/我手敲的代码(中文注释)/chapter11/volatility-2.3/build/lib/volatility/plugins/bioskbd.py

https://github.com/giantbranch/python-hacker-code · Python · 64 lines · 35 code · 4 blank · 25 comment · 1 complexity · 6bf15099428f6c8fa7828a1ffdebec38 MD5 · raw file 

    

  1. # Volatility
    2. 

  2. #
    3. 

  3. # Authors:
    4. 

  4. # Adam Boileau <metlstorm@storm.net.nz>
    5. 

  5. # Mike Auty <mike.auty@gmail.com>
    6. 

  6. #
    7. 

  7. # This file is part of Volatility.
    8. 

  8. #
    9. 

  9. # Volatility is free software; you can redistribute it and/or modify
    10. 

  10. # it under the terms of the GNU General Public License Version 2 as
    11. 

  11. # published by the Free Software Foundation.  You may not use, modify or
    12. 

  12. # distribute this program under any other version of the GNU General
    13. 

  13. # Public License.
    14. 

  14. #
    15. 

  15. # Volatility is distributed in the hope that it will be useful,
    16. 

  16. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    17. 

  17. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    18. 

  18. # GNU General Public License for more details.
    19. 

  19. #
    20. 

  20. # You should have received a copy of the GNU General Public License
    21. 

  21. # along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
    22. 

  22. #
    23. 

  23. # *Heavily* based upon http://www.storm.net.nz/static/files/bioskbsnarf
    24. 

  24. 

  25. import struct
    26. 

  26. import volatility.plugins.common as common
    27. 

  27. import volatility.utils as utils
    28. 

  28. import volatility.debug as debug
    29. 

  29. 

  30. class BiosKbd(common.AbstractWindowsCommand):
    31. 

  31.     """Reads the keyboard buffer from Real Mode memory"""
    32. 

  32.     BASE = 0x400
    33. 

  33.     OFFSET = 0x17
    34. 

  34.     BUFOFFSET = 0x1e
    35. 

  35.     LEN = 39
    36. 

  36.     FORMAT = "<BBBHH32s"
    37. 

  37. 

  38.     def render_text(self, outfd, data):
    39. 

  39.         """Displays the character codes"""
    40. 

  40.         outfd.write("Ascii     Scancode\n")
    41. 

  41.         for c, s in data:
    42. 

  42.             outfd.write("{0} (0x{1:02x})   0x{2:02x}\n".format(self.format_char(c), ord(c), s))
    43. 

  43. 

  44.     def format_char(self, c):
    45. 

  45.         """Prints out an ascii printable character"""
    46. 

  46.         if c in '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ[]{};\'#:@~,./<>?!"$%^&*()_+-=`\\|':
    47. 

  47.             return c
    48. 

  48.         return "."
    49. 

  49. 

  50.     def calculate(self):
    51. 

  51.         """Calculate returns the results of the bios keyboard reading"""
    52. 

  52.         addr_space = utils.load_as(self._config, astype = 'physical')
    53. 

  53.         data = addr_space.read(self.BASE + self.OFFSET, self.LEN)
    54. 

  54.         if not data or len(data) != self.LEN:
    55. 

  55.             debug.error("Failed to read keyboard buffer, please check this is a physical memory image.")
    56. 

  56.         _shifta, _shiftb, _alt, readp, _writep, buf = struct.unpack(self.FORMAT, data)
    57. 

  57.         unringed = buf[readp - self.BUFOFFSET:]
    58. 

  58.         unringed += buf[:readp - self.BUFOFFSET]
    59. 

  59.         results = []
    60. 

  60.         for i in range(0, len(unringed) - 2, 2):
    61. 

  61.             if ord(unringed[i]) != 0:
    62. 

  62.                 results.append((unringed[i], ord(unringed[i + 1])))
    63. 

  63. 

  64.         return results
    65.