Python volatility.obj.NoneObject() Examples
The following are 30
code examples of volatility.obj.NoneObject().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.obj
, or try the search function
.
Example #1
Source File: linux.py From volatility with GNU General Public License v2.0 | 6 votes |
def get_process_address_space(self): ## If we've got a NoneObject, return it maintain the reason if not self.mm: return self.mm if self.mm.pgd.v() == None: return self.mm.pgd.v() directory_table_base = self.obj_vm.vtop(self.mm.pgd.v()) try: process_as = self.obj_vm.__class__( self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base) except AssertionError, _e: return obj.NoneObject("Unable to get process AS")
Example #2
Source File: win32k_core.py From aumfor with GNU General Public License v3.0 | 6 votes |
def reference_object(self): """Reference the object this handle represents. If the object's type is not in our map, we don't know what type of object to instantiate so its filled with obj.NoneObject() instead. """ object_map = dict(TYPE_WINDOW = "tagWND", TYPE_HOOK = "tagHOOK", TYPE_CLIPDATA = "tagCLIPDATA", TYPE_WINEVENTHOOK = "tagEVENTHOOK", TYPE_TIMER = "tagTIMER", ) object_type = object_map.get(str(self.bType), None) if not object_type: return obj.NoneObject("Cannot reference object type") return obj.Object(object_type, offset = self.phead, vm = self.obj_vm)
Example #3
Source File: windows.py From aumfor with GNU General Public License v3.0 | 6 votes |
def get_object_bottom_up(self, struct_name, object_type, skip_type_check): """Get the windows object contained within this pool by using the bottom-up approach to finding the object """ if not object_type: return obj.Object(struct_name, vm = self.obj_vm, offset = self.obj_offset + self.obj_vm.profile.get_obj_size("_POOL_HEADER"), native_vm = self.obj_native_vm) pool_alignment = obj.VolMagic(self.obj_vm).PoolAlignment.v() the_object = obj.Object(struct_name, vm = self.obj_vm, offset = (self.obj_offset + self.BlockSize * pool_alignment - common.pool_align(self.obj_vm, struct_name, pool_alignment)), native_vm = self.obj_native_vm) header = the_object.get_object_header() if (skip_type_check or header.get_object_type() == object_type): return the_object else: return obj.NoneObject("Cannot find the object")
Example #4
Source File: apihooks.py From aumfor with GNU General Public License v3.0 | 6 votes |
def find_module(self, address): """Find a module by an address it contains. @param address: location in process or kernel AS to find an owning module. When performing thousands of lookups, this method is actually quicker than tasks.find_module. """ for base, end, mod in self.mod_fast: if address >= base and address <= end: return mod return obj.NoneObject("") #-------------------------------------------------------------------------------- # Hook Class #--------------------------------------------------------------------------------
Example #5
Source File: win32k_core.py From aumfor with GNU General Public License v3.0 | 6 votes |
def find_shared_info(self): """Find this session's tagSHAREDINFO structure. This structure is embedded in win32k's .data section, (i.e. not in dynamically allocated memory). Thus we iterate over each DWORD-aligned possibility and treat it as a tagSHAREDINFO until the sanity checks are met. """ for chunk in self._section_chunks(".data"): # If the base of the value is paged if not chunk.is_valid(): continue # Treat it as a shared info struct shared_info = obj.Object("tagSHAREDINFO", offset = chunk.obj_offset, vm = self.obj_vm) # Sanity check it try: if shared_info.is_valid(): return shared_info except obj.InvalidOffsetError: pass return obj.NoneObject("Cannot find win32k!gSharedInfo")
Example #6
Source File: windows.py From aumfor with GNU General Public License v3.0 | 6 votes |
def Peb(self): """ Returns a _PEB object which is using the process address space. The PEB structure is referencing back into the process address space so we need to switch address spaces when we look at it. This method ensure this happens automatically. """ process_ad = self.get_process_address_space() if process_ad: offset = self.m("Peb").v() peb = obj.Object("_PEB", offset, vm = process_ad, name = "Peb", parent = self) if peb.is_valid(): return peb return obj.NoneObject("Peb not found")
Example #7
Source File: win8.py From aumfor with GNU General Public License v3.0 | 6 votes |
def get_item(self, entry, handle_value = 0): """Starting with 8/2012 x64 the PsPCidTable pointers go directly to an object rather than an object header. """ if entry.LowValue == 0: return obj.NoneObject("LowValue pointer is invalid") body_offset = self.obj_vm.profile.get_obj_offset("_OBJECT_HEADER", "Body") head_offset = self.decode_pointer(entry.LowValue) - body_offset return obj.Object("_OBJECT_HEADER", offset = head_offset, vm = self.obj_vm, parent = entry, handle_value = handle_value)
Example #8
Source File: sessions.py From aumfor with GNU General Public License v3.0 | 6 votes |
def find_session_space(self, kernel_space, session_id): """ Get a session address space by its ID. @param space: a kernel AS for process enumeration @param session_id: the session ID to find. @returns _MM_SESSION_SPACE instantiated from the session space native_vm. """ for proc in tasks.pslist(kernel_space): if proc.SessionId == session_id: ps_ad = proc.get_process_address_space() if ps_ad != None: return obj.Object("_MM_SESSION_SPACE", offset = proc.Session.v(), vm = ps_ad) return obj.NoneObject("Cannot locate a session")
Example #9
Source File: linux.py From aumfor with GNU General Public License v3.0 | 6 votes |
def get_process_address_space(self): ## If we've got a NoneObject, return it maintain the reason if not self.mm: return self.mm if self.mm.pgd.v() == None: return self.mm.pgd.v() directory_table_base = self.obj_vm.vtop(self.mm.pgd.v()) try: process_as = self.obj_vm.__class__( self.obj_vm.base, self.obj_vm.get_config(), dtb = directory_table_base) except AssertionError, _e: return obj.NoneObject("Unable to get process AS")
Example #10
Source File: pslist.py From aumfor with GNU General Public License v3.0 | 6 votes |
def render_text(self, outfd, data): self.table_header(outfd, [("Task", "16"), ("Pid", "8"), ("Virtual", "[addrpad]"), ("Physical", "[addrpad]"), ("Size", "[addr]")]) for task in data: task_space = task.get_process_address_space() pagedata = task_space.get_available_pages() if pagedata: for p in pagedata: pa = task_space.vtop(p[0]) # pa can be 0, according to the old memmap, but can't == None(NoneObject) if pa != None: self.table_row(outfd, task.comm, task.pid, p[0], pa, p[1]) #else: # outfd.write("0x{0:10x} 0x000000 0x{1:12x}\n".format(p[0], p[1])) else: outfd.write("Unable to read pages for {0} pid {1}.\n".format(task.comm, task.pid))
Example #11
Source File: basic.py From aumfor with GNU General Public License v3.0 | 6 votes |
def v(self): """ Use zread to help emulate reading null-terminated C strings across page boundaries. @returns: If all bytes are available, return the full string as a raw byte buffer. If the end of the string is in a page that isn't available, return as much of the string as possible, padded with nulls to the string's length. If the string length is 0, vtop() fails, or the physical addr of the string is not valid, return NoneObject. Note: to get a null terminated string, use the __str__ method. """ result = self.obj_vm.zread(self.obj_offset, self.length) if not result: return obj.NoneObject("Cannot read string length {0} at {1:#x}".format(self.length, self.obj_offset)) return result
Example #12
Source File: cache.py From volatility with GNU General Public License v2.0 | 6 votes |
def _find_generators(self, item): """ A recursive function to flatten generators into lists """ try: result = [] # Make sure dicts aren't flattened to lists if isinstance(item, dict): result = {} for i in item: result[self._find_generators(i)] = self._find_generators(item[i]) return result # Since NoneObjects and strings are both iterable, treat them specially if isinstance(item, obj.NoneObject) or isinstance(item, str): return item if isinstance(item, types.GeneratorType): raise CacheContainsGenerator for x in iter(item): flat_x = self._find_generators(x) result.append(flat_x) return result except TypeError: return item
Example #13
Source File: atoms.py From aumfor with GNU General Public License v3.0 | 6 votes |
def calculate(self): seen = [] # Find the atom tables that belong to each window station for wndsta in windowstations.WndScan(self._config).calculate(): offset = wndsta.obj_native_vm.vtop(wndsta.pGlobalAtomTable) if offset in seen: continue seen.append(offset) # The atom table is dereferenced in the proper # session space atom_table = wndsta.AtomTable if atom_table.is_valid(): yield atom_table, wndsta # Find atom tables not linked to specific window stations. # This finds win32k!UserAtomHandleTable. for table in AtomScan(self._config).calculate(): if table.PhysicalAddress not in seen: yield table, obj.NoneObject("No windowstation")
Example #14
Source File: cache.py From aumfor with GNU General Public License v3.0 | 6 votes |
def _find_generators(self, item): """ A recursive function to flatten generators into lists """ try: result = [] # Make sure dicts aren't flattened to lists if isinstance(item, dict): result = {} for i in item: result[self._find_generators(i)] = self._find_generators(item[i]) return result # Since NoneObjects and strings are both iterable, treat them specially if isinstance(item, obj.NoneObject) or isinstance(item, str): return item if isinstance(item, types.GeneratorType): raise CacheContainsGenerator for x in iter(item): flat_x = self._find_generators(x) result.append(flat_x) return result except TypeError: return item
Example #15
Source File: pslist.py From volatility with GNU General Public License v2.0 | 6 votes |
def render_text(self, outfd, data): self.table_header(outfd, [("Task", "16"), ("Pid", "8"), ("Virtual", "[addrpad]"), ("Physical", "[addrpad]"), ("Size", "[addr]")]) for task in data: task_space = task.get_process_address_space() pagedata = task_space.get_available_pages() if pagedata: for p in pagedata: pa = task_space.vtop(p[0]) # pa can be 0, according to the old memmap, but can't == None(NoneObject) if pa != None: self.table_row(outfd, task.comm, task.pid, p[0], pa, p[1]) #else: # outfd.write("0x{0:10x} 0x000000 0x{1:12x}\n".format(p[0], p[1])) else: outfd.write("Unable to read pages for {0} pid {1}.\n".format(task.comm, task.pid))
Example #16
Source File: pslist.py From volatility with GNU General Public License v2.0 | 5 votes |
def virtual_process_from_physical_offset(addr_space, offset): pspace = utils.load_as(addr_space.get_config(), astype = 'physical') task = obj.Object("task_struct", vm = pspace, offset = offset) parent = obj.Object("task_struct", vm = addr_space, offset = task.parent) for child in parent.children.list_of_type("task_struct", "sibling"): if child.obj_vm.vtop(child.obj_offset) == task.obj_offset: return child return obj.NoneObject("Unable to bounce back from task_struct->parent->task_struct")
Example #17
Source File: hibinfo.py From volatility with GNU General Public License v2.0 | 5 votes |
def calculate(self): """Determines the address space""" addr_space = utils.load_as(self._config) result = None adrs = addr_space while adrs: if adrs.__class__.__name__ == 'WindowsHiberFileSpace32': sr = adrs.ProcState.SpecialRegisters peb = obj.NoneObject("Cannot locate a valid PEB") # Find the PEB by cycling through processes. This method works # on all versions of Windows x86 and x64. for task in tasks.pslist(addr_space): if task.Peb: peb = task.Peb break result = {'header': adrs.get_header(), 'sr': sr, 'peb': peb, 'adrs': adrs } adrs = adrs.base if result == None: debug.error("Memory Image could not be identified or did not contain hiberation information") return result
Example #18
Source File: hashdump.py From volatility with GNU General Public License v2.0 | 5 votes |
def dump_memory_hashes(addr_space, config, syshive, samhive): if syshive != None and samhive != None: sysaddr = hive.HiveAddressSpace(addr_space, config, syshive) samaddr = hive.HiveAddressSpace(addr_space, config, samhive) return dump_hashes(sysaddr, samaddr) return obj.NoneObject("SYSTEM or SAM address is None: Did you use the correct profile?")
Example #19
Source File: hashdump.py From volatility with GNU General Public License v2.0 | 5 votes |
def dump_hashes(sysaddr, samaddr): if sysaddr == None: yield obj.NoneObject("SYSTEM address is None: Did you use the correct profile?") if samaddr == None: yield obj.NoneObject("SAM address is None: Did you use the correct profile?") bootkey = get_bootkey(sysaddr) hbootkey = get_hbootkey(samaddr, bootkey) if hbootkey: for user in get_user_keys(samaddr): ret = get_user_hashes(user, hbootkey) if not ret: yield obj.NoneObject("Cannot get user hashes for {0}".format(user)) else: lmhash, nthash = ret if not lmhash: lmhash = empty_lm if not nthash: nthash = empty_nt ## temporary fix to prevent UnicodeDecodeError backtraces ## however this can cause truncated user names as a result name = get_user_name(user) if name is not None: name = name.encode('ascii', 'ignore') else: name = "(unavailable)" yield "{0}:{1}:{2}:{3}:::".format(name, int(str(user.Name), 16), lmhash.encode('hex'), nthash.encode('hex')) else: yield obj.NoneObject("Hbootkey is not valid")
Example #20
Source File: taskmods.py From volatility with GNU General Public License v2.0 | 5 votes |
def virtual_process_from_physical_offset(addr_space, offset): """ Returns a virtual process from a physical offset in memory """ # Since this is a physical offset, we find the process flat_addr_space = utils.load_as(addr_space.get_config(), astype = 'physical') flateproc = obj.Object("_EPROCESS", offset, flat_addr_space) # then use the virtual address of its first thread to get into virtual land # (Note: the addr_space and flat_addr_space use the same config, so should have the same profile) tleoffset = addr_space.profile.get_obj_offset("_ETHREAD", "ThreadListEntry") # start out with the member offset given to us from the profile offsets = [tleoffset] # if (and only if) we're dealing with 64-bit Windows 7 SP1 # then add the other commonly seen member offset to the list meta = addr_space.profile.metadata major = meta.get("major", 0) minor = meta.get("minor", 0) build = meta.get("build", 0) version = (major, minor, build) if meta.get("memory_model") == "64bit" and version == (6, 1, 7601): offsets.append(tleoffset + 8) ## use the member offset from the profile for ofs in offsets: ethread = obj.Object("_ETHREAD", offset = flateproc.ThreadListHead.Flink.v() - ofs, vm = addr_space) # and ask for the thread's process to get an _EPROCESS with a virtual address space virtual_process = ethread.owning_process() # Sanity check the bounce. See Issue 154. if virtual_process and offset == addr_space.vtop(virtual_process.obj_offset): return virtual_process return obj.NoneObject("Unable to bounce back from virtual _ETHREAD to virtual _EPROCESS")
Example #21
Source File: arm.py From aumfor with GNU General Public License v3.0 | 5 votes |
def read_long_phys(self, addr): ''' Returns an unsigned 32-bit integer from the address addr in physical memory. If unable to read from that location, returns None. ''' try: string = self.base.read(addr, 4) except IOError: string = None if not string: return obj.NoneObject("Could not read_long_phys at offset " + hex(addr)) longval, = self._long_struct.unpack(string) return longval
Example #22
Source File: rawreg.py From aumfor with GNU General Public License v3.0 | 5 votes |
def open_key(root, key): if key == []: return root if not root.is_valid(): return None keyname = key.pop(0) for s in subkeys(root): if s.Name.upper() == keyname.upper(): return open_key(s, key) debug.debug("Couldn't find subkey {0} of {1}".format(keyname, root.Name), 1) return obj.NoneObject("Couldn't find subkey {0} of {1}".format(keyname, root.Name))
Example #23
Source File: vmware.py From aumfor with GNU General Public License v3.0 | 5 votes |
def get_tag(header, grp_name, tag_name, indices = None, data_type = None): """Get a tag from the VMware headers @param grp_name: the group name (from _VMWARE_GROUP.Name) @param tag_name: the tag name (from _VMWARE_TAG.Name) @param indices: a group can contain multiple tags of the same name, and tags can also contain meta-tags. this parameter lets you specify which tag or meta-tag exactly to operate on. for example the 3rd CR register (CR3) of the first CPU would use [0][3] indices. If this parameter is None, then you just match on grp_name and tag_name. @param data_type: the type of data depends on the purpose of the tag. If you supply this parameter, the function returns an object of the specified type (for example an int or long). If not supplied, you just get back the _VMWARE_TAG object itself. """ for group in header.Groups: ## Match on the group's name if str(group.Name) != grp_name: continue ## Iterate the tags looking for a matchah for tag in group.Tags: if str(tag.Name) != tag_name: continue ## If a set of indices was supplied, make sure it matches if indices and tag.TagIndices != indices: continue ## If a data type is specified, cast the Tag and return the ## object. Otherwise return the Tag object itself. if data_type: return tag.cast_as(data_type) else: return tag return obj.NoneObject("Cannot find [{0}][{1}]".format(grp_name, tag_name))
Example #24
Source File: win32k_core.py From aumfor with GNU General Public License v3.0 | 5 votes |
def find_gahti(self): """Find this session's gahti. This can potentially be much faster by searching for '\0' * sizeof(tagHANDLETYPEINFO) instead of moving on a dword aligned boundary through the section. """ for chunk in self._section_chunks(".rdata"): if not chunk.is_valid(): continue gahti = obj.Object("gahti", offset = chunk.obj_offset, vm = self.obj_vm) ## The sanity check here is based on the fact that the first entry ## in the gahti is always for TYPE_FREE. The fnDestroy pointer will ## be NULL, the alloc tag will be an empty string, and the creation ## flags will be zero. We also then check the alloc tag of the first ## USER handle type which should be Uswd (TYPE_WINDOW). ## Update: fnDestroy is no longer NULL for TYPE_FREE on Win8/2012. if (str(gahti.types[0].dwAllocTag) == '' and gahti.types[0].bObjectCreateFlags == 0 and str(gahti.types[1].dwAllocTag) == "Uswd"): return gahti return obj.NoneObject("Cannot find win32k!_gahti")
Example #25
Source File: win7.py From aumfor with GNU General Public License v3.0 | 5 votes |
def find_shared_info(self): """The way we find win32k!gSharedInfo on Windows 7 is different than before. For each DWORD in the win32k.sys module's .data section (DWORD-aligned) we check if its the HeEntrySize member of a possible tagSHAREDINFO structure. This should equal the size of a _HANDLEENTRY. The HeEntrySize member didn't exist before Windows 7 thus the need for separate methods.""" handle_table_size = self.obj_vm.profile.\ get_obj_size("_HANDLEENTRY") handle_entry_offset = self.obj_vm.profile.\ get_obj_offset("tagSHAREDINFO", "HeEntrySize") for chunk in self._section_chunks(".data"): if chunk != handle_table_size: continue shared_info = obj.Object("tagSHAREDINFO", offset = chunk.obj_offset - handle_entry_offset, vm = self.obj_vm) if shared_info.is_valid(): return shared_info return obj.NoneObject("Cannot find win32k!gSharedInfo")
Example #26
Source File: intel.py From aumfor with GNU General Public License v3.0 | 5 votes |
def read_long_phys(self, addr): try: string = self.base.read(addr, 4) except IOError: string = None if not string: return obj.NoneObject("Unable to read_long_phys at " + hex(addr)) longval, = self._long_struct.unpack(string) return longval
Example #27
Source File: clipboard.py From aumfor with GNU General Public License v3.0 | 5 votes |
def generator(self, data): for session, wndsta, clip, handle in data: # If no tagCLIP is provided, we do not know the format if not clip: fmt = obj.NoneObject("Format unknown") else: # Try to get the format name, but failing that, print # the format number in hex instead. if clip.fmt.v() in consts.CLIPBOARD_FORMAT_ENUM: fmt = str(clip.fmt) else: fmt = hex(clip.fmt.v()) # Try to get the handle from tagCLIP first, but # fall back to using _HANDLEENTRY.phead. Note: this can # be a value like DUMMY_TEXT_HANDLE (1) etc. if clip: handle_value = clip.hData else: handle_value = handle.phead.h clip_data = "" if handle: try: clip_data = ''.join([chr(c) for c in handle.reference_object().abData]) except AttributeError: pass yield(0, [int(session.SessionId), str(wndsta.Name), str(fmt), Hex(handle_value), Address(handle.phead.v()), Bytes(clip_data) ])
Example #28
Source File: intel.py From aumfor with GNU General Public License v3.0 | 5 votes |
def _read_long_long_phys(self, addr): if not addr: return obj.NoneObject("Unable to read None") try: string = self.base.read(addr, 8) except IOError: string = None if not string: return obj.NoneObject("Unable to read base AS at " + hex(addr)) longlongval, = self._longlong_struct.unpack(string) return longlongval
Example #29
Source File: messagehooks.py From aumfor with GNU General Public License v3.0 | 5 votes |
def translate_atom(self, winsta, atom_tables, atom_id): """ Translate an atom into an atom name. @param winsta: a tagWINDOWSTATION in the proper session space @param atom_tables: a dictionary with _RTL_ATOM_TABLE instances as the keys and owning window stations as the values. @param index: the index into the atom handle table. """ # First check the default atoms if consts.DEFAULT_ATOMS.has_key(atom_id): return consts.DEFAULT_ATOMS[atom_id].Name # A list of tables to search. The session atom tables # have priority and will be searched first. table_list = [ table for (table, window_station) in atom_tables.items() if window_station == None ] table_list.append(winsta.AtomTable) ## Fixme: the session atom tables are found via physical ## AS pool tag scanning, and there's no good way (afaik) ## to associate the table with its session. Thus if more ## than one session has atoms with the same id but different ## values, then we could possibly select the wrong one. for table in table_list: atom = table.find_atom(atom_id) if atom: return atom.Name return obj.NoneObject("Cannot translate atom {0:#x}".format(atom_id))
Example #30
Source File: shellbags.py From aumfor with GNU General Public License v3.0 | 5 votes |
def v(self): result = self.obj_vm.zread(self.obj_offset, self.length).split("\x00\x00")[0].replace("\x00", "") if not result: return obj.NoneObject("Cannot read string length {0} at {1:#x}".format(self.length, self.obj_offset)) return result