def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: """This vmware translation layer always requires a separate metadata layer.""" return [ requirements.TranslationLayerRequirement(name = 'base_layer', optional = False), requirements.TranslationLayerRequirement(name = 'meta_layer', optional = False) ]
def get_requirements(cls): # Since we're calling the plugin, make sure we have the plugin's requirements return [ requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]), requirements.SymbolTableRequirement( name="nt_symbols", description="Windows kernel symbols"), requirements.IntRequirement( name='pid', description= "Process ID to include (all other processes are excluded)", optional=True), requirements.StringRequirement( name="imphash", description="Search single imphash value", optional=True), requirements.StringRequirement( name="imphashlist", description="Search imphash list file", optional=True), requirements.PluginRequirement(name='pslist', plugin=pslist.PsList, version=(2, 0, 0)), requirements.PluginRequirement(name='vadinfo', plugin=vadinfo.VadInfo, version=(2, 0, 0)), ]
def get_requirements(cls): return [ requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]), ]
def get_requirements( cls) -> List[interfaces.configuration.RequirementInterface]: # Since we're calling the plugin, make sure we have the plugin's requirements return [requirements.TranslationLayerRequirement(name = 'primary', description = 'Memory layer for the kernel', architectures = ["Intel32", "Intel64"]), requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"), # TODO: Convert this to a ListRequirement so that people can filter on sets of ranges requirements.IntRequirement(name = 'address', description = "Process virtual memory address to include " \ "(all other address ranges are excluded). This must be " \ "a base address, not an address within the desired range.", optional = True), requirements.ListRequirement(name = 'pid', description = 'Filter on specific process IDs', element_type = int, optional = True), requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (2, 0, 0)), requirements.BooleanRequirement(name = 'dump', description = "Extract listed memory ranges", default = False, optional = True), requirements.IntRequirement(name = 'maxsize', description = "Maximum size for dumped VAD sections " \ "(all the bigger sections will be ignored)", default = cls.MAXSIZE_DEFAULT, optional = True), ]
def get_requirements(cls): # Since we're calling the plugin, make sure we have the plugin's requirements return [ requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]), requirements.SymbolTableRequirement( name="nt_symbols", description="Windows kernel symbols"), requirements.ListRequirement( name='pid', element_type=int, description= "Process IDs to include (all other processes are excluded)", optional=True), requirements.BooleanRequirement( name='dump', description="Extract injected VADs", default=False, optional=True), requirements.VersionRequirement(name='pslist', component=pslist.PsList, version=(2, 0, 0)), requirements.VersionRequirement(name='vadinfo', component=vadinfo.VadInfo, version=(2, 0, 0)) ]
def get_requirements(cls): return [ requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]), requirements.SymbolTableRequirement( name="nt_symbols", description="Windows kernel symbols"), requirements.PluginRequirement(name='pslist', plugin=pslist.PsList, version=(2, 0, 0)), requirements.VersionRequirement(name='info', component=info.Info, version=(1, 0, 0)), requirements.ListRequirement( name='pid', element_type=int, description= "Process ID to include (all other processes are excluded)", optional=True), requirements.BooleanRequirement( name='dump', description="Extract listed processes", default=False, optional=True) ]
def get_requirements( cls) -> List[interfaces.configuration.RequirementInterface]: # Since we're calling the plugin, make sure we have the plugin's requirements return [ requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]), requirements.SymbolTableRequirement( name="nt_symbols", description="Windows kernel symbols"), requirements.IntRequirement( name='pid', description= "Process ID to include (all other processes are excluded)", optional=True), requirements.IntRequirement( name='virtaddr', description= "Dump a single _FILE_OBJECT at this virtual address", optional=True), requirements.IntRequirement( name='physaddr', description= "Dump a single _FILE_OBJECT at this physical address", optional=True), requirements.VersionRequirement(name='pslist', component=pslist.PsList, version=(2, 0, 0)), requirements.VersionRequirement(name='handles', component=handles.Handles, version=(1, 0, 0)) ]
def get_requirements(cls): return [ requirements.TranslationLayerRequirement(name = 'primary', description = 'Memory layer for the kernel', architectures = ["Intel32", "Intel64"]), requirements.SymbolTableRequirement(name = "darwin", description = "Mac kernel"), ]
def get_requirements( cls) -> List[interfaces.configuration.RequirementInterface]: return [ requirements.TranslationLayerRequirement( name='primary', description="Memory layer for the kernel", architectures=["Intel32", "Intel64"]), requirements.SymbolTableRequirement( name="nt_symbols", description="Windows kernel symbols"), requirements.IntRequirement( name="max_size", default=0x40000000, description="Set the maximum size (default is 1GB)", optional=True), requirements.VersionRequirement(name='pslist', component=pslist.PsList, version=(2, 0, 0)), requirements.IntRequirement( name='pid', description= "Process ID to include (all other processes are excluded)", optional=True), requirements.URIRequirement(name="yara_file", description="Yara rules (as a file)", optional=True), requirements.PluginRequirement(name='vadyarascan', plugin=vadyarascan.VadYaraScan, version=(1, 0, 0)), requirements.VersionRequirement(name='vadinfo', component=vadinfo.VadInfo, version=(2, 0, 0)), ]
def get_requirements( cls) -> List[interfaces.configuration.RequirementInterface]: return [ requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]), requirements.SymbolTableRequirement( name="nt_symbols", description="Windows kernel symbols"), requirements.PluginRequirement(name='hivelist', plugin=hivelist.HiveList, version=(1, 0, 0)), requirements.IntRequirement(name='offset', description="Hive Offset", default=None, optional=True), requirements.StringRequirement(name='key', description="Key to start from", default=None, optional=True), requirements.BooleanRequirement( name='recurse', description='Recurses through keys', default=False, optional=True) ]
def get_requirements( cls) -> List[interfaces.configuration.RequirementInterface]: return [ requirements.TranslationLayerRequirement( name='primary', description="Memory layer for the kernel", architectures=["Intel32", "Intel64"]), requirements.BooleanRequirement( name="insensitive", description="Makes the search case insensitive", default=False, optional=True), requirements.BooleanRequirement( name="wide", description="Match wide (unicode) strings", default=False, optional=True), requirements.StringRequirement( name="yara_rules", description="Yara rules (as a string)", optional=True), requirements.URIRequirement(name="yara_file", description="Yara rules (as a file)", optional=True), requirements.IntRequirement( name="max_size", default=0x40000000, description="Set the maximum size (default is 1GB)", optional=True) ]
def get_requirements( cls) -> List[interfaces.configuration.RequirementInterface]: ## TODO: we might add a regex option on the name later, but otherwise we're good ## TODO: and we don't want any CLI options from pslist, modules, or moddump return [ requirements.PluginRequirement(name='pslist', plugin=pslist.PsList, version=(2, 0, 0)), requirements.PluginRequirement(name='modules', plugin=modules.Modules, version=(1, 0, 0)), requirements.VersionRequirement(name='dlllist', component=dlllist.DllList, version=(2, 0, 0)), requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]), requirements.SymbolTableRequirement( name="nt_symbols", description="Windows kernel symbols"), requirements.BooleanRequirement( name="extensive", description="Search physical layer for version information", optional=True, default=False), ]
def get_requirements( cls) -> List[interfaces.configuration.RequirementInterface]: return [ requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]), requirements.IntRequirement( name='block_size', description="Size of blocks to copy over", default=cls.default_block_size, optional=True), requirements.BooleanRequirement( name='list', description='List available layers', default=False, optional=True), requirements.ListRequirement( name='layers', element_type=str, description= 'Names of layers to write (defaults to the highest non-mapped layer)', default=None, optional=True) ]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: return [ requirements.TranslationLayerRequirement(name = 'primary', description = "Memory layer for the kernel", architectures = ["Intel32", "Intel64"]), requirements.BooleanRequirement(name = "insensitive", description = "Makes the search case insensitive", default = False, optional = True), requirements.BooleanRequirement(name = "wide", description = "Match wide (unicode) strings", default = False, optional = True), requirements.StringRequirement(name = "yara_rules", description = "Yara rules (as a string)", optional = True), requirements.URIRequirement(name = "yara_file", description = "Yara rules (as a file)", optional = True), # This additional requirement is to follow suit with upstream, who feel that compiled rules could potentially be used to execute malicious code # As such, there's a separate option to run compiled files, as happened with yara-3.9 and later requirements.URIRequirement(name = "yara_compiled_file", description = "Yara compiled rules (as a file)", optional = True), requirements.IntRequirement(name = "max_size", default = 0x40000000, description = "Set the maximum size (default is 1GB)", optional = True) ]
def get_requirements(cls): return [ requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]), requirements.SymbolTableRequirement( name="nt_symbols", description="Windows kernel symbols"), requirements.BooleanRequirement( name='physical', description='Display physical offsets instead of virtual', default=cls.PHYSICAL_DEFAULT, optional=True), requirements.ListRequirement( name='pid', element_type=int, description= "Process ID to include (all other processes are excluded)", optional=True), requirements.BooleanRequirement( name='dump', description="Extract listed processes", default=False, optional=True) ]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: return [ requirements.TranslationLayerRequirement(name = 'primary', description = 'Memory layer for the kernel', architectures = ["Intel32", "Intel64"]), requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols") ]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: return [ requirements.TranslationLayerRequirement(name = 'memory_layer', optional = False), requirements.LayerListRequirement(name = 'swap_layers', optional = True), requirements.IntRequirement(name = 'page_map_offset', optional = False), requirements.IntRequirement(name = 'kernel_virtual_offset', optional = True), requirements.StringRequirement(name = 'kernel_banner', optional = True) ]
def get_requirements(cls): return [ requirements.TranslationLayerRequirement(name = 'primary', description = 'Memory layer for the kernel', architectures = ["Intel32", "Intel64"]), requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"), requirements.PluginRequirement(name = 'hivelist', plugin = hivelist.HiveList, version = (1, 0, 0)) ]
def get_requirements( cls) -> List[interfaces.configuration.RequirementInterface]: return [ requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]) ]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: return [ requirements.TranslationLayerRequirement(name = 'primary', description = 'Memory layer for the kernel', architectures = ["Intel32", "Intel64"]), requirements.SymbolTableRequirement(name = "vmlinux", description = "Linux kernel symbols"), requirements.VersionRequirement(name = 'linuxutils', component = linux.LinuxUtilities, version = (1, 0, 0)), requirements.PluginRequirement(name = 'lsmod', plugin = lsmod.Lsmod, version = (1, 0, 0)) ]
def get_requirements( cls) -> List[interfaces.configuration.RequirementInterface]: return [ requirements.ListRequirement(name='pages', element_type=int, min_elements=1), requirements.TranslationLayerRequirement(name='base_layer'), requirements.IntRequirement(name='maximum_size') ]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: return [ requirements.TranslationLayerRequirement(name = 'primary', description = 'Memory layer for the kernel', architectures = ["Intel32", "Intel64"]), requirements.BooleanRequirement(name = 'extra', description = 'Outputs whole configuration tree', default = False, optional = True) ]
def get_requirements(cls): return [ requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]), requirements.VersionRequirement(name='yarascanner', component=yarascan.YaraScanner, version=(2, 0, 0)), ]
def __call__(self, context: interfaces.context.ContextInterface, config_path: str, requirement: interfaces.configuration.RequirementInterface, progress_callback: constants.ProgressCallback = None) -> None: """Finds translation layers that can have swap layers added.""" path_join = interfaces.configuration.path_join self._translation_requirement = self.find_requirements( context, config_path, requirement, requirements.TranslationLayerRequirement, shortcut=False) for trans_sub_config, trans_req in self._translation_requirement: if not isinstance(trans_req, requirements.TranslationLayerRequirement): # We need this so the type-checker knows we're a TranslationLayerRequirement continue swap_sub_config, swap_req = self.find_swap_requirement( trans_sub_config, trans_req) counter = 0 swap_config = interfaces.configuration.parent_path(swap_sub_config) if swap_req and swap_req.unsatisfied(context, swap_config): # See if any of them need constructing for swap_location in self.config.get('single_swap_locations', []): # Setup config locations/paths current_layer_name = swap_req.name + str(counter) current_layer_path = path_join(swap_sub_config, current_layer_name) layer_loc_path = path_join(current_layer_path, "location") layer_class_path = path_join(current_layer_path, "class") counter += 1 # Fill in the config if swap_location: context.config[current_layer_path] = current_layer_name context.config[layer_loc_path] = swap_location context.config[ layer_class_path] = 'volatility3.framework.layers.physical.FileLayer' # Add the requirement new_req = requirements.TranslationLayerRequirement( name=current_layer_name, description="Swap Layer", optional=False) swap_req.add_requirement(new_req) context.config[path_join(swap_sub_config, 'number_of_elements')] = counter context.config[swap_sub_config] = True swap_req.construct(context, swap_config)
def get_requirements(cls): return [ requirements.TranslationLayerRequirement( name='primary', description='Kernel Address Space', architectures=["Intel32", "Intel64"]), requirements.SymbolTableRequirement(name="darwin", description="Mac Kernel"), requirements.PluginRequirement(name='mount', plugin=mount.Mount, version=(1, 0, 0)), ]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: return [ requirements.TranslationLayerRequirement(name = 'primary', description = 'Memory layer for the kernel', architectures = ["Intel32", "Intel64"]), requirements.SymbolTableRequirement(name = "vmlinux", description = "Linux kernel symbols"), requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (1, 0, 0)), requirements.ListRequirement(name = 'pid', description = 'Filter on specific process IDs', element_type = int, optional = True) ]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: # Since we're calling the plugin, make sure we have the plugin's requirements return [ requirements.TranslationLayerRequirement(name = 'primary', description = 'Memory layer for the kernel', architectures = ["Intel32", "Intel64"]), requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"), requirements.StringRequirement(name = 'tags', description = "Comma separated list of pool tags to filter pools returned", optional = True, default = None) ]
def get_requirements(cls): return [ requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]), requirements.SymbolTableRequirement( name="vmlinux", description="Linux kernel symbols"), requirements.PluginRequirement(name='pslist', plugin=pslist.PsList, version=(1, 0, 0)) ]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: reqs: List[interfaces.configuration.RequirementInterface] = [] if cls == Volshell: reqs = [ requirements.URIRequirement(name = 'script', description = 'File to load and execute at start', default = None, optional = True) ] return reqs + [ requirements.TranslationLayerRequirement(name = 'primary', description = 'Memory layer for the kernel'), ]
def get_requirements(cls): return [ requirements.TranslationLayerRequirement( name='primary', description='Memory layer for the kernel', architectures=["Intel32", "Intel64"]), requirements.VersionRequirement(name='macutils', component=mac.MacUtilities, version=(1, 0, 0)), requirements.SymbolTableRequirement( name="darwin", description="Mac kernel symbols") ]