New versions & new features
by McCash John-GKJN37
Hey Folks,
I was just reading Gleeda's blog & CEIC presentation,
and was interested to discover that Volatility modules had been written
for Linux and Vista. Now I'm wondering why these modules haven't shown
up anywhere I can see them, including in the public view of the SVN
repository. After digging for a bit, I did see that they (or at least a
modified version of the Linux ones) have apparently been incorporated
into the Pyflag distribution, but that just caused me more confusion. If
they're stable enough to release as part of Pyflag, why aren't they in
the public Volatility repository?
Also, are you expecting to release an 'official' update
anytime soon? The last update available from the main Volatility page is
still 1.3_Beta. Is there some defined list of fixes or features that has
to be ready before an 'official' 1.3 version is released? Or has that
been bypassed, so that current work is really going toward 1.4? Maybe a
roadmap section would make a good addition to the main Volatility page.
I'm sure there are a lot of people who would be interested in what's
going on.
Thanks much (Sorry if I sound like I'm
ranting, you guys really have done some awesome work!)
John
----------------------------------------------------------
Quis custodiet ipsos custodes?... I do!
14 years, 10 months
- 3
- 3
[patch] Support for block devices (such as iSCSI exported memory images)
by Mike Auty
Hiya guys,
I had a request from echo6 to allow Volatility to run against iSCSI
exported memory images (which basically show up in Linux as block
devices). The attached patch changes checks from "not isfile" to
"isdir", in order to include block files, regular files and symlinks.
The patch also includes a secondary method for determine filesize, based
on opening the file, seeking to the end, and then asking the file to
tell how far the cursor is. That works fine for block devices, whereas
getsize returns 0.
As you can see form the patch, there's a lot of plugins that reimplement
existing code and handle files directly. That also means that other
existing plugins will need converting if they're to work against block
devices...
Mike 5:)
diff --git a/trunk/Volatility/forensics/addrspace.py b/trunk/Volatility/forensics/addrspace.py
index d0c0dee..c1d7198 100755
--- a/trunk/Volatility/forensics/addrspace.py
+++ b/trunk/Volatility/forensics/addrspace.py
@@ -43,6 +43,12 @@ class FileAddressSpace:
self.name = fname
self.fhandle = open(fname, mode)
self.fsize = os.path.getsize(fname)
+ # getsize returns 0 for block devices
+ if self.fsize < 1:
+ f = open(fname, mode)
+ f.seek(0, os.SEEK_END)
+ self.fsize = f.tell()
+ f.close()
if fast == True:
self.fast_fhandle = open(fname, mode)
diff --git a/trunk/Volatility/forensics/win32/scan.py b/trunk/Volatility/forensics/win32/scan.py
index 3217983..771fe67 100644
--- a/trunk/Volatility/forensics/win32/scan.py
+++ b/trunk/Volatility/forensics/win32/scan.py
@@ -678,7 +678,6 @@ def connection_dump(address, cnt, object):
def conn_scan(addr_space, types, filename, beg, end, slow):
-
if slow == False:
connection_object = ScanObject(addr_space,types)
connection_object.set_fast_beg(beg)
diff --git a/trunk/Volatility/vmodules.py b/trunk/Volatility/vmodules.py
index cd1bf20..5aa0cd1 100644
--- a/trunk/Volatility/vmodules.py
+++ b/trunk/Volatility/vmodules.py
@@ -978,7 +978,7 @@ def psscan(cmdname, argv):
slow = opts.slow
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -993,6 +993,12 @@ def psscan(cmdname, argv):
start = 0
filesize = os.path.getsize(filename)
+ # getsize returns 0 for block devices
+ if filesize < 1:
+ f = open(filename, 'rb')
+ f.seek(0, os.SEEK_END)
+ filesize = f.tell()
+ f.close()
if not opts.end is None:
try:
@@ -1050,7 +1056,7 @@ def thrdscan(cmdname, argv):
slow = opts.slow
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1065,6 +1071,12 @@ def thrdscan(cmdname, argv):
start = 0
filesize = os.path.getsize(filename)
+ # getsize returns 0 for block devices
+ if filesize < 1:
+ f = open(filename, 'rb')
+ f.seek(0, os.SEEK_END)
+ filesize = f.tell()
+ f.close()
if not opts.end is None:
try:
@@ -1123,7 +1135,7 @@ def sockscan(cmdname, argv):
slow = opts.slow
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1138,6 +1150,12 @@ def sockscan(cmdname, argv):
start = 0
filesize = os.path.getsize(filename)
+ # getsize returns 0 for block devices
+ if filesize < 1:
+ f = open(filename, 'rb')
+ f.seek(0, os.SEEK_END)
+ filesize = f.tell()
+ f.close()
if not opts.end is None:
try:
@@ -1194,7 +1212,7 @@ def connscan(cmdname, argv):
slow = opts.slow
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1209,6 +1227,12 @@ def connscan(cmdname, argv):
start = 0
filesize = os.path.getsize(filename)
+ # getsize returns 0 for block devices
+ if filesize < 1:
+ f = open(filename, 'rb')
+ f.seek(0, os.SEEK_END)
+ filesize = f.tell()
+ f.close()
if not opts.end is None:
try:
@@ -1257,7 +1281,7 @@ def mem_map(cmdname, argv):
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1354,7 +1378,7 @@ def modscan(cmdname, argv):
slow = opts.slow
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1368,6 +1392,12 @@ def modscan(cmdname, argv):
start = 0
filesize = os.path.getsize(filename)
+ # getsize returns 0 for block devices
+ if filesize < 1:
+ f = open(filename, 'rb')
+ f.seek(0, os.SEEK_END)
+ filesize = f.tell()
+ f.close()
if not opts.end is None:
try:
@@ -1423,7 +1453,7 @@ def dump_chk(cmdname, argv):
op = get_standard_parser(cmdname)
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1492,7 +1522,7 @@ def mem_dump(cmdname, argv):
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1601,7 +1631,7 @@ def hibinfo(cmdname, argv):
metavar="FILE", dest="dump")
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1923,7 +1953,7 @@ def connscan2(cmdname, argv):
op = get_standard_parser(cmdname)
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1968,7 +1998,7 @@ def sockscan2(cmdname, argv):
op = get_standard_parser(cmdname)
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -2009,7 +2039,7 @@ def modscan2(cmdname, argv):
op = get_standard_parser(cmdname)
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -2049,7 +2079,7 @@ def thrdscan2(cmdname, argv):
op = get_standard_parser(cmdname)
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -2093,7 +2123,7 @@ def psscan2(cmdname, argv):
action='store_true',dest='dot_format', default=False)
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
15 years, 1 month
- 3
- 4
[Patch] NewObject branch conversion of dlllist module to plugin
by Mike Auty
Hi everybody,
Sorry for the patch spam, but here's a new dlllist. Absolutely no
changes required to the framework for this one (the patch just includes
clean-up of the old module code). So, it looks like everything's going
according to plan! 5:)
Mike 5:)
>From 09832b06c751a06ccab5f7d4f850e7f18bcce279 Mon Sep 17 00:00:00 2001
From: Mike Auty <mike.auty(a)gmail.com>
Date: Sat, 26 Sep 2009 23:47:36 +0100
Subject: [PATCH] Add in dlllist plugin.
---
Volatility/forensics/win32/tasks.py | 55 ---------
Volatility/memory_plugins/internal/dlls.py | 83 +++++++++++++
Volatility/vmodules.py | 176 +---------------------------
Volatility/volatility.py | 4 -
4 files changed, 86 insertions(+), 232 deletions(-)
create mode 100644 Volatility/memory_plugins/internal/dlls.py
diff --git a/Volatility/forensics/win32/tasks.py b/Volatility/forensics/win32/tasks.py
index 8a64778..d78150b 100644
--- a/Volatility/forensics/win32/tasks.py
+++ b/Volatility/forensics/win32/tasks.py
@@ -248,18 +248,6 @@ def create_addr_space(kaddr_space, directory_table_base):
return process_address_space
-def process_command_line(process_address_space, types, peb_vaddr):
- process_parameters = read_obj(process_address_space, types,
- ['_PEB', 'ProcessParameters'], peb_vaddr)
-
-
- if process_parameters is None:
- return None
-
- return read_unicode_string(process_address_space, types,
- ['_RTL_USER_PROCESS_PARAMETERS', 'CommandLine'],
- process_parameters)
-
def peb_number_processors(process_address_space, types, peb_vaddr):
return read_obj(process_address_space, types,
['_PEB', 'NumberOfProcessors'], peb_vaddr)
@@ -279,49 +267,6 @@ def module_base(process_address_space, types, module_vaddr):
return read_obj(process_address_space, types,
['_LDR_DATA_TABLE_ENTRY', 'DllBase'], module_vaddr)
-def process_ldrs(process_address_space, types, peb_vaddr):
- ldr = read_obj(process_address_space, types,
- ['_PEB', 'Ldr'], peb_vaddr)
-
- module_list = []
-
- if ldr is None:
- print "Unable to read ldr for peb 0x%x" % (peb_vaddr)
- return module_list
-
- first_module = read_obj(process_address_space, types,
- ['_PEB_LDR_DATA', 'InLoadOrderModuleList', 'Flink'],
- ldr)
-
- if first_module is None:
- print "Unable to read first module for ldr 0x%x" % (ldr)
- return module_list
-
- this_module = first_module
-
- next_module = read_obj(process_address_space, types,
- ['_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks', 'Flink'],
- this_module)
-
- if next_module is None:
- print "ModuleList Truncated, unable to read module at 0x%x\n" % (this_module)
- return module_list
-
- while next_module != first_module:
- module_list.append(this_module)
- if not process_address_space.is_valid_address(next_module):
- print "ModuleList Truncated, unable to read module at 0x%x\n" % (next_module)
- return module_list
- _prev_module = this_module
- this_module = next_module
- next_module = read_obj(process_address_space, types,
- ['_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks', 'Flink'],
- this_module)
-
-
- return module_list
-
-
def find_csdversion(addr_space, types):
CSDVersionDict = dict()
diff --git a/Volatility/memory_plugins/internal/dlls.py b/Volatility/memory_plugins/internal/dlls.py
new file mode 100644
index 0000000..277a6ca
--- /dev/null
+++ b/Volatility/memory_plugins/internal/dlls.py
@@ -0,0 +1,83 @@
+'''
+Created on 26 Sep 2009
+
+@author: Mike Auty
+'''
+
+#pylint: disable-msg=C0111
+
+import forensics.commands
+import forensics.win32 as win32
+import forensics.object2 as object2
+import forensics.utils as utils
+
+class dlllist(forensics.commands.command):
+ """Print list of loaded dlls for each process"""
+
+ def __init__(self, args=None):
+ forensics.commands.command.__init__(self, args)
+ self.profile = None
+
+ def parser(self):
+ """Sets up the parser before execution"""
+ forensics.commands.command.parser(self)
+
+ self.op.add_option('-o', '--offset',
+ help='EPROCESS Offset (in hex) in physical address space',
+ action='store', type='string', dest='offset')
+
+ self.op.add_option('-p', '--pid',
+ help='Get info for this Pid', default=None,
+ action='store', type='int', dest='pid')
+
+ def render_text(self, outfd, data):
+ first = True
+ for pid in data:
+ if not first:
+ outfd.write("*" * 72 + "\n")
+
+ task = data[pid]['task']
+ outfd.write("%s pid: %-6d\n" % (task.ImageFileName, pid))
+ first = False
+
+ if task.Peb:
+ outfd.write("Command line : %s\n" % (task.Peb.ProcessParameters.CommandLine))
+ outfd.write("%s\n" % task.Peb.CSDVersion)
+ outfd.write("\n")
+ modules = data[pid]['modules']
+ outfd.write("%-12s %-12s %s\n" % ('Base', 'Size', 'Path'))
+ for m in modules:
+ outfd.write("0x%0.8x 0x%0.6x %s\n" % (int(m.BaseAddress), int(m.SizeOfImage), m.FullDllName))
+ else:
+ outfd.write("Unable to read PEB for task.\n")
+
+ def calculate(self):
+ result = {}
+ self.profile = object2.Profile()
+
+ addr_space = utils.load_as(self.opts)
+
+ if self.opts.offset:
+ try:
+ offset = int(self.opts.offset, 16)
+ except ValueError:
+ self.op.error("EPROCESS offset must be a hexadecimal number.")
+
+ tasks = [object2.NewObject("_EPROCESS", offset, addr_space, profile=self.profile)]
+
+ else:
+ tasks = win32.tasks.pslist(addr_space, self.profile)
+
+ for task in tasks:
+ if task.UniqueProcessId:
+ pid = int(task.UniqueProcessId)
+ if self.opts.pid and pid != self.opts.pid:
+ continue
+
+ result[pid] = {'task': task, 'modules': []}
+
+ if task.Peb.Ldr.InLoadOrderModuleList:
+ for l in task.Peb.Ldr.InLoadOrderModuleList.list_of_type("_LDR_MODULE", "InLoadOrderModuleList"):
+ result[pid]['modules'].append(l)
+
+ return result
\ No newline at end of file
diff --git a/Volatility/vmodules.py b/Volatility/vmodules.py
index 2082b73..b4f583f 100644
--- a/Volatility/vmodules.py
+++ b/Volatility/vmodules.py
@@ -36,9 +36,9 @@ from vutils import get_standard_parser, is_hiberfil, is_crash_dump, types, get_d
from forensics.addrspace import FileAddressSpace
from forensics.win32.hiber_addrspace import WindowsHiberFileSpace32
from forensics.win32.crash_addrspace import WindowsCrashDumpSpace32
-from forensics.object import read_unicode_string, read_obj
-from forensics.win32.tasks import module_base, module_path, module_size, create_addr_space, process_addr_space, process_command_line, process_dtb, process_find_pid
-from forensics.win32.tasks import process_imagename, process_ldrs, process_list, process_peb, process_pid, process_handle_table, process_create_time, process_handle_count
+from forensics.object import read_obj
+from forensics.win32.tasks import create_addr_space, process_addr_space, process_dtb, process_find_pid
+from forensics.win32.tasks import process_imagename, process_list, process_peb, process_pid, process_handle_table, process_create_time, process_handle_count
from forensics.win32.tasks import process_inherited_from, process_num_active_threads, process_vadroot
from forensics.win32.handles import handle_entries, handle_process_id, handle_tables
from forensics.win32.vad import vad_dump, vad_info, print_vad_dot_infix, print_vad_dot_prefix, print_vad_table, print_vad_tree, traverse_vad
@@ -125,176 +125,6 @@ def get_pslist(cmdname, argv):
create_time)
###################################
-# dlllist - DLL list
-###################################
-def get_dlllist(cmdname, argv):
- """
- Function prints a list of dlls loaded in each process
- """
- op = get_standard_parser(cmdname)
-
- op.add_option('-o', '--offset',
- help='EPROCESS Offset (in hex) in physical address space',
- action='store', type='string', dest='offset')
- op.add_option('-p', '--pid',
- help='Get info for this Pid',
- action='store', type='int', dest='pid')
-
- opts, _args = op.parse_args(argv)
-
- filename = opts.filename
-
- (addr_space, symtab, types) = load_and_identify_image(op, opts)
-
- if not opts.offset is None:
-
- try:
- offset = int(opts.offset, 16)
- except:
- op.error("EPROCESS offset must be a hexadecimal number.")
-
- try:
- flat_address_space = FileAddressSpace(filename)
- except:
- op.error("Unable to open image file %s" % (filename))
-
- directory_table_base = process_dtb(flat_address_space, types, offset)
-
- process_address_space = create_addr_space(addr_space, directory_table_base)
-
- process_id = process_pid(flat_address_space, types, offset)
-
- if process_address_space is None:
- print "Error obtaining address space for process [%d]" % (process_id)
- return
-
-
- image_file_name = process_imagename(flat_address_space, types, offset)
-
- print "%s pid: %d" % (image_file_name, process_id)
-
- peb = process_peb(flat_address_space, types, offset)
-
- if not process_address_space.is_valid_address(peb):
- print "Unable to read PEB for task."
- return
-
- command_line = process_command_line(process_address_space, types, peb)
-
- if command_line is None:
- command_line = "UNKNOWN"
-
- print "Command line : %s" % (command_line)
-
- print
-
- modules = process_ldrs(process_address_space, types, peb)
-
- if len(modules) > 0:
- print "%-12s %-12s %s" % ('Base', 'Size', 'Path')
-
- for module in modules:
- if not process_address_space.is_valid_address(module):
- return
- path = module_path(process_address_space, types, module)
- if path is None:
- path = "%-10s " % ('UNKNOWN')
-
- base = module_base(process_address_space, types, module)
- if base is None:
- base = "%-10s " % ('UNKNOWN')
- else:
- base = "0x%-10x" % (base)
-
- size = module_size(process_address_space, types, module)
- if size is None:
- size = "%-10s " % ('UNKNOWN')
- else:
- size = "0x%-10x" % (size)
-
- print "%s %s %s" % (base, size, path)
-
- print
-
- else:
-
- # get list of windows processes
- all_tasks = process_list(addr_space, types, symtab)
-
- if not opts.pid == None:
- all_tasks = process_find_pid(addr_space, types, symtab, all_tasks, opts.pid)
- if len(all_tasks) == 0:
- print "Error process [%d] not found" % opts.pid
-
- star_line = '*'*72
-
- for task in all_tasks:
-
- if not addr_space.is_valid_address(task):
- continue
-
- if len(all_tasks) > 1:
- print "%s" % star_line
-
- image_file_name = process_imagename(addr_space, types, task)
-
- process_id = process_pid(addr_space, types, task)
-
-
- print "%s pid: %d" % (image_file_name, process_id)
-
- process_address_space = process_addr_space(addr_space, types, task, opts.filename)
- if process_address_space is None:
- print "Error obtaining address space for process [%d]" % (process_id)
- continue
-
- peb = process_peb(addr_space, types, task)
-
- if not process_address_space.is_valid_address(peb):
- print "Unable to read PEB for task."
- continue
-
- command_line = process_command_line(process_address_space, types, peb)
-
- if command_line is None:
- command_line = "UNKNOWN"
-
- print "Command line : %s" % (command_line)
-
- print read_unicode_string(process_address_space, types,
- ['_PEB', 'CSDVersion'], peb)
-
- print
-
- modules = process_ldrs(process_address_space, types, peb)
-
- if len(modules) > 0:
- print "%-12s %-12s %s" % ('Base', 'Size', 'Path')
-
- for module in modules:
- if not process_address_space.is_valid_address(module):
- continue
- path = module_path(process_address_space, types, module)
- if path is None:
- path = "%-10s " % ('UNKNOWN')
-
- base = module_base(process_address_space, types, module)
- if base is None:
- base = "%-10s " % ('UNKNOWN')
- else:
- base = "0x%-10x" % (base)
-
- size = module_size(process_address_space, types, module)
- if size is None:
- size = "%-10s " % ('UNKNOWN')
- else:
- size = "0x%-10x" % (size)
-
- print "%s %s %s" % (base, size, path)
-
- print
-
-###################################
# strings - identify pid(s) associated with a string
###################################
def print_string(offset, pidlist, string):
diff --git a/Volatility/volatility.py b/Volatility/volatility.py
index baee253..ff50b51 100644
--- a/Volatility/volatility.py
+++ b/Volatility/volatility.py
@@ -44,10 +44,6 @@ modules = {
VolatoolsModule('pslist',
'Print list of running processes',
get_pslist),
- 'dlllist':
- VolatoolsModule('dlllist',
- 'Print list of loaded dlls for each process',
- get_dlllist),
'strings':
VolatoolsModule('strings',
'Match physical offsets to virtual addresses (may take a while, VERY verbose)',
--
1.6.5.rc1
15 years, 1 month
- 4
- 5
[Patch] NewObject branch conversion of files module to plugin
by Mike Auty
Hi everybody,
Another one, hot off the press. This time I went for the files module.
I thought this one was going to be really tricky, but luckily most of
the work had already been done in the xp_sp2.py for _EPROCESS objects.
I spotted that the Array didn't seem to be generated properly, and I
changed the function to return all objects (since I figured whatever was
using them could narrow down the objects based on their type, rather
than only ever returning file objects). Otherwise, it was just the
plugin file that needed changing... 5:)
I've also tried to ensure I don't do repeated checks and/or "is None"
checks... 5;P
Mike 5:)
diff --git a/Volatility/memory_objects/Windows/xp_sp2.py b/Volatility/memory_objects/Windows/xp_sp2.py
index 4cc4956..215a181 100644
--- a/Volatility/memory_objects/Windows/xp_sp2.py
+++ b/Volatility/memory_objects/Windows/xp_sp2.py
@@ -25,11 +25,11 @@
#pylint: disable-msg=C0111
-from forensics.object2 import CType, NewObject, NoneObject, NativeType, Curry
-from forensics.win32.datetime import windows_to_unix_time
+import forensics.object2 as object2
+import forensics.win32 as win32
import vmodules
-class _UNICODE_STRING(CType):
+class _UNICODE_STRING(object2.CType):
"""Class representing a _UNICODE_STRING
Adds the following behavior:
@@ -50,7 +50,7 @@ class _UNICODE_STRING(CType):
def __str__(self):
return self.v()
-class _LIST_ENTRY(CType):
+class _LIST_ENTRY(object2.CType):
""" Adds iterators for _LIST_ENTRY types """
def list_of_type(self, type, member, forward=True):
if not self.is_valid():
@@ -69,10 +69,10 @@ class _LIST_ENTRY(CType):
while 1:
## Instantiate the object
- obj = NewObject(type, offset = lst.offset - offset,
- vm=self.vm,
- parent=self.parent,
- profile=self.profile, name=type)
+ obj = object2.NewObject(type, offset = lst.offset - offset,
+ vm=self.vm,
+ parent=self.parent,
+ profile=self.profile, name=type)
if forward:
@@ -89,7 +89,7 @@ class _LIST_ENTRY(CType):
def __iter__(self):
return self.list_of_type(self.parent.name, self.name)
-class String(NativeType):
+class String(object2.NativeType):
def __init__(self, type, offset, vm=None,
length=1, parent=None, profile=None, name=None, **args):
## Allow length to be a callable:
@@ -99,7 +99,7 @@ class String(NativeType):
pass
## length must be an integer
- NativeType.__init__(self, type, offset, vm, parent=parent, profile=profile,
+ object2.NativeType.__init__(self, type, offset, vm, parent=parent, profile=profile,
name=name, format_string="%ds" % length)
def upper(self):
@@ -113,7 +113,7 @@ class String(NativeType):
## Make sure its null terminated:
return data.split("\x00")[0]
-class WinTimeStamp(NativeType):
+class WinTimeStamp(object2.NativeType):
def __init__(self, type=None, offset=None, vm=None, value=None,
parent=None, profile=None, name=None, **args):
## This allows us to have a WinTimeStamp object with a
@@ -122,17 +122,17 @@ class WinTimeStamp(NativeType):
if value:
self.data = value
else:
- NativeType.__init__(self, type, offset, vm, parent=parent, profile=profile,
- name=name, format_string="q")
+ object2.NativeType.__init__(self, type, offset, vm, parent=parent, profile=profile,
+ name=name, format_string="q")
def value(self):
"""Override the value return, depending on whether we have a data field"""
if self.data is not None:
return self.data
- return NativeType.value(self)
+ return object2.NativeType.value(self)
def v(self):
- return windows_to_unix_time(self.value())
+ return win32.datetime.windows_to_unix_time(self.value())
def __sub__(self, x):
return WinTimeStamp(value = self.value() - x.value())
@@ -143,7 +143,7 @@ class WinTimeStamp(NativeType):
LEVEL_MASK = 0xfffffff8
-class _EPROCESS(CType):
+class _EPROCESS(object2.CType):
""" An extensive _EPROCESS with bells and whistles """
def _Peb(self, _attr):
""" Returns a _PEB object which is using the process address space.
@@ -155,13 +155,13 @@ class _EPROCESS(CType):
process_ad = self.get_process_address_space()
if process_ad:
offset = self.m("Peb").v()
- peb = NewObject("_PEB", offset, vm=process_ad, profile=self.profile,
- name = "Peb", parent=self)
+ peb = object2.NewObject("_PEB", offset, vm=process_ad, profile=self.profile,
+ name = "Peb", parent=self)
if peb.is_valid():
return peb
- return NoneObject("Peb not found")
+ return object2.NoneObject("Peb not found")
def get_process_address_space(self):
""" Gets a process address space for a task given in _EPROCESS """
@@ -177,9 +177,8 @@ class _EPROCESS(CType):
and iterates over them.
"""
- table = NewObject("Array", offset, self.vm,
- count=0x200, parent=self, profile=self.profile,
- target = Curry(NewObject, "_HANDLE_TABLE_ENTRY"))
+ table = object2.Array("_HANDLE_TABLE_ENTRY", offset=offset, vm=self.vm,
+ count=0x200, parent=self, profile=self.profile)
for t in table:
offset = t.dereference_as('unsigned int')
if not offset.is_valid():
@@ -193,13 +192,11 @@ class _EPROCESS(CType):
## OK We got to the bottom table, we just resolve
## objects here:
offset = int(offset) & ~0x00000007
- obj = NewObject("_OBJECT_HEADER", offset, self.vm,
- parent=self, profile=self.profile)
+ obj = object2.NewObject("_OBJECT_HEADER", offset, self.vm,
+ parent=self, profile=self.profile)
try:
- if obj.Type.Name.__str__()=='File':
- filevar = NewObject("_FILE_OBJECT", obj.Body.offset, self.vm,
- parent=self, profile=self.profile)
- yield filevar
+ if obj.Type.Name:
+ yield obj
except Exception, _e:
pass
@@ -227,7 +224,7 @@ class _EPROCESS(CType):
import socket, struct
-class _TCPT_OBJECT(CType):
+class _TCPT_OBJECT(object2.CType):
def _RemoteIpAddress(self, attr):
return socket.inet_ntoa(struct.pack("<I", self.m(attr).v()))
diff --git a/Volatility/memory_plugins/internal/files.py b/Volatility/memory_plugins/internal/files.py
new file mode 100644
index 0000000..7bce080
--- /dev/null
+++ b/Volatility/memory_plugins/internal/files.py
@@ -0,0 +1,78 @@
+'''
+Created on 26 Sep 2009
+
+@author: Mike Auty
+'''
+
+#pylint: disable-msg=C0111
+
+import forensics.commands
+import forensics.win32 as win32
+import forensics.object2 as object2
+import forensics.utils as utils
+
+class files(forensics.commands.command):
+ """Print list of open files for each process"""
+
+ def __init__(self, args=None):
+ forensics.commands.command.__init__(self, args)
+ self.profile = None
+
+ def parser(self):
+ """Sets up the parser before execution"""
+ forensics.commands.command.parser(self)
+
+ self.op.add_option('-o', '--offset',
+ help='EPROCESS Offset (in hex) in physical address space',
+ action='store', type='string', dest='offset')
+
+ self.op.add_option('-p', '--pid',
+ help='Get info for this Pid', default=None,
+ action='store', type='int', dest='pid')
+
+ def render_text(self, outfd, data):
+ first = True
+ for pid in data:
+ if not first:
+ outfd.write("*" * 72 + "\n")
+ outfd.write("Pid: %-6d\n" % pid)
+ first = False
+
+ handles = data[pid]
+ for h in handles:
+ if h.FileName:
+ outfd.write("%-6s %-40s\n" % ("File", h.FileName))
+
+ def calculate(self):
+ result = {}
+ self.profile = object2.Profile()
+
+ addr_space = utils.load_as(self.opts)
+
+ if self.opts.offset:
+ try:
+ offset = int(self.opts.offset, 16)
+ except ValueError:
+ self.op.error("EPROCESS offset must be a hexadecimal number.")
+
+ tasks = [object2.NewObject("_EPROCESS", offset, addr_space, profile=self.profile)]
+
+ else:
+ tasks = win32.tasks.pslist(addr_space, self.profile)
+
+ for task in tasks:
+ if task.ObjectTable.HandleTableList:
+ pid = int(task.ObjectTable.UniqueProcessId)
+ if self.opts.pid and pid != self.opts.pid:
+ continue
+ handles = task.handles()
+
+ # Weed out just the file handles:
+ for h in handles:
+ if str(h.Type.Name) == 'File':
+ filevar = object2.NewObject("_FILE_OBJECT", h.Body.offset, task.vm, parent=task, profile=task.profile)
+ hlist = result.get(pid, [])
+ hlist.append(filevar)
+ result[pid] = hlist
+
+ return result
\ No newline at end of file
diff --git a/Volatility/vmodules.py b/Volatility/vmodules.py
index a910b03..2082b73 100644
--- a/Volatility/vmodules.py
+++ b/Volatility/vmodules.py
@@ -40,7 +40,7 @@ from forensics.object import read_unicode_string, read_obj
from forensics.win32.tasks import module_base, module_path, module_size, create_addr_space, process_addr_space, process_command_line, process_dtb, process_find_pid
from forensics.win32.tasks import process_imagename, process_ldrs, process_list, process_peb, process_pid, process_handle_table, process_create_time, process_handle_count
from forensics.win32.tasks import process_inherited_from, process_num_active_threads, process_vadroot
-from forensics.win32.handles import handle_entries, handle_process_id, handle_tables, handle_entry_object, is_object_file, object_data, file_name
+from forensics.win32.handles import handle_entries, handle_process_id, handle_tables
from forensics.win32.vad import vad_dump, vad_info, print_vad_dot_infix, print_vad_dot_prefix, print_vad_table, print_vad_tree, traverse_vad
from forensics.win32.scan import module_scan, conn_scan, ps_scan_dot, ps_scan, socket_scan, thrd_scan
from forensics.win32.crashdump import crash_to_dd, dd_to_crash
@@ -295,87 +295,6 @@ def get_dlllist(cmdname, argv):
print
###################################
-# files - List open files
-###################################
-def print_entry_file(addr_space, types, entry):
-
- if not addr_space.is_valid_address(entry):
- return
-
- obj = handle_entry_object(addr_space, types, entry)
- if obj is None:
- return
-
- if addr_space.is_valid_address(obj):
- if is_object_file(addr_space, types, obj):
- f = object_data(addr_space, types, obj)
- fname = file_name(addr_space, types, f)
- if fname != "":
- print "%-6s %-40s" % ("File", fname)
-
-def get_open_files(cmdname, argv):
- """
- Function prints a list of open files for each process.
- """
- htables = []
-
- op = get_standard_parser(cmdname)
-
- op.add_option('-o', '--offset',
- help='EPROCESS Offset (in hex) in physical address space',
- action='store', type='string', dest='offset')
-
- op.add_option('-p', '--pid',
- help='Get info for this Pid',
- action='store', type='int', dest='pid')
-
- opts, _args = op.parse_args(argv)
-
- filename = opts.filename
- pid = opts.pid
-
- (addr_space, symtab, types) = load_and_identify_image(op, opts)
-
- if not opts.offset is None:
-
- try:
- offset = int(opts.offset, 16)
- except:
- op.error("EPROCESS offset must be a hexadecimal number.")
-
- try:
- flat_address_space = FileAddressSpace(filename)
- except:
- op.error("Unable to open image file %s" % (filename))
-
- ObjectTable = process_handle_table(flat_address_space, types, offset)
-
- if addr_space.is_valid_address(ObjectTable):
- htables.append(ObjectTable)
-
- else:
-
- htables = handle_tables(addr_space, types, symtab, pid)
-
-
- star_line = '*' * 72
-
- for table in htables:
- if len(htables) > 1:
- print "%s" % star_line
-
- process_id = handle_process_id(addr_space, types, table)
- if process_id == None:
- continue
-
- print "Pid: %-6d" % (process_id)
-
- entries = handle_entries(addr_space, types, table)
- for hentry in entries:
- print_entry_file(addr_space, types, hentry)
-
-
-###################################
# strings - identify pid(s) associated with a string
###################################
def print_string(offset, pidlist, string):
diff --git a/Volatility/volatility.py b/Volatility/volatility.py
index a765579..baee253 100644
--- a/Volatility/volatility.py
+++ b/Volatility/volatility.py
@@ -48,10 +48,6 @@ modules = {
VolatoolsModule('dlllist',
'Print list of loaded dlls for each process',
get_dlllist),
- 'files':
- VolatoolsModule('files',
- 'Print list of open files for each process',
- get_open_files),
'strings':
VolatoolsModule('strings',
'Match physical offsets to virtual addresses (may take a while, VERY verbose)',
15 years, 1 month
- 1
- 0
[Patch] NewObject branch conversion of internal connections module to plugin
by Mike Auty
Hiya guys,
A slightly bigger and more complex one this time round. This is the
next module I've attempted to convert into a plugin. It seems a bit
fiddly, because you've got to jump around in memory looking for the
right spot (depending on the sys file that created it), so the error
checking on it could probably do with some improvements, but hopefully
the object model will automatically detect and mark as None any invalid
addresses we might ask for.
Again, any comments or criticisms would be gratefully received, I'm not
sure if I'm allowed to just invent type names like I've done for the
table pointers, and I'd also like to know whether the result of a
calculation can contain types, or whether I should be putting the data
into dicts/lists?
I'm also wondering what could be done about the plugin namespace,
because at the moment, there's no way of extending another plugin from a
different module (because relative addressing only works within a python
module, and we haven't been adding __init__.py files to the
memory_plugins directory). Is there a good way of inheriting from a
plugin, or should we just be putting the main functionality under
forensics.win32 and then make the plugins as empty as possible?
The *scan/scan2 functions look like they'll be trickier to convert, if
anyone with a good understanding of the NewObject model would like to
have a go at converting one of them, it'd help me a lot as a template to
get the others converted. If not, I'll have to wing it... 5;P
Mike 5:)
diff --git a/Volatility/forensics/object2.py b/Volatility/forensics/object2.py
index 29552d8..f4f9181 100644
--- a/Volatility/forensics/object2.py
+++ b/Volatility/forensics/object2.py
@@ -99,6 +99,9 @@ class NoneObject(object):
def __iter__(self):
return self
+ def __len__(self):
+ return 0
+
def next(self):
raise StopIteration()
@@ -588,8 +591,14 @@ class Profile:
system. We parse the abstract_types and join them with
native_types to make everything work together.
"""
- def __init__(self, native_types=x86_native_types, abstract_types=types,
- overlay=xpsp2overlays, strict=False):
+ def __init__(self, native_types=None, abstract_types=None,
+ overlay=None, strict=False):
+ if native_types is None:
+ native_types = x86_native_types
+ if abstract_types is None:
+ abstract_types = types
+ if overlay is None:
+ overlay = xpsp2overlays
self.types = {}
self.strict = strict
diff --git a/Volatility/forensics/win32/network.py b/Volatility/forensics/win32/network.py
index 5ee84d6..b4598dd 100644
--- a/Volatility/forensics/win32/network.py
+++ b/Volatility/forensics/win32/network.py
@@ -29,6 +29,8 @@
#pylint: disable-msg=C0111
import struct
+import forensics.win32 as win32
+import forensics.object2 as object2
from forensics.object import read_value, read_obj, get_obj_offset
from forensics.win32.datetime import read_time, windows_to_unix_time
from forensics.win32.modules import module_find_baseaddr, modules_list
@@ -60,10 +62,10 @@ module_versions = { \
'AddrObjTableSizeOffset' : [0x48664], \
},
'3394': {
- 'TCBTableOff': [0x49768], \
- 'SizeOff': [0x3F73C], \
- 'AddrObjTableOffset': [0x486E0], \
- 'AddrObjTableSizeOffset': [0x486E4], \
+ 'TCBTableOff': [0x49768], \
+ 'SizeOff': [0x3F73C], \
+ 'AddrObjTableOffset': [0x486E0], \
+ 'AddrObjTableSizeOffset': [0x486E4], \
},
'5625' : { \
'TCBTableOff' : [0x49ae8], \
@@ -80,6 +82,35 @@ module_versions = { \
}
+def determine_connections(addr_space, profile):
+ """Determines all connections for each module"""
+ all_modules = win32.modules.lsmod(addr_space, profile)
+
+ profile.add_types({'_TCPT_OBJECT_POINTER': [0x4,
+ {'Pointer': [0x0, ['pointer', ['_TCPT_OBJECT']]]}
+ ]})
+
+ connections = []
+
+ for m in all_modules:
+ if str(m.ModuleName).lower() == 'tcpip.sys':
+ for attempt in module_versions:
+ table_size = object2.NewObject("unsigned long", m.BaseAddress + module_versions[attempt]['SizeOff'][0], addr_space, profile=profile)
+ table_addr = object2.NewObject("unsigned long", m.BaseAddress + module_versions[attempt]['TCBTableOff'][0], addr_space, profile=profile)
+ if int(table_size) > 0:
+ table = object2.Array('Array', table_addr, addr_space, count=table_size, profile=profile,
+ target=object2.Curry(object2.NewObject, '_TCPT_OBJECT_POINTER'))
+ for entry in table:
+ if entry is None:
+ break
+ conn = entry.Pointer.dereference()
+ while conn.is_valid():
+ connections.append(conn)
+ conn = conn.Next
+ return connections
+
+ return object2.NoneObject("Unable to determine connections")
+
def tcb_connections(addr_space, types, symbol_table):
all_modules = modules_list(addr_space, types, symbol_table)
base_addr = module_find_baseaddr(addr_space, types, all_modules,"tcpip")
diff --git a/Volatility/memory_plugins/internal/connections.py b/Volatility/memory_plugins/internal/connections.py
new file mode 100644
index 0000000..91a1fff
--- /dev/null
+++ b/Volatility/memory_plugins/internal/connections.py
@@ -0,0 +1,40 @@
+'''
+Created on 25 Sep 2009
+
+@author: Mike Auty
+'''
+
+#pylint: disable-msg=C0111
+
+import forensics.commands
+import forensics.win32 as win32
+import forensics.object2 as object2
+import forensics.utils as utils
+
+class connections(forensics.commands.command):
+ """Print list of open connections"""
+
+ def __init__(self, args=None):
+ forensics.commands.command.__init__(self, args)
+ self.profile = None
+
+ def render_text(self, outfd, data):
+ if len(data):
+ outfd.write("%-25s %-25s %-6s\n" % ('Local Address', 'Remote Address', 'Pid'))
+
+ for conn in data:
+ local = "%s:%s" % (conn.LocalIpAddress, conn.LocalPort)
+ remote = "%s:%s" % (conn.RemoteIpAddress, conn.RemotePort)
+ outfd.write("%-25s %-25s %-6d\n" % (local, remote, conn.Pid))
+
+
+ def calculate(self):
+ result = {}
+ self.profile = object2.Profile()
+
+ addr_space = utils.load_as(self.opts)
+
+ # Get the Image Datetime
+ result = win32.network.determine_connections(addr_space, self.profile)
+
+ return result
\ No newline at end of file
diff --git a/Volatility/vmodules.py b/Volatility/vmodules.py
index ec642f8..46bef38 100644
--- a/Volatility/vmodules.py
+++ b/Volatility/vmodules.py
@@ -41,7 +41,6 @@ from forensics.win32.tasks import module_base, module_path, module_size, create_
from forensics.win32.tasks import process_imagename, process_ldrs, process_list, process_peb, process_pid, process_handle_table, process_create_time, process_handle_count
from forensics.win32.tasks import process_inherited_from, process_num_active_threads, process_vadroot
from forensics.win32.modules import modules_list
-from forensics.win32.network import connection_laddr, connection_lport, connection_raddr, connection_rport, connection_pid, tcb_connections
from forensics.win32.network import socket_create_time, socket_local_port, socket_pid, socket_protocol, open_sockets
from forensics.win32.handles import handle_entries, handle_process_id, handle_tables, handle_entry_object, is_object_file, object_data, file_name
from forensics.win32.modules import module_baseaddr, module_imagename, module_imagesize, module_modulename
@@ -336,39 +335,6 @@ def get_dlllist(cmdname, argv):
print
###################################
-# connections - List open connections
-###################################
-def get_connections(cmdname, argv):
- """
- Function prints a list of open connections
- """
- op = get_standard_parser(cmdname)
- opts, _args = op.parse_args(argv)
-
- (addr_space, symtab, types) = load_and_identify_image(op, opts)
-
- connections = tcb_connections(addr_space, types, symtab)
-
- if len(connections) > 0:
- print "%-25s %-25s %-6s" % ('Local Address', 'Remote Address', 'Pid')
-
- for connection in connections:
-
- if not addr_space.is_valid_address(connection):
- continue
-
- pid = connection_pid(addr_space, types, connection)
- lport = connection_lport(addr_space, types, connection)
- laddr = connection_laddr(addr_space, types, connection)
- rport = connection_rport(addr_space, types, connection)
- raddr = connection_raddr(addr_space, types, connection)
-
- local = "%s:%d" % (laddr, lport)
- remote = "%s:%d" % (raddr, rport)
-
- print "%-25s %-25s %-6d" % (local, remote, pid)
-
-###################################
# sockets - List open sockets
###################################
def get_sockets(cmdname, argv):
diff --git a/Volatility/volatility.py b/Volatility/volatility.py
index 4e04aeb..ebdf02e 100644
--- a/Volatility/volatility.py
+++ b/Volatility/volatility.py
@@ -56,10 +56,6 @@ modules = {
VolatoolsModule('files',
'Print list of open files for each process',
get_open_files),
- 'connections':
- VolatoolsModule('connections',
- 'Print list of open connections',
- get_connections),
'modules':
VolatoolsModule('modules',
'Print list of loaded modules',
15 years, 1 month
- 2
- 1
[Patch] NewObject branch conversion of modules and sockets to plugins
by Mike Auty
Hi again,
Michael, thanks for adding in my patches (and fixing up my antiquated
python!)... 5:) I'm still working towards moving all the modules over
to plugins, and so here's a couple more. I've been cleaning up the
various forensics.win32 files as I go once a function's no longer
called. It will break compatibility with old plugins, but I think we've
already covered this and decided that cleaning things up is the best way
to let new people get into it, and old devs figure out what they should
use and what they shouldn't.
As ever, do let me know if there's any stylistic changes, or
functionality issues, and please feel free to improve them in any way! 5;)
Mike 5:)
>From e31e38da3b559715f735afd5f112092e6d0ad60e Mon Sep 17 00:00:00 2001
From: Mike Auty <mike.auty(a)gmail.com>
Date: Sat, 26 Sep 2009 12:49:47 +0100
Subject: [PATCH] Add in modules plugin.
---
Volatility/forensics/win32/network.py | 73 -------------------------
Volatility/memory_plugins/internal/modules.py | 39 +++++++++++++
Volatility/vmodules.py | 39 -------------
Volatility/volatility.py | 4 --
4 files changed, 39 insertions(+), 116 deletions(-)
create mode 100644 Volatility/memory_plugins/internal/modules.py
diff --git a/Volatility/forensics/win32/network.py b/Volatility/forensics/win32/network.py
index b4598dd..7ebad10 100644
--- a/Volatility/forensics/win32/network.py
+++ b/Volatility/forensics/win32/network.py
@@ -111,79 +111,6 @@ def determine_connections(addr_space, profile):
return object2.NoneObject("Unable to determine connections")
-def tcb_connections(addr_space, types, symbol_table):
- all_modules = modules_list(addr_space, types, symbol_table)
- base_addr = module_find_baseaddr(addr_space, types, all_modules,"tcpip")
-
- if base_addr is None:
- return []
-
- connection_list = []
-
- connection_list = find_connections(addr_space, types, symbol_table, base_addr)
-
- return connection_list
-
-def get_tcb_connections(addr_space, types, _symbol_table, base_addr, TCBTableOff, SizeOff):
-
- TCBTable = base_addr + TCBTableOff
- MaxHashTableSize = base_addr + SizeOff
-
-
- TCBTableAddr = read_value(addr_space, 'unsigned long', TCBTable)
-
- if TCBTableAddr == None:
- return []
-
- if not addr_space.is_valid_address(TCBTableAddr):
- return []
-
- TableSize = read_value(addr_space, 'unsigned long', MaxHashTableSize)
-
- if TableSize == None:
- return []
-
- connection_list = []
- for cnt in range(0, TableSize):
- EntryAddress = TCBTableAddr + 4*cnt
-
- if not addr_space.is_valid_address(EntryAddress):
- continue
-
- TableEntry = read_value(addr_space, 'unsigned long', EntryAddress)
- if TableEntry == 0 or TableEntry == None:
- continue
-
- next = read_obj(addr_space, types,
- ['_TCPT_OBJECT', 'Next'], TableEntry)
-
- while next != 0x0:
- if not addr_space.is_valid_address(next):
- print "ConnectionList Truncated Invalid 0x%x" % next
- return connection_list
- connection_list.append(next)
- next = read_obj(addr_space, types,
- ['_TCPT_OBJECT', 'Next'], next)
-
- connection_list.append(TableEntry)
-
- return connection_list
-
-
-def find_connections(addr_space, types, symbol_table, base_addr):
-
- connection_list = []
-
- for offsets in module_versions:
- offsets = module_versions[offsets]
-
- connection_list = get_tcb_connections(addr_space, types, symbol_table, base_addr, offsets['TCBTableOff'][0], offsets['SizeOff'][0])
- if len(connection_list) > 0:
- return connection_list
-
- return connection_list
-
-
def connection_pid(addr_space, types, connection_vaddr):
return read_obj(addr_space, types,
['_TCPT_OBJECT', 'Pid'], connection_vaddr)
diff --git a/Volatility/memory_plugins/internal/modules.py b/Volatility/memory_plugins/internal/modules.py
new file mode 100644
index 0000000..7436b2a
--- /dev/null
+++ b/Volatility/memory_plugins/internal/modules.py
@@ -0,0 +1,39 @@
+'''
+Created on 25 Sep 2009
+
+@author: Mike Auty
+'''
+
+#pylint: disable-msg=C0111
+
+import forensics.commands
+import forensics.win32 as win32
+import forensics.object2 as object2
+import forensics.utils as utils
+
+class modules(forensics.commands.command):
+ """Print list of loaded modules"""
+
+ def __init__(self, args=None):
+ forensics.commands.command.__init__(self, args)
+ self.profile = None
+
+ def render_text(self, outfd, data):
+ header = False
+
+ for module in data:
+ if not header:
+ outfd.write("%-50s %-12s %-8s %s\n" % ('File', 'Base', 'Size', 'Name'))
+ header = True
+ outfd.write("%-50s 0x%0.10x 0x%0.6x %s\n" % (module.FullDllName, int(module.BaseAddress.value()), int(module.SizeOfImage), module.ModuleName))
+
+
+ def calculate(self):
+ result = {}
+ self.profile = object2.Profile()
+
+ addr_space = utils.load_as(self.opts)
+
+ result = win32.modules.lsmod(addr_space, self.profile)
+
+ return result
\ No newline at end of file
diff --git a/Volatility/vmodules.py b/Volatility/vmodules.py
index 46bef38..80748fd 100644
--- a/Volatility/vmodules.py
+++ b/Volatility/vmodules.py
@@ -40,10 +40,8 @@ from forensics.object import read_unicode_string, read_obj
from forensics.win32.tasks import module_base, module_path, module_size, create_addr_space, process_addr_space, process_command_line, process_dtb, process_find_pid
from forensics.win32.tasks import process_imagename, process_ldrs, process_list, process_peb, process_pid, process_handle_table, process_create_time, process_handle_count
from forensics.win32.tasks import process_inherited_from, process_num_active_threads, process_vadroot
-from forensics.win32.modules import modules_list
from forensics.win32.network import socket_create_time, socket_local_port, socket_pid, socket_protocol, open_sockets
from forensics.win32.handles import handle_entries, handle_process_id, handle_tables, handle_entry_object, is_object_file, object_data, file_name
-from forensics.win32.modules import module_baseaddr, module_imagename, module_imagesize, module_modulename
from forensics.win32.vad import vad_dump, vad_info, print_vad_dot_infix, print_vad_dot_prefix, print_vad_table, print_vad_tree, traverse_vad
from forensics.win32.scan import module_scan, conn_scan, ps_scan_dot, ps_scan, socket_scan, thrd_scan
from forensics.win32.crashdump import crash_to_dd, dd_to_crash
@@ -75,43 +73,6 @@ def format_time(time):
return ts
###################################
-# modules list
-###################################
-def get_modules(cmdname, argv):
- """
- Function prints a formatted table of module information
- """
- op = get_standard_parser(cmdname)
- opts, _args = op.parse_args(argv)
-
- (addr_space, symtab, types) = load_and_identify_image(op, opts)
-
- all_modules = modules_list(addr_space, types, symtab)
-
- print "%-50s %-12s %-8s %s" % ('File', 'Base', 'Size', 'Name')
-
- for module in all_modules:
- if not addr_space.is_valid_address(module):
- continue
- module_image = module_imagename(addr_space, types, module)
- if module_image is None:
- module_image = "UNKNOWN"
-
- module_name = module_modulename(addr_space, types, module)
- if module_name is None:
- module_name = "UNKNOWN"
-
- module_base = module_baseaddr(addr_space, types, module)
- if module_base is None:
- module_base = "UNKNOWN"
- else:
- module_base = "0x%010x" % module_base
-
- module_size = module_imagesize(addr_space, types, module)
-
- print "%-50s %s 0x%06x %s" % (module_image, module_base, module_size, module_name)
-
-###################################
# pslist - process list
###################################
def get_pslist(cmdname, argv):
diff --git a/Volatility/volatility.py b/Volatility/volatility.py
index ebdf02e..dc7b894 100644
--- a/Volatility/volatility.py
+++ b/Volatility/volatility.py
@@ -56,10 +56,6 @@ modules = {
VolatoolsModule('files',
'Print list of open files for each process',
get_open_files),
- 'modules':
- VolatoolsModule('modules',
- 'Print list of loaded modules',
- get_modules),
'strings':
VolatoolsModule('strings',
'Match physical offsets to virtual addresses (may take a while, VERY verbose)',
--
1.6.5.rc1
>From 8d39cba526fed7885bdfece50d981f1856487555 Mon Sep 17 00:00:00 2001
From: Mike Auty <mike.auty(a)gmail.com>
Date: Sat, 26 Sep 2009 13:00:01 +0100
Subject: [PATCH] Add in sockets plugin.
---
Volatility/forensics/win32/modules.py | 46 +-----------
Volatility/forensics/win32/network.py | 96 ++++++++-----------------
Volatility/memory_plugins/internal/sockets.py | 39 ++++++++++
Volatility/vmodules.py | 30 --------
Volatility/volatility.py | 4 -
5 files changed, 71 insertions(+), 144 deletions(-)
create mode 100644 Volatility/memory_plugins/internal/sockets.py
diff --git a/Volatility/forensics/win32/modules.py b/Volatility/forensics/win32/modules.py
index 7b20ff1..9f438aa 100644
--- a/Volatility/forensics/win32/modules.py
+++ b/Volatility/forensics/win32/modules.py
@@ -25,8 +25,8 @@
#pylint: disable-msg=C0111
-from forensics.object import read_obj, read_unicode_string, get_obj_offset
-from forensics.win32.info import find_psloadedmodulelist, kpcr_addr
+from forensics.object import read_obj, read_unicode_string
+from forensics.win32.info import kpcr_addr
from forensics.object2 import NewObject
def lsmod(addr_space, profile):
@@ -55,48 +55,6 @@ def lsmod(addr_space, profile):
"_LDR_MODULE", "InLoadOrderModuleList"):
yield l
-def modules_list(addr_space, types, _symbol_table):
- """
- Get the virtual addresses of all Windows modules
- """
- modules_list = []
-
- PsLoadedModuleList = find_psloadedmodulelist(addr_space, types)
-
- if not PsLoadedModuleList is None:
- (offset, _tmp) = get_obj_offset(types, \
- ['_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks'])
-
- first_module = PsLoadedModuleList - offset
-
- current = read_obj(addr_space, types, \
- ['_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks', 'Flink'],
- first_module)
-
- this_module = current - offset
-
- next = read_obj(addr_space, types, \
- ['_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks', 'Flink'],
- this_module)
-
- while this_module != PsLoadedModuleList:
-
- if not addr_space.is_valid_address(this_module):
- print "Module list truncated, unable to read 0x%x." % (this_module)
- return modules_list
-
- modules_list.append(this_module)
- current = read_obj(addr_space, types, \
- ['_LDR_DATA_TABLE_ENTRY', 'InLoadOrderLinks', 'Flink'],
- this_module)
- this_module = current - offset
-
- if not addr_space.is_valid_address(this_module):
- print "ModuleList Truncated Invalid Module"
- return modules_list
-
- return modules_list
-
def module_imagename(address_space, types, module_vaddr):
return read_unicode_string(address_space, types,
['_LDR_DATA_TABLE_ENTRY', 'FullDllName'], module_vaddr)
diff --git a/Volatility/forensics/win32/network.py b/Volatility/forensics/win32/network.py
index 7ebad10..bb1f182 100644
--- a/Volatility/forensics/win32/network.py
+++ b/Volatility/forensics/win32/network.py
@@ -31,9 +31,8 @@
import struct
import forensics.win32 as win32
import forensics.object2 as object2
-from forensics.object import read_value, read_obj, get_obj_offset
+from forensics.object import read_obj, get_obj_offset
from forensics.win32.datetime import read_time, windows_to_unix_time
-from forensics.win32.modules import module_find_baseaddr, modules_list
from socket import ntohs, inet_ntoa
module_versions = { \
@@ -111,6 +110,35 @@ def determine_connections(addr_space, profile):
return object2.NoneObject("Unable to determine connections")
+def determine_sockets(addr_space, profile):
+ """Determines all sockets for each module"""
+ all_modules = win32.modules.lsmod(addr_space, profile)
+
+ profile.add_types({'_ADDRESS_OBJECT_POINTER': [0x4,
+ {'Pointer': [0x0, ['pointer', ['_ADDRESS_OBJECT']]]}
+ ]})
+
+ sockets = []
+
+ for m in all_modules:
+ if str(m.ModuleName).lower() == 'tcpip.sys':
+ for attempt in module_versions:
+ table_size = object2.NewObject("unsigned long", m.BaseAddress + module_versions[attempt]['AddrObjTableSizeOffset'][0], addr_space, profile=profile)
+ table_addr = object2.NewObject("unsigned long", m.BaseAddress + module_versions[attempt]['AddrObjTableOffset'][0], addr_space, profile=profile)
+ if int(table_size) > 0:
+ table = object2.Array('Array', table_addr, addr_space, count=table_size, profile=profile,
+ target=object2.Curry(object2.NewObject, '_ADDRESS_OBJECT_POINTER'))
+ for entry in table:
+ if entry is None:
+ break
+ sock = entry.Pointer.dereference()
+ while sock.is_valid():
+ sockets.append(sock)
+ sock = sock.Next
+ return sockets
+
+ return object2.NoneObject("Unable to determine sockets")
+
def connection_pid(addr_space, types, connection_vaddr):
return read_obj(addr_space, types,
['_TCPT_OBJECT', 'Pid'], connection_vaddr)
@@ -133,70 +161,6 @@ def connection_raddr(addr_space, types, connection_vaddr):
['_TCPT_OBJECT', 'RemoteIpAddress'], connection_vaddr)
return inet_ntoa(struct.pack('=L', raddr))
-def open_sockets(addr_space, types, symbol_table):
- all_modules = modules_list(addr_space, types, symbol_table)
- base_addr = module_find_baseaddr(addr_space, types, all_modules,"tcpip")
-
- if base_addr is None:
- return []
-
- socket_list = []
-
- socket_list = find_sockets(addr_space, types, symbol_table, base_addr)
-
- return socket_list
-
-def get_open_sockets(addr_space, types, _symbol_table, base_addr, AddrObjTableOffset, AddrObjTableSizeOffset):
-
- AddrObjTable = base_addr + AddrObjTableOffset
- AddrObjTableSize = base_addr + AddrObjTableSizeOffset
-
- AddrObjAddr = read_value(addr_space, 'unsigned long', AddrObjTable)
- AddrTableSize = read_value(addr_space, 'unsigned long', AddrObjTableSize)
-
- if AddrObjAddr == None or AddrTableSize == None:
- return []
-
- socket_list = []
- for cnt in range(0, AddrTableSize):
- EntryAddress = AddrObjAddr + 4*cnt
-
- if not addr_space.is_valid_address(EntryAddress):
- continue
-
- TableEntry = read_value(addr_space, 'unsigned long', EntryAddress)
- if TableEntry == 0 or TableEntry == None:
- continue
-
- socket_list.append(TableEntry)
- next = read_obj(addr_space, types,
- ['_ADDRESS_OBJECT', 'Next'], TableEntry)
-
- while next != 0x0:
- if not addr_space.is_valid_address(next):
- print "SocketList Truncated Invalid 0x%x" % next
- return socket_list
- socket_list.append(next)
- next = read_obj(addr_space, types,
- ['_ADDRESS_OBJECT', 'Next'], next)
-
- return socket_list
-
-
-def find_sockets(addr_space, types, symbol_table, base_addr):
-
- socket_list = []
-
- for offsets in module_versions:
- offsets = module_versions[offsets]
-
- socket_list = get_open_sockets(addr_space, types, symbol_table, base_addr, offsets['AddrObjTableOffset'][0], offsets['AddrObjTableSizeOffset'][0])
- if len(socket_list) > 0:
- return socket_list
-
- return socket_list
-
-
def socket_pid(addr_space, types, socket_vaddr):
return read_obj(addr_space, types,
['_ADDRESS_OBJECT', 'Pid'], socket_vaddr)
diff --git a/Volatility/memory_plugins/internal/sockets.py b/Volatility/memory_plugins/internal/sockets.py
new file mode 100644
index 0000000..b931964
--- /dev/null
+++ b/Volatility/memory_plugins/internal/sockets.py
@@ -0,0 +1,39 @@
+'''
+Created on 25 Sep 2009
+
+@author: Mike Auty
+'''
+
+#pylint: disable-msg=C0111
+
+import forensics.commands
+import forensics.win32 as win32
+import forensics.object2 as object2
+import forensics.utils as utils
+import socket
+
+class sockets(forensics.commands.command):
+ """Print list of open sockets"""
+
+ def __init__(self, args=None):
+ forensics.commands.command.__init__(self, args)
+ self.profile = None
+
+ def render_text(self, outfd, data):
+ if len(data):
+ outfd.write("%-6s %-6s %-6s %-26s\n" % ('Pid', 'Port', 'Proto', 'Create Time'))
+
+ for sock in data:
+ outfd.write("%-6s %-6s %-6s %-26s\n" % (int(sock.Pid), socket.ntohs(sock.LocalPort), int(sock.Protocol), sock.CreateTime))
+
+
+ def calculate(self):
+ result = {}
+ self.profile = object2.Profile()
+
+ addr_space = utils.load_as(self.opts)
+
+ # Get the Image Datetime
+ result = win32.network.determine_sockets(addr_space, self.profile)
+
+ return result
\ No newline at end of file
diff --git a/Volatility/vmodules.py b/Volatility/vmodules.py
index 80748fd..8633c7a 100644
--- a/Volatility/vmodules.py
+++ b/Volatility/vmodules.py
@@ -40,7 +40,6 @@ from forensics.object import read_unicode_string, read_obj
from forensics.win32.tasks import module_base, module_path, module_size, create_addr_space, process_addr_space, process_command_line, process_dtb, process_find_pid
from forensics.win32.tasks import process_imagename, process_ldrs, process_list, process_peb, process_pid, process_handle_table, process_create_time, process_handle_count
from forensics.win32.tasks import process_inherited_from, process_num_active_threads, process_vadroot
-from forensics.win32.network import socket_create_time, socket_local_port, socket_pid, socket_protocol, open_sockets
from forensics.win32.handles import handle_entries, handle_process_id, handle_tables, handle_entry_object, is_object_file, object_data, file_name
from forensics.win32.vad import vad_dump, vad_info, print_vad_dot_infix, print_vad_dot_prefix, print_vad_table, print_vad_tree, traverse_vad
from forensics.win32.scan import module_scan, conn_scan, ps_scan_dot, ps_scan, socket_scan, thrd_scan
@@ -296,35 +295,6 @@ def get_dlllist(cmdname, argv):
print
###################################
-# sockets - List open sockets
-###################################
-def get_sockets(cmdname, argv):
- """
- Function prints a list of open sockets.
- """
- op = get_standard_parser(cmdname)
- opts, _args = op.parse_args(argv)
-
- (addr_space, symtab, types) = load_and_identify_image(op, opts)
-
- sockets = open_sockets(addr_space, types, symtab)
-
- if len(sockets) > 0:
- print "%-6s %-6s %-6s %-26s" % ('Pid', 'Port', 'Proto', 'Create Time')
-
- for socket in sockets:
-
- if not addr_space.is_valid_address(socket):
- continue
-
- pid = socket_pid(addr_space, types, socket)
- proto = socket_protocol(addr_space, types, socket)
- port = socket_local_port(addr_space, types, socket)
- time = socket_create_time(addr_space, types, socket)
-
- print "%-6d %-6d %-6d %-26s" % (pid, port, proto, format_time(time))
-
-###################################
# files - List open files
###################################
def print_entry_file(addr_space, types, entry):
diff --git a/Volatility/volatility.py b/Volatility/volatility.py
index dc7b894..65f6732 100644
--- a/Volatility/volatility.py
+++ b/Volatility/volatility.py
@@ -48,10 +48,6 @@ modules = {
VolatoolsModule('dlllist',
'Print list of loaded dlls for each process',
get_dlllist),
- 'sockets':
- VolatoolsModule('sockets',
- 'Print list of open sockets',
- get_sockets),
'files':
VolatoolsModule('files',
'Print list of open files for each process',
--
1.6.5.rc1
15 years, 1 month
- 1
- 0
[Patch] NewObject load_as error checking improvements
by Mike Auty
Hiya guys,
Here's the first of a few patches. This one should improve the error
checking during the utils.load_as function call. Now if the base
address space can't be instantiated, it raises it's own form of
exception allowing the main program to catch it and report back
gracefully what went wrong.
Without this, just running volatility followed by a plugin name would
fail as the filename address space assumed a filename option would
always be present...
Mike 5:)
diff --git a/Volatility/forensics/utils.py b/Volatility/forensics/utils.py
index 69eccd2..0ff3151 100644
--- a/Volatility/forensics/utils.py
+++ b/Volatility/forensics/utils.py
@@ -19,7 +19,12 @@ def load_as(opts):
## selecting us means we are done:
if not found:
break
+
+ if base_as is None:
+ raise AddrSpaceError("No suitable address space maaping found")
return base_as
-
+class AddrSpaceError(Exception):
+ """Address Space Exception, so we can catch and deal with it in the main program"""
+ pass
\ No newline at end of file
diff --git a/Volatility/memory_objects/Windows/xp_sp2.py b/Volatility/memory_objects/Windows/xp_sp2.py
index 7cd97e0..2a8887e 100644
--- a/Volatility/memory_objects/Windows/xp_sp2.py
+++ b/Volatility/memory_objects/Windows/xp_sp2.py
@@ -25,7 +25,7 @@
#pylint: disable-msg=C0111
-from forensics.object2 import CType, NewObject, NativeType, Curry
+from forensics.object2 import CType, NewObject, NoneObject, NativeType, Curry
from vtypes import xpsp2types as types
from forensics.win32.datetime import windows_to_unix_time
import vmodules
diff --git a/Volatility/memory_plugins/address_spaces/standard.py b/Volatility/memory_plugins/address_spaces/standard.py
index 2712e09..1d4844e 100644
--- a/Volatility/memory_plugins/address_spaces/standard.py
+++ b/Volatility/memory_plugins/address_spaces/standard.py
@@ -23,6 +23,7 @@ class FileAddressSpace(addrspace.BaseAddressSpace):
def __init__(self, base, opts):
addrspace.BaseAddressSpace.__init__(self, base, opts)
assert(base == None)
+ assert(opts['filename'] is not None)
self.name = opts['filename']
self.fname = self.name
self.mode = opts.get('mode','rb')
diff --git a/Volatility/vmodules.py b/Volatility/vmodules.py
index 46737d1..ec642f8 100644
--- a/Volatility/vmodules.py
+++ b/Volatility/vmodules.py
@@ -37,7 +37,6 @@ from forensics.addrspace import FileAddressSpace
from forensics.win32.hiber_addrspace import WindowsHiberFileSpace32
from forensics.win32.crash_addrspace import WindowsCrashDumpSpace32
from forensics.object import read_unicode_string, read_obj
-from forensics.win32.datetime import local_time, windows_to_unix_time
from forensics.win32.tasks import module_base, module_path, module_size, create_addr_space, process_addr_space, process_command_line, process_dtb, process_find_pid
from forensics.win32.tasks import process_imagename, process_ldrs, process_list, process_peb, process_pid, process_handle_table, process_create_time, process_handle_count
from forensics.win32.tasks import process_inherited_from, process_num_active_threads, process_vadroot
diff --git a/Volatility/volatility.py b/Volatility/volatility.py
index a377749..4e04aeb 100644
--- a/Volatility/volatility.py
+++ b/Volatility/volatility.py
@@ -35,6 +35,7 @@
import sys
import os
import forensics.registry as MemoryRegistry
+import forensics.utils
from vmodules import *
@@ -201,12 +202,15 @@ def main(argv=sys.argv):
print "Error: Invalid module [%s]." % (argv[1])
usage(argv[0])
- if modules.has_key(argv[1]):
- modules[argv[1]].execute(argv[1], argv[2:])
- elif MemoryRegistry.PLUGIN_COMMANDS.commands.has_key(argv[1]):
- command = MemoryRegistry.PLUGIN_COMMANDS[argv[1]](argv[2:])
- command.execute()
-
+ try:
+ if modules.has_key(argv[1]):
+ modules[argv[1]].execute(argv[1], argv[2:])
+ elif MemoryRegistry.PLUGIN_COMMANDS.commands.has_key(argv[1]):
+ command = MemoryRegistry.PLUGIN_COMMANDS[argv[1]](argv[2:])
+ command.execute()
+ except forensics.utils.AddrSpaceError:
+ print "Error: No suitable address space found, please check your options."
+ usage(argv[0])
if __name__ == "__main__":
main()
15 years, 1 month
- 2
- 1
[Patch] NewObject branch wintimestamp subtraction improvement
by Mike Auty
Hi again,
This one's a very quick one, it just ensures that subtraction happens on
the raw value of the data (by overriding type.value rather than just
type.v). This allows two wintimestamps to be subtracted, without
passing them through windows_to_unix_time first (which maps a number of
small windows times down to 0).
I'm not certain of the difference between type.v and type.value, so if
there's some reason we shouldn't be overriding this, do please let me
know... 5;)
Without this, subtracting a TimeZoneBias (in the form of a wintimestamp)
from another wintimestamp will probably leave the original wintimestamp
the same (since the TimeZoneBias will register as unixtime 0)...
Mike 5:)
diff --git a/Volatility/memory_objects/Windows/xp_sp2.py b/Volatility/memory_objects/Windows/xp_sp2.py
index 2a8887e..4cc4956 100644
--- a/Volatility/memory_objects/Windows/xp_sp2.py
+++ b/Volatility/memory_objects/Windows/xp_sp2.py
@@ -26,7 +26,6 @@
#pylint: disable-msg=C0111
from forensics.object2 import CType, NewObject, NoneObject, NativeType, Curry
-from vtypes import xpsp2types as types
from forensics.win32.datetime import windows_to_unix_time
import vmodules
@@ -42,10 +41,10 @@ class _UNICODE_STRING(CType):
try:
length = self.Length.v()
if length > 1024:
- length=0
+ length = 0
data = self.vm.read(self.Buffer.v(), length)
return data.decode("utf16","ignore").encode("ascii",'backslashreplace')
- except Exception, e:
+ except Exception, _e:
return ''
def __str__(self):
@@ -119,20 +118,24 @@ class WinTimeStamp(NativeType):
parent=None, profile=None, name=None, **args):
## This allows us to have a WinTimeStamp object with a
## predetermined value
+ self.data = None
if value:
self.data = value
else:
NativeType.__init__(self, type, offset, vm, parent=parent, profile=profile,
name=name, format_string="q")
- def v(self):
- try:
+ def value(self):
+ """Override the value return, depending on whether we have a data field"""
+ if self.data is not None:
return self.data
- except:
- return windows_to_unix_time(NativeType.v(self))
+ return NativeType.value(self)
+
+ def v(self):
+ return windows_to_unix_time(self.value())
def __sub__(self, x):
- return WinTimeStamp(value = self.v() - x.v())
+ return WinTimeStamp(value = self.value() - x.value())
def __str__(self):
return vmodules.format_time(self.v())
@@ -142,7 +145,7 @@ LEVEL_MASK = 0xfffffff8
class _EPROCESS(CType):
""" An extensive _EPROCESS with bells and whistles """
- def _Peb(self,attr):
+ def _Peb(self, _attr):
""" Returns a _PEB object which is using the process address space.
The PEB structure is referencing back into the process address
@@ -198,7 +201,7 @@ class _EPROCESS(CType):
parent=self, profile=self.profile)
yield filevar
- except Exception, e:
+ except Exception, _e:
pass
def handles(self):
15 years, 1 month
- 1
- 0
Re: [Vol-dev] [patch] Pylint improvements for new_object
by Michael Cohen
Hi Mike,
Thanks for the patch. I tried to update it in the spirit of the new
object framework.
Im sure you already know what im about to say but this is to clarify
for other members of the list.
When you add a vtype overlay like
+ '_KUSER_SHARED_DATA' : [ None, { \
+ 'SystemTime' : [ None, ['WinTimeStamp', {}]], \
+ 'TimeZoneBias' : [ None, ['WinTimeStamp', {}]], \
+ }],
You are saying that a WinTimeStamp object should be used to decode
these fields. This overrides the standard definition in vtypes.py:
'_KUSER_SHARED_DATA' : [ 0x338, { \
'SystemTime' : [ 0x14, ['_KSYSTEM_TIME']], \
'TimeZoneBias' : [ 0x20, ['_KSYSTEM_TIME']], \
'SuiteMask' : [ 0x2d0, ['unsigned long']], \
'NumberOfPhysicalPages' : [ 0x2e8, ['unsigned long']], \
so in your ident module when you do this:
k = object2.NewObject("_KUSER_SHARED_DATA",
win32.info.KUSER_SHARED_DATA, addr_space, profile=self.profile)
you will actually get an instance of WinTimeStamp back. Since adding
and subtracting time is quite common its worth adding a __sub__ method
to this class so you can just do:
return k.SystemTime - k.TimeZoneBias
Which is more readable and easier to understand - also note that this
should return a WinTimeStamp object - typically with the new command
reorg we try to ensure that we dont pass strings until the very end -
so as not to lose information. Note that expanding a WinTimeStamp into
a string will format it. You should try to use construct like
outfd.write(" Datetime: %s\n" % data['ImageDatetime'])
instead of
outfd.write(" Datetime: " + data['ImageDatetime'])
The latter breaks when data is not a string (which it should not usually be)
Finally try to return NoneObject( reason) from functions rather than
None - this allows you to do stuff like:
for task in win32.tasks.pslist(addr_space, self.profile):
if task.Peb.CSDVersion:
instead of
+ for task in win32.tasks.pslist(addr_space, self.profile):
+ if task.Peb is not None:
+ if task.Peb.CSDVersion is not None:
Which is more error prone because you can forget to check for None at
a certain level for a timebomb bug. Admittadly I fixed a bug where
pslist() didnt do this it was my fault - but thats what we aim for.
Note that NoneObjects can be deferenced as much as you like to produce
the same NoneObject (i.e. the original fault is propagated).
This is important since in memory forensics sometime you will fail to
dereference a point which you thought was there (e.g. if its paged
out) so at least this allows the code to proceed without raising and
prevents you from having to check every single dereference for
success.
Hope this help,
Michael.
On Mon, Sep 21, 2009 at 8:34 AM, Mike Auty <mike.auty(a)gmail.com> wrote:
> Michael Cohen wrote:
>> Hi Mike,
>
> Hiya Michael!
>
>> Ok I will push it to the repository. I must admit im not a fan of svn
>> so im still a bit rusty in using it. Is there any way to get you
>> access to the new object branch? (this question is directed at project
>> admins btw).
>
> Thanks very much for committing that. I know what you mean about svn, I
> tend to use git to track everything, and then it can just push back into
> svn when it needs too (and it'll remind you if you missed a file, just
> like hg!). 5;)
>
>> Ahh the linux tasks is really not even integrated at all yet. Its kind
>> of neglected since noone seems to be interested in linux atm :-(.
>
> I think Jon (echo6) might be interested in the Linux side of things.
> I've also got the old truecrypt plugin on look at on my todo list (way,
> way down on my todo list, but there at least), so we might be able to
> help bolster that. It might be more worthwhile persuing the Mac OS
> X/BSD side of things though, given the distribution of machines people
> might run up against (particularly if people start looking at iPhones on
> ARM)... 5:)
>
>> heh - see here is my svn ignorance showing again - svn doesnt
>> automatically tell you you missed adding a file as far as i can see
>> (like hg does) - sorry I forgot to add that file.
>
> No problem, thanks for adding it back in. 5:)
>
>> The scan2 stuff is faster because its a more optimised scanning
>> technique - not really related to the new object framework. Basically
>> I was going to convert all the basic modules to the new framework as
>> well as we can. It will require a re-engineering of the module rather
>> than just a search/replace though since the new framework is much more
>> concise and readable - case in point is the example I gave previously
>> of _CM_HIVE.
>
> Thanks, I had a go at starting to convert over some of the modules.
> I've done datetime and ident for now, just to get me going. Any chance
> you could take a look at them (part of the attached patch, since I
> touched other bits of the tree). I'm still not fully up to speed on
> everything, so any criticisms would be greatly appreciated! 5:)
>
>> It will be clearer quite quickly which ones we need and which are not
>> so needed - e.g. the pstree one is basically pslist with some extra
>> stuff. If you look at the memory_objects//Windows/xp_sp2.py you can
>> see that the new object classes are starting to implement their own
>> methods to do stuff they want - for example to iterate over an
>> _EPROCESS's handles you can just call:
>>
>> for h in process.handles():
>> xxx
>>
>> this basically obsoletes Volatility/forensics/win32/handles.py
>
> That's very cool! The next step I guess will be to start removing the
> older/unnecessary stuff to clear it all up. 5:)
>
>> Thats a great idea - although better than a single version string it
>> might be better to implement separate versions for each subsystem and
>> let the plugin decide if its ok to work with - e.g. new_object_version
>> 1.0 etc. Maybe just have a version in the command class?
>
> Yep, that seems reasonable. The command class can keep a requirements
> list of features, and the framework can check it satisfies them all.
> That will allow for newer versions and new features, and to gracefully
> deprecate then remove old versions.
>
>> It might work this way im not sure - but the intension is to produce
>> better code, so I would suggest a better replacement for each plugin
>> should be written in the spirit of the new object design.
>
> Absolutely, as I say, I've started with the easy ones, but I have every
> intention to moving getting rid of vmodules (and then clearing out as
> much of the win32.* as are no longer necessary/use the old object model.
>
>> Oh i wrote a page about it once -
>> http://www.pyflag.net/cgi-bin/moin.cgi/Volatility_Object_Framework
>>
>> This is just me playing around and not any "official" way to generate
>> vtypes. It should probably be added to the repo.
>
> Brilliant, that's just the kind of documentation I was looking for. It
> gives a good overview of what's going on. Thanks! 5:)
>
>> Developement typically occured ad hoc and people
>> needed to essentially patch the framework as well as provide plugins
>> which sort of defeats the whole point of plugins. One of the problems
>> has been the inability to add complex vtype handling via plugins - a
>> problem which is addressed in the new branch.
>
> The overlay idea looks really good, but I'm still a little unclear how
> to integrate it cleanly (ie, how to have it affect just a single module,
> in case one overlays changes that break another)...
>
>> ## Maintained for backward compatibility do not use in new code
>
> Yeah, I saw that, it was just still used all over the place, and unless
> it goes away, I think people will keep using it... 5:(
>
>> I was a bit reluctant to completely remove old object support - but I
>> think I might need to do that to make it clear what files are going to
>> be removed.
>
> Yeah, I think so too, but it should make everything a lot easier to
> follow (and much easier to document!). 5:)
>
> Mike 5:)
>
15 years, 1 month
- 2
- 1
[patch] Pylint improvements for new_object
by Mike Auty
Hi guys,
Here's another pylint patch, much of it the same as the last one, but
this one applies to the new_object branch (it's probably a bit better
than the last one).
new_object requires utils.py[1] and linked_lists.py[2] to work, and the
patch requires their presence. Please be aware, I don't have a complete
library of images to test this stuff against, so whilst none of the
changes should break anything, if they do, please let me know and I'll
be happy to fix them up (particularly if you've got an image I can test
them against!). 5:)
I think the load_as function from utils.py (which makes use of the new
address_space voting scheme that scudette wrote) will make a huge
difference to the duplication going on in all the plugins, so my next
step is going to be converting vmodules.py into individual plugin files,
and then converting each one to use the new address_space system. Once
I get good at that, I can start taking on externally written plugins, if
it'll help? I think maintaining backwards compatibility will clutter an
already complicated layout, so I'd sooner offer my time to convert other
people's plugins, than try and maintain two mechanisms side-by-side and
hope people don't get confused about which one they should be using.
With the namespace cleanup happening anyway, this seems like an ideal
time to drop any deprecated code, unless people think otherwise?
After that, I'm going to have a go at converting them from Object to
NewObject calls. Does anyone know whether NewObject is a drop in
replacement for Object, or if there are specific changes required (such
as, does NewObject require Profiles, or will it still work with normal
types arrays)?
Also, I wondered what people's thoughts were (as a long term goal) on
integrating the Object2/NewObject code with the object code, so that all
the familiars like read_string and so on, would be done through the one
single object model?
So, once all the modules are in their own individual files, and the
imports are all explicit, it should become much easier to move things
around, and get volatility into it's own namespace. Once that's been
done, I'll probably do a sweep over the code changing all the direct
imports (from blah.mumble import foo) to slightly more explicit ones
(import blah.mumble) or similar. The reason I'd do this is because the
imports were all over the place (as evidenced by the fact that not one
internal plugin imported forensics.commands!), and the namespaces were
getting messed up (so most of the plugins were importing gmtime from
other volatility modules, rather than from time itself). The main
question becomes, would it be tedious/ugly to have such long names (like
"volatility.forensics.win32.tasks.process_handle(blah)") or are they not
called often enough to make coding cumbersome? What do people think?
That should cover the first three items on the todo list[3], and four
and five I've got existing code[4] that should get everything sorted
with the installation system, and allow volatility.exe binaries to be
created (there'll need to be some code modifications to allow plugins to
be dropped into directories external to the executable, but that's all
doable)...
Then it's just merging the linux stuff in (where does that come from?)
and lots and lots and lots of documentation!!! Anyone want to help out
with that? It'd really help to have some words about how scudette's
NewObject system works from anyone who understands it... 5:)
Mike 5:)
[1]
http://www.pyflag.net/pyflag/src/plugins/MemoryForensics/Volatility-1.3_Lin…
[2]
http://www.pyflag.net/pyflag/src/plugins/MemoryForensics/Volatility-1.3_Lin…
[3] http://code.google.com/p/volatility/wiki/ToDo14
[4]
http://phormat.svn.sourceforge.net/viewvc/phormat/trunk/phormat/setup.py?re…
15 years, 1 month
- 2
- 4