def __init__(self): # Get the version information on every output from the beginning # Exceptionally useful for debugging/telling people what's going on #sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION)) #sys.stderr.flush() self.config = conf.ConfObject() self.cmds = {} #self.profile = "--profile=Linuxcentos5_5x86" self.vmprocessMap = {} self.config.add_option("INFO", default = None, action = "store_true", cache_invalidator = False, help = "Print information about all registered objects") # Setup the debugging format debug.setup() # Load up modules in case they set config options registry.PluginImporter() ## Register all register_options for the various classes registry.register_global_options(self.config, addrspace.BaseAddressSpace) registry.register_global_options(self.config, commands.Command) # Reset the logging level now we know whether debug is set or not debug.setup(self.config.DEBUG) #pdb.set_trace() ## Try to find the first thing that looks like a module name self.cmds = registry.get_plugin_classes(commands.Command, lower = True)
def __init__(self): # Get the version information on every output from the beginning # Exceptionally useful for debugging/telling people what's going on #sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION)) #sys.stderr.flush() self.config.add_option("INFO", default = None, action = "store_true", cache_invalidator = False, help = "Print information about all registered objects") # Setup the debugging format debug.setup() # Load up modules in case they set config options registry.PluginImporter() ## Register all register_options for the various classes registry.register_global_options(self.config, addrspace.BaseAddressSpace) registry.register_global_options(self.config, commands.Command) # Reset the logging level now we know whether debug is set or not debug.setup(self.config.DEBUG) #pdb.set_trace() ## Try to find the first thing that looks like a module name self.cmds = registry.get_plugin_classes(commands.Command, lower = True)
def __init__(self, profile, mem_path): # Setup Vol Debugger debug.setup() registry.PluginImporter() self.memdump = mem_path self.osprofile = profile self.config = None self.addr_space = None self.init_config()
def main(): # Get the version information on every output from the beginning # Exceptionally useful for debugging/telling people what's going on sys.stderr.write( "Volatility Foundation Volatility Framework {0}\n".format( constants.VERSION ) ) sys.stderr.flush() # Setup the debugging format debug.setup() # Load up modules in case they set config options registry.PluginImporter() ## Register all register_options for the various classes registry.register_global_options(config, addrspace.BaseAddressSpace) registry.register_global_options(config, commands.Command) if config.INFO: print_info() sys.exit(0) ## Parse all the options now config.parse_options(False) # Reset the logging level now we know whether debug is set or not debug.setup(config.DEBUG) module = None ## Try to find the first thing that looks like a module name cmds = registry.get_plugin_classes(commands.Command, lower=True) for m in config.args: if m in list(cmds.keys()): module = m break if not module: config.parse_options() debug.error("You must specify something to do (try -h)") try: if module in list(cmds.keys()): command = cmds[module](config) ## Register the help cb from the command itself config.set_help_hook(obj.Curry(command_help, command)) config.parse_options() if not config.LOCATION: debug.error("Please specify a location (-l) or filename (-f)") command.execute() except exceptions.VolatilityException as e: print(e)
def volmain(argv): # Few modifications in original code config.set_usage(usage = "Volatility - A memory forensics analysis platform.") config.add_help_hook(list_plugins) argv = argv.split(" ") sys.argv = argv #print sys.argv # Get the version information on every output from the beginning # Exceptionally useful for debugging/telling people what's going on sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION)) # Setup the debugging format debug.setup() # Load up modules in case they set config options registry.PluginImporter() ## Register all register_options for the various classes registry.register_global_options(config, addrspace.BaseAddressSpace) registry.register_global_options(config, commands.Command) if config.INFO: print_info() #sys.exit(0) ## Parse all the options now config.parse_options(False) # Reset the logging level now we know whether debug is set or not debug.setup(config.DEBUG) module = None ## Try to find the first thing that looks like a module name cmds = registry.get_plugin_classes(commands.Command, lower = True) for m in config.args: if m in cmds.keys(): module = m break if not module: config.parse_options() #debug.error("You must specify something to do (try -h)") try: if module in cmds.keys(): command = cmds[module](config) ## Register the help cb from the command itself config.set_help_hook(obj.Curry(command_help, command)) config.parse_options() if not config.LOCATION: debug.error("Please specify a location (-l) or filename (-f)") #print config.LOCATION command.execute() except exceptions.VolatilityException, e: print e
def __init__(self, profile, mem_path): """ setup base config :param profile: :param mem_path: :return: """ debug.setup() registry.PluginImporter() self.memdump = mem_path self.osprofile = profile self.config = None self.addr_space = None self.init_config()
def main(): # Get the version information on every output from the beginning # Exceptionally useful for debugging/telling people what's going on sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION)) # Setup the debugging format debug.setup() # Load up modules in case they set config options MemoryRegistry.Init() ## Parse all the options now config.parse_options(False) # Reset the logging level now we know whether debug is set or not debug.setup(config.DEBUG) module = None ## Try to find the first thing that looks like a module name for m in config.args: if m in MemoryRegistry.PLUGIN_COMMANDS.commands: module = m break if not module: config.parse_options() debug.error("You must specify something to do (try -h)") if module not in MemoryRegistry.PLUGIN_COMMANDS.commands: config.parse_options() debug.error("Invalid module [{0}].".format(module)) try: if module in MemoryRegistry.PLUGIN_COMMANDS.commands: command = MemoryRegistry.PLUGIN_COMMANDS[module](config) ## Register the help cb from the command itself config.set_help_hook(obj.Curry(command_help, command)) config.parse_options() if not config.LOCATION: debug.error("Please specify a location (-l) or filename (-f)") command.execute() except utils.VolatilityException, e: print e
def __init__(self, profile='WinXPSP2x86', mem_path=''): """ Volatility 기본 설정 초기화 :param profile: :param mem_path: """ # Volatility 디버그 모듈 설정 debug.setup() # 사용 가능한 플러그인 모듈 임포트 registry.PluginImporter() self.memdump = mem_path self.osprofile = profile self.config = None self.addr_space = None self.plugins = None self.plugin_list = [] self.init_config()
def main(): # Get the version information on every output from the beginning # Exceptionally useful for debugging/telling people what's going on sys.stderr.write("Volatility Foundation Volatility Framework {0}\n".format(constants.VERSION)) sys.stderr.flush() # Setup the debugging format debug.setup() # Load up modules in case they set config options registry.PluginImporter() ## Register all register_options for the various classes registry.register_global_options(config, addrspace.BaseAddressSpace) registry.register_global_options(config, commands.Command) if config.INFO: print_info() sys.exit(0) ## Parse all the options now config.parse_options(False) # Reset the logging level now we know whether debug is set or not debug.setup(config.DEBUG) module = None ## Try to find the first thing that looks like a module name cmds = registry.get_plugin_classes(commands.Command, lower = True) for m in config.args: if m in cmds.keys(): module = m break if not module: config.parse_options() debug.error("You must specify something to do (try -h)") try: if module in cmds.keys(): command = cmds[module](config) import traceback ## Register the help cb from the command itself config.set_help_hook(obj.Curry(command_help, command)) config.parse_options() if config.XENDOMAIN: conn = libvirt.open("xen:///") if conn == None: debug.error("Failed to open connection to the hypervisor") try: dom = conn.lookupByName(config.XENDOMAIN) if dom == None: debug.error("Cannot find guest to be dumped") print "Domain: id %d running %s" % (dom.ID(), dom.OSType()) filepath = "/tmp/" + config.XENDOMAIN os.remove(filepath) if os.path.exists(filepath) else None snapshot = False if snapshot: if dom.save(filepath) < 0: debug.error("Unable save guest to %s" % filepath) print "Chosen guest saved to %s" % filepath id = conn.restore(filepath) if id < 0: debug.error('Unable to restore chosen guest from file %s' % filepath) dom = conn.lookupByName(config.XENDOMAIN) if dom == None: debug.error("Domain wasn't restored from file %s" % filepath) print "Guest memory snapshot complete! Location: %s" % filepath else: if dom.coreDump(filepath, flags = libvirt.VIR_DUMP_LIVE) < 0: debug.error("Unable to dump guest") print "Chosen guest dumped to %s" % filepath if dom == None: debug.error("Domain crashed!") print "Guest memory dump complete! Location: %s" % filepath conn.close() config.LOCATION = "file://" + filepath except: print traceback.format_exc() debug.error("Failed to find domain") if not config.LOCATION and not config.XENDOMAIN: debug.error("Please specify filename (-f) or XEN domain (-x)") command.execute() except exceptions.VolatilityException, e: print e
def main(): args = get_parser().parse_args() sys.argv = [sys.argv[0]] import volatility.plugins.taskmods as taskmods import volatility.plugins.malware.malfind as malfind import volatility.plugins.volshell as volshell import volatility.commands as commands import volatility.registry as registry import volatility.obj as obj import volatility.conf as conf import volatility.constants as constants import volatility.exceptions as exceptions import volatility.debug as debug import volatility.addrspace as addrspace import volatility.scan as scan try: debug.setup() except: pass service_name = "pmem" unload = args.unload load = args.load plugins = args.plugins output = "text" out = sys.stdout debugg = args.debug dump = args.dumpdir kdbg = args.kdbg if args.output: output = args.output if args.service: service_name = args.service if args.outfile: try: out = open(args.outfile, "wb") except: print "Unable to open file: {}\nUsing stdout".format(args.outfile) pass if not unload and not load and plugins == None: print "You must specify a plugin (or list of plugins) to run!" get_parser().print_help() out.close() return if plugins: plugins = plugins.split(",") profs = registry.get_plugin_classes(obj.Profile) if platform.system() != "Windows": print "cannot run on a non-Windows machine" out.close() return profile = "Win10x64_18362" version = get_version_number("ntdll.dll") if platform.machine() == "AMD64": driver = "winpmem_x64.sys" profile = WindowsVersionsX64.get(version, "UNKNOWN") else: driver = "winpmem_x86.sys" profile = WindowsVersionsX86.get(version, "UNKNOWN") if profile == "UNKNOWN": profile = first_try_brute_force(debugg, version) if profile == "UNKNOWN": profile = brute_force_profile(version) if profile not in profs: if debugg: print "Incorrect profile found: {0}, version: {1}".format( profile, version) profile = "Win10x64_18362" if debugg: print "Trying profile", profile if debugg: print "Suggested profile: {0}".format(profile) driver = resource_path(driver) if not service_name or not os.access(driver, os.R_OK): out.write("Make sure the driver is in place: {0}".format(driver)) sys.exit(-1) pmem_service = Service(driver=driver, service=service_name, debug=debugg) if not service_running(service_name): setup(driver, service_name, pmem_service, debugg) try: pmem_service.start() except: print "Unable to start winpmem service" out.close() return if unload: setup(driver, service_name, pmem_service, debugg) out.close() return if load: return myconfigs = Configs(path="\\\\.\\" + service_name, kdbg=kdbg, profile=profile, debug_enabled=debugg) if myconfigs.config.KDBG == None: print "Unable to find valid KDBG value... quitting" if not load: setup(driver, service_name, pmem_service, debugg) out.close() return dovolshell = False cmds = registry.get_plugin_classes(commands.Command, lower=True) if dump: import errno if not os.path.isdir(dump): try: os.makedirs(dump) except OSError as e: if e.errno != errno.EEXIST: print "Unable to create directory", dump out.close() return for p in plugins: items = plugin_cols.get(p.strip(), None) if items == None: print "Unable to process plugin", p continue cols = items["cols"] myconfigs.config.DUMP_DIR = None if p.strip() == "volshell": dovolshell = True continue if "YARA_RULES" not in items["options"]: myconfigs.config.YARA_RULES = None else: myconfigs.config.YARA_RULES = str(args.yararules) if "YARA_FILE" not in items["options"]: myconfigs.config.YARA_FILE = None else: myconfigs.config.YARA_FILE = args.yarafile if "KERNEL" not in items["options"]: myconfigs.config.KERNEL = None else: myconfigs.config.KERNEL = args.kernel if "ALL" not in items["options"]: myconfigs.config.ALL = None else: myconfigs.config.ALL = args.all if "CASE" not in items["options"]: myconfigs.config.CASE = None else: myconfigs.config.CASE = args.case if "WIDE" not in items["options"]: myconfigs.config.WIDE = None else: myconfigs.config.WIDE = args.case if "SIZE" not in items["options"]: myconfigs.config.SIZE = None elif not args.size: myconfigs.config.SIZE = 256 else: try: myconfigs.config.SIZE = int(args.size) except ValueError: try: myconfigs.config.SIZE = int(args.size, 16) except TypeError: myconfigs.config.SIZE = None if "REVERSE" not in items["options"]: myconfigs.config.REVERSE = None elif not args.reverse: myconfigs.config.REVERSE = 0 else: try: myconfigs.config.REVERSE = int(args.reverse) except ValueError: try: myconfigs.config.REVERSE = int(args.reverse, 16) except TypeError: myconfigs.config.REVERSE = None if "BASE" not in items["options"]: myconfigs.config.BASE = None else: myconfigs.config.BASE = args.base if "MEMORY" not in items["options"]: myconfigs.config.MEMORY = None else: myconfigs.config.MEMORY = args.memory if "REGEX" not in items["options"]: myconfigs.config.REGEX = None else: myconfigs.config.REGEX = args.regex if "PID" not in items["options"]: myconfigs.config.PID = None else: myconfigs.config.PID = args.pid if "OFFSET" not in items["options"]: myconfigs.config.OFFSET = None else: try: myconfigs.config.OFFSET = int(args.offset) except ValueError: try: myconfigs.config.OFFSET = int(args.offset, 16) except: print "Unable to use offset: {0}".format(args.offset) except TypeError: myconfigs.config.OFFSET = None if "NAME" not in items["options"]: myconfigs.config.NAME = None else: myconfigs.config.NAME = args.name if "KEEPNAME" not in items["options"]: myconfigs.config.NAME = None else: myconfigs.config.NAME = args.keepname if "GET_DICT" not in items["options"]: myconfigs.config.GET_DICT = 'no' else: myconfigs.config.GET_DICT = str(args.getdict) if "ADDR" not in items["options"]: myconfigs.config.ADDR = None else: myconfigs.config.ADDR = str(args.addr) if "STRUCT" not in items["options"]: myconfigs.config.STRUCT = None else: myconfigs.config.STRUCT = str(args.struct) if "PHYSOFFSET" not in items["options"]: myconfigs.config.PHYSOFFSET = None else: try: myconfigs.config.PHYSOFFSET = hex(int(args.physoffset)) except: myconfigs.config.PHYSOFFSET = args.physoffset if "PHYSICAL_OFFSET" not in items["options"] or not args.physical: myconfigs.config.PHYSICAL_OFFSET = None else: myconfigs.config.PHYSICAL_OFFSET = args.physical cols[0] = cols[0].replace("V", "P") if "IGNORE_CASE" not in items["options"]: myconfigs.config.IGNORE_CASE = None else: myconfigs.config.IGNORE_CASE = args.ignore if p.strip() in dumpers and dump: myconfigs.config.DUMP_DIR = dump elif p.strip() in dumpers and not dump and p.strip() not in [ "malfind", "yarascan" ]: print "You must supply a dump directory (--dumpdir=DIRECTORY) to dump to" print "Skipping plugin", p continue myconfigs.config.parse_options() if p.strip() == "yarascan": if output == "text": out.write("{1}Plugin: {0}{1}\n".format(p.strip(), "*" * 20)) parse_yarascan_data(myconfigs.getdata(malfind.YaraScan), out, output=output) if output == "text": out.write("{0}\n\n".format("*" * 60)) else: out.write("\n\n") continue if p.strip() == "malfind": if output == "text": out.write("{1}Plugin: {0}{1}\n".format(p.strip(), "*" * 20)) parse_malfind_data(myconfigs.getdata(malfind.Malfind), out, output=output) if output == "text": out.write("{0}\n\n".format("*" * 60)) else: out.write("\n\n") continue data = myconfigs.getdata(cmds.get(p.strip(), None)) if data == None: print "Plugin", p, "not found" continue if output == "text": out.write("{1}Plugin: {0}{1}\n".format(p.strip(), "*" * 20)) printinfos(data, out, cols, output=output) if output == "text": out.write("{0}\n\n".format("*" * 60)) else: out.write("\n\n") if dovolshell: for option in all_options: setattr(myconfigs.config, option, None) myconfigs.config.parse_options() myconfigs.gettext(volshell.volshell) if not args.leave: setup(driver, service_name, pmem_service, debugg) out.close()
def main(): args = get_parser().parse_args() sys.argv = [sys.argv[0]] import volatility.plugins.taskmods as taskmods import volatility.plugins.malware.malfind as malfind import volatility.plugins.volshell as volshell import volatility.commands as commands import volatility.registry as registry import volatility.obj as obj import volatility.conf as conf import volatility.constants as constants import volatility.exceptions as exceptions import volatility.debug as debug import volatility.addrspace as addrspace import volatility.scan as scan try: debug.setup() except: pass service_name = "pmem" unload = args.unload load = args.load plugins = args.plugins output = "text" out = sys.stdout debugg = args.debug dump = args.dumpdir if args.output: output = args.output if args.service: service_name = args.service if args.outfile: try: out = open(args.outfile, "wb") except: print "Unable to open file: {}\nUsing stdout".format(args.outfile) pass if not unload and not load and plugins == None: print "You must specify a plugin (or list of plugins) to run!" get_parser().print_help() out.close() return if plugins: plugins = plugins.split(",") profs = registry.get_plugin_classes(obj.Profile) if platform.system() != "Windows": print "cannot run on a non-Windows machine" out.close() return profile = "Win10x64_16299" version = get_version_number("ntdll.dll") if platform.machine() == "AMD64": driver = "winpmem_x64.sys" profile = WindowsVersionsX64.get(version, "UNKNOWN") else: driver = "winpmem_x86.sys" profile = WindowsVersionsX86.get(version, "UNKNOWN") if profile == "UNKNOWN": profile = brute_force_profile(version) if profile not in profs: if debugg: print "Incorrect profile found: {0}, version: {1}".format(profile, version) profile = "Win10x64_16299" if debugg: print "Trying profile", profile if debugg: print "Suggested profile: {0}".format(profile) driver = resource_path(driver) if not service_name or not os.access(driver, os.R_OK): out.write("Make sure the driver is in place: {0}".format(driver)) sys.exit(-1) pmem_service = Service(driver = driver, service = service_name, debug = debugg) if not service_running(service_name): setup(driver, service_name, pmem_service, debugg) try: pmem_service.start() except: print "Unable to start winpmem service" out.close() return if unload: setup(driver, service_name, pmem_service, debugg) out.close() return if load: return myconfigs = Configs(path = "\\\\.\\" + service_name, profile = profile, debug = debugg) if myconfigs.kdbg == None: print "Unable to find valid KDBG value... quitting" setup(driver, service_name, pmem_service, debugg) out.close() return dovolshell = False cmds = registry.get_plugin_classes(commands.Command, lower = True) if dump: import errno if not os.path.isdir(dump): try: os.makedirs(dump) except OSError as e: if e.errno != errno.EEXIST: print "Unable to create directory", dump out.close() return for p in plugins: items = plugin_cols.get(p.strip(), None) if items == None: print "Unable to process plugin", p continue cols = items["cols"] myconfigs.config.DUMP_DIR = None if p.strip() == "volshell": dovolshell = True continue if "BASE" not in items["options"]: myconfigs.config.BASE = None else: myconfigs.config.BASE = args.base if "MEMORY" not in items["options"]: myconfigs.config.MEMORY = None else: myconfigs.config.MEMORY = args.memory if "REGEX" not in items["options"]: myconfigs.config.REGEX = None else: myconfigs.config.REGEX = args.regex if "PID" not in items["options"]: myconfigs.config.PID = None else: myconfigs.config.PID = args.pid if "OFFSET" not in items["options"]: myconfigs.config.OFFSET = None else: try: myconfigs.config.OFFSET = int(args.offset) except ValueError: try: myconfigs.config.OFFSET = int(args.offset, 16) except: print "Unable to use offset: {0}".format(args.offset) except TypeError: myconfigs.config.OFFSET = None if "NAME" not in items["options"]: myconfigs.config.NAME = None else: myconfigs.config.NAME = args.name if "KEEPNAME" not in items["options"]: myconfigs.config.NAME = None else: myconfigs.config.NAME = args.keepname if "PHYSOFFSET" not in items["options"]: myconfigs.config.PHYSOFFSET = None else: try: myconfigs.config.PHYSOFFSET = hex(int(args.physoffset)) except: myconfigs.config.PHYSOFFSET = args.physoffset if "PHYSICAL_OFFSET" not in items["options"] or not args.physical: myconfigs.config.PHYSICAL_OFFSET = None else: myconfigs.config.PHYSICAL_OFFSET = args.physical cols[0] = cols[0].replace("V", "P") if "IGNORE_CASE" not in items["options"]: myconfigs.config.IGNORE_CASE = None else: myconfigs.config.IGNORE_CASE = args.ignore if p.strip() in dumpers and dump: myconfigs.config.DUMP_DIR = dump elif p.strip() in dumpers and not dump and p.strip() != "malfind": print "You must supply a dump directory (--dumpdir=DIRECTORY) to dump to" print "Skipping plugin", p continue myconfigs.config.parse_options() if p.strip() == "malfind": if output == "text": out.write("{1}Plugin: {0}{1}\n".format(p.strip(), "*" * 20)) parse_malfind_data(myconfigs.getdata(malfind.Malfind), out, output = output) if output == "text": out.write("{0}\n\n".format("*" * 60)) else: out.write("\n\n") continue data = myconfigs.getdata(cmds.get(p.strip(), None)) if data == None: print "Plugin", p, "not found" continue if output == "text": out.write("{1}Plugin: {0}{1}\n".format(p.strip(), "*" * 20)) printinfos(data, out, cols, output = output) if output == "text": out.write("{0}\n\n".format("*" * 60)) else: out.write("\n\n") if dovolshell: for option in all_options: setattr(myconfigs.config, option, None) myconfigs.config.parse_options() myconfigs.gettext(volshell.volshell) if not args.leave: setup(driver, service_name, pmem_service, debugg) out.close()