Hi,
Is it possible to get the symbol table of a module? The module structure
has a member called symtab, but is it possible to get the symbol names and
values from it?
Thanks!
Hi,
I'm currently attempting to get caching working with some library code that exists outside a plugin. The code is parsing debugging symbol tables and so some caching would be useful for performance purposes.
The use of caching is normally controlled at the command line via the --cache option. Within running library code, I'm using the following pattern to detect if the --cache option was specified:
import volatility.conf as conf


class Library(object):
    def __init__(self, *args, **kwargs):
        # ConfObject is a singleton, so every call returns the same
        # configuration object that the command line was parsed into.
        config = conf.ConfObject()
        # CACHE mirrors the --cache command-line option.
        # (Volatility 2.x runs on Python 2, hence the print statement.)
        if config.CACHE:
            print "cache enabled"
        else:
            print "cache disabled"
BTW, I'm aware that one can use the --debug option to see if caching is enabled at the terminal.
If one now places this code within the volatility directory and then calls it via a plugin - for example with say:
import volatility.plugins.common as common
from volatility.library import Library  # the Library class shown above


class TestPlugin(common.AbstractWindowsCommand):
    def __init__(self, *args, **kwargs):
        common.AbstractWindowsCommand.__init__(self, *args, **kwargs)
        # Constructing the library here runs its CACHE check.
        lib = Library()
and now if we run the plugin, I consistently observe that the --cache option is reported as disabled.
I've tried triggering cache enabling via a callback to cache.enable_caching with no joy.
Any help is greatly appreciated.
Many thanks,
Carl.
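An added example, not code from the post above and not Volatility's own conf module: a constructed, self-contained mock (ConfObject, EagerLibrary, LazyLibrary, observe and the mock's parse_options are all stand-ins introduced here) that shows one ordering issue worth ruling out when a singleton config reports a flag as disabled, namely whether the library reads the flag before or after the command line has been parsed. Whether that is what happens inside Volatility is an assumption the mock does not settle; it only makes the two readings observable.

```python
"""Mock of the singleton-config pattern from the post (constructed example).

ConfObject here is NOT volatility.conf.ConfObject; it is a minimal stand-in
with one option, CACHE, and a toy parse_options() that only understands the
--cache switch.
"""


class ConfObject(object):
    """Singleton: every ConfObject() call returns the same instance."""
    _instance = None

    def __new__(cls):
        if cls._instance is None:
            cls._instance = super(ConfObject, cls).__new__(cls)
            cls._instance.CACHE = False  # default until options are parsed
        return cls._instance

    def parse_options(self, argv):
        """Toy stand-in for command-line parsing: sets CACHE from --cache."""
        self.CACHE = "--cache" in argv


class EagerLibrary(object):
    """Reads the flag once, at construction time (the pattern in the post)."""

    def __init__(self):
        self.cache_enabled = bool(ConfObject().CACHE)


class LazyLibrary(object):
    """Defers the read until the flag is actually needed."""

    @property
    def cache_enabled(self):
        return bool(ConfObject().CACHE)


def observe(argv, construct_before_parse):
    """Run one simulated invocation and return (eager_value, lazy_value).

    argv: constructed command line, e.g. ["--cache"] or [].
    construct_before_parse: True builds the library before the options
    are parsed (as happens if it is created during import or early init),
    False builds it afterwards.
    """
    conf = ConfObject()
    conf.parse_options([])  # reset to the default for each run
    if construct_before_parse:
        eager = EagerLibrary()
        conf.parse_options(argv)
    else:
        conf.parse_options(argv)
        eager = EagerLibrary()
    lazy = LazyLibrary()
    return eager.cache_enabled, lazy.cache_enabled


if __name__ == "__main__":
    for before in (True, False):
        eager_seen, lazy_seen = observe(["--cache"], before)
        print("library built before parsing: %s -> eager=%s lazy=%s"
              % (before, eager_seen, lazy_seen))
```

With --cache on the constructed command line, the eager reading is False when the library is built before parsing and True afterwards, while the lazy property is True in both cases; reading the flag at the point of use is the pattern that does not depend on construction order.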
Hello,
We wanted to take the opportunity to point you to a blog post which gives a
preview of some of the research we've been working on at 504ENSICS Labs in
the area of Android memory analysis. We think our results will be of great
interest to the DFIR community and look forward to your feedback.
The blog post can be found here:
http://www.504ensics.com/android-application-dalvik-memory-analysis-the-chu…
---
Joe T. Sylve, M.S.
Co-Founder
504ENSICS Labs
www.504ensics.com | (504) 210-8270
Hello guys,
I would like to ask you some questions about the plugin contest.
First of all, if I decide to submit my new plugin to the contest, do I have
to keep it private until the notification (August)?
Second point, is it possible to post here some screencasts to have some
feedback and then submit my cool plugin to the contest?
I'm a PhD student so I would like to make my work public once I have
submitted the paper.
Regards,
/emdel
We are pleased to announce the next public Volatility training
opportunity: the Windows Malware and Memory Forensics Training by The
Volatility Project. This course will take place in Reston, VA from
Monday, June 10th through Friday, June 14th 2013. For details, please
see our blog:
http://volatility-labs.blogspot.com/2013/03/official-training-by-volatility…
or email us at: voltraining(a)memoryanalysis.net
All the best,
-gleeda
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
Hi all,
We (Alex Joss and Dario Schwab) worked on a set of Volatility plugins for a
generic and automated analysis of Android apps that we would like to share
with you. This work resulted from our bachelor thesis at Security
Engineering Lab of Bern University of Applied Sciences in Switzerland. For
now, this is just a proof of concept and it will be developed further in
the future.
Our approach is based on the dalvik-plugins from Holger Macht, published to
this mailing list on 2012-10-16.
Our plugins are the following:
- android_find_class_instances (scans the heap of the app)
- android_app_generic (analyses the contents of the found objects)
There are a few more files which have to be added or modified. Under the
following link you will find the complete Volatility 2.3-alpha framework
with our plugins and modifications already integrated:
https://dl.dropbox.com/u/12931232/volatility-2.3-devel-android.zip
Unfortunately we can't provide a patch set, because our work's based on
Volatility 2.3-alpha, which can't be downloaded anymore as reference. Maybe
someone could do this for us.
The Plugins, their usage and each needed modification of existing files are
explained in the attached README file.
Please let us know if you need help to get things running or if you have
any suggestions.
Regards, Alex and Dario
Hello everyone,
You've seen me around for the past two weeks, and I thought I might
introduce myself.
My name's Edwin and I've just started working on my masters thesis
(University of Twente, The Netherlands) and internship. I'm doing
research into user space memory forensics, and at this moment
volatility seems like the best tool to use for my research.
Last week I wrote a small plugin to get familiar with the framework,
it's available at [1]. I'll leave it up to you if it is useful enough
to include in volatility.
Currently I'm finalizing the approach to my research. Is it ok to use
this list (or vol-users) if I have any ideas or questions related to
my research that I need to bounce off of somebody?
If it isn't taking too much time away from my thesis, I also plan to
enter my research into the contest[2]. I hope that asking questions
here still makes me eligible :)
Cheers,
Edwin
[1] https://gist.github.com/Dutchy-/348cf96f56ea35e2b893
[2] http://volatility-labs.blogspot.nl/2013/01/the-1st-annual-volatility-framew…
Hello Volatility Devs,
I'm currently a student in a Digital Forensics class. We have used your
wonderful tool to do memory dumps. We now have a project to contribute to
an open source project. I was wondering if there was anything that I could
contribute to the Volatility project. My strong point isn't in programming,
but I have had an introduction to it. I don't know if there's any
documentation you'd like to have updated, or whatever. I look forward to a
response.
Warm Regards,
Joel Anderson
Brigham Young University - April 2014
Masters of Information Systems Management
(208) 570-7253
Hey Guys,
I've been waiting patiently while drooling for the new 2.3 release since October. I have several old cases where all I have is a memory image, and I'd like to be able to go back and dump out the registry hive files for manual examination. I keep checking back, but there's still no sign of dumpfiles being committed to the source repository. Does anyone have a good idea of when 2.3 is really likely to come out, and whether dumpfiles will actually be included?
If it's not coming soon, would there be any chance of getting a prerelease copy for testing? I'd be happy to send back debug info for any cases where it's broken.
Thanks much
John McCash