# Volatility
# Copyright (C) 2007,2008 Volatile Systems
# Copyright (C) 2009 Timothy D. Morgan (strings optimization)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or (at
# your option) any later version.
#
# This program is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
from bisect import bisect_right

import volatility.debug as debug
import volatility.plugins.linux.common as linux_common
import volatility.plugins.linux.lsmod as linux_lsmod
import volatility.plugins.linux.pslist as linux_pslist
import volatility.plugins.strings as strings
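class linux_strings(strings.Strings, linux_common.AbstractLinuxCommand):
    """Match physical offsets to virtual addresses (may take a while, VERY verbose)"""
    # NOTE: the one-line class docstring is reused by Volatility as the
    # plugin's help text, so it is deliberately left unchanged.

    @staticmethod
    def is_valid_profile(profile):
        # Only Linux profiles are supported; a missing 'os' key counts as not Linux.
        return profile.metadata.get('os', 'Unknown').lower() == 'linux'

    def get_processes(self, addr_space):
        """Enumerate processes based on user options.

        The task list comes from the linux_pslist plugin.  When the PID option
        is set it is parsed as a comma-separated list of integers and only the
        matching tasks are kept; a value that does not parse aborts the plugin
        through debug.error instead of silently scanning every process.

        :param addr_space | <addrspace.AbstractVirtualAddressSpace> (unused here,
                            kept for interface compatibility with strings.Strings)
        :returns <list> when a PID filter is applied, otherwise the iterable
                 produced by linux_pslist.calculate()
        """
        tasks = linux_pslist.linux_pslist(self._config).calculate()
        try:
            if self._config.PID is not None:
                # A set gives O(1) membership tests in the filter below.
                pidlist = set(int(p) for p in self._config.PID.split(','))
                tasks = [t for t in tasks if int(t.pid) in pidlist]
        except (ValueError, TypeError):
            # Requires `import volatility.debug as debug` at file level;
            # the option value is user-supplied and is echoed back as-is.
            debug.error("Invalid PID {0}".format(self._config.PID))
        return tasks

    @classmethod
    def get_modules(cls, addr_space):
        """Enumerate the kernel modules.

        :param addr_space | <addrspace.AbstractVirtualAddressSpace>
        :returns <tuple> (mods, mod_addrs) where mods maps each module's masked
                 module_core address to the module object, and mod_addrs is the
                 sorted list of those keys, ready for bisect in find_module
        """
        mask = addr_space.address_mask
        config = addr_space.get_config()
        modules = linux_lsmod.linux_lsmod(config).calculate()
        # Each item yielded by linux_lsmod is indexed with [0] to reach the
        # module object; the key is masked so it matches what find_module bisects.
        mods = dict((mask(mod[0].module_core), mod[0]) for mod in modules)
        mod_addrs = sorted(mods.keys())
        return (mods, mod_addrs)

    @classmethod
    def find_module(cls, modlist, mod_addrs, addr_space, vpage):
        """Determine which module owns a virtual page.

        :param modlist | <dict> masked module_core -> module, as built by get_modules
               mod_addrs | <list> sorted keys of modlist
               addr_space | <addrspace.AbstractVirtualAddressSpace> (unused here)
               vpage | <int>
        :returns <module> || None
        """
        # The candidate is the module with the greatest start address <= vpage.
        pos = bisect_right(mod_addrs, vpage) - 1
        if pos == -1:
            return None
        mod = modlist[mod_addrs[pos]]
        # address_compare(a, b) == -1 is treated here as "a is below b": the page
        # must fall within [module_core, module_core + core_size).
        compare = mod.obj_vm.address_compare
        in_range = (compare(vpage, mod.module_core) != -1 and
                    compare(vpage, mod.module_core + mod.core_size) == -1)
        return mod if in_range else None

    @classmethod
    def get_module_name(cls, module):
        """Get the name of a kernel module.

        :param module | <module>
        :returns <str>
        """
        return str(module.m("name"))

    @classmethod
    def get_task_pid(cls, task):
        """Get the PID of a process.

        :param task | <task>
        :returns <int>
        """
        return task.pid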