def run(self):
automagics = automagic.choose_automagic(
automagic.available(self._context), netscan.NetScan)
plugin_netscan = plugins.construct_plugin(self.context, automagics,
netscan.NetScan,
self.config_path,
self._progress_callback,
self._file_consumer)
output_netscan = plugin_netscan._generator()
filter_func = pslist.PsList.create_pid_filter(
[self.config.get('pid', None)])
automagics = automagic.choose_automagic(
automagic.available(self._context), malfind.Malfind)
plugin_malfind = plugins.construct_plugin(self.context, automagics,
malfind.Malfind,
self.config_path,
self._progress_callback,
self._file_consumer)
output_malfind = plugin_malfind._generator(
pslist.PsList.list_processes(
context=self.context,
layer_name=self.config['primary'],
symbol_table=self.config['nt_symbols'],
filter_func=filter_func))
malfind_pids = []
for row in output_malfind:
_depth, row_data = row
row_data = [
"N/A" if isinstance(i, renderers.UnreadableValue)
or isinstance(i, renderers.UnparsableValue) else i
for i in row_data
]
malfind_pids.append(int(row_data[0]))
filter_func = pslist.PsList.create_pid_filter(malfind_pids)
return renderers.TreeGrid(
[("PID", int), ("PPID", int), ("Process", str), ("Name", str),
("Path", str), ("PEHeader", str), ("MD5", str),
("VirusTotal", str), ("LocalAddr", str), ("ForeignAddr", str),
("State", str), ("SuspiciousIP", str)],
self._generator(
pslist.PsList.list_processes(
context=self.context,
layer_name=self.config['primary'],
symbol_table=self.config['nt_symbols'],
filter_func=filter_func), output_netscan))
def generate_treegrid(self,
plugin: Type[interfaces.plugins.PluginInterface],
**kwargs) -> interfaces.renderers.TreeGrid:
"""Generates a TreeGrid based on a specific plugin passing in kwarg configuration values"""
path_join = interfaces.configuration.path_join
# Generate a temporary configuration path
plugin_config_suffix = ''.join(
random.choice(string.ascii_uppercase + string.digits)
for _ in range(32))
plugin_path = path_join(self.config_path, plugin_config_suffix)
# Populate the configuration
for name, value in kwargs.items():
self.config[path_join(plugin_config_suffix, plugin.__name__,
name)] = value
try:
constructed = plugins.construct_plugin(self.context, [], plugin,
plugin_path, None,
NullFileConsumer())
return constructed.run()
except exceptions.UnsatisfiedException as excp:
print("Unable to validate the plugin requirements: {}\n".format(
[x for x in excp.unsatisfied]))
def extract_syscall_table(self, event):
ctx = event.context
automagics = event.automagics
plugin_list = event.plugin_list
self.logger.info('Extracting the NT syscall table')
try:
plugin = plugin_list['windows.ssdt.SSDT']
except KeyError as e:
raise RuntimeError("Plugin not found") from e
automagics = automagic.choose_automagic(automagics, plugin)
constructed = plugins.construct_plugin(ctx, automagics, plugin,
BASE_CONFIG_PATH, None, None)
treegrid = constructed.run()
renderer = JsonRenderer()
renderer.render(treegrid)
result = renderer.get_result()
sdt = self.parse_ssdt_output(result)
if self.neo4j_enabled:
self.insert_neo4j_db(sdt)
if self.debug:
# print syscalls on debug output
for table_name, table in sdt.items():
self.logger.debug('Displaying table %s', table_name)
for syscall in table:
self.logger.debug('[%s]: %s %s',
syscall['Index'], syscall['Symbol'],
hex(syscall['Address']))
def configure_plugin(self, plugin_name, **kwargs):
"""Configure and return a plugin
Args:
plugin_name: name of the plugin to configure, as a string.
**kwargs: configuration options passed to the plugin
Returns:
The instantiated and configure volatility plugin.
"""
plugin = self.plugins[plugin_name]
# Set arguments
for key, value in kwargs.items():
config_path = path_join("plugins", plugin.__name__, key)
self.vol_ctx.config[config_path] = value
# Filter automagics
available_automagics = automagic.available(self.vol_ctx)
automagics = automagic.choose_automagic(available_automagics, plugin)
# Instantiate the plugin
return volplugins.construct_plugin(
self.vol_ctx,
automagics,
plugin,
"plugins",
MuteProgress(),
FileHandlerInterface,
)
def run(self):
automagics = automagic.choose_automagic(
automagic.available(self._context), malfind.Malfind)
plugin_malfind = plugins.construct_plugin(self.context, automagics,
malfind.Malfind,
self.config_path,
self._progress_callback,
self._file_consumer)
output_malfind = plugin_malfind._generator(
pslist.PsList.list_processes(
context=self.context,
layer_name=self.config['primary'],
symbol_table=self.config['nt_symbols']))
malfind_pids = []
for row in output_malfind:
_depth, row_data = row
row_data = [
"N/A" if isinstance(i, renderers.UnreadableValue)
or isinstance(i, renderers.UnparsableValue) else i
for i in row_data
]
malfind_pids.append(str(row_data[0]))
return renderers.TreeGrid([("Offset", str), ("EventID", str),
("Valid", str), ("Time", datetime.datetime),
("PID", str), ("ThreadID", str),
("EventRecordID", str), ("Channel", str),
("Provider", str), ("Sec-UserID", str),
("Data", str)],
self._generator(show_corrupt_results=True,
pids=malfind_pids))
def run(self):
"""Isolate each plugin and run it."""
# Use all the plugins if there's no filter
self.usable_plugins = self.usable_plugins or self.get_usable_plugins()
self.automagics = self.automagics or automagic.available(self._context)
plugins_to_run = []
filter_list = self.config['plugin-filter']
# Identify plugins that we can run which output datetimes
for plugin_class in self.usable_plugins:
try:
automagics = automagic.choose_automagic(
self.automagics, plugin_class)
plugin = plugins.construct_plugin(self.context, automagics,
plugin_class,
self.config_path,
self._progress_callback,
self._file_consumer)
if isinstance(plugin, TimeLinerInterface):
if not len(filter_list) or any([
filter in plugin.__module__ + '.' +
plugin.__class__.__name__ for filter in filter_list
]):
plugins_to_run.append(plugin)
except exceptions.UnsatisfiedException as excp:
# Remove the failed plugin from the list and continue
vollog.debug("Unable to satisfy {}: {}".format(
plugin_class.__name__, excp.unsatisfied))
continue
if self.config.get('record-config', False):
total_config = {}
for plugin in plugins_to_run:
old_dict = dict(plugin.build_configuration())
for entry in old_dict:
total_config[interfaces.configuration.path_join(
plugin.__class__.__name__, entry)] = old_dict[entry]
filedata = interfaces.plugins.FileInterface("config.json")
with io.TextIOWrapper(filedata.data, write_through=True) as fp:
json.dump(total_config, fp, sort_keys=True, indent=2)
self.produce_file(filedata)
return renderers.TreeGrid(columns=[
("Plugin", str), ("Description", str),
("Created Date", datetime.datetime),
("Modified Date", datetime.datetime),
("Accessed Date", datetime.datetime),
("Changed Date", datetime.datetime)
],
generator=self._generator(plugins_to_run))
def extract_process_list(self, event):
ctx = event.context
automagics = event.automagics
plugin_list = event.plugin_list
self.logger.info('Extracting the process list')
try:
plugin = plugin_list['windows.pslist.PsList']
except KeyError as e:
raise RuntimeError("Plugin not found") from e
automagics = automagic.choose_automagic(automagics, plugin)
constructed = plugins.construct_plugin(ctx, automagics, plugin, BASE_CONFIG_PATH, None, None)
treegrid = constructed.run()
renderer = JsonRenderer()
renderer.render(treegrid)
result = renderer.get_result()
processes = self.parse_plugin_output(result)
if self.neo4j_enabled:
self.insert_neo4j_db(processes)
else:
# print them on debug output
for p in processes:
self.logger.debug(p)
def run(self):
automagics = automagic.choose_automagic(
automagic.available(self._context), netscan.NetScan)
plugin_netscan = plugins.construct_plugin(self.context, automagics,
netscan.NetScan,
self.config_path,
self._progress_callback,
self._file_consumer)
output_netscan = plugin_netscan._generator()
filter_func = pslist.PsList.create_pid_filter(
[self.config.get('pid', None)])
return renderers.TreeGrid(
[("PID", int), ("PPID", int), ("Process", str), ("Name", str),
("Path", str), ("LocalAddr", str), ("ForeignAddr", str),
("State", str), ("SuspiciousIP", str)],
self._generator(
pslist.PsList.list_processes(
context=self.context,
layer_name=self.config['primary'],
symbol_table=self.config['nt_symbols'],
filter_func=filter_func), output_netscan))
pluginname = str(config["plugin"]["value"])
filename = str(config["location"]["file"])
framework.import_files(volatility.plugins, True)
renderers = dict([
(x.name.lower(), x)
for x in framework.class_subclasses(text_renderer.CLIRenderer)
])
ctx = contexts.Context()
single_location = "file:" + request.pathname2url(filename)
ctx.config['automagic.LayerStacker.single_location'] = single_location
automagics = automagic.available(ctx)
plugin_list = framework.list_plugins()
plugin = plugin_list[pluginname]
automagics = automagic.choose_automagic(automagics, plugin)
if ctx.config.get('automagic.LayerStacker.stackers', None) is None:
ctx.config['automagic.LayerStacker.stackers'] = stacker.choose_os_stackers(
plugin)
base_config_path = "plugins"
plugin_config_path = interfaces.configuration.path_join(
base_config_path, plugin.__name__)
progress_callback = volatility.cli.MuteProgress()
constructed = plugins.construct_plugin(ctx, automagics, plugin,
base_config_path, progress_callback,
volatility.cli)
renderers["syslog"]().render(constructed.run())
