def _load_yml(self, yml_path):
    """Load the YAML metadata file at *yml_path* and apply it.

    The decoded document is kept on ``self.pmem_metadata``. Its
    ``meta.dtb_off`` value is cached on the session as ``dtb`` and
    ``meta.kaslr_slide`` as ``vm_kernel_slide``. Every run produced by
    ``self._get_readable_runs`` for the ``records`` entry is inserted
    into ``self.runs``.

    NOTE(review): the whole file is read with no size cap, and a missing
    ``meta``/``records`` key surfaces as KeyError. Whether
    ``yaml_utils.decode`` restricts itself to a safe YAML loader is not
    visible here -- confirm before feeding it metadata from a source that
    is not trusted.
    """
    with open(yml_path) as fp:
        raw_text = fp.read()

    metadata = yaml_utils.decode(raw_text)
    self.pmem_metadata = metadata

    meta = metadata["meta"]
    cache = self.session.SetCache
    cache("dtb", meta["dtb_off"])
    cache("vm_kernel_slide", meta["kaslr_slide"])

    readable_runs = self._get_readable_runs(metadata["records"])
    for run in readable_runs:
        self.runs.insert(run)
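def _parse_physical_memory_metadata(self, session, image_urn):
    """Seed session defaults from the image's ``information.yaml`` stream.

    Opens ``<image_urn>/information.yaml`` through the AFF4 resolver and
    decodes at most 10,000,000 bytes of it as YAML. ``Registers.CR3`` is
    cached as ``dtb`` and ``KernBase`` as ``kernel_base``, each only when
    the session does not already carry that parameter. A missing key is
    cached as ``None``. An IOError is logged at info level and otherwise
    ignored.

    NOTE(review): the stream is part of the image being analysed, so the
    values cached here are only as trustworthy as that image. Whether
    ``yaml_utils.decode`` uses a safe YAML loader is not visible here --
    confirm.
    """
    try:
        with self.resolver.AFF4FactoryOpen(
                image_urn.Append("information.yaml")) as fd:
            # The read size must be an int: ``10e6`` is a float literal,
            # which read() implementations that require an integer byte
            # count reject. The cap bounds how much of the stream is
            # pulled into memory and decoded.
            metadata = yaml_utils.decode(fd.read(10000000))

            # Allow the user to override the AFF4 file.
            if not session.HasParameter("dtb"):
                # A "Registers" key with a null value decodes to None, so
                # fall back to an empty mapping instead of calling .get()
                # on None.
                registers = metadata.get("Registers") or {}
                session.SetCache("dtb", registers.get("CR3"),
                                 volatile=False)

            if not session.HasParameter("kernel_base"):
                session.SetCache("kernel_base", metadata.get("KernBase"),
                                 volatile=False)
    except IOError:
        session.logging.info(
            "AFF4 volume does not contain %s/information.yaml" % image_urn)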
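def _parse_physical_memory_metadata(self, session, image_urn):
    """Read ``information.yaml`` from the AFF4 image and cache its hints.

    The stream ``<image_urn>/information.yaml`` is opened via
    ``self.resolver``. At most 10,000,000 bytes are read and decoded with
    ``yaml_utils.decode``. When the session has no ``dtb`` parameter,
    ``Registers.CR3`` is cached under that name. When it has no
    ``kernel_base`` parameter, ``KernBase`` is cached under that name.
    Absent keys are cached as ``None``. If opening or reading raises
    IOError, an info message is logged and nothing else happens.

    NOTE(review): this metadata is supplied by the image under
    examination and should be treated as untrusted input. The loader
    behind ``yaml_utils.decode`` is not shown here -- confirm it is a
    safe loader.
    """
    info_urn = image_urn.Append("information.yaml")
    try:
        with self.resolver.AFF4FactoryOpen(info_urn) as fd:
            # Pass an integer byte count. The previous ``10e6`` is a
            # float, which integer-only read() implementations refuse.
            # Keeping a cap limits how much attacker-influenced data is
            # decoded.
            metadata = yaml_utils.decode(fd.read(10000000))

            # Allow the user to override the AFF4 file.
            if not session.HasParameter("dtb"):
                # "Registers" may be present but null. Treat that like a
                # missing section rather than failing on None.get().
                registers = metadata.get("Registers") or {}
                session.SetCache(
                    "dtb", registers.get("CR3"), volatile=False)

            if not session.HasParameter("kernel_base"):
                session.SetCache(
                    "kernel_base", metadata.get("KernBase"),
                    volatile=False)
    except IOError:
        session.logging.info(
            "AFF4 volume does not contain %s/information.yaml" % image_urn)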
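def _parse_physical_memory_metadata(self, session, image_urn):
    """Copy selected ``information.yaml`` values into the session cache.

    Opens ``<image_urn>/information.yaml`` through the AFF4 resolver and
    decodes at most 10,000,000 bytes of it. ``self._parameter`` is
    iterated as ``(session_param, info_para)`` pairs, where ``info_para``
    is a dot-separated key path into the decoded document. A resolved
    value is cached under ``session_param`` unless the session already
    has that parameter. Paths that do not resolve are skipped. An IOError
    is logged at info level and otherwise ignored.

    NOTE(review): the document comes from the image under analysis, so
    its structure cannot be assumed. Whether ``yaml_utils.decode`` uses a
    safe YAML loader is not visible here -- confirm.
    """
    try:
        with self.resolver.AFF4FactoryOpen(
                image_urn.Append("information.yaml")) as fd:
            metadata = yaml_utils.decode(fd.read(10000000))

            for session_param, info_para in self._parameter:
                # Allow the user to override the AFF4 file.
                if session.HasParameter(session_param):
                    continue

                tmp = metadata
                value = None
                for key in info_para.split("."):
                    # A malformed document can put a scalar or list where
                    # a mapping is expected (or decode to nothing at
                    # all). Treat that as an unresolved path instead of
                    # raising AttributeError and aborting the load.
                    lookup = getattr(tmp, "get", None)
                    if lookup is None:
                        value = None
                        break

                    value = lookup(key)
                    if value is None:
                        break

                    tmp = value

                if value is not None:
                    session.SetCache(session_param, value, volatile=False)
    except IOError:
        session.logging.info(
            "AFF4 volume does not contain %s/information.yaml" % image_urn)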
def _load_yml(self, yml_path):
    """Load the YAML metadata file at *yml_path* and register its runs.

    The decoded document is stored on ``self.pmem_metadata``. Each item
    yielded by ``self._get_readable_runs`` for the ``records`` entry is
    unpacked into ``self.add_run``.

    NOTE(review): the file is read in full with no size cap, and whether
    ``yaml_utils.decode`` uses a safe YAML loader is not visible here --
    confirm before loading metadata from a source that is not trusted.
    """
    with open(yml_path) as fp:
        raw_text = fp.read()

    metadata = yaml_utils.decode(raw_text)
    self.pmem_metadata = metadata

    readable_runs = self._get_readable_runs(metadata["records"])
    for run in readable_runs:
        self.add_run(*run)
def Decoder(self, raw_data):
    """Return *raw_data* decoded by ``yaml_utils.decode``.

    NOTE(review): no size or type check is applied to *raw_data* here,
    and the loader used by ``yaml_utils.decode`` is not visible --
    confirm it is a safe loader if callers pass untrusted data.
    """
    decoded = yaml_utils.decode(raw_data)
    return decoded