def __init__(self):
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
#sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))
#sys.stderr.flush()
self.config.add_option("INFO", default = None, action = "store_true",
cache_invalidator = False,
help = "Print information about all registered objects")
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
registry.PluginImporter()
## Register all register_options for the various classes
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
registry.register_global_options(self.config, commands.Command)
# Reset the logging level now we know whether debug is set or not
debug.setup(self.config.DEBUG)
#pdb.set_trace()
## Try to find the first thing that looks like a module name
self.cmds = registry.get_plugin_classes(commands.Command, lower = True)
def main():
if len(sys.argv) != 4:
print "Usage: %s %s %s %s" % (sys.argv[0], "profile", "memdump", "targetprocname")
sys.exit(1)
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = sys.argv[1]
config.LOCATION = sys.argv[2]
processes = taskmods.PSList(config)
target = filter_by_name(processes, sys.argv[3])
# .text info
imagebase, va, rawsize = get_text_section_info(target)
if imagebase == None:
print "[-] Error: probably wrong .text section name"
sys.exit(1)
text_start = imagebase + va
text_end = imagebase + va + rawsize
permissions = get_vad_protect_flags(target, text_start, text_end)
print "0x%x-0x%x %s %s" % (text_start, text_end, permissions, TEXT_TAG)
# dll info
modules = get_dll_info(target)
# printing dll info
for name, info in modules.items():
dll_start = info[0]
dll_end = info[0] + info[1]
permissions = get_vad_protect_flags(target, dll_start, dll_end)
print "0x%x-0x%x %s %s" % (dll_start, dll_end, permissions, name)
# heap info
hs = get_heap_info(target)
# printing heap info
for h in hs:
heap_start = h.BaseAddress.v()
heap_end = h.LastValidEntry.v()
permissions = get_vad_protect_flags(target, heap_start, heap_end)
print "0x%x-0x%x %s %s" % (h.BaseAddress, h.LastValidEntry, permissions, HEAP_TAG)
# stack info
tebs = get_stack_info(target)
# printing stack info
for t in tebs:
stack_start = t.NtTib.StackBase.v()
stack_end = t.NtTib.StackLimit.v()
permissions = get_vad_protect_flags(target, stack_start, stack_end)
print "0x%x-0x%x %s %s" % (stack_start, stack_end, permissions, STACK_TAG)
def init_volatility():
import volatility.conf as volconf
import volatility.registry as registry
import volatility.commands as commands
import volatility.addrspace as addrspace
if hasattr(volconf, "PyREBoxVolatility"):
registry.PluginImporter()
vol_config = volconf.ConfObject()
registry.register_global_options(vol_config, commands.Command)
registry.register_global_options(vol_config,
addrspace.BaseAddressSpace)
vol_config.PROFILE = conf_m.vol_profile
# Set global volatility configuration
conf_m.vol_conf = vol_config
return True
else:
pp_error(
"""The imported volatility version is not appropriate for PyREBox:
* Your local volatility installation may be in conflict with PyREBox's volatility installation...
... set up a virtual env to avoid the conflict (see installation instructions).
* You have a virtual env for PyREBox's python dependencies, and you forgot to activate it!
... you know what to do!\n""")
return False
def main(argv=None):
setupLogging("admemanalysis.log", logging.INFO)
registry.PluginImporter()
config = conf.ConfObject()
config.add_option('OUTPUT-PATH',
default=None,
help='Where to create output files',
action='store',
type='str')
config.process_id = None
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
if not os.path.isfile("inputdata.json"):
raise NameError("Input file(inpudata.json) was not found")
data = None
with open("inputdata.json") as data_file:
data = json.load(data_file)
operations = data['operationdata']
sys.argv.append("-f")
sys.argv.append(data["filestreamtoanalyze"])
sys.argv.append("--profile")
profile = data["profiletypename"] or ProfileGeneratorClass().GetProfile()
logging.info('profile detected is {0}'.format(profile))
sys.argv.append(profile)
output_path = data.get('outputpath') or ''
config.parse_options(False)
sys.argv.append("--output-path")
sys.argv.append(output_path)
config.parse_options()
if utils.getConfigValue(operations, 'process') == True:
adprocessesfactory.ADProcesses().execute(operations, config)
if utils.getConfigValue(operations, 'drivers') == True:
addriveranddevicefactory.DriverDeviceScan().execute(config)
if utils.getConfigValue(operations, 'modules') == True:
adkernelmodulesfactory.ADKernelModules().execute(config)
if utils.getConfigValue(operations, 'sdts') == True:
adsdtfactory.ADSdtGenerator().execute(config)
if utils.getConfigValue(operations, 'yarascan') == True:
adyarascanfactory.ADYaraScan().execute("", config)
if utils.getConfigValue(operations, 'idt') == True:
processors = kpcr.doProcessors(config)
f = open(config.OUTPUT_PATH + 'processors.xml', 'w')
#f.write(processors.SerializeToString())
f.write(proto2xml(processors, indent=0))
if utils.getConfigValue(operations, 'registry') == True:
adregistryfactory.ADRegistryExtractor().execute(config)
def vol_profiles(self):
# Load available volatility profiles
prof = obj.Profile
registry.PluginImporter()
profList = sorted(
[i.__name__.split('.')[-1] for i in prof.__subclasses__()])
return profList
def __init__(self, memdump, osprofile=None):
"""@param memdump: the memdump file path
@param osprofile: the profile (OS type)
"""
registry.PluginImporter()
self.memdump = memdump
self.osprofile = osprofile
self.config = None
self.__config()
def __init__(self,
dump,
apps,
syst,
out_dir="files",
plugins_dir=None,
from_cache=True):
"""
Determines the profile, retrieves the list of processes and creates the
list of application dumpers.
:param dump: Volatility memory dump filename
:param apps: list of the application dumper classes to be handled
:param syst: list of the system dumper classes to be handled
:param out_dir: output directory for retrieved resources
:param plugins_dir: Volatility custom plugins directory
:param from_cache: boolean indicating if the profile must be retrieved
from a cache file in /tmp or found by Volatility
"""
short = dump
dump = abspath(dump)
assert isfile(dump), "{} is not a dump file".format(dump)
assert all(x in APPDUMPERS
for x in apps), "Unknown application dumper(s)"
assert all(x in SYSDUMPERS for x in syst), "Unknown system dumper(s)"
assert plugins_dir is None or isdir(plugins_dir), "Bad plugins dir"
assert isinstance(from_cache, bool)
self._artifacts = []
self._cache = {}
self._selected_apps = apps
self._selected_syst = syst
if len(self._selected_apps) == 0 and len(self._selected_syst) == 0:
logger.warning("No dumper selected")
sys.exit(0)
logger.debug("Setting output directory to '{}'...".format(out_dir))
self.out_dir = abspath(out_dir)
if not exists(self.out_dir):
os.makedirs(self.out_dir)
self._cachefile = join(self.out_dir, ".cache")
# initialize dump opening
registry.PluginImporter()
self.__is_profile_tested = False
self.config = conf.ConfObject()
if plugins_dir is not None:
plugins_dir = expanduser(plugins_dir)
logger.debug(
"Setting plugins directory to '{}'...".format(plugins_dir))
self.config.plugins = abspath(plugins_dir)
for cls in [commands.Command, addrspace.BaseAddressSpace]:
registry.register_global_options(self.config, cls)
self.__commands = {k.lower(): v for k, v in \
registry.get_plugin_classes(commands.Command).items()}
self.config.LOCATION = "file://{}".format(dump)
# get the right dump profile and test it while getting processes
logger.info("Opening dump file '{}'...".format(short))
self.__is_profile_tested = self.__get_profile(from_cache)
def __init__(self, profile, mem_path):
# Setup Vol Debugger
debug.setup()
registry.PluginImporter()
self.memdump = mem_path
self.osprofile = profile
self.config = None
self.addr_space = None
self.init_config()
def main():
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
sys.stderr.write(
"Volatility Foundation Volatility Framework {0}\n".format(
constants.VERSION
)
)
sys.stderr.flush()
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
registry.PluginImporter()
## Register all register_options for the various classes
registry.register_global_options(config, addrspace.BaseAddressSpace)
registry.register_global_options(config, commands.Command)
if config.INFO:
print_info()
sys.exit(0)
## Parse all the options now
config.parse_options(False)
# Reset the logging level now we know whether debug is set or not
debug.setup(config.DEBUG)
module = None
## Try to find the first thing that looks like a module name
cmds = registry.get_plugin_classes(commands.Command, lower=True)
for m in config.args:
if m in list(cmds.keys()):
module = m
break
if not module:
config.parse_options()
debug.error("You must specify something to do (try -h)")
try:
if module in list(cmds.keys()):
command = cmds[module](config)
## Register the help cb from the command itself
config.set_help_hook(obj.Curry(command_help, command))
config.parse_options()
if not config.LOCATION:
debug.error("Please specify a location (-l) or filename (-f)")
command.execute()
except exceptions.VolatilityException as e:
print(e)
def vol_profiles(self):
'''
Load available Volatility profiles
@return: the list of loaded Volatility profiles
'''
prof = obj.Profile
registry.PluginImporter()
profList = sorted(
[i.__name__.split('.')[-1] for i in prof.__subclasses__()])
return profList
def __init__(self, memdump, osprofile):
"""@param memdump: the memdump file path
@param osprofile: the profile (OS type)
"""
registry.PluginImporter()
self.memdump = memdump
self.osprofile = osprofile
self.config = None
self.addr_space = None
self.profiles = registry.get_plugin_classes(obj.Profile).keys()
self.init_config()
def __init__(self, path, profile='WinXPSP2x86'):
self.config = conf.ConfObject()
registry.PluginImporter()
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config,
addrspace.BaseAddressSpace)
# self.config.parse_options()
self.config.PROFILE = profile
self.config.LOCATION = "file://" + path
self.Memory = utils.load_as(self.config)
self.Processes = self.__getProcesses()
self.Threads = self.__getThreads()
def init_volatility(conf):
import volatility.conf as volconf
import volatility.registry as registry
import volatility.commands as commands
import volatility.addrspace as addrspace
registry.PluginImporter()
vol_config = volconf.ConfObject()
registry.register_global_options(vol_config, commands.Command)
registry.register_global_options(vol_config, addrspace.BaseAddressSpace)
vol_config.PROFILE = conf.vol_profile
# Set global volatility configuration
conf_m.vol_conf = vol_config
def __init__(self, profile, mem_path):
"""
setup base config
:param profile:
:param mem_path:
:return:
"""
debug.setup()
registry.PluginImporter()
self.memdump = mem_path
self.osprofile = profile
self.config = None
self.addr_space = None
self.init_config()
def main():
parser = argparse.ArgumentParser(description = "Hashed password grabber")
parser.add_argument("-mf",action="store",dest="file",help="memory file(.vmem)")
parser.add_argument("-p",action="store",dest="path",type=int,help="path to volatility")
results = parser.parse_args()
if results.file is None or results.path is None:
parser.print_help()
exit(0)
memory_file = results.file #.vmem
sys.path.append(results.path)
registry.PluginImporter()
config = conf.ConfObject()
config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://{0}".format(memory_file)
registry.register_global_options(config,commands.Command)
registry.register_global_options(config,addrspace.BaseAddressSpace)
registry = RegistryApi(config)
registry.populate_offsets()
sam_offset = None
sys_offset = None
for offset in registry.all_offsets:
if registry.all_offsets[offset].endswith("\\SAM"):
sam_offset = offset
print("[*]SAM: 0x%08x".format(offset))
if registry.all_offsets[offset].endswith("\\system"):
sys_offset = offset
print("[*]System: 0x%08x".format(offset))
if sam_offset is not None and sys_offset is not None:
config.sys_offset = sys_offset
config.sam_offset = sam_offset
hashdump = HashDump(config)
for hash in hashdump.calculate():
print(hash)
break
if sam_offset is None or sys_offset is None:
print("[*]Failed to find the system or SAM offset.")
def run_plugin_process(name, queue, config, cmds):
registry.PluginImporter()
registry.register_global_options(config, addrspace.BaseAddressSpace)
registry.register_global_options(config, commands.Command)
config.parse_options()
command = cmds[name](config)
print 'running: ' + name
try:
calc = command.calculate()
command.render_sqlite(config.OUTPUT_FILE, calc)
except Exception as err:
print name + ': ' + err.message
finally:
queue.put(name)
return
def get_address_space(service_path, profile, yara_path):
log.info("Obtaining address space and generating config for volatility")
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = profile
config.LOCATION = service_path
config.YARA_FILE = yara_path
return utils.load_as(config)
def __init__(self, image_path):
"""
Create a new Analyzer, with a given image_path
"""
registry.PluginImporter()
self.config = conf.ConfObject()
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config,
addrspace.BaseAddressSpace)
# self.config.PROFILE = "WinXPSP3x86"
self.config.LOCATION = image_path
self.config.parse_options()
def __init__(self, profile, kdbg, memimg):
'''
@profile: a Volatality profile string
@kdbg: a kdbg address string
@memimg: a memory image file name
'''
# volatility black magic
registry.PluginImporter()
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler(handler="resolve")
registry.register_global_options(self.config, commands.Command)
if memimg:
self.base_conf = {
'profile': profile,
'use_old_as': None,
'kdbg': None if kdbg is None else int(kdbg, 16),
'help': False,
'kpcr': None,
'tz': None,
'pid': None,
'output_file': None,
'physical_offset': None,
'conf_file': None,
'dtb': None,
'output': None,
'info': None,
'location': "file://" + memimg,
'plugins': None,
'debug': None,
'cache_dtb': True,
'filename': None,
'cache_directory': None,
'verbose': None,
'write': False
}
# set the default config
for k, v in self.base_conf.items():
self.config.update(k, v)
if profile == None:
profile = self.guess_profile(memimg)
sys.stderr.write("Using profile: %s\n" % profile)
def init_config():
sys.path.append("/usr/src/volatility")
origargv = sys.argv
sys.argv = [sys.argv[0], "-f", "/mnt/mem", "--profile", "LinuxDebian8x64"]
config = conf.ConfObject()
registry.PluginImporter()
registry.register_global_options(config, addrspace.BaseAddressSpace)
# Initialize address space (same as a=addrspace() in linux_volshell)
global a
a = utils.load_as(config)
global p
p = a.profile
print("in init.. p = ", p)
# Lookup kernel symbol pointing to first module
global init_task_addr
i = p.get_symbol("init_task")
init = obj.Object("task_struct", vm=a, offset=i)
def run_plugin_process(name, queue, config, cmds):
registry.PluginImporter()
registry.register_global_options(config, addrspace.BaseAddressSpace)
registry.register_global_options(config, commands.Command)
config.parse_options()
command = cmds[name](config)
print 'running: ' + name
errstr = ''
try:
calc = command.calculate()
command.render_sqlite(config.OUTPUT_FILE, calc)
#AddColumn(config.OUTPUT_FILE, name, 'profile', config.PROFILE)
except Exception as err:
print name + ': ' + err.message
errstr = err.message
finally:
result = {name:errstr}
queue.put(result)
#queue.put(name)
return
def __init__(self, queueObj):
self.config = conf.ConfObject()
self.path = queueObj.filename
self.profile = queueObj.profile
registry.PluginImporter()
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config,
addrspace.BaseAddressSpace)
self.config.parse_options(False)
profs = registry.get_plugin_classes(obj.Profile)
if self.profile != "Use Imageinfo":
self.config.PROFILE = self.profile
self.config.LOCATION = 'file://' + self.path
self.config.OUTPUT = 'sqlite'
self.config.OUTPUT_FILE = queueObj.output_path
self.config.parse_options(False)
self.config.YARA_FILE = queueObj.yara_rule
self.config.DUMP_DIR = queueObj.dump_dir
self.config.PID = queueObj.pid
def _init_volatility(self):
#import sys
# for mod in sys.modules.keys():
# if 'parse' in mod:
# del sys.modules[mod]
# print "deleted",mod
#import sys
# if len(sys.argv) > 3:
# #sys.args=[sys.args[3]]
# sys.argv=[sys.argv[0],'-f',sys.argv[3]]
# print 'after modif',sys.argv
import volatility.conf as conf
import volatility.registry as registry
registry.PluginImporter()
config = conf.ConfObject()
import volatility.commands as commands
import volatility.addrspace as addrspace
import volatility.utils as volutils
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
# Dying because it cannot parse argv options
# apparently, it was not required to parse options. hey.
# config.parse_options()
#addr_space = volutils.load_as(config,astype = 'any')
#print config.PROFILE
#import code
#code.interact(local=locals())
config.PROFILE = self.profile
#_target_platform.LOCATION = "file:///media/memory/private/image.dmp"
config.LOCATION = "file://%s" % self.imgname
config.PID = str(self.pid)
self.config = config
import volatility.plugins.vadinfo as vadinfo
command = vadinfo.VADWalk(config)
command.render_text = partial(my_render_text, self, command)
command.execute()
def _init_volatility(self):
#import sys
# for mod in sys.modules.keys():
# if 'parse' in mod:
# del sys.modules[mod]
# print "deleted",mod
#import sys
# if len(sys.argv) > 3:
# #sys.args=[sys.args[3]]
# sys.argv=[sys.argv[0],'-f',sys.argv[3]]
# print 'after modif',sys.argv
import volatility.conf as conf
import volatility.registry as registry
registry.PluginImporter()
config = conf.ConfObject()
import volatility.commands as commands
import volatility.addrspace as addrspace
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = self.profile
#_target_platform.LOCATION = "file:///media/memory/private/image.dmp"
config.LOCATION = "file://%s" % self.imgname
config.PID = str(self.pid)
self.config = config
import volatility.plugins.vadinfo as vadinfo
#import code
#print _target_platform.__dict__
# code.interact(local=locals())
command = vadinfo.VADWalk(config)
command.render_text = partial(my_render_text, self, command)
command.execute()
import sys
import struct
memory_file = "WinXPSP2.vmem"
sys.path.append("/Downloads/volatility-2.3.1")
import volatility.conf as conf
import volatility.registry as registry
registry.PluginImporter()
config = conf.ConfObject()
import volatility.commands as commands
import volatility.addrspace as addrspace
config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://%s" % memory_file
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
from volatility.plugins.registry.registryapi import RegistryApi
from volatility.plugins.registry.lsadump import HashDump
registry = RegistryApi(config)
registry.populate_offsets()
sam_offset = None
sys_offset = None
def __init__(self, data_buffer_in,
data_condition_in, src,
filepath, profile, memcache):
Input.__init__(self, data_buffer_in,
data_condition_in,
src)
self.name = 'Input Volatility'
self.module_id = Module.INPUT_VOLATILITY
self.machineguid = ""
self.memcache = memcache
if self.memcache:
self.console_print("Memcache is:" + self.memcache)
# WE CHECK IF THIS MEMORY HAS CACHE
cache_process = self.memcache+"_"+"process"
cache = False
if os.path.exists(cache_process):
with open (cache_process, 'r') as outfile:
vprocess = json.load(outfile)
cache = True
outfile.close()
cache_threads = self.memcache+"_"+"threads"
if os.path.exists(cache_threads):
with open (cache_threads, 'r') as outfile:
vthreads = json.load(outfile)
#cache = True
outfile.close()
cache_vads = self.memcache+"_"+"vads"
if os.path.exists(cache_vads):
with open (cache_vads, 'r') as outfile:
vvads = json.load(outfile)
#cache = True
outfile.close()
cache_tokens = self.memcache+"_"+"tokens"
if os.path.exists(cache_tokens):
with open (cache_tokens, 'r') as outfile:
vtokens = json.load(outfile)
#cache = True
outfile.close()
if cache:
self.console_print("Using process cache file: "+cache_process)
self.console_print("Using threads cache file: "+cache_threads)
self.console_print("Using vads cache file: "+cache_vads)
self.console_print("Using tokens cache file: "+cache_tokens)
self.send_message(vprocess)
self.send_message(vthreads)
self.send_message(vvads)
self.send_message(vtokens)
self.terminate()
sys.exit(0)
else:
self.console_print("Memcache is not found")
sys.exit(0)
self.console_print("Starting INPUT VOLATILITY analysis")
# Relative Path
filepath2 = ""
if filepath.find(":\\") == -1:
filepath2 = os.getcwd()+"\\"+filepath
self.filepath = filepath2
filepath = "file:///" + filepath2
else:
# Absolute path
self.filepath = filepath
filepath = "file:///" + filepath
self._config = conf.ConfObject()
self._config.PROFILE = profile
self._config.LOCATION = filepath
self._config.hive_offset = None
self._config.HIVE_OFFSET = None
registry.PluginImporter()
registry.register_global_options(self._config, commands.Command)
registry.register_global_options(self._config, addrspace.BaseAddressSpace)
