def _init_volatility_config(self): """ Creates a new Volatility ConfObject with its own storage """ import volatility.conf as conf # @UnresolvedImport if not self.volatility_config: config = conf.ConfObject() # Set all of our static settings config.update('DONOTLOADADDRSPACE', True) config.update('LOCATION', self.uri) config.update('DTB', None) config.update('KDBG', None) config.update('NO_CACHE', True) # IMPORTANT: No Cache! # config.update("OUTPUT", OUTPUT_TYPE) config.update("CACHE_DTB", False) # LOPHI Addrspace stuff config.update("RAM_SIZE", self.memory_size) # config.update('RETRIES', LOPHI_RETRIES) # config.update('TIMEOUT', LOPHI_TIMEOUT) # Ensure our profile is valid and assign it if self._is_valid_profile(self.profile): config.update('PROFILE', self.profile) else: logger.error("Unrecognized Profile (%s)." % self.profile) return False self.volatility_config = config self.config = property(self.volatility_config) return True
def init_volatility(): import volatility.conf as volconf import volatility.registry as registry import volatility.commands as commands import volatility.addrspace as addrspace if hasattr(volconf, "PyREBoxVolatility"): registry.PluginImporter() vol_config = volconf.ConfObject() registry.register_global_options(vol_config, commands.Command) registry.register_global_options(vol_config, addrspace.BaseAddressSpace) vol_config.PROFILE = conf_m.vol_profile # Set global volatility configuration conf_m.vol_conf = vol_config return True else: pp_error( """The imported volatility version is not appropriate for PyREBox: * Your local volatility installation may be in conflict with PyREBox's volatility installation... ... set up a virtual env to avoid the conflict (see installation instructions). * You have a virtual env for PyREBox's python dependencies, and you forgot to activate it! ... you know what to do!\n""") return False
def build_dump_conf(self): # Create conf obj procdump_conf = conf.ConfObject() # TMP Folder tmp_folder = tempfile.mkdtemp( ) if not self._config.TMP_FOLDER else self._config.TMP_FOLDER # Define conf procdump_conf.readonly = {} procdump_conf.PROFILE = self._config.PROFILE procdump_conf.LOCATION = self._config.LOCATION procdump_conf.DUMP_DIR = tmp_folder procdump_conf.MEMORY = True # Single, multiple or all PIDs (all PIDs == No PID specified) if self._config.PROC_PID: procdump_conf.PID = self._config.PROC_PID elif self._config.PROC_NAME or self._config.PROC_NAME_MATCH: procdump_conf.PID = self.build_pids() # Safety check if not os.path.exists(procdump_conf.DUMP_DIR): os.mkdir(procdump_conf.DUMP_DIR) # Remove outputfile conf procdump_conf.OUTPUT = 'text' procdump_conf.OUTPUT_FILE = None return procdump_conf
def main(): if len(sys.argv) != 4: print "Usage: %s %s %s %s" % (sys.argv[0], "profile", "memdump", "targetprocname") sys.exit(1) registry.PluginImporter() config = conf.ConfObject() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = sys.argv[1] config.LOCATION = sys.argv[2] processes = taskmods.PSList(config) target = filter_by_name(processes, sys.argv[3]) # .text info imagebase, va, rawsize = get_text_section_info(target) if imagebase == None: print "[-] Error: probably wrong .text section name" sys.exit(1) text_start = imagebase + va text_end = imagebase + va + rawsize permissions = get_vad_protect_flags(target, text_start, text_end) print "0x%x-0x%x %s %s" % (text_start, text_end, permissions, TEXT_TAG) # dll info modules = get_dll_info(target) # printing dll info for name, info in modules.items(): dll_start = info[0] dll_end = info[0] + info[1] permissions = get_vad_protect_flags(target, dll_start, dll_end) print "0x%x-0x%x %s %s" % (dll_start, dll_end, permissions, name) # heap info hs = get_heap_info(target) # printing heap info for h in hs: heap_start = h.BaseAddress.v() heap_end = h.LastValidEntry.v() permissions = get_vad_protect_flags(target, heap_start, heap_end) print "0x%x-0x%x %s %s" % (h.BaseAddress, h.LastValidEntry, permissions, HEAP_TAG) # stack info tebs = get_stack_info(target) # printing stack info for t in tebs: stack_start = t.NtTib.StackBase.v() stack_end = t.NtTib.StackLimit.v() permissions = get_vad_protect_flags(target, stack_start, stack_end) print "0x%x-0x%x %s %s" % (stack_start, stack_end, permissions, STACK_TAG)
def __init__(self): self.params = { "rating_whitelist": 0.5, "rating_services": 0.5, "rating_hidden": 1.5, "rating_orphan": 1.5, "rating_api_unknown": 1.5, "rating_api_known": 0.5, "rating_malfind_pe": 1.5, "rating_malfind": 0.5, "none": 0 } self.tagToRating = { "connected_processes": "rating_whitelist", "running_services": "rating_services", "hidden_processes": "rating_hidden", "orphan_threads": "rating_orphan", "api_hooks_unknown": "rating_api_unknown", "api_hooks_known": "rating_api_known", "malfind_executable": "rating_malfind_pe", "malfind_no_executable": "rating_malfind", "none": "none" } self.rules = {} self.volatilityConfig = conf.ConfObject() self.volatilityConfig.final = True self.volatilityConfig.verbose = False cache.disable_caching(None, None, None, None) MemoryRegistry.Init() self.key = "volatility"
def main(argv=None): setupLogging("admemanalysis.log", logging.INFO) registry.PluginImporter() config = conf.ConfObject() config.add_option('OUTPUT-PATH', default=None, help='Where to create output files', action='store', type='str') config.process_id = None registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) if not os.path.isfile("inputdata.json"): raise NameError("Input file(inpudata.json) was not found") data = None with open("inputdata.json") as data_file: data = json.load(data_file) operations = data['operationdata'] sys.argv.append("-f") sys.argv.append(data["filestreamtoanalyze"]) sys.argv.append("--profile") profile = data["profiletypename"] or ProfileGeneratorClass().GetProfile() logging.info('profile detected is {0}'.format(profile)) sys.argv.append(profile) output_path = data.get('outputpath') or '' config.parse_options(False) sys.argv.append("--output-path") sys.argv.append(output_path) config.parse_options() if utils.getConfigValue(operations, 'process') == True: adprocessesfactory.ADProcesses().execute(operations, config) if utils.getConfigValue(operations, 'drivers') == True: addriveranddevicefactory.DriverDeviceScan().execute(config) if utils.getConfigValue(operations, 'modules') == True: adkernelmodulesfactory.ADKernelModules().execute(config) if utils.getConfigValue(operations, 'sdts') == True: adsdtfactory.ADSdtGenerator().execute(config) if utils.getConfigValue(operations, 'yarascan') == True: adyarascanfactory.ADYaraScan().execute("", config) if utils.getConfigValue(operations, 'idt') == True: processors = kpcr.doProcessors(config) f = open(config.OUTPUT_PATH + 'processors.xml', 'w') #f.write(processors.SerializeToString()) f.write(proto2xml(processors, indent=0)) if utils.getConfigValue(operations, 'registry') == True: adregistryfactory.ADRegistryExtractor().execute(config)
def _section_chunks(self, sec_name): """Get the win32k.sys section as an array of 32-bit unsigned longs. @param sec_name: name of the PE section in win32k.sys to search for. @returns all chunks on a 4-byte boundary. """ dos_header = obj.Object("_IMAGE_DOS_HEADER", offset=self.Win32KBase, vm=self.obj_vm) if dos_header: try: nt_header = dos_header.get_nt_header() sections = [ sec for sec in nt_header.get_sections() if str(sec.Name) == sec_name ] # There should be exactly one section if sections: desired_section = sections[0] return obj.Object("Array", targetType="unsigned long", offset=desired_section.VirtualAddress + dos_header.obj_offset, count=desired_section.Misc.VirtualSize / 4, vm=self.obj_vm) except ValueError: ## This catches PE header parsing exceptions pass ## Don't try to read an address that doesn't exist if not self.Win32KBase: return [] ## In the rare case when win32k.sys PE header is paged or corrupted ## thus preventing us from parsing the sections, use the fallback ## mechanism of just reading 5 MB (max size of win32k.sys) from the ## base of the kernel module. data = self.obj_vm.zread(self.Win32KBase, 0x500000) ## Fill a Buffer AS with the zread data and set its base to win32k.sys ## so we can still instantiate an Array and have each chunk at the ## correct offset in virtual memory. buffer_as = addrspace.BufferAddressSpace(conf.ConfObject(), data=data, base_offset=self.Win32KBase) return obj.Object("Array", targetType="unsigned long", offset=self.Win32KBase, count=len(data) / 4, vm=buffer_as)
def hooked_funcs(plugin_obj, proc_id): plugin_conf = conf.ConfObject() plugin_conf.PROFILE = plugin_obj._config.PROFILE plugin_conf.PID = proc_id common.set_plugin_members(plugin_obj) hook_plugin = plthook.linux_plthook(plugin_conf) hooks = hook_plugin.calculate() return hooks
def get_config(profile, target_path): config = conf.ConfObject() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = profile config.LOCATION = "file://{0}".format(target_path) return config
def build_conf(self): '''Creates a configuration object for memdump''' memdump_conf = conf.ConfObject() memdump_conf.readonly = {} memdump_conf.PROFILE = self._config.PROFILE memdump_conf.LOCATION = self._config.LOCATION memdump_conf.NAME = "i2p.exe" memdump_conf.DUMP_DIR = tempfile.mkdtemp() return memdump_conf
def build_conf(self): # Create conf obj plugin_conf = conf.ConfObject() # Define conf plugin_conf.readonly = {} plugin_conf.PROFILE = self._config.PROFILE plugin_conf.DUMP_DIR = self._config.DUMP_DIR plugin_conf.PID = self._config.PID return plugin_conf
def __init__(self, dump, apps, syst, out_dir="files", plugins_dir=None, from_cache=True): """ Determines the profile, retrieves the list of processes and creates the list of application dumpers. :param dump: Volatility memory dump filename :param apps: list of the application dumper classes to be handled :param syst: list of the system dumper classes to be handled :param out_dir: output directory for retrieved resources :param plugins_dir: Volatility custom plugins directory :param from_cache: boolean indicating if the profile must be retrieved from a cache file in /tmp or found by Volatility """ short = dump dump = abspath(dump) assert isfile(dump), "{} is not a dump file".format(dump) assert all(x in APPDUMPERS for x in apps), "Unknown application dumper(s)" assert all(x in SYSDUMPERS for x in syst), "Unknown system dumper(s)" assert plugins_dir is None or isdir(plugins_dir), "Bad plugins dir" assert isinstance(from_cache, bool) self._artifacts = [] self._cache = {} self._selected_apps = apps self._selected_syst = syst if len(self._selected_apps) == 0 and len(self._selected_syst) == 0: logger.warning("No dumper selected") sys.exit(0) logger.debug("Setting output directory to '{}'...".format(out_dir)) self.out_dir = abspath(out_dir) if not exists(self.out_dir): os.makedirs(self.out_dir) self._cachefile = join(self.out_dir, ".cache") # initialize dump opening registry.PluginImporter() self.__is_profile_tested = False self.config = conf.ConfObject() if plugins_dir is not None: plugins_dir = expanduser(plugins_dir) logger.debug( "Setting plugins directory to '{}'...".format(plugins_dir)) self.config.plugins = abspath(plugins_dir) for cls in [commands.Command, addrspace.BaseAddressSpace]: registry.register_global_options(self.config, cls) self.__commands = {k.lower(): v for k, v in \ registry.get_plugin_classes(commands.Command).items()} self.config.LOCATION = "file://{}".format(dump) # get the right dump profile and test it while getting processes logger.info("Opening dump file '{}'...".format(short)) self.__is_profile_tested = self.__get_profile(from_cache)
def get_IO_conns(plugin_obj): #setup for passing obj to outside plugin plugin_conf = conf.ConfObject() plugin_conf.PROFILE = plugin_obj._config.PROFILE common.set_plugin_members(plugin_obj) net_plugin = linux_netstat.linux_netstat(plugin_conf) data = net_plugin.calculate() filtered_conns = Open_plc_modbusTCP.filter_for_targets(plugin_obj, data) return filtered_conns
def __config(self): """Creates a volatility configuration.""" if self.config != None and self.addr_space != None: return self.config self.config = conf.ConfObject() self.config.optparser.set_conflict_handler("resolve") registry.register_global_options(self.config, commands.Command) base_conf = { "profile": "WinXPSP2x86", "use_old_as": None, "kdbg": None, "help": False, "kpcr": None, "tz": None, "pid": None, "output_file": None, "physical_offset": None, "conf_file": None, "dtb": None, "output": None, "info": None, "location": "file://" + self.memdump, "plugins": None, "debug": None, "cache_dtb": True, "filename": None, "cache_directory": None, "verbose": None, "write": False } if self.osprofile: base_conf["profile"] = self.osprofile if self.kdbg: base_conf["kdbg"] = long(self.kdbg, 16) for key, value in base_conf.items(): self.config.update(key, value) # Deal with Volatility support for KVM/qemu memory dump. # See: #464. try: self.addr_space = utils.load_as(self.config) except exc.AddrSpaceError as e: if self._get_dtb(): self.addr_space = utils.load_as(self.config) else: raise self.plugins = registry.get_plugin_classes(commands.Command, lower=True) return self.config
def BuildConfigOpts(plugin='', getDiff=False): optsList = BuildConfigOptsList(config) if plugin.__len__() > 0: config2 = conf.ConfObject() cmds[plugin](config2) optsList2 = BuildConfigOptsList(config2) #set(optsList) #set(optsList2) return [x for x in optsList2 if x not in optsList] else: return optsList
def __init__(self, path, profile='WinXPSP2x86'): self.config = conf.ConfObject() registry.PluginImporter() registry.register_global_options(self.config, commands.Command) registry.register_global_options(self.config, addrspace.BaseAddressSpace) # self.config.parse_options() self.config.PROFILE = profile self.config.LOCATION = "file://" + path self.Memory = utils.load_as(self.config) self.Processes = self.__getProcesses() self.Threads = self.__getThreads()
def initialize(self): # Check dependencies if not HAVE_VOLATILITY: raise ModuleInitializationError(self, "Missing dependency: volatility") # Default configuration base_conf = { "profile": self.volatility.profile, "use_old_as": None, "kdbg": None, "help": False, "kpcr": None, "tz": None, "pid": None, "output_file": None, "physical_offset": None, "conf_file": None, "dtb": None, "output": None, "info": None, "plugins": self.volatility.plugins, "debug": None, "cache_dtb": True, "filename": None, "cache_directory": None, "verbose": None, "write": False } # Create Volatility API configuration self._volconfig = conf.ConfObject() self._volconfig.optparser.set_conflict_handler("resolve") for key, value in base_conf.items(): self._volconfig.update(key, value) # Get all available plugins # These two imports must occur after configuration init # Else, 'plugins' configuration will not be effective self._volcommands = import_module("volatility.commands") self._volregistry = import_module("volatility.registry") self._volutils = import_module("volatility.utils") self._volregistry.PluginImporter() self.plugins = self._volregistry.get_plugin_classes( self._volcommands.Command, lower=True) # Check if we have the right volatility plugins for this module if self.plugin_name is not None: self.needs_plugin(self.plugin_name)
def init_volatility(conf): import volatility.conf as volconf import volatility.registry as registry import volatility.commands as commands import volatility.addrspace as addrspace registry.PluginImporter() vol_config = volconf.ConfObject() registry.register_global_options(vol_config, commands.Command) registry.register_global_options(vol_config, addrspace.BaseAddressSpace) vol_config.PROFILE = conf.vol_profile # Set global volatility configuration conf_m.vol_conf = vol_config
def main(): parser = argparse.ArgumentParser(description = "Hashed password grabber") parser.add_argument("-mf",action="store",dest="file",help="memory file(.vmem)") parser.add_argument("-p",action="store",dest="path",type=int,help="path to volatility") results = parser.parse_args() if results.file is None or results.path is None: parser.print_help() exit(0) memory_file = results.file #.vmem sys.path.append(results.path) registry.PluginImporter() config = conf.ConfObject() config.parse_options() config.PROFILE = "WinXPSP2x86" config.LOCATION = "file://{0}".format(memory_file) registry.register_global_options(config,commands.Command) registry.register_global_options(config,addrspace.BaseAddressSpace) registry = RegistryApi(config) registry.populate_offsets() sam_offset = None sys_offset = None for offset in registry.all_offsets: if registry.all_offsets[offset].endswith("\\SAM"): sam_offset = offset print("[*]SAM: 0x%08x".format(offset)) if registry.all_offsets[offset].endswith("\\system"): sys_offset = offset print("[*]System: 0x%08x".format(offset)) if sam_offset is not None and sys_offset is not None: config.sys_offset = sys_offset config.sam_offset = sam_offset hashdump = HashDump(config) for hash in hashdump.calculate(): print(hash) break if sam_offset is None or sys_offset is None: print("[*]Failed to find the system or SAM offset.")
def get_address_space(service_path, profile, yara_path): log.info("Obtaining address space and generating config for volatility") registry.PluginImporter() config = conf.ConfObject() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = profile config.LOCATION = service_path config.YARA_FILE = yara_path return utils.load_as(config)
def __init__(self, image_path): """ Create a new Analyzer, with a given image_path """ registry.PluginImporter() self.config = conf.ConfObject() registry.register_global_options(self.config, commands.Command) registry.register_global_options(self.config, addrspace.BaseAddressSpace) # self.config.PROFILE = "WinXPSP3x86" self.config.LOCATION = image_path self.config.parse_options()
def __init__(self, profile, kdbg, memimg): ''' @profile: a Volatality profile string @kdbg: a kdbg address string @memimg: a memory image file name ''' # volatility black magic registry.PluginImporter() self.config = conf.ConfObject() self.config.optparser.set_conflict_handler(handler="resolve") registry.register_global_options(self.config, commands.Command) if memimg: self.base_conf = { 'profile': profile, 'use_old_as': None, 'kdbg': None if kdbg is None else int(kdbg, 16), 'help': False, 'kpcr': None, 'tz': None, 'pid': None, 'output_file': None, 'physical_offset': None, 'conf_file': None, 'dtb': None, 'output': None, 'info': None, 'location': "file://" + memimg, 'plugins': None, 'debug': None, 'cache_dtb': True, 'filename': None, 'cache_directory': None, 'verbose': None, 'write': False } # set the default config for k, v in self.base_conf.items(): self.config.update(k, v) if profile == None: profile = self.guess_profile(memimg) sys.stderr.write("Using profile: %s\n" % profile)
def init_config(self): """Creates a volatility configuration.""" if self.config is not None and self.addr_space is not None: return self.config self.config = conf.ConfObject() self.config.optparser.set_conflict_handler("resolve") registry.register_global_options(self.config, commands.Command) registry.register_global_options(self.config, addrspace.BaseAddressSpace) base_conf = { "profile": "WinXPSP2x86", "use_old_as": None, "kdbg": None, "help": False, "kpcr": None, "tz": None, "pid": None, "output_file": None, "physical_offset": None, "conf_file": None, "dtb": None, "output": None, "info": None, "location": "file://" + self.memdump, "plugins": None, "debug": 4, "cache_dtb": True, "filename": None, "cache_directory": None, "verbose": None, "write": False } if self.osprofile: base_conf["profile"] = self.osprofile for key, value in base_conf.items(): self.config.update(key, value) self.plugins = registry.get_plugin_classes(commands.Command, lower=True) return self.config
def init_config(): sys.path.append("/usr/src/volatility") origargv = sys.argv sys.argv = [sys.argv[0], "-f", "/mnt/mem", "--profile", "LinuxDebian8x64"] config = conf.ConfObject() registry.PluginImporter() registry.register_global_options(config, addrspace.BaseAddressSpace) # Initialize address space (same as a=addrspace() in linux_volshell) global a a = utils.load_as(config) global p p = a.profile print("in init.. p = ", p) # Lookup kernel symbol pointing to first module global init_task_addr i = p.get_symbol("init_task") init = obj.Object("task_struct", vm=a, offset=i)
def __init__(self, queueObj): self.config = conf.ConfObject() self.path = queueObj.filename self.profile = queueObj.profile registry.PluginImporter() registry.register_global_options(self.config, commands.Command) registry.register_global_options(self.config, addrspace.BaseAddressSpace) self.config.parse_options(False) profs = registry.get_plugin_classes(obj.Profile) if self.profile != "Use Imageinfo": self.config.PROFILE = self.profile self.config.LOCATION = 'file://' + self.path self.config.OUTPUT = 'sqlite' self.config.OUTPUT_FILE = queueObj.output_path self.config.parse_options(False) self.config.YARA_FILE = queueObj.yara_rule self.config.DUMP_DIR = queueObj.dump_dir self.config.PID = queueObj.pid
def _init_volatility(self): #import sys # for mod in sys.modules.keys(): # if 'parse' in mod: # del sys.modules[mod] # print "deleted",mod #import sys # if len(sys.argv) > 3: # #sys.args=[sys.args[3]] # sys.argv=[sys.argv[0],'-f',sys.argv[3]] # print 'after modif',sys.argv import volatility.conf as conf import volatility.registry as registry registry.PluginImporter() config = conf.ConfObject() import volatility.commands as commands import volatility.addrspace as addrspace import volatility.utils as volutils registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) # Dying because it cannot parse argv options # apparently, it was not required to parse options. hey. # config.parse_options() #addr_space = volutils.load_as(config,astype = 'any') #print config.PROFILE #import code #code.interact(local=locals()) config.PROFILE = self.profile #_target_platform.LOCATION = "file:///media/memory/private/image.dmp" config.LOCATION = "file://%s" % self.imgname config.PID = str(self.pid) self.config = config import volatility.plugins.vadinfo as vadinfo command = vadinfo.VADWalk(config) command.render_text = partial(my_render_text, self, command) command.execute()
def _init_volatility(self): #import sys # for mod in sys.modules.keys(): # if 'parse' in mod: # del sys.modules[mod] # print "deleted",mod #import sys # if len(sys.argv) > 3: # #sys.args=[sys.args[3]] # sys.argv=[sys.argv[0],'-f',sys.argv[3]] # print 'after modif',sys.argv import volatility.conf as conf import volatility.registry as registry registry.PluginImporter() config = conf.ConfObject() import volatility.commands as commands import volatility.addrspace as addrspace registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = self.profile #_target_platform.LOCATION = "file:///media/memory/private/image.dmp" config.LOCATION = "file://%s" % self.imgname config.PID = str(self.pid) self.config = config import volatility.plugins.vadinfo as vadinfo #import code #print _target_platform.__dict__ # code.interact(local=locals()) command = vadinfo.VADWalk(config) command.render_text = partial(my_render_text, self, command) command.execute()
import sys import struct memory_file = "WinXPSP2.vmem" sys.path.append("/Downloads/volatility-2.3.1") import volatility.conf as conf import volatility.registry as registry registry.PluginImporter() config = conf.ConfObject() import volatility.commands as commands import volatility.addrspace as addrspace config.parse_options() config.PROFILE = "WinXPSP2x86" config.LOCATION = "file://%s" % memory_file registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) from volatility.plugins.registry.registryapi import RegistryApi from volatility.plugins.registry.lsadump import HashDump registry = RegistryApi(config) registry.populate_offsets() sam_offset = None sys_offset = None
class Volatility(object): config = conf.ConfObject() cmds = {} profile = "--profile=Linuxcentos5_5x86" def Is_SystemCallHooked(self, vmname): data = self.Check_SystemCall( vmname) for ( table_name, i, call_addr, hooked) in data: if hooked != 0: return True return False def Check_SystemCall(self, vmname): #for (table_name, i, call_addr, hooked) in data: #if hooked == 0: return self.ExecuteCommand(vmname, "linux_check_syscall") def Check_ProcessName(self, vmname): data = self.ExecuteCommand(vmname, "linux_pslist") list = [] for task in data: list.append(str(task.comm)) return list def Check_Process(self, vmname): return self.ExecuteCommand(vmname, "linux_pslist") def Check_ProcessDump(self, vmname, pname): outfile = "./tmp/"+pname+".2" if not os.path.exists("./tmp"): os.makedirs("./tmp") self.ExecuteCommand(vmname, "linux_dump_proc_map",pname, outfile ) def ExecuteCommand(self, vmname, command, pname = None, outfile=None): location = "-l vmi://"+vmname; argv = self.profile+" "+location+" "; if pname : argv+="-n "+pname+" " if outfile : argv+="-O "+outfile+" " argv+=command #pdb.set_trace() self.config.parse_options_from_string(argv, False) module = self.GetModule(self.config) return self.ExecuteModule(module, argv) def GetModule(self, config): for m in config.args: if m in self.cmds.keys(): module = m return module if not module: #config.parse_options() debug.error("You must specify something to do (try -h)") def ExecuteModule(self, module, argv): if not module: debug.error("You must specify something to do (try -h)") try: if module in self.cmds.keys(): command = self.cmds[module](self.config) #print dir(config) #print config.args ## Register the help cb from the command itself #self.config.set_help_hook(obj.Curry(command_help, command)) #config.parse_options() self.config.parse_options_from_string(argv) #pdb.set_trace() if not self.config.LOCATION: debug.error("Please specify a location (-l) or filename (-f)") data = command.execute_call() return data #for task in data: # print str(task.comm)+"\t"+str(task.pid) except exceptions.AddrSpaceError, e: print e
def init_config(self): """Create a volatility configuration.""" if self.config is not None and self.addr_space is not None: return if not self.osprofile: raise CuckooOperationalError( "Can't continue to process the VM memory dump if no OS " "profile has been defined for it. One may define its OS " "profile using the 'osprofile' field for the VM in its " "machinery configuration or set a global default using " "'guest_profile' in memory.conf") if self.osprofile not in self.profiles: raise CuckooOperationalError( "The profile '%s' does not exist! Please pick one of the " "following profiles for your VMs: %s" % (self.osprofile, ", ".join(sorted(self.profiles)))) self.config = conf.ConfObject() self.config.optparser.set_conflict_handler("resolve") registry.register_global_options(self.config, commands.Command) base_conf = { "profile": self.osprofile, "use_old_as": None, "kdbg": None, "help": False, "kpcr": None, "tz": None, "pid": None, "output_file": None, "physical_offset": None, "conf_file": None, "dtb": None, "output": None, "info": None, "location": "file://%s" % self.memdump, "plugins": None, "debug": None, "cache_dtb": True, "filename": None, "cache_directory": None, "verbose": None, "write": False } for key, value in base_conf.items(): self.config.update(key, value) # Deal with Volatility support for KVM/qemu memory dump. # See: #464. try: self.addr_space = utils.load_as(self.config) except exc.AddrSpaceError as e: if self.get_dtb(): self.addr_space = utils.load_as(self.config) elif "No suitable address space mapping found" in e.message: raise CuckooOperationalError( "An incorrect OS has been specified for this machine! " "Please provide the correct one or Cuckoo won't be able " "to provide Volatility-based results for analyses with " "this VM.") else: raise self.plugins = (registry.get_plugin_classes(commands.Command, lower=True))