示例#1
 def get_requirements(
         cls) -> List[interfaces.configuration.RequirementInterface]:
     """Declare the configuration this plugin needs before it can run.

     Returned in declaration order: the kernel memory layer and symbol
     table, three optional integer selectors (``pid``, ``virtaddr``,
     ``physaddr``), and version pins on the ``pslist`` and ``handles``
     components. The pins are there because this plugin calls into those
     plugins and so must satisfy their requirements as well.
     """
     kernel_layer = requirements.TranslationLayerRequirement(
         name='primary',
         description='Memory layer for the kernel',
         architectures=["Intel32", "Intel64"])
     kernel_symbols = requirements.SymbolTableRequirement(
         name="nt_symbols", description="Windows kernel symbols")
     # NOTE(review): ``pid`` is a single IntRequirement here while sibling
     # plugins use a ListRequirement of ints; widening it would change the
     # type the plugin reads back from config, so it is left as declared.
     pid_filter = requirements.IntRequirement(
         name='pid',
         description="Process ID to include (all other processes are excluded)",
         optional=True)
     # NOTE(review): both addresses arrive verbatim from the operator; confirm
     # the consumer validates them against the layer before dereferencing.
     file_object_va = requirements.IntRequirement(
         name='virtaddr',
         description="Dump a single _FILE_OBJECT at this virtual address",
         optional=True)
     file_object_pa = requirements.IntRequirement(
         name='physaddr',
         description="Dump a single _FILE_OBJECT at this physical address",
         optional=True)
     pslist_pin = requirements.VersionRequirement(
         name='pslist', component=pslist.PsList, version=(2, 0, 0))
     handles_pin = requirements.VersionRequirement(
         name='handles', component=handles.Handles, version=(1, 0, 0))
     return [
         kernel_layer,
         kernel_symbols,
         pid_filter,
         file_object_va,
         file_object_pa,
         pslist_pin,
         handles_pin,
     ]
示例#2
 def get_requirements(cls):
     """Return this plugin's configuration requirements.

     Declaration order is kept: kernel layer and symbol table first, then
     the optional ``pid`` filter and ``dump`` switch, then version pins on
     ``pslist`` and ``vadinfo`` (this plugin calls into both, so their
     requirements have to be satisfied too).
     """
     kernel_inputs = [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Memory layer for the kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(
             name="nt_symbols", description="Windows kernel symbols"),
     ]
     operator_options = [
         requirements.ListRequirement(
             name='pid',
             element_type=int,
             description="Process IDs to include (all other processes are excluded)",
             optional=True),
         # Off by default. NOTE(review): whatever ``dump`` writes out is
         # attacker-controlled memory content; treat the output location as
         # untrusted and never execute or auto-open what lands there.
         requirements.BooleanRequirement(
             name='dump',
             description="Extract injected VADs",
             default=False,
             optional=True),
     ]
     component_pins = [
         requirements.VersionRequirement(
             name='pslist', component=pslist.PsList, version=(1, 1, 0)),
         requirements.VersionRequirement(
             name='vadinfo', component=vadinfo.VadInfo, version=(1, 1, 0)),
     ]
     return kernel_inputs + operator_options + component_pins
示例#3
 def get_requirements(cls):
     """Return this plugin's configuration requirements, in declaration order.

     Needs the kernel layer and symbol table, the ``pslist`` plugin (as a
     PluginRequirement, so its own options are pulled in) and the ``info``
     component, plus an optional ``pid`` list filter and a ``dump`` switch.
     """
     reqs = [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Memory layer for the kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(
             name="nt_symbols", description="Windows kernel symbols"),
     ]
     reqs.append(requirements.PluginRequirement(
         name='pslist', plugin=pslist.PsList, version=(2, 0, 0)))
     reqs.append(requirements.VersionRequirement(
         name='info', component=info.Info, version=(1, 0, 0)))
     reqs.append(requirements.ListRequirement(
         name='pid',
         element_type=int,
         description="Process ID to include (all other processes are excluded)",
         optional=True))
     # Off by default. NOTE(review): extracted process images are untrusted
     # bytes from the memory sample - keep the output isolated from execution.
     reqs.append(requirements.BooleanRequirement(
         name='dump',
         description="Extract listed processes",
         default=False,
         optional=True))
     return reqs
示例#4
 def get_requirements(cls):
     """Return this plugin's configuration requirements, in declaration order.

     Kernel layer and symbol table, version pins on the pool scanner,
     ``pslist`` and ``dlllist`` components, and an optional ``dump`` switch.
     """
     kernel_layer = requirements.TranslationLayerRequirement(
         name='primary',
         description='Memory layer for the kernel',
         architectures=["Intel32", "Intel64"])
     kernel_symbols = requirements.SymbolTableRequirement(
         name="nt_symbols", description="Windows kernel symbols")
     # NOTE(review): the key reads 'poolerscanner' while the sibling plugin
     # uses 'poolscanner' for the same component - almost certainly a typo.
     # Kept verbatim because the name is a config key and renaming it would
     # silently change the config path.
     poolscanner_pin = requirements.VersionRequirement(
         name='poolerscanner',
         component=poolscanner.PoolScanner,
         version=(1, 0, 0))
     pslist_pin = requirements.VersionRequirement(
         name='pslist', component=pslist.PsList, version=(2, 0, 0))
     dlllist_pin = requirements.VersionRequirement(
         name='dlllist', component=dlllist.DllList, version=(2, 0, 0))
     # Off by default. NOTE(review): dumped modules are untrusted code from
     # the sample; keep them out of any path that might load or run them.
     dump_switch = requirements.BooleanRequirement(
         name='dump',
         description="Extract listed modules",
         default=False,
         optional=True)
     return [
         kernel_layer,
         kernel_symbols,
         poolscanner_pin,
         pslist_pin,
         dlllist_pin,
         dump_switch,
     ]
示例#5
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
     """Return this plugin's configuration requirements, in declaration order.

     Kernel layer and symbol table; the YARA options (``wide``,
     ``yara_rules``, ``yara_file``, ``max_size``); the ``pslist`` plugin and
     a version pin on the ``yarascanner`` component; and an optional ``pid``
     list filter.
     """
     kernel_inputs = [
         requirements.TranslationLayerRequirement(
             name='primary',
             description="Memory layer for the kernel",
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(
             name="nt_symbols", description="Windows kernel symbols"),
     ]
     yara_options = [
         requirements.BooleanRequirement(
             name="wide",
             description="Match wide (unicode) strings",
             default=False,
             optional=True),
         # NOTE(review): rules are compiled from whatever the operator passes
         # here (inline string or URI); only feed rule sets from a trusted
         # source, since rule text is executed by the YARA engine.
         requirements.StringRequirement(
             name="yara_rules",
             description="Yara rules (as a string)",
             optional=True),
         requirements.URIRequirement(
             name="yara_file",
             description="Yara rules (as a file)",
             optional=True),
         # 0x40000000 == 1 GiB, matching the description. NOTE(review): what
         # exactly this caps (region size vs. total) is decided by the consumer.
         requirements.IntRequirement(
             name="max_size",
             default=0x40000000,
             description="Set the maximum size (default is 1GB)",
             optional=True),
     ]
     dependencies = [
         requirements.PluginRequirement(
             name='pslist', plugin=pslist.PsList, version=(1, 0, 0)),
         requirements.VersionRequirement(
             name='yarascanner',
             component=yarascan.YaraScanner,
             version=(2, 0, 0)),
     ]
     process_filter = [
         requirements.ListRequirement(
             name='pid',
             element_type=int,
             description="Process IDs to include (all other processes are excluded)",
             optional=True),
     ]
     return kernel_inputs + yara_options + dependencies + process_filter
示例#6
 def get_requirements(cls):
     """Return this plugin's configuration requirements, in declaration order.

     The kernel memory layer, a version pin on the Mac utilities component,
     and the Darwin kernel symbol table. Order is preserved exactly as the
     original declared it (utilities pin before the symbol table).
     """
     reqs = []
     reqs.append(requirements.TranslationLayerRequirement(
         name='primary',
         description='Memory layer for the kernel',
         architectures=["Intel32", "Intel64"]))
     reqs.append(requirements.VersionRequirement(
         name='macutils', component=mac.MacUtilities, version=(1, 0, 0)))
     reqs.append(requirements.SymbolTableRequirement(
         name="darwin", description="Mac kernel symbols"))
     return reqs
示例#7
 def get_requirements(cls):
     """Return this plugin's configuration requirements, in declaration order.

     Kernel layer and symbol table, version pins on the pool scanner and
     ``info`` components, and the opt-in ``include-corrupt`` switch.
     """
     kernel_layer = requirements.TranslationLayerRequirement(
         name='primary',
         description='Memory layer for the kernel',
         architectures=["Intel32", "Intel64"])
     kernel_symbols = requirements.SymbolTableRequirement(
         name="nt_symbols", description="Windows kernel symbols")
     poolscanner_pin = requirements.VersionRequirement(
         name='poolscanner',
         component=poolscanner.PoolScanner,
         version=(1, 0, 0))
     info_pin = requirements.VersionRequirement(
         name='info', component=info.Info, version=(1, 0, 0))
     # Off by default for a reason: the description itself warns that the
     # extra rows may be garbage. Anyone consuming them downstream (e.g. for
     # IOCs) should treat them as unverified. The key keeps its hyphen because
     # it is the config/CLI name callers already use.
     include_corrupt = requirements.BooleanRequirement(
         name='include-corrupt',
         description=
         "Radically eases result validation. This will show partially overwritten data. WARNING: the results are likely to include garbage and/or corrupt data. Be cautious!",
         default=False,
         optional=True)
     return [
         kernel_layer,
         kernel_symbols,
         poolscanner_pin,
         info_pin,
         include_corrupt,
     ]
示例#8
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
     """Return this plugin's configuration requirements, in declaration order.

     Kernel layer, Darwin symbol table, a version pin on the Mac utilities
     component, and the ``lsmod`` plugin (a PluginRequirement, so its own
     requirements are pulled in with it).
     """
     kernel_inputs = [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Memory layer for the kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(
             name="darwin", description="Mac kernel symbols"),
     ]
     dependencies = [
         requirements.VersionRequirement(
             name='macutils', component=mac.MacUtilities, version=(1, 0, 0)),
         requirements.PluginRequirement(
             name='lsmod', plugin=lsmod.Lsmod, version=(1, 0, 0)),
     ]
     return [*kernel_inputs, *dependencies]
示例#9
 def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
     """Return this plugin's configuration requirements, in declaration order.

     The ``pslist`` and ``modules`` plugins, a version pin on the
     ``dlllist`` component, then the kernel layer and symbol table. The
     original ordering (plugin dependencies before the kernel inputs) is
     kept as-is.
     """
     ## TODO: we might add a regex option on the name later, but otherwise we're good
     ## TODO: and we don't want any CLI options from pslist, modules, or moddump
     reqs = []
     reqs.append(requirements.PluginRequirement(
         name='pslist', plugin=pslist.PsList, version=(2, 0, 0)))
     reqs.append(requirements.PluginRequirement(
         name='modules', plugin=modules.Modules, version=(1, 0, 0)))
     reqs.append(requirements.VersionRequirement(
         name='dlllist', component=dlllist.DllList, version=(2, 0, 0)))
     reqs.append(requirements.TranslationLayerRequirement(
         name='primary',
         description='Memory layer for the kernel',
         architectures=["Intel32", "Intel64"]))
     reqs.append(requirements.SymbolTableRequirement(
         name="nt_symbols", description="Windows kernel symbols"))
     return reqs
示例#10
 def get_requirements(cls):
     """Return this plugin's configuration requirements, in declaration order.

     Kernel address space, Darwin symbol table, a version pin on the Mac
     utilities component, the ``pslist`` plugin, and an optional ``pid``
     list filter.
     """
     kernel_space = requirements.TranslationLayerRequirement(
         name='primary',
         description='Kernel Address Space',
         architectures=["Intel32", "Intel64"])
     darwin_symbols = requirements.SymbolTableRequirement(
         name="darwin", description="Mac Kernel")
     macutils_pin = requirements.VersionRequirement(
         name='macutils', component=mac.MacUtilities, version=(1, 0, 0))
     pslist_plugin = requirements.PluginRequirement(
         name='pslist', plugin=pslist.PsList, version=(2, 0, 0))
     pid_filter = requirements.ListRequirement(
         name='pid',
         description='Filter on specific process IDs',
         element_type=int,
         optional=True)
     return [kernel_space, darwin_symbols, macutils_pin, pslist_plugin, pid_filter]
示例#11
 def get_requirements(cls):
     """Return this plugin's configuration requirements, in declaration order.

     Kernel layer, Linux (``vmlinux``) symbol table, the ``lsmod`` plugin,
     and a version pin on the Linux utilities component.
     """
     kernel_inputs = [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Memory layer for the kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(
             name="vmlinux", description="Linux kernel symbols"),
     ]
     dependencies = [
         requirements.PluginRequirement(
             name='lsmod', plugin=lsmod.Lsmod, version=(1, 0, 0)),
         requirements.VersionRequirement(
             name='linuxutils',
             component=linux.LinuxUtilities,
             version=(1, 0, 0)),
     ]
     return kernel_inputs + dependencies
示例#12
 def get_requirements(cls):
     """Return this plugin's configuration requirements, in declaration order.

     Kernel layer and symbol table, the ``physical`` display switch (its
     default is taken from ``pslist.PsList.PHYSICAL_DEFAULT`` so the two
     plugins stay in step), a version pin on ``pslist``, and an optional
     ``pid`` list filter.
     """
     reqs = [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Memory layer for the kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(
             name="nt_symbols", description="Windows kernel symbols"),
     ]
     reqs.extend([
         requirements.BooleanRequirement(
             name='physical',
             description='Display physical offsets instead of virtual',
             default=pslist.PsList.PHYSICAL_DEFAULT,
             optional=True),
         requirements.VersionRequirement(
             name='pslist', component=pslist.PsList, version=(2, 0, 0)),
         requirements.ListRequirement(
             name='pid',
             element_type=int,
             description="Process ID to include (all other processes are excluded)",
             optional=True),
     ])
     return reqs
示例#13
 def get_requirements(cls):
     """Return this plugin's configuration requirements, in declaration order.

     Kernel layer, Darwin symbol table, a version pin on the Mac utilities
     component, the ``pslist_method`` choice (choices and default come from
     the class attribute ``cls.pslist_methods``), and an optional ``pid``
     list filter.
     """
     kernel_layer = requirements.TranslationLayerRequirement(
         name='primary',
         description='Memory layer for the kernel',
         architectures=["Intel32", "Intel64"])
     darwin_symbols = requirements.SymbolTableRequirement(
         name="darwin", description="Mac kernel symbols")
     macutils_pin = requirements.VersionRequirement(
         name='macutils', component=mac.MacUtilities, version=(1, 1, 0))
     # NOTE(review): the default is the first entry of cls.pslist_methods, so
     # the class must define a non-empty sequence or this raises at call time.
     method_choice = requirements.ChoiceRequirement(
         name='pslist_method',
         description='Method to determine for processes',
         choices=cls.pslist_methods,
         default=cls.pslist_methods[0],
         optional=True)
     pid_filter = requirements.ListRequirement(
         name='pid',
         description='Filter on specific process IDs',
         element_type=int,
         optional=True)
     return [kernel_layer, darwin_symbols, macutils_pin, method_choice, pid_filter]
示例#14
 def get_requirements(cls):
     """Return this plugin's configuration requirements, in declaration order.

     Kernel layer, Darwin symbol table, a version pin on the Mac utilities
     component, and the ``lsmod`` and ``kauth_scopes`` plugins (both as
     PluginRequirements, so their own requirements come along).
     """
     reqs = []
     reqs.append(requirements.TranslationLayerRequirement(
         name='primary',
         description='Memory layer for the kernel',
         architectures=["Intel32", "Intel64"]))
     reqs.append(requirements.SymbolTableRequirement(
         name="darwin", description="Mac kernel"))
     reqs.append(requirements.VersionRequirement(
         name='macutils', component=mac.MacUtilities, version=(1, 1, 0)))
     reqs.append(requirements.PluginRequirement(
         name='lsmod', plugin=lsmod.Lsmod, version=(1, 0, 0)))
     reqs.append(requirements.PluginRequirement(
         name='kauth_scopes',
         plugin=kauth_scopes.Kauth_scopes,
         version=(1, 0, 0)))
     return reqs
示例#15
 def get_requirements(
         cls) -> List[interfaces.configuration.RequirementInterface]:
     """Return this plugin's configuration requirements, in declaration order.

     Kernel layer, Linux (``vmlinux``) symbol table, the ``pslist`` plugin,
     a version pin on the Linux utilities component, and an optional ``pid``
     list filter.
     """
     kernel_inputs = [
         requirements.TranslationLayerRequirement(
             name='primary',
             description='Memory layer for the kernel',
             architectures=["Intel32", "Intel64"]),
         requirements.SymbolTableRequirement(
             name="vmlinux", description="Linux kernel symbols"),
     ]
     dependencies = [
         requirements.PluginRequirement(
             name='pslist', plugin=pslist.PsList, version=(1, 0, 0)),
         requirements.VersionRequirement(
             name='linuxutils',
             component=linux.LinuxUtilities,
             version=(1, 0, 0)),
     ]
     process_filter = [
         requirements.ListRequirement(
             name='pid',
             description='Filter on specific process IDs',
             element_type=int,
             optional=True),
     ]
     return kernel_inputs + dependencies + process_filter