def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
requirements.VersionRequirement(name = 'poolscanner',
component = poolscanner.PoolScanner,
version = (1, 0, 0)),
requirements.VersionRequirement(name = 'info', component = info.Info, version = (1, 0, 0)),
requirements.BooleanRequirement(
name = 'include-corrupt',
description =
"Radically eases result validation. This will show partially overwritten data. WARNING: the results are likely to include garbage and/or corrupt data. Be cautious!",
default = False,
optional = True),
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
requirements.PluginRequirement(name = 'hivelist', plugin = hivelist.HiveList, version = (1, 0, 0)),
requirements.IntRequirement(name = 'offset', description = "Hive Offset", default = None, optional = True),
requirements.StringRequirement(name = 'key',
description = "Key to start from",
default = None,
optional = True),
requirements.BooleanRequirement(name = 'recurse',
description = 'Recurses through keys',
default = False,
optional = True)
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Kernel Address Space',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name="darwin",
description="Mac Kernel"),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(2, 0, 0)),
requirements.ListRequirement(
name='pid',
description='Filter on specific process IDs',
element_type=int,
optional=True)
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
requirements.StringRequirement(name = 'filter',
description = "String to filter hive names returned",
optional = True,
default = None),
requirements.PluginRequirement(name = 'hivescan', plugin = hivescan.HiveScan, version = (1, 0, 0)),
requirements.BooleanRequirement(name = 'dump',
description = "Extract listed registry hives",
default = False,
optional = True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(1, 0, 0)),
requirements.PluginRequirement(name='netscan',
plugin=pslist.PsList,
version=(1, 0, 0)),
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "darwin", description = "Mac kernel symbols"),
requirements.VersionRequirement(name = 'macutils', component = mac.MacUtilities, version = (1, 1, 0)),
requirements.ChoiceRequirement(name = 'pslist_method',
description = 'Method to determine for processes',
choices = cls.pslist_methods,
default = cls.pslist_methods[0],
optional = True),
requirements.ListRequirement(name = 'pid',
description = 'Filter on specific process IDs',
element_type = int,
optional = True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.StringRequirement(
name='tags',
description=
"Comma separated list of pool tags to filter pools returned",
optional=True,
default=None)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
# Reuse the requirements from the plugins we use
return [
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(1, 0, 0)),
requirements.PluginRequirement(name='modules',
plugin=modules.Modules,
version=(1, 0, 0)),
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols")
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary', description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.PluginRequirement(
name='pslist', plugin=pslist.PsList, version=(1, 0, 0)),
requirements.ListRequirement(name = 'pid',
element_type = int, description = "Process ID to include (all other processes are excluded)",
optional = True),
]
def get_requirements(cls):
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
requirements.ListRequirement(name = 'pid',
element_type = int,
description = "Process IDs to include (all other processes are excluded)",
optional = True),
requirements.BooleanRequirement(name = 'dump',
description = "Extract injected VADs",
default = False,
optional = True),
requirements.VersionRequirement(name = 'pslist', component = pslist.PsList, version = (2, 0, 0)),
requirements.VersionRequirement(name = 'vadinfo', component = vadinfo.VadInfo, version = (2, 0, 0))
]
def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
# TODO: Convert this to a ListRequirement so that people can filter on sets of ranges
requirements.IntRequirement(name = 'address',
description = "Process virtual memory address to include " \
"(all other address ranges are excluded). This must be " \
"a base address, not an address within the desired range.",
optional = True),
requirements.IntRequirement(
name = 'pid', description = "Process ID to include (all other processes are excluded)",
optional = True),
requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (1, 0, 0)),
requirements.PluginRequirement(name = 'vadinfo', plugin = vadinfo.VadInfo, version = (1, 0, 0)),
]
def get_requirements(cls):
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="vmlinux", description="Linux kernel symbols"),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(1, 0, 0)),
requirements.ListRequirement(
name='pid',
description='Filter on specific process IDs',
element_type=int,
optional=True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="vmlinux", description="Linux kernel symbols"),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(1, 0, 0)),
requirements.ListRequirement(
name='pid',
description='Filter on specific process IDs',
element_type=int,
optional=True)
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name="darwin",
description="Mac kernel"),
requirements.VersionRequirement(name='macutils',
component=mac.MacUtilities,
version=(1, 1, 0)),
requirements.PluginRequirement(name='lsmod',
plugin=lsmod.Lsmod,
version=(1, 0, 0)),
requirements.PluginRequirement(name='kauth_scopes',
plugin=kauth_scopes.Kauth_scopes,
version=(1, 0, 0))
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(name = 'primary',
description = 'Memory layer for the kernel',
architectures = ["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name = "nt_symbols", description = "Windows kernel symbols"),
requirements.BooleanRequirement(name = 'physical',
description = 'Display physical offsets instead of virtual',
default = cls.PHYSICAL_DEFAULT,
optional = True),
requirements.ListRequirement(name = 'pid',
element_type = int,
description = "Process ID to include (all other processes are excluded)",
optional = True),
requirements.BooleanRequirement(name = 'dump',
description = "Extract listed processes",
default = False,
optional = True)
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
# TODO: Convert this to a ListRequirement so that people can filter on sets of pids
requirements.BooleanRequirement(
name='physical',
description='Display physical offsets instead of virtual',
default=cls.PHYSICAL_DEFAULT,
optional=True),
requirements.IntRequirement(
name='pid',
description=
"Process ID to include (all other processes are excluded)",
optional=True)
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(name="darwin",
description="Mac kernel"),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(2, 0, 0)),
requirements.VersionRequirement(name='macutils',
component=mac.MacUtilities,
version=(1, 2, 0)),
requirements.ListRequirement(
name='pid',
description='Filter on specific process IDs',
element_type=int,
optional=True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.ListRequirement(
name='pid',
element_type=int,
description=
"Process IDs to include (all other processes are excluded)",
optional=True),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(2, 0, 0))
]
def get_requirements(cls):
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.VersionRequirement(name='poolerscanner',
component=poolscanner.PoolScanner,
version=(1, 0, 0)),
requirements.VersionRequirement(name='dlllist',
component=dlllist.DllList,
version=(1, 0, 0)),
requirements.BooleanRequirement(
name='dump',
description="Extract listed modules",
default=False,
optional=True)
]
def get_requirements(cls):
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.IntRequirement(
name='pid',
description=
"Process ID to include (all other processes are excluded)",
optional=True),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(1, 0, 0)),
requirements.PluginRequirement(name='vadinfo',
plugin=vadinfo.VadInfo,
version=(1, 0, 0)),
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.VersionRequirement(name='pslist',
component=pslist.PsList,
version=(2, 0, 0)),
requirements.VersionRequirement(name='dlllist',
component=dlllist.DllList,
version=(2, 0, 0)),
requirements.BooleanRequirement(
name='dump',
description="Extract listed modules",
default=False,
optional=True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
## TODO: we might add a regex option on the name later, but otherwise we're good
## TODO: and we don't want any CLI options from pslist, modules, or moddump
return [
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(1, 0, 0)),
requirements.PluginRequirement(name='modules',
plugin=modules.Modules,
version=(1, 0, 0)),
requirements.PluginRequirement(name='moddump',
plugin=moddump.ModDump,
version=(1, 0, 0)),
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
return [
requirements.TranslationLayerRequirement(
name='primary',
description="Memory layer for the kernel",
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.BooleanRequirement(
name="wide",
description="Match wide (unicode) strings",
default=False,
optional=True),
requirements.StringRequirement(
name="yara_rules",
description="Yara rules (as a string)",
optional=True),
requirements.URIRequirement(name="yara_file",
description="Yara rules (as a file)",
optional=True),
requirements.IntRequirement(
name="max_size",
default=0x40000000,
description="Set the maximum size (default is 1GB)",
optional=True),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(2, 0, 0)),
requirements.VersionRequirement(name='yarascanner',
component=yarascan.YaraScanner,
version=(2, 0, 0)),
requirements.ListRequirement(
name='pid',
element_type=int,
description=
"Process IDs to include (all other processes are excluded)",
optional=True)
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.BooleanRequirement(
name='PARSE_ALL',
description='Parse every directory under the root dir',
optional=True),
requirements.StringRequirement(
name='SUPPLY_ADDR',
description='Parse directories under specific addresses',
optional=True),
requirements.StringRequirement(
name='FULL_PATH',
description='Parse a directory found by full path location',
optional=True),
]
def get_requirements(
cls) -> List[interfaces.configuration.RequirementInterface]:
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
#requirements.VersionRequirement(name = 'info', component = info.Info, version = (1, 0, 0)),
requirements.ListRequirement(
name='pid',
element_type=str,
description=
"Process IDs to include (all other processes are excluded)",
optional=True),
requirements.BooleanRequirement(
name='include-corrupt',
description="Include non-valid records (substitutions)",
default=False,
optional=True),
]
def get_requirements(cls):
# Since we're calling the plugin, make sure we have the plugin's requirements
return [
requirements.TranslationLayerRequirement(
name='primary',
description='Memory layer for the kernel',
architectures=["Intel32", "Intel64"]),
requirements.SymbolTableRequirement(
name="nt_symbols", description="Windows kernel symbols"),
requirements.IntRequirement(
name='pid',
description=
"Process ID to include (all other processes are excluded)",
optional=True),
requirements.StringRequirement(
name="ssdeep",
description="Search single ssdeep value",
optional=True),
requirements.StringRequirement(
name="ssdeeplist",
description="Search ssdeep list file",
optional=True),
requirements.StringRequirement(
name="exefile",
description="Comparing the PE file or direcroty",
optional=True),
requirements.IntRequirement(
name='threshold',
description="Ssdeep threshold (Default 30)",
optional=True),
requirements.PluginRequirement(name='pslist',
plugin=pslist.PsList,
version=(1, 0, 0)),
requirements.PluginRequirement(name='vadinfo',
plugin=vadinfo.VadInfo,
version=(1, 0, 0)),
]
def get_requirements(cls):
return (super().get_requirements() + [
requirements.SymbolTableRequirement(name = "vmlinux", description = "Linux kernel symbols"),
requirements.PluginRequirement(name = 'pslist', plugin = pslist.PsList, version = (1, 0, 0)),
requirements.IntRequirement(name = 'pid', description = "Process ID", optional = True)
])
