def __init__(self):	

	    # Get the version information on every output from the beginning
	    # Exceptionally useful for debugging/telling people what's going on
	    #sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))
	    #sys.stderr.flush()
	    self.config = conf.ConfObject()
	    self.cmds = {}
	    #self.profile = "--profile=Linuxcentos5_5x86"
	    self.vmprocessMap = {}

	    self.config.add_option("INFO", default = None, action = "store_true",
			  cache_invalidator = False,
			  help = "Print information about all registered objects")

	    # Setup the debugging format
	    debug.setup()
	    # Load up modules in case they set config options
	    registry.PluginImporter()

	    ## Register all register_options for the various classes
	    registry.register_global_options(self.config, addrspace.BaseAddressSpace)
	    registry.register_global_options(self.config, commands.Command)

	# Reset the logging level now we know whether debug is set or not
	    debug.setup(self.config.DEBUG)
	    
	    #pdb.set_trace()
	    
	    ## Try to find the first thing that looks like a module name
	    self.cmds = registry.get_plugin_classes(commands.Command, lower = True)
Esempio n. 2
0
def main():
    if len(sys.argv) != 4:
        print "Usage: %s %s %s %s" % (sys.argv[0], "profile", "memdump", "targetprocname")
        sys.exit(1)

    registry.PluginImporter()
    config = conf.ConfObject()

    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    config.parse_options()
    
    config.PROFILE = sys.argv[1] 
    config.LOCATION = sys.argv[2]

    processes = taskmods.PSList(config)
    
    target = filter_by_name(processes, sys.argv[3])
     
    # .text info
    imagebase, va, rawsize = get_text_section_info(target)
    
    if imagebase == None:
        print "[-] Error: probably wrong .text section name"
        sys.exit(1)
    
    text_start = imagebase + va
    text_end = imagebase + va + rawsize
    permissions = get_vad_protect_flags(target, text_start, text_end)
    print "0x%x-0x%x %s %s" % (text_start, text_end, permissions, TEXT_TAG)

    # dll info
    modules = get_dll_info(target)

    # printing dll info
    for name, info in modules.items():
        dll_start = info[0]
        dll_end = info[0] + info[1]
        permissions = get_vad_protect_flags(target, dll_start, dll_end)
        print "0x%x-0x%x %s %s" % (dll_start, dll_end, permissions, name)
    
    # heap info
    hs = get_heap_info(target)
    
    # printing heap info
    for h in hs:
        heap_start = h.BaseAddress.v()
        heap_end = h.LastValidEntry.v()
        permissions = get_vad_protect_flags(target, heap_start, heap_end)
        print "0x%x-0x%x %s %s" % (h.BaseAddress, h.LastValidEntry, permissions, HEAP_TAG)

    # stack info
    tebs = get_stack_info(target)
    
    # printing stack info
    for t in tebs:
        stack_start = t.NtTib.StackBase.v()
        stack_end = t.NtTib.StackLimit.v()
        permissions = get_vad_protect_flags(target, stack_start, stack_end)
        print "0x%x-0x%x %s %s" % (stack_start, stack_end, permissions, STACK_TAG)
Esempio n. 3
0
    def init_config(self):
        """
        Volatility 설정 초기화
        :return:
        """

        if self.config is not None and self.addr_space is not None:
            return self.config

        self.config = conf.ConfObject()
        self.config.optparser.set_conflict_handler("resolve")

        registry.register_global_options(self.config, commands.Command)
        registry.register_global_options(self.config, addrspace.BaseAddressSpace)

        base_conf = {
            "profile": "WinXPSP2x86",
            "use_old_as": None,
            "kdbg": None,
            "help": False,
            "kpcr": None,
            "tz": None,
            "pid": None,
            "output_file": None,
            "physical_offset": None,
            "conf_file": None,
            "dtb": None,
            "output": None,
            "info": None,
            "location": "file://" + self.memdump,
            "plugins": 'plugins',
            "debug": 4,
            "filename": None,
            "cache_directory": None,
            "verbose": None,
            "write": False
        }

        self.config.parse_options()

        if self.osprofile:
            base_conf["profile"] = self.osprofile

        self.update_config(base_conf)
        # 사용가능한 플러그인 목록 저장
        # self.plugins = Dictionary
        #   key: 플러그인 클래스 이름
        #   value: 플러그인 클래스 인스턴스
        self.plugins = registry.get_plugin_classes(commands.Command, lower=True)

        profs = registry.get_plugin_classes(obj.Profile)
        profile = profs[self.config.PROFILE]()

        # self.plugins에서 플러그인 리스트 추출
        for cmd_name, command in self.plugins.items():
            if command.is_valid_profile(profile):
                self.plugin_list.append(cmd_name)

        return self.config
Esempio n. 4
0
def get_config(profile, target_path):
   config = conf.ConfObject()
   registry.register_global_options(config, commands.Command)
   registry.register_global_options(config, addrspace.BaseAddressSpace)
   config.parse_options()
   config.PROFILE = profile
   config.LOCATION = "file://{0}".format(target_path)
   return config 
Esempio n. 5
0
def main(argv=None):
    setupLogging("admemanalysis.log",logging.INFO)
    registry.PluginImporter()
    config = conf.ConfObject()
    config.add_option('OUTPUT-PATH', default=None,
                      help='Where to create output files',
                      action='store', type='str')
    config.process_id = None
    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)

    if not os.path.isfile("inputdata.json"):
        raise NameError("Input file(inpudata.json) was not found")
    data = None

    with open("inputdata.json") as data_file:
        data = json.load(data_file)
    operations = data['operationdata']

    sys.argv.append("-f")
    sys.argv.append(data["filestreamtoanalyze"])
    sys.argv.append("--profile")
    profile = data["profiletypename"] or ProfileGeneratorClass().GetProfile()
    logging.info('profile detected is {0}'.format(profile))
    sys.argv.append(profile)

    output_path = data.get('outputpath') or ''

    config.parse_options(False)
    sys.argv.append("--output-path")
    sys.argv.append(output_path)

    config.parse_options()

    if utils.getConfigValue(operations,'process') == True:
        adprocessesfactory.ADProcesses().execute(operations,config)

    if utils.getConfigValue(operations,'drivers') == True:
        addriveranddevicefactory.DriverDeviceScan().execute(config)

    if utils.getConfigValue(operations,'modules') == True:
        adkernelmodulesfactory.ADKernelModules().execute(config)

    if utils.getConfigValue(operations,'sdts')== True:
        adsdtfactory.ADSdtGenerator().execute(config)

    if utils.getConfigValue(operations,'yarascan') == True:
        adyarascanfactory.ADYaraScan().execute("",config)

    if utils.getConfigValue(operations,'idt') == True:
        processors = kpcr.doProcessors(config)
        f = open(config.OUTPUT_PATH + 'processors.xml','w')
        #f.write(processors.SerializeToString())
        f.write(proto2xml(processors,indent=0))

    if utils.getConfigValue(operations,'registry') == True:
        adregistryfactory.ADRegistryExtractor().execute(config)
Esempio n. 6
0
def init_volatility_config():
    global config
    global addr_space
    registry.PluginImporter()
    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    config.parse_options()
    config.PROFILE = 'Win7SP1x86'
    mem_image_path = os.path.abspath(sys.argv[1])
    config.LOCATION = 'file://' + mem_image_path
    addr_space = utils.load_as(config)
Esempio n. 7
0
def volmain(argv):
    # Few modifications in original code
    config.set_usage(usage = "Volatility - A memory forensics analysis platform.")
    config.add_help_hook(list_plugins)
    argv = argv.split(" ")
    sys.argv = argv
    #print sys.argv
    # Get the version information on every output from the beginning
    # Exceptionally useful for debugging/telling people what's going on
    sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))

    # Setup the debugging format
    debug.setup()
    # Load up modules in case they set config options
    registry.PluginImporter()	
    ## Register all register_options for the various classes
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    registry.register_global_options(config, commands.Command)
    	
    if config.INFO:
        print_info()
        #sys.exit(0)

    ## Parse all the options now
    config.parse_options(False)
    # Reset the logging level now we know whether debug is set or not
    debug.setup(config.DEBUG)

    module = None
    ## Try to find the first thing that looks like a module name
    cmds = registry.get_plugin_classes(commands.Command, lower = True)
    for m in config.args:
        if m in cmds.keys():
            module = m
            break

    if not module:
        config.parse_options()
        #debug.error("You must specify something to do (try -h)")

    try:
        if module in cmds.keys():
            command = cmds[module](config)
            ## Register the help cb from the command itself
            config.set_help_hook(obj.Curry(command_help, command))
            config.parse_options()
            if not config.LOCATION:
                debug.error("Please specify a location (-l) or filename (-f)")
            #print config.LOCATION
            command.execute()
    except exceptions.VolatilityException, e:
        print e
Esempio n. 8
0
    def __config(self):
        """Creates a volatility configuration."""
        if self.config != None and self.addr_space != None:
            return self.config

        self.config = conf.ConfObject()
        self.config.optparser.set_conflict_handler("resolve")
        registry.register_global_options(self.config, commands.Command)
        base_conf = {
            "profile": "WinXPSP2x86",
            "use_old_as": None,
            "kdbg": None,
            "help": False,
            "kpcr": None,
            "tz": None,
            "pid": None,
            "output_file": None,
            "physical_offset": None,
            "conf_file": None,
            "dtb": None,
            "output": None,
            "info": None,
            "location": "file://" + self.memdump,
            "plugins": None,
            "debug": None,
            "cache_dtb": True,
            "filename": None,
            "cache_directory": None,
            "verbose": None,
            "write": False
        }

        if self.osprofile:
            base_conf["profile"] = self.osprofile

        for key, value in base_conf.items():
            self.config.update(key, value)

        # Deal with Volatility support for KVM/qemu memory dump.
        # See: #464.
        try:
          self.addr_space = utils.load_as(self.config)
        except exc.AddrSpaceError as e:
          if self._get_dtb():
              self.addr_space = utils.load_as(self.config)
          else:
              raise

        self.plugins = registry.get_plugin_classes(commands.Command,
                                                   lower=True)

        return self.config
    def __init__(self, image_path):
        """
        Create a new Analyzer, with a given image_path
        """
        registry.PluginImporter()

        self.config = conf.ConfObject()

        registry.register_global_options(self.config, commands.Command)
        registry.register_global_options(self.config, addrspace.BaseAddressSpace)

        # self.config.PROFILE = "WinXPSP3x86"
        self.config.LOCATION = image_path

        self.config.parse_options()
Esempio n. 10
0
def run_plugin_process(name, queue, config, cmds):
    registry.PluginImporter()
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    registry.register_global_options(config, commands.Command)
    config.parse_options()
    command = cmds[name](config)
    print 'running: ' + name
    try:
        calc = command.calculate()
        command.render_sqlite(config.OUTPUT_FILE, calc)
    except Exception as err:
        print name + ': ' + err.message
    finally:
        queue.put(name)
    return
Esempio n. 11
0
def get_address_space(service_path, profile, yara_path):
    log.info("Obtaining address space and generating config for volatility")

    registry.PluginImporter()
    config = conf.ConfObject()

    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)

    config.parse_options()
    config.PROFILE = profile
    config.LOCATION = service_path
    config.YARA_FILE = yara_path

    return utils.load_as(config)
Esempio n. 12
0
 def add_registry(self, config, deb):
     self._config = config #conf.ConfObject()
     self._debug = deb
     self._debug.setup()
     registry.PluginImporter()
     registry.register_global_options(self._config, commands.Command)
     registry.register_global_options(self._config, addrspace.BaseAddressSpace)
     self._config.add_option('ENABLEDB', short_option='e', 
                             default=False, action='store_true',
                             help='Enable database storage for reuse purpose')   
     self._config.add_option('DBPATH', short_option='m', default='mongodb://localhost:27017', 
                             help='Specify mongodb connection url', 
                             action='store', type='str')
     self._config.parse_options()
     self._debug.setup(self._config.DEBUG)
     self._filename = self._config.FILENAME
Esempio n. 13
0
def GetConfig(theFile):

#define Baseline Config
    base_conf = {'profile': None,
                 'use_old_as': None, 
                 'kdbg': None, 
                 'help': False, 
                 'kpcr': None, 
                 'tz': None, 
                 'pid': None, 
                 'output_file': None, 
                 'physical_offset': None, 
                 'conf_file': None, 
                 'dtb': None, 
                 'output': 'text', 
                 'info': None, 
                 'location': theFile, 
                 'plugins': None, 
                 'debug': None, 
                 'cache_dtb': True, 
                 'filename': theFile,
                 'cache_directory': None, 
                 'verbose': None, 'write':False}
    #create volatility config object
    configs = conf.ConfObject()
    #set location value to file name
    configs.LOCATION = theFile
    #register global options for volatility functions/plugins to use
    registry.register_global_options(configs, commands.Command)
    registry.register_global_options(configs, addrspace.BaseAddressSpace)
    
    #run imgageinfo plug to get extract image profile 
    version = GetVersion(configs) 
    if not version == None:
        #using the base line config update our config object
        for k,v in base_conf.items():
            configs.update(k, v)
        #set config object profile to the version extracted 
        configs.update('profile', version)    
        #return config object to be used with our plugins
        return configs
    else:
        return None
Esempio n. 14
0
    def __init__(self, profile, kdbg, memimg):
        '''
        @profile: a Volatality profile string
        @kdbg: a kdbg address string
        @memimg: a memory image file name
        '''
        # volatility black magic
        registry.PluginImporter()
        self.config = conf.ConfObject()
        self.config.optparser.set_conflict_handler(handler="resolve")
        registry.register_global_options(self.config, commands.Command)

        if memimg:
          
            self.base_conf = {'profile': profile,
                'use_old_as': None,
                'kdbg': None if kdbg is None else int(kdbg, 16),
                'help': False,
                'kpcr': None,
                'tz': None,
                'pid': None,
                'output_file': None,
                'physical_offset': None,
                'conf_file': None,
                'dtb': None,
                'output': None,
                'info': None,
                'location': "file://" + memimg,
                'plugins': None,
                'debug': None,
                'cache_dtb': True,
                'filename': None,
                'cache_directory': None,
                'verbose': None,
                'write': False}

            # set the default config
            for k, v in self.base_conf.items():
                self.config.update(k, v)
         
            if profile == None:
                profile = self.guess_profile(memimg)
                sys.stderr.write("Using profile: %s\n" % profile)     
Esempio n. 15
0
    def init_config(self):
        """Creates a volatility configuration."""
        if self.config is not None and self.addr_space is not None:
            return self.config

        self.config = conf.ConfObject()
        self.config.optparser.set_conflict_handler("resolve")
        registry.register_global_options(self.config, commands.Command)
        registry.register_global_options(self.config, addrspace.BaseAddressSpace)
        base_conf = {
            "profile": "WinXPSP2x86",
            "use_old_as": None,
            "kdbg": None,
            "help": False,
            "kpcr": None,
            "tz": None,
            "pid": None,
            "output_file": None,
            "physical_offset": None,
            "conf_file": None,
            "dtb": None,
            "output": None,
            "info": None,
            "location": "file://" + self.memdump,
            "plugins": None,
            "debug": 4,
            "cache_dtb": True,
            "filename": None,
            "cache_directory": None,
            "verbose": None,
            "write": False
        }

        if self.osprofile:
            base_conf["profile"] = self.osprofile

        for key, value in base_conf.items():
            self.config.update(key, value)

        self.plugins = registry.get_plugin_classes(commands.Command, lower=True)

        return self.config
Esempio n. 16
0
def run_plugin_process(name, queue, config, cmds):
    registry.PluginImporter()
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    registry.register_global_options(config, commands.Command)
    config.parse_options()
    command = cmds[name](config)
    print 'running: ' + name
    errstr = ''
    try:
        calc = command.calculate()
        command.render_sqlite(config.OUTPUT_FILE, calc)
        #AddColumn(config.OUTPUT_FILE, name, 'profile', config.PROFILE)
    except Exception as err:
        print name + ': ' + err.message
        errstr = err.message
    finally:
        result = {name:errstr}
        queue.put(result)
        #queue.put(name)
    return
Esempio n. 17
0
    def _init_volatility(self):
        #import sys
        # for mod in sys.modules.keys():
        #    if 'parse' in mod:
        #        del sys.modules[mod]
        #        print "deleted",mod
        #import sys
        # if len(sys.argv) > 3:
        #    #sys.args=[sys.args[3]]
        #    sys.argv=[sys.argv[0],'-f',sys.argv[3]]
        # print 'after modif',sys.argv
        import volatility.conf as conf
        import volatility.registry as registry
        registry.PluginImporter()
        config = conf.ConfObject()
        import volatility.commands as commands
        import volatility.addrspace as addrspace
        import volatility.utils as volutils
        registry.register_global_options(config, commands.Command)
        registry.register_global_options(config, addrspace.BaseAddressSpace)
        # Dying because it cannot parse argv options
        # apparently, it was not required to parse options. hey.
        # config.parse_options()
        #addr_space = volutils.load_as(config,astype = 'any')
        #print config.PROFILE
        #import code
        #code.interact(local=locals())
        config.PROFILE = self.profile
        #_target_platform.LOCATION = "file:///media/memory/private/image.dmp"
        config.LOCATION = "file://%s" % self.imgname
        config.PID = str(self.pid)

        self.config = config

        import volatility.plugins.vadinfo as vadinfo

        command = vadinfo.VADWalk(config)
        command.render_text = partial(my_render_text, self, command)
        command.execute()
Esempio n. 18
0
def init_volatility():
    import volatility.conf as volconf
    import volatility.registry as registry
    import volatility.commands as commands
    import volatility.addrspace as addrspace

    if hasattr(volconf, "PyREBoxVolatility"):
        registry.PluginImporter()
        vol_config = volconf.ConfObject()
        registry.register_global_options(vol_config, commands.Command)
        registry.register_global_options(vol_config, addrspace.BaseAddressSpace)
        vol_config.PROFILE = conf_m.vol_profile

        # Set global volatility configuration
        conf_m.vol_conf = vol_config
        return True
    else:
        pp_error("""The imported volatility version is not appropriate for PyREBox:
    * Your local volatility installation may be in conflict with PyREBox's volatility installation...
      ... set up a virtual env to avoid the conflict (see installation instructions).
    * You have a virtual env for PyREBox's python dependencies, and you forgot to activate it!
      ... you know what to do!\n""")
        return False
Esempio n. 19
0
    def _init_volatility(self):
        #import sys
        # for mod in sys.modules.keys():
        #    if 'parse' in mod:
        #        del sys.modules[mod]
        #        print "deleted",mod
        #import sys
        # if len(sys.argv) > 3:
        #    #sys.args=[sys.args[3]]
        #    sys.argv=[sys.argv[0],'-f',sys.argv[3]]
        # print 'after modif',sys.argv
        import volatility.conf as conf
        import volatility.registry as registry
        registry.PluginImporter()
        config = conf.ConfObject()
        import volatility.commands as commands
        import volatility.addrspace as addrspace
        registry.register_global_options(config, commands.Command)
        registry.register_global_options(config, addrspace.BaseAddressSpace)
        config.parse_options()
        config.PROFILE = self.profile
        #_target_platform.LOCATION = "file:///media/memory/private/image.dmp"
        config.LOCATION = "file://%s" % self.imgname
        config.PID = str(self.pid)

        self.config = config

        import volatility.plugins.vadinfo as vadinfo

        #import code
        #print _target_platform.__dict__
        # code.interact(local=locals())

        command = vadinfo.VADWalk(config)
        command.render_text = partial(my_render_text, self, command)
        command.execute()
Esempio n. 20
0
    def init_config(self):
        """Creates a volatility configuration."""
        if self.config is not None and self.addr_space is not None:
            return

        if not self.osprofile:
            raise CuckooOperationalError(
                "Can't continue to process the VM memory dump if no OS "
                "profile has been defined for it. One may define its OS "
                "profile using the 'osprofile' field for the VM in its "
                "machinery configuration or set a global default using "
                "'guest_profile' in memory.conf"
            )

        if self.osprofile not in self.profiles:
            raise CuckooOperationalError(
                "The profile '%s' does not exist! Please pick one of the "
                "following profiles for your VMs: %s" %
                (self.osprofile, ", ".join(sorted(self.profiles)))
            )

        self.config = conf.ConfObject()
        self.config.optparser.set_conflict_handler("resolve")
        registry.register_global_options(self.config, commands.Command)

        base_conf = {
            "profile": self.osprofile,
            "use_old_as": None,
            "kdbg": None,
            "help": False,
            "kpcr": None,
            "tz": None,
            "pid": None,
            "output_file": None,
            "physical_offset": None,
            "conf_file": None,
            "dtb": None,
            "output": None,
            "info": None,
            "location": "file://%s" % self.memdump,
            "plugins": None,
            "debug": None,
            "cache_dtb": True,
            "filename": None,
            "cache_directory": None,
            "verbose": None,
            "write": False
        }

        for key, value in base_conf.items():
            self.config.update(key, value)

        # Deal with Volatility support for KVM/qemu memory dump.
        # See: #464.
        try:
            self.addr_space = utils.load_as(self.config)
        except exc.AddrSpaceError as e:
            if self.get_dtb():
                self.addr_space = utils.load_as(self.config)
            elif "No suitable address space mapping found" in e.message:
                raise CuckooOperationalError(
                    "An incorrect OS has been specified for this machine! "
                    "Please provide the correct one or Cuckoo won't be able "
                    "to provide Volatility-based results for analyses with "
                    "this VM."
                )
            else:
                raise

        self.plugins = (
            registry.get_plugin_classes(commands.Command, lower=True)
        )
Esempio n. 21
0
def main():

    # Get the version information on every output from the beginning
    # Exceptionally useful for debugging/telling people what's going on
    sys.stderr.write("Volatility Foundation Volatility Framework {0}\n".format(constants.VERSION))
    sys.stderr.flush()

    # Setup the debugging format
    debug.setup()
    # Load up modules in case they set config options
    registry.PluginImporter()

    ## Register all register_options for the various classes
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    registry.register_global_options(config, commands.Command)

    if config.INFO:
        print_info()
        sys.exit(0)

    ## Parse all the options now
    config.parse_options(False)
    # Reset the logging level now we know whether debug is set or not
    debug.setup(config.DEBUG)

    module = None
    ## Try to find the first thing that looks like a module name
    cmds = registry.get_plugin_classes(commands.Command, lower = True)
    for m in config.args:
        if m in cmds.keys():
            module = m
            break

    if not module:
        config.parse_options()
        debug.error("You must specify something to do (try -h)")

    try:
        if module in cmds.keys():
            command = cmds[module](config)
            import traceback
            ## Register the help cb from the command itself
            config.set_help_hook(obj.Curry(command_help, command))
            config.parse_options()
            if config.XENDOMAIN:
                conn = libvirt.open("xen:///")
                if conn == None:
                    debug.error("Failed to open connection to the hypervisor")
                try:
                    dom = conn.lookupByName(config.XENDOMAIN)
                    if dom == None:
                        debug.error("Cannot find guest to be dumped")
                    print "Domain: id %d running %s" % (dom.ID(), dom.OSType())
                    filepath = "/tmp/" + config.XENDOMAIN
                    os.remove(filepath) if os.path.exists(filepath) else None
                    snapshot = False
                    if snapshot:
                        if dom.save(filepath) < 0:
                            debug.error("Unable save guest to %s" % filepath)
                        print "Chosen guest saved to %s" % filepath
                        id = conn.restore(filepath) 
                        if id < 0:
                            debug.error('Unable to restore chosen guest from file %s' % filepath)
                        dom = conn.lookupByName(config.XENDOMAIN)
                        if dom == None:
                            debug.error("Domain wasn't restored from file %s" % filepath)
                        print "Guest memory snapshot complete! Location: %s" % filepath
                    else:
                        if dom.coreDump(filepath, flags = libvirt.VIR_DUMP_LIVE) < 0:
                            debug.error("Unable to dump guest")
                        print "Chosen guest dumped to %s" % filepath
                        if dom == None:
                            debug.error("Domain crashed!")
                        print "Guest memory dump complete! Location: %s" % filepath
                    conn.close()
                    config.LOCATION = "file://" + filepath
                except:
                    print traceback.format_exc()
                    debug.error("Failed to find domain")
            if not config.LOCATION and not config.XENDOMAIN:
                debug.error("Please specify filename (-f) or XEN domain (-x)")

            command.execute()
    except exceptions.VolatilityException, e:
        print e
Esempio n. 22
0
    for row in rows:
      print format % tuple(row)

# imports
from filecmp import dircmp
import volatility.conf as conf
import volatility.registry as registry
import volatility.commands as commands
import volatility.addrspace as addrspace
import volatility.utils as utils
import volatility.plugins.linux as linux

# load up some pseudo data
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)

# default config 
base_conf = {'profile': 'LinuxUbuntu1404x64', 
    'use_old_as': None, 
    'kdbg': None, 
    'help': False, 
    'kpcr': None, 
    'tz': None, 
    'pid': None, 
    'output_file': None, 
    'physical_offset': None, 
    'conf_file': None, 
    'dtb': None, 
    'output': None, 
Esempio n. 23
0
def main(argv=None):
    setupLogging("admemanalysis.log", logging.INFO)
    registry.PluginImporter()
    config = conf.ConfObject()
    config.add_option('OUTPUT-PATH',
                      default=None,
                      help='Where to create output files',
                      action='store',
                      type='str')
    config.process_id = None
    registry.register_global_options(config, commands.Command)
    registry.register_global_options(config, addrspace.BaseAddressSpace)

    if not os.path.isfile("inputdata.json"):
        raise NameError("Input file(inputdata.json) was not found")
    data = None

    with open("inputdata.json") as data_file:
        data = json.load(data_file)
    operations = data['operationdata']

    sys.argv.append("-f")
    sys.argv.append(data["filestreamtoanalyze"])
    sys.argv.append("--profile")
    profile = data["profiletypename"] or ProfileGeneratorClass().GetProfile()
    logging.info('profile detected is {0}'.format(profile))
    sys.argv.append(profile)

    output_path = data.get('outputpath') or ''
    yrd = data.get('yararulesdirectory') or ''

    config.parse_options(False)
    sys.argv.append("--output-path")
    sys.argv.append(output_path)

    if os.path.isfile("kdcopydatablock.txt"):
        with open("kdcopydatablock.txt") as kdfile:
            kddata = kdfile.readline()
            logging.debug('read from file %s', kddata)
            sys.argv.append("--kdbg")
            sys.argv.append(kddata)

    config.parse_options()

    if utils.getConfigValue(operations, 'process') == True:
        adprocessesfactory.ADProcesses().execute(operations, config, yrd)

    if utils.getConfigValue(operations, 'drivers') == True:
        addriveranddevicefactory.DriverDeviceScan().execute(config)

    if utils.getConfigValue(operations, 'modules') == True:
        adkernelmodulesfactory.ADKernelModules().execute(config)

    if utils.getConfigValue(operations, 'sdts') == True:
        adsdtfactory.ADSdtGenerator().execute(config)

    if utils.getConfigValue(operations, 'idt') == True:
        processors = kpcr.doProcessors(config)
        f = open(config.OUTPUT_PATH + 'processors.xml', 'w')
        #f.write(processors.SerializeToString())
        f.write(proto2xml(processors, indent=0))

    if utils.getConfigValue(operations, 'registry') == True:
        adregistryfactory.ADRegistryExtractor().execute(config)
Esempio n. 24
0
# basic recreation of the connections 
# command using Volatility Framework 
# as a Library

import volatility.conf as conf
import volatility.registry as registry
import volatility.commands as commands
import volatility.win32.network as network
import volatility.utils as utils

# configure volatility
registry.PluginImporter()
config = conf.ConfObject()
registry.register_global_options(config, commands.Command)
the_file = "file:///winxpsp3_analysis_img.bin"

# default config (note my .volatilityrc is missing some values, 
# so I just used pdb to figure out which values needed setting

base_conf = {'profile': 'WinXPSP3x86', 
    'use_old_as': None, 
    'kdbg': None, 
    'help': False, 
    'kpcr': None, 
    'tz': None, 
    'pid': None, 
    'output_file': None, 
    'physical_offset': None, 
    'conf_file': None, 
    'dtb': None, 
    'output': None, 
Esempio n. 25
0
    def __init__(self, data_buffer_in,
                             data_condition_in, src,
                             filepath, profile, memcache):

        Input.__init__(self, data_buffer_in,
                                   data_condition_in,
                                   src)

        self.name = 'Input Volatility'
        self.module_id = Module.INPUT_VOLATILITY
        self.machineguid = ""
        self.memcache = memcache

        if self.memcache:
            self.console_print("Memcache is:" + self.memcache)
            # WE CHECK IF THIS MEMORY HAS CACHE
            cache_process = self.memcache+"_"+"process"
            cache = False
            if os.path.exists(cache_process):
                with open (cache_process, 'r') as outfile:
                    vprocess = json.load(outfile)
                    cache = True
                    outfile.close()
            cache_threads = self.memcache+"_"+"threads"
            if os.path.exists(cache_threads):
                with open (cache_threads, 'r') as outfile:
                    vthreads = json.load(outfile)
                    #cache = True
                    outfile.close()
            cache_vads = self.memcache+"_"+"vads"
            if os.path.exists(cache_vads):
                with open (cache_vads, 'r') as outfile:
                    vvads = json.load(outfile)
                    #cache = True
                    outfile.close()
            cache_tokens = self.memcache+"_"+"tokens"
            if os.path.exists(cache_tokens):
                with open (cache_tokens, 'r') as outfile:
                    vtokens = json.load(outfile)
                    #cache = True
                    outfile.close()
            if cache:
                self.console_print("Using process cache file: "+cache_process)
                self.console_print("Using threads cache file: "+cache_threads)
                self.console_print("Using vads cache file: "+cache_vads)
                self.console_print("Using tokens cache file: "+cache_tokens)
                self.send_message(vprocess)
                self.send_message(vthreads)
                self.send_message(vvads)
                self.send_message(vtokens)
                self.terminate()
                sys.exit(0)
            else:
                self.console_print("Memcache is not found")
                sys.exit(0)


        self.console_print("Starting INPUT VOLATILITY analysis")
        # Relative Path
        filepath2 = ""
        if filepath.find(":\\") == -1:
            filepath2 = os.getcwd()+"\\"+filepath
            self.filepath = filepath2
            filepath = "file:///" + filepath2
        else:
        # Absolute path
            self.filepath = filepath
            filepath = "file:///" + filepath

        self._config = conf.ConfObject()
        self._config.PROFILE = profile
        self._config.LOCATION = filepath
        self._config.hive_offset = None
        self._config.HIVE_OFFSET = None


        registry.PluginImporter()
        registry.register_global_options(self._config, commands.Command)
        registry.register_global_options(self._config, addrspace.BaseAddressSpace)
Esempio n. 26
0
def main():

    # Get the version information on every output from the beginning
    # Exceptionally useful for debugging/telling people what's going on
    sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))
    sys.stderr.flush()

    # Setup the debugging format
    debug.setup()
    # Load up modules in case they set config options
    registry.PluginImporter()

    ## Register all register_options for the various classes
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    registry.register_global_options(config, commands.Command)

    if config.INFO:
        print_info()
        sys.exit(0)

    ## Parse all the options now
    config.parse_options(False)
    # Reset the logging level now we know whether debug is set or not
    debug.setup(config.DEBUG)

    module = None
    ## Try to find the first thing that looks like a module name
    cmds = registry.get_plugin_classes(commands.Command, lower = True)
    for m in config.args:
        if m in cmds.keys():
            module = m
            break



    if not module:
        config.parse_options()
        debug.error("You must specify something to do (try -h)")

    try:
        if module in cmds.keys():
            command = cmds[module](config)

            ## Register the help cb from the command itself
            config.set_help_hook(obj.Curry(command_help, command))
            config.parse_options()

            if not config.LOCATION and not config.GDB:
                debug.error("Please specify a location (-l) or filename (-f)")

            # from pprint import pprint

            # print "g_dict"
            # pprint(config.g_dict)
            # print "cnf_opts"
            # pprint(config.cnf_opts) 
            # print "opts"
            # pprint(config.opts)
            # print "args"
            # pprint(config.args)
            # print "default_opts"
            # pprint(config.default_opts)
            # print "docstrings"
            # pprint(config.docstrings)
            # print "optparse_opts"
            # pprint(config.optparse_opts)
            # print "_filename"
            # pprint(config._filename)
            # print "_filenames"
            # pprint(config._filenames)
            # print "readonly"
            # pprint(config.readonly)
            # print "_absolute"
            # pprint(config._absolute)
            # print "options"
            # pprint(config.options)



            command.execute()
    except exceptions.VolatilityException, e:
        print e
Esempio n. 27
0
sc_fd = open("cmeasure.bin","rb")
sc    = sc_fd.read()
sc_fd.close()

sys.path.append("/Users/justin/Downloads/volatility-2.3.1")

import volatility.conf as conf
import volatility.registry as registry

registry.PluginImporter()
config = conf.ConfObject()

import volatility.commands as commands
import volatility.addrspace as addrspace

registry.register_global_options(config, commands.Command)
registry.register_global_options(config, addrspace.BaseAddressSpace)

config.parse_options()
config.PROFILE = "WinXPSP2x86"
config.LOCATION = "file://%s" % memory_file

import volatility.plugins.taskmods as taskmods

p = taskmods.PSList(config)

for process in p.calculate():

    if str(process.ImageFileName) == "calc.exe":

        print "[*] Found calc.exe with PID %d" % process.UniqueProcessId