def get_kernel_function_addrs(obj_ref):
    """Return the known-good kernel function addresses and module ranges.

    Result is a tuple ``(kernel_symbol_addresses, kmods)``:

    * ``kernel_symbol_addresses`` -- whatever the profile's
      ``get_all_function_addresses()`` returns.
    * ``kmods`` -- one ``(start, end, name)`` tuple per loaded kernel
      module, with ``end = start + size``.  The module named
      ``com.apple.kpi.unsupported`` is left out.  Each range spans the
      module's full in-memory size, not only its .text (see the TODO).
    """
    import volatility.plugins.mac.lsmod as lsmod

    func_addrs = obj_ref.profile.get_all_function_addresses()

    # TODO -- make sure more stringent and parse each kext in-memory so we
    # only allow whitelist from .text
    excluded = "com.apple.kpi.unsupported"
    ranges = []
    for kmod in lsmod.mac_lsmod(obj_ref._config).calculate():
        if str(kmod.name) == excluded:
            continue
        ranges.append((kmod.address, kmod.address + kmod.m('size'), kmod.name))

    return (func_addrs, ranges)
def modules(self):
    """Print one row per loaded kernel module.

    Columns, in order: object offset (hex), name, load address (hex) and
    size (decimal).  Modules come from ``lsmod.mac_lsmod`` run against
    ``self._config``.
    """
    row_fmt = "{3:16x} {0:48} {1:16x} {2:6d}"
    for mod in lsmod.mac_lsmod(self._config).calculate():
        row = row_fmt.format(mod.name, mod.address, mod.m('size'), mod.obj_offset)
        print(row)
def get_kernel_addrs(obj_ref):
    """Return the known kernel symbol addresses and module address ranges.

    Result is ``(kernel_symbol_addresses, kmods)`` where the first element
    is the profile's ``get_all_addresses()`` result (all symbols, not only
    functions -- see the TODO) and ``kmods`` is a list of
    ``(start, end, name)`` tuples, ``end = start + size``, for every
    loaded module.  Unlike some sibling helpers, no module is filtered out
    here.  Each range covers the module's whole in-memory size rather
    than just its .text.
    """
    import volatility.plugins.mac.lsmod as lsmod

    # all the known addresses in the kernel
    # TODO -- make more stringent and get only symbols from .text
    symbol_addrs = obj_ref.profile.get_all_addresses()

    # module addresses, tuple of (start, end)
    # TODO -- make sure more stringent and parse each kext in-memory so we
    # only allow whitelist from .text
    loaded = lsmod.mac_lsmod(obj_ref._config).calculate()
    module_ranges = [
        (kmod.address, kmod.address + kmod.m('size'), kmod.name)
        for kmod in loaded
    ]

    return (symbol_addrs, module_ranges)
def get_modules(cls, addr_space):
    """Enumerate the kernel modules.

    :param addr_space | <addrspace.AbstractVirtualAddressSpace>
    :returns <tuple> ``(mods, mod_addrs)`` -- ``mods`` maps each module's
        masked load address (``addr_space.address_mask``) to its module
        object; ``mod_addrs`` is that key set sorted ascending.  If two
        modules mask to the same address, the later one wins the key.
    """
    mask = addr_space.address_mask
    loaded = mac_lsmod.mac_lsmod(addr_space.get_config()).calculate()
    by_addr = {mask(mod.address): mod for mod in loaded}
    return (by_addr, sorted(by_addr))
def get_kernel_addrs_start_end(obj_ref):
    """Return ``(start, end, kmods)`` describing the kernel text bounds.

    ``start`` and ``end`` are ``unsigned long`` objects read from the
    profile's ``_vm_kernel_stext`` / ``_vm_kernel_etext`` symbols in
    ``obj_ref.addr_space``; the ``get_symbol`` results are passed to
    ``obj.Object`` without a None check.  ``kmods`` is a list of
    ``(start, end, name)`` per loaded module except
    ``com.apple.kpi.unsupported``, using raw ``.v()`` integers and
    ``end = start + size`` -- the whole module image, not only .text.
    """
    import volatility.plugins.mac.lsmod as lsmod

    profile = obj_ref.profile
    space = obj_ref.addr_space
    stext_sym = profile.get_symbol("_vm_kernel_stext")
    etext_sym = profile.get_symbol("_vm_kernel_etext")
    start = obj.Object("unsigned long", offset=stext_sym, vm=space)
    end = obj.Object("unsigned long", offset=etext_sym, vm=space)

    # module addresses, tuple of (start, end)
    # TODO -- make sure more stringent and parse each kext in-memory so we
    # only allow whitelist from .text
    def keep(kmod):
        return str(kmod.name) != "com.apple.kpi.unsupported"

    kmods = [
        (kmod.address.v(), kmod.address.v() + kmod.m('size'), kmod.name)
        for kmod in lsmod.mac_lsmod(obj_ref._config).calculate()
        if keep(kmod)
    ]

    return (start, end, kmods)
def get_kernel_addrs_start_end(obj_ref):
    """Return ``(start, end, kmods)`` for the kernel text range and modules.

    ``start``/``end`` are ``unsigned long`` objects read at the addresses
    the profile returns for ``_vm_kernel_stext`` and ``_vm_kernel_etext``
    (no None check on the symbol lookups).  ``kmods`` holds one
    ``(start, end, name)`` tuple per loaded module other than
    ``com.apple.kpi.unsupported``; ``start`` is the raw ``.v()`` load
    address and ``end`` is ``start + size``, i.e. the full module image
    rather than just its .text (see the TODO).
    """
    import volatility.plugins.mac.lsmod as lsmod

    stext = obj_ref.profile.get_symbol("_vm_kernel_stext")
    etext = obj_ref.profile.get_symbol("_vm_kernel_etext")
    vm = obj_ref.addr_space
    start = obj.Object("unsigned long", offset=stext, vm=vm)
    end = obj.Object("unsigned long", offset=etext, vm=vm)

    # module addresses, tuple of (start, end)
    # TODO -- make sure more stringent and parse each kext in-memory so we
    # only allow whitelist from .text
    ranges = []
    for kmod in lsmod.mac_lsmod(obj_ref._config).calculate():
        if str(kmod.name) == "com.apple.kpi.unsupported":
            continue
        base = kmod.address.v()
        ranges.append((base, kmod.address.v() + kmod.m('size'), kmod.name))

    return (start, end, ranges)
def modules(self):
    """Print one row per loaded kernel module.

    Columns: object offset (hex), name, load address (hex), size (decimal).
    Uses the single-argument ``print(...)`` form, which prints the same
    text under both Python 2 and Python 3.
    """
    fmt = "{3:16x} {0:48} {1:16x} {2:6d}"
    for mod in lsmod.mac_lsmod(self._config).calculate():
        print(fmt.format(mod.name, mod.address, mod.m('size'), mod.obj_offset))