Python volatility.conf.ConfObject() Examples
The following are 13
code examples of volatility.conf.ConfObject().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
volatility.conf
, or try the search function
.
.
Example #1
| Source File: libapi.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def get_config(profile, target_path):
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = profile
config.LOCATION = "file://{0}".format(target_path)
return config
Example #2
| Source File: libapi.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def get_config(profile, target_path):
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = profile
config.LOCATION = "file://{0}".format(target_path)
return config
Example #3
| Source File: libapi.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def get_config(profile, target_path):
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = profile
config.LOCATION = "file://{0}".format(target_path)
return config
Example #4
| Source File: vol_interface.py From VolUtility with GNU General Public License v3.0 | 5 votes |
|
def init_config(self):
"""Creates a volatility configuration."""
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler("resolve")
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
base_conf = {
"profile": "WinXPSP2x86",
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"location": "file://" + self.memdump,
"plugins": 'plugins',
"debug": 4,
"cache_dtb": True,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
if self.osprofile:
base_conf["profile"] = self.osprofile
for key, value in base_conf.items():
self.config.update(key, value)
self.plugins = registry.get_plugin_classes(commands.Command, lower=True)
return self.config
Example #5
| Source File: VolatilityInterface.py From quincy with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, path, profile='WinXPSP2x86'):
self.config = conf.ConfObject()
registry.PluginImporter()
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
# self.config.parse_options()
self.config.PROFILE = profile
self.config.LOCATION = "file://" + path
self.Memory = utils.load_as(self.config)
self.Processes = self.__getProcesses()
self.Threads = self.__getThreads()
Example #6
| Source File: win32k_core.py From aumfor with GNU General Public License v3.0 | 4 votes |
|
def _section_chunks(self, sec_name):
"""Get the win32k.sys section as an array of
32-bit unsigned longs.
@param sec_name: name of the PE section in win32k.sys
to search for.
@returns all chunks on a 4-byte boundary.
"""
dos_header = obj.Object("_IMAGE_DOS_HEADER",
offset = self.Win32KBase, vm = self.obj_vm)
if dos_header:
try:
nt_header = dos_header.get_nt_header()
sections = [
sec for sec in nt_header.get_sections()
if str(sec.Name) == sec_name
]
# There should be exactly one section
if sections:
desired_section = sections[0]
return obj.Object("Array", targetType = "unsigned long",
offset = desired_section.VirtualAddress + dos_header.obj_offset,
count = desired_section.Misc.VirtualSize / 4,
vm = self.obj_vm)
except ValueError:
## This catches PE header parsing exceptions
pass
## Don't try to read an address that doesn't exist
if not self.Win32KBase:
return []
## In the rare case when win32k.sys PE header is paged or corrupted
## thus preventing us from parsing the sections, use the fallback
## mechanism of just reading 5 MB (max size of win32k.sys) from the
## base of the kernel module.
data = self.obj_vm.zread(self.Win32KBase, 0x500000)
## Fill a Buffer AS with the zread data and set its base to win32k.sys
## so we can still instantiate an Array and have each chunk at the
## correct offset in virtual memory.
buffer_as = addrspace.BufferAddressSpace(conf.ConfObject(),
data = data,
base_offset = self.Win32KBase)
return obj.Object("Array", targetType = "unsigned long",
offset = self.Win32KBase,
count = len(data) / 4,
vm = buffer_as)
Example #7
| Source File: win32k_core.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def _section_chunks(self, sec_name):
"""Get the win32k.sys section as an array of
32-bit unsigned longs.
@param sec_name: name of the PE section in win32k.sys
to search for.
@returns all chunks on a 4-byte boundary.
"""
dos_header = obj.Object("_IMAGE_DOS_HEADER",
offset = self.Win32KBase, vm = self.obj_vm)
if dos_header:
try:
nt_header = dos_header.get_nt_header()
sections = [
sec for sec in nt_header.get_sections()
if str(sec.Name) == sec_name
]
# There should be exactly one section
if sections:
desired_section = sections[0]
return obj.Object("Array", targetType = "unsigned long",
offset = desired_section.VirtualAddress + dos_header.obj_offset,
count = desired_section.Misc.VirtualSize / 4,
vm = self.obj_vm)
except ValueError:
## This catches PE header parsing exceptions
pass
## Don't try to read an address that doesn't exist
if not self.Win32KBase:
return []
## In the rare case when win32k.sys PE header is paged or corrupted
## thus preventing us from parsing the sections, use the fallback
## mechanism of just reading 5 MB (max size of win32k.sys) from the
## base of the kernel module.
data = self.obj_vm.zread(self.Win32KBase, 0x500000)
## Fill a Buffer AS with the zread data and set its base to win32k.sys
## so we can still instantiate an Array and have each chunk at the
## correct offset in virtual memory.
buffer_as = addrspace.BufferAddressSpace(conf.ConfObject(),
data = data,
base_offset = self.Win32KBase)
return obj.Object("Array", targetType = "unsigned long",
offset = self.Win32KBase,
count = len(data) / 4,
vm = buffer_as)
Example #8
| Source File: win32k_core.py From vortessence with GNU General Public License v2.0 | 4 votes |
|
def _section_chunks(self, sec_name):
"""Get the win32k.sys section as an array of
32-bit unsigned longs.
@param sec_name: name of the PE section in win32k.sys
to search for.
@returns all chunks on a 4-byte boundary.
"""
dos_header = obj.Object("_IMAGE_DOS_HEADER",
offset = self.Win32KBase, vm = self.obj_vm)
if dos_header:
try:
nt_header = dos_header.get_nt_header()
sections = [
sec for sec in nt_header.get_sections()
if str(sec.Name) == sec_name
]
# There should be exactly one section
if sections:
desired_section = sections[0]
return obj.Object("Array", targetType = "unsigned long",
offset = desired_section.VirtualAddress + dos_header.obj_offset,
count = desired_section.Misc.VirtualSize / 4,
vm = self.obj_vm)
except ValueError:
## This catches PE header parsing exceptions
pass
## Don't try to read an address that doesn't exist
if not self.Win32KBase:
return []
## In the rare case when win32k.sys PE header is paged or corrupted
## thus preventing us from parsing the sections, use the fallback
## mechanism of just reading 5 MB (max size of win32k.sys) from the
## base of the kernel module.
data = self.obj_vm.zread(self.Win32KBase, 0x500000)
## Fill a Buffer AS with the zread data and set its base to win32k.sys
## so we can still instantiate an Array and have each chunk at the
## correct offset in virtual memory.
buffer_as = addrspace.BufferAddressSpace(conf.ConfObject(),
data = data,
base_offset = self.Win32KBase)
return obj.Object("Array", targetType = "unsigned long",
offset = self.Win32KBase,
count = len(data) / 4,
vm = buffer_as)
Example #9
| Source File: memory.py From CuckooSploit with GNU General Public License v3.0 | 4 votes |
|
def __config(self):
"""Creates a volatility configuration."""
if self.config != None and self.addr_space != None:
return self.config
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler("resolve")
registry.register_global_options(self.config, commands.Command)
base_conf = {
"profile": "WinXPSP2x86",
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"location": "file://" + self.memdump,
"plugins": None,
"debug": None,
"cache_dtb": True,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
if self.osprofile:
base_conf["profile"] = self.osprofile
for key, value in base_conf.items():
self.config.update(key, value)
# Deal with Volatility support for KVM/qemu memory dump.
# See: #464.
try:
self.addr_space = utils.load_as(self.config)
except exc.AddrSpaceError as e:
if self._get_dtb():
self.addr_space = utils.load_as(self.config)
else:
raise
self.plugins = registry.get_plugin_classes(commands.Command,
lower=True)
return self.config
Example #10
| Source File: win32k_core.py From DAMM with GNU General Public License v2.0 | 4 votes |
|
def _section_chunks(self, sec_name):
"""Get the win32k.sys section as an array of
32-bit unsigned longs.
@param sec_name: name of the PE section in win32k.sys
to search for.
@returns all chunks on a 4-byte boundary.
"""
dos_header = obj.Object("_IMAGE_DOS_HEADER",
offset = self.Win32KBase, vm = self.obj_vm)
if dos_header:
try:
nt_header = dos_header.get_nt_header()
sections = [
sec for sec in nt_header.get_sections()
if str(sec.Name) == sec_name
]
# There should be exactly one section
if sections:
desired_section = sections[0]
return obj.Object("Array", targetType = "unsigned long",
offset = desired_section.VirtualAddress + dos_header.obj_offset,
count = desired_section.Misc.VirtualSize / 4,
vm = self.obj_vm)
except ValueError:
## This catches PE header parsing exceptions
pass
## Don't try to read an address that doesn't exist
if not self.Win32KBase:
return []
## In the rare case when win32k.sys PE header is paged or corrupted
## thus preventing us from parsing the sections, use the fallback
## mechanism of just reading 5 MB (max size of win32k.sys) from the
## base of the kernel module.
data = self.obj_vm.zread(self.Win32KBase, 0x500000)
## Fill a Buffer AS with the zread data and set its base to win32k.sys
## so we can still instantiate an Array and have each chunk at the
## correct offset in virtual memory.
buffer_as = addrspace.BufferAddressSpace(conf.ConfObject(),
data = data,
base_offset = self.Win32KBase)
return obj.Object("Array", targetType = "unsigned long",
offset = self.Win32KBase,
count = len(data) / 4,
vm = buffer_as)
Example #11
| Source File: volsetup.py From DAMM with GNU General Public License v2.0 | 4 votes |
|
def __init__(self, profile, kdbg, memimg):
'''
@profile: a Volatality profile string
@kdbg: a kdbg address string
@memimg: a memory image file name
'''
# volatility black magic
registry.PluginImporter()
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler(handler="resolve")
registry.register_global_options(self.config, commands.Command)
if memimg:
self.base_conf = {'profile': profile,
'use_old_as': None,
'kdbg': None if kdbg is None else int(kdbg, 16),
'help': False,
'kpcr': None,
'tz': None,
'pid': None,
'output_file': None,
'physical_offset': None,
'conf_file': None,
'dtb': None,
'output': None,
'info': None,
'location': "file://" + memimg,
'plugins': None,
'debug': None,
'cache_dtb': True,
'filename': None,
'cache_directory': None,
'verbose': None,
'write': False}
# set the default config
for k, v in self.base_conf.items():
self.config.update(k, v)
if profile == None:
profile = self.guess_profile(memimg)
sys.stderr.write("Using profile: %s\n" % profile)
Example #12
| Source File: vol.py From fame_modules with GNU General Public License v3.0 | 4 votes |
|
def initialize(self):
# Check dependencies
if not HAVE_VOLATILITY:
raise ModuleInitializationError(self, "Missing dependency: volatility")
# Default configuration
base_conf = {
"profile": self.volatility.profile,
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"plugins": self.volatility.plugins,
"debug": None,
"cache_dtb": True,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
# Create Volatility API configuration
self._volconfig = conf.ConfObject()
self._volconfig.optparser.set_conflict_handler("resolve")
for key, value in base_conf.items():
self._volconfig.update(key, value)
# Get all available plugins
# These two imports must occur after configuration init
# Else, 'plugins' configuration will not be effective
self._volcommands = import_module("volatility.commands")
self._volregistry = import_module("volatility.registry")
self._volutils = import_module("volatility.utils")
self._volregistry.PluginImporter()
self.plugins = self._volregistry.get_plugin_classes(self._volcommands.Command, lower=True)
# Check if we have the right volatility plugins for this module
if self.plugin_name is not None:
self.needs_plugin(self.plugin_name)
Example #13
| Source File: win32k_core.py From volatility with GNU General Public License v2.0 | 4 votes |
|
def _section_chunks(self, sec_name):
"""Get the win32k.sys section as an array of
32-bit unsigned longs.
@param sec_name: name of the PE section in win32k.sys
to search for.
@returns all chunks on a 4-byte boundary.
"""
dos_header = obj.Object("_IMAGE_DOS_HEADER",
offset = self.Win32KBase, vm = self.obj_vm)
if dos_header:
try:
nt_header = dos_header.get_nt_header()
sections = [
sec for sec in nt_header.get_sections()
if str(sec.Name) == sec_name
]
# There should be exactly one section
if sections:
desired_section = sections[0]
return obj.Object("Array", targetType = "unsigned long",
offset = desired_section.VirtualAddress + dos_header.obj_offset,
count = desired_section.Misc.VirtualSize / 4,
vm = self.obj_vm)
except ValueError:
## This catches PE header parsing exceptions
pass
## Don't try to read an address that doesn't exist
if not self.Win32KBase:
return []
## In the rare case when win32k.sys PE header is paged or corrupted
## thus preventing us from parsing the sections, use the fallback
## mechanism of just reading 5 MB (max size of win32k.sys) from the
## base of the kernel module.
data = self.obj_vm.zread(self.Win32KBase, 0x500000)
## Fill a Buffer AS with the zread data and set its base to win32k.sys
## so we can still instantiate an Array and have each chunk at the
## correct offset in virtual memory.
buffer_as = addrspace.BufferAddressSpace(conf.ConfObject(),
data = data,
base_offset = self.Win32KBase)
return obj.Object("Array", targetType = "unsigned long",
offset = self.Win32KBase,
count = len(data) / 4,
vm = buffer_as)
