I am trying to write a Volatility plugin that extracts the configuration file used by a piece of malware from a memory dump. However, when I run this plugin without root privileges (without `sudo`), the plugin crashes at yara.compile. If I run the plugin with `sudo`, the code after yara.compile never executes. I don't know why yara.compile causes this problem. Can anyone help me? Below is the code I wrote:
import volatility.plugins.common as common
import volatility.utils as utils
import volatility.win32.tasks as tasks
import volatility.debug as debug
import volatility.plugins.malware.malfind as malfind
import volatility.conf as conf
import volatility.plugins.taskmods as taskmods

# yara is optional at import time; the plugin refuses to run later if it is missing.
try:
    import yara
    HAS_YARA = True
except ImportError:
    HAS_YARA = False

# Rule source keyed by namespace, in the format yara.compile(sources=...) expects.
YARA_SIGS = {
    'malware_conf': 'rule malware_conf {strings: $a = /<settings/ condition: $a}'
}


class malwarescan(taskmods.PSList):

    def get_vad_base(self, task, address):
        # Walk the process VAD tree and return the base of the region containing address.
        for vad in task.VadRoot.traverse():
            if address >= vad.Start and address < vad.End:
                return vad.Start
        return None

    def calculate(self):
        if not HAS_YARA:
            debug.error('Yara must be installed for this plugin')
        print "in calculate function"
        kernel_space = utils.load_as(self._config)
        print "before yara compile"
        rules = yara.compile(sources=YARA_SIGS)
        print "after yara compile"
        for process in tasks.pslist(kernel_space):
            # Only scan Internet Explorer processes.
            if "IEXPLORE.EXE".lower() == process.ImageFileName.lower():
                scanner = malfind.VadYaraScanner(task=process, rules=rules)
                for hit, address in scanner.scan():
                    vad_base_addr = self.get_vad_base(process, address)
                    yield process, address

    def render_text(self, outfd, data):
        for process, address in data:
            outfd.write("Process: {0}, Pid: {1}\n".format(process.ImageFileName, process.UniqueProcessId))
So when I run this plugin with root privileges, I don't see the line print "after yara compile" being executed. What is the reason? Thank you.
I installed yara via pip. If you install yara via pip, you actually get yara-ctypes (https://github.com/mjdorma/yara-ctypes), which is a bit different from yara-python. So I uninstalled yara-ctypes and installed yara-python. Then it worked.
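The answer above comes down to a packaging collision: two different PyPI distributions (`yara`, which is yara-ctypes, and `yara-python`) both install a top-level module named `yara`, so `import yara` succeeding says nothing about which API you got. The following pre-flight check is an added example, not the poster's code or part of Volatility; it assumes those two distribution names and Python 3 (the plugin above targets Volatility 2 on Python 2, so the check would have to use `pkg_resources` there instead of `importlib.metadata`). It classifies the installed distributions and then probes the yara-python calls the plugin actually relies on, `yara.compile(sources=...)` and `Rules.match(data=...)`, against a constructed byte string, so the failure surfaces with a clear message instead of a crash or a hang inside `calculate()`.

```python
"""Pre-flight check: which PyPI package is behind `import yara`, and does it behave like yara-python?"""
import importlib.metadata as md

# PyPI distribution names (assumption based on the answer above:
# `pip install yara` -> yara-ctypes, `pip install yara-python` -> VirusTotal's yara-python).
YARA_PYTHON_DIST = "yara-python"
YARA_CTYPES_DIST = "yara"

# Same rule source as the plugin, in the yara-python sources={namespace: rule} form.
YARA_SIGS = {
    'malware_conf': 'rule malware_conf {strings: $a = /<settings/ condition: $a}'
}

# Constructed sample buffer standing in for a VAD region of the target process.
SAMPLE_BUFFER = b"\x00" * 16 + b"<settings><c2>example.invalid</c2></settings>" + b"\x00" * 16


def classify_yara_dists(dist_names):
    """Classify an iterable of installed distribution names.

    Returns 'yara-python', 'yara-ctypes', 'both' or 'none'. Names are compared
    case-insensitively because package metadata is not normalized consistently.
    """
    names = {n.lower() for n in dist_names if n}
    has_python = YARA_PYTHON_DIST in names
    has_ctypes = YARA_CTYPES_DIST in names
    if has_python and has_ctypes:
        return "both"
    if has_python:
        return "yara-python"
    if has_ctypes:
        return "yara-ctypes"
    return "none"


def installed_dist_names():
    """Distribution names visible to this interpreter (not module names)."""
    return [d.metadata["Name"] for d in md.distributions() if d.metadata["Name"]]


def probe_yara_python(sources, data):
    """Exercise the two yara-python calls the plugin depends on.

    Returns (ok, detail). Any ImportError, AttributeError or TypeError means the
    `yara` module on sys.path is not yara-python (or not a usable build of it).
    """
    try:
        import yara
        rules = yara.compile(sources=sources)
        matches = rules.match(data=data)
    except ImportError as exc:
        return False, "yara module not importable: %s" % exc
    except (AttributeError, TypeError) as exc:
        return False, "yara module present but not yara-python API: %s" % exc
    return True, "matched rules: %s" % [m.rule for m in matches]


def check_yara_binding():
    """Raise early, with an actionable message, instead of crashing inside yara.compile."""
    verdict = classify_yara_dists(installed_dist_names())
    if verdict in ("yara-ctypes", "both"):
        raise RuntimeError(
            "Distribution '%s' (yara-ctypes) is installed and shadows yara-python; "
            "run `pip uninstall yara` and `pip install yara-python`." % YARA_CTYPES_DIST)
    ok, detail = probe_yara_python(YARA_SIGS, SAMPLE_BUFFER)
    if not ok:
        raise RuntimeError("yara-python check failed (%s): %s" % (verdict, detail))
    return detail


if __name__ == "__main__":
    print(check_yara_binding())
```

Run the script in the same interpreter Volatility uses (with and without `sudo`, since root may resolve a different `site-packages`); a `both` verdict is the case to watch for, because whichever distribution was installed last owns the `yara` module on disk.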