def calculate(self): if self._config.MACHINE != "": self._config.update("MACHINE", f"{self._config.MACHINE} ") offsets = [] address_space = utils.load_as(self._config, astype='physical') if self._config.OFFSET != None: items = [int(o, 16) for o in self._config.OFFSET.split(',')] for offset in items: mft_buff = address_space.read(offset, self._config.ENTRYSIZE) bufferas = addrspace.BufferAddressSpace(self._config, data=mft_buff) mft_entry = obj.Object('MFT_FILE_RECORD', vm=bufferas, offset=0) offsets.append((offset, mft_entry, mft_buff)) else: scanner = poolscan.MultiPoolScanner(needles=[b'FILE', b'BAAD']) print( "Scanning for MFT entries and building directory, this can take a while" ) seen = [] for _, offset in scanner.scan(address_space): mft_buff = address_space.read(offset, self._config.ENTRYSIZE) bufferas = addrspace.BufferAddressSpace(self._config, data=mft_buff) name = "" try: mft_entry = obj.Object('MFT_FILE_RECORD', vm=bufferas, offset=0) temp = mft_entry.advance_one( mft_entry.ResidentAttributes.STDInfo.obj_offset + mft_entry.ResidentAttributes.ContentSize, mft_buff, self._config.ENTRYSIZE, ) if temp == None: continue mft_entry.add_path(temp.FileName) name = temp.FileName.get_name() except struct.error: if self._config.DEBUGOUT: print(f"Problem entry at offset: {hex(offset)}") continue if (int(mft_entry.RecordNumber), name) in seen: continue else: seen.append((int(mft_entry.RecordNumber), name)) offsets.append((offset, mft_entry, mft_buff)) for offset, mft_entry, mft_buff in offsets: if self._config.DEBUGOUT: print(f"Processing MFT Entry at offset: {hex(offset)}") attributes = mft_entry.parse_attributes(mft_buff, not self._config.NOCHECK, self._config.ENTRYSIZE) yield offset, mft_entry, attributes
def calculate(self): linux_common.set_plugin_members(self) phys_addr_space = utils.load_as(self._config, astype='physical') if phys_addr_space.profile.metadata.get('memory_model', '32bit') == "32bit": fmt = "<I" else: fmt = "<Q" needles = [] for sym in phys_addr_space.profile.get_all_symbol_names("kernel"): if sym.find("_sched_class") != -1: addr = phys_addr_space.profile.get_symbol(sym) needles.append(struct.pack(fmt, addr)) if len(needles) == 0: debug.error( "Unable to scan for processes. Please file a bug report.") back_offset = phys_addr_space.profile.get_obj_offset( "task_struct", "sched_class") scanner = poolscan.MultiPoolScanner(needles) for _, offset in scanner.scan(phys_addr_space): ptask = obj.Object("task_struct", offset=offset - back_offset, vm=phys_addr_space) if not ptask.exit_state.v() in [0, 16, 32, 16 | 32]: continue if not (0 < ptask.pid < 66000): continue yield ptask