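def main():
    """Command-line entry point for the Volatility framework.

    Writes the framework version to stderr, sets up debugging, imports the
    plugin registry and registers global options.  With ``--info`` it prints
    the info listing and exits; otherwise it takes the first positional
    argument that names a registered command, parses the remaining options
    and runs that command.  A ``VolatilityException`` raised while doing so
    is printed rather than propagated.
    """
    # Get the version information on every output from the beginning
    # Exceptionally useful for debugging/telling people what's going on
    sys.stderr.write(
        "Volatility Foundation Volatility Framework {0}\n".format(
            constants.VERSION
        )
    )
    sys.stderr.flush()

    # Setup the debugging format
    debug.setup()
    # Load up modules in case they set config options
    registry.PluginImporter()

    ## Register all register_options for the various classes
    registry.register_global_options(config, addrspace.BaseAddressSpace)
    registry.register_global_options(config, commands.Command)

    if config.INFO:
        print_info()
        sys.exit(0)

    ## Parse all the options now
    config.parse_options(False)
    # Reset the logging level now we know whether debug is set or not
    debug.setup(config.DEBUG)

    ## Try to find the first thing that looks like a module name
    cmds = registry.get_plugin_classes(commands.Command, lower=True)
    # Membership on the mapping itself is O(1); rebuilding list(cmds.keys())
    # for every argument was an O(n) scan plus an allocation per iteration.
    module = next((m for m in config.args if m in cmds), None)

    if not module:
        config.parse_options()
        debug.error("You must specify something to do (try -h)")

    try:
        if module in cmds:
            command = cmds[module](config)
            ## Register the help cb from the command itself
            config.set_help_hook(obj.Curry(command_help, command))
            config.parse_options()
            if not config.LOCATION:
                debug.error("Please specify a location (-l) or filename (-f)")
            command.execute()
    except exceptions.VolatilityException as e:
        print(e)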
def determine_connections(addr_space):
    """Determines all connections for each module.

    For every module returned by ``win32.modules.lsmod`` whose base name is
    ``tcpip.sys``, reads the TCB table size and address at the offsets given
    by the profile-appropriate ``module_versions_*`` table and yields each
    ``_TCPT_OBJECT`` reachable from a table slot by following ``Next``.
    Traversal of a chain stops at an invalid object or at an offset already
    visited within that chain.
    """
    kernel_modules = win32.modules.lsmod(addr_space)
    metadata = addr_space.profile.metadata
    os_version = (metadata.get('major', 0), metadata.get('minor', 0))
    # Profiles at or below 5.1 use the XP offsets, anything newer the 2003 set.
    offsets_by_build = (
        module_versions_xp if os_version <= (5, 1) else module_versions_2003
    )

    for kmod in kernel_modules:
        if str(kmod.BaseDllName).lower() != 'tcpip.sys':
            continue
        base = kmod.DllBase
        for _build, offsets in offsets_by_build.items():
            table_size = obj.Object(
                "long",
                offset=base + offsets['SizeOff'][0],
                vm=addr_space,
            )
            table_addr = obj.Object(
                "address",
                offset=base + offsets['TCBTableOff'][0],
                vm=addr_space,
            )
            # NOTE(review): only the lower bound is checked here; the sibling
            # socket walker also caps the count, which protects against a
            # corrupt or hostile image reporting a huge table — confirm
            # whether a similar cap is wanted here.
            if not (table_size > 0):
                continue
            table = obj.Object(
                "Array",
                offset=table_addr,
                vm=addr_space,
                count=table_size,
                target=obj.Curry(obj.Pointer, '_TCPT_OBJECT'),
            )
            if not table:
                continue
            for slot in table:
                # The visited set is per chain, so a cycle in one chain cannot
                # loop forever; objects shared across chains may repeat.
                visited = set()
                conn = slot.dereference()
                while conn.is_valid() and conn.obj_offset not in visited:
                    yield conn
                    visited.add(conn.obj_offset)
                    conn = conn.Next.dereference()
def determine_sockets(addr_space):
    """Determines all sockets for each module.

    For every module returned by ``win32.modules.lsmod`` whose base name is
    ``tcpip.sys``, reads the address-object table size and address at the
    offsets given by the profile-appropriate ``module_versions_*`` table and
    yields each ``_ADDRESS_OBJECT`` reachable from a table slot by following
    ``Next``.  The table is only walked when its reported size lies strictly
    between 0 and ``MAX_SOCKETS``; chain traversal stops at an invalid object
    or at an offset already visited within that chain.
    """
    kernel_modules = win32.modules.lsmod(addr_space)
    metadata = addr_space.profile.metadata
    major = metadata.get('major', 0)
    minor = metadata.get('minor', 0)
    # NOTE(review): compares the integer major version against the float 5.1
    # and additionally requires minor == 1, so only a 5.1 profile selects the
    # XP offsets; the connection walker uses a (major, minor) tuple compare
    # instead — confirm which selection is intended for older profiles.
    if major <= 5.1 and minor == 1:
        offsets_by_build = module_versions_xp
    else:
        offsets_by_build = module_versions_2003

    for kmod in kernel_modules:
        if str(kmod.BaseDllName).lower() != 'tcpip.sys':
            continue
        base = kmod.DllBase
        for _build, offsets in offsets_by_build.items():
            table_size = obj.Object(
                "unsigned long",
                offset=base + offsets['AddrObjTableSizeOffset'][0],
                vm=addr_space,
            )
            table_addr = obj.Object(
                "address",
                offset=base + offsets['AddrObjTableOffset'][0],
                vm=addr_space,
            )
            # Sanity-cap the count read from the image so a corrupt value
            # cannot drive an enormous walk.
            count = int(table_size)
            if not (0 < count < MAX_SOCKETS):
                continue
            table = obj.Object(
                "Array",
                offset=table_addr,
                vm=addr_space,
                count=table_size,
                target=obj.Curry(obj.Pointer, "_ADDRESS_OBJECT"),
            )
            if not table:
                continue
            for slot in table:
                # The visited set is per chain, so a cycle in one chain cannot
                # loop forever; objects shared across chains may repeat.
                visited = set()
                sock = slot.dereference()
                while sock.is_valid() and sock.obj_offset not in visited:
                    yield sock
                    visited.add(sock.obj_offset)
                    sock = sock.Next.dereference()
'MFT_FILE_RECORD': [ 0x400, { 'Signature': [ 0x0, ['unsigned int']], 'FixupArrayOffset': [ 0x4, ['unsigned short']], 'NumFixupEntries': [ 0x6, ['unsigned short']], 'LSN': [ 0x8, ['unsigned long long']], 'SequenceValue': [ 0x10, ['unsigned short']], 'LinkCount': [ 0x12, ['unsigned short']], 'FirstAttributeOffset': [0x14, ['unsigned short']], 'Flags': [0x16, ['unsigned short']], 'EntryUsedSize': [0x18, ['int']], 'EntryAllocatedSize': [0x1c, ['unsigned int']], 'FileRefBaseRecord': [0x20, ['unsigned long long']], 'NextAttributeID': [0x28, ['unsigned short']], 'RecordNumber': [0x2c, ['unsigned long']], 'FixupArray': lambda x: obj.Object("Array", offset = x.obj_offset + x.FixupArrayOffset, count = x.NumFixupEntries, vm = x.obj_vm, target = obj.Curry(obj.Object, "unsigned short")), 'ResidentAttributes': lambda x : obj.Object("RESIDENT_ATTRIBUTE", offset = x.obj_offset + x.FirstAttributeOffset, vm = x.obj_vm), 'NonResidentAttributes': lambda x : obj.Object("NON_RESIDENT_ATTRIBUTE", offset = x.obj_offset + x.FirstAttributeOffset, vm = x.obj_vm), }], 'ATTRIBUTE_HEADER': [ 0x10, { 'Type': [0x0, ['int']], 'Length': [0x4, ['int']], 'NonResidentFlag': [0x8, ['unsigned char']], 'NameLength': [0x9, ['unsigned char']], 'NameOffset': [0xa, ['unsigned short']], 'Flags': [0xc, ['unsigned short']], 'AttributeID': [0xe, ['unsigned short']], }], 'RESIDENT_ATTRIBUTE': [0x16, {