def __init__(self): # Get the version information on every output from the beginning # Exceptionally useful for debugging/telling people what's going on #sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION)) #sys.stderr.flush() self.config = conf.ConfObject() self.cmds = {} #self.profile = "--profile=Linuxcentos5_5x86" self.vmprocessMap = {} self.config.add_option("INFO", default = None, action = "store_true", cache_invalidator = False, help = "Print information about all registered objects") # Setup the debugging format debug.setup() # Load up modules in case they set config options registry.PluginImporter() ## Register all register_options for the various classes registry.register_global_options(self.config, addrspace.BaseAddressSpace) registry.register_global_options(self.config, commands.Command) # Reset the logging level now we know whether debug is set or not debug.setup(self.config.DEBUG) #pdb.set_trace() ## Try to find the first thing that looks like a module name self.cmds = registry.get_plugin_classes(commands.Command, lower = True)
def main(): if len(sys.argv) != 4: print "Usage: %s %s %s %s" % (sys.argv[0], "profile", "memdump", "targetprocname") sys.exit(1) registry.PluginImporter() config = conf.ConfObject() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = sys.argv[1] config.LOCATION = sys.argv[2] processes = taskmods.PSList(config) target = filter_by_name(processes, sys.argv[3]) # .text info imagebase, va, rawsize = get_text_section_info(target) if imagebase == None: print "[-] Error: probably wrong .text section name" sys.exit(1) text_start = imagebase + va text_end = imagebase + va + rawsize permissions = get_vad_protect_flags(target, text_start, text_end) print "0x%x-0x%x %s %s" % (text_start, text_end, permissions, TEXT_TAG) # dll info modules = get_dll_info(target) # printing dll info for name, info in modules.items(): dll_start = info[0] dll_end = info[0] + info[1] permissions = get_vad_protect_flags(target, dll_start, dll_end) print "0x%x-0x%x %s %s" % (dll_start, dll_end, permissions, name) # heap info hs = get_heap_info(target) # printing heap info for h in hs: heap_start = h.BaseAddress.v() heap_end = h.LastValidEntry.v() permissions = get_vad_protect_flags(target, heap_start, heap_end) print "0x%x-0x%x %s %s" % (h.BaseAddress, h.LastValidEntry, permissions, HEAP_TAG) # stack info tebs = get_stack_info(target) # printing stack info for t in tebs: stack_start = t.NtTib.StackBase.v() stack_end = t.NtTib.StackLimit.v() permissions = get_vad_protect_flags(target, stack_start, stack_end) print "0x%x-0x%x %s %s" % (stack_start, stack_end, permissions, STACK_TAG)
def init_config(self): """ Volatility 설정 초기화 :return: """ if self.config is not None and self.addr_space is not None: return self.config self.config = conf.ConfObject() self.config.optparser.set_conflict_handler("resolve") registry.register_global_options(self.config, commands.Command) registry.register_global_options(self.config, addrspace.BaseAddressSpace) base_conf = { "profile": "WinXPSP2x86", "use_old_as": None, "kdbg": None, "help": False, "kpcr": None, "tz": None, "pid": None, "output_file": None, "physical_offset": None, "conf_file": None, "dtb": None, "output": None, "info": None, "location": "file://" + self.memdump, "plugins": 'plugins', "debug": 4, "filename": None, "cache_directory": None, "verbose": None, "write": False } self.config.parse_options() if self.osprofile: base_conf["profile"] = self.osprofile self.update_config(base_conf) # 사용가능한 플러그인 목록 저장 # self.plugins = Dictionary # key: 플러그인 클래스 이름 # value: 플러그인 클래스 인스턴스 self.plugins = registry.get_plugin_classes(commands.Command, lower=True) profs = registry.get_plugin_classes(obj.Profile) profile = profs[self.config.PROFILE]() # self.plugins에서 플러그인 리스트 추출 for cmd_name, command in self.plugins.items(): if command.is_valid_profile(profile): self.plugin_list.append(cmd_name) return self.config
def get_config(profile, target_path): config = conf.ConfObject() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = profile config.LOCATION = "file://{0}".format(target_path) return config
def main(argv=None): setupLogging("admemanalysis.log",logging.INFO) registry.PluginImporter() config = conf.ConfObject() config.add_option('OUTPUT-PATH', default=None, help='Where to create output files', action='store', type='str') config.process_id = None registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) if not os.path.isfile("inputdata.json"): raise NameError("Input file(inpudata.json) was not found") data = None with open("inputdata.json") as data_file: data = json.load(data_file) operations = data['operationdata'] sys.argv.append("-f") sys.argv.append(data["filestreamtoanalyze"]) sys.argv.append("--profile") profile = data["profiletypename"] or ProfileGeneratorClass().GetProfile() logging.info('profile detected is {0}'.format(profile)) sys.argv.append(profile) output_path = data.get('outputpath') or '' config.parse_options(False) sys.argv.append("--output-path") sys.argv.append(output_path) config.parse_options() if utils.getConfigValue(operations,'process') == True: adprocessesfactory.ADProcesses().execute(operations,config) if utils.getConfigValue(operations,'drivers') == True: addriveranddevicefactory.DriverDeviceScan().execute(config) if utils.getConfigValue(operations,'modules') == True: adkernelmodulesfactory.ADKernelModules().execute(config) if utils.getConfigValue(operations,'sdts')== True: adsdtfactory.ADSdtGenerator().execute(config) if utils.getConfigValue(operations,'yarascan') == True: adyarascanfactory.ADYaraScan().execute("",config) if utils.getConfigValue(operations,'idt') == True: processors = kpcr.doProcessors(config) f = open(config.OUTPUT_PATH + 'processors.xml','w') #f.write(processors.SerializeToString()) f.write(proto2xml(processors,indent=0)) if utils.getConfigValue(operations,'registry') == True: adregistryfactory.ADRegistryExtractor().execute(config)
def init_volatility_config(): global config global addr_space registry.PluginImporter() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = 'Win7SP1x86' mem_image_path = os.path.abspath(sys.argv[1]) config.LOCATION = 'file://' + mem_image_path addr_space = utils.load_as(config)
def volmain(argv): # Few modifications in original code config.set_usage(usage = "Volatility - A memory forensics analysis platform.") config.add_help_hook(list_plugins) argv = argv.split(" ") sys.argv = argv #print sys.argv # Get the version information on every output from the beginning # Exceptionally useful for debugging/telling people what's going on sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION)) # Setup the debugging format debug.setup() # Load up modules in case they set config options registry.PluginImporter() ## Register all register_options for the various classes registry.register_global_options(config, addrspace.BaseAddressSpace) registry.register_global_options(config, commands.Command) if config.INFO: print_info() #sys.exit(0) ## Parse all the options now config.parse_options(False) # Reset the logging level now we know whether debug is set or not debug.setup(config.DEBUG) module = None ## Try to find the first thing that looks like a module name cmds = registry.get_plugin_classes(commands.Command, lower = True) for m in config.args: if m in cmds.keys(): module = m break if not module: config.parse_options() #debug.error("You must specify something to do (try -h)") try: if module in cmds.keys(): command = cmds[module](config) ## Register the help cb from the command itself config.set_help_hook(obj.Curry(command_help, command)) config.parse_options() if not config.LOCATION: debug.error("Please specify a location (-l) or filename (-f)") #print config.LOCATION command.execute() except exceptions.VolatilityException, e: print e
def __config(self): """Creates a volatility configuration.""" if self.config != None and self.addr_space != None: return self.config self.config = conf.ConfObject() self.config.optparser.set_conflict_handler("resolve") registry.register_global_options(self.config, commands.Command) base_conf = { "profile": "WinXPSP2x86", "use_old_as": None, "kdbg": None, "help": False, "kpcr": None, "tz": None, "pid": None, "output_file": None, "physical_offset": None, "conf_file": None, "dtb": None, "output": None, "info": None, "location": "file://" + self.memdump, "plugins": None, "debug": None, "cache_dtb": True, "filename": None, "cache_directory": None, "verbose": None, "write": False } if self.osprofile: base_conf["profile"] = self.osprofile for key, value in base_conf.items(): self.config.update(key, value) # Deal with Volatility support for KVM/qemu memory dump. # See: #464. try: self.addr_space = utils.load_as(self.config) except exc.AddrSpaceError as e: if self._get_dtb(): self.addr_space = utils.load_as(self.config) else: raise self.plugins = registry.get_plugin_classes(commands.Command, lower=True) return self.config
def __init__(self, image_path): """ Create a new Analyzer, with a given image_path """ registry.PluginImporter() self.config = conf.ConfObject() registry.register_global_options(self.config, commands.Command) registry.register_global_options(self.config, addrspace.BaseAddressSpace) # self.config.PROFILE = "WinXPSP3x86" self.config.LOCATION = image_path self.config.parse_options()
def run_plugin_process(name, queue, config, cmds): registry.PluginImporter() registry.register_global_options(config, addrspace.BaseAddressSpace) registry.register_global_options(config, commands.Command) config.parse_options() command = cmds[name](config) print 'running: ' + name try: calc = command.calculate() command.render_sqlite(config.OUTPUT_FILE, calc) except Exception as err: print name + ': ' + err.message finally: queue.put(name) return
def get_address_space(service_path, profile, yara_path): log.info("Obtaining address space and generating config for volatility") registry.PluginImporter() config = conf.ConfObject() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = profile config.LOCATION = service_path config.YARA_FILE = yara_path return utils.load_as(config)
def add_registry(self, config, deb): self._config = config #conf.ConfObject() self._debug = deb self._debug.setup() registry.PluginImporter() registry.register_global_options(self._config, commands.Command) registry.register_global_options(self._config, addrspace.BaseAddressSpace) self._config.add_option('ENABLEDB', short_option='e', default=False, action='store_true', help='Enable database storage for reuse purpose') self._config.add_option('DBPATH', short_option='m', default='mongodb://localhost:27017', help='Specify mongodb connection url', action='store', type='str') self._config.parse_options() self._debug.setup(self._config.DEBUG) self._filename = self._config.FILENAME
def GetConfig(theFile): #define Baseline Config base_conf = {'profile': None, 'use_old_as': None, 'kdbg': None, 'help': False, 'kpcr': None, 'tz': None, 'pid': None, 'output_file': None, 'physical_offset': None, 'conf_file': None, 'dtb': None, 'output': 'text', 'info': None, 'location': theFile, 'plugins': None, 'debug': None, 'cache_dtb': True, 'filename': theFile, 'cache_directory': None, 'verbose': None, 'write':False} #create volatility config object configs = conf.ConfObject() #set location value to file name configs.LOCATION = theFile #register global options for volatility functions/plugins to use registry.register_global_options(configs, commands.Command) registry.register_global_options(configs, addrspace.BaseAddressSpace) #run imgageinfo plug to get extract image profile version = GetVersion(configs) if not version == None: #using the base line config update our config object for k,v in base_conf.items(): configs.update(k, v) #set config object profile to the version extracted configs.update('profile', version) #return config object to be used with our plugins return configs else: return None
def __init__(self, profile, kdbg, memimg): ''' @profile: a Volatality profile string @kdbg: a kdbg address string @memimg: a memory image file name ''' # volatility black magic registry.PluginImporter() self.config = conf.ConfObject() self.config.optparser.set_conflict_handler(handler="resolve") registry.register_global_options(self.config, commands.Command) if memimg: self.base_conf = {'profile': profile, 'use_old_as': None, 'kdbg': None if kdbg is None else int(kdbg, 16), 'help': False, 'kpcr': None, 'tz': None, 'pid': None, 'output_file': None, 'physical_offset': None, 'conf_file': None, 'dtb': None, 'output': None, 'info': None, 'location': "file://" + memimg, 'plugins': None, 'debug': None, 'cache_dtb': True, 'filename': None, 'cache_directory': None, 'verbose': None, 'write': False} # set the default config for k, v in self.base_conf.items(): self.config.update(k, v) if profile == None: profile = self.guess_profile(memimg) sys.stderr.write("Using profile: %s\n" % profile)
def init_config(self): """Creates a volatility configuration.""" if self.config is not None and self.addr_space is not None: return self.config self.config = conf.ConfObject() self.config.optparser.set_conflict_handler("resolve") registry.register_global_options(self.config, commands.Command) registry.register_global_options(self.config, addrspace.BaseAddressSpace) base_conf = { "profile": "WinXPSP2x86", "use_old_as": None, "kdbg": None, "help": False, "kpcr": None, "tz": None, "pid": None, "output_file": None, "physical_offset": None, "conf_file": None, "dtb": None, "output": None, "info": None, "location": "file://" + self.memdump, "plugins": None, "debug": 4, "cache_dtb": True, "filename": None, "cache_directory": None, "verbose": None, "write": False } if self.osprofile: base_conf["profile"] = self.osprofile for key, value in base_conf.items(): self.config.update(key, value) self.plugins = registry.get_plugin_classes(commands.Command, lower=True) return self.config
def run_plugin_process(name, queue, config, cmds): registry.PluginImporter() registry.register_global_options(config, addrspace.BaseAddressSpace) registry.register_global_options(config, commands.Command) config.parse_options() command = cmds[name](config) print 'running: ' + name errstr = '' try: calc = command.calculate() command.render_sqlite(config.OUTPUT_FILE, calc) #AddColumn(config.OUTPUT_FILE, name, 'profile', config.PROFILE) except Exception as err: print name + ': ' + err.message errstr = err.message finally: result = {name:errstr} queue.put(result) #queue.put(name) return
def _init_volatility(self): #import sys # for mod in sys.modules.keys(): # if 'parse' in mod: # del sys.modules[mod] # print "deleted",mod #import sys # if len(sys.argv) > 3: # #sys.args=[sys.args[3]] # sys.argv=[sys.argv[0],'-f',sys.argv[3]] # print 'after modif',sys.argv import volatility.conf as conf import volatility.registry as registry registry.PluginImporter() config = conf.ConfObject() import volatility.commands as commands import volatility.addrspace as addrspace import volatility.utils as volutils registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) # Dying because it cannot parse argv options # apparently, it was not required to parse options. hey. # config.parse_options() #addr_space = volutils.load_as(config,astype = 'any') #print config.PROFILE #import code #code.interact(local=locals()) config.PROFILE = self.profile #_target_platform.LOCATION = "file:///media/memory/private/image.dmp" config.LOCATION = "file://%s" % self.imgname config.PID = str(self.pid) self.config = config import volatility.plugins.vadinfo as vadinfo command = vadinfo.VADWalk(config) command.render_text = partial(my_render_text, self, command) command.execute()
def init_volatility(): import volatility.conf as volconf import volatility.registry as registry import volatility.commands as commands import volatility.addrspace as addrspace if hasattr(volconf, "PyREBoxVolatility"): registry.PluginImporter() vol_config = volconf.ConfObject() registry.register_global_options(vol_config, commands.Command) registry.register_global_options(vol_config, addrspace.BaseAddressSpace) vol_config.PROFILE = conf_m.vol_profile # Set global volatility configuration conf_m.vol_conf = vol_config return True else: pp_error("""The imported volatility version is not appropriate for PyREBox: * Your local volatility installation may be in conflict with PyREBox's volatility installation... ... set up a virtual env to avoid the conflict (see installation instructions). * You have a virtual env for PyREBox's python dependencies, and you forgot to activate it! ... you know what to do!\n""") return False
def _init_volatility(self): #import sys # for mod in sys.modules.keys(): # if 'parse' in mod: # del sys.modules[mod] # print "deleted",mod #import sys # if len(sys.argv) > 3: # #sys.args=[sys.args[3]] # sys.argv=[sys.argv[0],'-f',sys.argv[3]] # print 'after modif',sys.argv import volatility.conf as conf import volatility.registry as registry registry.PluginImporter() config = conf.ConfObject() import volatility.commands as commands import volatility.addrspace as addrspace registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = self.profile #_target_platform.LOCATION = "file:///media/memory/private/image.dmp" config.LOCATION = "file://%s" % self.imgname config.PID = str(self.pid) self.config = config import volatility.plugins.vadinfo as vadinfo #import code #print _target_platform.__dict__ # code.interact(local=locals()) command = vadinfo.VADWalk(config) command.render_text = partial(my_render_text, self, command) command.execute()
def init_config(self): """Creates a volatility configuration.""" if self.config is not None and self.addr_space is not None: return if not self.osprofile: raise CuckooOperationalError( "Can't continue to process the VM memory dump if no OS " "profile has been defined for it. One may define its OS " "profile using the 'osprofile' field for the VM in its " "machinery configuration or set a global default using " "'guest_profile' in memory.conf" ) if self.osprofile not in self.profiles: raise CuckooOperationalError( "The profile '%s' does not exist! Please pick one of the " "following profiles for your VMs: %s" % (self.osprofile, ", ".join(sorted(self.profiles))) ) self.config = conf.ConfObject() self.config.optparser.set_conflict_handler("resolve") registry.register_global_options(self.config, commands.Command) base_conf = { "profile": self.osprofile, "use_old_as": None, "kdbg": None, "help": False, "kpcr": None, "tz": None, "pid": None, "output_file": None, "physical_offset": None, "conf_file": None, "dtb": None, "output": None, "info": None, "location": "file://%s" % self.memdump, "plugins": None, "debug": None, "cache_dtb": True, "filename": None, "cache_directory": None, "verbose": None, "write": False } for key, value in base_conf.items(): self.config.update(key, value) # Deal with Volatility support for KVM/qemu memory dump. # See: #464. try: self.addr_space = utils.load_as(self.config) except exc.AddrSpaceError as e: if self.get_dtb(): self.addr_space = utils.load_as(self.config) elif "No suitable address space mapping found" in e.message: raise CuckooOperationalError( "An incorrect OS has been specified for this machine! " "Please provide the correct one or Cuckoo won't be able " "to provide Volatility-based results for analyses with " "this VM." ) else: raise self.plugins = ( registry.get_plugin_classes(commands.Command, lower=True) )
def main(): # Get the version information on every output from the beginning # Exceptionally useful for debugging/telling people what's going on sys.stderr.write("Volatility Foundation Volatility Framework {0}\n".format(constants.VERSION)) sys.stderr.flush() # Setup the debugging format debug.setup() # Load up modules in case they set config options registry.PluginImporter() ## Register all register_options for the various classes registry.register_global_options(config, addrspace.BaseAddressSpace) registry.register_global_options(config, commands.Command) if config.INFO: print_info() sys.exit(0) ## Parse all the options now config.parse_options(False) # Reset the logging level now we know whether debug is set or not debug.setup(config.DEBUG) module = None ## Try to find the first thing that looks like a module name cmds = registry.get_plugin_classes(commands.Command, lower = True) for m in config.args: if m in cmds.keys(): module = m break if not module: config.parse_options() debug.error("You must specify something to do (try -h)") try: if module in cmds.keys(): command = cmds[module](config) import traceback ## Register the help cb from the command itself config.set_help_hook(obj.Curry(command_help, command)) config.parse_options() if config.XENDOMAIN: conn = libvirt.open("xen:///") if conn == None: debug.error("Failed to open connection to the hypervisor") try: dom = conn.lookupByName(config.XENDOMAIN) if dom == None: debug.error("Cannot find guest to be dumped") print "Domain: id %d running %s" % (dom.ID(), dom.OSType()) filepath = "/tmp/" + config.XENDOMAIN os.remove(filepath) if os.path.exists(filepath) else None snapshot = False if snapshot: if dom.save(filepath) < 0: debug.error("Unable save guest to %s" % filepath) print "Chosen guest saved to %s" % filepath id = conn.restore(filepath) if id < 0: debug.error('Unable to restore chosen guest from file %s' % filepath) dom = conn.lookupByName(config.XENDOMAIN) if dom == None: debug.error("Domain wasn't restored from file %s" % filepath) print "Guest memory snapshot complete! Location: %s" % filepath else: if dom.coreDump(filepath, flags = libvirt.VIR_DUMP_LIVE) < 0: debug.error("Unable to dump guest") print "Chosen guest dumped to %s" % filepath if dom == None: debug.error("Domain crashed!") print "Guest memory dump complete! Location: %s" % filepath conn.close() config.LOCATION = "file://" + filepath except: print traceback.format_exc() debug.error("Failed to find domain") if not config.LOCATION and not config.XENDOMAIN: debug.error("Please specify filename (-f) or XEN domain (-x)") command.execute() except exceptions.VolatilityException, e: print e
for row in rows: print format % tuple(row) # imports from filecmp import dircmp import volatility.conf as conf import volatility.registry as registry import volatility.commands as commands import volatility.addrspace as addrspace import volatility.utils as utils import volatility.plugins.linux as linux # load up some pseudo data registry.PluginImporter() config = conf.ConfObject() registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) # default config base_conf = {'profile': 'LinuxUbuntu1404x64', 'use_old_as': None, 'kdbg': None, 'help': False, 'kpcr': None, 'tz': None, 'pid': None, 'output_file': None, 'physical_offset': None, 'conf_file': None, 'dtb': None, 'output': None,
def main(argv=None): setupLogging("admemanalysis.log", logging.INFO) registry.PluginImporter() config = conf.ConfObject() config.add_option('OUTPUT-PATH', default=None, help='Where to create output files', action='store', type='str') config.process_id = None registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) if not os.path.isfile("inputdata.json"): raise NameError("Input file(inputdata.json) was not found") data = None with open("inputdata.json") as data_file: data = json.load(data_file) operations = data['operationdata'] sys.argv.append("-f") sys.argv.append(data["filestreamtoanalyze"]) sys.argv.append("--profile") profile = data["profiletypename"] or ProfileGeneratorClass().GetProfile() logging.info('profile detected is {0}'.format(profile)) sys.argv.append(profile) output_path = data.get('outputpath') or '' yrd = data.get('yararulesdirectory') or '' config.parse_options(False) sys.argv.append("--output-path") sys.argv.append(output_path) if os.path.isfile("kdcopydatablock.txt"): with open("kdcopydatablock.txt") as kdfile: kddata = kdfile.readline() logging.debug('read from file %s', kddata) sys.argv.append("--kdbg") sys.argv.append(kddata) config.parse_options() if utils.getConfigValue(operations, 'process') == True: adprocessesfactory.ADProcesses().execute(operations, config, yrd) if utils.getConfigValue(operations, 'drivers') == True: addriveranddevicefactory.DriverDeviceScan().execute(config) if utils.getConfigValue(operations, 'modules') == True: adkernelmodulesfactory.ADKernelModules().execute(config) if utils.getConfigValue(operations, 'sdts') == True: adsdtfactory.ADSdtGenerator().execute(config) if utils.getConfigValue(operations, 'idt') == True: processors = kpcr.doProcessors(config) f = open(config.OUTPUT_PATH + 'processors.xml', 'w') #f.write(processors.SerializeToString()) f.write(proto2xml(processors, indent=0)) if utils.getConfigValue(operations, 'registry') == True: adregistryfactory.ADRegistryExtractor().execute(config)
# basic recreation of the connections # command using Volatility Framework # as a Library import volatility.conf as conf import volatility.registry as registry import volatility.commands as commands import volatility.win32.network as network import volatility.utils as utils # configure volatility registry.PluginImporter() config = conf.ConfObject() registry.register_global_options(config, commands.Command) the_file = "file:///winxpsp3_analysis_img.bin" # default config (note my .volatilityrc is missing some values, # so I just used pdb to figure out which values needed setting base_conf = {'profile': 'WinXPSP3x86', 'use_old_as': None, 'kdbg': None, 'help': False, 'kpcr': None, 'tz': None, 'pid': None, 'output_file': None, 'physical_offset': None, 'conf_file': None, 'dtb': None, 'output': None,
def __init__(self, data_buffer_in, data_condition_in, src, filepath, profile, memcache): Input.__init__(self, data_buffer_in, data_condition_in, src) self.name = 'Input Volatility' self.module_id = Module.INPUT_VOLATILITY self.machineguid = "" self.memcache = memcache if self.memcache: self.console_print("Memcache is:" + self.memcache) # WE CHECK IF THIS MEMORY HAS CACHE cache_process = self.memcache+"_"+"process" cache = False if os.path.exists(cache_process): with open (cache_process, 'r') as outfile: vprocess = json.load(outfile) cache = True outfile.close() cache_threads = self.memcache+"_"+"threads" if os.path.exists(cache_threads): with open (cache_threads, 'r') as outfile: vthreads = json.load(outfile) #cache = True outfile.close() cache_vads = self.memcache+"_"+"vads" if os.path.exists(cache_vads): with open (cache_vads, 'r') as outfile: vvads = json.load(outfile) #cache = True outfile.close() cache_tokens = self.memcache+"_"+"tokens" if os.path.exists(cache_tokens): with open (cache_tokens, 'r') as outfile: vtokens = json.load(outfile) #cache = True outfile.close() if cache: self.console_print("Using process cache file: "+cache_process) self.console_print("Using threads cache file: "+cache_threads) self.console_print("Using vads cache file: "+cache_vads) self.console_print("Using tokens cache file: "+cache_tokens) self.send_message(vprocess) self.send_message(vthreads) self.send_message(vvads) self.send_message(vtokens) self.terminate() sys.exit(0) else: self.console_print("Memcache is not found") sys.exit(0) self.console_print("Starting INPUT VOLATILITY analysis") # Relative Path filepath2 = "" if filepath.find(":\\") == -1: filepath2 = os.getcwd()+"\\"+filepath self.filepath = filepath2 filepath = "file:///" + filepath2 else: # Absolute path self.filepath = filepath filepath = "file:///" + filepath self._config = conf.ConfObject() self._config.PROFILE = profile self._config.LOCATION = filepath self._config.hive_offset = None self._config.HIVE_OFFSET = None registry.PluginImporter() registry.register_global_options(self._config, commands.Command) registry.register_global_options(self._config, addrspace.BaseAddressSpace)
def main(): # Get the version information on every output from the beginning # Exceptionally useful for debugging/telling people what's going on sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION)) sys.stderr.flush() # Setup the debugging format debug.setup() # Load up modules in case they set config options registry.PluginImporter() ## Register all register_options for the various classes registry.register_global_options(config, addrspace.BaseAddressSpace) registry.register_global_options(config, commands.Command) if config.INFO: print_info() sys.exit(0) ## Parse all the options now config.parse_options(False) # Reset the logging level now we know whether debug is set or not debug.setup(config.DEBUG) module = None ## Try to find the first thing that looks like a module name cmds = registry.get_plugin_classes(commands.Command, lower = True) for m in config.args: if m in cmds.keys(): module = m break if not module: config.parse_options() debug.error("You must specify something to do (try -h)") try: if module in cmds.keys(): command = cmds[module](config) ## Register the help cb from the command itself config.set_help_hook(obj.Curry(command_help, command)) config.parse_options() if not config.LOCATION and not config.GDB: debug.error("Please specify a location (-l) or filename (-f)") # from pprint import pprint # print "g_dict" # pprint(config.g_dict) # print "cnf_opts" # pprint(config.cnf_opts) # print "opts" # pprint(config.opts) # print "args" # pprint(config.args) # print "default_opts" # pprint(config.default_opts) # print "docstrings" # pprint(config.docstrings) # print "optparse_opts" # pprint(config.optparse_opts) # print "_filename" # pprint(config._filename) # print "_filenames" # pprint(config._filenames) # print "readonly" # pprint(config.readonly) # print "_absolute" # pprint(config._absolute) # print "options" # pprint(config.options) command.execute() except exceptions.VolatilityException, e: print e
sc_fd = open("cmeasure.bin","rb") sc = sc_fd.read() sc_fd.close() sys.path.append("/Users/justin/Downloads/volatility-2.3.1") import volatility.conf as conf import volatility.registry as registry registry.PluginImporter() config = conf.ConfObject() import volatility.commands as commands import volatility.addrspace as addrspace registry.register_global_options(config, commands.Command) registry.register_global_options(config, addrspace.BaseAddressSpace) config.parse_options() config.PROFILE = "WinXPSP2x86" config.LOCATION = "file://%s" % memory_file import volatility.plugins.taskmods as taskmods p = taskmods.PSList(config) for process in p.calculate(): if str(process.ImageFileName) == "calc.exe": print "[*] Found calc.exe with PID %d" % process.UniqueProcessId