概要
PyREBox のプラグインの作法を調べてみた。
実際に plugin を作ってみた。
サンプルコード
プロセス生成コールバックを受けるたびに、Volatility の pslist でゲスト内のプロセス一覧を表示する。
from __future__ import print_function
from utils import get_addr_space
from api import CallbackManager
import volatility.win32.tasks as tasks
# Module-wide state filled in by initialize_callbacks(): the CallbackManager
# that owns this plugin's callbacks, and the printer PyREBox hands us for output.
cm, pyrebox_print = None, None
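def new_proc(params):
    """CREATEPROC_CB handler: log the new process, then dump the guest task list.

    Args:
        params: dict passed by PyREBox; this handler reads the keys ``pid``,
            ``pgd`` and ``name`` (process id, page directory base, image name).

    Returns:
        None. Output goes through the module-level ``pyrebox_print``; the
        process list is obtained via ``tasks.pslist`` on the address space
        for ``pgd``.
    """
    pid = params["pid"]
    pgd = params["pgd"]
    name = params["name"]
    # NOTE(review): ``name`` and ``ImageFileName`` below come out of guest
    # memory, which is attacker-controlled when the guest runs malware. They
    # are printed verbatim, so a sample can push control/escape sequences into
    # the console log; wrap them in repr() if this output feeds anything
    # other than an interactive shell.
    pyrebox_print("Process %x started with pgd: %x. Name: %s" % (pid, pgd, name))
    addr_space = get_addr_space(pgd)
    # Iterate the task generator directly instead of materialising a list
    # that was only ever walked once.
    for task in tasks.pslist(addr_space):
        pyrebox_print("Process %s PID:%x" % (task.ImageFileName, task.UniqueProcessId))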
def clean():
    """Module teardown hook: drop every callback this plugin registered.

    Uses the module-level ``cm`` created by ``initialize_callbacks`` and
    reports progress through the module-level ``pyrebox_print``.
    """
    global cm
    log = pyrebox_print
    log("[*] Cleaning module")
    cm.clean()
    log("[*] Cleaned module")
def initialize_callbacks(module_hdl, printer):
    """Plugin entry point invoked when PyREBox loads this module.

    Args:
        module_hdl: handle PyREBox assigns to this module; passed straight
            to ``CallbackManager``.
        printer: output function; stored as the module-level ``pyrebox_print``.

    Side effects: sets the module globals ``cm`` and ``pyrebox_print`` and
    registers ``new_proc`` for CREATEPROC_CB under the name "vmi_new_proc".
    """
    global cm, pyrebox_print
    pyrebox_print = printer
    printer("[*] Initializing callbacks")
    cm = CallbackManager(module_hdl, new_style=True)
    cm.add_callback(CallbackManager.CREATEPROC_CB, new_proc, name="vmi_new_proc")
    printer("[*] Initialized callbacks")
if __name__ == "__main__":
    # Only reached when the file is run directly. When loaded as a plugin the
    # module is presumably imported and initialize_callbacks() is called
    # instead, so this is just a load-time banner.
    print("[*] Loading python module %s" % (__file__))
以上。