def __init__(self):
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
#sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))
#sys.stderr.flush()
self.config = conf.ConfObject()
self.cmds = {}
#self.profile = "--profile=Linuxcentos5_5x86"
self.vmprocessMap = {}
self.config.add_option("INFO", default = None, action = "store_true",
cache_invalidator = False,
help = "Print information about all registered objects")
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
registry.PluginImporter()
## Register all register_options for the various classes
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
registry.register_global_options(self.config, commands.Command)
# Reset the logging level now we know whether debug is set or not
debug.setup(self.config.DEBUG)
#pdb.set_trace()
## Try to find the first thing that looks like a module name
self.cmds = registry.get_plugin_classes(commands.Command, lower = True)
def main():
if len(sys.argv) != 4:
print "Usage: %s %s %s %s" % (sys.argv[0], "profile", "memdump", "targetprocname")
sys.exit(1)
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = sys.argv[1]
config.LOCATION = sys.argv[2]
processes = taskmods.PSList(config)
target = filter_by_name(processes, sys.argv[3])
# .text info
imagebase, va, rawsize = get_text_section_info(target)
if imagebase == None:
print "[-] Error: probably wrong .text section name"
sys.exit(1)
text_start = imagebase + va
text_end = imagebase + va + rawsize
permissions = get_vad_protect_flags(target, text_start, text_end)
print "0x%x-0x%x %s %s" % (text_start, text_end, permissions, TEXT_TAG)
# dll info
modules = get_dll_info(target)
# printing dll info
for name, info in modules.items():
dll_start = info[0]
dll_end = info[0] + info[1]
permissions = get_vad_protect_flags(target, dll_start, dll_end)
print "0x%x-0x%x %s %s" % (dll_start, dll_end, permissions, name)
# heap info
hs = get_heap_info(target)
# printing heap info
for h in hs:
heap_start = h.BaseAddress.v()
heap_end = h.LastValidEntry.v()
permissions = get_vad_protect_flags(target, heap_start, heap_end)
print "0x%x-0x%x %s %s" % (h.BaseAddress, h.LastValidEntry, permissions, HEAP_TAG)
# stack info
tebs = get_stack_info(target)
# printing stack info
for t in tebs:
stack_start = t.NtTib.StackBase.v()
stack_end = t.NtTib.StackLimit.v()
permissions = get_vad_protect_flags(target, stack_start, stack_end)
print "0x%x-0x%x %s %s" % (stack_start, stack_end, permissions, STACK_TAG)
def init_config(self):
"""
Volatility 설정 초기화
:return:
"""
if self.config is not None and self.addr_space is not None:
return self.config
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler("resolve")
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
base_conf = {
"profile": "WinXPSP2x86",
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"location": "file://" + self.memdump,
"plugins": 'plugins',
"debug": 4,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
self.config.parse_options()
if self.osprofile:
base_conf["profile"] = self.osprofile
self.update_config(base_conf)
# 사용가능한 플러그인 목록 저장
# self.plugins = Dictionary
# key: 플러그인 클래스 이름
# value: 플러그인 클래스 인스턴스
self.plugins = registry.get_plugin_classes(commands.Command, lower=True)
profs = registry.get_plugin_classes(obj.Profile)
profile = profs[self.config.PROFILE]()
# self.plugins에서 플러그인 리스트 추출
for cmd_name, command in self.plugins.items():
if command.is_valid_profile(profile):
self.plugin_list.append(cmd_name)
return self.config
def get_config(profile, target_path):
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = profile
config.LOCATION = "file://{0}".format(target_path)
return config
def main(argv=None):
setupLogging("admemanalysis.log",logging.INFO)
registry.PluginImporter()
config = conf.ConfObject()
config.add_option('OUTPUT-PATH', default=None,
help='Where to create output files',
action='store', type='str')
config.process_id = None
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
if not os.path.isfile("inputdata.json"):
raise NameError("Input file(inpudata.json) was not found")
data = None
with open("inputdata.json") as data_file:
data = json.load(data_file)
operations = data['operationdata']
sys.argv.append("-f")
sys.argv.append(data["filestreamtoanalyze"])
sys.argv.append("--profile")
profile = data["profiletypename"] or ProfileGeneratorClass().GetProfile()
logging.info('profile detected is {0}'.format(profile))
sys.argv.append(profile)
output_path = data.get('outputpath') or ''
config.parse_options(False)
sys.argv.append("--output-path")
sys.argv.append(output_path)
config.parse_options()
if utils.getConfigValue(operations,'process') == True:
adprocessesfactory.ADProcesses().execute(operations,config)
if utils.getConfigValue(operations,'drivers') == True:
addriveranddevicefactory.DriverDeviceScan().execute(config)
if utils.getConfigValue(operations,'modules') == True:
adkernelmodulesfactory.ADKernelModules().execute(config)
if utils.getConfigValue(operations,'sdts')== True:
adsdtfactory.ADSdtGenerator().execute(config)
if utils.getConfigValue(operations,'yarascan') == True:
adyarascanfactory.ADYaraScan().execute("",config)
if utils.getConfigValue(operations,'idt') == True:
processors = kpcr.doProcessors(config)
f = open(config.OUTPUT_PATH + 'processors.xml','w')
#f.write(processors.SerializeToString())
f.write(proto2xml(processors,indent=0))
if utils.getConfigValue(operations,'registry') == True:
adregistryfactory.ADRegistryExtractor().execute(config)
def init_volatility_config():
global config
global addr_space
registry.PluginImporter()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = 'Win7SP1x86'
mem_image_path = os.path.abspath(sys.argv[1])
config.LOCATION = 'file://' + mem_image_path
addr_space = utils.load_as(config)
def volmain(argv):
# Few modifications in original code
config.set_usage(usage = "Volatility - A memory forensics analysis platform.")
config.add_help_hook(list_plugins)
argv = argv.split(" ")
sys.argv = argv
#print sys.argv
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
registry.PluginImporter()
## Register all register_options for the various classes
registry.register_global_options(config, addrspace.BaseAddressSpace)
registry.register_global_options(config, commands.Command)
if config.INFO:
print_info()
#sys.exit(0)
## Parse all the options now
config.parse_options(False)
# Reset the logging level now we know whether debug is set or not
debug.setup(config.DEBUG)
module = None
## Try to find the first thing that looks like a module name
cmds = registry.get_plugin_classes(commands.Command, lower = True)
for m in config.args:
if m in cmds.keys():
module = m
break
if not module:
config.parse_options()
#debug.error("You must specify something to do (try -h)")
try:
if module in cmds.keys():
command = cmds[module](config)
## Register the help cb from the command itself
config.set_help_hook(obj.Curry(command_help, command))
config.parse_options()
if not config.LOCATION:
debug.error("Please specify a location (-l) or filename (-f)")
#print config.LOCATION
command.execute()
except exceptions.VolatilityException, e:
print e
def __config(self):
"""Creates a volatility configuration."""
if self.config != None and self.addr_space != None:
return self.config
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler("resolve")
registry.register_global_options(self.config, commands.Command)
base_conf = {
"profile": "WinXPSP2x86",
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"location": "file://" + self.memdump,
"plugins": None,
"debug": None,
"cache_dtb": True,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
if self.osprofile:
base_conf["profile"] = self.osprofile
for key, value in base_conf.items():
self.config.update(key, value)
# Deal with Volatility support for KVM/qemu memory dump.
# See: #464.
try:
self.addr_space = utils.load_as(self.config)
except exc.AddrSpaceError as e:
if self._get_dtb():
self.addr_space = utils.load_as(self.config)
else:
raise
self.plugins = registry.get_plugin_classes(commands.Command,
lower=True)
return self.config
def __init__(self, image_path):
"""
Create a new Analyzer, with a given image_path
"""
registry.PluginImporter()
self.config = conf.ConfObject()
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
# self.config.PROFILE = "WinXPSP3x86"
self.config.LOCATION = image_path
self.config.parse_options()
def run_plugin_process(name, queue, config, cmds):
registry.PluginImporter()
registry.register_global_options(config, addrspace.BaseAddressSpace)
registry.register_global_options(config, commands.Command)
config.parse_options()
command = cmds[name](config)
print 'running: ' + name
try:
calc = command.calculate()
command.render_sqlite(config.OUTPUT_FILE, calc)
except Exception as err:
print name + ': ' + err.message
finally:
queue.put(name)
return
def get_address_space(service_path, profile, yara_path):
log.info("Obtaining address space and generating config for volatility")
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = profile
config.LOCATION = service_path
config.YARA_FILE = yara_path
return utils.load_as(config)
def add_registry(self, config, deb):
self._config = config #conf.ConfObject()
self._debug = deb
self._debug.setup()
registry.PluginImporter()
registry.register_global_options(self._config, commands.Command)
registry.register_global_options(self._config, addrspace.BaseAddressSpace)
self._config.add_option('ENABLEDB', short_option='e',
default=False, action='store_true',
help='Enable database storage for reuse purpose')
self._config.add_option('DBPATH', short_option='m', default='mongodb://localhost:27017',
help='Specify mongodb connection url',
action='store', type='str')
self._config.parse_options()
self._debug.setup(self._config.DEBUG)
self._filename = self._config.FILENAME
def GetConfig(theFile):
#define Baseline Config
base_conf = {'profile': None,
'use_old_as': None,
'kdbg': None,
'help': False,
'kpcr': None,
'tz': None,
'pid': None,
'output_file': None,
'physical_offset': None,
'conf_file': None,
'dtb': None,
'output': 'text',
'info': None,
'location': theFile,
'plugins': None,
'debug': None,
'cache_dtb': True,
'filename': theFile,
'cache_directory': None,
'verbose': None, 'write':False}
#create volatility config object
configs = conf.ConfObject()
#set location value to file name
configs.LOCATION = theFile
#register global options for volatility functions/plugins to use
registry.register_global_options(configs, commands.Command)
registry.register_global_options(configs, addrspace.BaseAddressSpace)
#run imgageinfo plug to get extract image profile
version = GetVersion(configs)
if not version == None:
#using the base line config update our config object
for k,v in base_conf.items():
configs.update(k, v)
#set config object profile to the version extracted
configs.update('profile', version)
#return config object to be used with our plugins
return configs
else:
return None
def __init__(self, profile, kdbg, memimg):
'''
@profile: a Volatality profile string
@kdbg: a kdbg address string
@memimg: a memory image file name
'''
# volatility black magic
registry.PluginImporter()
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler(handler="resolve")
registry.register_global_options(self.config, commands.Command)
if memimg:
self.base_conf = {'profile': profile,
'use_old_as': None,
'kdbg': None if kdbg is None else int(kdbg, 16),
'help': False,
'kpcr': None,
'tz': None,
'pid': None,
'output_file': None,
'physical_offset': None,
'conf_file': None,
'dtb': None,
'output': None,
'info': None,
'location': "file://" + memimg,
'plugins': None,
'debug': None,
'cache_dtb': True,
'filename': None,
'cache_directory': None,
'verbose': None,
'write': False}
# set the default config
for k, v in self.base_conf.items():
self.config.update(k, v)
if profile == None:
profile = self.guess_profile(memimg)
sys.stderr.write("Using profile: %s\n" % profile)
def init_config(self):
"""Creates a volatility configuration."""
if self.config is not None and self.addr_space is not None:
return self.config
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler("resolve")
registry.register_global_options(self.config, commands.Command)
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
base_conf = {
"profile": "WinXPSP2x86",
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"location": "file://" + self.memdump,
"plugins": None,
"debug": 4,
"cache_dtb": True,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
if self.osprofile:
base_conf["profile"] = self.osprofile
for key, value in base_conf.items():
self.config.update(key, value)
self.plugins = registry.get_plugin_classes(commands.Command, lower=True)
return self.config
def run_plugin_process(name, queue, config, cmds):
registry.PluginImporter()
registry.register_global_options(config, addrspace.BaseAddressSpace)
registry.register_global_options(config, commands.Command)
config.parse_options()
command = cmds[name](config)
print 'running: ' + name
errstr = ''
try:
calc = command.calculate()
command.render_sqlite(config.OUTPUT_FILE, calc)
#AddColumn(config.OUTPUT_FILE, name, 'profile', config.PROFILE)
except Exception as err:
print name + ': ' + err.message
errstr = err.message
finally:
result = {name:errstr}
queue.put(result)
#queue.put(name)
return
def _init_volatility(self):
#import sys
# for mod in sys.modules.keys():
# if 'parse' in mod:
# del sys.modules[mod]
# print "deleted",mod
#import sys
# if len(sys.argv) > 3:
# #sys.args=[sys.args[3]]
# sys.argv=[sys.argv[0],'-f',sys.argv[3]]
# print 'after modif',sys.argv
import volatility.conf as conf
import volatility.registry as registry
registry.PluginImporter()
config = conf.ConfObject()
import volatility.commands as commands
import volatility.addrspace as addrspace
import volatility.utils as volutils
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
# Dying because it cannot parse argv options
# apparently, it was not required to parse options. hey.
# config.parse_options()
#addr_space = volutils.load_as(config,astype = 'any')
#print config.PROFILE
#import code
#code.interact(local=locals())
config.PROFILE = self.profile
#_target_platform.LOCATION = "file:///media/memory/private/image.dmp"
config.LOCATION = "file://%s" % self.imgname
config.PID = str(self.pid)
self.config = config
import volatility.plugins.vadinfo as vadinfo
command = vadinfo.VADWalk(config)
command.render_text = partial(my_render_text, self, command)
command.execute()
def init_volatility():
import volatility.conf as volconf
import volatility.registry as registry
import volatility.commands as commands
import volatility.addrspace as addrspace
if hasattr(volconf, "PyREBoxVolatility"):
registry.PluginImporter()
vol_config = volconf.ConfObject()
registry.register_global_options(vol_config, commands.Command)
registry.register_global_options(vol_config, addrspace.BaseAddressSpace)
vol_config.PROFILE = conf_m.vol_profile
# Set global volatility configuration
conf_m.vol_conf = vol_config
return True
else:
pp_error("""The imported volatility version is not appropriate for PyREBox:
* Your local volatility installation may be in conflict with PyREBox's volatility installation...
... set up a virtual env to avoid the conflict (see installation instructions).
* You have a virtual env for PyREBox's python dependencies, and you forgot to activate it!
... you know what to do!\n""")
return False
def _init_volatility(self):
#import sys
# for mod in sys.modules.keys():
# if 'parse' in mod:
# del sys.modules[mod]
# print "deleted",mod
#import sys
# if len(sys.argv) > 3:
# #sys.args=[sys.args[3]]
# sys.argv=[sys.argv[0],'-f',sys.argv[3]]
# print 'after modif',sys.argv
import volatility.conf as conf
import volatility.registry as registry
registry.PluginImporter()
config = conf.ConfObject()
import volatility.commands as commands
import volatility.addrspace as addrspace
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = self.profile
#_target_platform.LOCATION = "file:///media/memory/private/image.dmp"
config.LOCATION = "file://%s" % self.imgname
config.PID = str(self.pid)
self.config = config
import volatility.plugins.vadinfo as vadinfo
#import code
#print _target_platform.__dict__
# code.interact(local=locals())
command = vadinfo.VADWalk(config)
command.render_text = partial(my_render_text, self, command)
command.execute()
def init_config(self):
"""Creates a volatility configuration."""
if self.config is not None and self.addr_space is not None:
return
if not self.osprofile:
raise CuckooOperationalError(
"Can't continue to process the VM memory dump if no OS "
"profile has been defined for it. One may define its OS "
"profile using the 'osprofile' field for the VM in its "
"machinery configuration or set a global default using "
"'guest_profile' in memory.conf"
)
if self.osprofile not in self.profiles:
raise CuckooOperationalError(
"The profile '%s' does not exist! Please pick one of the "
"following profiles for your VMs: %s" %
(self.osprofile, ", ".join(sorted(self.profiles)))
)
self.config = conf.ConfObject()
self.config.optparser.set_conflict_handler("resolve")
registry.register_global_options(self.config, commands.Command)
base_conf = {
"profile": self.osprofile,
"use_old_as": None,
"kdbg": None,
"help": False,
"kpcr": None,
"tz": None,
"pid": None,
"output_file": None,
"physical_offset": None,
"conf_file": None,
"dtb": None,
"output": None,
"info": None,
"location": "file://%s" % self.memdump,
"plugins": None,
"debug": None,
"cache_dtb": True,
"filename": None,
"cache_directory": None,
"verbose": None,
"write": False
}
for key, value in base_conf.items():
self.config.update(key, value)
# Deal with Volatility support for KVM/qemu memory dump.
# See: #464.
try:
self.addr_space = utils.load_as(self.config)
except exc.AddrSpaceError as e:
if self.get_dtb():
self.addr_space = utils.load_as(self.config)
elif "No suitable address space mapping found" in e.message:
raise CuckooOperationalError(
"An incorrect OS has been specified for this machine! "
"Please provide the correct one or Cuckoo won't be able "
"to provide Volatility-based results for analyses with "
"this VM."
)
else:
raise
self.plugins = (
registry.get_plugin_classes(commands.Command, lower=True)
)
def main():
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
sys.stderr.write("Volatility Foundation Volatility Framework {0}\n".format(constants.VERSION))
sys.stderr.flush()
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
registry.PluginImporter()
## Register all register_options for the various classes
registry.register_global_options(config, addrspace.BaseAddressSpace)
registry.register_global_options(config, commands.Command)
if config.INFO:
print_info()
sys.exit(0)
## Parse all the options now
config.parse_options(False)
# Reset the logging level now we know whether debug is set or not
debug.setup(config.DEBUG)
module = None
## Try to find the first thing that looks like a module name
cmds = registry.get_plugin_classes(commands.Command, lower = True)
for m in config.args:
if m in cmds.keys():
module = m
break
if not module:
config.parse_options()
debug.error("You must specify something to do (try -h)")
try:
if module in cmds.keys():
command = cmds[module](config)
import traceback
## Register the help cb from the command itself
config.set_help_hook(obj.Curry(command_help, command))
config.parse_options()
if config.XENDOMAIN:
conn = libvirt.open("xen:///")
if conn == None:
debug.error("Failed to open connection to the hypervisor")
try:
dom = conn.lookupByName(config.XENDOMAIN)
if dom == None:
debug.error("Cannot find guest to be dumped")
print "Domain: id %d running %s" % (dom.ID(), dom.OSType())
filepath = "/tmp/" + config.XENDOMAIN
os.remove(filepath) if os.path.exists(filepath) else None
snapshot = False
if snapshot:
if dom.save(filepath) < 0:
debug.error("Unable save guest to %s" % filepath)
print "Chosen guest saved to %s" % filepath
id = conn.restore(filepath)
if id < 0:
debug.error('Unable to restore chosen guest from file %s' % filepath)
dom = conn.lookupByName(config.XENDOMAIN)
if dom == None:
debug.error("Domain wasn't restored from file %s" % filepath)
print "Guest memory snapshot complete! Location: %s" % filepath
else:
if dom.coreDump(filepath, flags = libvirt.VIR_DUMP_LIVE) < 0:
debug.error("Unable to dump guest")
print "Chosen guest dumped to %s" % filepath
if dom == None:
debug.error("Domain crashed!")
print "Guest memory dump complete! Location: %s" % filepath
conn.close()
config.LOCATION = "file://" + filepath
except:
print traceback.format_exc()
debug.error("Failed to find domain")
if not config.LOCATION and not config.XENDOMAIN:
debug.error("Please specify filename (-f) or XEN domain (-x)")
command.execute()
except exceptions.VolatilityException, e:
print e
for row in rows:
print format % tuple(row)
# imports
from filecmp import dircmp
import volatility.conf as conf
import volatility.registry as registry
import volatility.commands as commands
import volatility.addrspace as addrspace
import volatility.utils as utils
import volatility.plugins.linux as linux
# load up some pseudo data
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
# default config
base_conf = {'profile': 'LinuxUbuntu1404x64',
'use_old_as': None,
'kdbg': None,
'help': False,
'kpcr': None,
'tz': None,
'pid': None,
'output_file': None,
'physical_offset': None,
'conf_file': None,
'dtb': None,
'output': None,
def main(argv=None):
setupLogging("admemanalysis.log", logging.INFO)
registry.PluginImporter()
config = conf.ConfObject()
config.add_option('OUTPUT-PATH',
default=None,
help='Where to create output files',
action='store',
type='str')
config.process_id = None
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
if not os.path.isfile("inputdata.json"):
raise NameError("Input file(inputdata.json) was not found")
data = None
with open("inputdata.json") as data_file:
data = json.load(data_file)
operations = data['operationdata']
sys.argv.append("-f")
sys.argv.append(data["filestreamtoanalyze"])
sys.argv.append("--profile")
profile = data["profiletypename"] or ProfileGeneratorClass().GetProfile()
logging.info('profile detected is {0}'.format(profile))
sys.argv.append(profile)
output_path = data.get('outputpath') or ''
yrd = data.get('yararulesdirectory') or ''
config.parse_options(False)
sys.argv.append("--output-path")
sys.argv.append(output_path)
if os.path.isfile("kdcopydatablock.txt"):
with open("kdcopydatablock.txt") as kdfile:
kddata = kdfile.readline()
logging.debug('read from file %s', kddata)
sys.argv.append("--kdbg")
sys.argv.append(kddata)
config.parse_options()
if utils.getConfigValue(operations, 'process') == True:
adprocessesfactory.ADProcesses().execute(operations, config, yrd)
if utils.getConfigValue(operations, 'drivers') == True:
addriveranddevicefactory.DriverDeviceScan().execute(config)
if utils.getConfigValue(operations, 'modules') == True:
adkernelmodulesfactory.ADKernelModules().execute(config)
if utils.getConfigValue(operations, 'sdts') == True:
adsdtfactory.ADSdtGenerator().execute(config)
if utils.getConfigValue(operations, 'idt') == True:
processors = kpcr.doProcessors(config)
f = open(config.OUTPUT_PATH + 'processors.xml', 'w')
#f.write(processors.SerializeToString())
f.write(proto2xml(processors, indent=0))
if utils.getConfigValue(operations, 'registry') == True:
adregistryfactory.ADRegistryExtractor().execute(config)
# basic recreation of the connections
# command using Volatility Framework
# as a Library
import volatility.conf as conf
import volatility.registry as registry
import volatility.commands as commands
import volatility.win32.network as network
import volatility.utils as utils
# configure volatility
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
the_file = "file:///winxpsp3_analysis_img.bin"
# default config (note my .volatilityrc is missing some values,
# so I just used pdb to figure out which values needed setting
base_conf = {'profile': 'WinXPSP3x86',
'use_old_as': None,
'kdbg': None,
'help': False,
'kpcr': None,
'tz': None,
'pid': None,
'output_file': None,
'physical_offset': None,
'conf_file': None,
'dtb': None,
'output': None,
def __init__(self, data_buffer_in,
data_condition_in, src,
filepath, profile, memcache):
Input.__init__(self, data_buffer_in,
data_condition_in,
src)
self.name = 'Input Volatility'
self.module_id = Module.INPUT_VOLATILITY
self.machineguid = ""
self.memcache = memcache
if self.memcache:
self.console_print("Memcache is:" + self.memcache)
# WE CHECK IF THIS MEMORY HAS CACHE
cache_process = self.memcache+"_"+"process"
cache = False
if os.path.exists(cache_process):
with open (cache_process, 'r') as outfile:
vprocess = json.load(outfile)
cache = True
outfile.close()
cache_threads = self.memcache+"_"+"threads"
if os.path.exists(cache_threads):
with open (cache_threads, 'r') as outfile:
vthreads = json.load(outfile)
#cache = True
outfile.close()
cache_vads = self.memcache+"_"+"vads"
if os.path.exists(cache_vads):
with open (cache_vads, 'r') as outfile:
vvads = json.load(outfile)
#cache = True
outfile.close()
cache_tokens = self.memcache+"_"+"tokens"
if os.path.exists(cache_tokens):
with open (cache_tokens, 'r') as outfile:
vtokens = json.load(outfile)
#cache = True
outfile.close()
if cache:
self.console_print("Using process cache file: "+cache_process)
self.console_print("Using threads cache file: "+cache_threads)
self.console_print("Using vads cache file: "+cache_vads)
self.console_print("Using tokens cache file: "+cache_tokens)
self.send_message(vprocess)
self.send_message(vthreads)
self.send_message(vvads)
self.send_message(vtokens)
self.terminate()
sys.exit(0)
else:
self.console_print("Memcache is not found")
sys.exit(0)
self.console_print("Starting INPUT VOLATILITY analysis")
# Relative Path
filepath2 = ""
if filepath.find(":\\") == -1:
filepath2 = os.getcwd()+"\\"+filepath
self.filepath = filepath2
filepath = "file:///" + filepath2
else:
# Absolute path
self.filepath = filepath
filepath = "file:///" + filepath
self._config = conf.ConfObject()
self._config.PROFILE = profile
self._config.LOCATION = filepath
self._config.hive_offset = None
self._config.HIVE_OFFSET = None
registry.PluginImporter()
registry.register_global_options(self._config, commands.Command)
registry.register_global_options(self._config, addrspace.BaseAddressSpace)
def main():
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))
sys.stderr.flush()
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
registry.PluginImporter()
## Register all register_options for the various classes
registry.register_global_options(config, addrspace.BaseAddressSpace)
registry.register_global_options(config, commands.Command)
if config.INFO:
print_info()
sys.exit(0)
## Parse all the options now
config.parse_options(False)
# Reset the logging level now we know whether debug is set or not
debug.setup(config.DEBUG)
module = None
## Try to find the first thing that looks like a module name
cmds = registry.get_plugin_classes(commands.Command, lower = True)
for m in config.args:
if m in cmds.keys():
module = m
break
if not module:
config.parse_options()
debug.error("You must specify something to do (try -h)")
try:
if module in cmds.keys():
command = cmds[module](config)
## Register the help cb from the command itself
config.set_help_hook(obj.Curry(command_help, command))
config.parse_options()
if not config.LOCATION and not config.GDB:
debug.error("Please specify a location (-l) or filename (-f)")
# from pprint import pprint
# print "g_dict"
# pprint(config.g_dict)
# print "cnf_opts"
# pprint(config.cnf_opts)
# print "opts"
# pprint(config.opts)
# print "args"
# pprint(config.args)
# print "default_opts"
# pprint(config.default_opts)
# print "docstrings"
# pprint(config.docstrings)
# print "optparse_opts"
# pprint(config.optparse_opts)
# print "_filename"
# pprint(config._filename)
# print "_filenames"
# pprint(config._filenames)
# print "readonly"
# pprint(config.readonly)
# print "_absolute"
# pprint(config._absolute)
# print "options"
# pprint(config.options)
command.execute()
except exceptions.VolatilityException, e:
print e
sc_fd = open("cmeasure.bin","rb")
sc = sc_fd.read()
sc_fd.close()
sys.path.append("/Users/justin/Downloads/volatility-2.3.1")
import volatility.conf as conf
import volatility.registry as registry
registry.PluginImporter()
config = conf.ConfObject()
import volatility.commands as commands
import volatility.addrspace as addrspace
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)
config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://%s" % memory_file
import volatility.plugins.taskmods as taskmods
p = taskmods.PSList(config)
for process in p.calculate():
if str(process.ImageFileName) == "calc.exe":
print "[*] Found calc.exe with PID %d" % process.UniqueProcessId