Re: [Vol-dev] Re: Pylint and code questions
13 Sep
2009
13 Sep
'09
4:13 p.m.
Michael Felber wrote:
Hello Mike,
Hiya Michael!
The firewire-access is quite funny but doesn't
work with Vista at the moment (the raw1394 is unable to see the Vista PC).
I've used it in anger against a Vista box without problem (well, it
appeared to bluescreen *slightly* more often, but that's just an opinion).
I have applied an extension (idea found at
https://www.moonloop.org/bin/view/Moonloop/Stream?tag=ida) to winlockpwn so it works fine
with any uptodate SP3 system I have testet.
That's cool, I was hoping to extend the idea, so there'd be a volatility
plugin that locates DLL images within memory, pieces them back together
using pefile, extracts the version information from the resource section
and then uses the filename and resource to lookup the correct offsets
and patches to apply to the image. I've already got some proof of
concept stuff for extracting version information after finding the page
with the DLL MZ header. The idea is there'd be a big database of useful
patches, and then they could be automatically deployed against a live
system.
All of this, however, would require enhancing the volatility plugin
interface to accept address spaces (and command line options) rather
than just command line options. It should help reduce a bit of the code
duplication that's going on, but it's quite an invasive change, and
might require plugin rewrites (unless we work in a plugin versioning
system, something like plugins based on forensics.commands.commandv2
maybe?). That'll start to get complicated over time though, and in
either situation the input interface will need to be designed carefully.
I'm still at too early a stage with the code to figure out what the
various plugins out there need/use and what they don't, so I can throw
out/mock up suggestions for how it might work, but it'll need someone
with a bit more knowledge of the system to let me know if I've missed
anything or if the interface isn't right for any reason.
It'd be most useful to find out what people think about backwards
compatibility for plugins? Is it worth trying to keep old plugins
working, or do you think people would be happy enough rewriting for the
new architecture?
But a live analysis of the memory may be not the best
idea because its to volatile, even a memory dump is not as consistent as a hiberfil.sys or
memory.dmp would be.
No, I know that, the firewire extension I'm proposing was to use all the
existing plugins to examine a live system from an educational/debugging
perspective, rather than as evidence. I figured that being able to see
how memory gets reallocated and manipulated live might be of interest,
just like the behaviour of live animals is of use to archaeologists... 5;)
Mike 5:)