9:30 p.m.
Hi guys,
Here's another pylint patch, much of it the same as the last one, but
this one applies to the new_object branch (it's probably a bit better
than the last one).
new_object requires utils.py[1] and linked_lists.py[2] to work, and the
patch requires their presence. Please be aware, I don't have a complete
library of images to test this stuff against, so whilst none of the
changes should break anything, if they do, please let me know and I'll
be happy to fix them up (particularly if you've got an image I can test
them against!). 5:)
I think the load_as function from utils.py (which makes use of the new
address_space voting scheme that scudette wrote) will make a huge
difference to the duplication going on in all the plugins, so my next
step is going to be converting vmodules.py into individual plugin files,
and then converting each one to use the new address_space system. Once
I get good at that, I can start taking on externally written plugins, if
it'll help? I think maintaining backwards compatibility will clutter an
already complicated layout, so I'd sooner offer my time to convert other
people's plugins, than try and maintain two mechanisms side-by-side and
hope people don't get confused about which one they should be using.
With the namespace cleanup happening anyway, this seems like an ideal
time to drop any deprecated code, unless people think otherwise?
After that, I'm going to have a go at converting them from Object to
NewObject calls. Does anyone know whether NewObject is a drop in
replacement for Object, or if there are specific changes required (such
as, does NewObject require Profiles, or will it still work with normal
types arrays)?
Also, I wondered what people's thoughts were (as a long term goal) on
integrating the Object2/NewObject code with the object code, so that all
the familiars like read_string and so on, would be done through the one
single object model?
So, once all the modules are in their own individual files, and the
imports are all explicit, it should become much easier to move things
around, and get volatility into it's own namespace. Once that's been
done, I'll probably do a sweep over the code changing all the direct
imports (from blah.mumble import foo) to slightly more explicit ones
(import blah.mumble) or similar. The reason I'd do this is because the
imports were all over the place (as evidenced by the fact that not one
internal plugin imported forensics.commands!), and the namespaces were
getting messed up (so most of the plugins were importing gmtime from
other volatility modules, rather than from time itself). The main
question becomes, would it be tedious/ugly to have such long names (like
"volatility.forensics.win32.tasks.process_handle(blah)") or are they not
called often enough to make coding cumbersome? What do people think?
That should cover the first three items on the todo list[3], and four
and five I've got existing code[4] that should get everything sorted
with the installation system, and allow volatility.exe binaries to be
created (there'll need to be some code modifications to allow plugins to
be dropped into directories external to the executable, but that's all
doable)...
Then it's just merging the linux stuff in (where does that come from?)
and lots and lots and lots of documentation!!! Anyone want to help out
with that? It'd really help to have some words about how scudette's
NewObject system works from anyone who understands it... 5:)
Mike 5:)
[1]
http://www.pyflag.net/pyflag/src/plugins/MemoryForensics/Volatility-1.3_Lin…
[2]
http://www.pyflag.net/pyflag/src/plugins/MemoryForensics/Volatility-1.3_Lin…
[3] http://code.google.com/p/volatility/wiki/ToDo14
[4]
http://phormat.svn.sourceforge.net/viewvc/phormat/trunk/phormat/setup.py?re…
10:42 p.m.
Hi Mike,
On Sun, Sep 20, 2009 at 11:30 AM, Mike Auty <mike.auty(a)gmail.com> wrote:
Hi guys,
Here's another pylint patch, much of it the same as the last one, but
this one applies to the new_object branch (it's probably a bit better
than the last one).
Thanks for that - the patch didnt seem to make it for me (it ended up
being a 14 byte bz2 file - maybe gmail stole it?).
new_object requires utils.py[1] and linked_lists.py[2]
to work, and the
patch requires their presence. Please be aware, I don't have a complete
Not exactly - the new object scheme itself doesnt need these as these
functions were merged into the new object code. However, since I still
had the old object code lying around there might have been some
references left over. I dont think they are used though. (linked lists
are now handled automatically by overlaying a
class _LIST_ENTRY(CType) definitions on top of the struct member -
defined in memory_objects/Windows/xp_sp2.py). utils.py is in the svn
tree (or it should be).
library of images to test this stuff against, so
whilst none of the
changes should break anything, if they do, please let me know and I'll
be happy to fix them up (particularly if you've got an image I can test
them against!). 5:)
I think the load_as function from utils.py (which makes use of the new
address_space voting scheme that scudette wrote) will make a huge
difference to the duplication going on in all the plugins, so my next
step is going to be converting vmodules.py into individual plugin files,
and then converting each one to use the new address_space system. Once
Some of that work is already done - please have a look at the new
plugins which are doing much the same things - I just left vmodules
there as a guide as to whats left to do. For example get_pslist() is
now powered by a rewritten pslist() in ./forensics/win32/tasks.py and
is used in the module memory_plugins/pstree.py for example.
I get good at that, I can start taking on externally
written plugins, if
it'll help? I think maintaining backwards compatibility will clutter an
already complicated layout, so I'd sooner offer my time to convert other
people's plugins, than try and maintain two mechanisms side-by-side and
I dont think backwards compatibility is a realistic goal we can have
when we change the underlying framework. I am more happy with a linux
style development model where everyone is free to have their own
modules, but committing them to the main tree will ensure they get
maintained as the code evolves.
hope people don't get confused about which one
they should be using.
With the namespace cleanup happening anyway, this seems like an ideal
time to drop any deprecated code, unless people think otherwise?
After that, I'm going to have a go at converting them from Object to
NewObject calls. Does anyone know whether NewObject is a drop in
replacement for Object, or if there are specific changes required (such
as, does NewObject require Profiles, or will it still work with normal
types arrays)?
It is not a drop in replacement at all - Hopefully its easier to use
than the old Object code. The new object code implements the
__getitem__ protocol so you can just do something like:
task_info['image_file_name'] = task.ImageFileName or
'UNKNOWN'
task_info['process_id'] = task.UniqueProcessId.v() or -1
task_info['active_threads'] = task.ActiveThreads or -1
task_info['inherited_from'] =
task.InheritedFromUniqueProcessId.v() or -1
task_info['handle_count'] = task.ObjectTable.HandleCount or -1
task_info['create_time'] = task.CreateTime
If the pointer is NULL it returns a NoneObject which can be used as
the LHS of or to continue assignment (giving defaults).
Also, I wondered what people's thoughts were (as a
long term goal) on
integrating the Object2/NewObject code with the object code, so that all
the familiars like read_string and so on, would be done through the one
single object model?
read_string and friends should be deprecated since the act of reading
from struct members is now fully implemented by the struct members
themselves - not by an external function. As an example here is
moyix's registry code:
class _CM_KEY_NODE(Object):
"""Class representing a _CM_KEY_NODE
Adds the following behavior:
* Name is read as a string.
"""
def __new__(typ, *args, **kwargs):
obj = object.__new__(typ)
return obj
# Custom Attributes
def getName(self):
return read_string(self.vm, types, ['_CM_KEY_NODE', 'Name'],
self.offset, self.NameLength)
Name = property(fget=getName)
implementing getName. This is now replaced by the new object
definition (from ./forensics/win32/overlay.py):
'_CM_KEY_NODE' : [ None, {
'Signature' : [ None, ['String', dict(length=2)]],
'LastWriteTime' : [ None, ['WinTimeStamp', {}]],
'Name' : [ None, ['String', dict(length=lambda x: x.NameLength)]],
}],
So you dont need read_string() at all - the object itself knows how to
do it. If x is a _CM_KEY_NODE then x.Name will return the string via
instantiating the String() object on the right AS.
BTW. The stuff defined in overlay.py can be thought of basically as
"fixups" to the vtypes (which are autogenerated from .h files). Where
we have None we dont override the vtypes definition, and if we have
something we do. So the overlay can be read in conjunction with the
vtypes definition:
'_CM_KEY_NODE' : [ 0x50, {
'Signature' : [ 0x0, ['String', dict(length=2)]],
'Flags' : [ 0x2, ['unsigned short']],
....
In this case I put the String definition into vtypes, but if it comes
from an autogenerated header file parser it might have crap in there
(like void* ) for example. In this case the overlay can fix it up.
Note the lambda in the args for the String class - it gets evaluated
at construction time and has access to the new struct, so it can
easily return a String with length x.NameLength. Therefore we dont
need a special class override for _CM_KEY_NODE to call a read_string
function.
So, once all the modules are in their own individual
files, and the
imports are all explicit, it should become much easier to move things
around, and get volatility into it's own namespace. Once that's been
done, I'll probably do a sweep over the code changing all the direct
imports (from blah.mumble import foo) to slightly more explicit ones
(import blah.mumble) or similar. The reason I'd do this is because the
imports were all over the place (as evidenced by the fact that not one
internal plugin imported forensics.commands!), and the namespaces were
getting messed up (so most of the plugins were importing gmtime from
other volatility modules, rather than from time itself). The main
question becomes, would it be tedious/ugly to have such long names (like
"volatility.forensics.win32.tasks.process_handle(blah)") or are they not
called often enough to make coding cumbersome? What do people think?
i dont like using the "from xxx import *" form because its messy and
pollutes the namespaces. We should use something like "import x.y.z as
z" to make things explicit and also keep module reference short.
That should cover the first three items on the todo
list[3], and four
and five I've got existing code[4] that should get everything sorted
with the installation system, and allow volatility.exe binaries to be
created (there'll need to be some code modifications to allow plugins to
be dropped into directories external to the executable, but that's all
doable)...
The plugin architecture (which came from PyFlag originally) is used to
make management of the code much easier for large project - not so
much to allow other people to maintain their own plugins seperate from
the codebase. I think long term compatibility will be a huge issue and
a maintenance nightmare - we really need to bring all modules to the
same tree. In PF we can add new plugin directories via the --plugins
directive (I think this is already in the volatiltiy version of the
registry code).
Then it's just merging the linux stuff in (where
does that come from?)
and lots and lots and lots of documentation!!! Anyone want to help out
with that? It'd really help to have some words about how scudette's
NewObject system works from anyone who understands it... 5:)
Yeah I should probably start documenting it a bit more .... Its
probably stopping people from adopting it right now :-)
Thanks,
Michael.
Mike 5:)
[1]
http://www.pyflag.net/pyflag/src/plugins/MemoryForensics/Volatility-1.3_Lin…
[2]
http://www.pyflag.net/pyflag/src/plugins/MemoryForensics/Volatility-1.3_Lin…
[3] http://code.google.com/p/volatility/wiki/ToDo14
[4]
http://phormat.svn.sourceforge.net/viewvc/phormat/trunk/phormat/setup.py?re…
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
6:05 a.m.
Michael Cohen wrote:
Hi Mike,
Hiya Michael,
Thanks for that - the patch didnt seem to make it for
me (it ended up
being a 14 byte bz2 file - maybe gmail stole it?).
You're quite right, the patch I attached was entirely and completely
non-existant (it was a bzip2 of an empty file). Sorry about that
everybody! 5:( You should find the full thing attached now.
Not exactly - the new object scheme itself doesnt need
these as these
functions were merged into the new object code. However, since I still
had the old object code lying around there might have been some
references left over.
There were, I think it's just the one call to list_do in
forensics.linux.tasks.
utils.py is in the svn tree (or it should be).
It's not (at least, not the volatility svn tree), it's included in this
giant patch though (as, unfortunately, is linked_list). The only other
thing that the code seemed to be missing before it would work correctly
was a definition of _LDR_DATA_TABLE_ENTRY, which this patch also adds.
Some of that work is already done - please have a look
at the new
plugins which are doing much the same things - I just left vmodules
there as a guide as to whats left to do. For example get_pslist() is
now powered by a rewritten pslist() in ./forensics/win32/tasks.py and
is used in the module memory_plugins/pstree.py for example.
I spotted pstree, it's the plugin I was going to use as the basis for
modifying the others to using load_as! 5:) Unfortunately, I've no idea
which plugins duplicate functionality, and which simply do things a
different way (all of the blahscan2 functions appear *much* quicker than
the blahscan functions, but produce pretty much the same output), so I
was going to convert them all and then ask people to help me cut away
the ones we don't need...
I dont think backwards compatibility is a realistic
goal we can have
when we change the underlying framework. I am more happy with a linux
style development model where everyone is free to have their own
modules, but committing them to the main tree will ensure they get
maintained as the code evolves.
That sounds good to me, although it might be a courtesy to add some kind
of a field in the forensics.commands.command object which specifies
which version of volatility is needed for the plugin, just so that uses
end up with a "this plugin won't work with this version" message, rather
than a python stacktrace. 5;) That'd need some planning to figure out
though (since there may be times a version bumps without breaking
compatibility).
It is not a drop in replacement at all - Hopefully its
easier to use
than the old Object code.
Ok, I was more just asking about code conversion, since the function
siganture for the Object constructor seemed similar to the call for
NewObject, I was wondering if changing the code was going to be as easy
as just changing all Objects to NewObjects. It sounds like I'm going to
have to know a lot more about how it works than I do at the moment to
start converting them (which also means the pylint patch may break some
things in a couple of places as I was doing the import clean-ups).
The new object code implements the
__getitem__ protocol so you can just do something
like:
task_info['image_file_name'] = task.ImageFileName or
'UNKNOWN'
task_info['process_id'] = task.UniqueProcessId.v() or -1
task_info['active_threads'] = task.ActiveThreads or -1
task_info['inherited_from'] =
task.InheritedFromUniqueProcessId.v() or -1
task_info['handle_count'] = task.ObjectTable.HandleCount or -1
task_info['create_time'] = task.CreateTime
If the pointer is NULL it returns a NoneObject which can be used as
the LHS of or to continue assignment (giving defaults).
Sounds pretty ideal though. 5;)
read_string and friends should be deprecated since the
act of reading
from struct members is now fully implemented by the struct members
themselves - not by an external function.
There's still a few places where this is in use and is just reading a
'char', rather than a specifically designated type
(linux.scan/win32.scan2). I think that's what I was asking, will it be
possible to fold in default types (like 'char', 'int', etc) into the
NewObject model, so that we can effectively drop forensics.object, and
then later rename forensics.object2 to its rightful place. 5:)
BTW. The stuff defined in overlay.py can be thought of
basically as
"fixups" to the vtypes (which are autogenerated from .h files).
Ah, yeah, I was wondering where the autogenerator code is (or are you
just saying it could be autogenerated from .h files? Presumably that
should be somewhere in the repository? How does it decide which classes
to yoink from the .h, or does it grab all of them and you weed them out
manually?
Note the lambda in the args for the String class - it
gets evaluated
at construction time and has access to the new struct, so it can
easily return a String with length x.NameLength. Therefore we dont
need a special class override for _CM_KEY_NODE to call a read_string
function.
Yep, that's a nice little trick. 5:)
i dont like using the "from xxx import *"
form because its messy and
pollutes the namespaces. We should use something like "import x.y.z as
z" to make things explicit and also keep module reference short.
I'm completely in agreement with you there. Does anyone have any
problems with converting the code to a style like that?
The plugin architecture (which came from PyFlag
originally) is used to
make management of the code much easier for large project - not so
much to allow other people to maintain their own plugins seperate from
the codebase. I think long term compatibility will be a huge issue and
a maintenance nightmare - we really need to bring all modules to the
same tree. In PF we can add new plugin directories via the --plugins
directive (I think this is already in the volatiltiy version of the
registry code).
Well, it will become difficult, but other large projects do manage
plugins (although granted, developers often have more time to work on
them that our userbase does). This comes back to the compatibility flag
in the plugin. As long as it can safely be discarded if it doesn't work
properly, that should be fine. Bringing modules into the tree is great,
but only if there's someone there to maintain them, otherwise you're
just burdening the developers with access to the tree with more code to
maintain. That's why planning a really good interface for everything,
and then trying hard not to change it, is a worthwhile challenge...
Yeah I should probably start documenting it a bit more
.... Its
probably stopping people from adopting it right now :-)
Well, I'm having a go at it, but I think it's mostly the mix of the two
systems that's hindering adoption. Not knowing whether you can or can't
use read_obj, etc and then whether you can use forensics.addrspace. The
documentation will certainly help, particularly if it shows how to
properly use the latest system for everything, though... 5;)
Mike 5:)
6:51 a.m.
Hi Mike,
On Sun, Sep 20, 2009 at 8:05 PM, Mike Auty <mike.auty(a)gmail.com> wrote:
Ahh the linux tasks is really not even integrated at all yet. Its kind
of neglected since noone seems to be interested in linux atm :-(.
Hiya Michael,
You're quite right, the patch I attached was entirely and completely
non-existant (it was a bzip2 of an empty file). Sorry about that
everybody! 5:( You should find the full thing attached now.
Ok I will push it to the repository. I must admit im not a fan of svn
so im still a bit rusty in using it. Is there any way to get you
access to the new object branch? (this question is directed at project
admins btw).
Not exactly -
the new object scheme itself doesnt need these as these
functions were merged into the new object code. However, since I still
had the old object code lying around there might have been some
references left over.
There were, I think it's just the one call to list_do in
forensics.linux.tasks. It's not (at least, not the volatility svn tree),
it's included in this
giant patch though (as, unfortunately, is linked_list). The only other
thing that the code seemed to be missing before it would work correctly
was a definition of _LDR_DATA_TABLE_ENTRY, which this patch also adds.
heh - see here is my svn ignorance showing again - svn doesnt
automatically tell you you missed adding a file as far as i can see
(like hg does) - sorry I forgot to add that file.
I spotted pstree, it's the plugin I was going to
use as the basis for
modifying the others to using load_as! 5:) Unfortunately, I've no idea
which plugins duplicate functionality, and which simply do things a
different way (all of the blahscan2 functions appear *much* quicker than
The scan2 stuff is faster because its a more optimised scanning
technique - not really related to the new object framework. Basically
I was going to convert all the basic modules to the new framework as
well as we can. It will require a re-engineering of the module rather
than just a search/replace though since the new framework is much more
concise and readable - case in point is the example I gave previously
of _CM_HIVE.
the blahscan functions, but produce pretty much the
same output), so I
was going to convert them all and then ask people to help me cut away
the ones we don't need...
It will be clearer quite quickly which ones we need and which are not
so needed - e.g. the pstree one is basically pslist with some extra
stuff. If you look at the memory_objects//Windows/xp_sp2.py you can
see that the new object classes are starting to implement their own
methods to do stuff they want - for example to iterate over an
_EPROCESS's handles you can just call:
for h in process.handles():
xxx
this basically obsoletes Volatility/forensics/win32/handles.py
So my point is that instead of having a plugin which retrieves all the
handles, or all the processes or whatever, this functionality can be
added to the object classes via object plugins and then anyone else
can just use this method off the relevant object. This will require a
better integrated design and avoid duplication in all the plugins.
That sounds good to me, although it might be a
courtesy to add some kind
of a field in the forensics.commands.command object which specifies
which version of volatility is needed for the plugin, just so that uses
end up with a "this plugin won't work with this version" message, rather
than a python stacktrace. 5;) That'd need some planning to figure out
though (since there may be times a version bumps without breaking
compatibility).
Thats a great idea - although better than a single version string it
might be better to implement separate versions for each subsystem and
let the plugin decide if its ok to work with - e.g. new_object_version
1.0 etc. Maybe just have a version in the command class?
Ok, I was more just asking about code conversion,
since the function
siganture for the Object constructor seemed similar to the call for
NewObject, I was wondering if changing the code was going to be as easy
as just changing all Objects to NewObjects. It sounds like I'm going to
have to know a lot more about how it works than I do at the moment to
start converting them (which also means the pylint patch may break some
things in a couple of places as I was doing the import clean-ups).
It might work this way im not sure - but the intension is to produce
better code, so I would suggest a better replacement for each plugin
should be written in the spirit of the new object design.
There's still a few places where this is in use
and is just reading a
'char', rather than a specifically designated type
(linux.scan/win32.scan2). I think that's what I was asking, will it be
possible to fold in default types (like 'char', 'int', etc) into the
NewObject model, so that we can effectively drop forensics.object, and
then later rename forensics.object2 to its rightful place. 5:)
Well these types are also new objects too - there is no difference
between an int and an _EPROCESS - they are both just objects you can
instantiate at any AS offset you want - the point is that usually, you
would be better off instantiating the entire struct at the offset,
rather than each element using int, char etc. Its more readable what
you are doing and also more maintainable. The reason why many of the
old plugins had to read specific ints etc by hand was because the
vtypes system lacked the ability to define complex ways of reading
data automatically (case in point is that variable sized string i
mentioned in an earlier post). Hopefully we can avoid the need to
resort to that now.
Ah, yeah, I was wondering where the autogenerator code
is (or are you
just saying it could be autogenerated from .h files? Presumably that
should be somewhere in the repository? How does it decide which classes
to yoink from the .h, or does it grab all of them and you weed them out
manually?
Oh i wrote a page about it once -
http://www.pyflag.net/cgi-bin/moin.cgi/Volatility_Object_Framework
This is just me playing around and not any "official" way to generate
vtypes. It should probably be added to the repo.
Well, it will become difficult, but other large
projects do manage
plugins (although granted, developers often have more time to work on
them that our userbase does). This comes back to the compatibility flag
in the plugin. As long as it can safely be discarded if it doesn't work
properly, that should be fine. Bringing modules into the tree is great,
but only if there's someone there to maintain them, otherwise you're
just burdening the developers with access to the tree with more code to
maintain. That's why planning a really good interface for everything,
and then trying hard not to change it, is a worthwhile challenge...
Yeah I agree - the flip side is that you dont want to stop development
because you might break plugins. If people want to keep their plugins
separate thats fine, but they need to maintain them. Hopefully the new
obeject framework will be stable enough to keep things in check. Yeah
version strings are ideal but they only work with stable release
cycles (as in one can advertise their plugin works with volatiltiy 1.3
or 1.4 or whatever) - we have not had enough releases yet to see how
that works out. Developement typically occured ad hoc and people
needed to essentially patch the framework as well as provide plugins
which sort of defeats the whole point of plugins. One of the problems
has been the inability to add complex vtype handling via plugins - a
problem which is addressed in the new branch.
Well, I'm having a go at it, but I think it's
mostly the mix of the two
systems that's hindering adoption. Not knowing whether you can or can't
use read_obj, etc and then whether you can use forensics.addrspace. The
documentation will certainly help, particularly if it shows how to
properly use the latest system for everything, though... 5;)
So read_obj is obsolete - also forensics.addrspace is also obsolete as
the comment suggests:
## Maintained for backward compatibility do not use in new code
class FileAddressSpace:
I was a bit reluctant to completely remove old object support - but I
think I might need to do that to make it clear what files are going to
be removed.
Thanks,
Michael.
6:34 p.m.
Michael Cohen wrote:
Hi Mike,
Hiya Michael!
Ok I will push it to the repository. I must admit im
not a fan of svn
so im still a bit rusty in using it. Is there any way to get you
access to the new object branch? (this question is directed at project
admins btw).
Thanks very much for committing that. I know what you mean about svn, I
tend to use git to track everything, and then it can just push back into
svn when it needs too (and it'll remind you if you missed a file, just
like hg!). 5;)
Ahh the linux tasks is really not even integrated at
all yet. Its kind
of neglected since noone seems to be interested in linux atm :-(.
I think Jon (echo6) might be interested in the Linux side of things.
I've also got the old truecrypt plugin on look at on my todo list (way,
way down on my todo list, but there at least), so we might be able to
help bolster that. It might be more worthwhile persuing the Mac OS
X/BSD side of things though, given the distribution of machines people
might run up against (particularly if people start looking at iPhones on
ARM)... 5:)
heh - see here is my svn ignorance showing again - svn
doesnt
automatically tell you you missed adding a file as far as i can see
(like hg does) - sorry I forgot to add that file.
No problem, thanks for adding it back in. 5:)
The scan2 stuff is faster because its a more optimised
scanning
technique - not really related to the new object framework. Basically
I was going to convert all the basic modules to the new framework as
well as we can. It will require a re-engineering of the module rather
than just a search/replace though since the new framework is much more
concise and readable - case in point is the example I gave previously
of _CM_HIVE.
Thanks, I had a go at starting to convert over some of the modules.
I've done datetime and ident for now, just to get me going. Any chance
you could take a look at them (part of the attached patch, since I
touched other bits of the tree). I'm still not fully up to speed on
everything, so any criticisms would be greatly appreciated! 5:)
It will be clearer quite quickly which ones we need
and which are not
so needed - e.g. the pstree one is basically pslist with some extra
stuff. If you look at the memory_objects//Windows/xp_sp2.py you can
see that the new object classes are starting to implement their own
methods to do stuff they want - for example to iterate over an
_EPROCESS's handles you can just call:
for h in process.handles():
xxx
this basically obsoletes Volatility/forensics/win32/handles.py
That's very cool! The next step I guess will be to start removing the
older/unnecessary stuff to clear it all up. 5:)
Thats a great idea - although better than a single
version string it
might be better to implement separate versions for each subsystem and
let the plugin decide if its ok to work with - e.g. new_object_version
1.0 etc. Maybe just have a version in the command class?
Yep, that seems reasonable. The command class can keep a requirements
list of features, and the framework can check it satisfies them all.
That will allow for newer versions and new features, and to gracefully
deprecate then remove old versions.
It might work this way im not sure - but the intension
is to produce
better code, so I would suggest a better replacement for each plugin
should be written in the spirit of the new object design.
Absolutely, as I say, I've started with the easy ones, but I have every
intention to moving getting rid of vmodules (and then clearing out as
much of the win32.* as are no longer necessary/use the old object model.
Oh i wrote a page about it once -
http://www.pyflag.net/cgi-bin/moin.cgi/Volatility_Object_Framework
This is just me playing around and not any "official" way to generate
vtypes. It should probably be added to the repo.
Brilliant, that's just the kind of documentation I was looking for. It
gives a good overview of what's going on. Thanks! 5:)
Developement typically occured ad hoc and people
needed to essentially patch the framework as well as provide plugins
which sort of defeats the whole point of plugins. One of the problems
has been the inability to add complex vtype handling via plugins - a
problem which is addressed in the new branch.
The overlay idea looks really good, but I'm still a little unclear how
to integrate it cleanly (ie, how to have it affect just a single module,
in case one overlays changes that break another)...
## Maintained for backward compatibility do not use in
new code
Yeah, I saw that, it was just still used all over the place, and unless
it goes away, I think people will keep using it... 5:(
I was a bit reluctant to completely remove old object
support - but I
think I might need to do that to make it clear what files are going to
be removed.
Yeah, I think so too, but it should make everything a lot easier to
follow (and much easier to document!). 5:)
Mike 5:)
5534
days inactive
5534
days old
vol-dev@lists.volatilityfoundation.org
4 comments
2 participants
participants (2)
-
Michael Cohen -
Mike Auty