The Volatility Framework
volatility.plugins.linux.process_stack.linux_process_stack Class Reference

Plugin to do analysis on the stack of user space applications.

Public Member Functions

def __init__(self, config, args, kwargs)

def load_symbols(self, dir)
  Loads function symbols from a directory.

def calculate(self)

def analyze_stack(self, process_info, task, thread_number)
  Analyzes the stack, building the stack frames and performing validation.

def find_oldschool_frames(self, p, proc_as, registers)
  Builds a list of stack frames by following the saved frame pointer chain.

def find_scanned_frames(self, p, address, end)
  Finds frames by scanning for return addresses.

def find_entry_point(self, proc_as, start_code)
  Reads the entry point from the program header.

def validate_stack_frames(self, frames)
  Attempts to validate stack frames; broken and unused.

def is_return_address(self, address, process_info)
  Checks whether an address is a return address by testing whether the preceding instruction is a CALL.

def find_return_libc_start(self, proc_as, start_stack, return_start)
  Scans the stack for a given address, in this case the return address of __libc_start_main.

def find_return_main(self, proc_as, libc_start, libc_end, start_address)
  Finds the return address of the main function by scanning for pointers into libc.

def find_locals_size(self, proc_as, frames)
  Finds the size of a function's locals, similar to GDB's prologue analysis.

def has_frame_pointer(self, function_address, proc_as)
  Checks whether the function at function_address has a frame pointer.

def is_function_header(self, instructions)
  Checks whether a sequence of instructions is a function header (frame pointer setup and locals).

def find_function_symbol(self, task, address)
  Matches a function symbol to a function address.

def find_function_address(self, proc_as, ret_addr)
  Calculates the function address given a return address.

def calculate_annotations(self, frames)
  Creates annotations using the frame list.

def render_text(self, outfd, data)

def write_annotated_stack(self, f, stack_ann)
  Writes an annotated stack to a file (the -o option).

Public Attributes

symbols
undefined
dump_file
decode_as
outfd

Detailed Description

Plugin to do analysis on the stack of user space applications.

Member Function Documentation

def analyze_stack(self, process_info, task, thread_number)

Analyzes the stack, building the stack frames and performing validation.

Parameters
  process_info: the process info object
  task: the task_struct
  thread_number: the thread number, for use in the process info
Returns
  a tuple (process info, registers, frames list) or None

def calculate_annotations(self, frames)

Creates annotations using the frame list.

Parameters
  frames: a list of stack frames
Returns
  a dict of stack address -> (value, annotation)

def find_entry_point(self, proc_as, start_code)

Reads the entry point from the program header.

Parameters
  proc_as: process address space
  start_code: start of the program code mapping
Returns
  the address of the entry point (_start)

def find_function_address(self, proc_as, ret_addr)

Calculates the function address given a return address.

Disassembles code to get through the double indirection introduced by the Linux PLT.

Parameters
  proc_as: process address space
  ret_addr: return address
Returns
  the function address or None

def find_function_symbol(self, task, address)

Matches a function symbol to a function address.

Parameters
  task: the task_struct
  address: the function address
Returns
  the function symbol or None

def find_locals_size(self, proc_as, frames)

Finds the size of a function's locals, similar to GDB's prologue analysis.

Buggy and not actually used.

Parameters
  proc_as: process address space
  frames: a list of stack frames
Returns
  None

def find_oldschool_frames(self, p, proc_as, registers)

Builds a list of stack frames by following the saved frame pointer chain.

Parameters
  p: process info
  proc_as: process address space
  registers: CPU registers
Returns
  a list of frames

def find_return_libc_start(self, proc_as, start_stack, return_start)

Scans the stack for a given address, in this case the return address of __libc_start_main.

Parameters
  proc_as: process address space
  start_stack: start address of the search
  return_start: the return address to find
Returns
  the address found or None

def find_return_main(self, proc_as, libc_start, libc_end, start_address)

Finds the return address of the main function by scanning for pointers into libc.

At this point specific patterns in the code are looked for to gather addresses.

Parameters
  proc_as: process address space
  libc_start: start address of the libc code
  libc_end: end address of the libc code
  start_address: the address at which to start the scan
Returns
  the address on the stack and an offset (the location of the main address on the stack), or None/False

def find_scanned_frames(self, p, address, end)

Finds frames by scanning for return addresses.

Parameters
  p: process info object
  address: start address
  end: end address
Returns
  a list of frames

def has_frame_pointer(self, function_address, proc_as)

Checks whether the function at function_address has a frame pointer.

Parameters
  function_address: the address of a function (code)
  proc_as: process address space
Returns
  True or False

def is_function_header(self, instructions)

Checks whether a sequence of instructions is a function header (frame pointer setup and locals).

Parameters
  instructions: distorm disassembled instructions
Returns
  True or False

def is_return_address(self, address, process_info)

Checks whether an address is a return address by testing whether the preceding instruction is a CALL.

Parameters
  address: an address
  process_info: process info object
Returns
  True or False
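The two ideas behind find_oldschool_frames and is_return_address, frame-pointer walking and checking that a return address is preceded by a CALL, as an added example that is not the plugin's own code. FlatAddressSpace, the sample x86-64 image and its addresses are constructed stand-ins for Volatility's process address space and for the distorm disassembly the plugin uses.

```python
import struct

class FlatAddressSpace:
    """Constructed stand-in for a Volatility process address space: {base: bytes} regions."""
    def __init__(self, regions):
        self.regions = regions
    def read(self, addr, n):
        for base, data in self.regions.items():
            if base <= addr and addr + n <= base + len(data):
                return bytes(data[addr - base:addr - base + n])
        return None  # unmapped, like a hole in the memory image
    def qword(self, addr):
        b = self.read(addr, 8)
        return struct.unpack("<Q", b)[0] if b else None

def walk_frame_pointers(proc_as, rbp, stack_lo, stack_hi, limit=64):
    """Follow the saved-rbp chain: on x86-64 [rbp] holds the caller's rbp, [rbp+8] the return address."""
    frames = []
    while len(frames) < limit and stack_lo <= rbp <= stack_hi - 16:  # link must lie on the stack
        saved_rbp, ret = proc_as.qword(rbp), proc_as.qword(rbp + 8)
        frames.append((rbp, ret))
        if saved_rbp is None or saved_rbp <= rbp:  # chain must move toward older (higher) frames
            break
        rbp = saved_rbp
    return frames

def is_return_address(proc_as, addr):
    """Bytes before a genuine return address decode as a CALL: E8 rel32, FF /2 reg or FF 15 disp32."""
    b = proc_as.read(addr - 5, 5)
    if b and b[0] == 0xE8:
        return True
    b = proc_as.read(addr - 2, 2)
    if b and b[0] == 0xFF and b[1] >> 6 == 3 and (b[1] >> 3) & 7 == 2:
        return True
    b = proc_as.read(addr - 6, 6)
    return bool(b) and b[0] == 0xFF and b[1] == 0x15

# Constructed sample: main calls foo (E8 rel32), foo calls bar (FF D0), libc called main (FF 15).
STACK_LO, STACK_HI = 0x7FFC0000, 0x7FFC1000
code = bytearray(0x40)
code[0x10:0x15] = b"\xE8\x00\x00\x00\x00"  # call foo -> returns to 0x400015
code[0x30:0x32] = b"\xFF\xD0"              # call rax -> returns to 0x400032
libc = bytearray(b"\xFF\x15\x00\x00\x00\x00" + b"\x90" * 10)  # -> returns to 0x7F0000001006
stack = bytearray(STACK_HI - STACK_LO)
def put(addr, val): stack[addr - STACK_LO:addr - STACK_LO + 8] = struct.pack("<Q", val)
put(0x7FFC0F00, 0x7FFC0F40); put(0x7FFC0F08, 0x400032)        # bar's frame
put(0x7FFC0F40, 0x7FFC0F80); put(0x7FFC0F48, 0x400015)        # foo's frame
put(0x7FFC0F80, 0);          put(0x7FFC0F88, 0x7F0000001006)  # main's frame, libc zeroed rbp
PROC_AS = FlatAddressSpace({0x400000: code, 0x7F0000001000: libc, STACK_LO: stack})
```

Starting the walk at bar's rbp (0x7FFC0F00) yields three frames whose return addresses all pass the CALL check; the chain ends at main's frame because its saved rbp is zero, the value the x86-64 ABI assigns to the outermost frame.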
def load_symbols(self, dir)

Loads function symbols from a directory.

Parameters
  dir: the directory
Returns
  a symbol dict or None

def validate_stack_frames(self, frames)

Attempts to validate stack frames; broken and unused.

Parameters
  frames: list of frames
Returns
  None

def write_annotated_stack(self, f, stack_ann)

Writes an annotated stack to a file (the -o option).

Parameters
  f: the file to write to
  stack_ann: the annotated stack dict as returned by calculate_annotations()
Returns
  None
