Example #1
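    def execute(self):
        """Scan a memory image for registry-hive pool allocations and print the hits.

        Reads the image path (``opts.filename``) and the optional directory
        table base (``opts.base``, a hex string) from the parsed command line,
        builds the flat and kernel address spaces, registers them with
        ``meta_info``, then runs ``PoolScanHiveFast2`` over the searchable
        address space and prints the match count and every match of each
        returned scanner object.

        Side effects: ``meta_info`` is updated; output goes to stdout.
        Invalid arguments are reported through ``op.error`` (assumed to exit,
        as optparse's ``error()`` does).
        """
        op = self.op
        opts = self.opts

        # The image is untrusted input: only its existence is checked here;
        # all parsing happens inside the address-space and scanner classes.
        filename = opts.filename
        if filename is None or not os.path.isfile(filename):
            op.error("File is required")

        try:
            flat_address_space = FileAddressSpace(filename, fast=True)
        except Exception:
            # Narrowed from a bare ``except`` so SystemExit/KeyboardInterrupt
            # are not swallowed and turned into a misleading "unable to open".
            op.error("Unable to open image file %s" % (filename))

        meta_info.set_datatypes(types)

        # Determine the applicable address space (ie hiber, crash)
        search_address_space = find_addr_space(flat_address_space, types)

        # Find a dtb value: an explicit hex value wins over auto-detection.
        if opts.base is None:
            # NOTE(review): get_dtb()'s failure value is not visible here;
            # confirm it cannot hand None to the address-space loaders below.
            sysdtb = get_dtb(search_address_space, types)
        else:
            try:
                sysdtb = int(opts.base, 16)
            except (ValueError, TypeError):
                op.error("Directory table base must be a hexidecimal number.")
        meta_info.set_dtb(sysdtb)

        # Set the kernel address space: PAE first, then the non-PAE layout.
        kaddr_space = load_pae_address_space(filename, sysdtb)
        if kaddr_space is None:
            kaddr_space = load_nopae_address_space(filename, sysdtb)
        # NOTE(review): kaddr_space may still be None if both loaders fail;
        # the original does not report that case, so it is left as-is.
        meta_info.set_kas(kaddr_space)

        scanners = [PoolScanHiveFast2(search_address_space)]
        objs = scan_addr_space(search_address_space, scanners)
        for obj in objs:
            print(len(obj.matches))
            for m in obj.matches:
                print(m)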
Example #2
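    def execute(self):
        """Scan a memory image for registry-hive pool allocations and print the hits.

        Reads the image path (``opts.filename``) and the optional directory
        table base (``opts.base``, a hex string) from the parsed command line,
        builds the flat and kernel address spaces, registers them with
        ``meta_info``, then runs ``PoolScanHiveFast2`` and prints the match
        count and every match of each returned scanner object.

        Side effects: ``meta_info`` is updated; output goes to stdout.
        Invalid arguments are reported through ``op.error`` (assumed to exit,
        as optparse's ``error()`` does).
        """
        op = self.op
        opts = self.opts

        # The image is untrusted input: only its existence is checked here;
        # all parsing happens inside the address-space and scanner classes.
        filename = opts.filename
        if filename is None or not os.path.isfile(filename):
            op.error("File is required")

        try:
            flat_address_space = FileAddressSpace(filename, fast=True)
        except Exception:
            # Narrowed from a bare ``except`` so SystemExit/KeyboardInterrupt
            # are not swallowed and turned into a misleading "unable to open".
            op.error("Unable to open image file %s" % (filename))

        meta_info.set_datatypes(types)

        # Determine the applicable address space (ie hiber, crash)
        search_address_space = find_addr_space(flat_address_space, types)

        # Find a dtb value: an explicit hex value wins over auto-detection.
        if opts.base is None:
            # NOTE(review): get_dtb()'s failure value is not visible here;
            # confirm it cannot hand None to the address-space loaders below.
            sysdtb = get_dtb(search_address_space, types)
        else:
            try:
                sysdtb = int(opts.base, 16)
            except (ValueError, TypeError):
                op.error("Directory table base must be a hexidecimal number.")
        meta_info.set_dtb(sysdtb)

        # Set the kernel address space: PAE first, then the non-PAE layout.
        # (The original mixed a tab and odd indentation in this region,
        # which Python 3 rejects; normalised to four-space indents.)
        kaddr_space = load_pae_address_space(filename, sysdtb)
        if kaddr_space is None:
            kaddr_space = load_nopae_address_space(filename, sysdtb)
        # NOTE(review): kaddr_space may still be None if both loaders fail;
        # the original does not report that case, so it is left as-is.
        meta_info.set_kas(kaddr_space)

        scanners = [PoolScanHiveFast2(search_address_space)]
        objs = scan_addr_space(search_address_space, scanners)
        for obj in objs:
            print(len(obj.matches))
            for m in obj.matches:
                print(m)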
Example #3
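    def execute(self):
        """Scan a memory image for registry-hive pool allocations.

        Merges the registry type definitions (``regtypes``) into the global
        ``types`` table, reads the image path (``opts.filename``) and the
        optional directory table base (``opts.base``, a hex string), builds
        the flat and kernel address spaces, registers them with ``meta_info``,
        prints a column header and runs ``PoolScanHiveFast2`` over the
        searchable address space.

        Side effects: the global ``types`` dict and ``meta_info`` are
        updated; output goes to stdout.  Invalid arguments are reported
        through ``op.error`` (assumed to exit, as optparse's ``error()`` does).
        """
        # Updating the global type table at run time is deliberate here: the
        # hive structures must be known before any address space or scanner
        # below consults ``types``.
        types.update(regtypes)

        op = self.op
        opts = self.opts

        # The image is untrusted input: only its existence is checked here;
        # all parsing happens inside the address-space and scanner classes.
        filename = opts.filename
        if filename is None or not os.path.isfile(filename):
            op.error("File is required")

        try:
            flat_address_space = FileAddressSpace(filename, fast=True)
        except Exception:
            # Narrowed from a bare ``except`` so SystemExit/KeyboardInterrupt
            # are not swallowed and turned into a misleading "unable to open".
            op.error("Unable to open image file %s" % (filename))

        meta_info.set_datatypes(types)

        # Determine the applicable address space (ie hiber, crash)
        search_address_space = find_addr_space(flat_address_space, types)

        # Find a dtb value: an explicit hex value wins over auto-detection.
        if opts.base is None:
            # NOTE(review): get_dtb()'s failure value is not visible here;
            # confirm it cannot hand None to the address-space loaders below.
            sysdtb = get_dtb(search_address_space, types)
        else:
            try:
                sysdtb = int(opts.base, 16)
            except (ValueError, TypeError):
                op.error("Directory table base must be a hexidecimal number.")
        meta_info.set_dtb(sysdtb)

        # Set the kernel address space: PAE first, then the non-PAE layout.
        kaddr_space = load_pae_address_space(filename, sysdtb)
        if kaddr_space is None:
            kaddr_space = load_nopae_address_space(filename, sysdtb)
        # NOTE(review): kaddr_space may still be None if both loaders fail;
        # the original does not report that case, so it is left as-is.
        meta_info.set_kas(kaddr_space)

        print("%-15s %-15s" % ("Offset", "(hex)"))
        scanners = [PoolScanHiveFast2(search_address_space)]
        # The return value was never used; presumably the scanner reports its
        # matches as it runs -- verify against PoolScanHiveFast2.
        scan_addr_space(search_address_space, scanners)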
Example #4
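    def execute(self):
        """Scan a memory image for loaded-module pool allocations, optionally into SQLite.

        Reads the image path (``opts.filename``), an optional SQLite database
        path (``opts.outfd1``) and an optional directory table base
        (``opts.base``, a hex string) from the parsed command line.  Publishes
        the lower-cased image base name as the module global ``imgname`` and
        the database path (or None) as the module global ``outfd``, makes sure
        the ``modscan2`` table exists, builds the address spaces, registers
        them with ``meta_info``, prints a column header and runs
        ``PoolScanModuleFast2SQL``.

        Side effects: globals ``imgname``/``outfd``, ``meta_info`` and the
        SQLite file are updated; output goes to stdout.  Invalid arguments are
        reported through ``op.error`` (assumed to exit, as optparse's
        ``error()`` does).
        """
        op = self.op
        opts = self.opts

        global imgname
        global outfd

        # The image is untrusted input: only its existence is checked here;
        # all parsing happens inside the address-space and scanner classes.
        filename = opts.filename
        if filename is None or not os.path.isfile(filename):
            op.error("File is required")
        # Last path component, accepting either separator, lower-cased.
        # Presumably written to the ``memimage`` column by the SQL scanner so
        # rows from different images can be told apart -- verify there.
        imgname = filename.replace("\\", "/").lower().rsplit("/", 1)[-1]

        if opts.outfd1 is not None:
            outfd = opts.outfd1

            # Create the results table up front so the scanner can insert
            # straight away.  ``IF NOT EXISTS`` replaces the original
            # probe-by-SELECT/except-OperationalError dance, and the
            # try/finally closes the connection even if the DDL fails.
            conn = sqlite3.connect(outfd)
            try:
                conn.execute("create table if not exists modscan2 (file text, base text, size text, name text, memimage text)")
                conn.commit()
            finally:
                conn.close()
        else:
            outfd = None

        try:
            flat_address_space = FileAddressSpace(filename, fast=True)
        except Exception:
            # Narrowed from a bare ``except`` so SystemExit/KeyboardInterrupt
            # are not swallowed and turned into a misleading "unable to open".
            op.error("Unable to open image file %s" % (filename))

        meta_info.set_datatypes(types)

        # Determine the applicable address space
        search_address_space = find_addr_space(flat_address_space, types)

        # Find a dtb value: an explicit hex value wins over auto-detection.
        if opts.base is None:
            # NOTE(review): get_dtb()'s failure value is not visible here;
            # confirm it cannot hand None to the address-space loaders below.
            sysdtb = get_dtb(search_address_space, types)
        else:
            try:
                sysdtb = int(opts.base, 16)
            except (ValueError, TypeError):
                op.error("Directory table base must be a hexidecimal number.")

        meta_info.set_dtb(sysdtb)
        # Kernel address space: PAE first, then the non-PAE layout.
        kaddr_space = load_pae_address_space(filename, sysdtb)
        if kaddr_space is None:
            kaddr_space = load_nopae_address_space(filename, sysdtb)
        # NOTE(review): kaddr_space may still be None if both loaders fail;
        # the original does not report that case, so it is left as-is.
        meta_info.set_kas(kaddr_space)

        print("%-50s %-12s %-8s %s \n" % ('File', 'Base', 'Size', 'Name'))

        scanners = [PoolScanModuleFast2SQL(search_address_space)]
        scan_addr_space(search_address_space, scanners)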
Example #5
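    def execute(self):
        """Scan a memory image for socket pool allocations, optionally into SQLite.

        Reads the image path (``opts.filename``), an optional SQLite database
        path (``opts.outfd1``) and an optional directory table base
        (``opts.base``, a hex string) from the parsed command line.  Publishes
        the lower-cased image base name as the module global ``imgname`` and
        the database path (or None) as the module global ``outfd``, makes sure
        the ``sockscan2`` table exists, builds the address spaces, registers
        them with ``meta_info``, prints a column header and runs
        ``PoolScanSockFast2SQL``.

        Side effects: globals ``imgname``/``outfd``, ``meta_info`` and the
        SQLite file are updated; output goes to stdout.  Invalid arguments are
        reported through ``op.error`` (assumed to exit, as optparse's
        ``error()`` does).
        """
        op = self.op
        opts = self.opts

        global imgname
        global outfd

        # The image is untrusted input: only its existence is checked here;
        # all parsing happens inside the address-space and scanner classes.
        filename = opts.filename
        if filename is None or not os.path.isfile(filename):
            op.error("File is required")
        # Last path component, accepting either separator, lower-cased.
        # Presumably written to the ``memimage`` column by the SQL scanner so
        # rows from different images can be told apart -- verify there.
        imgname = filename.replace("\\", "/").lower().rsplit("/", 1)[-1]

        if opts.outfd1 is not None:
            outfd = opts.outfd1
            # Echo of the database path, kept from the original output.
            print(outfd)

            # Create the results table up front so the scanner can insert
            # straight away.  ``IF NOT EXISTS`` replaces the original
            # probe-by-SELECT/except-OperationalError dance, and the
            # try/finally closes the connection even if the DDL fails.
            conn = sqlite3.connect(outfd)
            try:
                conn.execute("create table if not exists sockscan2(pid integer, port integer, proto text, ctime text, offset text, memimage text)")
                conn.commit()
            finally:
                conn.close()
        else:
            outfd = None

        try:
            flat_address_space = FileAddressSpace(filename, fast=True)
        except Exception:
            # Narrowed from a bare ``except`` so SystemExit/KeyboardInterrupt
            # are not swallowed and turned into a misleading "unable to open".
            op.error("Unable to open image file %s" % (filename))

        meta_info.set_datatypes(types)

        # Determine the applicable address space
        search_address_space = find_addr_space(flat_address_space, types)

        # Find a dtb value: an explicit hex value wins over auto-detection.
        if opts.base is None:
            # NOTE(review): get_dtb()'s failure value is not visible here;
            # confirm it cannot hand None to the address-space loaders below.
            sysdtb = get_dtb(search_address_space, types)
        else:
            try:
                sysdtb = int(opts.base, 16)
            except (ValueError, TypeError):
                op.error("Directory table base must be a hexidecimal number.")

        meta_info.set_dtb(sysdtb)
        # Kernel address space: PAE first, then the non-PAE layout.
        kaddr_space = load_pae_address_space(filename, sysdtb)
        if kaddr_space is None:
            kaddr_space = load_nopae_address_space(filename, sysdtb)
        # NOTE(review): kaddr_space may still be None if both loaders fail;
        # the original does not report that case, so it is left as-is.
        meta_info.set_kas(kaddr_space)

        print("PID    Port   Proto  Create Time                Offset \n"
              + "------ ------ ------ -------------------------- ----------\n")

        scanners = [PoolScanSockFast2SQL(search_address_space)]
        scan_addr_space(search_address_space, scanners)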