コード例 #1
0
 def get_requirements(
         cls) -> List[interfaces.configuration.RequirementInterface]:
     # Since we're calling the plugin, make sure we have the plugin's requirements
     return [
         requirements.ModuleRequirement(
             name='kernel',
             description='Windows kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.VersionRequirement(name='pslist',
                                         component=pslist.PsList,
                                         version=(2, 0, 0)),
         requirements.VersionRequirement(name='info',
                                         component=info.Info,
                                         version=(1, 0, 0)),
         requirements.ListRequirement(
             name='pid',
             element_type=int,
             description=
             "Process IDs to include (all other processes are excluded)",
             optional=True),
         requirements.BooleanRequirement(name='dump',
                                         description="Extract listed DLLs",
                                         default=False,
                                         optional=True)
     ]
コード例 #2
0
ファイル: layerwriter.py プロジェクト: leohearts/volatility3
 def get_requirements(
         cls) -> List[interfaces.configuration.RequirementInterface]:
     return [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Memory layer for the kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.IntRequirement(
             name='block_size',
             description="Size of blocks to copy over",
             default=cls.default_block_size,
             optional=True),
         requirements.BooleanRequirement(
             name='list',
             description='List available layers',
             default=False,
             optional=True),
         requirements.ListRequirement(
             name='layers',
             element_type=str,
             description=
             'Names of layers to write (defaults to the highest non-mapped layer)',
             default=None,
             optional=True)
     ]
コード例 #3
0
ファイル: psscan.py プロジェクト: michaelmagyar/volatility3
 def get_requirements(cls):
     return [
         requirements.ModuleRequirement(
             name='kernel',
             description='Windows kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.PluginRequirement(name='pslist',
                                        plugin=pslist.PsList,
                                        version=(2, 0, 0)),
         requirements.VersionRequirement(name='info',
                                         component=info.Info,
                                         version=(1, 0, 0)),
         requirements.ListRequirement(
             name='pid',
             element_type=int,
             description=
             "Process ID to include (all other processes are excluded)",
             optional=True),
         requirements.BooleanRequirement(
             name='dump',
             description="Extract listed processes",
             default=False,
             optional=True),
         requirements.BooleanRequirement(
             name='physical',
             description="Display physical offset instead of virtual",
             default=False,
             optional=True)
     ]
コード例 #4
0
 def get_requirements(cls):
     # Since we're calling the plugin, make sure we have the plugin's requirements
     return [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Memory layer for the kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(
             name="nt_symbols", description="Windows kernel symbols"),
         requirements.ListRequirement(
             name='pid',
             element_type=int,
             description=
             "Process IDs to include (all other processes are excluded)",
             optional=True),
         requirements.BooleanRequirement(
             name='dump',
             description="Extract injected VADs",
             default=False,
             optional=True),
         requirements.VersionRequirement(name='pslist',
                                         component=pslist.PsList,
                                         version=(2, 0, 0)),
         requirements.VersionRequirement(name='vadinfo',
                                         component=vadinfo.VadInfo,
                                         version=(2, 0, 0))
     ]
コード例 #5
0
ファイル: vadinfo.py プロジェクト: NiklasBeierl/volatility3
 def get_requirements(
         cls) -> List[interfaces.configuration.RequirementInterface]:
     # Since we're calling the plugin, make sure we have the plugin's requirements
     return [requirements.ModuleRequirement(name = 'kernel', description = 'Windows kernel',
                                            architectures = ["Intel32", "Intel64"]),
             # TODO: Convert this to a ListRequirement so that people can filter on sets of ranges
             requirements.IntRequirement(name = 'address',
                                         description = "Process virtual memory address to include " \
                                                       "(all other address ranges are excluded). This must be " \
                                                       "a base address, not an address within the desired range.",
                                         optional = True),
             requirements.ListRequirement(name = 'pid',
                                          description = 'Filter on specific process IDs',
                                          element_type = int,
                                          optional = True),
             requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (2, 0, 0)),
             requirements.BooleanRequirement(name = 'dump',
                                             description = "Extract listed memory ranges",
                                             default = False,
                                             optional = True),
             requirements.IntRequirement(name = 'maxsize',
                                         description = "Maximum size for dumped VAD sections " \
                                                       "(all the bigger sections will be ignored)",
                                         default = cls.MAXSIZE_DEFAULT,
                                         optional = True),
             ]
コード例 #6
0
 def get_requirements(cls):
     return [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Memory layer for the kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(
             name="nt_symbols", description="Windows kernel symbols"),
         requirements.PluginRequirement(name='pslist',
                                        plugin=pslist.PsList,
                                        version=(2, 0, 0)),
         requirements.VersionRequirement(name='info',
                                         component=info.Info,
                                         version=(1, 0, 0)),
         requirements.ListRequirement(
             name='pid',
             element_type=int,
             description=
             "Process ID to include (all other processes are excluded)",
             optional=True),
         requirements.BooleanRequirement(
             name='dump',
             description="Extract listed processes",
             default=False,
             optional=True)
     ]
コード例 #7
0
ファイル: pslist.py プロジェクト: namishelex01/volatility3
 def get_requirements(cls):
     return [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Memory layer for the kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(
             name="nt_symbols", description="Windows kernel symbols"),
         requirements.BooleanRequirement(
             name='physical',
             description='Display physical offsets instead of virtual',
             default=cls.PHYSICAL_DEFAULT,
             optional=True),
         requirements.ListRequirement(
             name='pid',
             element_type=int,
             description=
             "Process ID to include (all other processes are excluded)",
             optional=True),
         requirements.BooleanRequirement(
             name='dump',
             description="Extract listed processes",
             default=False,
             optional=True)
     ]
コード例 #8
0
ファイル: timeliner.py プロジェクト: NiklasBeierl/volatility3
 def get_requirements(
         cls) -> List[interfaces.configuration.RequirementInterface]:
     return [
         requirements.StringRequirement(
             name='plugins',
             description="Comma separated list of plugins to run",
             optional=True,
             default=None),
         requirements.BooleanRequirement(
             name='record-config',
             description=
             "Whether to record the state of all the plugins once complete",
             optional=True,
             default=False),
         requirements.ListRequirement(
             name='plugin-filter',
             description="Only run plugins featuring this substring",
             element_type=str,
             optional=True,
             default=[]),
         requirements.BooleanRequirement(
             name='create-bodyfile',
             description=
             "Whether to create a body file whilst producing results",
             optional=True,
             default=False)
     ]
コード例 #9
0
ファイル: pslist.py プロジェクト: michaelmagyar/volatility3
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
     return [
         requirements.ModuleRequirement(name = 'kernel', description = 'Linux kernel',
                                        architectures = ["Intel32", "Intel64"]),
         requirements.ListRequirement(name = 'pid',
                                      description = 'Filter on specific process IDs',
                                      element_type = int,
                                      optional = True)
     ]
コード例 #10
0
 def get_requirements(
         cls) -> List[interfaces.configuration.RequirementInterface]:
     return [
         requirements.ListRequirement(name='pages',
                                      element_type=int,
                                      min_elements=1),
         requirements.TranslationLayerRequirement(name='base_layer'),
         requirements.IntRequirement(name='maximum_size')
     ]
コード例 #11
0
ファイル: psaux.py プロジェクト: michaelmagyar/volatility3
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
     return [
         requirements.ModuleRequirement(name = 'kernel', description = 'Kernel module for the OS',
                                        architectures = ["Intel32", "Intel64"]),
         requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (3, 0, 0)),
         requirements.ListRequirement(name = 'pid',
                                      description = 'Filter on specific process IDs',
                                      element_type = int,
                                      optional = True)
     ]
コード例 #12
0
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
     return [
         requirements.ModuleRequirement(name = 'kernel', description = 'Windows kernel',
                                        architectures = ["Intel32", "Intel64"]),
         requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (2, 0, 0)),
         requirements.ListRequirement(name = 'pid',
                                      element_type = int,
                                      description = "Process ID to include (all other processes are excluded)",
                                      optional = True),
         requirements.URIRequirement(name = "strings_file", description = "Strings file")
     ]
コード例 #13
0
ファイル: lsof.py プロジェクト: NiklasBeierl/volatility3
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
     return [
         requirements.ModuleRequirement(name = 'kernel', description = 'Linux kernel',
                                        architectures = ["Intel32", "Intel64"]),
         requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (2, 0, 0)),
         requirements.VersionRequirement(name = 'linuxutils', component = linux.LinuxUtilities, version = (2, 0, 0)),
         requirements.ListRequirement(name = 'pid',
                                      description = 'Filter on specific process IDs',
                                      element_type = int,
                                      optional = True)
     ]
コード例 #14
0
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
     """Returns the requirements of this plugin."""
     return [
         requirements.ListRequirement(
             name = "single_swap_locations",
             element_type = str,
             min_elements = 0,
             max_elements = 16,
             description = "Specifies a list of swap layer URIs for use with single-location",
             optional = True)
     ]
コード例 #15
0
ファイル: cmdline.py プロジェクト: NiklasBeierl/volatility3
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
     # Since we're calling the plugin, make sure we have the plugin's requirements
     return [
         requirements.ModuleRequirement(name = 'kernel', description = 'Windows kernel',
                                        architectures = ["Intel32", "Intel64"]),
         requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (2, 0, 0)),
         requirements.ListRequirement(name = 'pid',
                                      element_type = int,
                                      description = "Process IDs to include (all other processes are excluded)",
                                      optional = True)
     ]
コード例 #16
0
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
     return [
         requirements.TranslationLayerRequirement(name = 'primary',
                                                  description = 'Memory layer for the kernel',
                                                  architectures = ["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(name = "vmlinux", description = "Linux kernel symbols"),
         requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (1, 0, 0)),
         requirements.ListRequirement(name = 'pid',
                                      description = 'Filter on specific process IDs',
                                      element_type = int,
                                      optional = True)
     ]
コード例 #17
0
 def get_requirements(
         cls) -> List[interfaces.configuration.RequirementInterface]:
     # This is not optional for the stacker to run, so optional must be marked as False
     return [
         requirements.URIRequirement(
             name="single_location",
             description="Specifies a base location on which to stack",
             optional=True),
         requirements.ListRequirement(name="stackers",
                                      description="List of stackers",
                                      optional=True)
     ]
コード例 #18
0
ファイル: proc.py プロジェクト: japhlange/volatility3
 def get_requirements(cls):
     # Since we're calling the plugin, make sure we have the plugin's requirements
     return [
         requirements.TranslationLayerRequirement(name = 'primary',
                                                  description = 'Memory layer for the kernel',
                                                  architectures = ["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(name = "vmlinux", description = "Linux kernel symbols"),
         requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (1, 0, 0)),
         requirements.ListRequirement(name = 'pid',
                                      description = 'Filter on specific process IDs',
                                      element_type = int,
                                      optional = True)
     ]
コード例 #19
0
ファイル: pstree.py プロジェクト: michaelmagyar/volatility3
 def get_requirements(cls):
     return [
         requirements.ModuleRequirement(name = 'kernel', description = 'Windows kernel',
                                                  architectures = ["Intel32", "Intel64"]),
         requirements.BooleanRequirement(name = 'physical',
                                         description = 'Display physical offsets instead of virtual',
                                         default = pslist.PsList.PHYSICAL_DEFAULT,
                                         optional = True),
         requirements.VersionRequirement(name = 'pslist', component = pslist.PsList, version = (2, 0, 0)),
         requirements.ListRequirement(name = 'pid',
                                      element_type = int,
                                      description = "Process ID to include (all other processes are excluded)",
                                      optional = True)
     ]
コード例 #20
0
ファイル: proc.py プロジェクト: NiklasBeierl/volatility3
 def get_requirements(cls):
     # Since we're calling the plugin, make sure we have the plugin's requirements
     return [
         requirements.ModuleRequirement(
             name='kernel',
             description='Linux kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.PluginRequirement(name='pslist',
                                        plugin=pslist.PsList,
                                        version=(2, 0, 0)),
         requirements.ListRequirement(
             name='pid',
             description='Filter on specific process IDs',
             element_type=int,
             optional=True)
     ]
コード例 #21
0
 def get_requirements(cls):
     return [
         requirements.ModuleRequirement(
             name='kernel',
             description='Windows kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.PluginRequirement(name='pslist',
                                        plugin=pslist.PsList,
                                        version=(2, 0, 0)),
         requirements.ListRequirement(
             name='pid',
             element_type=int,
             description=
             "Process IDs to include (all other processes are excluded)",
             optional=True)
     ]
コード例 #22
0
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
     # Since we're calling the plugin, make sure we have the plugin's requirements
     return [
         requirements.TranslationLayerRequirement(name = 'primary',
                                                  description = 'Memory layer for the kernel',
                                                  architectures = ["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
         requirements.ListRequirement(name = 'pid',
                                      description = 'Filter on specific process IDs',
                                      element_type = int,
                                      optional = True),
         requirements.BooleanRequirement(name = 'silent',
                                         description = 'Suppress common and non-persistent variables',
                                         optional = True),
         requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (2, 0, 0)),
         requirements.PluginRequirement(name = 'hivelist', plugin = hivelist.HiveList, version = (1, 0, 0))
     ]
コード例 #23
0
ファイル: pslist.py プロジェクト: NiklasBeierl/volatility3
 def get_requirements(cls):
     return [
         requirements.ModuleRequirement(name = 'kernel', description = 'Windows kernel',
                                        architectures = ["Intel32", "Intel64"]),
         requirements.BooleanRequirement(name = 'physical',
                                         description = 'Display physical offsets instead of virtual',
                                         default = cls.PHYSICAL_DEFAULT,
                                         optional = True),
         requirements.ListRequirement(name = 'pid',
                                      element_type = int,
                                      description = "Process ID to include (all other processes are excluded)",
                                      optional = True),
         requirements.BooleanRequirement(name = 'dump',
                                         description = "Extract listed processes",
                                         default = False,
                                         optional = True)
     ]
コード例 #24
0
 def get_requirements(cls):
     return [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Memory layer for the kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(name="darwin",
                                             description="Mac kernel"),
         requirements.PluginRequirement(name='pslist',
                                        plugin=pslist.PsList,
                                        version=(2, 0, 0)),
         requirements.ListRequirement(
             name='pid',
             description='Filter on specific process IDs',
             element_type=int,
             optional=True)
     ]
コード例 #25
0
ファイル: pslist.py プロジェクト: gcmoreira/volatility3
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
     return [
         requirements.ModuleRequirement(name = 'kernel', description = 'Linux kernel',
                                        architectures = ["Intel32", "Intel64"]),
         requirements.ListRequirement(name = 'pid',
                                      description = 'Filter on specific process IDs',
                                      element_type = int,
                                      optional = True),
         requirements.BooleanRequirement(name="threads",
                                         description="Include user threads",
                                         optional=True,
                                         default=False),
         requirements.BooleanRequirement(name="decorate_comm",
                                         description="Show `user threads` comm in curly brackets, and `kernel threads` comm in square brackets",
                                         optional=True,
                                         default=False),
     ]
コード例 #26
0
 def get_requirements(
         cls) -> List[interfaces.configuration.RequirementInterface]:
     return [
         requirements.TranslationLayerRequirement(
             name='primary',
             description="Memory layer for the kernel",
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(
             name="nt_symbols", description="Windows kernel symbols"),
         requirements.BooleanRequirement(
             name="wide",
             description="Match wide (unicode) strings",
             default=False,
             optional=True),
         requirements.StringRequirement(
             name="yara_rules",
             description="Yara rules (as a string)",
             optional=True),
         requirements.URIRequirement(name="yara_file",
                                     description="Yara rules (as a file)",
                                     optional=True),
         # This additional requirement is to follow suit with upstream, who feel that compiled rules could potentially be used to execute malicious code
         # As such, there's a separate option to run compiled files, as happened with yara-3.9 and later
         requirements.URIRequirement(
             name="yara_compiled_file",
             description="Yara compiled rules (as a file)",
             optional=True),
         requirements.IntRequirement(
             name="max_size",
             default=0x40000000,
             description="Set the maximum size (default is 1GB)",
             optional=True),
         requirements.PluginRequirement(name='pslist',
                                        plugin=pslist.PsList,
                                        version=(2, 0, 0)),
         requirements.VersionRequirement(name='yarascanner',
                                         component=yarascan.YaraScanner,
                                         version=(2, 0, 0)),
         requirements.ListRequirement(
             name='pid',
             element_type=int,
             description=
             "Process IDs to include (all other processes are excluded)",
             optional=True)
     ]
コード例 #27
0
 def get_requirements(cls):
     return [
         requirements.ModuleRequirement(
             name='kernel',
             description='Kernel module for the OS',
             architectures=["Intel32", "Intel64"]),
         requirements.VersionRequirement(name='macutils',
                                         component=mac.MacUtilities,
                                         version=(1, 0, 0)),
         requirements.PluginRequirement(name='pslist',
                                        plugin=pslist.PsList,
                                        version=(3, 0, 0)),
         requirements.ListRequirement(
             name='pid',
             description='Filter on specific process IDs',
             element_type=int,
             optional=True)
     ]
コード例 #28
0
 def get_requirements(
         cls) -> List[interfaces.configuration.RequirementInterface]:
     # Since we're calling the plugin, make sure we have the plugin's requirements
     return [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Memory layer for the kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(
             name="nt_symbols", description="Windows kernel symbols"),
         requirements.ListRequirement(
             name='pid',
             element_type=int,
             description=
             "Process IDs to include (all other processes are excluded)",
             optional=True),
         requirements.PluginRequirement(name='pslist',
                                        plugin=pslist.PsList,
                                        version=(2, 0, 0))
     ]
コード例 #29
0
ファイル: isfinfo.py プロジェクト: japhlange/volatility3
 def get_requirements(
         cls) -> List[interfaces.configuration.RequirementInterface]:
     return [
         requirements.ListRequirement(
             name='filter',
             description=
             'String that must be present in the file URI to display the ISF',
             optional=True,
             default=[]),
         requirements.URIRequirement(
             name='isf',
             description="Specific ISF file to process",
             default=None,
             optional=True),
         requirements.BooleanRequirement(
             name='validate',
             description='Validate against schema if possible',
             default=False,
             optional=True)
     ]
コード例 #30
0
 def get_requirements(cls):
     return [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Kernel Address Space',
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(name="darwin",
                                             description="Mac Kernel"),
         requirements.PluginRequirement(name='pslist',
                                        plugin=pslist.PsList,
                                        version=(2, 0, 0)),
         requirements.VersionRequirement(name='macutils',
                                         component=mac.MacUtilities,
                                         version=(1, 0, 0)),
         requirements.ListRequirement(
             name='pid',
             description='Filter on specific process IDs',
             element_type=int,
             optional=True)
     ]