
/usr/lib/python2.7/dist-packages/volatility/plugins/linux/pkt_queues.py is in volatility 2.4-4.

This file is owned by root:root, with mode 0o644.


# Volatility
# Copyright (C) 2007-2013 Volatility Foundation
#
# This file is part of Volatility.
#
# Volatility is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Volatility is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Volatility.  If not, see <http://www.gnu.org/licenses/>.
#

"""
@author:       Andrew Case
@license:      GNU General Public License 2.0
@contact:      atcuno@gmail.com
@organization: 
"""
import os
import volatility.obj as obj
import volatility.debug as debug
import volatility.plugins.linux.netstat as linux_netstat
import volatility.plugins.linux.common as linux_common

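class linux_pkt_queues(linux_netstat.linux_netstat):
    """Writes per-process packet queues out to disk

    Builds on linux_netstat: for every socket it reports, the sk_buff lists
    hanging off ``sk_receive_queue`` and ``sk_write_queue`` are walked and the
    packet payloads are appended to one file per (queue, pid, fd) under the
    operator-supplied DUMP-DIR.
    """

    def __init__(self, config, *args, **kwargs):
        """Register the DUMP-DIR / -D option on top of linux_netstat's options."""
        linux_netstat.linux_netstat.__init__(self, config, *args, **kwargs)
        self._config.add_option('DUMP-DIR', short_option = 'D', default = None, help = 'output directory for recovered packets', action = 'store', type = 'str')

    def _dump_queue(self, fname, queue):
        """Walk the sk_buff list of *queue* and append each packet's payload to
        ``fname`` inside ``self.edir``.

        The output file is created lazily, on the first buffer that actually
        carries data, so queues whose buffers are all empty leave no 0-byte
        files behind.  The file is closed on every exit path, including an
        exception raised while reading the image.

        Returns the total number of payload bytes written (0 if nothing was).
        """
        wrote = 0
        outfile = None
        # The list pointers come straight out of the memory image and may be
        # corrupt or partially overwritten; remember every sk_buff address we
        # visit so a loop in the list terminates instead of spinning forever.
        seen = set()

        sk_buff = queue.m("next")

        try:
            # sk_buff_head is circular: the walk ends when "next" points back
            # at the head (queue.v()) or the pointer no longer dereferences.
            while sk_buff and sk_buff != queue.v():
                addr = sk_buff.v()
                if addr in seen:
                    debug.warning("sk_buff list for {0:s} loops back on itself at {1:#x}; stopping".format(fname, addr))
                    break
                seen.add(addr)

                pkt_len = sk_buff.len

                # 0xffffffff is treated as an invalid/poisoned length.  Note
                # that no other upper bound is applied: a corrupt length below
                # that value is passed to zread as-is.
                if pkt_len > 0 and pkt_len != 0xffffffff:
                    if outfile is None:
                        outfile = open(os.path.join(self.edir, fname), "wb")

                    outfile.write(self.addr_space.zread(sk_buff.data, pkt_len))
                    wrote += pkt_len

                sk_buff = sk_buff.next
        finally:
            if outfile is not None:
                outfile.close()

        return wrote

    def process_queue(self, name, pid, fd_num, queue):
        """Dump one socket queue and yield a one-line summary if data was written.

        name   -- queue label ("receive" or "write"), used in the file name
        pid    -- owning process id
        fd_num -- file descriptor number of the socket in that process
        queue  -- the sk_buff_head to walk

        The output name is "<name>.<pid>.<fd_num>": a fixed label plus two
        integers, so it cannot contain path separators and always lands
        directly inside self.edir.  Yields at most one status string.
        """
        if queue.qlen == 0:
            return

        fname = "{0:s}.{1:d}.{2:d}".format(name, pid, fd_num)
        # All file handling happens (and finishes) before the single yield, so
        # a consumer that stops iterating early cannot leave the file open.
        wrote = self._dump_queue(fname, queue)

        if wrote:
            yield "Wrote {0:d} bytes to {1:s}".format(wrote, fname)

    def calculate(self):
        """Validate DUMP-DIR, then dump the receive and write queue of every
        socket found by linux_netstat, yielding one status line per file.
        """
        linux_common.set_plugin_members(self)
        self.edir = self._config.DUMP_DIR

        # debug.error() aborts the plugin, so nothing below runs without a
        # usable output directory.
        if not self.edir:
            debug.error("No output directory given.")

        if not os.path.isdir(self.edir):
            debug.error(self.edir + " is not a directory")

        for (task, fd_num, _, inet_sock) in linux_netstat.linux_netstat(self._config).calculate():
            sk = inet_sock.sk

            for msg in self.process_queue("receive", task.pid, fd_num, sk.sk_receive_queue):
                yield msg

            for msg in self.process_queue("write", task.pid, fd_num, sk.sk_write_queue):
                yield msg

    def render_text(self, outfd, data):
        """Print each status line produced by calculate(), one per line."""
        for msg in data:
            outfd.write(msg + "\n")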