def calculate(self):
if self._config.MACHINE != "":
self._config.update("MACHINE", f"{self._config.MACHINE} ")
offsets = []
address_space = utils.load_as(self._config, astype='physical')
if self._config.OFFSET != None:
items = [int(o, 16) for o in self._config.OFFSET.split(',')]
for offset in items:
mft_buff = address_space.read(offset, self._config.ENTRYSIZE)
bufferas = addrspace.BufferAddressSpace(self._config,
data=mft_buff)
mft_entry = obj.Object('MFT_FILE_RECORD',
vm=bufferas,
offset=0)
offsets.append((offset, mft_entry, mft_buff))
else:
scanner = poolscan.MultiPoolScanner(needles=[b'FILE', b'BAAD'])
print(
"Scanning for MFT entries and building directory, this can take a while"
)
seen = []
for _, offset in scanner.scan(address_space):
mft_buff = address_space.read(offset, self._config.ENTRYSIZE)
bufferas = addrspace.BufferAddressSpace(self._config,
data=mft_buff)
name = ""
try:
mft_entry = obj.Object('MFT_FILE_RECORD',
vm=bufferas,
offset=0)
temp = mft_entry.advance_one(
mft_entry.ResidentAttributes.STDInfo.obj_offset +
mft_entry.ResidentAttributes.ContentSize,
mft_buff,
self._config.ENTRYSIZE,
)
if temp == None:
continue
mft_entry.add_path(temp.FileName)
name = temp.FileName.get_name()
except struct.error:
if self._config.DEBUGOUT:
print(f"Problem entry at offset: {hex(offset)}")
continue
if (int(mft_entry.RecordNumber), name) in seen:
continue
else:
seen.append((int(mft_entry.RecordNumber), name))
offsets.append((offset, mft_entry, mft_buff))
for offset, mft_entry, mft_buff in offsets:
if self._config.DEBUGOUT:
print(f"Processing MFT Entry at offset: {hex(offset)}")
attributes = mft_entry.parse_attributes(mft_buff,
not self._config.NOCHECK,
self._config.ENTRYSIZE)
yield offset, mft_entry, attributes
def calculate(self):
linux_common.set_plugin_members(self)
phys_addr_space = utils.load_as(self._config, astype='physical')
if phys_addr_space.profile.metadata.get('memory_model',
'32bit') == "32bit":
fmt = "<I"
else:
fmt = "<Q"
needles = []
for sym in phys_addr_space.profile.get_all_symbol_names("kernel"):
if sym.find("_sched_class") != -1:
addr = phys_addr_space.profile.get_symbol(sym)
needles.append(struct.pack(fmt, addr))
if len(needles) == 0:
debug.error(
"Unable to scan for processes. Please file a bug report.")
back_offset = phys_addr_space.profile.get_obj_offset(
"task_struct", "sched_class")
scanner = poolscan.MultiPoolScanner(needles)
for _, offset in scanner.scan(phys_addr_space):
ptask = obj.Object("task_struct",
offset=offset - back_offset,
vm=phys_addr_space)
if not ptask.exit_state.v() in [0, 16, 32, 16 | 32]:
continue
if not (0 < ptask.pid < 66000):
continue
yield ptask
