A class to collect various information about a process/task. More...

Inheritance diagram for volatility.plugins.linux.process_info.process_info:

Public Member Functions
def	__init__ (self, task)

def	maps (self)

def	maps (self, value)
	Setter for maps. More...

def	reg (self)

def	reg (self, value)
	Setter for reg. More...

def	stack (self)
	Get the list of stack values (old code). More...

def	stack (self, value)
	Set the stack list (old code). More...

def	threads (self)
	Get the list of threads for this process. More...

def	threads (self, value)
	Set the list of threads. More...

def	get_stack_value (self, address)
	Read a value from the stack, by using the stack list (old code). More...

def	get_stack_index (self, address)
	Calculates the index on the stack list given an address. More...

def	annotate_addr_list
	Annotates a list of addresses with some basic pointer and register information (old code). More...

def	is_stack_pointer (self, addr)
	Check if addr is a pointer to the (main) stack. More...

def	is_thread_stack_pointer (self, addr)
	Check if addr is a pointer to a thread stack. More...

def	is_heap_pointer (self, addr)
	Check if addr is a pointer to the heap. More...

def	is_constant_pointer (self, addr)
	Check if addr is a pointer to a program constant. More...

def	is_program_code_pointer (self, addr)
	Check if addr is a pointer to the program code. More...

def	is_library_code_pointer (self, addr)
	Check if addr is a pointer to library code. More...

def	is_code_pointer (self, addr)
	Check if addr is a pointer to an executable section of memory. More...

def	is_data_pointer (self, addr)
	Check if addr points to data (not code) More...

def	is_pointer
	Check if addr is any sort of pointer. More...

def	get_map_by_name
	Find a memory mapping (vm_area) by its name (not exact match). More...

def	get_unique_data_pointers (self)
	A filter over get_data_pointers() to get only unique values. More...

def	get_unique_pointers
	Filter an iterator to only return unique values. More...

def	get_data_pointers (self)
	Calls get_pointers with self.is_data_pointer as a filter. More...

def	get_pointers
	Finds pointers given a condition and a space. More...

def	get_data_pointers_from_heap (self)
	Find data pointers on the heap, very slow. More...

def	get_data_pointers_from_map (self, m)
	Find data pointers from a specific mapping, very slow. More...

def	get_data_pointers_from_threads (self)
	Find data pointers from all threads. More...

def	get_pointers_from_stack (self)
	Find pointers on the main stack. More...

def	get_pointer_type (self, addr)
	Determine the pointer type for a specific address. More...

def	annotated_stack (self)
	Uses annotate_addr_list() to annotate the stack. More...

Public Attributes
	task

	mm

	mm_brk
	obj.CType is really slow (getattr), so we do this

	mm_end_code

	mm_end_data

	mm_env_end

	mm_start_brk

	mm_start_code

	mm_start_data

	proc_as

	kernel_as

	env

	rest_stack

	args

	vm_stack_low

	vm_stack_high

	stack_frames

	thread_stacks

	thread_stack_ranges

	is_pointer_dict

	thread_registers

Detailed Description

A class to collect various information about a process/task.

Includes helper functions to detect pointers.

Member Function Documentation

def volatility.plugins.linux.process_info.process_info.annotate_addr_list	(	self,
		l,
		offset = `None`,
		skip_zero = `True`
	)

Annotates a list of addresses with some basic pointer and register information (old code).

Parameters

l	list of addresses.
offset	Offset of the list
skip_zero

Returns: : An annotated list

def volatility.plugins.linux.process_info.process_info.annotated_stack ( self )

Uses annotate_addr_list() to annotate the stack.

Returns: : An annotated address list of the stack

def volatility.plugins.linux.process_info.process_info.get_data_pointers ( self )

Calls get_pointers with self.is_data_pointer as a filter.

Returns: : An iterator of pointers

def volatility.plugins.linux.process_info.process_info.get_data_pointers_from_heap ( self )

Find data pointers on the heap, very slow.

Returns: : An iterator of pointers

def volatility.plugins.linux.process_info.process_info.get_data_pointers_from_map	(	self,
		m
	)

Find data pointers from a specific mapping, very slow.

Parameters

m	The vm_area map

Returns: : An iterator of pointers

def volatility.plugins.linux.process_info.process_info.get_data_pointers_from_threads ( self )

Find data pointers from all threads.

Returns: : An iterator of all pointers on thread stacks

def volatility.plugins.linux.process_info.process_info.get_map_by_name	(	self,
		name,
		permissions = `'r-x'`
	)

Find a memory mapping (vm_area) by its name (not exact match).

Optionally, check permissions.

Parameters

name	The mapped name to find.
permissions	Permissions in 'rwx' format

Returns: : A (vm_start, vm_end, libname) tuple or None

def volatility.plugins.linux.process_info.process_info.get_pointer_type	(	self,
		addr
	)

Determine the pointer type for a specific address.

Parameters

addr	An address.

Returns: : String pointer type

def volatility.plugins.linux.process_info.process_info.get_pointers	(	self,
		cond = `None`,
		space = `None`
	)

Finds pointers given a condition and a space.

(old code)

Parameters

cond	The type of pointer to filter, defaults to self.is_pointer
space	The list of values to use, defaults to self.stack

Returns: : An iterator of addresses and their values.

def volatility.plugins.linux.process_info.process_info.get_pointers_from_stack ( self )

Find pointers on the main stack.

Returns: : An iterator of pointers

def volatility.plugins.linux.process_info.process_info.get_stack_index	(	self,
		address
	)

Calculates the index on the stack list given an address.

Parameters

address The address to find

Returns: : an index into process_info.stack

def volatility.plugins.linux.process_info.process_info.get_stack_value	(	self,
		address
	)

Read a value from the stack, by using the stack list (old code).

Parameters

address The address to read.

Returns: : The word at this address.

def volatility.plugins.linux.process_info.process_info.get_unique_data_pointers ( self )

A filter over get_data_pointers() to get only unique values.

Returns: : A iterator of pointers.

def volatility.plugins.linux.process_info.process_info.get_unique_pointers	(	self,
		pointer_iter = `None`
	)

Filter an iterator to only return unique values.

Parameters

pointer_iter The pointer iterator to use. If None, use get_pointers().

Returns: : An iterator of unique pointers

def volatility.plugins.linux.process_info.process_info.is_code_pointer	(	self,
		addr
	)

Check if addr is a pointer to an executable section of memory.

Parameters

addr	An address

Returns: : True or False

def volatility.plugins.linux.process_info.process_info.is_constant_pointer	(	self,
		addr
	)

Check if addr is a pointer to a program constant.

Parameters

addr	An address

Returns: : True of False

def volatility.plugins.linux.process_info.process_info.is_data_pointer	(	self,
		addr
	)

Check if addr points to data (not code)

Parameters

addr	An address

Returns: : True or False

def volatility.plugins.linux.process_info.process_info.is_heap_pointer	(	self,
		addr
	)

Check if addr is a pointer to the heap.

Parameters

addr	An address

Returns: : True or False

def volatility.plugins.linux.process_info.process_info.is_library_code_pointer	(	self,
		addr
	)

Check if addr is a pointer to library code.

Parameters

addr	An address

Returns: : True or False

def volatility.plugins.linux.process_info.process_info.is_pointer	(	self,
		addr,
		space = `None`
	)

Check if addr is any sort of pointer.

Parameters

addr	An address
space	A choice of stack, heap, etc

Returns: : True or False

def volatility.plugins.linux.process_info.process_info.is_program_code_pointer	(	self,
		addr
	)

Check if addr is a pointer to the program code.

Parameters

addr	An address

Returns: : True of False

def volatility.plugins.linux.process_info.process_info.is_stack_pointer	(	self,
		addr
	)

Check if addr is a pointer to the (main) stack.

Parameters

addr	An address

Returns: : True or False

def volatility.plugins.linux.process_info.process_info.is_thread_stack_pointer	(	self,
		addr
	)

Check if addr is a pointer to a thread stack.

FIXME: enable checking a specific stack.

Parameters

addr	An address

Returns: : True or False

def volatility.plugins.linux.process_info.process_info.maps ( self )

Returns: : the vm_area maps list.

def volatility.plugins.linux.process_info.process_info.maps	(	self,
		value
	)

Setter for maps.

Also initializes some other values.

Parameters

value The list of vm_area maps

Returns: : None

def volatility.plugins.linux.process_info.process_info.reg ( self )

Returns: : the registers named tuple for this process

def volatility.plugins.linux.process_info.process_info.reg	(	self,
		value
	)

Setter for reg.

Parameters

value The named tuple for registers.

Returns: : None

def volatility.plugins.linux.process_info.process_info.stack ( self )

Get the list of stack values (old code).

Returns: : stack integer list.

def volatility.plugins.linux.process_info.process_info.stack	(	self,
		value
	)

Set the stack list (old code).

Parameters

value a list of integers.

Returns: : None

def volatility.plugins.linux.process_info.process_info.threads ( self )

Get the list of threads for this process.

Returns: : a list of task_structs (threads).

def volatility.plugins.linux.process_info.process_info.threads	(	self,
		value
	)

Set the list of threads.

Initializes the list of register tuples for these threads.

Parameters

value The list of task_structs.

Returns: : None

The documentation for this class was generated from the following file:

volatility/plugins/linux/process_info.py

Public Member Functions

Public Attributes

Detailed Description

Member Function Documentation