예제 #1
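def main():
    """Command-line entry point for the Volatility framework.

    Writes the framework version banner to stderr, loads the plugins,
    registers the global options of address spaces and commands, picks the
    first positional argument that names a registered plugin and runs it.
    ``debug.error`` is called when no plugin name or no location was given;
    a ``VolatilityException`` raised while running the plugin is printed
    rather than propagated.
    """
    # Version banner on every run; it goes to stderr so plugin output on
    # stdout stays clean and users can report exactly which build ran.
    sys.stderr.write(
        "Volatility Foundation Volatility Framework {0}\n".format(
            constants.VERSION
        )
    )
    sys.stderr.flush()

    # Initial logging setup; repeated below once the debug option is known.
    debug.setup()
    # Importing the plugins may register extra config options, so it has to
    # happen before the global options are collected.
    registry.PluginImporter()

    registry.register_global_options(config, addrspace.BaseAddressSpace)
    registry.register_global_options(config, commands.Command)

    if config.INFO:
        print_info()
        sys.exit(0)

    # First parse so config.DEBUG is available before logging is configured
    # (the meaning of the False argument is defined by config.parse_options).
    config.parse_options(False)
    debug.setup(config.DEBUG)

    # Plugin selection is a plain dictionary lookup against the registry, so
    # only a name the registry already knows can be chosen from argv; this
    # was previously `m in list(cmds.keys())`, which rebuilt the key list on
    # every argument.
    cmds = registry.get_plugin_classes(commands.Command, lower=True)
    module = next((arg for arg in config.args if arg in cmds), None)

    if not module:
        config.parse_options()
        debug.error("You must specify something to do (try -h)")

    try:
        # Re-checked on purpose: debug.error is not shown here to terminate,
        # and if it returns, module is still None and nothing may run.
        if module in cmds:
            command = cmds[module](config)

            # Let the chosen plugin contribute its own options to the help.
            config.set_help_hook(obj.Curry(command_help, command))
            config.parse_options()

            if not config.LOCATION:
                debug.error("Please specify a location (-l) or filename (-f)")

            command.execute()
    except exceptions.VolatilityException as e:
        print(e)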
예제 #2
def determine_connections(addr_space):
    """Yield every _TCPT_OBJECT reachable from the tcpip.sys TCB table.

    Args:
        addr_space: address space whose module list and profile metadata
            are used to locate tcpip.sys and the per-version table offsets.

    Yields:
        _TCPT_OBJECT instances, each chain followed through ``Next`` until
        an invalid object or an already-visited offset is reached.
    """
    loaded_modules = win32.modules.lsmod(addr_space)

    metadata = addr_space.profile.metadata
    os_version = (metadata.get('major', 0), metadata.get('minor', 0))
    # XP (5.1) and earlier use one set of offsets, 2003 and later another.
    if os_version <= (5, 1):
        offsets_by_build = module_versions_xp
    else:
        offsets_by_build = module_versions_2003

    for mod in loaded_modules:
        if str(mod.BaseDllName).lower() != 'tcpip.sys':
            continue

        base = mod.DllBase
        for offsets in offsets_by_build.values():
            table_size = obj.Object(
                "long",
                offset=base + offsets['SizeOff'][0],
                vm=addr_space,
            )
            table_addr = obj.Object(
                "address",
                offset=base + offsets['TCBTableOff'][0],
                vm=addr_space,
            )

            # NOTE(review): table_size is read from the image with no upper
            # bound (determine_sockets caps its count with MAX_SOCKETS); a
            # corrupted or hostile image can therefore request a very large
            # Array here — confirm whether obj.Object limits count itself.
            if not table_size > 0:
                continue

            table = obj.Object(
                "Array",
                offset=table_addr,
                vm=addr_space,
                count=table_size,
                target=obj.Curry(obj.Pointer, '_TCPT_OBJECT'),
            )
            if not table:
                continue

            for entry in table:
                visited = set()
                node = entry.dereference()
                # The visited set stops a looped Next chain from yielding forever.
                while node.is_valid() and node.obj_offset not in visited:
                    yield node
                    visited.add(node.obj_offset)
                    node = node.Next.dereference()
예제 #3
def determine_sockets(addr_space):
    """Yield every _ADDRESS_OBJECT reachable from the tcpip.sys address-object table.

    Args:
        addr_space: address space whose module list and profile metadata
            are used to locate tcpip.sys and the per-version table offsets.

    Yields:
        _ADDRESS_OBJECT instances, each chain followed through ``Next`` until
        an invalid object or an already-visited offset is reached.
    """
    loaded_modules = win32.modules.lsmod(addr_space)

    metadata = addr_space.profile.metadata
    # NOTE(review): `major <= 5.1` compares an int against a float, so for
    # integer majors it means major <= 5 and, with minor == 1, selects the
    # XP offsets only for 5.1; determine_connections uses `version <= (5, 1)`
    # and also sends 5.0 to the XP table — confirm which is intended.
    is_xp = (
        metadata.get('major', 0) <= 5.1
        and metadata.get('minor', 0) == 1
    )
    offsets_by_build = module_versions_xp if is_xp else module_versions_2003

    for mod in loaded_modules:
        if str(mod.BaseDllName).lower() != 'tcpip.sys':
            continue

        base = mod.DllBase
        for offsets in offsets_by_build.values():
            table_size = obj.Object(
                "unsigned long",
                offset=base + offsets['AddrObjTableSizeOffset'][0],
                vm=addr_space,
            )
            table_addr = obj.Object(
                "address",
                offset=base + offsets['AddrObjTableOffset'][0],
                vm=addr_space,
            )

            # MAX_SOCKETS is a sanity bound on a count read straight from the
            # image, so a corrupted value cannot turn into a huge Array.
            if not 0 < int(table_size) < MAX_SOCKETS:
                continue

            table = obj.Object(
                "Array",
                offset=table_addr,
                vm=addr_space,
                count=table_size,
                target=obj.Curry(obj.Pointer, "_ADDRESS_OBJECT"),
            )
            if not table:
                continue

            for entry in table:
                visited = set()
                node = entry.dereference()
                # The visited set stops a looped Next chain from yielding forever.
                while node.is_valid() and node.obj_offset not in visited:
                    yield node
                    visited.add(node.obj_offset)
                    node = node.Next.dereference()
예제 #4
    'MFT_FILE_RECORD': [ 0x400, {
        'Signature': [ 0x0, ['unsigned int']],
        'FixupArrayOffset': [ 0x4, ['unsigned short']],
        'NumFixupEntries': [ 0x6, ['unsigned short']],
        'LSN': [ 0x8, ['unsigned long long']],
        'SequenceValue': [ 0x10, ['unsigned short']],
        'LinkCount': [ 0x12, ['unsigned short']],
        'FirstAttributeOffset': [0x14, ['unsigned short']],
        'Flags': [0x16, ['unsigned short']],
        'EntryUsedSize': [0x18, ['int']],
        'EntryAllocatedSize': [0x1c, ['unsigned int']],
        'FileRefBaseRecord': [0x20, ['unsigned long long']],
        'NextAttributeID': [0x28, ['unsigned short']],
        'RecordNumber': [0x2c, ['unsigned long']],
        'FixupArray': lambda x: obj.Object("Array", offset = x.obj_offset + x.FixupArrayOffset, count = x.NumFixupEntries, vm = x.obj_vm,
                                        target = obj.Curry(obj.Object, "unsigned short")),
        'ResidentAttributes': lambda x : obj.Object("RESIDENT_ATTRIBUTE", offset = x.obj_offset + x.FirstAttributeOffset, vm = x.obj_vm),
        'NonResidentAttributes': lambda x : obj.Object("NON_RESIDENT_ATTRIBUTE", offset = x.obj_offset + x.FirstAttributeOffset, vm = x.obj_vm),
     }],

    'ATTRIBUTE_HEADER': [ 0x10, {
        'Type': [0x0, ['int']],   
        'Length': [0x4, ['int']],
        'NonResidentFlag': [0x8, ['unsigned char']],
        'NameLength': [0x9, ['unsigned char']],
        'NameOffset': [0xa, ['unsigned short']],
        'Flags': [0xc, ['unsigned short']],
        'AttributeID': [0xe, ['unsigned short']],
    }], 

    'RESIDENT_ATTRIBUTE': [0x16, {