Python volatility.debug.warning() Examples

def _formatlookup(self, profile, code):
        """Code to turn profile specific values into format specifications"""
        code = code or ""
        if not code.startswith('['):
            return code

        # Strip off the square brackets
        code = code[1:-1].lower()
        if code.startswith('addr'):
            spec = fmtspec.FormatSpec("#10x")
            if profile.metadata.get('memory_model', '32bit') == '64bit':
                spec.minwidth += 8
            if 'pad' in code:
                spec.fill = "0"
                spec.align = spec.align if spec.align else "="
            else:
                # Non-padded addresses will come out as numbers,
                # so titles should align >
                spec.align = ">"
            return spec.to_string()

        # Something went wrong
        debug.warning("Unknown table format specification: " + code)
        return "" 

def parse_winlogon_registration_key(self, key):

        dllname = ""
        events = []
        pids = []
        key_path = self.regapi.reg_get_key_path(key) or str(key.Name)

        try:
            for v_name, v_data in self.regapi.reg_yield_values(hive_name=None, key=None, given_root=key):
                val_name = str(v_name or '')
                val_data = str(v_data or '').replace('\x00', '')

                if val_name.lower() == 'dllname':
                    dllname = val_data
                    pids = self.find_pids_for_imagepath(dllname)
                elif val_name in WINLOGON_NOTIFICATION_EVENTS:
                    events.append((val_name, val_data))

        except Exception as e:
            debug.warning('Failed while parsing {}. Exception: {} {}'.format(key_path, type(e).__name__, e.args))

        if dllname:
            return (dllname, events, key.LastWriteTime, key_path, pids)

    # Returns [] or a list of tuples(val_name, val_data, key.LastWriteTime, expected_val_data, [int(pids)]) 

def get_activesetup(self):

        debug.debug('Started get_activesetup()')
        results = []

        try:
            self.regapi.reset_current()
            for subkey in self.regapi.reg_get_all_subkeys(hive_name='software', key=ACTIVE_SETUP_KEY):
                r = self.parse_activesetup_keys(subkey)
                if r:
                    results.append(r)

        except Exception as e:
            debug.warning('get_activesetup() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))

        debug.debug('Finished get_activesetup()')
        return results

    # Returns None or a tuple(exe path, subkey.LastWriteTime, key path, [int(pids)]) 

def Object(theType, offset, vm, name = None, **kwargs):
    """ A function which instantiates the object named in theType (as
    a string) from the type in profile passing optional args of
    kwargs.
    """
    name = name or theType
    offset = int(offset)

    try:
        if vm.profile.has_type(theType):
            result = vm.profile.types[theType](offset = offset, vm = vm, name = name, **kwargs)
            return result
    except InvalidOffsetError:
        ## If we cant instantiate the object here, we just error out:
        return NoneObject("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name),
                          strict = vm.profile.strict)

    ## If we get here we have no idea what the type is supposed to be?
    ## This is a serious error.
    debug.warning("Cant find object {0} in profile {1}?".format(theType, vm.profile)) 

def get_sdb(self):

        debug.debug('Started get_sdb()')
        results = []

        try:
            self.regapi.reset_current()
            sdb_keys = self.regapi.reg_get_all_subkeys(hive_name='software', key=APPCOMPAT_SDB_KEY)
            for subkey in sdb_keys:
                parsed_sdb_entry = self.parse_sdb_key(subkey)
                if parsed_sdb_entry:
                    results.append(parsed_sdb_entry)

        except Exception as e:
            debug.warning('get_sdb() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))

        debug.debug('Finished get_sdb()')
        return results

    #Returns None or a tuple(exe, db_path, subkey.LastWriteTime, key path, [int(pids)]) 

def load_vtypes(self):
        """ Identifies the module from which to load the vtypes 
        
            Eventually this could do the importing directly, and avoid having
            the profiles loaded in memory all at once.
        """
        ntvar = self.metadata.get('memory_model', '32bit')
        self.native_types = copy.deepcopy(self.native_mapping.get(ntvar))

        vtype_module = self.metadata.get('vtype_module', None)
        if not vtype_module:
            debug.warning("No vtypes specified for this profile")
        else:
            module = sys.modules.get(vtype_module, None)

            # Try to locate the _types dictionary
            for i in dir(module):
                if i.endswith('_types'):
                    self.vtypes.update(getattr(module, i)) 

def get_services(self):

        debug.debug('Started get_services()')
        results = []
        service_key_path = "{}\\Services".format(self.currentcs)

        try:
            self.regapi.reset_current()
            for service_sk in self.regapi.reg_get_all_subkeys(hive_name='system', key=service_key_path):
                parsed_service = self.parse_service_key(service_sk)
                if parsed_service and (self._config.VERBOSE or 'system32' not in parsed_service[5].lower()):
                    results.append(parsed_service)

        except Exception as e:
            debug.warning('get_services() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))

        debug.debug('Finished get_services()')
        return results

    # Returns None or (key_path, timestamp, display_name, SERVICE_STARTUP[startup], SERVICE_TYPES[type], image_path, service_dll, [int(pids)]) 

def _write_file(self, ff, file_path, file_dentry):
        inode = file_dentry.d_inode
        
        if inode and inode.is_valid() and not inode.is_dir():
            ents = file_path.split("/")
            out_path = os.path.join(self._config.DUMP_DIR, *ents)

            try:
                fd = open(out_path, "wb")
            except IOError, e:
                debug.warning("Unable to process file: %s : %s" % (out_path, str(e)))
                return
                
            for page in ff.get_file_contents(inode):
                fd.write(page)  
            
            fd.close() 

def calculate(self):
        """ 
        This works by walking the system call table 
        and verifies that each is a symbol in the kernel
        """
        linux_common.set_plugin_members(self)

        if not has_distorm:
            debug.warning("distorm not installed. The best method to calculate the system call table size will not be used.")
                        
        if self._config.SYSCALL_INDEXES:
            if not os.path.exists(self._config.SYSCALL_INDEXES):
                debug.error("Given syscall indexes file does not exist!")

            index_lines = open(self._config.SYSCALL_INDEXES, "r").read()
        else:
            index_lines = None

        for (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked) in self.get_syscalls(index_lines, True): 
            yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked) 

def _check_inetsw(self, modules):
        try:
            self.addr_space.profile.get_obj_offset("inet_protosw", "list")
        except KeyError:
            debug.warning("You are using an old Linux profile. Please recreate the profile using the latest Volatility version.")
            return

        proto_members = self.profile.types['proto_ops'].keywords["members"].keys()       
        proto_members.remove('owner')
        proto_members.remove('family')
        
        inetsw_addr = self.addr_space.profile.get_symbol("inetsw")
        inetsw = obj.Object(theType = "Array", targetType = "list_head", offset = inetsw_addr, vm = self.addr_space, count = 11)
 
        for inet_list in inetsw:
            for inet in inet_list.list_of_type("inet_protosw", "list"):
                name = self.addr_space.read(inet.prot.name.obj_offset, 32)
                idx = name.index("\x00")
                if idx != -1:   
                    name = name[:idx]

                for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(inet.ops, proto_members,  modules):
                    yield (name, hooked_member, hook_type, hook_address) 

def _get_image_exe(self, unsafe, fix):
    
        nt_header = self.get_nt_header()
        soh = nt_header.OptionalHeader.SizeOfHeaders
        header = self.obj_vm.zread(self.obj_offset, soh)
        if fix:
            header = self._fix_header_image_base(header, nt_header)
        yield (0, header)

        fa = nt_header.OptionalHeader.FileAlignment
        for sect in nt_header.get_sections(unsafe):
            foa = self.round(sect.PointerToRawData, fa)
            if foa != sect.PointerToRawData:
                debug.warning("Section start on disk not aligned to file alignment.\n")
                debug.warning("Adjusted section start from {0} to {1}.\n".format(sect.PointerToRawData, foa))
            yield self.get_code(sect.VirtualAddress + self.obj_offset,
                                sect.SizeOfRawData, foa) 

def allprocs(self):
        p = self.addr_space.profile.get_symbol("_allproc")

        procsaddr = obj.Object("proclist", offset = p, vm = self.addr_space)
        proc = obj.Object("proc", offset = procsaddr.lh_first, vm = self.addr_space)
        seen = []

        while proc.is_valid():
    
            if proc.obj_offset in seen:
                debug.warning("Recursive process list detected (a result of non-atomic acquisition). Use mac_tasks or mac_psxview)")
                break
            else:
                seen.append(proc.obj_offset)

            yield proc 

            proc = proc.p_list.le_next.dereference() 

def calculate_alloc_stats(self):
        """Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when read lengths of data
           It's particularly important to cast all numbers to ints, since they're used a lot and object take effort to reread.
        """
        available_allocs = list(self.get_available_allocs())

        self.minimum_size = int(min([size for _, size in available_allocs]))
        accumulator = self.minimum_size
        for start, _ in available_allocs:
            if accumulator is None and start > 1:
                accumulator = start
            if accumulator and start > 0:
                accumulator = fractions.gcd(accumulator, start)
        self.alignment_gcd = int(accumulator)
        # Pick an arbitrary cut-off that'll lead to too many reads
        if self.alignment_gcd < 0x4:
            debug.warning("Alignment of " + self.__class__.__name__ + " is too small, plugins will be extremely slow") 

def Object(theType, offset, vm, name = None, **kwargs):
    """ A function which instantiates the object named in theType (as
    a string) from the type in profile passing optional args of
    kwargs.
    """
    name = name or theType
    offset = int(offset)

    try:
        if vm.profile.has_type(theType):
            result = vm.profile.types[theType](offset = offset, vm = vm, name = name, **kwargs)
            return result
    except InvalidOffsetError:
        ## If we cant instantiate the object here, we just error out:
        return NoneObject("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name),
                          strict = vm.profile.strict)

    ## If we get here we have no idea what the type is supposed to be?
    ## This is a serious error.
    debug.warning("Cant find object {0} in profile {1}?".format(theType, vm.profile)) 

def load_vtypes(self):
        """ Identifies the module from which to load the vtypes 
        
            Eventually this could do the importing directly, and avoid having
            the profiles loaded in memory all at once.
        """
        ntvar = self.metadata.get('memory_model', '32bit')
        self.native_types = copy.deepcopy(self.native_mapping.get(ntvar))

        vtype_module = self.metadata.get('vtype_module', None)
        if not vtype_module:
            debug.warning("No vtypes specified for this profile")
        else:
            module = sys.modules.get(vtype_module, None)

            # Try to locate the _types dictionary
            for i in dir(module):
                if i.endswith('_types'):
                    self.vtypes.update(getattr(module, i)) 

def get_winlogon_registrations(self):

        debug.debug('Started get_winlogon_registrations()')
        results = []
        notify_key = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"

        try:
            self.regapi.reset_current()
            for subkey in self.regapi.reg_get_all_subkeys(hive_name='software', key=notify_key):
                parsed_entry = self.parse_winlogon_registration_key(subkey)
                if parsed_entry and (self._config.VERBOSE or (parsed_entry[0].split('\\')[-1] not in WINLOGON_REGISTRATION_KNOWN_DLLS)):
                    results.append(parsed_entry)

        except Exception as e:
            debug.warning('get_winlogon_registrations() failed to complete. Exception: {0} {1}'.format(type(e).__name__, e.args))

        debug.debug('Finished get_winlogon_registrations()')
        return results

    # Returns None or (str(dllname), [(str(trigger)),str(event))], key.LastWriteTime, key path, [int(pids)]) 

def _write_file(self, ff, file_path, file_dentry):
        inode = file_dentry.d_inode
        
        if inode and inode.is_valid() and not inode.is_dir():
            ents = file_path.split("/")
            out_path = os.path.join(self._config.DUMP_DIR, *ents)

            try:
                fd = open(out_path, "wb")
            except IOError, e:
                debug.warning("Unable to process file: %s : %s" % (out_path, str(e)))
                return
                
            for page in ff.get_file_contents(inode):
                fd.write(page)  
            
            fd.close() 

def _check_inetsw(self, modules):
        try:
            self.addr_space.profile.get_obj_offset("inet_protosw", "list")
        except KeyError:
            debug.warning("You are using an old Linux profile. Please recreate the profile using the latest Volatility version.")
            return

        proto_members = self.profile.types['proto_ops'].keywords["members"].keys()       
        proto_members.remove('owner')
        proto_members.remove('family')
        
        inetsw_addr = self.addr_space.profile.get_symbol("inetsw")
        inetsw = obj.Object(theType = "Array", targetType = "list_head", offset = inetsw_addr, vm = self.addr_space, count = 11)
 
        for inet_list in inetsw:
            for inet in inet_list.list_of_type("inet_protosw", "list"):
                name = self.addr_space.read(inet.prot.name.obj_offset, 32)
                idx = name.index("\x00")
                if idx != -1:   
                    name = name[:idx]

                for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(inet.ops, proto_members,  modules):
                    yield (name, hooked_member, hook_type, hook_address) 

def _get_image_exe(self, unsafe, fix):
    
        nt_header = self.get_nt_header()
        soh = nt_header.OptionalHeader.SizeOfHeaders
        header = self.obj_vm.zread(self.obj_offset, soh)
        if fix:
            header = self._fix_header_image_base(header, nt_header)
        yield (0, header)

        fa = nt_header.OptionalHeader.FileAlignment
        for sect in nt_header.get_sections(unsafe):
            foa = self.round(sect.PointerToRawData, fa)
            if foa != sect.PointerToRawData:
                debug.warning("Section start on disk not aligned to file alignment.\n")
                debug.warning("Adjusted section start from {0} to {1}.\n".format(sect.PointerToRawData, foa))
            yield self.get_code(sect.VirtualAddress + self.obj_offset,
                                sect.SizeOfRawData, foa) 

def calculate_alloc_stats(self):
        """Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when read lengths of data
           It's particularly important to cast all numbers to ints, since they're used a lot and object take effort to reread.
        """
        available_allocs = list(self.get_available_allocs())

        self.minimum_size = int(min([size for _, size in available_allocs]))
        accumulator = self.minimum_size
        for start, _ in available_allocs:
            if accumulator is None and start > 1:
                accumulator = start
            if accumulator and start > 0:
                accumulator = fractions.gcd(accumulator, start)
        self.alignment_gcd = int(accumulator)
        # Pick an arbitrary cut-off that'll lead to too many reads
        if self.alignment_gcd < 0x4:
            debug.warning("Alignment of " + self.__class__.__name__ + " is too small, plugins will be extremely slow") 

def Object(theType, offset, vm, name = None, **kwargs):
    """ A function which instantiates the object named in theType (as
    a string) from the type in profile passing optional args of
    kwargs.
    """
    name = name or theType
    offset = int(offset)

    try:
        if vm.profile.has_type(theType):
            result = vm.profile.types[theType](offset = offset, vm = vm, name = name, **kwargs)
            return result
    except InvalidOffsetError:
        ## If we cant instantiate the object here, we just error out:
        return NoneObject("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name),
                          strict = vm.profile.strict)

    ## If we get here we have no idea what the type is supposed to be?
    ## This is a serious error.
    debug.warning("Cant find object {0} in profile {1}?".format(theType, vm.profile)) 

def load_vtypes(self):
        """ Identifies the module from which to load the vtypes 
        
            Eventually this could do the importing directly, and avoid having
            the profiles loaded in memory all at once.
        """
        ntvar = self.metadata.get('memory_model', '32bit')
        self.native_types = copy.deepcopy(self.native_mapping.get(ntvar))

        vtype_module = self.metadata.get('vtype_module', None)
        if not vtype_module:
            debug.warning("No vtypes specified for this profile")
        else:
            module = sys.modules.get(vtype_module, None)

            # Try to locate the _types dictionary
            for i in dir(module):
                if i.endswith('_types'):
                    self.vtypes.update(getattr(module, i)) 

def _formatlookup(self, profile, code):
        """Code to turn profile specific values into format specifications"""
        code = code or ""
        if not code.startswith('['):
            return code

        # Strip off the square brackets
        code = code[1:-1].lower()
        if code.startswith('addr'):
            spec = fmtspec.FormatSpec("#10x")
            if profile.metadata.get('memory_model', '32bit') == '64bit':
                spec.minwidth += 8
            if 'pad' in code:
                spec.fill = "0"
                spec.align = spec.align if spec.align else "="
            else:
                # Non-padded addresses will come out as numbers,
                # so titles should align >
                spec.align = ">"
            return spec.to_string()

        # Something went wrong
        debug.warning("Unknown table format specification: " + code)
        return "" 

def _write_file(self, ff, file_path, file_dentry):
        inode = file_dentry.d_inode
        
        if inode and inode.is_valid() and not inode.is_dir():
            ents = file_path.split("/")
            out_path = os.path.join(self._config.DUMP_DIR, *ents)

            try:
                fd = open(out_path, "wb")
            except IOError, e:
                debug.warning("Unable to process file: %s : %s" % (out_path, str(e)))
                return
                
            for page in ff.get_file_contents(inode):
                fd.write(page)  
            
            fd.close() 

def calculate(self):
        """ 
        This works by walking the system call table 
        and verifies that each is a symbol in the kernel
        """
        linux_common.set_plugin_members(self)

        if not has_distorm:
            debug.warning("distorm not installed. The best method to calculate the system call table size will not be used.")
                        
        if self._config.SYSCALL_INDEXES:
            if not os.path.exists(self._config.SYSCALL_INDEXES):
                debug.error("Given syscall indexes file does not exist!")

            index_lines = open(self._config.SYSCALL_INDEXES, "r").read()
        else:
            index_lines = None

        for (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked) in self.get_syscalls(index_lines, True): 
            yield (tableaddr, table_name, i, idx_name, call_addr, sym_name, hooked) 

def _check_inetsw(self, modules):
        try:
            self.addr_space.profile.get_obj_offset("inet_protosw", "list")
        except KeyError:
            debug.warning("You are using an old Linux profile. Please recreate the profile using the latest Volatility version.")
            return

        proto_members = self.profile.types['proto_ops'].keywords["members"].keys()       
        proto_members.remove('owner')
        proto_members.remove('family')
        
        inetsw_addr = self.addr_space.profile.get_symbol("inetsw")
        inetsw = obj.Object(theType = "Array", targetType = "list_head", offset = inetsw_addr, vm = self.addr_space, count = 11)
 
        for inet_list in inetsw:
            for inet in inet_list.list_of_type("inet_protosw", "list"):
                name = self.addr_space.read(inet.prot.name.obj_offset, 32)
                idx = name.index("\x00")
                if idx != -1:   
                    name = name[:idx]

                for (hooked_member, hook_type, hook_address) in self._is_inline_hooked(inet.ops, proto_members,  modules):
                    yield (name, hooked_member, hook_type, hook_address) 

def _get_image_exe(self, unsafe, fix):
    
        nt_header = self.get_nt_header()
        soh = nt_header.OptionalHeader.SizeOfHeaders
        header = self.obj_vm.zread(self.obj_offset, soh)
        if fix:
            header = self._fix_header_image_base(header, nt_header)
        yield (0, header)

        fa = nt_header.OptionalHeader.FileAlignment
        for sect in nt_header.get_sections(unsafe):
            foa = self.round(sect.PointerToRawData, fa)
            if foa != sect.PointerToRawData:
                debug.warning("Section start on disk not aligned to file alignment.\n")
                debug.warning("Adjusted section start from {0} to {1}.\n".format(sect.PointerToRawData, foa))
            yield self.get_code(sect.VirtualAddress + self.obj_offset,
                                sect.SizeOfRawData, foa) 

def calculate_alloc_stats(self):
        """Calculates the minimum_size and alignment_gcd to determine "virtual allocs" when read lengths of data
           It's particularly important to cast all numbers to ints, since they're used a lot and object take effort to reread.
        """
        available_allocs = list(self.get_available_allocs())

        self.minimum_size = int(min([size for _, size in available_allocs]))
        accumulator = self.minimum_size
        for start, _ in available_allocs:
            if accumulator is None and start > 1:
                accumulator = start
            if accumulator and start > 0:
                accumulator = fractions.gcd(accumulator, start)
        self.alignment_gcd = int(accumulator)
        # Pick an arbitrary cut-off that'll lead to too many reads
        if self.alignment_gcd < 0x4:
            debug.warning("Alignment of " + self.__class__.__name__ + " is too small, plugins will be extremely slow") 

def Object(theType, offset, vm, name = None, **kwargs):
    """ A function which instantiates the object named in theType (as
    a string) from the type in profile passing optional args of
    kwargs.
    """
    name = name or theType
    offset = int(offset)

    try:
        if vm.profile.has_type(theType):
            result = vm.profile.types[theType](offset = offset, vm = vm, name = name, **kwargs)
            return result
    except InvalidOffsetError:
        ## If we cant instantiate the object here, we just error out:
        return NoneObject("Invalid Address 0x{0:08X}, instantiating {1}".format(offset, name),
                          strict = vm.profile.strict)

    ## If we get here we have no idea what the type is supposed to be?
    ## This is a serious error.
    debug.warning("Cant find object {0} in profile {1}?".format(theType, vm.profile)) 

def load_vtypes(self):
        """ Identifies the module from which to load the vtypes 
        
            Eventually this could do the importing directly, and avoid having
            the profiles loaded in memory all at once.
        """
        ntvar = self.metadata.get('memory_model', '32bit')
        self.native_types = copy.deepcopy(self.native_mapping.get(ntvar))

        vtype_module = self.metadata.get('vtype_module', None)
        if not vtype_module:
            debug.warning("No vtypes specified for this profile")
        else:
            module = sys.modules.get(vtype_module, None)

            # Try to locate the _types dictionary
            for i in dir(module):
                if i.endswith('_types'):
                    self.vtypes.update(getattr(module, i))