def __init__(self):
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
#sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))
#sys.stderr.flush()
self.config = conf.ConfObject()
self.cmds = {}
#self.profile = "--profile=Linuxcentos5_5x86"
self.vmprocessMap = {}
self.config.add_option("INFO", default = None, action = "store_true",
cache_invalidator = False,
help = "Print information about all registered objects")
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
registry.PluginImporter()
## Register all register_options for the various classes
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
registry.register_global_options(self.config, commands.Command)
# Reset the logging level now we know whether debug is set or not
debug.setup(self.config.DEBUG)
#pdb.set_trace()
## Try to find the first thing that looks like a module name
self.cmds = registry.get_plugin_classes(commands.Command, lower = True)
def __init__(self):
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
#sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))
#sys.stderr.flush()
self.config.add_option("INFO", default = None, action = "store_true",
cache_invalidator = False,
help = "Print information about all registered objects")
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
registry.PluginImporter()
## Register all register_options for the various classes
registry.register_global_options(self.config, addrspace.BaseAddressSpace)
registry.register_global_options(self.config, commands.Command)
# Reset the logging level now we know whether debug is set or not
debug.setup(self.config.DEBUG)
#pdb.set_trace()
## Try to find the first thing that looks like a module name
self.cmds = registry.get_plugin_classes(commands.Command, lower = True)
def __init__(self, profile, mem_path):
# Setup Vol Debugger
debug.setup()
registry.PluginImporter()
self.memdump = mem_path
self.osprofile = profile
self.config = None
self.addr_space = None
self.init_config()
def __init__(self, profile, mem_path):
# Setup Vol Debugger
debug.setup()
registry.PluginImporter()
self.memdump = mem_path
self.osprofile = profile
self.config = None
self.addr_space = None
self.init_config()
def main():
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
sys.stderr.write(
"Volatility Foundation Volatility Framework {0}\n".format(
constants.VERSION
)
)
sys.stderr.flush()
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
registry.PluginImporter()
## Register all register_options for the various classes
registry.register_global_options(config, addrspace.BaseAddressSpace)
registry.register_global_options(config, commands.Command)
if config.INFO:
print_info()
sys.exit(0)
## Parse all the options now
config.parse_options(False)
# Reset the logging level now we know whether debug is set or not
debug.setup(config.DEBUG)
module = None
## Try to find the first thing that looks like a module name
cmds = registry.get_plugin_classes(commands.Command, lower=True)
for m in config.args:
if m in list(cmds.keys()):
module = m
break
if not module:
config.parse_options()
debug.error("You must specify something to do (try -h)")
try:
if module in list(cmds.keys()):
command = cmds[module](config)
## Register the help cb from the command itself
config.set_help_hook(obj.Curry(command_help, command))
config.parse_options()
if not config.LOCATION:
debug.error("Please specify a location (-l) or filename (-f)")
command.execute()
except exceptions.VolatilityException as e:
print(e)
def volmain(argv):
# Few modifications in original code
config.set_usage(usage = "Volatility - A memory forensics analysis platform.")
config.add_help_hook(list_plugins)
argv = argv.split(" ")
sys.argv = argv
#print sys.argv
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
registry.PluginImporter()
## Register all register_options for the various classes
registry.register_global_options(config, addrspace.BaseAddressSpace)
registry.register_global_options(config, commands.Command)
if config.INFO:
print_info()
#sys.exit(0)
## Parse all the options now
config.parse_options(False)
# Reset the logging level now we know whether debug is set or not
debug.setup(config.DEBUG)
module = None
## Try to find the first thing that looks like a module name
cmds = registry.get_plugin_classes(commands.Command, lower = True)
for m in config.args:
if m in cmds.keys():
module = m
break
if not module:
config.parse_options()
#debug.error("You must specify something to do (try -h)")
try:
if module in cmds.keys():
command = cmds[module](config)
## Register the help cb from the command itself
config.set_help_hook(obj.Curry(command_help, command))
config.parse_options()
if not config.LOCATION:
debug.error("Please specify a location (-l) or filename (-f)")
#print config.LOCATION
command.execute()
except exceptions.VolatilityException, e:
print e
def __init__(self, profile, mem_path):
"""
setup base config
:param profile:
:param mem_path:
:return:
"""
debug.setup()
registry.PluginImporter()
self.memdump = mem_path
self.osprofile = profile
self.config = None
self.addr_space = None
self.init_config()
def __init__(self, profile, mem_path):
"""
setup base config
:param profile:
:param mem_path:
:return:
"""
debug.setup()
registry.PluginImporter()
self.memdump = mem_path
self.osprofile = profile
self.config = None
self.addr_space = None
self.init_config()
def main():
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
sys.stderr.write("Volatile Systems Volatility Framework {0}\n".format(constants.VERSION))
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
MemoryRegistry.Init()
## Parse all the options now
config.parse_options(False)
# Reset the logging level now we know whether debug is set or not
debug.setup(config.DEBUG)
module = None
## Try to find the first thing that looks like a module name
for m in config.args:
if m in MemoryRegistry.PLUGIN_COMMANDS.commands:
module = m
break
if not module:
config.parse_options()
debug.error("You must specify something to do (try -h)")
if module not in MemoryRegistry.PLUGIN_COMMANDS.commands:
config.parse_options()
debug.error("Invalid module [{0}].".format(module))
try:
if module in MemoryRegistry.PLUGIN_COMMANDS.commands:
command = MemoryRegistry.PLUGIN_COMMANDS[module](config)
## Register the help cb from the command itself
config.set_help_hook(obj.Curry(command_help, command))
config.parse_options()
if not config.LOCATION:
debug.error("Please specify a location (-l) or filename (-f)")
command.execute()
except utils.VolatilityException, e:
print e
def __init__(self, profile='WinXPSP2x86', mem_path=''):
"""
Volatility 기본 설정 초기화
:param profile:
:param mem_path:
"""
# Volatility 디버그 모듈 설정
debug.setup()
# 사용 가능한 플러그인 모듈 임포트
registry.PluginImporter()
self.memdump = mem_path
self.osprofile = profile
self.config = None
self.addr_space = None
self.plugins = None
self.plugin_list = []
self.init_config()
def main():
# Get the version information on every output from the beginning
# Exceptionally useful for debugging/telling people what's going on
sys.stderr.write("Volatility Foundation Volatility Framework {0}\n".format(constants.VERSION))
sys.stderr.flush()
# Setup the debugging format
debug.setup()
# Load up modules in case they set config options
registry.PluginImporter()
## Register all register_options for the various classes
registry.register_global_options(config, addrspace.BaseAddressSpace)
registry.register_global_options(config, commands.Command)
if config.INFO:
print_info()
sys.exit(0)
## Parse all the options now
config.parse_options(False)
# Reset the logging level now we know whether debug is set or not
debug.setup(config.DEBUG)
module = None
## Try to find the first thing that looks like a module name
cmds = registry.get_plugin_classes(commands.Command, lower = True)
for m in config.args:
if m in cmds.keys():
module = m
break
if not module:
config.parse_options()
debug.error("You must specify something to do (try -h)")
try:
if module in cmds.keys():
command = cmds[module](config)
import traceback
## Register the help cb from the command itself
config.set_help_hook(obj.Curry(command_help, command))
config.parse_options()
if config.XENDOMAIN:
conn = libvirt.open("xen:///")
if conn == None:
debug.error("Failed to open connection to the hypervisor")
try:
dom = conn.lookupByName(config.XENDOMAIN)
if dom == None:
debug.error("Cannot find guest to be dumped")
print "Domain: id %d running %s" % (dom.ID(), dom.OSType())
filepath = "/tmp/" + config.XENDOMAIN
os.remove(filepath) if os.path.exists(filepath) else None
snapshot = False
if snapshot:
if dom.save(filepath) < 0:
debug.error("Unable save guest to %s" % filepath)
print "Chosen guest saved to %s" % filepath
id = conn.restore(filepath)
if id < 0:
debug.error('Unable to restore chosen guest from file %s' % filepath)
dom = conn.lookupByName(config.XENDOMAIN)
if dom == None:
debug.error("Domain wasn't restored from file %s" % filepath)
print "Guest memory snapshot complete! Location: %s" % filepath
else:
if dom.coreDump(filepath, flags = libvirt.VIR_DUMP_LIVE) < 0:
debug.error("Unable to dump guest")
print "Chosen guest dumped to %s" % filepath
if dom == None:
debug.error("Domain crashed!")
print "Guest memory dump complete! Location: %s" % filepath
conn.close()
config.LOCATION = "file://" + filepath
except:
print traceback.format_exc()
debug.error("Failed to find domain")
if not config.LOCATION and not config.XENDOMAIN:
debug.error("Please specify filename (-f) or XEN domain (-x)")
command.execute()
except exceptions.VolatilityException, e:
print e
def main():
args = get_parser().parse_args()
sys.argv = [sys.argv[0]]
import volatility.plugins.taskmods as taskmods
import volatility.plugins.malware.malfind as malfind
import volatility.plugins.volshell as volshell
import volatility.commands as commands
import volatility.registry as registry
import volatility.obj as obj
import volatility.conf as conf
import volatility.constants as constants
import volatility.exceptions as exceptions
import volatility.debug as debug
import volatility.addrspace as addrspace
import volatility.scan as scan
try:
debug.setup()
except:
pass
service_name = "pmem"
unload = args.unload
load = args.load
plugins = args.plugins
output = "text"
out = sys.stdout
debugg = args.debug
dump = args.dumpdir
kdbg = args.kdbg
if args.output:
output = args.output
if args.service:
service_name = args.service
if args.outfile:
try:
out = open(args.outfile, "wb")
except:
print "Unable to open file: {}\nUsing stdout".format(args.outfile)
pass
if not unload and not load and plugins == None:
print "You must specify a plugin (or list of plugins) to run!"
get_parser().print_help()
out.close()
return
if plugins:
plugins = plugins.split(",")
profs = registry.get_plugin_classes(obj.Profile)
if platform.system() != "Windows":
print "cannot run on a non-Windows machine"
out.close()
return
profile = "Win10x64_18362"
version = get_version_number("ntdll.dll")
if platform.machine() == "AMD64":
driver = "winpmem_x64.sys"
profile = WindowsVersionsX64.get(version, "UNKNOWN")
else:
driver = "winpmem_x86.sys"
profile = WindowsVersionsX86.get(version, "UNKNOWN")
if profile == "UNKNOWN":
profile = first_try_brute_force(debugg, version)
if profile == "UNKNOWN":
profile = brute_force_profile(version)
if profile not in profs:
if debugg:
print "Incorrect profile found: {0}, version: {1}".format(
profile, version)
profile = "Win10x64_18362"
if debugg:
print "Trying profile", profile
if debugg:
print "Suggested profile: {0}".format(profile)
driver = resource_path(driver)
if not service_name or not os.access(driver, os.R_OK):
out.write("Make sure the driver is in place: {0}".format(driver))
sys.exit(-1)
pmem_service = Service(driver=driver, service=service_name, debug=debugg)
if not service_running(service_name):
setup(driver, service_name, pmem_service, debugg)
try:
pmem_service.start()
except:
print "Unable to start winpmem service"
out.close()
return
if unload:
setup(driver, service_name, pmem_service, debugg)
out.close()
return
if load:
return
myconfigs = Configs(path="\\\\.\\" + service_name,
kdbg=kdbg,
profile=profile,
debug_enabled=debugg)
if myconfigs.config.KDBG == None:
print "Unable to find valid KDBG value... quitting"
if not load:
setup(driver, service_name, pmem_service, debugg)
out.close()
return
dovolshell = False
cmds = registry.get_plugin_classes(commands.Command, lower=True)
if dump:
import errno
if not os.path.isdir(dump):
try:
os.makedirs(dump)
except OSError as e:
if e.errno != errno.EEXIST:
print "Unable to create directory", dump
out.close()
return
for p in plugins:
items = plugin_cols.get(p.strip(), None)
if items == None:
print "Unable to process plugin", p
continue
cols = items["cols"]
myconfigs.config.DUMP_DIR = None
if p.strip() == "volshell":
dovolshell = True
continue
if "YARA_RULES" not in items["options"]:
myconfigs.config.YARA_RULES = None
else:
myconfigs.config.YARA_RULES = str(args.yararules)
if "YARA_FILE" not in items["options"]:
myconfigs.config.YARA_FILE = None
else:
myconfigs.config.YARA_FILE = args.yarafile
if "KERNEL" not in items["options"]:
myconfigs.config.KERNEL = None
else:
myconfigs.config.KERNEL = args.kernel
if "ALL" not in items["options"]:
myconfigs.config.ALL = None
else:
myconfigs.config.ALL = args.all
if "CASE" not in items["options"]:
myconfigs.config.CASE = None
else:
myconfigs.config.CASE = args.case
if "WIDE" not in items["options"]:
myconfigs.config.WIDE = None
else:
myconfigs.config.WIDE = args.case
if "SIZE" not in items["options"]:
myconfigs.config.SIZE = None
elif not args.size:
myconfigs.config.SIZE = 256
else:
try:
myconfigs.config.SIZE = int(args.size)
except ValueError:
try:
myconfigs.config.SIZE = int(args.size, 16)
except TypeError:
myconfigs.config.SIZE = None
if "REVERSE" not in items["options"]:
myconfigs.config.REVERSE = None
elif not args.reverse:
myconfigs.config.REVERSE = 0
else:
try:
myconfigs.config.REVERSE = int(args.reverse)
except ValueError:
try:
myconfigs.config.REVERSE = int(args.reverse, 16)
except TypeError:
myconfigs.config.REVERSE = None
if "BASE" not in items["options"]:
myconfigs.config.BASE = None
else:
myconfigs.config.BASE = args.base
if "MEMORY" not in items["options"]:
myconfigs.config.MEMORY = None
else:
myconfigs.config.MEMORY = args.memory
if "REGEX" not in items["options"]:
myconfigs.config.REGEX = None
else:
myconfigs.config.REGEX = args.regex
if "PID" not in items["options"]:
myconfigs.config.PID = None
else:
myconfigs.config.PID = args.pid
if "OFFSET" not in items["options"]:
myconfigs.config.OFFSET = None
else:
try:
myconfigs.config.OFFSET = int(args.offset)
except ValueError:
try:
myconfigs.config.OFFSET = int(args.offset, 16)
except:
print "Unable to use offset: {0}".format(args.offset)
except TypeError:
myconfigs.config.OFFSET = None
if "NAME" not in items["options"]:
myconfigs.config.NAME = None
else:
myconfigs.config.NAME = args.name
if "KEEPNAME" not in items["options"]:
myconfigs.config.NAME = None
else:
myconfigs.config.NAME = args.keepname
if "GET_DICT" not in items["options"]:
myconfigs.config.GET_DICT = 'no'
else:
myconfigs.config.GET_DICT = str(args.getdict)
if "ADDR" not in items["options"]:
myconfigs.config.ADDR = None
else:
myconfigs.config.ADDR = str(args.addr)
if "STRUCT" not in items["options"]:
myconfigs.config.STRUCT = None
else:
myconfigs.config.STRUCT = str(args.struct)
if "PHYSOFFSET" not in items["options"]:
myconfigs.config.PHYSOFFSET = None
else:
try:
myconfigs.config.PHYSOFFSET = hex(int(args.physoffset))
except:
myconfigs.config.PHYSOFFSET = args.physoffset
if "PHYSICAL_OFFSET" not in items["options"] or not args.physical:
myconfigs.config.PHYSICAL_OFFSET = None
else:
myconfigs.config.PHYSICAL_OFFSET = args.physical
cols[0] = cols[0].replace("V", "P")
if "IGNORE_CASE" not in items["options"]:
myconfigs.config.IGNORE_CASE = None
else:
myconfigs.config.IGNORE_CASE = args.ignore
if p.strip() in dumpers and dump:
myconfigs.config.DUMP_DIR = dump
elif p.strip() in dumpers and not dump and p.strip() not in [
"malfind", "yarascan"
]:
print "You must supply a dump directory (--dumpdir=DIRECTORY) to dump to"
print "Skipping plugin", p
continue
myconfigs.config.parse_options()
if p.strip() == "yarascan":
if output == "text":
out.write("{1}Plugin: {0}{1}\n".format(p.strip(), "*" * 20))
parse_yarascan_data(myconfigs.getdata(malfind.YaraScan),
out,
output=output)
if output == "text":
out.write("{0}\n\n".format("*" * 60))
else:
out.write("\n\n")
continue
if p.strip() == "malfind":
if output == "text":
out.write("{1}Plugin: {0}{1}\n".format(p.strip(), "*" * 20))
parse_malfind_data(myconfigs.getdata(malfind.Malfind),
out,
output=output)
if output == "text":
out.write("{0}\n\n".format("*" * 60))
else:
out.write("\n\n")
continue
data = myconfigs.getdata(cmds.get(p.strip(), None))
if data == None:
print "Plugin", p, "not found"
continue
if output == "text":
out.write("{1}Plugin: {0}{1}\n".format(p.strip(), "*" * 20))
printinfos(data, out, cols, output=output)
if output == "text":
out.write("{0}\n\n".format("*" * 60))
else:
out.write("\n\n")
if dovolshell:
for option in all_options:
setattr(myconfigs.config, option, None)
myconfigs.config.parse_options()
myconfigs.gettext(volshell.volshell)
if not args.leave:
setup(driver, service_name, pmem_service, debugg)
out.close()
def main():
args = get_parser().parse_args()
sys.argv = [sys.argv[0]]
import volatility.plugins.taskmods as taskmods
import volatility.plugins.malware.malfind as malfind
import volatility.plugins.volshell as volshell
import volatility.commands as commands
import volatility.registry as registry
import volatility.obj as obj
import volatility.conf as conf
import volatility.constants as constants
import volatility.exceptions as exceptions
import volatility.debug as debug
import volatility.addrspace as addrspace
import volatility.scan as scan
try:
debug.setup()
except:
pass
service_name = "pmem"
unload = args.unload
load = args.load
plugins = args.plugins
output = "text"
out = sys.stdout
debugg = args.debug
dump = args.dumpdir
if args.output:
output = args.output
if args.service:
service_name = args.service
if args.outfile:
try:
out = open(args.outfile, "wb")
except:
print "Unable to open file: {}\nUsing stdout".format(args.outfile)
pass
if not unload and not load and plugins == None:
print "You must specify a plugin (or list of plugins) to run!"
get_parser().print_help()
out.close()
return
if plugins:
plugins = plugins.split(",")
profs = registry.get_plugin_classes(obj.Profile)
if platform.system() != "Windows":
print "cannot run on a non-Windows machine"
out.close()
return
profile = "Win10x64_16299"
version = get_version_number("ntdll.dll")
if platform.machine() == "AMD64":
driver = "winpmem_x64.sys"
profile = WindowsVersionsX64.get(version, "UNKNOWN")
else:
driver = "winpmem_x86.sys"
profile = WindowsVersionsX86.get(version, "UNKNOWN")
if profile == "UNKNOWN":
profile = brute_force_profile(version)
if profile not in profs:
if debugg:
print "Incorrect profile found: {0}, version: {1}".format(profile, version)
profile = "Win10x64_16299"
if debugg:
print "Trying profile", profile
if debugg:
print "Suggested profile: {0}".format(profile)
driver = resource_path(driver)
if not service_name or not os.access(driver, os.R_OK):
out.write("Make sure the driver is in place: {0}".format(driver))
sys.exit(-1)
pmem_service = Service(driver = driver, service = service_name, debug = debugg)
if not service_running(service_name):
setup(driver, service_name, pmem_service, debugg)
try:
pmem_service.start()
except:
print "Unable to start winpmem service"
out.close()
return
if unload:
setup(driver, service_name, pmem_service, debugg)
out.close()
return
if load:
return
myconfigs = Configs(path = "\\\\.\\" + service_name, profile = profile, debug = debugg)
if myconfigs.kdbg == None:
print "Unable to find valid KDBG value... quitting"
setup(driver, service_name, pmem_service, debugg)
out.close()
return
dovolshell = False
cmds = registry.get_plugin_classes(commands.Command, lower = True)
if dump:
import errno
if not os.path.isdir(dump):
try:
os.makedirs(dump)
except OSError as e:
if e.errno != errno.EEXIST:
print "Unable to create directory", dump
out.close()
return
for p in plugins:
items = plugin_cols.get(p.strip(), None)
if items == None:
print "Unable to process plugin", p
continue
cols = items["cols"]
myconfigs.config.DUMP_DIR = None
if p.strip() == "volshell":
dovolshell = True
continue
if "BASE" not in items["options"]:
myconfigs.config.BASE = None
else:
myconfigs.config.BASE = args.base
if "MEMORY" not in items["options"]:
myconfigs.config.MEMORY = None
else:
myconfigs.config.MEMORY = args.memory
if "REGEX" not in items["options"]:
myconfigs.config.REGEX = None
else:
myconfigs.config.REGEX = args.regex
if "PID" not in items["options"]:
myconfigs.config.PID = None
else:
myconfigs.config.PID = args.pid
if "OFFSET" not in items["options"]:
myconfigs.config.OFFSET = None
else:
try:
myconfigs.config.OFFSET = int(args.offset)
except ValueError:
try:
myconfigs.config.OFFSET = int(args.offset, 16)
except:
print "Unable to use offset: {0}".format(args.offset)
except TypeError:
myconfigs.config.OFFSET = None
if "NAME" not in items["options"]:
myconfigs.config.NAME = None
else:
myconfigs.config.NAME = args.name
if "KEEPNAME" not in items["options"]:
myconfigs.config.NAME = None
else:
myconfigs.config.NAME = args.keepname
if "PHYSOFFSET" not in items["options"]:
myconfigs.config.PHYSOFFSET = None
else:
try:
myconfigs.config.PHYSOFFSET = hex(int(args.physoffset))
except:
myconfigs.config.PHYSOFFSET = args.physoffset
if "PHYSICAL_OFFSET" not in items["options"] or not args.physical:
myconfigs.config.PHYSICAL_OFFSET = None
else:
myconfigs.config.PHYSICAL_OFFSET = args.physical
cols[0] = cols[0].replace("V", "P")
if "IGNORE_CASE" not in items["options"]:
myconfigs.config.IGNORE_CASE = None
else:
myconfigs.config.IGNORE_CASE = args.ignore
if p.strip() in dumpers and dump:
myconfigs.config.DUMP_DIR = dump
elif p.strip() in dumpers and not dump and p.strip() != "malfind":
print "You must supply a dump directory (--dumpdir=DIRECTORY) to dump to"
print "Skipping plugin", p
continue
myconfigs.config.parse_options()
if p.strip() == "malfind":
if output == "text":
out.write("{1}Plugin: {0}{1}\n".format(p.strip(), "*" * 20))
parse_malfind_data(myconfigs.getdata(malfind.Malfind), out, output = output)
if output == "text":
out.write("{0}\n\n".format("*" * 60))
else:
out.write("\n\n")
continue
data = myconfigs.getdata(cmds.get(p.strip(), None))
if data == None:
print "Plugin", p, "not found"
continue
if output == "text":
out.write("{1}Plugin: {0}{1}\n".format(p.strip(), "*" * 20))
printinfos(data, out, cols, output = output)
if output == "text":
out.write("{0}\n\n".format("*" * 60))
else:
out.write("\n\n")
if dovolshell:
for option in all_options:
setattr(myconfigs.config, option, None)
myconfigs.config.parse_options()
myconfigs.gettext(volshell.volshell)
if not args.leave:
setup(driver, service_name, pmem_service, debugg)
out.close()
