def get_kernel_function_addrs(obj_ref):
import volatility.plugins.mac.lsmod as lsmod
kernel_symbol_addresses = obj_ref.profile.get_all_function_addresses()
# TODO -- make sure more stringent and parse each kext in-memory so we only allow whitelist from .text
kmods = [(kmod.address, kmod.address + kmod.m('size'), kmod.name) for kmod in lsmod.mac_lsmod(obj_ref._config).calculate() if str(kmod.name) != "com.apple.kpi.unsupported"]
return (kernel_symbol_addresses, kmods)
def get_kernel_function_addrs(obj_ref):
import volatility.plugins.mac.lsmod as lsmod
kernel_symbol_addresses = obj_ref.profile.get_all_function_addresses()
# TODO -- make sure more stringent and parse each kext in-memory so we only allow whitelist from .text
kmods = [(kmod.address, kmod.address + kmod.m('size'), kmod.name) for kmod in lsmod.mac_lsmod(obj_ref._config).calculate() if str(kmod.name) != "com.apple.kpi.unsupported"]
return (kernel_symbol_addresses, kmods)
def modules(self):
mods = lsmod.mac_lsmod(self._config).calculate()
for mod in mods:
print(
"{3:16x} {0:48} {1:16x} {2:6d}".format(
mod.name, mod.address, mod.m('size'), mod.obj_offset
)
)
def get_kernel_addrs(obj_ref):
import volatility.plugins.mac.lsmod as lsmod
# all the known addresses in the kernel
# TODO -- make more stringent and get only symbols from .text
kernel_symbol_addresses = obj_ref.profile.get_all_addresses()
# module addresses, tuple of (start, end)
# TODO -- make sure more stringent and parse each kext in-memory so we only allow whitelist from .text
kmods = [(kmod.address, kmod.address + kmod.m('size'), kmod.name) for kmod in lsmod.mac_lsmod(obj_ref._config).calculate()]
return (kernel_symbol_addresses, kmods)
def get_kernel_addrs(obj_ref):
import volatility.plugins.mac.lsmod as lsmod
# all the known addresses in the kernel
# TODO -- make more stringent and get only symbols from .text
kernel_symbol_addresses = obj_ref.profile.get_all_addresses()
# module addresses, tuple of (start, end)
# TODO -- make sure more stringent and parse each kext in-memory so we only allow whitelist from .text
kmods = [(kmod.address, kmod.address + kmod.m('size'), kmod.name)
for kmod in lsmod.mac_lsmod(obj_ref._config).calculate()]
return (kernel_symbol_addresses, kmods)
def get_modules(cls, addr_space):
"""Enumerate the kernel modules.
:param addr_space | <addrspace.AbstractVirtualAddressSpace>
:returns <tuple>
"""
mask = addr_space.address_mask
config = addr_space.get_config()
modules = mac_lsmod.mac_lsmod(config).calculate()
mods = dict((mask(mod.address), mod) for mod in modules)
mod_addrs = sorted(mods.keys())
return (mods, mod_addrs)
def get_modules(cls, addr_space):
"""Enumerate the kernel modules.
:param addr_space | <addrspace.AbstractVirtualAddressSpace>
:returns <tuple>
"""
mask = addr_space.address_mask
config = addr_space.get_config()
modules = mac_lsmod.mac_lsmod(config).calculate()
mods = dict((mask(mod.address), mod) for mod in modules)
mod_addrs = sorted(mods.keys())
return (mods, mod_addrs)
def get_kernel_addrs_start_end(obj_ref):
import volatility.plugins.mac.lsmod as lsmod
s = obj_ref.profile.get_symbol("_vm_kernel_stext")
e = obj_ref.profile.get_symbol("_vm_kernel_etext")
start = obj.Object("unsigned long", offset=s, vm=obj_ref.addr_space)
end = obj.Object("unsigned long", offset=e, vm=obj_ref.addr_space)
# module addresses, tuple of (start, end)
# TODO -- make sure more stringent and parse each kext in-memory so we only allow whitelist from .text
kmods = [(kmod.address.v(), kmod.address.v() + kmod.m('size'), kmod.name)
for kmod in lsmod.mac_lsmod(obj_ref._config).calculate()
if str(kmod.name) != "com.apple.kpi.unsupported"]
return (start, end, kmods)
def get_kernel_addrs_start_end(obj_ref):
import volatility.plugins.mac.lsmod as lsmod
s = obj_ref.profile.get_symbol("_vm_kernel_stext")
e = obj_ref.profile.get_symbol("_vm_kernel_etext")
start = obj.Object("unsigned long", offset = s, vm = obj_ref.addr_space)
end = obj.Object("unsigned long", offset = e, vm = obj_ref.addr_space)
# module addresses, tuple of (start, end)
# TODO -- make sure more stringent and parse each kext in-memory so we only allow whitelist from .text
kmods = [(kmod.address.v(), kmod.address.v() + kmod.m('size'), kmod.name) for kmod in lsmod.mac_lsmod(obj_ref._config).calculate() if str(kmod.name) != "com.apple.kpi.unsupported"]
return (start, end, kmods)
def modules(self):
mods = lsmod.mac_lsmod(self._config).calculate()
for mod in mods:
print "{3:16x} {0:48} {1:16x} {2:6d}".format(mod.name, mod.address, mod.m('size'), mod.obj_offset)
