def calculate(self):
        """Yield ``(task, idx, inet_sock)`` for every open file that is a socket.

        Walks the lsof plugin's output and keeps only those descriptors whose
        ``f_op`` is the kernel's ``socket_file_ops`` table or whose dentry
        ``d_op`` is ``sockfs_dentry_operations``.  For each hit the socket is
        recovered with ``SOCKET_I(inode)`` and an ``inet_sock`` object is built
        at ``sk`` in the plugin's address space.

        ``idx`` is the per-task index lsof reports for the descriptor.

        Raises:
            AttributeError: the profile has no ``inet_sock`` type (very old
                CentOS 2.6.9 kernels lack it in the debug info).
        """
        linux_common.set_plugin_members(self)

        # ancient (2.6.9) centos kernels do not have inet_sock in debug info
        if not self.profile.has_type("inet_sock"):
            raise AttributeError(
                "Given profile does not have inet_sock, please file a bug if the kernel version is > 2.6.11"
            )

        def is_socket(filp):
            # Short-circuit order matters: the dentry ops are only consulted
            # when the file ops do not already identify a socket.
            # NOTE(review): a descriptor whose f_op AND d_op have both been
            # replaced (the situation check_open_files_fop is meant to surface)
            # fails both tests and is silently omitted from the listing.
            if filp.f_op == self.get_profile_symbol("socket_file_ops"):
                return True
            return filp.dentry.d_op == self.get_profile_symbol("sockfs_dentry_operations")

        open_files = linux_lsof.linux_lsof(self._config).calculate()

        for task, filp, idx in open_files:
            if not is_socket(filp):
                continue

            inode = filp.dentry.d_inode
            sock = self.SOCKET_I(inode)
            inet_sock = obj.Object("inet_sock", offset=sock.sk, vm=self.addr_space)

            yield task, idx, inet_sock
    def check_open_files_fop(self, f_op_members, modules):
        """Yield ``(name, hooked_member, hook_address)`` for open files whose
        ``file_operations`` table has entries flagged by ``verify_ops``.

        Every member of ``file_operations`` is a function pointer; each open
        file's ``f_op`` is handed to ``self.verify_ops`` together with
        *f_op_members* and *modules*, and each pair it reports is re-yielded
        with a label of the form ``"<comm> <idx> <path>"``.

        Args:
            f_op_members: the ``file_operations`` member names to check.
            modules: passed through to ``verify_ops`` (presumably the set of
                trusted code ranges a pointer must fall into -- confirm there).
        """
        # get all the members in file_operations, they are all function pointers
        lsof = linux_lsof.linux_lsof(self._config)

        for task, filp, idx in lsof.calculate():
            flagged = self.verify_ops(filp.f_op, f_op_members, modules)
            for hooked_member, hook_address in flagged:
                # Label is built per flagged member, exactly as the listing
                # consumer expects one line per (file, member) pair.
                label = "{0:s} {1:d} {2:s}".format(
                    task.comm, idx, linux_common.get_path(task, filp))
                yield (label, hooked_member, hook_address)
    def check_open_files_fop(self, f_op_members, modules):
        """Yield ``(name, hooked_member, hook_address)`` for open files whose
        ``file_operations`` table has entries flagged by ``verify_ops``.

        Every member of ``file_operations`` is a function pointer; each open
        file's ``f_op`` is handed to ``self.verify_ops`` together with
        *f_op_members* and *modules*, and each pair it reports is re-yielded
        with a label of the form ``"<comm> <idx> <path>"``.

        Args:
            f_op_members: the ``file_operations`` member names to check.
            modules: passed through to ``verify_ops`` (presumably the set of
                trusted code ranges a pointer must fall into -- confirm there).
        """
        # get all the members in file_operations, they are all function pointers
        lsof = linux_lsof.linux_lsof(self._config)

        for task, filp, idx in lsof.calculate():
            flagged = self.verify_ops(filp.f_op, f_op_members, modules)
            for hooked_member, hook_address in flagged:
                # Label is built per flagged member, exactly as the listing
                # consumer expects one line per (file, member) pair.
                label = "{0:s} {1:d} {2:s}".format(
                    task.comm, idx, linux_common.get_path(task, filp))
                yield (label, hooked_member, hook_address)
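    def calculate(self):
        """Yield ``(task, idx, inet_sock)`` for every open file that is a socket.

        Walks the lsof plugin's output and keeps only those descriptors whose
        ``f_op`` is the kernel's ``socket_file_ops`` table or whose dentry
        ``d_op`` is ``sockfs_dentry_operations``.  For each hit the socket is
        recovered with ``SOCKET_I(inode)`` and an ``inet_sock`` object is built
        at ``sk`` in the plugin's address space.

        ``idx`` is the per-task index lsof reports for the descriptor.

        Raises:
            AttributeError: the profile has no ``inet_sock`` type (very old
                CentOS 2.6.9 kernels lack it in the debug info).
        """
        linux_common.set_plugin_members(self)
        if not self.profile.has_type("inet_sock"):
            # ancient (2.6.9) centos kernels do not have inet_sock in debug info
            # Call form rather than the Python 2-only ``raise E, msg`` statement,
            # so the method parses under both Python 2 and 3 (same message).
            raise AttributeError(
                "Given profile does not have inet_sock, please file a bug if the kernel version is > 2.6.11"
            )

        openfiles = linux_lsof.linux_lsof(self._config).calculate()

        for (task, filp, i) in openfiles:

            # its a socket!
            # NOTE(review): a descriptor whose f_op AND d_op have both been
            # replaced fails both comparisons and is silently left out.
            if filp.f_op == self.get_profile_symbol("socket_file_ops") or filp.dentry.d_op == self.get_profile_symbol("sockfs_dentry_operations"):

                iaddr = filp.dentry.d_inode
                skt = self.SOCKET_I(iaddr)
                inet_sock = obj.Object("inet_sock", offset=skt.sk, vm=self.addr_space)

                yield task, i, inet_sock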
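# Stand-alone driver: configure Volatility, then run the Linux lsof plugin
# against the process named 'test' and report how long the listing took.
config = conf.ConfObject()
import volatility.commands as commands
import volatility.addrspace as addrspace

# Global options must be registered before parse_options() so that PROFILE
# and LOCATION are known options when they are assigned below.
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = "LinuxDebian31604x64"
# NOTE(review): a vmi:// location points at a running guest rather than a
# memory image, so the plugin reads live, changing state -- confirm this is
# the intended acquisition mode.
config.LOCATION = "vmi://debian-hvm"

# Other imports
import time

# Retrieve lsof plugin
import volatility.plugins.linux.lsof as lsofPlugin
import volatility.plugins.linux.pslist as linux_pslist

lsofData = lsofPlugin.linux_lsof(config)

# Timer starts before the process walk, so the reported figure covers
# pslist.allprocs() as well as the lsof generator.
lsof_plugin_start_time = time.time()

tasks = linux_pslist.linux_pslist(config).allprocs()

for task in tasks:
    # comm is the kernel's short task name; only exact matches are listed.
    if str(task.comm) == 'test':
        mytasks = [task]
        for msg in lsofData.generator(mytasks):
            # Function-call form so this line matches the print() below and
            # the script parses on both Python 2 and 3.
            print(msg)
print("--- List Open Files Time Taken: %s seconds ---" %
      (time.time() - lsof_plugin_start_time))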