def _init_volatility_config(self):
"""
Creates a new Volatility ConfObject with its own storage
"""
import volatility.conf as conf # @UnresolvedImport
if not self.volatility_config:
config = conf.ConfObject()
# Set all of our static settings
config.update('DONOTLOADADDRSPACE', True)
config.update('LOCATION', self.uri)
config.update('DTB', None)
config.update('KDBG', None)
config.update('NO_CACHE', True) # IMPORTANT: No Cache!
# config.update("OUTPUT", OUTPUT_TYPE)
config.update("CACHE_DTB", False)
# LOPHI Addrspace stuff
config.update("RAM_SIZE", self.memory_size)
# config.update('RETRIES', LOPHI_RETRIES)
# config.update('TIMEOUT', LOPHI_TIMEOUT)
# Ensure our profile is valid and assign it
if self._is_valid_profile(self.profile):
config.update('PROFILE', self.profile)
else:
logger.error("Unrecognized Profile (%s)." % self.profile)
return False
self.volatility_config = config
self.config = property(self.volatility_config)
return True
def init_volatility():
import volatility.conf as volconf
import volatility.registry as registry
import volatility.commands as commands
import volatility.addrspace as addrspace
if hasattr(volconf, "PyREBoxVolatility"):
registry.PluginImporter()
vol_config = volconf.ConfObject()
registry.register_global_options(vol_config, commands.Command)
registry.register_global_options(vol_config,
addrspace.BaseAddressSpace)
vol_config.PROFILE = conf_m.vol_profile
# Set global volatility configuration
conf_m.vol_conf = vol_config
return True
else:
pp_error(
"""The imported volatility version is not appropriate for PyREBox:
* Your local volatility installation may be in conflict with PyREBox's volatility installation...
... set up a virtual env to avoid the conflict (see installation instructions).
* You have a virtual env for PyREBox's python dependencies, and you forgot to activate it!
... you know what to do!\n""")
return False
def build_dump_conf(self):
# Create conf obj
procdump_conf = conf.ConfObject()
# TMP Folder
tmp_folder = tempfile.mkdtemp(
) if not self._config.TMP_FOLDER else self._config.TMP_FOLDER
# Define conf
procdump_conf.readonly = {}
procdump_conf.PROFILE = self._config.PROFILE
procdump_conf.LOCATION = self._config.LOCATION
procdump_conf.DUMP_DIR = tmp_folder
procdump_conf.MEMORY = True
# Single, multiple or all PIDs (all PIDs == No PID specified)
if self._config.PROC_PID:
procdump_conf.PID = self._config.PROC_PID
elif self._config.PROC_NAME or self._config.PROC_NAME_MATCH:
procdump_conf.PID = self.build_pids()
# Safety check
if not os.path.exists(procdump_conf.DUMP_DIR):
os.mkdir(procdump_conf.DUMP_DIR)
# Remove outputfile conf
procdump_conf.OUTPUT = 'text'
procdump_conf.OUTPUT_FILE = None
return procdump_conf
def main():
if len(sys.argv) != 4:
print "Usage: %s %s %s %s" % (sys.argv[0], "profile", "memdump", "targetprocname")
sys.exit(1)
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = sys.argv[1]
config.LOCATION = sys.argv[2]
processes = taskmods.PSList(config)
target = filter_by_name(processes, sys.argv[3])
# .text info
imagebase, va, rawsize = get_text_section_info(target)
if imagebase == None:
print "[-] Error: probably wrong .text section name"
sys.exit(1)
text_start = imagebase + va
text_end = imagebase + va + rawsize
permissions = get_vad_protect_flags(target, text_start, text_end)
print "0x%x-0x%x %s %s" % (text_start, text_end, permissions, TEXT_TAG)
# dll info
modules = get_dll_info(target)
# printing dll info
for name, info in modules.items():
dll_start = info[0]
dll_end = info[0] + info[1]
permissions = get_vad_protect_flags(target, dll_start, dll_end)
print "0x%x-0x%x %s %s" % (dll_start, dll_end, permissions, name)
# heap info
hs = get_heap_info(target)
# printing heap info
for h in hs:
heap_start = h.BaseAddress.v()
heap_end = h.LastValidEntry.v()
permissions = get_vad_protect_flags(target, heap_start, heap_end)
print "0x%x-0x%x %s %s" % (h.BaseAddress, h.LastValidEntry, permissions, HEAP_TAG)
# stack info
tebs = get_stack_info(target)
# printing stack info
for t in tebs:
stack_start = t.NtTib.StackBase.v()
stack_end = t.NtTib.StackLimit.v()
permissions = get_vad_protect_flags(target, stack_start, stack_end)
print "0x%x-0x%x %s %s" % (stack_start, stack_end, permissions, STACK_TAG)
def __init__(self):
self.params = {
"rating_whitelist": 0.5,
"rating_services": 0.5,
"rating_hidden": 1.5,
"rating_orphan": 1.5,
"rating_api_unknown": 1.5,
"rating_api_known": 0.5,
"rating_malfind_pe": 1.5,
"rating_malfind": 0.5,
"none": 0
}
self.tagToRating = {
"connected_processes": "rating_whitelist",
"running_services": "rating_services",
"hidden_processes": "rating_hidden",
"orphan_threads": "rating_orphan",
"api_hooks_unknown": "rating_api_unknown",
"api_hooks_known": "rating_api_known",
"malfind_executable": "rating_malfind_pe",
"malfind_no_executable": "rating_malfind",
"none": "none"
}
self.rules = {}
self.volatilityConfig = conf.ConfObject()
self.volatilityConfig.final = True
self.volatilityConfig.verbose = False
cache.disable_caching(None, None, None, None)
MemoryRegistry.Init()
self.key = "volatility"
def main(argv=None):
setupLogging("admemanalysis.log", logging.INFO)
registry.PluginImporter()
config = conf.ConfObject()
config.add_option('OUTPUT-PATH',
default=None,
help='Where to create output files',
action='store',
type='str')
config.process_id = None
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
if not os.path.isfile("inputdata.json"):
raise NameError("Input file(inpudata.json) was not found")
data = None
with open("inputdata.json") as data_file:
data = json.load(data_file)
operations = data['operationdata']
sys.argv.append("-f")
sys.argv.append(data["filestreamtoanalyze"])
sys.argv.append("--profile")
profile = data["profiletypename"] or ProfileGeneratorClass().GetProfile()
logging.info('profile detected is {0}'.format(profile))
sys.argv.append(profile)
output_path = data.get('outputpath') or ''
config.parse_options(False)
sys.argv.append("--output-path")
sys.argv.append(output_path)
config.parse_options()
if utils.getConfigValue(operations, 'process') == True:
adprocessesfactory.ADProcesses().execute(operations, config)
if utils.getConfigValue(operations, 'drivers') == True:
addriveranddevicefactory.DriverDeviceScan().execute(config)
if utils.getConfigValue(operations, 'modules') == True:
adkernelmodulesfactory.ADKernelModules().execute(config)
if utils.getConfigValue(operations, 'sdts') == True:
adsdtfactory.ADSdtGenerator().execute(config)
if utils.getConfigValue(operations, 'yarascan') == True:
adyarascanfactory.ADYaraScan().execute("", config)
if utils.getConfigValue(operations, 'idt') == True:
processors = kpcr.doProcessors(config)
f = open(config.OUTPUT_PATH + 'processors.xml', 'w')
#f.write(processors.SerializeToString())
f.write(proto2xml(processors, indent=0))
if utils.getConfigValue(operations, 'registry') == True:
adregistryfactory.ADRegistryExtractor().execute(config)
def _section_chunks(self, sec_name):
"""Get the win32k.sys section as an array of
32-bit unsigned longs.
@param sec_name: name of the PE section in win32k.sys
to search for.
@returns all chunks on a 4-byte boundary.
"""
dos_header = obj.Object("_IMAGE_DOS_HEADER",
offset=self.Win32KBase,
vm=self.obj_vm)
if dos_header:
try:
nt_header = dos_header.get_nt_header()
sections = [
sec for sec in nt_header.get_sections()
if str(sec.Name) == sec_name
]
# There should be exactly one section
if sections:
desired_section = sections[0]
return obj.Object("Array",
targetType="unsigned long",
offset=desired_section.VirtualAddress +
dos_header.obj_offset,
count=desired_section.Misc.VirtualSize /
4,
vm=self.obj_vm)
except ValueError:
## This catches PE header parsing exceptions
pass
## Don't try to read an address that doesn't exist
if not self.Win32KBase:
return []
## In the rare case when win32k.sys PE header is paged or corrupted
## thus preventing us from parsing the sections, use the fallback
## mechanism of just reading 5 MB (max size of win32k.sys) from the
## base of the kernel module.
data = self.obj_vm.zread(self.Win32KBase, 0x500000)
## Fill a Buffer AS with the zread data and set its base to win32k.sys
## so we can still instantiate an Array and have each chunk at the
## correct offset in virtual memory.
buffer_as = addrspace.BufferAddressSpace(conf.ConfObject(),
data=data,
base_offset=self.Win32KBase)
return obj.Object("Array",
targetType="unsigned long",
offset=self.Win32KBase,
count=len(data) / 4,
vm=buffer_as)
def hooked_funcs(plugin_obj, proc_id):
plugin_conf = conf.ConfObject()
plugin_conf.PROFILE = plugin_obj._config.PROFILE
plugin_conf.PID = proc_id
common.set_plugin_members(plugin_obj)
hook_plugin = plthook.linux_plthook(plugin_conf)
hooks = hook_plugin.calculate()
return hooks
def get_config(profile, target_path):
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = profile
config.LOCATION = "file://{0}".format(target_path)
return config
def build_conf(self):
'''Creates a configuration object for memdump'''
memdump_conf = conf.ConfObject()
memdump_conf.readonly = {}
memdump_conf.PROFILE = self._config.PROFILE
memdump_conf.LOCATION = self._config.LOCATION
memdump_conf.NAME = "i2p.exe"
memdump_conf.DUMP_DIR = tempfile.mkdtemp()
return memdump_conf
def build_conf(self):
# Create conf obj
plugin_conf = conf.ConfObject()
# Define conf
plugin_conf.readonly = {}
plugin_conf.PROFILE = self._config.PROFILE
plugin_conf.DUMP_DIR = self._config.DUMP_DIR
plugin_conf.PID = self._config.PID
return plugin_conf
def __init__(self,
dump,
apps,
syst,
out_dir="files",
plugins_dir=None,
from_cache=True):
"""
Determines the profile, retrieves the list of processes and creates the
list of application dumpers.
:param dump: Volatility memory dump filename
:param apps: list of the application dumper classes to be handled
:param syst: list of the system dumper classes to be handled
:param out_dir: output directory for retrieved resources
:param plugins_dir: Volatility custom plugins directory
:param from_cache: boolean indicating if the profile must be retrieved
from a cache file in /tmp or found by Volatility
"""
short = dump
dump = abspath(dump)
assert isfile(dump), "{} is not a dump file".format(dump)
assert all(x in APPDUMPERS
for x in apps), "Unknown application dumper(s)"
assert all(x in SYSDUMPERS for x in syst), "Unknown system dumper(s)"
assert plugins_dir is None or isdir(plugins_dir), "Bad plugins dir"
assert isinstance(from_cache, bool)
self._artifacts = []
self._cache = {}
self._selected_apps = apps
self._selected_syst = syst
if len(self._selected_apps) == 0 and len(self._selected_syst) == 0:
logger.warning("No dumper selected")
sys.exit(0)
logger.debug("Setting output directory to '{}'...".format(out_dir))
self.out_dir = abspath(out_dir)
if not exists(self.out_dir):
os.makedirs(self.out_dir)
self._cachefile = join(self.out_dir, ".cache")
# initialize dump opening
registry.PluginImporter()
self.__is_profile_tested = False
self.config = conf.ConfObject()
if plugins_dir is not None:
plugins_dir = expanduser(plugins_dir)
logger.debug(
"Setting plugins directory to '{}'...".format(plugins_dir))
self.config.plugins = abspath(plugins_dir)
for cls in [commands.Command, addrspace.BaseAddressSpace]:
registry.register_global_options(self.config, cls)
self.__commands = {k.lower(): v for k, v in \
registry.get_plugin_classes(commands.Command).items()}
self.config.LOCATION = "file://{}".format(dump)
# get the right dump profile and test it while getting processes
logger.info("Opening dump file '{}'...".format(short))
self.__is_profile_tested = self.__get_profile(from_cache)
def get_IO_conns(plugin_obj):
#setup for passing obj to outside plugin
plugin_conf = conf.ConfObject()
plugin_conf.PROFILE = plugin_obj._config.PROFILE
common.set_plugin_members(plugin_obj)
net_plugin = linux_netstat.linux_netstat(plugin_conf)
data = net_plugin.calculate()
filtered_conns = Open_plc_modbusTCP.filter_for_targets(plugin_obj, data)
return filtered_conns
def __config(self):
"""Creates a volatility configuration."""
if self.config != None and self.addr_space != None:
return self.config
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler("resolve")
registry.register_global_options(self.config, commands.Command)
base_conf = {
"profile": "WinXPSP2x86",
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"location": "file://" + self.memdump,
"plugins": None,
"debug": None,
"cache_dtb": True,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
if self.osprofile:
base_conf["profile"] = self.osprofile
if self.kdbg:
base_conf["kdbg"] = long(self.kdbg, 16)
for key, value in base_conf.items():
self.config.update(key, value)
# Deal with Volatility support for KVM/qemu memory dump.
# See: #464.
try:
self.addr_space = utils.load_as(self.config)
except exc.AddrSpaceError as e:
if self._get_dtb():
self.addr_space = utils.load_as(self.config)
else:
raise
self.plugins = registry.get_plugin_classes(commands.Command,
lower=True)
return self.config
def BuildConfigOpts(plugin='', getDiff=False):
optsList = BuildConfigOptsList(config)
if plugin.__len__() > 0:
config2 = conf.ConfObject()
cmds[plugin](config2)
optsList2 = BuildConfigOptsList(config2)
#set(optsList)
#set(optsList2)
return [x for x in optsList2 if x not in optsList]
else:
return optsList
def __init__(self, path, profile='WinXPSP2x86'):
self.config = conf.ConfObject()
registry.PluginImporter()
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config,
addrspace.BaseAddressSpace)
# self.config.parse_options()
self.config.PROFILE = profile
self.config.LOCATION = "file://" + path
self.Memory = utils.load_as(self.config)
self.Processes = self.__getProcesses()
self.Threads = self.__getThreads()
def initialize(self):
# Check dependencies
if not HAVE_VOLATILITY:
raise ModuleInitializationError(self,
"Missing dependency: volatility")
# Default configuration
base_conf = {
"profile": self.volatility.profile,
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"plugins": self.volatility.plugins,
"debug": None,
"cache_dtb": True,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
# Create Volatility API configuration
self._volconfig = conf.ConfObject()
self._volconfig.optparser.set_conflict_handler("resolve")
for key, value in base_conf.items():
self._volconfig.update(key, value)
# Get all available plugins
# These two imports must occur after configuration init
# Else, 'plugins' configuration will not be effective
self._volcommands = import_module("volatility.commands")
self._volregistry = import_module("volatility.registry")
self._volutils = import_module("volatility.utils")
self._volregistry.PluginImporter()
self.plugins = self._volregistry.get_plugin_classes(
self._volcommands.Command, lower=True)
# Check if we have the right volatility plugins for this module
if self.plugin_name is not None:
self.needs_plugin(self.plugin_name)
def init_volatility(conf):
import volatility.conf as volconf
import volatility.registry as registry
import volatility.commands as commands
import volatility.addrspace as addrspace
registry.PluginImporter()
vol_config = volconf.ConfObject()
registry.register_global_options(vol_config, commands.Command)
registry.register_global_options(vol_config, addrspace.BaseAddressSpace)
vol_config.PROFILE = conf.vol_profile
# Set global volatility configuration
conf_m.vol_conf = vol_config
def main():
parser = argparse.ArgumentParser(description = "Hashed password grabber")
parser.add_argument("-mf",action="store",dest="file",help="memory file(.vmem)")
parser.add_argument("-p",action="store",dest="path",type=int,help="path to volatility")
results = parser.parse_args()
if results.file is None or results.path is None:
parser.print_help()
exit(0)
memory_file = results.file #.vmem
sys.path.append(results.path)
registry.PluginImporter()
config = conf.ConfObject()
config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://{0}".format(memory_file)
registry.register_global_options(config,commands.Command)
registry.register_global_options(config,addrspace.BaseAddressSpace)
registry = RegistryApi(config)
registry.populate_offsets()
sam_offset = None
sys_offset = None
for offset in registry.all_offsets:
if registry.all_offsets[offset].endswith("\\SAM"):
sam_offset = offset
print("[*]SAM: 0x%08x".format(offset))
if registry.all_offsets[offset].endswith("\\system"):
sys_offset = offset
print("[*]System: 0x%08x".format(offset))
if sam_offset is not None and sys_offset is not None:
config.sys_offset = sys_offset
config.sam_offset = sam_offset
hashdump = HashDump(config)
for hash in hashdump.calculate():
print(hash)
break
if sam_offset is None or sys_offset is None:
print("[*]Failed to find the system or SAM offset.")
def get_address_space(service_path, profile, yara_path):
log.info("Obtaining address space and generating config for volatility")
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = profile
config.LOCATION = service_path
config.YARA_FILE = yara_path
return utils.load_as(config)
def __init__(self, image_path):
"""
Create a new Analyzer, with a given image_path
"""
registry.PluginImporter()
self.config = conf.ConfObject()
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config,
addrspace.BaseAddressSpace)
# self.config.PROFILE = "WinXPSP3x86"
self.config.LOCATION = image_path
self.config.parse_options()
def __init__(self, profile, kdbg, memimg):
'''
@profile: a Volatality profile string
@kdbg: a kdbg address string
@memimg: a memory image file name
'''
# volatility black magic
registry.PluginImporter()
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler(handler="resolve")
registry.register_global_options(self.config, commands.Command)
if memimg:
self.base_conf = {
'profile': profile,
'use_old_as': None,
'kdbg': None if kdbg is None else int(kdbg, 16),
'help': False,
'kpcr': None,
'tz': None,
'pid': None,
'output_file': None,
'physical_offset': None,
'conf_file': None,
'dtb': None,
'output': None,
'info': None,
'location': "file://" + memimg,
'plugins': None,
'debug': None,
'cache_dtb': True,
'filename': None,
'cache_directory': None,
'verbose': None,
'write': False
}
# set the default config
for k, v in self.base_conf.items():
self.config.update(k, v)
if profile == None:
profile = self.guess_profile(memimg)
sys.stderr.write("Using profile: %s\n" % profile)
def init_config(self):
"""Creates a volatility configuration."""
if self.config is not None and self.addr_space is not None:
return self.config
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler("resolve")
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config,
addrspace.BaseAddressSpace)
base_conf = {
"profile": "WinXPSP2x86",
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"location": "file://" + self.memdump,
"plugins": None,
"debug": 4,
"cache_dtb": True,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
if self.osprofile:
base_conf["profile"] = self.osprofile
for key, value in base_conf.items():
self.config.update(key, value)
self.plugins = registry.get_plugin_classes(commands.Command,
lower=True)
return self.config
def init_config():
sys.path.append("/usr/src/volatility")
origargv = sys.argv
sys.argv = [sys.argv[0], "-f", "/mnt/mem", "--profile", "LinuxDebian8x64"]
config = conf.ConfObject()
registry.PluginImporter()
registry.register_global_options(config, addrspace.BaseAddressSpace)
# Initialize address space (same as a=addrspace() in linux_volshell)
global a
a = utils.load_as(config)
global p
p = a.profile
print("in init.. p = ", p)
# Lookup kernel symbol pointing to first module
global init_task_addr
i = p.get_symbol("init_task")
init = obj.Object("task_struct", vm=a, offset=i)
def __init__(self, queueObj):
self.config = conf.ConfObject()
self.path = queueObj.filename
self.profile = queueObj.profile
registry.PluginImporter()
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config,
addrspace.BaseAddressSpace)
self.config.parse_options(False)
profs = registry.get_plugin_classes(obj.Profile)
if self.profile != "Use Imageinfo":
self.config.PROFILE = self.profile
self.config.LOCATION = 'file://' + self.path
self.config.OUTPUT = 'sqlite'
self.config.OUTPUT_FILE = queueObj.output_path
self.config.parse_options(False)
self.config.YARA_FILE = queueObj.yara_rule
self.config.DUMP_DIR = queueObj.dump_dir
self.config.PID = queueObj.pid
def _init_volatility(self):
#import sys
# for mod in sys.modules.keys():
# if 'parse' in mod:
# del sys.modules[mod]
# print "deleted",mod
#import sys
# if len(sys.argv) > 3:
# #sys.args=[sys.args[3]]
# sys.argv=[sys.argv[0],'-f',sys.argv[3]]
# print 'after modif',sys.argv
import volatility.conf as conf
import volatility.registry as registry
registry.PluginImporter()
config = conf.ConfObject()
import volatility.commands as commands
import volatility.addrspace as addrspace
import volatility.utils as volutils
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
# Dying because it cannot parse argv options
# apparently, it was not required to parse options. hey.
# config.parse_options()
#addr_space = volutils.load_as(config,astype = 'any')
#print config.PROFILE
#import code
#code.interact(local=locals())
config.PROFILE = self.profile
#_target_platform.LOCATION = "file:///media/memory/private/image.dmp"
config.LOCATION = "file://%s" % self.imgname
config.PID = str(self.pid)
self.config = config
import volatility.plugins.vadinfo as vadinfo
command = vadinfo.VADWalk(config)
command.render_text = partial(my_render_text, self, command)
command.execute()
def _init_volatility(self):
#import sys
# for mod in sys.modules.keys():
# if 'parse' in mod:
# del sys.modules[mod]
# print "deleted",mod
#import sys
# if len(sys.argv) > 3:
# #sys.args=[sys.args[3]]
# sys.argv=[sys.argv[0],'-f',sys.argv[3]]
# print 'after modif',sys.argv
import volatility.conf as conf
import volatility.registry as registry
registry.PluginImporter()
config = conf.ConfObject()
import volatility.commands as commands
import volatility.addrspace as addrspace
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = self.profile
#_target_platform.LOCATION = "file:///media/memory/private/image.dmp"
config.LOCATION = "file://%s" % self.imgname
config.PID = str(self.pid)
self.config = config
import volatility.plugins.vadinfo as vadinfo
#import code
#print _target_platform.__dict__
# code.interact(local=locals())
command = vadinfo.VADWalk(config)
command.render_text = partial(my_render_text, self, command)
command.execute()
import sys
import struct
memory_file = "WinXPSP2.vmem"
sys.path.append("/Downloads/volatility-2.3.1")
import volatility.conf as conf
import volatility.registry as registry
registry.PluginImporter()
config = conf.ConfObject()
import volatility.commands as commands
import volatility.addrspace as addrspace
config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://%s" % memory_file
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
from volatility.plugins.registry.registryapi import RegistryApi
from volatility.plugins.registry.lsadump import HashDump
registry = RegistryApi(config)
registry.populate_offsets()
sam_offset = None
sys_offset = None
class Volatility(object):
config = conf.ConfObject()
cmds = {}
profile = "--profile=Linuxcentos5_5x86"
def Is_SystemCallHooked(self, vmname):
data = self.Check_SystemCall( vmname)
for ( table_name, i, call_addr, hooked) in data:
if hooked != 0:
return True
return False
def Check_SystemCall(self, vmname):
#for (table_name, i, call_addr, hooked) in data:
#if hooked == 0:
return self.ExecuteCommand(vmname, "linux_check_syscall")
def Check_ProcessName(self, vmname):
data = self.ExecuteCommand(vmname, "linux_pslist")
list = []
for task in data:
list.append(str(task.comm))
return list
def Check_Process(self, vmname):
return self.ExecuteCommand(vmname, "linux_pslist")
def Check_ProcessDump(self, vmname, pname):
outfile = "./tmp/"+pname+".2"
if not os.path.exists("./tmp"):
os.makedirs("./tmp")
self.ExecuteCommand(vmname, "linux_dump_proc_map",pname, outfile )
def ExecuteCommand(self, vmname, command, pname = None, outfile=None):
location = "-l vmi://"+vmname;
argv = self.profile+" "+location+" ";
if pname :
argv+="-n "+pname+" "
if outfile :
argv+="-O "+outfile+" "
argv+=command
#pdb.set_trace()
self.config.parse_options_from_string(argv, False)
module = self.GetModule(self.config)
return self.ExecuteModule(module, argv)
def GetModule(self, config):
for m in config.args:
if m in self.cmds.keys():
module = m
return module
if not module:
#config.parse_options()
debug.error("You must specify something to do (try -h)")
def ExecuteModule(self, module, argv):
if not module:
debug.error("You must specify something to do (try -h)")
try:
if module in self.cmds.keys():
command = self.cmds[module](self.config)
#print dir(config)
#print config.args
## Register the help cb from the command itself
#self.config.set_help_hook(obj.Curry(command_help, command))
#config.parse_options()
self.config.parse_options_from_string(argv)
#pdb.set_trace()
if not self.config.LOCATION:
debug.error("Please specify a location (-l) or filename (-f)")
data = command.execute_call()
return data
#for task in data:
# print str(task.comm)+"\t"+str(task.pid)
except exceptions.AddrSpaceError, e:
print e
def init_config(self):
"""Create a volatility configuration."""
if self.config is not None and self.addr_space is not None:
return
if not self.osprofile:
raise CuckooOperationalError(
"Can't continue to process the VM memory dump if no OS "
"profile has been defined for it. One may define its OS "
"profile using the 'osprofile' field for the VM in its "
"machinery configuration or set a global default using "
"'guest_profile' in memory.conf")
if self.osprofile not in self.profiles:
raise CuckooOperationalError(
"The profile '%s' does not exist! Please pick one of the "
"following profiles for your VMs: %s" %
(self.osprofile, ", ".join(sorted(self.profiles))))
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler("resolve")
registry.register_global_options(self.config, commands.Command)
base_conf = {
"profile": self.osprofile,
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"location": "file://%s" % self.memdump,
"plugins": None,
"debug": None,
"cache_dtb": True,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
for key, value in base_conf.items():
self.config.update(key, value)
# Deal with Volatility support for KVM/qemu memory dump.
# See: #464.
try:
self.addr_space = utils.load_as(self.config)
except exc.AddrSpaceError as e:
if self.get_dtb():
self.addr_space = utils.load_as(self.config)
elif "No suitable address space mapping found" in e.message:
raise CuckooOperationalError(
"An incorrect OS has been specified for this machine! "
"Please provide the correct one or Cuckoo won't be able "
"to provide Volatility-based results for analyses with "
"this VM.")
else:
raise
self.plugins = (registry.get_plugin_classes(commands.Command,
lower=True))
