Plugin to do analysis on the stack of user space applications.
Public Member Functions

def __init__(self, config, args, kwargs)
def load_symbols(self, dir)
    Loads function symbols from a directory.
def calculate(self)
def analyze_stack(self, process_info, task, thread_number)
    Analyzes the stack, building the stack frames and performing validation.
def find_oldschool_frames(self, p, proc_as, registers)
    Builds a list of stack frames by following the saved (old) frame pointer chain.
def find_scanned_frames(self, p, address, end)
    Find frames by scanning for return addresses.
def find_entry_point(self, proc_as, start_code)
    Read the entry point from the program header.
def validate_stack_frames(self, frames)
    Attempt to validate stack frames; broken and unused.
def is_return_address(self, address, process_info)
    Checks if the address is a return address by checking whether the preceding instruction is a CALL.
def find_return_libc_start(self, proc_as, start_stack, return_start)
    Scans the stack for a given address, in this case the return address of __libc_start_main.
def find_return_main(self, proc_as, libc_start, libc_end, start_address)
    Find the return address of the main function by scanning for pointers into libc.
def find_locals_size(self, proc_as, frames)
    Find the size of the function's locals, similar to GDB's prologue analysis.
def has_frame_pointer(self, function_address, proc_as)
    Check if the function at function_address has a frame pointer.
def is_function_header(self, instructions)
    Check if something is a function header (with frame pointer and locals).
def find_function_symbol(self, task, address)
    Match a function symbol to a function address.
def find_function_address(self, proc_as, ret_addr)
    Calculates the function address given a return address.
def calculate_annotations(self, frames)
    Create annotations using the frame list.
def render_text(self, outfd, data)
def write_annotated_stack(self, f, stack_ann)
    Writes an annotated stack to a file (the -o option).

Public Attributes

symbols
undefined
dump_file
decode_as
outfd
def volatility.plugins.linux.process_stack.linux_process_stack.analyze_stack(self, process_info, task, thread_number)
Analyzes the stack, building the stack frames and performing validation.
    process_info: The process info object
    task: the task_struct
    thread_number: the thread number for use in process info
def volatility.plugins.linux.process_stack.linux_process_stack.calculate_annotations(self, frames)
Create annotations using the frame list.
    frames: a list of stack frames
def volatility.plugins.linux.process_stack.linux_process_stack.find_entry_point(self, proc_as, start_code)
Read the entry point from the program header.
    proc_as: Process address space
    start_code: Start of the program code mapping
def volatility.plugins.linux.process_stack.linux_process_stack.find_function_address(self, proc_as, ret_addr)
Calculates the function address given a return address.
Disassembles code to get through the double indirection introduced by the Linux PLT.
    proc_as: Process address space
    ret_addr: Return address
def volatility.plugins.linux.process_stack.linux_process_stack.find_function_symbol(self, task, address)
Match a function symbol to a function address.
    task: the task_struct
    address: The function address
def volatility.plugins.linux.process_stack.linux_process_stack.find_locals_size(self, proc_as, frames)
Find the size of the function's locals, similar to GDB's prologue analysis.
Buggy and not actually used.
    proc_as: Process address space
    frames: a list of stack frames
def volatility.plugins.linux.process_stack.linux_process_stack.find_oldschool_frames(self, p, proc_as, registers)
Builds a list of stack frames by following the saved (old) frame pointer chain.
    p: process info
    proc_as: process address space
    registers: cpu registers
def volatility.plugins.linux.process_stack.linux_process_stack.find_return_libc_start(self, proc_as, start_stack, return_start)
Scans the stack for a given address, in this case the return address of __libc_start_main.
    proc_as: Process address space
    start_stack: Start address to search
    return_start: The return address to find
def volatility.plugins.linux.process_stack.linux_process_stack.find_return_main(self, proc_as, libc_start, libc_end, start_address)
Find the return address of the main function by scanning for pointers into libc.
At this point we look for specific patterns in the code to gather addresses.
    proc_as: Process address space
    libc_start: Start address of libc code
    libc_end: End address of libc code
    start_address: The address to start the scan at
def volatility.plugins.linux.process_stack.linux_process_stack.find_scanned_frames(self, p, address, end)
Find frames by scanning for return addresses.
    p: process info object
    address: Start address
    end: End address
def volatility.plugins.linux.process_stack.linux_process_stack.has_frame_pointer(self, function_address, proc_as)
Check if the function at function_address has a frame pointer.
    function_address: An address of a function (code)
    proc_as: Process address space
def volatility.plugins.linux.process_stack.linux_process_stack.is_function_header(self, instructions)
Check if something is a function header (with frame pointer and locals).
    instructions: distorm disassembled instructions
def volatility.plugins.linux.process_stack.linux_process_stack.is_return_address(self, address, process_info)
Checks if the address is a return address by checking whether the preceding instruction is a CALL.
    address: An address
    process_info: process info object
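The two heuristics this plugin documents for find_oldschool_frames and is_return_address, as an added Python example that is not the plugin's own code: it follows the saved-frame-pointer chain through a constructed 64-bit stack and checks each return address by looking for a CALL opcode (E8 rel32 or FF /2 with a register operand) immediately before it. ToyAddressSpace, CODE, STACK and PROC_AS are constructed stand-ins for Volatility's process address space, not real image data.

```python
import struct

class ToyAddressSpace:
    """Constructed stand-in for a Volatility process address space: {base: bytes}."""
    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, length):
        for base, data in self.regions.items():
            if base <= addr and addr + length <= base + len(data):
                return data[addr - base:addr - base + length]
        return None  # unmapped, like a page missing from a memory image

    def read_qword(self, addr):
        data = self.read(addr, 8)
        return struct.unpack("<Q", data)[0] if data else None

def is_return_address(proc_as, address):
    """True if the bytes just before address decode to a CALL: E8 rel32 (5 bytes)
    or FF /2 with a register operand (2 bytes). Other CALL encodings are not handled."""
    direct = proc_as.read(address - 5, 5)
    if direct and direct[0] == 0xE8:
        return True
    indirect = proc_as.read(address - 2, 2)
    return bool(indirect and indirect[0] == 0xFF and (indirect[1] >> 3) & 7 == 2)

def find_oldschool_frames(proc_as, rbp, stack_lo, stack_hi, max_frames=64):
    """Follow saved RBP links: each frame holds [saved rbp][return address].
    Returns (frame address, return address, return-address check passed) tuples."""
    frames = []
    while stack_lo <= rbp < stack_hi and len(frames) < max_frames:
        saved_rbp = proc_as.read_qword(rbp)
        ret = proc_as.read_qword(rbp + 8)
        if saved_rbp is None or ret is None:
            break
        frames.append((rbp, ret, is_return_address(proc_as, ret)))
        if saved_rbp <= rbp:  # chain must move up the stack; 0 marks the outermost frame
            break
        rbp = saved_rbp
    return frames

# Constructed code at 0x400000: nop nop nop; call rel32; nop; call rax; nop nop nop; ret
CODE = bytes.fromhex("909090e80000000090ffd0909090c3")
# Constructed stack at 0x7ffc0000: three frames, innermost first; the last one's
# return address (0x400002) is preceded by a nop, so it fails the CALL check.
STACK = struct.pack("<8Q", 0x7ffc0020, 0x400008, 0xdeadbeef, 0x1234,
                    0x7ffc0030, 0x40000B, 0, 0x400002)
PROC_AS = ToyAddressSpace({0x400000: CODE, 0x7ffc0000: STACK})

if __name__ == "__main__":
    for rbp, ret, ok in find_oldschool_frames(PROC_AS, 0x7ffc0000, 0x7ffc0000, 0x7ffc0040):
        print(f"frame @ {rbp:#x}  ret {ret:#x}  {'CALL precedes' if ok else 'no CALL: suspect'}")
```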
def volatility.plugins.linux.process_stack.linux_process_stack.load_symbols(self, dir)
Loads function symbols from a directory.
    dir: the directory
def volatility.plugins.linux.process_stack.linux_process_stack.validate_stack_frames(self, frames)
Attempt to validate stack frames; broken and unused.
    frames: list of frames
def volatility.plugins.linux.process_stack.linux_process_stack.write_annotated_stack(self, f, stack_ann)
Writes an annotated stack to a file (the -o option).
    f: The file to write
    stack_ann: the annotated stack dict as returned by calculate_annotations()