = addr_space)
# Start reading members from it
result['ImageDatetime'] = k.SystemTime
result['ImageTz'] = timefmt.OffsetTzInfo(-k.TimeZoneBias.as_windows_timestamp() / 10000000)
# Return any results we got
return result
Example #2
| Source File: win8_kdbg.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def decode_kdbg(self, vals):
"""Decoder the KDBG block using the provided
magic values and the algorithm reversed from
the Windows kernel file."""
block_encoded, kdbg_block, wait_never, wait_always = vals
header = obj.VolMagic(self.obj_vm).KDBGHeader.v()
kdbg_size = struct.unpack("<H", header[-2:])[0]
buffer = ""
entries = obj.Object("Array",
targetType = "unsigned long long",
count = kdbg_size / 8,
offset = kdbg_block, vm = self.obj_vm)
for entry in entries:
low_byte = (wait_never & 0xFFFFFFFF) & 0xFF
entry = patchguard.rol(entry ^ wait_never, low_byte)
swap_xor = block_encoded.obj_offset | 0xFFFF000000000000
entry = patchguard.bswap(entry ^ swap_xor)
buffer += struct.pack("Q", entry ^ wait_always)
return buffer
Example #3
| Source File: filescan.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __init__(self, address_space):
poolscan.PoolScanner.__init__(self, address_space)
self.struct_name = "_DRIVER_OBJECT"
self.object_type = "Driver"
# due to the placement of the driver extension, we
# use the top down approach instead of bottom-up.
self.use_top_down = True
self.pooltag = obj.VolMagic(address_space).DriverPoolTag.v()
size = 0xf8 # self.address_space.profile.get_obj_size("_DRIVER_OBJECT")
self.checks = [
('CheckPoolSize', dict(condition = lambda x: x >= size)),
('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
('CheckPoolIndex', dict(value = lambda x : x < 5)),
]
Example #4
| Source File: paged.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs):
## We must be stacked on someone else:
self.as_assert(base, "No base Address Space")
addrspace.AbstractVirtualAddressSpace.__init__(self, base, config, *args, **kwargs)
## We can not stack on someone with a dtb
self.as_assert(not (hasattr(base, 'paging_address_space') and base.paging_address_space), "Can not stack over another paging address space")
self.dtb = dtb or self.load_dtb()
# No need to set the base or dtb, it's already been by the inherited class
self.as_assert(self.dtb != None, "No valid DTB found")
if not skip_as_check:
volmag = obj.VolMagic(self)
if hasattr(volmag, self.checkname):
self.as_assert(getattr(volmag, self.checkname).v(), "Failed valid Address Space check")
else:
self.as_assert(False, "Profile does not have valid Address Space check")
# Reserved for future use
#self.pagefile = config.PAGEFILE
self.name = 'Kernel AS'
Example #5
| Source File: paged.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def load_dtb(self):
"""Loads the DTB as quickly as possible from the config, then the base, then searching for it"""
try:
# If the user has manually specified one, then shortcircuit to that one
if self._config.DTB:
raise AttributeError
## Try to be lazy and see if someone else found dtb for
## us:
return self.base.dtb
except AttributeError:
## Ok so we need to find our dtb ourselves:
dtb = obj.VolMagic(self.base).DTB.v()
if dtb:
## Make sure to save dtb for other AS's
## Will this have an effect on following ASes attempts if this fails?
self.base.dtb = dtb
return dtb
Example #6
| Source File: example.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def get_image_time(self, addr_space):
"""Extracts the time and date from the KUSER_SHARED_DATA area"""
# Get the Image Datetime
result = {}
# Create a VOLATILITY_MAGIC object to look up the location of certain constants
# Get the KUSER_SHARED_DATA location
KUSER_SHARED_DATA = obj.VolMagic(addr_space).KUSER_SHARED_DATA.v()
# Create the _KUSER_SHARED_DATA object at the appropriate offset
k = obj.Object("_KUSER_SHARED_DATA",
offset = KUSER_SHARED_DATA,
vm = addr_space)
# Start reading members from it
result['ImageDatetime'] = k.SystemTime
result['ImageTz'] = timefmt.OffsetTzInfo(-k.TimeZoneBias.as_windows_timestamp() / 10000000)
# Return any results we got
return result
Example #7
| Source File: windows.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def get_object_bottom_up(self, struct_name, object_type, skip_type_check):
"""Get the windows object contained within this pool
by using the bottom-up approach to finding the object
"""
if not object_type:
return obj.Object(struct_name, vm = self.obj_vm,
offset = self.obj_offset +
self.obj_vm.profile.get_obj_size("_POOL_HEADER"),
native_vm = self.obj_native_vm)
pool_alignment = obj.VolMagic(self.obj_vm).PoolAlignment.v()
the_object = obj.Object(struct_name, vm = self.obj_vm,
offset = (self.obj_offset + self.BlockSize * pool_alignment -
common.pool_align(self.obj_vm, struct_name, pool_alignment)),
native_vm = self.obj_native_vm)
header = the_object.get_object_header()
if (skip_type_check or
header.get_object_type() == object_type):
return the_object
else:
return obj.NoneObject("Cannot find the object")
Example #8
| Source File: win8_kdbg.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def unique_sizes(self):
items = registry.get_plugin_classes(obj.Profile).items()
sizes = set()
for name, cls in items:
if (cls._md_os != "windows" or cls._md_memory_model != "64bit"):
continue
#if (cls._md_major, cls._md_minor) < (6, 2):
# continue
conf = copy.deepcopy(self.obj_vm.get_config())
conf.PROFILE = name
buff = addrspace.BufferAddressSpace(config = conf)
header = obj.VolMagic(buff).KDBGHeader.v()
# this unpacks the kdbgsize from the signature
size = struct.unpack("<H", header[-2:])[0]
sizes.add(size)
return sizes
Example #9
| Source File: windows.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def get_object_bottom_up(self, struct_name, object_type, skip_type_check):
"""Get the windows object contained within this pool
by using the bottom-up approach to finding the object
"""
if not object_type:
return obj.Object(struct_name, vm = self.obj_vm,
offset = self.obj_offset +
self.obj_vm.profile.get_obj_size("_POOL_HEADER"),
native_vm = self.obj_native_vm)
pool_alignment = obj.VolMagic(self.obj_vm).PoolAlignment.v()
the_object = obj.Object(struct_name, vm = self.obj_vm,
offset = (self.obj_offset + self.BlockSize * pool_alignment -
common.pool_align(self.obj_vm, struct_name, pool_alignment)),
native_vm = self.obj_native_vm)
header = the_object.get_object_header()
if (skip_type_check or
header.get_object_type() == object_type):
return the_object
else:
return obj.NoneObject("Cannot find the object")
Example #10
| Source File: windows.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def get_object_bottom_up(self, struct_name, object_type, skip_type_check):
"""Get the windows object contained within this pool
by using the bottom-up approach to finding the object
"""
if not object_type:
return obj.Object(struct_name, vm = self.obj_vm,
offset = self.obj_offset +
self.obj_vm.profile.get_obj_size("_POOL_HEADER"),
native_vm = self.obj_native_vm)
pool_alignment = obj.VolMagic(self.obj_vm).PoolAlignment.v()
the_object = obj.Object(struct_name, vm = self.obj_vm,
offset = (self.obj_offset + self.BlockSize * pool_alignment -
common.pool_align(self.obj_vm, struct_name, pool_alignment)),
native_vm = self.obj_native_vm)
header = the_object.get_object_header()
if (skip_type_check or
header.get_object_type() == object_type):
return the_object
else:
return obj.NoneObject("Cannot find the object")
Example #11
| Source File: bigpagepools.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def scan(self, tags = []):
"""
Scan for the pools by tag.
@param tags: a list of pool tags to scan for,
or empty for scanning for all tags.
"""
(table_base, table_size) = \
obj.VolMagic(self.kernel_space).BigPageTable.v()
pools = obj.Object('Array', targetType = '_POOL_TRACKER_BIG_PAGES',
offset = table_base,
count = table_size, vm = self.kernel_space
)
for pool in pools:
if pool.Va.is_valid():
if not tags or pool.Key in tags:
yield pool
#--------------------------------------------------------------------------------
# BigPools Plugin
#--------------------------------------------------------------------------------
Example #12
| Source File: bigpagepools.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def scan(self, tags = []):
"""
Scan for the pools by tag.
@param tags: a list of pool tags to scan for,
or empty for scanning for all tags.
"""
(table_base, table_size) = \
obj.VolMagic(self.kernel_space).BigPageTable.v()
pools = obj.Object('Array', targetType = '_POOL_TRACKER_BIG_PAGES',
offset = table_base,
count = table_size, vm = self.kernel_space
)
for pool in pools:
if pool.Va.is_valid():
if not tags or pool.Key in tags:
yield pool
#--------------------------------------------------------------------------------
# BigPools Plugin
#--------------------------------------------------------------------------------
Example #13
| Source File: filescan.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, address_space):
poolscan.PoolScanner.__init__(self, address_space)
self.struct_name = "_DRIVER_OBJECT"
self.object_type = "Driver"
# due to the placement of the driver extension, we
# use the top down approach instead of bottom-up.
self.use_top_down = True
self.pooltag = obj.VolMagic(address_space).DriverPoolTag.v()
size = 0xf8 # self.address_space.profile.get_obj_size("_DRIVER_OBJECT")
self.checks = [
('CheckPoolSize', dict(condition = lambda x: x >= size)),
('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
('CheckPoolIndex', dict(value = 0)),
]
Example #14
| Source File: paged.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, dtb = 0, skip_as_check = False, *args, **kwargs):
## We must be stacked on someone else:
self.as_assert(base, "No base Address Space")
addrspace.AbstractVirtualAddressSpace.__init__(self, base, config, *args, **kwargs)
## We can not stack on someone with a dtb
self.as_assert(not (hasattr(base, 'paging_address_space') and base.paging_address_space), "Can not stack over another paging address space")
self.dtb = dtb or self.load_dtb()
# No need to set the base or dtb, it's already been by the inherited class
self.as_assert(self.dtb != None, "No valid DTB found")
if not skip_as_check:
volmag = obj.VolMagic(self)
if hasattr(volmag, self.checkname):
self.as_assert(getattr(volmag, self.checkname).v(), "Failed valid Address Space check")
else:
self.as_assert(False, "Profile does not have valid Address Space check")
# Reserved for future use
#self.pagefile = config.PAGEFILE
self.name = 'Kernel AS'
Example #15
| Source File: paged.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def load_dtb(self):
"""Loads the DTB as quickly as possible from the config, then the base, then searching for it"""
try:
# If the user has manually specified one, then shortcircuit to that one
if self._config.DTB:
raise AttributeError
## Try to be lazy and see if someone else found dtb for
## us:
return self.base.dtb
except AttributeError:
## Ok so we need to find our dtb ourselves:
dtb = obj.VolMagic(self.base).DTB.v()
if dtb:
## Make sure to save dtb for other AS's
## Will this have an effect on following ASes attempts if this fails?
self.base.dtb = dtb
return dtb
Example #16
| Source File: poolscan.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def check(self, offset):
pool_hdr = obj.Object('_POOL_HEADER', vm = self.address_space,
offset = offset - 4)
block_size = pool_hdr.BlockSize.v()
pool_alignment = obj.VolMagic(self.address_space).PoolAlignment.v()
return self.condition(block_size * pool_alignment)
Example #17
| Source File: windowstations.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, address_space):
poolscan.PoolScanner.__init__(self, address_space)
self.struct_name = "tagWINDOWSTATION"
self.object_type = "WindowStation"
self.pooltag = obj.VolMagic(address_space).WindPoolTag.v()
size = 0x90 # self.address_space.profile.get_obj_size("tagWINDOWSTATION")
self.checks = [
# seen as 0x98 on xpsp2 and xpsp3, 0x90 on w2k3*, 0xa0 on w7sp0
('CheckPoolSize', dict(condition = lambda x: x >= size)),
# only look in non-paged or free pools
('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
('CheckPoolIndex', dict(value = 0)),
]
Example #18
| Source File: modscan.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, address_space):
poolscan.PoolScanner.__init__(self, address_space)
self.struct_name = "_ETHREAD"
self.object_type = "Thread"
# this allows us to find terminated threads
self.skip_type_check = True
self.pooltag = obj.VolMagic(address_space).ThreadPoolTag.v()
size = 0x278 # self.address_space.profile.get_obj_size("_ETHREAD")
self.checks = [
('CheckPoolSize', dict(condition = lambda x: x >= size)),
('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
('CheckPoolIndex', dict(value = 0)),
]
Example #19
| Source File: lsasecrets.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def get_lsa_key(addr_space, secaddr, bootkey):
if not bootkey:
return None
root = rawreg.get_root(secaddr)
if not root:
return None
volmag = obj.VolMagic(addr_space)
enc_reg_key = rawreg.open_key(root, ["Policy", volmag.PolicyKey.v()])
if not enc_reg_key:
return None
enc_reg_value = enc_reg_key.ValueList.List.dereference()[0]
if not enc_reg_value:
return None
obf_lsa_key = secaddr.read(enc_reg_value.Data,
enc_reg_value.DataLength)
if not obf_lsa_key:
return None
if addr_space.profile.metadata.get('major', 0) == 5:
md5 = MD5.new()
md5.update(bootkey)
for _i in range(1000):
md5.update(obf_lsa_key[60:76])
rc4key = md5.digest()
rc4 = ARC4.new(rc4key)
lsa_key = rc4.decrypt(obf_lsa_key[12:60])
lsa_key = lsa_key[0x10:0x20]
else:
lsa_key = decrypt_aes(obf_lsa_key, bootkey)
lsa_key = lsa_key[68:100]
return lsa_key
Example #20
| Source File: tasks.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def get_kdbg(addr_space):
"""A function designed to return the KDBG structure from
an address space. First we try scanning for KDBG and if
that fails, we try scanning for KPCR and bouncing back to
KDBG from there.
Also note, both the primary and backup methods rely on the
4-byte KDBG.Header.OwnerTag. If someone overwrites this
value, then neither method will succeed. The same is true
even if a user specifies --kdbg, because we check for the
OwnerTag even in that case.
"""
kdbg = obj.VolMagic(addr_space).KDBG.v()
if kdbg.is_valid():
return kdbg
# skip the KPCR backup method for x64
memmode = addr_space.profile.metadata.get('memory_model', '32bit')
version = (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
if memmode == '32bit' or version <= (6, 1):
# Fall back to finding it via the KPCR. We cannot
# accept the first/best suggestion, because only
# the KPCR for the first CPU allows us to find KDBG.
for kpcr_off in obj.VolMagic(addr_space).KPCR.get_suggestions():
kpcr = obj.Object("_KPCR", offset = kpcr_off, vm = addr_space)
kdbg = kpcr.get_kdbg()
if kdbg.is_valid():
return kdbg
return obj.NoneObject("KDDEBUGGER structure not found using either KDBG signature or KPCR pointer")
Example #21
| Source File: poolscan.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, addr_space, scanners = [], scan_virtual = False, show_unalloc = False, use_top_down = False, start_offset = None, max_length = None):
"""An interface into the multiple concurrent pool scanner.
@param addr_space: a Volatility address space
@param scanners: a list of PoolScanner classes to scan for.
@param scan_virtual: True to scan in virtual/kernel space
or False to scan at the physical layer.
@param show_unalloc: True to skip unallocated objects whose
_OBJECT_TYPE structure are 0xbad0b0b0.
@param use_topdown: True to carve objects out of the pool using
the top-down approach or False to use the bottom-up trick.
@param start_offset: the starting offset to begin scanning.
@param max_length: the size in bytes to scan from the start.
"""
self.scanners = scanners
self.scan_virtual = scan_virtual
self.show_unalloc = show_unalloc
self.use_top_down = use_top_down
self.start_offset = start_offset
self.max_length = max_length
self.address_space = addr_space
self.pool_alignment = obj.VolMagic(self.address_space).PoolAlignment.v()
Example #22
| Source File: filescan.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, address_space, **kwargs):
poolscan.PoolScanner.__init__(self, address_space, **kwargs)
self.struct_name = "_KMUTANT"
self.object_type = "Mutant"
self.pooltag = obj.VolMagic(address_space).MutexPoolTag.v()
size = 0x40 # self.address_space.profile.get_obj_size("_KMUTANT")
self.checks = [
('CheckPoolSize', dict(condition = lambda x: x >= size)),
('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
('CheckPoolIndex', dict(value = lambda x : x < 5)),
]
Example #23
| Source File: poolscan.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, addr_space, scanners = [], scan_virtual = False, show_unalloc = False, use_top_down = False, start_offset = None, max_length = None):
"""An interface into the multiple concurrent pool scanner.
@param addr_space: a Volatility address space
@param scanners: a list of PoolScanner classes to scan for.
@param scan_virtual: True to scan in virtual/kernel space
or False to scan at the physical layer.
@param show_unalloc: True to skip unallocated objects whose
_OBJECT_TYPE structure are 0xbad0b0b0.
@param use_topdown: True to carve objects out of the pool using
the top-down approach or False to use the bottom-up trick.
@param start_offset: the starting offset to begin scanning.
@param max_length: the size in bytes to scan from the start.
"""
self.scanners = scanners
self.scan_virtual = scan_virtual
self.show_unalloc = show_unalloc
self.use_top_down = use_top_down
self.start_offset = start_offset
self.max_length = max_length
self.address_space = addr_space
self.pool_alignment = obj.VolMagic(self.address_space).PoolAlignment.v()
Example #24
| Source File: tasks.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def get_kdbg(addr_space):
"""A function designed to return the KDBG structure from
an address space. First we try scanning for KDBG and if
that fails, we try scanning for KPCR and bouncing back to
KDBG from there.
Also note, both the primary and backup methods rely on the
4-byte KDBG.Header.OwnerTag. If someone overwrites this
value, then neither method will succeed. The same is true
even if a user specifies --kdbg, because we check for the
OwnerTag even in that case.
"""
kdbg = obj.VolMagic(addr_space).KDBG.v()
if kdbg.is_valid():
return kdbg
# skip the KPCR backup method for x64
memmode = addr_space.profile.metadata.get('memory_model', '32bit')
version = (addr_space.profile.metadata.get('major', 0),
addr_space.profile.metadata.get('minor', 0))
if memmode == '32bit' or version <= (6, 1):
# Fall back to finding it via the KPCR. We cannot
# accept the first/best suggestion, because only
# the KPCR for the first CPU allows us to find KDBG.
for kpcr_off in obj.VolMagic(addr_space).KPCR.get_suggestions():
kpcr = obj.Object("_KPCR", offset = kpcr_off, vm = addr_space)
kdbg = kpcr.get_kdbg()
if kdbg.is_valid():
return kdbg
return obj.NoneObject("KDDEBUGGER structure not found using either KDBG signature or KPCR pointer")
Example #25
| Source File: lsasecrets.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def get_lsa_key(addr_space, secaddr, bootkey):
if not bootkey:
return None
root = rawreg.get_root(secaddr)
if not root:
return None
volmag = obj.VolMagic(addr_space)
enc_reg_key = rawreg.open_key(root, ["Policy", volmag.PolicyKey.v()])
if not enc_reg_key:
return None
enc_reg_value = enc_reg_key.ValueList.List.dereference()[0]
if not enc_reg_value:
return None
obf_lsa_key = secaddr.read(enc_reg_value.Data,
enc_reg_value.DataLength)
if not obf_lsa_key:
return None
if addr_space.profile.metadata.get('major', 0) == 5:
md5 = MD5.new()
md5.update(bootkey)
for _i in range(1000):
md5.update(obf_lsa_key[60:76])
rc4key = md5.digest()
rc4 = ARC4.new(rc4key)
lsa_key = rc4.decrypt(obf_lsa_key[12:60])
lsa_key = lsa_key[0x10:0x20]
else:
lsa_key = decrypt_aes(obf_lsa_key, bootkey)
lsa_key = lsa_key[68:100]
return lsa_key
Example #26
| Source File: windowstations.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, address_space):
poolscan.PoolScanner.__init__(self, address_space)
self.struct_name = "tagWINDOWSTATION"
self.object_type = "WindowStation"
self.pooltag = obj.VolMagic(address_space).WindPoolTag.v()
size = 0x90 # self.address_space.profile.get_obj_size("tagWINDOWSTATION")
self.checks = [
# seen as 0x98 on xpsp2 and xpsp3, 0x90 on w2k3*, 0xa0 on w7sp0
('CheckPoolSize', dict(condition = lambda x: x >= size)),
# only look in non-paged or free pools
('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
('CheckPoolIndex', dict(value = 0)),
]
Example #27
| Source File: objtypescan.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, address_space, **kwargs):
poolscan.PoolScanner.__init__(self, address_space, **kwargs)
self.struct_name = "_OBJECT_TYPE"
self.object_type = "Type"
self.pooltag = obj.VolMagic(address_space).ObjectTypePoolTag.v()
size = 0xc8 # self.address_space.profile.get_obj_size("_OBJECT_TYPE")
self.checks = [
('CheckPoolSize', dict(condition = lambda x: x >= size)),
('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
#('CheckPoolIndex', dict(value = 0)),
]
Example #28
| Source File: pooltracker.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def render_text(self, outfd, data):
for pool, buf in data:
pool_alignment = obj.VolMagic(pool.obj_vm).PoolAlignment.v()
outfd.write("Pool Header: {0:#x}, Size: {1}\n".format(
pool.obj_offset,
pool.BlockSize * pool_alignment))
outfd.write("{0}\n".format("\n".join(
["{0:#010x} {1:<48} {2}".format(pool.obj_offset + o, h, ''.join(c))
for o, h, c in utils.Hexdump(buf)
])))
outfd.write("\n")
Example #29
| Source File: filescan.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, address_space, **kwargs):
poolscan.PoolScanner.__init__(self, address_space, **kwargs)
self.struct_name = "_EPROCESS"
self.object_type = "Process"
# this allows us to find terminated processes
self.skip_type_check = True
self.pooltag = obj.VolMagic(address_space).ProcessPoolTag.v()
size = 0x1ae # self.address_space.profile.get_obj_size("_EPROCESS")
self.checks = [
('CheckPoolSize', dict(condition = lambda x: x >= size)),
('CheckPoolType', dict(paged = False, non_paged = True, free = True)),
('CheckPoolIndex', dict(value = lambda x : x < 5)),
]
Example #30
| Source File: filescan.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, address_space):
poolscan.PoolScanner.__init__(self, address_space)
self.struct_name = "_OBJECT_SYMBOLIC_LINK"
self.object_type = "SymbolicLink"
self.pooltag = obj.VolMagic(address_space).SymlinkPoolTag.v()
size = 0x48 # self.address_space.profile.get_obj_size("_OBJECT_SYMBOLIC_LINK")
self.checks = [
('CheckPoolSize', dict(condition = lambda x: x >= size)),
('CheckPoolType', dict(paged = True, non_paged = True, free = True)),
]
