Python volatility.addrspace.BaseAddressSpace() Examples
The following are 30
code examples of volatility.addrspace.BaseAddressSpace().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.addrspace
, or try the search function
.
.
Example #1
| Source File: standard.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, layered = False, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
self.as_assert(base == None or layered, 'Must be first Address Space')
self.as_assert(config.LOCATION.startswith("file://"), 'Location is not of file scheme')
path = urllib.url2pathname(config.LOCATION[7:])
self.as_assert(os.path.exists(path), 'Filename must be specified and exist')
self.name = os.path.abspath(path)
self.fname = self.name
self.mode = 'rb'
if config.WRITE:
self.mode += '+'
self.fhandle = open(self.fname, self.mode)
self.fhandle.seek(0, 2)
self.fsize = self.fhandle.tell()
self._long_struct = struct.Struct("=I")
# Abstract Classes cannot register options, and since this checks config.WRITE in __init__, we define the option here
Example #2
| Source File: vol.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def print_info():
""" Returns the results """
categories = {addrspace.BaseAddressSpace: 'Address Spaces',
commands.Command : 'Plugins',
obj.Profile: 'Profiles',
scan.ScannerCheck: 'Scanner Checks'}
for c, n in sorted(categories.items()):
lower = (c == commands.Command)
plugins = registry.get_plugin_classes(c, lower = lower)
print "\n"
print "{0}".format(n)
print "-" * len(n)
result = []
max_length = 0
for clsname, cls in sorted(plugins.items()):
try:
doc = cls.__doc__.strip().splitlines()[0]
except AttributeError:
doc = 'No docs'
result.append((clsname, doc))
max_length = max(len(clsname), max_length)
for (name, doc) in result:
print "{0:{2}} - {1:15}".format(name, doc, max_length)
Example #3
| Source File: vol.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def print_info():
""" Returns the results """
categories = {addrspace.BaseAddressSpace: 'Address Spaces',
commands.Command : 'Plugins',
obj.Profile: 'Profiles',
scan.ScannerCheck: 'Scanner Checks'}
for c, n in sorted(categories.items()):
lower = (c == commands.Command)
plugins = registry.get_plugin_classes(c, lower = lower)
print "\n"
print "{0}".format(n)
print "-" * len(n)
result = []
max_length = 0
for clsname, cls in sorted(plugins.items()):
try:
doc = cls.__doc__.strip().splitlines()[0]
except AttributeError:
doc = 'No docs'
result.append((clsname, doc))
max_length = max(len(clsname), max_length)
for (name, doc) in result:
print "{0:{2}} - {1:15}".format(name, doc, max_length)
Example #4
| Source File: standard.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, layered = False, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
self.as_assert(base == None or layered, 'Must be first Address Space')
self.as_assert(config.LOCATION.startswith("file://"), 'Location is not of file scheme')
path = urllib.url2pathname(config.LOCATION[7:])
self.as_assert(os.path.exists(path), 'Filename must be specified and exist')
self.name = os.path.abspath(path)
self.fname = self.name
self.mode = 'rb'
if config.WRITE:
self.mode += '+'
self.fhandle = open(self.fname, self.mode)
self.fhandle.seek(0, 2)
self.fsize = self.fhandle.tell()
# Abstract Classes cannot register options, and since this checks config.WRITE in __init__, we define the option here
Example #5
| Source File: standard.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __init__(self, base, config, layered = False, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
self.as_assert(base == None or layered, 'Must be first Address Space')
self.as_assert(config.LOCATION.startswith("file://"), 'Location is not of file scheme')
path = urllib.url2pathname(config.LOCATION[7:])
self.as_assert(os.path.exists(path), 'Filename must be specified and exist')
self.name = os.path.abspath(path)
self.fname = self.name
self.mode = 'rb'
if config.WRITE:
self.mode += '+'
self.fhandle = open(self.fname, self.mode)
self.fhandle.seek(0, 2)
self.fsize = self.fhandle.tell()
self._long_struct = struct.Struct("=I")
# Abstract Classes cannot register options, and since this checks config.WRITE in __init__, we define the option here
Example #6
| Source File: vol.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def print_info():
""" Returns the results """
categories = {addrspace.BaseAddressSpace: 'Address Spaces',
commands.Command : 'Plugins',
obj.Profile: 'Profiles',
scan.ScannerCheck: 'Scanner Checks'}
for c, n in sorted(categories.items()):
lower = (c == commands.Command)
plugins = registry.get_plugin_classes(c, lower = lower)
print "\n"
print "{0}".format(n)
print "-" * len(n)
result = []
max_length = 0
for clsname, cls in sorted(plugins.items()):
try:
doc = cls.__doc__.strip().splitlines()[0]
except AttributeError:
doc = 'No docs'
result.append((clsname, doc))
max_length = max(len(clsname), max_length)
for (name, doc) in result:
print "{0:{2}} - {1:15}".format(name, doc, max_length)
Example #7
| Source File: hive.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, hive_addr, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config)
self.hive = obj.Object("_HHIVE", hive_addr, base)
# Win10_17063 introduced the Registry process, change base to its address space
meta = self.profile.metadata
version = (meta.get("major", 0), meta.get("minor", 0), meta.get("build", 0))
if version >= (6, 4, 17063):
for t in win32.tasks.pslist(self.base):
if str(t.ImageFileName) == "Registry" and int(t.InheritedFromUniqueProcessId) == 4:
reg_proc = t
break
if reg_proc:
self.base = reg_proc.get_process_address_space()
else:
## If we get here we couldn't find the Registry process so address translation
## probably won't work
debug.warning("Couldn't locate Registry process. Registry address translation may fail.")
else:
self.base = base
self.baseblock = self.hive.BaseBlock.v()
self.flat = self.hive.Flat.v() > 0
Example #8
| Source File: standard.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, layered = False, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
self.as_assert(base == None or layered, 'Must be first Address Space')
self.as_assert(config.LOCATION.startswith("file://"), 'Location is not of file scheme')
path = urllib.url2pathname(config.LOCATION[7:])
self.as_assert(os.path.exists(path), 'Filename must be specified and exist')
self.name = os.path.abspath(path)
self.fname = self.name
self.mode = 'rb'
if config.WRITE:
self.mode += '+'
self.fhandle = open(self.fname, self.mode)
self.fhandle.seek(0, 2)
self.fsize = self.fhandle.tell()
# Abstract Classes cannot register options, and since this checks config.WRITE in __init__, we define the option here
Example #9
| Source File: vol.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def print_info():
""" Returns the results """
categories = {addrspace.BaseAddressSpace: 'Address Spaces',
commands.Command : 'Plugins',
obj.Profile: 'Profiles',
scan.ScannerCheck: 'Scanner Checks'}
for c, n in sorted(categories.items()):
lower = (c == commands.Command)
plugins = registry.get_plugin_classes(c, lower = lower)
print "\n"
print "{0}".format(n)
print "-" * len(n)
result = []
max_length = 0
for clsname, cls in sorted(plugins.items()):
try:
doc = cls.__doc__.strip().splitlines()[0]
except AttributeError:
doc = 'No docs'
result.append((clsname, doc))
max_length = max(len(clsname), max_length)
for (name, doc) in result:
print "{0:{2}} - {1:15}".format(name, doc, max_length)
Example #10
| Source File: standard.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, base, config, layered = False, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
self.as_assert(base == None or layered, 'Must be first Address Space')
self.as_assert(config.LOCATION.startswith("file://"), 'Location is not of file scheme')
path = urllib.url2pathname(config.LOCATION[7:])
self.as_assert(os.path.exists(path), 'Filename must be specified and exist')
self.name = os.path.abspath(path)
self.fname = self.name
self.mode = 'rb'
if config.WRITE:
self.mode += '+'
self.fhandle = open(self.fname, self.mode)
self.fhandle.seek(0, 2)
self.fsize = self.fhandle.tell()
self._long_struct = struct.Struct("=I")
# Abstract Classes cannot register options, and since this checks config.WRITE in __init__, we define the option here
Example #11
| Source File: utils.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def load_as(config, astype = 'virtual', **kwargs):
"""Loads an address space by stacking valid ASes on top of each other (priority order first)"""
base_as = None
error = exceptions.AddrSpaceError()
# Start off requiring another round
found = True
## A full iteration through all the classes without anyone
## selecting us means we are done:
while found:
debug.debug("Voting round")
found = False
for cls in sorted(registry.get_plugin_classes(addrspace.BaseAddressSpace).values(),
key = lambda x: x.order if hasattr(x, 'order') else 10):
debug.debug("Trying {0} ".format(cls))
try:
base_as = cls(base_as, config, astype = astype, **kwargs)
debug.debug("Succeeded instantiating {0}".format(base_as))
found = True
break
except addrspace.ASAssertionError, e:
debug.debug("Failed instantiating {0}: {1}".format(cls.__name__, e), 2)
error.append_reason(cls.__name__, e)
continue
except Exception, e:
debug.debug("Failed instantiating (exception): {0}".format(e))
error.append_reason(cls.__name__ + " - EXCEPTION", e)
continue
Example #12
| Source File: libapi.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def get_config(profile, target_path):
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = profile
config.LOCATION = "file://{0}".format(target_path)
return config
Example #13
| Source File: utils.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def load_as(config, astype = 'virtual', **kwargs):
"""Loads an address space by stacking valid ASes on top of each other (priority order first)"""
base_as = None
error = exceptions.AddrSpaceError()
# Start off requiring another round
found = True
## A full iteration through all the classes without anyone
## selecting us means we are done:
while found:
debug.debug("Voting round")
found = False
for cls in sorted(registry.get_plugin_classes(addrspace.BaseAddressSpace).values(),
key = lambda x: x.order if hasattr(x, 'order') else 10):
debug.debug("Trying {0} ".format(cls))
try:
base_as = cls(base_as, config, astype = astype, **kwargs)
debug.debug("Succeeded instantiating {0}".format(base_as))
found = True
break
except addrspace.ASAssertionError, e:
debug.debug("Failed instantiating {0}: {1}".format(cls.__name__, e), 2)
error.append_reason(cls.__name__, e)
continue
except Exception, e:
debug.debug("Failed instantiating (exception): {0}".format(e))
error.append_reason(cls.__name__ + " - EXCEPTION", e)
continue
Example #14
| Source File: hive.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, base, config, hive_addr, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config)
self.base = base
self.hive = obj.Object("_HHIVE", hive_addr, base)
self.baseblock = self.hive.BaseBlock.v()
self.flat = self.hive.Flat.v() > 0
Example #15
| Source File: hive.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def __getstate__(self):
result = addrspace.BaseAddressSpace.__getstate__(self)
result['hive_addr'] = self.hive.obj_offset
return result
Example #16
| Source File: hive.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, base, config):
addrspace.BaseAddressSpace.__init__(self, base, config)
self.base = base
Example #17
| Source File: hibernate.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, base, config, **kwargs):
self.as_assert(base, "No base Address Space")
addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
self.runs = []
self.PageDict = {}
self.HighestPage = 0
self.PageIndex = 0
self.AddressList = []
self.LookupCache = {}
self.PageCache = Store(50)
self.MemRangeCnt = 0
self.entry_count = 0xFF
# Extract header information
self.as_assert(self.profile.has_type("PO_MEMORY_IMAGE"), "PO_MEMORY_IMAGE is not available in profile")
self.header = obj.Object('PO_MEMORY_IMAGE', 0, base)
## Is the signature right?
if self.header.Signature.lower() not in ['hibr', 'wake']:
self.header = obj.NoneObject("Invalid hibernation header")
volmag = obj.VolMagic(base)
self.entry_count = volmag.HibrEntryCount.v()
PROC_PAGE = volmag.HibrProcPage.v()
# Check it's definitely a hibernation file
self.as_assert(self._get_first_table_page() is not None, "No xpress signature found")
# Extract processor state
self.ProcState = obj.Object("_KPROCESSOR_STATE", PROC_PAGE * 4096, base)
## This is a pointer to the page table - any ASs above us dont
## need to search for it.
self.dtb = self.ProcState.SpecialRegisters.Cr3.v()
# This is a lengthy process, it was cached, but it may be best to delay this
# until it's absolutely necessary and/or convert it into a generator...
self.build_page_cache()
Example #18
| Source File: hive.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, base, config):
addrspace.BaseAddressSpace.__init__(self, base, config)
self.base = base
Example #19
| Source File: hive.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, base, config, hive_addr, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config)
self.base = base
self.hive = obj.Object("_HHIVE", hive_addr, base)
self.baseblock = self.hive.BaseBlock.v()
self.flat = self.hive.Flat.v() > 0
Example #20
| Source File: hive.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __getstate__(self):
result = addrspace.BaseAddressSpace.__getstate__(self)
result['hive_addr'] = self.hive.obj_offset
return result
Example #21
| Source File: hive.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, base, config):
addrspace.BaseAddressSpace.__init__(self, base, config)
self.base = base
Example #22
| Source File: hibernate.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, base, config, **kwargs):
self.as_assert(base, "No base Address Space")
addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
self.runs = []
self.PageDict = {}
self.HighestPage = 0
self.PageIndex = 0
self.AddressList = []
self.LookupCache = {}
self.PageCache = Store(50)
self.MemRangeCnt = 0
self.entry_count = 0xFF
# Extract header information
self.as_assert(self.profile.has_type("PO_MEMORY_IMAGE"), "PO_MEMORY_IMAGE is not available in profile")
self.header = obj.Object('PO_MEMORY_IMAGE', 0, base)
## Is the signature right?
if self.header.Signature.lower() not in ['hibr', 'wake']:
self.header = obj.NoneObject("Invalid hibernation header")
volmag = obj.VolMagic(base)
self.entry_count = volmag.HibrEntryCount.v()
PROC_PAGE = volmag.HibrProcPage.v()
# Check it's definitely a hibernation file
self.as_assert(self._get_first_table_page() is not None, "No xpress signature found")
# Extract processor state
self.ProcState = obj.Object("_KPROCESSOR_STATE", PROC_PAGE * 4096, base)
## This is a pointer to the page table - any ASs above us dont
## need to search for it.
self.dtb = self.ProcState.SpecialRegisters.Cr3.v()
# This is a lengthy process, it was cached, but it may be best to delay this
# until it's absolutely necessary and/or convert it into a generator...
self.build_page_cache()
Example #23
| Source File: vol_interface.py From VolUtility with GNU General Public License v3.0 | 5 votes |
|
def init_config(self):
"""Creates a volatility configuration."""
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler("resolve")
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
base_conf = {
"profile": "WinXPSP2x86",
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"location": "file://" + self.memdump,
"plugins": 'plugins',
"debug": 4,
"cache_dtb": True,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
if self.osprofile:
base_conf["profile"] = self.osprofile
for key, value in base_conf.items():
self.config.update(key, value)
self.plugins = registry.get_plugin_classes(commands.Command, lower=True)
return self.config
Example #24
| Source File: VolatilityInterface.py From quincy with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, path, profile='WinXPSP2x86'):
self.config = conf.ConfObject()
registry.PluginImporter()
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
# self.config.parse_options()
self.config.PROFILE = profile
self.config.LOCATION = "file://" + path
self.Memory = utils.load_as(self.config)
self.Processes = self.__getProcesses()
self.Threads = self.__getThreads()
Example #25
| Source File: hive.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __getstate__(self):
result = addrspace.BaseAddressSpace.__getstate__(self)
result['hive_addr'] = self.hive.obj_offset
return result
Example #26
| Source File: hive.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, base, config, hive_addr, **kwargs):
addrspace.BaseAddressSpace.__init__(self, base, config)
self.base = base
self.hive = obj.Object("_HHIVE", hive_addr, base)
self.baseblock = self.hive.BaseBlock.v()
self.flat = self.hive.Flat.v() > 0
Example #27
| Source File: hive.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def __getstate__(self):
result = addrspace.BaseAddressSpace.__getstate__(self)
result['hive_addr'] = self.hive.obj_offset
return result
Example #28
| Source File: hive.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, base, config):
addrspace.BaseAddressSpace.__init__(self, base, config)
self.base = base
Example #29
| Source File: libapi.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def get_config(profile, target_path):
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = profile
config.LOCATION = "file://{0}".format(target_path)
return config
Example #30
| Source File: vmi.py From python with GNU Lesser General Public License v3.0 | 5 votes |
|
def __init__(self, base, config, layered=False, **kwargs):
self.as_assert(libvmi, "The LibVMI python bindings must be installed")
addrspace.BaseAddressSpace.__init__(self, base, config, **kwargs)
self.as_assert(base is None or layered, 'Must be first Address Space')
self.as_assert(config.LOCATION.startswith("vmi://"),
"Location doesn't start with vmi://")
domain = config.LOCATION[len("vmi://"):]
self.vmi = Libvmi(domain, partial=True)
self.dtb = self.vmi.get_vcpureg(X86Reg.CR3.value, 0)
