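def execute(self):
    """Scan a memory image for hive pool allocations and print every match.

    Reads ``self.op`` (an option-parser-like object exposing ``error(msg)``)
    and ``self.opts`` (``filename``: path to the image file; ``base``:
    optional directory table base given as a hex string).  For each scanner
    result the number of matches is printed, followed by the matches
    themselves.  Errors are reported through ``op.error`` rather than raised.
    """
    op = self.op
    opts = self.opts

    # The image path is mandatory and must name an existing regular file.
    if opts.filename is None or not os.path.isfile(opts.filename):
        op.error("File is required")
        return

    filename = opts.filename
    try:
        flat_address_space = FileAddressSpace(filename, fast=True)
    except Exception:
        # Narrowed from a bare ``except:`` so SystemExit / KeyboardInterrupt
        # still propagate.  op.error() presumably terminates the program; the
        # explicit return guards against an unbound name if it does not.
        op.error("Unable to open image file %s" % (filename))
        return

    meta_info.set_datatypes(types)

    # Determine the applicable address space (ie hiber, crash)
    search_address_space = find_addr_space(flat_address_space, types)

    # Find a dtb value: discover it from the image, or take the user's hex string.
    if opts.base is None:
        sysdtb = get_dtb(search_address_space, types)
    else:
        try:
            sysdtb = int(opts.base, 16)
        except (TypeError, ValueError):
            # Only the parse failure is an input error; anything else should surface.
            op.error("Directory table base must be a hexidecimal number.")
            return
    meta_info.set_dtb(sysdtb)

    # Set the kernel address space: PAE first, non-PAE as the fallback.
    kaddr_space = load_pae_address_space(filename, sysdtb)
    if kaddr_space is None:
        kaddr_space = load_nopae_address_space(filename, sysdtb)
    meta_info.set_kas(kaddr_space)

    scanners = [PoolScanHiveFast2(search_address_space)]
    objs = scan_addr_space(search_address_space, scanners)
    # Single-argument print() call form behaves identically on Python 2 and 3.
    for obj in objs:
        print(len(obj.matches))
        for m in obj.matches:
            print(m)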
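def execute(self):
    """Scan a memory image for hive pool allocations and print every match.

    Reads ``self.op`` (an option-parser-like object exposing ``error(msg)``)
    and ``self.opts`` (``filename``: path to the image file; ``base``:
    optional directory table base given as a hex string).  For each scanner
    result the number of matches is printed, followed by the matches
    themselves.  Errors are reported through ``op.error`` rather than raised.
    """
    op = self.op
    opts = self.opts

    # The image path is mandatory and must name an existing regular file.
    if opts.filename is None or not os.path.isfile(opts.filename):
        op.error("File is required")
        return

    filename = opts.filename
    try:
        flat_address_space = FileAddressSpace(filename, fast=True)
    except Exception:
        # Narrowed from a bare ``except:`` so SystemExit / KeyboardInterrupt
        # still propagate.  op.error() presumably terminates the program; the
        # explicit return guards against an unbound name if it does not.
        op.error("Unable to open image file %s" % (filename))
        return

    meta_info.set_datatypes(types)

    # Determine the applicable address space (ie hiber, crash)
    search_address_space = find_addr_space(flat_address_space, types)

    # Find a dtb value: discover it from the image, or take the user's hex string.
    if opts.base is None:
        sysdtb = get_dtb(search_address_space, types)
    else:
        try:
            sysdtb = int(opts.base, 16)
        except (TypeError, ValueError):
            # Only the parse failure is an input error; anything else should surface.
            op.error("Directory table base must be a hexidecimal number.")
            return
    meta_info.set_dtb(sysdtb)

    # Set the kernel address space: PAE first, non-PAE as the fallback.
    kaddr_space = load_pae_address_space(filename, sysdtb)
    if kaddr_space is None:
        kaddr_space = load_nopae_address_space(filename, sysdtb)
    meta_info.set_kas(kaddr_space)

    scanners = [PoolScanHiveFast2(search_address_space)]
    objs = scan_addr_space(search_address_space, scanners)
    # Single-argument print() call form behaves identically on Python 2 and 3.
    for obj in objs:
        print(len(obj.matches))
        for m in obj.matches:
            print(m)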
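def execute(self):
    """Scan a memory image for hive pool allocations after loading registry types.

    Reads ``self.op`` (an option-parser-like object exposing ``error(msg)``)
    and ``self.opts`` (``filename``: path to the image file; ``base``:
    optional directory table base given as a hex string).  Prints a column
    header and runs the hive pool scanner; the scanner result is assigned to
    ``objs`` but is not consumed by the code visible here.
    """
    # In general it's not recommended to update the global types on the fly,
    # but I'm special and I know what I'm doing ;)
    types.update(regtypes)

    op = self.op
    opts = self.opts

    # The image path is mandatory and must name an existing regular file.
    if opts.filename is None or not os.path.isfile(opts.filename):
        op.error("File is required")
        return

    filename = opts.filename
    try:
        flat_address_space = FileAddressSpace(filename, fast=True)
    except Exception:
        # Narrowed from a bare ``except:`` so SystemExit / KeyboardInterrupt
        # still propagate.  op.error() presumably terminates the program; the
        # explicit return guards against an unbound name if it does not.
        op.error("Unable to open image file %s" % (filename))
        return

    meta_info.set_datatypes(types)

    # Determine the applicable address space (ie hiber, crash)
    search_address_space = find_addr_space(flat_address_space, types)

    # Find a dtb value: discover it from the image, or take the user's hex string.
    if opts.base is None:
        sysdtb = get_dtb(search_address_space, types)
    else:
        try:
            sysdtb = int(opts.base, 16)
        except (TypeError, ValueError):
            # Only the parse failure is an input error; anything else should surface.
            op.error("Directory table base must be a hexidecimal number.")
            return
    meta_info.set_dtb(sysdtb)

    # Set the kernel address space: PAE first, non-PAE as the fallback.
    kaddr_space = load_pae_address_space(filename, sysdtb)
    if kaddr_space is None:
        kaddr_space = load_nopae_address_space(filename, sysdtb)
    meta_info.set_kas(kaddr_space)

    # Single-argument print() call form behaves identically on Python 2 and 3.
    print("%-15s %-15s" % ("Offset", "(hex)"))
    scanners = [PoolScanHiveFast2(search_address_space)]
    # NOTE(review): objs is never read below; either the scanner prints its own
    # results or the remainder of this method was lost -- confirm against the
    # original file.
    objs = scan_addr_space(search_address_space, scanners)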
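def execute(self):
    """Scan a memory image for loaded-module pool allocations, optionally into SQLite.

    Reads ``self.op`` (an option-parser-like object exposing ``error(msg)``)
    and ``self.opts`` (``filename``: path to the image file; ``base``:
    optional directory table base as a hex string; ``outfd1``: optional path
    of a SQLite database).  Sets the module-level ``imgname`` (lower-cased
    basename of the image) and ``outfd`` (the database path, or ``None``) for
    the SQL-aware scanner, makes sure the ``modscan2`` table exists, prints a
    column header and runs the scan.  Errors are reported via ``op.error``.
    """
    op = self.op
    opts = self.opts
    global imgname
    global outfd

    # The image path is mandatory and must name an existing regular file.
    if opts.filename is None or not os.path.isfile(opts.filename):
        op.error("File is required")
        return

    filename = opts.filename
    # Basename of the image, tolerant of Windows separators, lower-cased.
    imgname = filename.replace("\\", "/").lower().split("/")[-1]

    if opts.outfd1 is not None:
        outfd = opts.outfd1
        conn = sqlite3.connect(outfd)
        try:
            cur = conn.cursor()
            try:
                # Probe for the table; OperationalError means it is missing.
                cur.execute("select * from modscan2")
            except sqlite3.OperationalError:
                # Fixed DDL only -- no caller-controlled text reaches the SQL.
                cur.execute("create table modscan2 (file text, base text, size text, name text, memimage text)")
                conn.commit()
        finally:
            # The original closed only on the success path; always release the handle.
            conn.close()
    else:
        outfd = None

    try:
        flat_address_space = FileAddressSpace(filename, fast=True)
    except Exception:
        # Narrowed from a bare ``except:`` so SystemExit / KeyboardInterrupt
        # still propagate.  op.error() presumably terminates the program; the
        # explicit return guards against an unbound name if it does not.
        op.error("Unable to open image file %s" % (filename))
        return

    meta_info.set_datatypes(types)

    # Determine the applicable address space
    search_address_space = find_addr_space(flat_address_space, types)

    # Find a dtb value: discover it from the image, or take the user's hex string.
    if opts.base is None:
        sysdtb = get_dtb(search_address_space, types)
    else:
        try:
            sysdtb = int(opts.base, 16)
        except (TypeError, ValueError):
            # Only the parse failure is an input error; anything else should surface.
            op.error("Directory table base must be a hexidecimal number.")
            return
    meta_info.set_dtb(sysdtb)

    # Kernel address space: PAE first, non-PAE as the fallback.
    kaddr_space = load_pae_address_space(filename, sysdtb)
    if kaddr_space is None:
        kaddr_space = load_nopae_address_space(filename, sysdtb)
    meta_info.set_kas(kaddr_space)

    # Single-argument print() call form behaves identically on Python 2 and 3.
    print("%-50s %-12s %-8s %s \n" % ('File', 'Base', 'Size', 'Name'))
    scanners = [PoolScanModuleFast2SQL(search_address_space)]
    scan_addr_space(search_address_space, scanners)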
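def execute(self):
    """Scan a memory image for socket pool allocations, optionally into SQLite.

    Reads ``self.op`` (an option-parser-like object exposing ``error(msg)``)
    and ``self.opts`` (``filename``: path to the image file; ``base``:
    optional directory table base as a hex string; ``outfd1``: optional path
    of a SQLite database).  Sets the module-level ``imgname`` (lower-cased
    basename of the image) and ``outfd`` (the database path, or ``None``) for
    the SQL-aware scanner, makes sure the ``sockscan2`` table exists, prints a
    column header and runs the scan.  Errors are reported via ``op.error``.
    """
    op = self.op
    opts = self.opts
    global imgname
    global outfd

    # The image path is mandatory and must name an existing regular file.
    if opts.filename is None or not os.path.isfile(opts.filename):
        op.error("File is required")
        return

    filename = opts.filename
    # Basename of the image, tolerant of Windows separators, lower-cased.
    imgname = filename.replace("\\", "/").lower().split("/")[-1]

    if opts.outfd1 is not None:
        outfd = opts.outfd1
        # NOTE(review): looks like leftover debug output; kept so stdout is unchanged.
        print(outfd)
        conn = sqlite3.connect(outfd)
        try:
            cur = conn.cursor()
            try:
                # Probe for the table; OperationalError means it is missing.
                cur.execute("select * from sockscan2")
            except sqlite3.OperationalError:
                # Fixed DDL only -- no caller-controlled text reaches the SQL.
                cur.execute("create table sockscan2(pid integer, port integer, proto text, ctime text, offset text, memimage text)")
                conn.commit()
        finally:
            # The original closed only on the success path; always release the handle.
            conn.close()
    else:
        outfd = None

    try:
        flat_address_space = FileAddressSpace(filename, fast=True)
    except Exception:
        # Narrowed from a bare ``except:`` so SystemExit / KeyboardInterrupt
        # still propagate.  op.error() presumably terminates the program; the
        # explicit return guards against an unbound name if it does not.
        op.error("Unable to open image file %s" % (filename))
        return

    meta_info.set_datatypes(types)

    # Determine the applicable address space
    search_address_space = find_addr_space(flat_address_space, types)

    # Find a dtb value: discover it from the image, or take the user's hex string.
    if opts.base is None:
        sysdtb = get_dtb(search_address_space, types)
    else:
        try:
            sysdtb = int(opts.base, 16)
        except (TypeError, ValueError):
            # Only the parse failure is an input error; anything else should surface.
            op.error("Directory table base must be a hexidecimal number.")
            return
    meta_info.set_dtb(sysdtb)

    # Kernel address space: PAE first, non-PAE as the fallback.
    kaddr_space = load_pae_address_space(filename, sysdtb)
    if kaddr_space is None:
        kaddr_space = load_nopae_address_space(filename, sysdtb)
    meta_info.set_kas(kaddr_space)

    # Single-argument print() call form behaves identically on Python 2 and 3.
    print("PID Port Proto Create Time Offset \n"
          + "------ ------ ------ -------------------------- ----------\n")
    scanners = [PoolScanSockFast2SQL(search_address_space)]
    scan_addr_space(search_address_space, scanners)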