Python volatility.utils.iterfind() Examples
The following are 30 code examples of volatility.utils.iterfind(). Every example uses it the same way: given a buffer just read from memory and a needle, it yields the offset of each occurrence inside that buffer, and the caller adds the buffer's base address to turn each hit into an absolute address.
Example #1
Source File: mac.py From vortessence with GNU General Public License v2.0
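def search_process_memory_rw_nofile(self, s):
    """Search this task's anonymous read/write mappings for byte strings.

    Only mappings whose permissions are exactly "rw-" and that have no
    backing path are scanned; file-backed and executable regions are skipped.

    @param s: a list of strings like ["one", "two"]. A bare string is
              promoted to a one-element list so it is matched as a whole
              rather than character by character.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    if not isinstance(s, list):
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        if vma.get_perms() != "rw-" or vma.get_path() != "":
            continue

        offset = vma.links.start
        out_of_range = vma.links.start + (vma.links.end - vma.links.start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)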
Example #2
Source File: contacts.py From volatility with GNU General Public License v2.0
def calculate(self):
    """Yield (process, contact string) pairs recovered from Address Book memory.

    Every task produced by pstasks.mac_tasks is inspected. Each anonymous
    read/write mapping whose first bytes carry the SQLite header is read in
    full, and every ":ABPerson" marker inside it is wrapped as a 256-byte
    UTF-8 String object anchored at the marker's absolute address.
    """
    common.set_plugin_members(self)

    for proc in pstasks.mac_tasks.calculate(self):
        space = proc.get_process_address_space()

        for mapping in proc.get_proc_maps():
            # Only anonymous read/write regions can hold the live database.
            anonymous_rw = mapping.get_perms() == "rw-" and not mapping.get_path()
            if not anonymous_rw:
                continue

            start = mapping.links.start

            # Cheap 32-byte probe before reading the whole region.
            if "SQLite format" not in space.zread(start, 32):
                continue

            blob = space.zread(start, mapping.links.end - start)
            for hit in utils.iterfind(blob, ":ABPerson"):
                yield proc, obj.Object("String", offset = start + hit, vm = space, encoding = "utf8", length = 256)
Example #3
Source File: windows.py From volatility with GNU General Public License v2.0
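def search_process_memory(self, s):
    """Search every VAD of this process for one or more byte strings.

    FIXME: as of 2.3 this parameter can also be a list to search for
    multiple strings concurrently. The single string will be deprecated
    in 3.0.

    @param s: the string, or list of strings, to search for.
    @returns a generator of every occurrence of each string in process
             memory, as an absolute address. A hit in the read-ahead
             overlap is reported once, not twice.
    """
    # Make sure s is a list. This allows you to search for
    # multiple strings at once, without changing the API.
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])

    # All MMVADs that belong to this process.
    for vad, address_space in self.get_vads(skip_max_commit = True):
        offset = vad.Start
        out_of_range = vad.Start + vad.Length

        while offset < out_of_range:
            to_read = min(constants.SCAN_BLOCKSIZE + overlap, out_of_range - offset)
            data = address_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins SCAN_BLOCKSIZE bytes further on
                    # and re-reads the overlap, so a hit located there would
                    # be yielded again; report it from that block instead.
                    if hit >= constants.SCAN_BLOCKSIZE:
                        continue
                    yield offset + hit

            # Advance by a full block so the overlap is re-read next time.
            offset += min(to_read, constants.SCAN_BLOCKSIZE)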
Example #4
Source File: mac.py From volatility with GNU General Public License v2.0
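def search_process_memory_rw_nofile(self, s):
    """Search this task's anonymous read/write mappings for byte strings.

    Only mappings whose permissions are exactly "rw-" and that have no
    backing path are scanned; file-backed and executable regions are skipped.

    @param s: a list of strings like ["one", "two"]. A bare string is
              promoted to a one-element list so it is matched as a whole
              rather than character by character.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    if not isinstance(s, list):
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        if vma.get_perms() != "rw-" or vma.get_path() != "":
            continue

        offset = vma.links.start
        out_of_range = vma.links.start + (vma.links.end - vma.links.start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)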
Example #5
Source File: mac.py From volatility with GNU General Public License v2.0
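def search_process_memory(self, s):
    """Search every mapping of this task for one or more byte strings.

    @param s: a list of strings like ["one", "two"]. A bare string is
              promoted to a one-element list so it is matched as a whole
              rather than character by character.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    if not isinstance(s, list):
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        offset = vma.links.start
        out_of_range = vma.links.start + (vma.links.end - vma.links.start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)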
Example #6
Source File: linux.py From volatility with GNU General Public License v2.0
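def search_process_memory(self, s, heap_only = False):
    """Search this task's memory mappings for one or more byte strings.

    @param s: the string, or list of strings, to search for. Passing a
              single string is deprecated; pass a list.
    @param heap_only: when True, only a mapping that contains the whole brk
                      heap (mm.start_brk .. mm.brk) is scanned.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    # Make sure s is a list. This allows you to search for
    # multiple strings at once, without changing the API.
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        if heap_only:
            # Keep only a mapping that spans the entire brk heap.
            if not (vma.vm_start <= self.mm.start_brk and vma.vm_end >= self.mm.brk):
                continue

        offset = vma.vm_start
        out_of_range = vma.vm_start + (vma.vm_end - vma.vm_start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)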
Example #7
Source File: poolscan.py From volatility with GNU General Public License v2.0
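def scan(self, address_space, offset = None, maxlen = None):
    """Scan the available ranges of address_space for every pool-tag needle.

    @param address_space: the address space to read; only the ranges it
        reports via get_available_addresses() are scanned, in address order.
    @param offset: address to start scanning from; None means 0.
    @param maxlen: when given, nothing beyond offset + maxlen is scanned.
    @returns a generator of (tag, address) pairs. tag is the four bytes at
        the hit, so the caller need not read them again; a hit in the
        read-ahead overlap is reported once, not twice.
    """
    current_offset = 0 if offset is None else offset

    # Absolute end of the scan. Adding maxlen to the raw offset argument
    # raised TypeError whenever offset was left as None.
    scan_end = None if maxlen is None else current_offset + maxlen

    for (range_start, range_size) in sorted(address_space.get_available_addresses()):
        # Jump forward to the start of this range if we are behind it.
        current_offset = max(range_start, current_offset)
        range_end = range_start + range_size

        if scan_end is not None:
            range_end = min(range_end, scan_end)

        while (current_offset < range_end):
            # Read a block plus the overlap so a tag straddling the block
            # boundary is still seen.
            l = min(constants.SCAN_BLOCKSIZE + self.overlap, range_end - current_offset)
            data = address_space.zread(current_offset, l)

            for needle in self.needles:
                for addr in utils.iterfind(data, needle):
                    # The next block starts SCAN_BLOCKSIZE bytes on and
                    # re-reads the overlap, so a hit there would be yielded
                    # twice; leave it to that block.
                    if addr >= constants.SCAN_BLOCKSIZE:
                        continue
                    # Yield the matched pool tag as well as the offset, to
                    # save the caller another .read() to see which tag hit.
                    yield data[addr:addr+4], addr + current_offset

            current_offset += min(constants.SCAN_BLOCKSIZE, l)

#--------------------------------------------------------------------------------
# The main interface / API for concurrent scans
#--------------------------------------------------------------------------------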
Example #8
Source File: contacts.py From DAMM with GNU General Public License v2.0
def calculate(self):
    """Yield (process, contact string) pairs recovered from Address Book memory.

    Every task produced by pstasks.mac_tasks is inspected. Each anonymous
    read/write mapping whose first bytes carry the SQLite header is read in
    full, and every ":ABPerson" marker inside it is wrapped as a 256-byte
    UTF-8 String object anchored at the marker's absolute address.
    """
    common.set_plugin_members(self)

    for proc in pstasks.mac_tasks.calculate(self):
        space = proc.get_process_address_space()

        for mapping in proc.get_proc_maps():
            # Only anonymous read/write regions can hold the live database.
            anonymous_rw = mapping.get_perms() == "rw-" and not mapping.get_path()
            if not anonymous_rw:
                continue

            start = mapping.links.start

            # Cheap 32-byte probe before reading the whole region.
            if "SQLite format" not in space.zread(start, 32):
                continue

            blob = space.zread(start, mapping.links.end - start)
            for hit in utils.iterfind(blob, ":ABPerson"):
                yield proc, obj.Object("String", offset = start + hit, vm = space, encoding = "utf8", length = 256)
Example #9
Source File: windows.py From DAMM with GNU General Public License v2.0
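def search_process_memory(self, s):
    """Search every VAD of this process for one or more byte strings.

    FIXME: as of 2.3 this parameter can also be a list to search for
    multiple strings concurrently. The single string will be deprecated
    in 3.0.

    @param s: the string, or list of strings, to search for.
    @returns a generator of every occurrence of each string in process
             memory, as an absolute address. A hit in the read-ahead
             overlap is reported once, not twice.
    """
    # Make sure s is a list. This allows you to search for
    # multiple strings at once, without changing the API.
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])

    # All MMVADs that belong to this process.
    for vad, address_space in self.get_vads(skip_max_commit = True):
        offset = vad.Start
        out_of_range = vad.Start + vad.Length

        while offset < out_of_range:
            to_read = min(constants.SCAN_BLOCKSIZE + overlap, out_of_range - offset)
            data = address_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins SCAN_BLOCKSIZE bytes further on
                    # and re-reads the overlap, so a hit located there would
                    # be yielded again; report it from that block instead.
                    if hit >= constants.SCAN_BLOCKSIZE:
                        continue
                    yield offset + hit

            # Advance by a full block so the overlap is re-read next time.
            offset += min(to_read, constants.SCAN_BLOCKSIZE)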
Example #10
Source File: mac.py From DAMM with GNU General Public License v2.0
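def search_process_memory_rw_nofile(self, s):
    """Search this task's anonymous read/write mappings for byte strings.

    Only mappings whose permissions are exactly "rw-" and that have no
    backing path are scanned; file-backed and executable regions are skipped.

    @param s: a list of strings like ["one", "two"]. A bare string is
              promoted to a one-element list so it is matched as a whole
              rather than character by character.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    if not isinstance(s, list):
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        if vma.get_perms() != "rw-" or vma.get_path() != "":
            continue

        offset = vma.links.start
        out_of_range = vma.links.start + (vma.links.end - vma.links.start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)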
Example #11
Source File: mac.py From DAMM with GNU General Public License v2.0
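def search_process_memory(self, s):
    """Search every mapping of this task for one or more byte strings.

    @param s: a list of strings like ["one", "two"]. A bare string is
              promoted to a one-element list so it is matched as a whole
              rather than character by character.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    if not isinstance(s, list):
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        offset = vma.links.start
        out_of_range = vma.links.start + (vma.links.end - vma.links.start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)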
Example #12
Source File: linux.py From DAMM with GNU General Public License v2.0
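def search_process_memory(self, s, heap_only = False):
    """Search this task's memory mappings for one or more byte strings.

    @param s: the string, or list of strings, to search for. Passing a
              single string is deprecated; pass a list.
    @param heap_only: when True, only a mapping that contains the whole brk
                      heap (mm.start_brk .. mm.brk) is scanned.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    # Make sure s is a list. This allows you to search for
    # multiple strings at once, without changing the API.
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        if heap_only:
            # Keep only a mapping that spans the entire brk heap.
            if not (vma.vm_start <= self.mm.start_brk and vma.vm_end >= self.mm.brk):
                continue

        offset = vma.vm_start
        out_of_range = vma.vm_start + (vma.vm_end - vma.vm_start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)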
Example #13
Source File: poolscan.py From DAMM with GNU General Public License v2.0
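def scan(self, address_space, offset = None, maxlen = None):
    """Scan the available ranges of address_space for every pool-tag needle.

    @param address_space: the address space to read; only the ranges it
        reports via get_available_addresses() are scanned, in address order.
    @param offset: address to start scanning from; None means 0.
    @param maxlen: when given, nothing beyond offset + maxlen is scanned.
    @returns a generator of (tag, address) pairs. tag is the four bytes at
        the hit, so the caller need not read them again; a hit in the
        read-ahead overlap is reported once, not twice.
    """
    current_offset = 0 if offset is None else offset

    # Absolute end of the scan. Adding maxlen to the raw offset argument
    # raised TypeError whenever offset was left as None.
    scan_end = None if maxlen is None else current_offset + maxlen

    for (range_start, range_size) in sorted(address_space.get_available_addresses()):
        # Jump forward to the start of this range if we are behind it.
        current_offset = max(range_start, current_offset)
        range_end = range_start + range_size

        if scan_end is not None:
            range_end = min(range_end, scan_end)

        while (current_offset < range_end):
            # Read a block plus the overlap so a tag straddling the block
            # boundary is still seen.
            l = min(constants.SCAN_BLOCKSIZE + self.overlap, range_end - current_offset)
            data = address_space.zread(current_offset, l)

            for needle in self.needles:
                for addr in utils.iterfind(data, needle):
                    # The next block starts SCAN_BLOCKSIZE bytes on and
                    # re-reads the overlap, so a hit there would be yielded
                    # twice; leave it to that block.
                    if addr >= constants.SCAN_BLOCKSIZE:
                        continue
                    # Yield the matched pool tag as well as the offset, to
                    # save the caller another .read() to see which tag hit.
                    yield data[addr:addr+4], addr + current_offset

            current_offset += min(constants.SCAN_BLOCKSIZE, l)

#--------------------------------------------------------------------------------
# The main interface / API for concurrent scans
#--------------------------------------------------------------------------------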
Example #14
Source File: contacts.py From vortessence with GNU General Public License v2.0
def calculate(self):
    """Yield (process, contact string) pairs recovered from Address Book memory.

    Every task produced by pstasks.mac_tasks is inspected. Each anonymous
    read/write mapping whose first bytes carry the SQLite header is read in
    full, and every ":ABPerson" marker inside it is wrapped as a 256-byte
    UTF-8 String object anchored at the marker's absolute address.
    """
    common.set_plugin_members(self)

    for proc in pstasks.mac_tasks.calculate(self):
        space = proc.get_process_address_space()

        for mapping in proc.get_proc_maps():
            # Only anonymous read/write regions can hold the live database.
            anonymous_rw = mapping.get_perms() == "rw-" and not mapping.get_path()
            if not anonymous_rw:
                continue

            start = mapping.links.start

            # Cheap 32-byte probe before reading the whole region.
            if "SQLite format" not in space.zread(start, 32):
                continue

            blob = space.zread(start, mapping.links.end - start)
            for hit in utils.iterfind(blob, ":ABPerson"):
                yield proc, obj.Object("String", offset = start + hit, vm = space, encoding = "utf8", length = 256)
Example #15
Source File: windows.py From vortessence with GNU General Public License v2.0
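def search_process_memory(self, s):
    """Search every VAD of this process for one or more byte strings.

    FIXME: as of 2.3 this parameter can also be a list to search for
    multiple strings concurrently. The single string will be deprecated
    in 3.0.

    @param s: the string, or list of strings, to search for.
    @returns a generator of every occurrence of each string in process
             memory, as an absolute address. A hit in the read-ahead
             overlap is reported once, not twice.
    """
    # Make sure s is a list. This allows you to search for
    # multiple strings at once, without changing the API.
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])

    # All MMVADs that belong to this process.
    for vad, address_space in self.get_vads(skip_max_commit = True):
        offset = vad.Start
        out_of_range = vad.Start + vad.Length

        while offset < out_of_range:
            to_read = min(constants.SCAN_BLOCKSIZE + overlap, out_of_range - offset)
            data = address_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins SCAN_BLOCKSIZE bytes further on
                    # and re-reads the overlap, so a hit located there would
                    # be yielded again; report it from that block instead.
                    if hit >= constants.SCAN_BLOCKSIZE:
                        continue
                    yield offset + hit

            # Advance by a full block so the overlap is re-read next time.
            offset += min(to_read, constants.SCAN_BLOCKSIZE)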
Example #16
Source File: poolscan.py From aumfor with GNU General Public License v3.0
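def scan(self, address_space, offset = None, maxlen = None):
    """Scan the available ranges of address_space for every pool-tag needle.

    @param address_space: the address space to read; only the ranges it
        reports via get_available_addresses() are scanned, in address order.
    @param offset: address to start scanning from; None means 0.
    @param maxlen: when given, each range is cut off maxlen bytes after the
        point where scanning of that range begins (see note below).
    @returns a generator of (tag, address) pairs. tag is the four bytes at
        the hit, so the caller need not read them again; a hit in the
        read-ahead overlap is reported once, not twice.
    """
    current_offset = 0 if offset is None else offset

    for (range_start, range_size) in sorted(address_space.get_available_addresses()):
        # Jump forward to the start of this range if we are behind it.
        current_offset = max(range_start, current_offset)
        range_end = range_start + range_size

        # NOTE(review): maxlen is measured from the clamped start of *each*
        # range, not once from the initial offset, so every later range is
        # also capped at maxlen bytes. Kept as-is; confirm this is intended.
        if maxlen is not None:
            range_end = min(range_end, current_offset + maxlen)

        while (current_offset < range_end):
            # Read a block plus the overlap so a tag straddling the block
            # boundary is still seen.
            l = min(constants.SCAN_BLOCKSIZE + self.overlap, range_end - current_offset)
            data = address_space.zread(current_offset, l)

            for needle in self.needles:
                for addr in utils.iterfind(data, needle):
                    # The next block starts SCAN_BLOCKSIZE bytes on and
                    # re-reads the overlap, so a hit there would be yielded
                    # twice; leave it to that block.
                    if addr >= constants.SCAN_BLOCKSIZE:
                        continue
                    # Yield the matched pool tag as well as the offset, to
                    # save the caller another .read() to see which tag hit.
                    yield data[addr:addr+4], addr + current_offset

            current_offset += min(constants.SCAN_BLOCKSIZE, l)

#--------------------------------------------------------------------------------
# The main interface / API for concurrent scans
#--------------------------------------------------------------------------------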
Example #17
Source File: mac.py From vortessence with GNU General Public License v2.0
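def search_process_memory(self, s):
    """Search every mapping of this task for one or more byte strings.

    @param s: a list of strings like ["one", "two"]. A bare string is
              promoted to a one-element list so it is matched as a whole
              rather than character by character.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    if not isinstance(s, list):
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        offset = vma.links.start
        out_of_range = vma.links.start + (vma.links.end - vma.links.start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)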
Example #18
Source File: linux.py From vortessence with GNU General Public License v2.0
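def search_process_memory(self, s, heap_only = False):
    """Search this task's memory mappings for one or more byte strings.

    @param s: the string, or list of strings, to search for. Passing a
              single string is deprecated; pass a list.
    @param heap_only: when True, only a mapping that contains the whole brk
                      heap (mm.start_brk .. mm.brk) is scanned.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    # Make sure s is a list. This allows you to search for
    # multiple strings at once, without changing the API.
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        if heap_only:
            # Keep only a mapping that spans the entire brk heap.
            if not (vma.vm_start <= self.mm.start_brk and vma.vm_end >= self.mm.brk):
                continue

        offset = vma.vm_start
        out_of_range = vma.vm_start + (vma.vm_end - vma.vm_start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)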
Example #19
Source File: poolscan.py From vortessence with GNU General Public License v2.0
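def scan(self, address_space, offset = None, maxlen = None):
    """Scan the available ranges of address_space for every pool-tag needle.

    @param address_space: the address space to read; only the ranges it
        reports via get_available_addresses() are scanned, in address order.
    @param offset: address to start scanning from; None means 0.
    @param maxlen: when given, each range is cut off maxlen bytes after the
        point where scanning of that range begins (see note below).
    @returns a generator of (tag, address) pairs. tag is the four bytes at
        the hit, so the caller need not read them again; a hit in the
        read-ahead overlap is reported once, not twice.
    """
    current_offset = 0 if offset is None else offset

    for (range_start, range_size) in sorted(address_space.get_available_addresses()):
        # Jump forward to the start of this range if we are behind it.
        current_offset = max(range_start, current_offset)
        range_end = range_start + range_size

        # NOTE(review): maxlen is measured from the clamped start of *each*
        # range, not once from the initial offset, so every later range is
        # also capped at maxlen bytes. Kept as-is; confirm this is intended.
        if maxlen is not None:
            range_end = min(range_end, current_offset + maxlen)

        while (current_offset < range_end):
            # Read a block plus the overlap so a tag straddling the block
            # boundary is still seen.
            l = min(constants.SCAN_BLOCKSIZE + self.overlap, range_end - current_offset)
            data = address_space.zread(current_offset, l)

            for needle in self.needles:
                for addr in utils.iterfind(data, needle):
                    # The next block starts SCAN_BLOCKSIZE bytes on and
                    # re-reads the overlap, so a hit there would be yielded
                    # twice; leave it to that block.
                    if addr >= constants.SCAN_BLOCKSIZE:
                        continue
                    # Yield the matched pool tag as well as the offset, to
                    # save the caller another .read() to see which tag hit.
                    yield data[addr:addr+4], addr + current_offset

            current_offset += min(constants.SCAN_BLOCKSIZE, l)

#--------------------------------------------------------------------------------
# The main interface / API for concurrent scans
#--------------------------------------------------------------------------------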
Example #20
Source File: contacts.py From volatility with GNU General Public License v2.0
def calculate(self):
    """Yield (process, contact string) pairs recovered from Address Book memory.

    Every task produced by pstasks.mac_tasks is inspected. Each anonymous
    read/write mapping whose first bytes carry the SQLite header is read in
    full, and every ":ABPerson" marker inside it is wrapped as a 256-byte
    UTF-8 String object anchored at the marker's absolute address.
    """
    common.set_plugin_members(self)

    for proc in pstasks.mac_tasks.calculate(self):
        space = proc.get_process_address_space()

        for mapping in proc.get_proc_maps():
            # Only anonymous read/write regions can hold the live database.
            anonymous_rw = mapping.get_perms() == "rw-" and not mapping.get_path()
            if not anonymous_rw:
                continue

            start = mapping.links.start

            # Cheap 32-byte probe before reading the whole region.
            if "SQLite format" not in space.zread(start, 32):
                continue

            blob = space.zread(start, mapping.links.end - start)
            for hit in utils.iterfind(blob, ":ABPerson"):
                yield proc, obj.Object("String", offset = start + hit, vm = space, encoding = "utf8", length = 256)
Example #21
Source File: windows.py From volatility with GNU General Public License v2.0
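def search_process_memory(self, s, vad_filter = None):
    """Search the VADs of this process for one or more byte strings.

    FIXME: as of 2.3 this parameter can also be a list to search for
    multiple strings concurrently. The single string will be deprecated
    in 3.0.

    @param s: the string, or list of strings, to search for.
    @param vad_filter: passed straight through to get_vads() to restrict
                       which VADs are scanned; None scans them all.
    @returns a generator of every occurrence of each string in process
             memory, as an absolute address. A hit in the read-ahead
             overlap is reported once, not twice.
    """
    # Make sure s is a list. This allows you to search for
    # multiple strings at once, without changing the API.
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])

    # All MMVADs that belong to this process (subject to vad_filter).
    for vad, address_space in self.get_vads(vad_filter, skip_max_commit = True):
        offset = vad.Start
        out_of_range = vad.Start + vad.Length

        while offset < out_of_range:
            to_read = min(constants.SCAN_BLOCKSIZE + overlap, out_of_range - offset)
            data = address_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins SCAN_BLOCKSIZE bytes further on
                    # and re-reads the overlap, so a hit located there would
                    # be yielded again; report it from that block instead.
                    if hit >= constants.SCAN_BLOCKSIZE:
                        continue
                    yield offset + hit

            # Advance by a full block so the overlap is re-read next time.
            offset += min(to_read, constants.SCAN_BLOCKSIZE)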
Example #22
Source File: mac.py From volatility with GNU General Public License v2.0
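def search_process_memory_rw_nofile(self, s):
    """Search this task's anonymous read/write mappings (and the heap) for byte strings.

    A mapping is scanned when its permissions are exactly "rw-" and it has
    no backing path, or when the kernel labels it "[heap]" regardless of
    its permissions or path. File-backed and executable regions are skipped.

    @param s: a list of strings like ["one", "two"]. A bare string is
              promoted to a one-element list so it is matched as a whole
              rather than character by character.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    if not isinstance(s, list):
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        if vma.get_perms() != "rw-" or vma.get_path() != "":
            # Not anonymous rw-: still scan it if it is the "[heap]" region.
            if vma.get_special_path() != "[heap]":
                continue

        offset = vma.links.start
        out_of_range = vma.links.start + (vma.links.end - vma.links.start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)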
Example #23
Source File: mac.py From volatility with GNU General Public License v2.0
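def search_process_memory(self, s):
    """Search every mapping of this task for one or more byte strings.

    @param s: a list of strings like ["one", "two"]. A bare string is
              promoted to a one-element list so it is matched as a whole
              rather than character by character.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    if not isinstance(s, list):
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        offset = vma.links.start
        out_of_range = vma.links.start + (vma.links.end - vma.links.start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)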
Example #24
Source File: linux.py From volatility with GNU General Public License v2.0
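def search_process_memory(self, s, heap_only = False):
    """Search this task's memory mappings for one or more byte strings.

    @param s: the string, or list of strings, to search for. Passing a
              single string is deprecated; pass a list.
    @param heap_only: when True, only mappings that overlap the brk heap
                      (mm.start_brk .. mm.brk) are scanned.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
             Nothing is yielded when the task has no usable address space.
    """
    # Make sure s is a list. This allows you to search for
    # multiple strings at once, without changing the API.
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        return

    for vma in self.get_proc_maps():
        if heap_only:
            # Keep any mapping that intersects the brk heap range.
            if not (vma.vm_start <= self.mm.brk and vma.vm_end >= self.mm.start_brk):
                continue

        offset = vma.vm_start
        out_of_range = vma.vm_start + (vma.vm_end - vma.vm_start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)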
Example #25
Source File: poolscan.py From volatility with GNU General Public License v2.0
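def scan(self, address_space, offset = None, maxlen = None):
    """Scan the available ranges of address_space for every pool-tag needle.

    @param address_space: the address space to read; only the ranges it
        reports via get_available_addresses() are scanned, in address order.
    @param offset: address to start scanning from; None means 0.
    @param maxlen: when given, each range is cut off maxlen bytes after the
        point where scanning of that range begins (see note below).
    @returns a generator of (tag, address) pairs. tag is the four bytes at
        the hit, so the caller need not read them again; a hit in the
        read-ahead overlap is reported once, not twice.
    """
    current_offset = 0 if offset is None else offset

    for (range_start, range_size) in sorted(address_space.get_available_addresses()):
        # Jump forward to the start of this range if we are behind it.
        current_offset = max(range_start, current_offset)
        range_end = range_start + range_size

        # NOTE(review): maxlen is measured from the clamped start of *each*
        # range, not once from the initial offset, so every later range is
        # also capped at maxlen bytes. Kept as-is; confirm this is intended.
        if maxlen is not None:
            range_end = min(range_end, current_offset + maxlen)

        while (current_offset < range_end):
            # Read a block plus the overlap so a tag straddling the block
            # boundary is still seen.
            l = min(constants.SCAN_BLOCKSIZE + self.overlap, range_end - current_offset)
            data = address_space.zread(current_offset, l)

            for needle in self.needles:
                for addr in utils.iterfind(data, needle):
                    # The next block starts SCAN_BLOCKSIZE bytes on and
                    # re-reads the overlap, so a hit there would be yielded
                    # twice; leave it to that block.
                    if addr >= constants.SCAN_BLOCKSIZE:
                        continue
                    # Yield the matched pool tag as well as the offset, to
                    # save the caller another .read() to see which tag hit.
                    yield data[addr:addr+4], addr + current_offset

            current_offset += min(constants.SCAN_BLOCKSIZE, l)

#--------------------------------------------------------------------------------
# The main interface / API for concurrent scans
#--------------------------------------------------------------------------------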
Example #26
Source File: contacts.py From aumfor with GNU General Public License v3.0
def calculate(self):
    """Yield (process, contact string) pairs recovered from Address Book memory.

    Every task produced by pstasks.mac_tasks is inspected. Each anonymous
    read/write mapping whose first bytes carry the SQLite header is read in
    full, and every ":ABPerson" marker inside it is wrapped as a 256-byte
    UTF-8 String object anchored at the marker's absolute address.
    """
    common.set_plugin_members(self)

    for proc in pstasks.mac_tasks.calculate(self):
        space = proc.get_process_address_space()

        for mapping in proc.get_proc_maps():
            # Only anonymous read/write regions can hold the live database.
            anonymous_rw = mapping.get_perms() == "rw-" and not mapping.get_path()
            if not anonymous_rw:
                continue

            start = mapping.links.start

            # Cheap 32-byte probe before reading the whole region.
            if "SQLite format" not in space.zread(start, 32):
                continue

            blob = space.zread(start, mapping.links.end - start)
            for hit in utils.iterfind(blob, ":ABPerson"):
                yield proc, obj.Object("String", offset = start + hit, vm = space, encoding = "utf8", length = 256)
Example #27
Source File: windows.py From aumfor with GNU General Public License v3.0
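def search_process_memory(self, s, vad_filter = None):
    """Search the VADs of this process for one or more byte strings.

    FIXME: as of 2.3 this parameter can also be a list to search for
    multiple strings concurrently. The single string will be deprecated
    in 3.0.

    @param s: the string, or list of strings, to search for.
    @param vad_filter: passed straight through to get_vads() to restrict
                       which VADs are scanned; None scans them all.
    @returns a generator of every occurrence of each string in process
             memory, as an absolute address. A hit in the read-ahead
             overlap is reported once, not twice.
    """
    # Make sure s is a list. This allows you to search for
    # multiple strings at once, without changing the API.
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])

    # All MMVADs that belong to this process (subject to vad_filter).
    for vad, address_space in self.get_vads(vad_filter, skip_max_commit = True):
        offset = vad.Start
        out_of_range = vad.Start + vad.Length

        while offset < out_of_range:
            to_read = min(constants.SCAN_BLOCKSIZE + overlap, out_of_range - offset)
            data = address_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins SCAN_BLOCKSIZE bytes further on
                    # and re-reads the overlap, so a hit located there would
                    # be yielded again; report it from that block instead.
                    if hit >= constants.SCAN_BLOCKSIZE:
                        continue
                    yield offset + hit

            # Advance by a full block so the overlap is re-read next time.
            offset += min(to_read, constants.SCAN_BLOCKSIZE)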
Example #28
Source File: mac.py From aumfor with GNU General Public License v3.0
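def search_process_memory_rw_nofile(self, s):
    """Search this task's anonymous read/write mappings (and the heap) for byte strings.

    A mapping is scanned when its permissions are exactly "rw-" and it has
    no backing path, or when the kernel labels it "[heap]" regardless of
    its permissions or path. File-backed and executable regions are skipped.

    @param s: a list of strings like ["one", "two"]. A bare string is
              promoted to a one-element list so it is matched as a whole
              rather than character by character.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    if not isinstance(s, list):
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        if vma.get_perms() != "rw-" or vma.get_path() != "":
            # Not anonymous rw-: still scan it if it is the "[heap]" region.
            if vma.get_special_path() != "[heap]":
                continue

        offset = vma.links.start
        out_of_range = vma.links.start + (vma.links.end - vma.links.start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)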
Example #29
Source File: mac.py From aumfor with GNU General Public License v3.0
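def search_process_memory(self, s):
    """Search every mapping of this task for one or more byte strings.

    @param s: a list of strings like ["one", "two"]. A bare string is
              promoted to a one-element list so it is matched as a whole
              rather than character by character.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
    """
    if not isinstance(s, list):
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        # No usable address space for this task, so nothing can be read.
        return

    for vma in self.get_proc_maps():
        offset = vma.links.start
        out_of_range = vma.links.start + (vma.links.end - vma.links.start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)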
Example #30
Source File: linux.py From aumfor with GNU General Public License v3.0
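def search_process_memory(self, s, heap_only = False):
    """Search this task's memory mappings for one or more byte strings.

    @param s: the string, or list of strings, to search for. Passing a
              single string is deprecated; pass a list.
    @param heap_only: when True, only a mapping that contains the whole brk
                      heap (mm.start_brk .. mm.brk) is scanned.
    @returns a generator of absolute addresses, one per hit. A hit that
             falls in the read-ahead overlap is reported once, not twice.
             Nothing is yielded when the task has no usable address space.
    """
    # Make sure s is a list. This allows you to search for
    # multiple strings at once, without changing the API.
    if not isinstance(s, list):
        debug.warning("Single strings to search_process_memory is deprecated, use a list instead")
        s = [s]

    # Each block is read with extra trailing bytes so a needle straddling a
    # block boundary is still seen. The overlap has to cover the longest
    # needle, otherwise such a needle can be missed at the boundary.
    overlap = max([1024] + [len(x) for x in s])
    scan_blk_sz = 1024 * 1024 * 10

    addr_space = self.get_process_address_space()
    if addr_space is None:
        return

    for vma in self.get_proc_maps():
        if heap_only:
            # Keep only a mapping that spans the entire brk heap.
            if not (vma.vm_start <= self.mm.start_brk and vma.vm_end >= self.mm.brk):
                continue

        offset = vma.vm_start
        out_of_range = vma.vm_start + (vma.vm_end - vma.vm_start)

        while offset < out_of_range:
            to_read = min(scan_blk_sz + overlap, out_of_range - offset)
            data = addr_space.zread(offset, to_read)
            if not data:
                break

            for x in s:
                for hit in utils.iterfind(data, x):
                    # The next block begins scan_blk_sz bytes further on and
                    # re-reads the overlap, so a hit located there would be
                    # yielded again; report it from that block instead.
                    if hit >= scan_blk_sz:
                        continue
                    yield offset + hit

            # Advance by a full block (not by to_read) so the overlap is
            # re-read at the start of the next block.
            offset += min(to_read, scan_blk_sz)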