/我手敲的代码(中文注释)/chapter11/volatility-2.3/build/lib/volatility/plugins/sockets.py

https://github.com/giantbranch/python-hacker-code · Python · 72 lines · 39 code · 10 blank · 23 comment · 6 complexity · 6c51560a4a295023ea15a2bdc214af9a MD5 · raw file 

    

  1. # Volatility
    2. 

  2. #
    3. 

  3. # Authors:
    4. 

  4. # Mike Auty <mike.auty@gmail.com>
    5. 

  5. #
    6. 

  6. # This file is part of Volatility.
    7. 

  7. #
    8. 

  8. # Volatility is free software; you can redistribute it and/or modify
    9. 

  9. # it under the terms of the GNU General Public License Version 2 as
    10. 

  10. # published by the Free Software Foundation.  You may not use, modify or
    11. 

  11. # distribute this program under any other version of the GNU General
    12. 

  12. # Public License.
    13. 

  13. #
    14. 

  14. # Volatility is distributed in the hope that it will be useful,
    15. 

  15. # but WITHOUT ANY WARRANTY; without even the implied warranty of
    16. 

  16. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    17. 

  17. # GNU General Public License for more details.
    18. 

  18. #
    19. 

  19. # You should have received a copy of the GNU General Public License
    20. 

  20. # along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
    21. 

  21. #
    22. 

  22. 

  23. #pylint: disable-msg=C0111
    24. 

  24. 

  25. import volatility.plugins.common as common
    26. 

  26. import volatility.debug as debug
    27. 

  27. import volatility.win32 as win32
    28. 

  28. import volatility.utils as utils
    29. 

  29. import volatility.protos as protos
    30. 

  30. 

  31. class Sockets(common.AbstractWindowsCommand):
    32. 

  32.     """Print list of open sockets"""
    33. 

  33.     def __init__(self, config, *args, **kwargs):
    34. 

  34.         common.AbstractWindowsCommand.__init__(self, config, *args, **kwargs)
    35. 

  35.         config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False,
    36. 

  36.                           cache_invalidator = False,
    37. 

  37.                           help = "Physical Offset", action = "store_true")
    38. 

  38. 

  39.     @staticmethod
    40. 

  40.     def is_valid_profile(profile):
    41. 

  41.         return (profile.metadata.get('os', 'unknown') == 'windows' and
    42. 

  42.                 profile.metadata.get('major', 0) == 5)
    43. 

  43. 

  44.     def render_text(self, outfd, data):
    45. 

  45.         offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
    46. 

  46.         self.table_header(outfd,
    47. 

  47.                           [("Offset{0}".format(offsettype), "[addrpad]"),
    48. 

  48.                            ("PID", ">8"),
    49. 

  49.                            ("Port", ">6"),
    50. 

  50.                            ("Proto", ">6"),
    51. 

  51.                            ("Protocol", "15"),
    52. 

  52.                            ("Address", "15"),
    53. 

  53.                            ("Create Time", "")
    54. 

  54.                            ])
    55. 

  55. 

  56.         for sock in data:
    57. 

  57.             if not self._config.PHYSICAL_OFFSET:
    58. 

  58.                 offset = sock.obj_offset
    59. 

  59.             else:
    60. 

  60.                 offset = sock.obj_vm.vtop(sock.obj_offset)
    61. 

  61. 

  62.             self.table_row(outfd, offset, sock.Pid, sock.LocalPort, sock.Protocol,
    63. 

  63.                            protos.protos.get(sock.Protocol.v(), "-"),
    64. 

  64.                            sock.LocalIpAddress, sock.CreateTime)
    65. 

  65. 

  66.     def calculate(self):
    67. 

  67.         addr_space = utils.load_as(self._config)
    68. 

  68. 

  69.         if not self.is_valid_profile(addr_space.profile):
    70. 

  70.             debug.error("This command does not support the selected profile.")
    71. 

  71. 

  72.         return win32.network.determine_sockets(addr_space)
    73.