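def calculate(self):
    """Yield (task, fd, inet_sock) for every open socket in every process.

    The open files come from the lsof plugin; a file is treated as a socket
    when its f_op points at the kernel's ``socket_file_ops`` or its dentry's
    d_op points at ``sockfs_dentry_operations``. The socket's inode is then
    mapped to its ``inet_sock`` through SOCKET_I().

    Yields:
        (task, fd, inet_sock) tuples; ``task`` and ``fd`` are taken unchanged
        from linux_lsof, ``inet_sock`` is an obj.Object built over skt.sk.

    Raises:
        AttributeError: the profile has no ``inet_sock`` type (ancient 2.6.9
            CentOS kernels do not carry it in their debug info).
    """
    linux_common.set_plugin_members(self)

    if not self.profile.has_type("inet_sock"):
        # ancient (2.6.9) centos kernels do not have inet_sock in debug info
        raise AttributeError(
            "Given profile does not have inet_sock, please file a bug if the kernel version is > 2.6.11"
        )

    # Both symbols are loop invariants: resolve them once instead of once
    # per open file.
    socket_file_ops = self.get_profile_symbol("socket_file_ops")
    sockfs_dentry_ops = self.get_profile_symbol("sockfs_dentry_operations")

    openfiles = linux_lsof.linux_lsof(self._config).calculate()

    for task, filp, fd in openfiles:
        # It's a socket when either the file ops or the dentry ops are the
        # kernel's socket implementations (short-circuit kept: d_op is only
        # read when f_op did not match).
        is_socket = (filp.f_op == socket_file_ops
                     or filp.dentry.d_op == sockfs_dentry_ops)
        if not is_socket:
            continue

        inode = filp.dentry.d_inode
        skt = self.SOCKET_I(inode)
        inet_sock = obj.Object("inet_sock", offset=skt.sk, vm=self.addr_space)
        yield task, fd, inet_sock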
def check_open_files_fop(self, f_op_members, modules):
    """Report hooked file_operations members on every open file.

    Every open file reported by the lsof plugin has its f_op table passed to
    verify_ops() together with ``f_op_members`` and ``modules``; whatever
    verify_ops() flags is yielded, labelled with the owning process.

    Args:
        f_op_members: the file_operations members to verify -- they are all
            function pointers.
        modules: handed through unchanged to verify_ops().

    Yields:
        (name, hooked_member, hook_address) tuples, where ``name`` is
        "<comm> <fd> <path>" for the file whose member is hooked.
    """
    # get all the members in file_operations, they are all function pointers
    lsof = linux_lsof.linux_lsof(self._config)

    for task, filp, fd in lsof.calculate():
        hooks = self.verify_ops(filp.f_op, f_op_members, modules)
        for hooked_member, hook_address in hooks:
            label = "{0:s} {1:d} {2:s}".format(
                task.comm, fd, linux_common.get_path(task, filp))
            yield (label, hooked_member, hook_address)
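def calculate(self):
    """Yield (task, fd, inet_sock) for each open socket file descriptor.

    Uses the lsof plugin to enumerate open files and keeps those whose f_op is
    the kernel's ``socket_file_ops`` or whose dentry d_op is
    ``sockfs_dentry_operations``; the socket inode is resolved to its
    ``inet_sock`` via SOCKET_I().

    Yields:
        (task, fd, inet_sock) tuples; ``inet_sock`` is an obj.Object placed
        at skt.sk in the plugin's address space.

    Raises:
        AttributeError: the profile lacks the ``inet_sock`` type. The
            ``raise Type, "msg"`` form used before was Python-2-only syntax;
            the call form below behaves the same on both 2 and 3.
    """
    linux_common.set_plugin_members(self)

    if not self.profile.has_type("inet_sock"):
        # ancient (2.6.9) centos kernels do not have inet_sock in debug info
        raise AttributeError(
            "Given profile does not have inet_sock, please file a bug if the kernel version is > 2.6.11"
        )

    # Symbol lookups do not change across the loop; do them once.
    socket_ops_sym = self.get_profile_symbol("socket_file_ops")
    sockfs_dops_sym = self.get_profile_symbol("sockfs_dentry_operations")

    openfiles = linux_lsof.linux_lsof(self._config).calculate()

    for task, filp, fd in openfiles:
        # its a socket! -- matched either on file ops or on dentry ops
        if filp.f_op != socket_ops_sym and filp.dentry.d_op != sockfs_dops_sym:
            continue

        iaddr = filp.dentry.d_inode
        skt = self.SOCKET_I(iaddr)
        inet_sock = obj.Object("inet_sock", offset=skt.sk, vm=self.addr_space)
        yield task, fd, inet_sock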
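# Build the global configuration and register the option sets of the
# command and address-space layers before parsing (same order as before:
# the commands/addrspace imports follow the ConfObject creation).
config = conf.ConfObject()

import volatility.commands as commands
import volatility.addrspace as addrspace

registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = "LinuxDebian31604x64"
config.LOCATION = "vmi://debian-hvm"

# Other imports
import time

# Retrieve lsof plugin
import volatility.plugins.linux.lsof as lsofPlugin
import volatility.plugins.linux.pslist as linux_pslist

# Name of the process whose open files are listed (was hard-coded in the
# loop below).
TARGET_COMM = 'test'

lsofData = lsofPlugin.linux_lsof(config)

lsof_plugin_start_time = time.time()

tasks = linux_pslist.linux_pslist(config).allprocs()

# Collect every task named TARGET_COMM. Previously ``mytasks`` was assigned
# inside the loop, so it was undefined (NameError) when nothing matched and
# held only the last match when several processes shared the name.
mytasks = [task for task in tasks if str(task.comm) == TARGET_COMM]

if not mytasks:
    print("No process named %r found" % TARGET_COMM)

# print(msg) with a single argument prints the same text under Python 2
# as the old ``print msg`` statement did.
for msg in lsofData.generator(mytasks):
    print(msg)

print("--- List Open Files Time Taken: %s seconds ---" % (time.time() - lsof_plugin_start_time))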