def run(self):
return renderers.TreeGrid([
('Allocation', format_hints.Hex),
('Tag', str),
('PoolType', str),
('NumberOfBytes', format_hints.Hex),
], self._generator())
def run(self):
return renderers.TreeGrid([("Function", format_hints.Hex),
("Param 0", format_hints.Hex),
("Param 1", format_hints.Hex),
("Deadline", int), ("Entry Time", int),
("Module", str), ("Symbol", str)],
self._generator())
def run(self):
offset = self.config.get('offset', None)
syshive = sechive = None
for hive in hivelist.HiveList.list_hives(
self.context,
self.config_path,
self.config['primary'],
self.config['nt_symbols'],
hive_offsets=None if offset is None else [offset]):
if hive.get_name().split('\\')[-1].upper() == 'SYSTEM':
syshive = hive
if hive.get_name().split('\\')[-1].upper() == 'SECURITY':
sechive = hive
if syshive is None:
raise exceptions.VolatilityException(
'Unable to locate SYSTEM hive')
if sechive is None:
raise exceptions.VolatilityException(
'Unable to locate SECURITY hive')
return renderers.TreeGrid([("Username", str), ("Domain", str),
("Domain name", str), ('Hashh', bytes)],
self._generator(syshive, sechive))
def run(self):
return renderers.TreeGrid([("Filter", format_hints.Hex), ("Name", str),
("Member", str),
("Socket", format_hints.Hex),
("Handler", format_hints.Hex),
("Module", str), ("Symbol", str)],
self._generator())
def run(self):
if not has_pefile:
vollog.info(
"Python pefile module not found, plugin (and dependent plugins) not available"
)
raise
filter_func = pslist.PsList.create_pid_filter(
[self.config.get('pid', None)])
hashlist = []
if self.config.get('imphash', None) is not None:
hashlist.append(self.config['imphash'])
elif self.config.get('imphashlist', None) is not None:
rf = open(self.config['imphashlist'], "r")
lines = rf.readlines()
for line in lines:
hashlist.append(line.rstrip())
return renderers.TreeGrid(
[("PID", int), ("ImageFileName", str),
("Module Base", format_hints.Hex), ("Module Name", str),
("imphash", str)],
self._generator(
pslist.PsList.list_processes(
context=self.context,
layer_name=self.config['primary'],
symbol_table=self.config['nt_symbols'],
filter_func=filter_func), hashlist))
def run(self):
return renderers.TreeGrid([
("Offset", format_hints.Hex),
("CreateTime", datetime.datetime),
("From Name", str),
("To Name", str),
], self._generator())
def run(self):
return renderers.TreeGrid([("Session ID", int), ('Session Type', str),
("Process ID", int), ("Process", str),
("User Name", str),
("Create Time", datetime.datetime)],
self._generator())
def run(self):
crash_layer = None
for layer_name in self._context.layers:
layer = self._context.layers[layer_name]
if isinstance(layer, crash.WindowsCrashDump32Layer):
crash_layer = layer
break
if crash_layer is None:
vollog.error("This plugin requires a Windows crash dump")
raise
return renderers.TreeGrid([
("Signature", str),
("MajorVersion", int),
("MinorVersion", int),
("DirectoryTableBase", format_hints.Hex),
("PfnDataBase", format_hints.Hex),
("PsLoadedModuleList", format_hints.Hex),
("PsActiveProcessHead", format_hints.Hex),
("MachineImageType", int),
("NumberProcessors", int),
("KdDebuggerDataBlock", format_hints.Hex),
("DumpType", str),
("SystemUpTime", str),
("Comment", str),
("SystemTime", datetime.datetime),
("BitmapHeaderSize", format_hints.Hex),
("BitmapSize", format_hints.Hex),
("BitmapPages", format_hints.Hex),
], self._generator(crash_layer))
def run(self):
offset = self.config.get('offset', None)
syshive = sechive = None
kernel = self.context.modules[self.config['kernel']]
for hive in hivelist.HiveList.list_hives(
self.context,
self.config_path,
kernel.layer_name,
kernel.symbol_table_name,
hive_offsets=None if offset is None else [offset]):
if hive.get_name().split('\\')[-1].upper() == 'SYSTEM':
syshive = hive
if hive.get_name().split('\\')[-1].upper() == 'SECURITY':
sechive = hive
if syshive is None or sechive is None:
if syshive is None:
vollog.warning('Unable to locate SYSTEM hive')
if sechive is None:
vollog.warning('Unable to locate SECURITY hive')
return
return renderers.TreeGrid([("Username", str), ("Domain", str),
("Domain name", str), ('Hash', bytes)],
self._generator(syshive, sechive))
def run(self):
offsettype = "(V)" if not self.config.get('physical', self.PHYSICAL_DEFAULT) else "(P)"
return renderers.TreeGrid([("PID", int), ("PPID", int), ("ImageFileName", str),
("Offset{0}".format(offsettype), format_hints.Hex), ("Threads", int),
("Handles", int), ("SessionId", int), ("Wow64", bool),
("CreateTime", datetime.datetime), ("ExitTime", datetime.datetime),
("File output", str)], self._generator())
def run(self):
filter_func = pslist.PsList.create_pid_filter(self.config.get('pid', None))
return renderers.TreeGrid([("PID", int), ("Process", str), ("FD", int), ("Path", str)],
self._generator(
pslist.PsList.list_tasks(self.context,
self.config['kernel'],
filter_func = filter_func)))
def run(self):
pids = self.config.get('pid')
include_threads = self.config.get('threads')
decorate_comm = self.config.get('decorate_comm')
filter_func = self.create_pid_filter(pids)
columns = [("OFFSET (V)", format_hints.Hex), ("PID", int), ("TID", int), ("PPID", int), ("COMM", str)]
return renderers.TreeGrid(columns, self._generator(filter_func, include_threads, decorate_comm))
def run(self):
self._reg_table_name = intermed.IntermediateSymbolTable.create(self.context, self._config_path, 'windows',
'registry')
return renderers.TreeGrid([("Hive Offset", renderers.format_hints.Hex), ("Hive Name", str), ("Path", str),
("Last Write Time", datetime.datetime), ("Type", str), ("Name", str), ("ID", int),
("Count", int), ("Focus Count", int), ("Time Focused", str),
("Last Updated", datetime.datetime), ("Raw Data", format_hints.HexBytes)],
self._generator())
def run(self) -> renderers.TreeGrid:
filter_func = pslist.PsList.create_pid_filter(self.config.get('pid', None))
list_tasks = pslist.PsList.get_list_tasks(self.config.get('pslist_method', pslist.PsList.pslist_methods[0]))
return renderers.TreeGrid([("PID", int), ("Process", str), ("Argc", int), ("Arguments", str)],
self._generator(
list_tasks(self.context,
self.config['kernel'],
filter_func = filter_func)))
def run(self):
return renderers.TreeGrid([("Valid pages (all)", int),
("Valid pages (large)", int),
("Swapped Pages (all)", int),
("Swapped Pages (large)", int),
("Invalid Pages (all)", int),
("Invalid Pages (large)", int),
("Other Invalid Pages (all)", int)],
self._generator())
def run(self):
return renderers.TreeGrid([("Member", str), ("Policy Name", str),
("Handler Address", format_hints.Hex),
("Handler Module", str),
("Handler Symbol", str)],
self._generator(
lsmod.Lsmod.list_modules(
self.context,
self.config['kernel'])))
def run(self):
return renderers.TreeGrid([("PID", int), ("PPID", int),
("ImageFileName", str),
("Offset", format_hints.Hex),
("Threads", int), ("Handles", int),
("SessionId", int), ("Wow64", bool),
("CreateTime", datetime.datetime),
("ExitTime", datetime.datetime),
("File output", str)], self._generator())
def run(self):
return renderers.TreeGrid([("URI", str), ("Valid", str),
("Number of base_types", int),
("Number of types", int),
("Number of symbols", int),
("Number of enums", int),
("Windows info", str),
("Linux banner", str), ("Mac banner", str)],
self._generator())
def run(self) -> renderers.TreeGrid:
return renderers.TreeGrid([
("Offset", format_hints.Hex),
("Type", str),
("DriverName", str),
("DeviceName", str),
("DriverNameOfAttDevice", str),
("DeviceType", str),
], self._generator())
def run(self):
filter_func = pslist.PsList.create_pid_filter(self.config.get('pid', None))
return renderers.TreeGrid([("PID", int), ("Process", str), ("Start", format_hints.Hex),
("End", format_hints.Hex), ("File Path", str)],
self._generator(
pslist.PsList.list_tasks(self.context,
self.config['primary'],
self.config['vmlinux'],
filter_func = filter_func)))
def run(self):
return renderers.TreeGrid([
("Offset", format_hints.Hex),
("Driver Name", str),
("IRP", str),
("Address", format_hints.Hex),
("Module", str),
("Symbol", str),
], self._generator())
def run(self):
filter_func = pslist.PsList.create_pid_filter(self.config.get('pid', None))
return renderers.TreeGrid([("PID", int), ("Process", str), ("Block", str), ("Variable", str), ("Value", str)],
self._generator(
pslist.PsList.list_processes(context = self.context,
layer_name = self.config['primary'],
symbol_table = self.config['nt_symbols'],
filter_func = filter_func)))
def run(self):
"""Isolate each plugin and run it."""
# Use all the plugins if there's no filter
self.usable_plugins = self.usable_plugins or self.get_usable_plugins()
self.automagics = self.automagics or automagic.available(self._context)
plugins_to_run = []
requirement_configs = {}
filter_list = self.config['plugin-filter']
# Identify plugins that we can run which output datetimes
for plugin_class in self.usable_plugins:
try:
automagics = automagic.choose_automagic(self.automagics, plugin_class)
for requirement in plugin_class.get_requirements():
if requirement.name in requirement_configs:
config_req, config_value = requirement_configs[requirement.name]
if requirement == config_req:
self.context.config[interfaces.configuration.path_join(
self.config_path, plugin_class.__name__)] = config_value
plugin = plugins.construct_plugin(self.context, automagics, plugin_class, self.config_path,
self._progress_callback, self.open)
for requirement in plugin.get_requirements():
if requirement.name not in requirement_configs:
config_value = plugin.config.get(requirement.name, None)
if config_value:
requirement_configs[requirement.name] = (requirement, config_value)
if isinstance(plugin, TimeLinerInterface):
if not len(filter_list) or any(
[filter in plugin.__module__ + '.' + plugin.__class__.__name__ for filter in filter_list]):
plugins_to_run.append(plugin)
except exceptions.UnsatisfiedException as excp:
# Remove the failed plugin from the list and continue
vollog.debug(f"Unable to satisfy {plugin_class.__name__}: {excp.unsatisfied}")
continue
if self.config.get('record-config', False):
total_config = {}
for plugin in plugins_to_run:
old_dict = dict(plugin.build_configuration())
for entry in old_dict:
total_config[interfaces.configuration.path_join(plugin.__class__.__name__, entry)] = old_dict[entry]
with self.open("config.json") as file_data:
with io.TextIOWrapper(file_data, write_through = True) as fp:
json.dump(total_config, fp, sort_keys = True, indent = 2)
return renderers.TreeGrid(columns = [("Plugin", str), ("Description", str), ("Created Date", datetime.datetime),
("Modified Date", datetime.datetime), ("Accessed Date", datetime.datetime),
("Changed Date", datetime.datetime)],
generator = self._generator(plugins_to_run))
def run(self):
filter_func = pslist.PsList.create_pid_filter(self.config.get('pid', None))
return renderers.TreeGrid([("PID", int), ("Process", str), ("Start VPN", format_hints.Hex),
("End VPN", format_hints.Hex), ("Tag", str), ("Protection", str),
("CommitCharge", int), ("PrivateMemory", int), ("File output", str),
("Hexdump", format_hints.HexBytes), ("Disasm", interfaces.renderers.Disassembly)],
self._generator(
pslist.PsList.list_processes(context = self.context,
layer_name = self.config['primary'],
symbol_table = self.config['nt_symbols'],
filter_func = filter_func)))
def run(self):
return renderers.TreeGrid([
('Offset', format_hints.Hex),
('Order', int),
('PID', int),
('Start', str),
('State', str),
('Type', str),
('Name', str),
('Display', str),
('Binary', str),
], self._generator())
def run(self):
kernel = self.context.modules[self.config['kernel']]
filter_func = pslist.PsList.create_pid_filter(self.config.get('pid', None))
return renderers.TreeGrid([("PID", int), ("Process", str), ("Args", str)],
self._generator(
pslist.PsList.list_processes(context = self.context,
layer_name = kernel.layer_name,
symbol_table = kernel.symbol_table_name,
filter_func = filter_func)))
def run(self):
filter_func = pslist.PsList.create_pid_filter(
self.config.get('pid', None))
list_tasks = pslist.PsList.get_list_tasks(
self.config.get('pslist_method', pslist.PsList.pslist_methods[0]))
return renderers.TreeGrid([("PID", int), ("File Descriptor", int),
("File Path", str)],
self._generator(
list_tasks(self.context,
self.config['kernel'],
filter_func=filter_func)))
def run(self):
filter_func = pslist.PsList.create_pid_filter(
self.config.get('pid', None))
return renderers.TreeGrid([("PID", int), ("Process", str),
("CommandTime", datetime.datetime),
("Command", str)],
self._generator(
pslist.PsList.list_tasks(
self.context,
self.config['primary'],
self.config['vmlinux'],
filter_func=filter_func)))
def run(self):
kernel = self.context.modules[self.config['kernel']]
return renderers.TreeGrid(
[("PID", int), ("Process", str), ("Skeleton Key Found", bool),
("rc4HmacInitialize", format_hints.Hex),
("rc4HmacDecrypt", format_hints.Hex)],
self._generator(
pslist.PsList.list_processes(
context=self.context,
layer_name=kernel.layer_name,
symbol_table=kernel.symbol_table_name,
filter_func=self._lsass_proc_filter)))
def run(self):
filter_func = pslist.PsList.create_pid_filter(
self.config.get('pid', None))
return renderers.TreeGrid(
[("PID", int), ("Process", str), ("Start", format_hints.Hex),
("End", format_hints.Hex), ("Protection", str),
("Hexdump", format_hints.HexBytes),
("Disasm", interfaces.renderers.Disassembly)],
self._generator(
pslist.PsList.list_tasks(self.context,
self.config['kernel'],
filter_func=filter_func)))
