/usr/lib/python2.7/dist-packages/volatility/plugins/handles.py is in volatility 2.4-4.
This file is owned by root:root, with mode 0o644.
# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# Additional Authors:
# Michael Ligh <michael.ligh@mnin.org>
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility. If not, see <http://www.gnu.org/licenses/>.
#
import volatility.plugins.taskmods as taskmods
# Inherit from Dlllist for command line options
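class Handles(taskmods.DllList):
    """Print list of open handles for each process

    Walks the handle table of every process selected by the inherited
    DllList options and yields one row per valid handle: the handle table
    entry itself, the kernel object type name and a type-specific
    description (file path with device, registry key path, target
    process/thread, or the object's NameInfo name for anything else).

    Every string shown here is read straight out of the memory image.
    In an anti-forensics scenario that data is attacker-influenced
    (names may be misleading, over-long or contain unprintable bytes);
    it is emitted unmodified, so treat it as untrusted when the output is
    piped into other tooling.
    """

    def __init__(self, config, *args, **kwargs):
        taskmods.DllList.__init__(self, config, *args, **kwargs)
        # -P: show the physical offset of the object body instead of the
        # virtual one (translated in render_text).
        config.add_option("PHYSICAL-OFFSET", short_option = 'P', default = False,
                          help = "Physical Offset", action = "store_true")
        # -t: comma-separated whitelist of object type names to display.
        config.add_option("OBJECT-TYPE", short_option = 't', default = None,
                          help = 'Show these object types (comma-separated)',
                          action = 'store', type = 'str')
        # -s: drop rows for which no descriptive name could be derived.
        config.add_option("SILENT", short_option = 's', default = False,
                          action = 'store_true', help = 'Suppress less meaningful results')

    @staticmethod
    def _parse_object_types(spec):
        """Turn the -t option value into a list of object type names.

        Whitespace around each entry is stripped and empty entries are
        dropped, so ``-t "File, Key"`` selects both types instead of
        silently matching nothing for ``" Key"``.  Returns [] (meaning
        "no filtering") when *spec* is None/empty or holds no names.
        """
        if not spec:
            return []
        return [item.strip() for item in spec.split(',') if item.strip()]

    def render_text(self, outfd, data):
        """Render the rows from calculate() as a text table.

        :param outfd: output stream handed to table_header()/table_row()
        :param data:  iterable of (pid, handle, object_type, name) tuples
        """
        offsettype = "(V)" if not self._config.PHYSICAL_OFFSET else "(P)"
        self.table_header(outfd,
                          [("Offset{0}".format(offsettype), "[addrpad]"),
                           ("Pid", ">6"),
                           ("Handle", "[addr]"),
                           ("Access", "[addr]"),
                           ("Type", "26"),
                           ("Details", "")
                          ])

        object_list = self._parse_object_types(self._config.OBJECT_TYPE)

        for pid, handle, object_type, name in data:
            # Exact, case-sensitive match against the kernel's object type
            # name (e.g. "File", "Key", "Process", "Thread").
            if object_list and object_type not in object_list:
                continue
            # -s: skip rows whose name is empty once quote characters are
            # removed (an unnamed object would otherwise render as '').
            if self._config.SILENT:
                if len(name.replace("'", "")) == 0:
                    continue

            if not self._config.PHYSICAL_OFFSET:
                offset = handle.Body.obj_offset
            else:
                # NOTE(review): vtop() presumably returns None when the page
                # is not mapped, and the [addrpad] formatter would then fail
                # on this row -- confirm whether handle.is_valid() in
                # calculate() already rules that case out.
                offset = handle.obj_vm.vtop(handle.Body.obj_offset)

            self.table_row(outfd, offset, pid, handle.HandleValue, handle.GrantedAccess, object_type, name)

    def calculate(self):
        """Yield (pid, handle, object_type, name) for each valid handle.

        Processes come from DllList.calculate(), so the parent's process
        selection options apply.  A process whose ObjectTable has no
        HandleTableList is skipped entirely, as is any handle entry that
        fails is_valid().  ``name`` is "" when no description applies.
        """
        for task in taskmods.DllList.calculate(self):
            pid = task.UniqueProcessId

            if task.ObjectTable.HandleTableList:
                for handle in task.ObjectTable.handles():
                    if not handle.is_valid():
                        continue

                    name = ""
                    object_type = handle.get_object_type()
                    if object_type == "File":
                        file_obj = handle.dereference_as("_FILE_OBJECT")
                        name = str(file_obj.file_name_with_device())
                    elif object_type == "Key":
                        key_obj = handle.dereference_as("_CM_KEY_BODY")
                        name = key_obj.full_key_name()
                    elif object_type == "Process":
                        proc_obj = handle.dereference_as("_EPROCESS")
                        name = "{0}({1})".format(proc_obj.ImageFileName, proc_obj.UniqueProcessId)
                    elif object_type == "Thread":
                        thrd_obj = handle.dereference_as("_ETHREAD")
                        name = "TID {0} PID {1}".format(thrd_obj.Cid.UniqueThread, thrd_obj.Cid.UniqueProcess)
                    elif handle.NameInfo.Name == None:
                        # Kept as '== None' on purpose: NameInfo.Name is a
                        # Volatility object that may be a NoneObject (bad or
                        # unreadable pointer) rather than the None singleton;
                        # verify NoneObject.__eq__ before changing to 'is None'.
                        name = ''
                    else:
                        name = str(handle.NameInfo.Name)

                    yield pid, handle, object_type, name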