Hiya guys,
I had a request from echo6 to allow Volatility to run against iSCSI
exported memory images (which basically show up in Linux as block
devices). The attached patch changes checks from "not isfile" to
"isdir", in order to include block files, regular files and symlinks.
The patch also includes a secondary method for determining filesize, based
on opening the file, seeking to the end, and then asking the file to
tell how far the cursor is. That works fine for block devices, whereas
getsize returns 0.
As you can see from the patch, there's a lot of plugins that reimplement
existing code and handle files directly. That also means that other
existing plugins will need converting if they're to work against block
devices...
Mike 5:)
diff --git a/trunk/Volatility/forensics/addrspace.py
b/trunk/Volatility/forensics/addrspace.py
index d0c0dee..c1d7198 100755
--- a/trunk/Volatility/forensics/addrspace.py
+++ b/trunk/Volatility/forensics/addrspace.py
@@ -43,6 +43,12 @@ class FileAddressSpace:
self.name = fname
self.fhandle = open(fname, mode)
self.fsize = os.path.getsize(fname)
+ # getsize returns 0 for block devices
+ if self.fsize < 1:
+ f = open(fname, mode)
+ f.seek(0, os.SEEK_END)
+ self.fsize = f.tell()
+ f.close()
if fast == True:
self.fast_fhandle = open(fname, mode)
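Review bot: The fallback opens `fname` a second time although `self.fhandle` has just been opened on the line above; seeking the existing handle avoids the extra descriptor, e.g. `self.fhandle.seek(0, os.SEEK_END)`, `self.fsize = self.fhandle.tell()`, `self.fhandle.seek(0)` (the final seek matters because later reads presumably expect the handle at offset 0 — worth confirming against the rest of the class). As written, `f.close()` is also not in a `finally`, so if `seek` raises on a non-seekable path the handle leaks. The same fallback is pasted into several vmodules.py plugins; see the note on the psscan filesize hunk. `FileAddressSpace.__init__` starts and ends outside the hunk.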
diff --git a/trunk/Volatility/forensics/win32/scan.py
b/trunk/Volatility/forensics/win32/scan.py
index 3217983..771fe67 100644
--- a/trunk/Volatility/forensics/win32/scan.py
+++ b/trunk/Volatility/forensics/win32/scan.py
@@ -678,7 +678,6 @@ def connection_dump(address, cnt, object):
def conn_scan(addr_space, types, filename, beg, end, slow):
-
if slow == False:
connection_object = ScanObject(addr_space,types)
connection_object.set_fast_beg(beg)
diff --git a/trunk/Volatility/vmodules.py b/trunk/Volatility/vmodules.py
index cd1bf20..5aa0cd1 100644
--- a/trunk/Volatility/vmodules.py
+++ b/trunk/Volatility/vmodules.py
@@ -978,7 +978,7 @@ def psscan(cmdname, argv):
slow = opts.slow
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
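Review bot: Replacing `not os.path.isfile` with `os.path.isdir` drops the existence check, because `os.path.isdir` is False for a path that does not exist, so a mistyped filename now passes the guard and fails later in `open()` with a traceback instead of the `op.error` usage message. Keep the directory rejection but restore the existence test: `if (opts.filename is None) or (not os.path.exists(opts.filename)) or (os.path.isdir(opts.filename)) :`. The same replacement is made in thrdscan, sockscan, connscan, mem_map, modscan, dump_chk, mem_dump, hibinfo, connscan2, sockscan2, modscan2, thrdscan2 and psscan2, and each of those hunks needs the same fix. psscan's body continues outside the hunk.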
@@ -993,6 +993,12 @@ def psscan(cmdname, argv):
start = 0
filesize = os.path.getsize(filename)
+ # getsize returns 0 for block devices
+ if filesize < 1:
+ f = open(filename, 'rb')
+ f.seek(0, os.SEEK_END)
+ filesize = f.tell()
+ f.close()
if not opts.end is None:
try:
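Review bot: The six-line getsize fallback is pasted verbatim here and again in thrdscan, sockscan, connscan and modscan (and, with a `self.fsize` target, in FileAddressSpace.__init__), so the block-device handling now lives in six places. The pasted version also leaves the handle open if `seek` raises, for instance on a non-seekable path, because `f.close()` is not in a `finally`. A single module-level helper along the lines below, called as `filesize = get_filesize(filename)` in each plugin, addresses both. psscan's body starts and ends outside the hunk.
```python
def get_filesize(filename):
    """Return the size of filename in bytes.

    os.path.getsize reports 0 for block devices, so fall back to
    seeking to the end of the file and reading the offset.
    """
    filesize = os.path.getsize(filename)
    if filesize < 1:
        f = open(filename, 'rb')
        try:
            f.seek(0, os.SEEK_END)
            filesize = f.tell()
        finally:
            f.close()
    return filesize
```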
@@ -1050,7 +1056,7 @@ def thrdscan(cmdname, argv):
slow = opts.slow
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1065,6 +1071,12 @@ def thrdscan(cmdname, argv):
start = 0
filesize = os.path.getsize(filename)
+ # getsize returns 0 for block devices
+ if filesize < 1:
+ f = open(filename, 'rb')
+ f.seek(0, os.SEEK_END)
+ filesize = f.tell()
+ f.close()
if not opts.end is None:
try:
@@ -1123,7 +1135,7 @@ def sockscan(cmdname, argv):
slow = opts.slow
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1138,6 +1150,12 @@ def sockscan(cmdname, argv):
start = 0
filesize = os.path.getsize(filename)
+ # getsize returns 0 for block devices
+ if filesize < 1:
+ f = open(filename, 'rb')
+ f.seek(0, os.SEEK_END)
+ filesize = f.tell()
+ f.close()
if not opts.end is None:
try:
@@ -1194,7 +1212,7 @@ def connscan(cmdname, argv):
slow = opts.slow
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1209,6 +1227,12 @@ def connscan(cmdname, argv):
start = 0
filesize = os.path.getsize(filename)
+ # getsize returns 0 for block devices
+ if filesize < 1:
+ f = open(filename, 'rb')
+ f.seek(0, os.SEEK_END)
+ filesize = f.tell()
+ f.close()
if not opts.end is None:
try:
@@ -1257,7 +1281,7 @@ def mem_map(cmdname, argv):
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1354,7 +1378,7 @@ def modscan(cmdname, argv):
slow = opts.slow
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1368,6 +1392,12 @@ def modscan(cmdname, argv):
start = 0
filesize = os.path.getsize(filename)
+ # getsize returns 0 for block devices
+ if filesize < 1:
+ f = open(filename, 'rb')
+ f.seek(0, os.SEEK_END)
+ filesize = f.tell()
+ f.close()
if not opts.end is None:
try:
@@ -1423,7 +1453,7 @@ def dump_chk(cmdname, argv):
op = get_standard_parser(cmdname)
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1492,7 +1522,7 @@ def mem_dump(cmdname, argv):
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1601,7 +1631,7 @@ def hibinfo(cmdname, argv):
metavar="FILE", dest="dump")
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1923,7 +1953,7 @@ def connscan2(cmdname, argv):
op = get_standard_parser(cmdname)
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -1968,7 +1998,7 @@ def sockscan2(cmdname, argv):
op = get_standard_parser(cmdname)
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -2009,7 +2039,7 @@ def modscan2(cmdname, argv):
op = get_standard_parser(cmdname)
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -2049,7 +2079,7 @@ def thrdscan2(cmdname, argv):
op = get_standard_parser(cmdname)
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename
@@ -2093,7 +2123,7 @@ def psscan2(cmdname, argv):
action='store_true',dest='dot_format', default=False)
opts, args = op.parse_args(argv)
- if (opts.filename is None) or (not os.path.isfile(opts.filename)) :
+ if (opts.filename is None) or (os.path.isdir(opts.filename)) :
op.error("File is required")
else:
filename = opts.filename