def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
"""This vmware translation layer always requires a separate metadata
layer."""
return [
requirements.TranslationLayerRequirement(name = 'base_layer', optional = False),
requirements.TranslationLayerRequirement(name = 'meta_layer', optional = False)
]
def get_requirements(cls):
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.IntRequirement(
name='pid',
description=
"Process ID to include (all other processes are excluded)",
optional=True),
requirements.StringRequirement(
name="imphash",
description="Search single imphash value",
optional=True),
requirements.StringRequirement(
name="imphashlist",
description="Search imphash list file",
optional=True),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(2, 0, 0)),
requirements.PluginRequirement(name='vadinfo',
plugin=vadinfo.VadInfo,
version=(2, 0, 0)),
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
# TODO: Convert this to a ListRequirement so that people can filter on sets of ranges
requirements.IntRequirement(name = 'address',
description = "Process virtual memory address to include " \
"(all other address ranges are excluded). This must be " \
"a base address, not an address within the desired range.",
optional = True),
requirements.ListRequirement(name = 'pid',
description = 'Filter on specific process IDs',
element_type = int,
optional = True),
requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (2, 0, 0)),
requirements.BooleanRequirement(name = 'dump',
description = "Extract listed memory ranges",
default = False,
optional = True),
requirements.IntRequirement(name = 'maxsize',
description = "Maximum size for dumped VAD sections " \
"(all the bigger sections will be ignored)",
default = cls.MAXSIZE_DEFAULT,
optional = True),
]
def get_requirements(cls):
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.ListRequirement(
name='pid',
element_type=int,
description=
"Process IDs to include (all other processes are excluded)",
optional=True),
requirements.BooleanRequirement(
name='dump',
description="Extract injected VADs",
default=False,
optional=True),
requirements.VersionRequirement(name='pslist',
component=pslist.PsList,
version=(2, 0, 0)),
requirements.VersionRequirement(name='vadinfo',
component=vadinfo.VadInfo,
version=(2, 0, 0))
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(2, 0, 0)),
requirements.VersionRequirement(name='info',
component=info.Info,
version=(1, 0, 0)),
requirements.ListRequirement(
name='pid',
element_type=int,
description=
"Process ID to include (all other processes are excluded)",
optional=True),
requirements.BooleanRequirement(
name='dump',
description="Extract listed processes",
default=False,
optional=True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.IntRequirement(
name='pid',
description=
"Process ID to include (all other processes are excluded)",
optional=True),
requirements.IntRequirement(
name='virtaddr',
description=
"Dump a single _FILE_OBJECT at this virtual address",
optional=True),
requirements.IntRequirement(
name='physaddr',
description=
"Dump a single _FILE_OBJECT at this physical address",
optional=True),
requirements.VersionRequirement(name='pslist',
component=pslist.PsList,
version=(2, 0, 0)),
requirements.VersionRequirement(name='handles',
component=handles.Handles,
version=(1, 0, 0))
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "darwin", description = "Mac kernel"),
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description="Memory layer for the kernel",
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.IntRequirement(
name="max_size",
default=0x40000000,
description="Set the maximum size (default is 1GB)",
optional=True),
requirements.VersionRequirement(name='pslist',
component=pslist.PsList,
version=(2, 0, 0)),
requirements.IntRequirement(
name='pid',
description=
"Process ID to include (all other processes are excluded)",
optional=True),
requirements.URIRequirement(name="yara_file",
description="Yara rules (as a file)",
optional=True),
requirements.PluginRequirement(name='vadyarascan',
plugin=vadyarascan.VadYaraScan,
version=(1, 0, 0)),
requirements.VersionRequirement(name='vadinfo',
component=vadinfo.VadInfo,
version=(2, 0, 0)),
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.PluginRequirement(name='hivelist',
plugin=hivelist.HiveList,
version=(1, 0, 0)),
requirements.IntRequirement(name='offset',
description="Hive Offset",
default=None,
optional=True),
requirements.StringRequirement(name='key',
description="Key to start from",
default=None,
optional=True),
requirements.BooleanRequirement(
name='recurse',
description='Recurses through keys',
default=False,
optional=True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description="Memory layer for the kernel",
architectures=["Intel32", "Intel64"]),
requirements.BooleanRequirement(
name="insensitive",
description="Makes the search case insensitive",
default=False,
optional=True),
requirements.BooleanRequirement(
name="wide",
description="Match wide (unicode) strings",
default=False,
optional=True),
requirements.StringRequirement(
name="yara_rules",
description="Yara rules (as a string)",
optional=True),
requirements.URIRequirement(name="yara_file",
description="Yara rules (as a file)",
optional=True),
requirements.IntRequirement(
name="max_size",
default=0x40000000,
description="Set the maximum size (default is 1GB)",
optional=True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
## TODO: we might add a regex option on the name later, but otherwise we're good
## TODO: and we don't want any CLI options from pslist, modules, or moddump
return [
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(2, 0, 0)),
requirements.PluginRequirement(name='modules',
plugin=modules.Modules,
version=(1, 0, 0)),
requirements.VersionRequirement(name='dlllist',
component=dlllist.DllList,
version=(2, 0, 0)),
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.BooleanRequirement(
name="extensive",
description="Search physical layer for version information",
optional=True,
default=False),
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.IntRequirement(
name='block_size',
description="Size of blocks to copy over",
default=cls.default_block_size,
optional=True),
requirements.BooleanRequirement(
name='list',
description='List available layers',
default=False,
optional=True),
requirements.ListRequirement(
name='layers',
element_type=str,
description=
'Names of layers to write (defaults to the highest non-mapped layer)',
default=None,
optional=True)
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = "Memory layer for the kernel",
architectures = ["Intel32", "Intel64"]),
requirements.BooleanRequirement(name = "insensitive",
description = "Makes the search case insensitive",
default = False,
optional = True),
requirements.BooleanRequirement(name = "wide",
description = "Match wide (unicode) strings",
default = False,
optional = True),
requirements.StringRequirement(name = "yara_rules",
description = "Yara rules (as a string)",
optional = True),
requirements.URIRequirement(name = "yara_file", description = "Yara rules (as a file)", optional = True),
# This additional requirement is to follow suit with upstream, who feel that compiled rules could potentially be used to execute malicious code
# As such, there's a separate option to run compiled files, as happened with yara-3.9 and later
requirements.URIRequirement(name = "yara_compiled_file",
description = "Yara compiled rules (as a file)",
optional = True),
requirements.IntRequirement(name = "max_size",
default = 0x40000000,
description = "Set the maximum size (default is 1GB)",
optional = True)
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.BooleanRequirement(
name='physical',
description='Display physical offsets instead of virtual',
default=cls.PHYSICAL_DEFAULT,
optional=True),
requirements.ListRequirement(
name='pid',
element_type=int,
description=
"Process ID to include (all other processes are excluded)",
optional=True),
requirements.BooleanRequirement(
name='dump',
description="Extract listed processes",
default=False,
optional=True)
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols")
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(name = 'memory_layer', optional = False),
requirements.LayerListRequirement(name = 'swap_layers', optional = True),
requirements.IntRequirement(name = 'page_map_offset', optional = False),
requirements.IntRequirement(name = 'kernel_virtual_offset', optional = True),
requirements.StringRequirement(name = 'kernel_banner', optional = True)
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
requirements.PluginRequirement(name = 'hivelist', plugin = hivelist.HiveList, version = (1, 0, 0))
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"])
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "vmlinux", description = "Linux kernel symbols"),
requirements.VersionRequirement(name = 'linuxutils', component = linux.LinuxUtilities, version = (1, 0, 0)),
requirements.PluginRequirement(name = 'lsmod', plugin = lsmod.Lsmod, version = (1, 0, 0))
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.ListRequirement(name='pages',
element_type=int,
min_elements=1),
requirements.TranslationLayerRequirement(name='base_layer'),
requirements.IntRequirement(name='maximum_size')
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.BooleanRequirement(name = 'extra',
description = 'Outputs whole configuration tree',
default = False,
optional = True)
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.VersionRequirement(name='yarascanner',
component=yarascan.YaraScanner,
version=(2, 0, 0)),
]
def __call__(self,
context: interfaces.context.ContextInterface,
config_path: str,
requirement: interfaces.configuration.RequirementInterface,
progress_callback: constants.ProgressCallback = None) -> None:
"""Finds translation layers that can have swap layers added."""
path_join = interfaces.configuration.path_join
self._translation_requirement = self.find_requirements(
context,
config_path,
requirement,
requirements.TranslationLayerRequirement,
shortcut=False)
for trans_sub_config, trans_req in self._translation_requirement:
if not isinstance(trans_req,
requirements.TranslationLayerRequirement):
# We need this so the type-checker knows we're a TranslationLayerRequirement
continue
swap_sub_config, swap_req = self.find_swap_requirement(
trans_sub_config, trans_req)
counter = 0
swap_config = interfaces.configuration.parent_path(swap_sub_config)
if swap_req and swap_req.unsatisfied(context, swap_config):
# See if any of them need constructing
for swap_location in self.config.get('single_swap_locations',
[]):
# Setup config locations/paths
current_layer_name = swap_req.name + str(counter)
current_layer_path = path_join(swap_sub_config,
current_layer_name)
layer_loc_path = path_join(current_layer_path, "location")
layer_class_path = path_join(current_layer_path, "class")
counter += 1
# Fill in the config
if swap_location:
context.config[current_layer_path] = current_layer_name
context.config[layer_loc_path] = swap_location
context.config[
layer_class_path] = 'volatility3.framework.layers.physical.FileLayer'
# Add the requirement
new_req = requirements.TranslationLayerRequirement(
name=current_layer_name,
description="Swap Layer",
optional=False)
swap_req.add_requirement(new_req)
context.config[path_join(swap_sub_config,
'number_of_elements')] = counter
context.config[swap_sub_config] = True
swap_req.construct(context, swap_config)
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Kernel Address Space',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name="darwin",
description="Mac Kernel"),
requirements.PluginRequirement(name='mount',
plugin=mount.Mount,
version=(1, 0, 0)),
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "vmlinux", description = "Linux kernel symbols"),
requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (1, 0, 0)),
requirements.ListRequirement(name = 'pid',
description = 'Filter on specific process IDs',
element_type = int,
optional = True)
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
requirements.StringRequirement(name = 'tags',
description = "Comma separated list of pool tags to filter pools returned",
optional = True,
default = None)
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="vmlinux", description="Linux kernel symbols"),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(1, 0, 0))
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
reqs: List[interfaces.configuration.RequirementInterface] = []
if cls == Volshell:
reqs = [
requirements.URIRequirement(name = 'script',
description = 'File to load and execute at start',
default = None,
optional = True)
]
return reqs + [
requirements.TranslationLayerRequirement(name = 'primary', description = 'Memory layer for the kernel'),
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.VersionRequirement(name='macutils',
component=mac.MacUtilities,
version=(1, 0, 0)),
requirements.SymbolTableRequirement(
name="darwin", description="Mac kernel symbols")
]
