def get_requirements(cls):
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.IntRequirement(
name='pid',
description=
"Process ID to include (all other processes are excluded)",
optional=True),
requirements.StringRequirement(
name="imphash",
description="Search single imphash value",
optional=True),
requirements.StringRequirement(
name="imphashlist",
description="Search imphash list file",
optional=True),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(2, 0, 0)),
requirements.PluginRequirement(name='vadinfo',
plugin=vadinfo.VadInfo,
version=(2, 0, 0)),
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = "Memory layer for the kernel",
architectures = ["Intel32", "Intel64"]),
requirements.BooleanRequirement(name = "insensitive",
description = "Makes the search case insensitive",
default = False,
optional = True),
requirements.BooleanRequirement(name = "wide",
description = "Match wide (unicode) strings",
default = False,
optional = True),
requirements.StringRequirement(name = "yara_rules",
description = "Yara rules (as a string)",
optional = True),
requirements.URIRequirement(name = "yara_file", description = "Yara rules (as a file)", optional = True),
# This additional requirement is to follow suit with upstream, who feel that compiled rules could potentially be used to execute malicious code
# As such, there's a separate option to run compiled files, as happened with yara-3.9 and later
requirements.URIRequirement(name = "yara_compiled_file",
description = "Yara compiled rules (as a file)",
optional = True),
requirements.IntRequirement(name = "max_size",
default = 0x40000000,
description = "Set the maximum size (default is 1GB)",
optional = True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.StringRequirement(
name='plugins',
description="Comma separated list of plugins to run",
optional=True,
default=None),
requirements.BooleanRequirement(
name='record-config',
description=
"Whether to record the state of all the plugins once complete",
optional=True,
default=False),
requirements.ListRequirement(
name='plugin-filter',
description="Only run plugins featuring this substring",
element_type=str,
optional=True,
default=[]),
requirements.BooleanRequirement(
name='create-bodyfile',
description=
"Whether to create a body file whilst producing results",
optional=True,
default=False)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.PluginRequirement(name='hivelist',
plugin=hivelist.HiveList,
version=(1, 0, 0)),
requirements.IntRequirement(name='offset',
description="Hive Offset",
default=None,
optional=True),
requirements.StringRequirement(name='key',
description="Key to start from",
default=None,
optional=True),
requirements.BooleanRequirement(
name='recurse',
description='Recurses through keys',
default=False,
optional=True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description="Memory layer for the kernel",
architectures=["Intel32", "Intel64"]),
requirements.BooleanRequirement(
name="insensitive",
description="Makes the search case insensitive",
default=False,
optional=True),
requirements.BooleanRequirement(
name="wide",
description="Match wide (unicode) strings",
default=False,
optional=True),
requirements.StringRequirement(
name="yara_rules",
description="Yara rules (as a string)",
optional=True),
requirements.URIRequirement(name="yara_file",
description="Yara rules (as a file)",
optional=True),
requirements.IntRequirement(
name="max_size",
default=0x40000000,
description="Set the maximum size (default is 1GB)",
optional=True)
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(name = 'memory_layer', optional = False),
requirements.LayerListRequirement(name = 'swap_layers', optional = True),
requirements.IntRequirement(name = 'page_map_offset', optional = False),
requirements.IntRequirement(name = 'kernel_virtual_offset', optional = True),
requirements.StringRequirement(name = 'kernel_banner', optional = True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return super().get_requirements() + [
requirements.StringRequirement(
"isf_url",
description=
"JSON file containing the symbols encoded in the Intermediate Symbol Format"
),
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
requirements.StringRequirement(name = 'tags',
description = "Comma separated list of pool tags to filter pools returned",
optional = True,
default = None)
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.ModuleRequirement(name = 'kernel', description = 'Windows kernel',
architectures = ["Intel32", "Intel64"]),
requirements.StringRequirement(name = 'filter',
description = "String to filter hive names returned",
optional = True,
default = None),
requirements.PluginRequirement(name = 'hivescan', plugin = hivescan.HiveScan, version = (1, 0, 0)),
requirements.BooleanRequirement(name = 'dump',
description = "Extract listed registry hives",
default = False,
optional = True)
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.ModuleRequirement(name = 'kernel', description = 'Windows kernel',
architectures = ["Intel32", "Intel64"]),
requirements.StringRequirement(name = 'tags',
description = "Comma separated list of pool tags to filter pools returned",
optional = True,
default = None),
requirements.BooleanRequirement(name = 'show-free',
description = 'Show freed regions (otherwise only show allocations in use)',
default = False,
optional = True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.ModuleRequirement(
name='kernel',
description='Windows kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.BooleanRequirement(
name='PARSE_ALL',
description='Parse every directory under the root dir',
optional=True),
requirements.StringRequirement(
name='SUPPLY_ADDR',
description='Parse directories under specific addresses',
optional=True),
requirements.StringRequirement(
name='FULL_PATH',
description='Parse a directory found by full path location',
optional=True),
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.ModuleRequirement(
name='kernel',
description='Windows kernel',
architectures=["Intel32", "Intel64"]),
requirements.StringRequirement(
name='tags',
description=
"Comma separated list of pool tags to filter pools returned",
optional=True,
default=None)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description="Memory layer for the kernel",
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.BooleanRequirement(
name="wide",
description="Match wide (unicode) strings",
default=False,
optional=True),
requirements.StringRequirement(
name="yara_rules",
description="Yara rules (as a string)",
optional=True),
requirements.URIRequirement(name="yara_file",
description="Yara rules (as a file)",
optional=True),
# This additional requirement is to follow suit with upstream, who feel that compiled rules could potentially be used to execute malicious code
# As such, there's a separate option to run compiled files, as happened with yara-3.9 and later
requirements.URIRequirement(
name="yara_compiled_file",
description="Yara compiled rules (as a file)",
optional=True),
requirements.IntRequirement(
name="max_size",
default=0x40000000,
description="Set the maximum size (default is 1GB)",
optional=True),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(2, 0, 0)),
requirements.VersionRequirement(name='yarascanner',
component=yarascan.YaraScanner,
version=(2, 0, 0)),
requirements.ListRequirement(
name='pid',
element_type=int,
description=
"Process IDs to include (all other processes are excluded)",
optional=True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description="Memory layer for the kernel",
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.BooleanRequirement(
name="wide",
description="Match wide (unicode) strings",
default=False,
optional=True),
requirements.StringRequirement(
name="yara_rules",
description="Yara rules (as a string)",
optional=True),
requirements.URIRequirement(name="yara_file",
description="Yara rules (as a file)",
optional=True),
requirements.IntRequirement(
name="max_size",
default=0x40000000,
description="Set the maximum size (default is 1GB)",
optional=True),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(2, 0, 0)),
requirements.VersionRequirement(name='yarascanner',
component=yarascan.YaraScanner,
version=(2, 0, 0)),
requirements.ListRequirement(
name='pid',
element_type=int,
description=
"Process IDs to include (all other processes are excluded)",
optional=True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.StringRequirement(
name='filter',
description="String to filter hive names returned",
optional=True,
default=None),
requirements.PluginRequirement(name='hivescan',
plugin=hivescan.HiveScan,
version=(1, 0, 0)),
requirements.BooleanRequirement(
name='dump',
description="Extract listed registry hives",
default=False,
optional=True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.StringRequirement(name='location', optional=False)
]
