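def __init__(self, path="\\\\.\\pmem", profile="Win10x64_16299", kdbg=None, debug_enabled=False):
    """Build a Volatility config for *profile*/*path* and record the KDBG on it.

    Args:
        path: Memory source handed to ``libapi.get_config``.  The default is a
            Windows device path (presumably a live physical-memory driver --
            confirm against the project's setup notes).
        profile: Volatility profile name handed to ``libapi.get_config``.
        kdbg: Optional caller-supplied KDBG object.  When given it is stored
            as-is (only its ``.v()`` is printed); otherwise
            ``self.get_the_kdbg()`` is consulted and its ``.v()`` is stored.
        debug_enabled: When true, progress is printed to stdout.

    Side effects:
        Sets ``self.config``, ``self.kdbg`` and ``self.config.KDBG``.
    """
    self.config = libapi.get_config(profile, path)
    if debug_enabled:
        print("Config created with Profile: {0} and Path: {1}".format(profile, path))
    if kdbg:
        # Caller-supplied KDBG is kept as the object itself, not its raw value.
        self.kdbg = kdbg
        if debug_enabled:
            print("KDBG: " + hex(kdbg.v()))
    else:
        self.kdbg = self.get_the_kdbg()
        # `is not None` rather than `!= None`: a None check must not depend on
        # whatever __ne__ the returned object implements.
        if self.kdbg is not None:
            self.kdbg = self.kdbg.v()
            if debug_enabled:
                print("KDBG: " + hex(self.kdbg))
    # NOTE(review): after the .v() branch self.kdbg is a plain value, so this
    # attribute check can only match in the caller-supplied branch -- confirm
    # that self.config.KDBG is meant to hold either an object or a raw value.
    if hasattr(self.kdbg, 'KdCopyDataBlock'):
        self.kdbg = self.kdbg.KdCopyDataBlock
        if debug_enabled:
            print("KDBG: " + hex(self.kdbg))
    self.config.KDBG = self.kdbg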
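def main():
    """Print the name of every process reported by Volatility's PSList plugin.

    Command line:
        sys.argv[1] = volatility profile
        sys.argv[2] = full path on disk to your memory sample

    Writes a usage line to stderr and exits with status 2 when either argument
    is missing, instead of failing with an IndexError on sys.argv.
    """
    if len(sys.argv) < 3:
        sys.stderr.write("usage: {0} <profile> <memory-sample-path>\n".format(sys.argv[0]))
        sys.exit(2)
    profile, sample_path = sys.argv[1], sys.argv[2]
    config = libapi.get_config(profile, sample_path)
    data = libapi.get_json(config, taskmods.PSList)
    ## `data` holds two keys: `columns` (a list of column headings matching the
    ## volatility plugin output) and `rows` (a list of the values for each
    ## object found).  Either print/save all columns, or pick one by looking up
    ## its index in `columns` as done here for the process name.
    name_index = data['columns'].index('Name')
    for row in data['rows']:
        print(row[name_index])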
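def main():
    """Print the name of every process reported by Volatility's PSList plugin.

    Command line:
        sys.argv[1] = volatility profile
        sys.argv[2] = full path on disk to your memory sample

    Writes a usage line to stderr and exits with status 2 when either argument
    is missing, instead of failing with an IndexError on sys.argv.  Uses the
    parenthesised print form so the function runs under Python 2 and 3.
    """
    if len(sys.argv) < 3:
        sys.stderr.write("usage: {0} <profile> <memory-sample-path>\n".format(sys.argv[0]))
        sys.exit(2)
    profile, sample_path = sys.argv[1], sys.argv[2]
    config = libapi.get_config(profile, sample_path)
    data = libapi.get_json(config, taskmods.PSList)
    ## `data` holds two keys: `columns` (a list of column headings matching the
    ## volatility plugin output) and `rows` (a list of the values for each
    ## object found).  Either print/save all columns, or pick one by looking up
    ## its index in `columns` as done here for the process name.
    name_index = data['columns'].index('Name')
    for row in data['rows']:
        print(row[name_index])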
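def __init__(self, path = "\\\\.\\pmem", profile = "Win10x64_16299", kdbg = None, debug = False):
    """Build a Volatility config for *profile*/*path* and record the KDBG on it.

    Args:
        path: Memory source handed to ``libapi.get_config``.  The default is a
            Windows device path (presumably a live physical-memory driver --
            confirm against the project's setup notes).
        profile: Volatility profile name handed to ``libapi.get_config``.
        kdbg: Optional caller-supplied KDBG object.  When given it is stored
            as-is (only its ``.v()`` is printed); otherwise
            ``self.get_the_kdbg()`` is consulted and its ``.v()`` is stored.
        debug: When true, progress is printed to stdout.

    Side effects:
        Sets ``self.config``, ``self.kdbg`` and ``self.config.KDBG``.
    """
    self.config = libapi.get_config(profile, path)
    if debug:
        print("Config created with Profile: {0} and Path: {1}".format(profile, path))
    if kdbg:
        # Caller-supplied KDBG is kept as the object itself, not its raw value.
        self.kdbg = kdbg
        if debug:
            print("KDBG: " + hex(kdbg.v()))
    else:
        self.kdbg = self.get_the_kdbg()
        # `is not None` rather than `!= None`: a None check must not depend on
        # whatever __ne__ the returned object implements.
        if self.kdbg is not None:
            self.kdbg = self.kdbg.v()
            if debug:
                print("KDBG: " + hex(self.kdbg))
    # NOTE(review): after the .v() branch self.kdbg is a plain value, so this
    # attribute check can only match in the caller-supplied branch -- confirm
    # that self.config.KDBG is meant to hold either an object or a raw value.
    if hasattr(self.kdbg, 'KdCopyDataBlock'):
        self.kdbg = self.kdbg.KdCopyDataBlock
        if debug:
            print("KDBG: " + hex(self.kdbg))
    self.config.KDBG = self.kdbg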
class Configs: def __init__(self, path = "\\\\.\\pmem", profile = "Win10x64_16299", kdbg = None, debug = False): self.config = libapi.get_config(profile, path) if debug:
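def main(profile="WinXPSP2x86", image_path="/home/ml-petridish/cridex.vmem"):
    """Build a Volatility config for a memory image and hand it to process_list.

    Args:
        profile: Volatility profile name; defaults to the value that was
            previously hard-coded.
        image_path: Path on disk to the memory sample; defaults to the value
            that was previously hard-coded, so ``main()`` behaves as before.

    ``process_list`` is not defined in this block; it is expected to be in
    scope in the enclosing file.
    """
    config = libapi.get_config(profile, image_path)
    process_list(config)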