def run(self): automagics = automagic.choose_automagic( automagic.available(self._context), netscan.NetScan) plugin_netscan = plugins.construct_plugin(self.context, automagics, netscan.NetScan, self.config_path, self._progress_callback, self._file_consumer) output_netscan = plugin_netscan._generator() filter_func = pslist.PsList.create_pid_filter( [self.config.get('pid', None)]) automagics = automagic.choose_automagic( automagic.available(self._context), malfind.Malfind) plugin_malfind = plugins.construct_plugin(self.context, automagics, malfind.Malfind, self.config_path, self._progress_callback, self._file_consumer) output_malfind = plugin_malfind._generator( pslist.PsList.list_processes( context=self.context, layer_name=self.config['primary'], symbol_table=self.config['nt_symbols'], filter_func=filter_func)) malfind_pids = [] for row in output_malfind: _depth, row_data = row row_data = [ "N/A" if isinstance(i, renderers.UnreadableValue) or isinstance(i, renderers.UnparsableValue) else i for i in row_data ] malfind_pids.append(int(row_data[0])) filter_func = pslist.PsList.create_pid_filter(malfind_pids) return renderers.TreeGrid( [("PID", int), ("PPID", int), ("Process", str), ("Name", str), ("Path", str), ("PEHeader", str), ("MD5", str), ("VirusTotal", str), ("LocalAddr", str), ("ForeignAddr", str), ("State", str), ("SuspiciousIP", str)], self._generator( pslist.PsList.list_processes( context=self.context, layer_name=self.config['primary'], symbol_table=self.config['nt_symbols'], filter_func=filter_func), output_netscan))
def generate_treegrid(self, plugin: Type[interfaces.plugins.PluginInterface], **kwargs) -> interfaces.renderers.TreeGrid: """Generates a TreeGrid based on a specific plugin passing in kwarg configuration values""" path_join = interfaces.configuration.path_join # Generate a temporary configuration path plugin_config_suffix = ''.join( random.choice(string.ascii_uppercase + string.digits) for _ in range(32)) plugin_path = path_join(self.config_path, plugin_config_suffix) # Populate the configuration for name, value in kwargs.items(): self.config[path_join(plugin_config_suffix, plugin.__name__, name)] = value try: constructed = plugins.construct_plugin(self.context, [], plugin, plugin_path, None, NullFileConsumer()) return constructed.run() except exceptions.UnsatisfiedException as excp: print("Unable to validate the plugin requirements: {}\n".format( [x for x in excp.unsatisfied]))
def extract_syscall_table(self, event): ctx = event.context automagics = event.automagics plugin_list = event.plugin_list self.logger.info('Extracting the NT syscall table') try: plugin = plugin_list['windows.ssdt.SSDT'] except KeyError as e: raise RuntimeError("Plugin not found") from e automagics = automagic.choose_automagic(automagics, plugin) constructed = plugins.construct_plugin(ctx, automagics, plugin, BASE_CONFIG_PATH, None, None) treegrid = constructed.run() renderer = JsonRenderer() renderer.render(treegrid) result = renderer.get_result() sdt = self.parse_ssdt_output(result) if self.neo4j_enabled: self.insert_neo4j_db(sdt) if self.debug: # print syscalls on debug output for table_name, table in sdt.items(): self.logger.debug('Displaying table %s', table_name) for syscall in table: self.logger.debug('[%s]: %s %s', syscall['Index'], syscall['Symbol'], hex(syscall['Address']))
def configure_plugin(self, plugin_name, **kwargs): """Configure and return a plugin Args: plugin_name: name of the plugin to configure, as a string. **kwargs: configuration options passed to the plugin Returns: The instantiated and configure volatility plugin. """ plugin = self.plugins[plugin_name] # Set arguments for key, value in kwargs.items(): config_path = path_join("plugins", plugin.__name__, key) self.vol_ctx.config[config_path] = value # Filter automagics available_automagics = automagic.available(self.vol_ctx) automagics = automagic.choose_automagic(available_automagics, plugin) # Instantiate the plugin return volplugins.construct_plugin( self.vol_ctx, automagics, plugin, "plugins", MuteProgress(), FileHandlerInterface, )
def run(self): automagics = automagic.choose_automagic( automagic.available(self._context), malfind.Malfind) plugin_malfind = plugins.construct_plugin(self.context, automagics, malfind.Malfind, self.config_path, self._progress_callback, self._file_consumer) output_malfind = plugin_malfind._generator( pslist.PsList.list_processes( context=self.context, layer_name=self.config['primary'], symbol_table=self.config['nt_symbols'])) malfind_pids = [] for row in output_malfind: _depth, row_data = row row_data = [ "N/A" if isinstance(i, renderers.UnreadableValue) or isinstance(i, renderers.UnparsableValue) else i for i in row_data ] malfind_pids.append(str(row_data[0])) return renderers.TreeGrid([("Offset", str), ("EventID", str), ("Valid", str), ("Time", datetime.datetime), ("PID", str), ("ThreadID", str), ("EventRecordID", str), ("Channel", str), ("Provider", str), ("Sec-UserID", str), ("Data", str)], self._generator(show_corrupt_results=True, pids=malfind_pids))
def run(self): """Isolate each plugin and run it.""" # Use all the plugins if there's no filter self.usable_plugins = self.usable_plugins or self.get_usable_plugins() self.automagics = self.automagics or automagic.available(self._context) plugins_to_run = [] filter_list = self.config['plugin-filter'] # Identify plugins that we can run which output datetimes for plugin_class in self.usable_plugins: try: automagics = automagic.choose_automagic( self.automagics, plugin_class) plugin = plugins.construct_plugin(self.context, automagics, plugin_class, self.config_path, self._progress_callback, self._file_consumer) if isinstance(plugin, TimeLinerInterface): if not len(filter_list) or any([ filter in plugin.__module__ + '.' + plugin.__class__.__name__ for filter in filter_list ]): plugins_to_run.append(plugin) except exceptions.UnsatisfiedException as excp: # Remove the failed plugin from the list and continue vollog.debug("Unable to satisfy {}: {}".format( plugin_class.__name__, excp.unsatisfied)) continue if self.config.get('record-config', False): total_config = {} for plugin in plugins_to_run: old_dict = dict(plugin.build_configuration()) for entry in old_dict: total_config[interfaces.configuration.path_join( plugin.__class__.__name__, entry)] = old_dict[entry] filedata = interfaces.plugins.FileInterface("config.json") with io.TextIOWrapper(filedata.data, write_through=True) as fp: json.dump(total_config, fp, sort_keys=True, indent=2) self.produce_file(filedata) return renderers.TreeGrid(columns=[ ("Plugin", str), ("Description", str), ("Created Date", datetime.datetime), ("Modified Date", datetime.datetime), ("Accessed Date", datetime.datetime), ("Changed Date", datetime.datetime) ], generator=self._generator(plugins_to_run))
def extract_process_list(self, event): ctx = event.context automagics = event.automagics plugin_list = event.plugin_list self.logger.info('Extracting the process list') try: plugin = plugin_list['windows.pslist.PsList'] except KeyError as e: raise RuntimeError("Plugin not found") from e automagics = automagic.choose_automagic(automagics, plugin) constructed = plugins.construct_plugin(ctx, automagics, plugin, BASE_CONFIG_PATH, None, None) treegrid = constructed.run() renderer = JsonRenderer() renderer.render(treegrid) result = renderer.get_result() processes = self.parse_plugin_output(result) if self.neo4j_enabled: self.insert_neo4j_db(processes) else: # print them on debug output for p in processes: self.logger.debug(p)
def run(self): automagics = automagic.choose_automagic( automagic.available(self._context), netscan.NetScan) plugin_netscan = plugins.construct_plugin(self.context, automagics, netscan.NetScan, self.config_path, self._progress_callback, self._file_consumer) output_netscan = plugin_netscan._generator() filter_func = pslist.PsList.create_pid_filter( [self.config.get('pid', None)]) return renderers.TreeGrid( [("PID", int), ("PPID", int), ("Process", str), ("Name", str), ("Path", str), ("LocalAddr", str), ("ForeignAddr", str), ("State", str), ("SuspiciousIP", str)], self._generator( pslist.PsList.list_processes( context=self.context, layer_name=self.config['primary'], symbol_table=self.config['nt_symbols'], filter_func=filter_func), output_netscan))
pluginname = str(config["plugin"]["value"]) filename = str(config["location"]["file"]) framework.import_files(volatility.plugins, True) renderers = dict([ (x.name.lower(), x) for x in framework.class_subclasses(text_renderer.CLIRenderer) ]) ctx = contexts.Context() single_location = "file:" + request.pathname2url(filename) ctx.config['automagic.LayerStacker.single_location'] = single_location automagics = automagic.available(ctx) plugin_list = framework.list_plugins() plugin = plugin_list[pluginname] automagics = automagic.choose_automagic(automagics, plugin) if ctx.config.get('automagic.LayerStacker.stackers', None) is None: ctx.config['automagic.LayerStacker.stackers'] = stacker.choose_os_stackers( plugin) base_config_path = "plugins" plugin_config_path = interfaces.configuration.path_join( base_config_path, plugin.__name__) progress_callback = volatility.cli.MuteProgress() constructed = plugins.construct_plugin(ctx, automagics, plugin, base_config_path, progress_callback, volatility.cli) renderers["syslog"]().render(constructed.run())