8:18 a.m.
Hello
My name is Thorsten Sick, I am Researcher at Avira. Currently I am part
of the ITES project. This project's aim is to develop
detection/protection technology using the benefits from a guest system
running in a virtual machine. Short: Sensors in the VM and in the
hypervisor layer.
One of my first steps would be to automate Malware analysis and use some
big guns. Volatility would be a big gun. Combined with cuckoobox it
could be very powerful.
But for that volatility needs:
- A log format that could be parsed in a simple way (JSON ?) for the plugins
- Maybe some nice API to control it from Cuckoobox
I am ready to implement that. But before doing stuff only half I would
love to hear your opinion.
Especially if you have some whishes what exactly should be in those
logs, please tell me. If you maintain a plugin, please tell me. I am
ready to write the log code or we try to figure out a format and you can
code it yourself.
What I am doing here should have benefits for the community-if done right.
You can also find me in the IRC.
Thanks
Thorsten
--
Thorsten Sick, Research
Avira Operations GmbH & Co. KG
Kaplaneiweg 1
88069 Tettnang
Germany
Phone: +49 7542-500 0
Fax: +49 7542-500 3000
Internet: http://www.avira.com
11:08 a.m.
Hi Thorsten,
Sorry for the delayed reply, we've been cramming to get some things
fixed for the 2.1 release and your question required a little more
thought. So, yes, being able to use volatility in cuckoo (or any other
framework) via flexible API and easily integrated/parsed output
formatting is a major goal of ours. Especially if the product of the
work is going back into another open-source project. We're aware of
SRI's "malgram" sandbox [1] which they built using cuckoo and
volatility for introspection, but its a proprietary system.
So I thought we had some documentation on rendering output, but I
can't find it right now, so I'll just give you a quick walk-through.
Each plugin has a render_text method, which is used by default from
the command line. For example when you run python vol.py -f image.dmp
pslist, the following rendering function executes to print the values
to your terminal:
https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins…
Assuming you wanted the output in JSON format, you could write a new
method called render_json to the PSList class. I attached a simple
example patch to this email. After applying the patch, you could run
the pslist command again, but using the --output=json parameter like
this:
$ python vol.py -f image.dmp pslist --output=json
Volatile Systems Volatility Framework 2.1_alpha
{"Start": "2012-05-31 13:58:55 ", "Sess": "",
"Exit": "", "Name":
"System", "Wow64": false, "Offset": 2215873656,
"PPid": 0, "Pid": 4,
"Thds": 444}{"Start": "2012-05-31 13:58:55 ",
"Sess": "", "Exit": "",
"Name": "smss.exe", "Wow64": false, "Offset":
2242990112, "PPid": 4,
"Pid": 276, "Thds": 30}<snip>
So the information you want to log would really be up to you. Any data
carved/produced by the plugins could be output in JSON format. Also in
the past one of our developers, Gleeda, wrote some example render_sql
functions which output data directly to an sqlite3 database [2], that
would be an option for you as well.
If there's anything else we can help with, please let us know!
MHL
[1]. public.mtc.sri.com/MalgramIntroduction.pptx
[2]. http://gleeda.blogspot.com/2010/02/briefly-volatility-news-214.html
On Mon, Jun 25, 2012 at 8:18 AM, Thorsten Sick <thorsten.sick(a)avira.com> wrote:
Hello
My name is Thorsten Sick, I am Researcher at Avira. Currently I am part
of the ITES project. This project's aim is to develop
detection/protection technology using the benefits from a guest system
running in a virtual machine. Short: Sensors in the VM and in the
hypervisor layer.
One of my first steps would be to automate Malware analysis and use some
big guns. Volatility would be a big gun. Combined with cuckoobox it
could be very powerful.
But for that volatility needs:
- A log format that could be parsed in a simple way (JSON ?) for the plugins
- Maybe some nice API to control it from Cuckoobox
I am ready to implement that. But before doing stuff only half I would
love to hear your opinion.
Especially if you have some whishes what exactly should be in those
logs, please tell me. If you maintain a plugin, please tell me. I am
ready to write the log code or we try to figure out a format and you can
code it yourself.
What I am doing here should have benefits for the community-if done right.
You can also find me in the IRC.
Thanks
Thorsten
--
Thorsten Sick, Research
Avira Operations GmbH & Co. KG
Kaplaneiweg 1
88069 Tettnang
Germany
Phone: +49 7542-500 0
Fax: +49 7542-500 3000
Internet: http://www.avira.com
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
4:29 a.m.
Hi Michael
Currently I am developing in the VolatilityNG/scudette branch. But as
soon as it is running I am willing to port it to Volatility 2.x.
Your documentation will help a lot. Thank you.
Thorsten Sick
On 02.07.2012 17:08, Michael Hale Ligh wrote:
Hi Thorsten,
Sorry for the delayed reply, we've been cramming to get some things
fixed for the 2.1 release and your question required a little more
thought. So, yes, being able to use volatility in cuckoo (or any other
framework) via flexible API and easily integrated/parsed output
formatting is a major goal of ours. Especially if the product of the
work is going back into another open-source project. We're aware of
SRI's "malgram" sandbox [1] which they built using cuckoo and
volatility for introspection, but its a proprietary system.
So I thought we had some documentation on rendering output, but I
can't find it right now, so I'll just give you a quick walk-through.
Each plugin has a render_text method, which is used by default from
the command line. For example when you run python vol.py -f image.dmp
pslist, the following rendering function executes to print the values
to your terminal:
https://code.google.com/p/volatility/source/browse/trunk/volatility/plugins…
Assuming you wanted the output in JSON format, you could write a new
method called render_json to the PSList class. I attached a simple
example patch to this email. After applying the patch, you could run
the pslist command again, but using the --output=json parameter like
this:
$ python vol.py -f image.dmp pslist --output=json
Volatile Systems Volatility Framework 2.1_alpha
{"Start": "2012-05-31 13:58:55 ", "Sess": "",
"Exit": "", "Name":
"System", "Wow64": false, "Offset": 2215873656,
"PPid": 0, "Pid": 4,
"Thds": 444}{"Start": "2012-05-31 13:58:55 ",
"Sess": "", "Exit": "",
"Name": "smss.exe", "Wow64": false, "Offset":
2242990112, "PPid": 4,
"Pid": 276, "Thds": 30}<snip>
So the information you want to log would really be up to you. Any data
carved/produced by the plugins could be output in JSON format. Also in
the past one of our developers, Gleeda, wrote some example render_sql
functions which output data directly to an sqlite3 database [2], that
would be an option for you as well.
If there's anything else we can help with, please let us know!
MHL
[1]. public.mtc.sri.com/MalgramIntroduction.pptx
[2]. http://gleeda.blogspot.com/2010/02/briefly-volatility-news-214.html
On Mon, Jun 25, 2012 at 8:18 AM, Thorsten Sick <thorsten.sick(a)avira.com> wrote:
>
> Hello
>
> My name is Thorsten Sick, I am Researcher at Avira. Currently I am part
> of the ITES project. This project's aim is to develop
> detection/protection technology using the benefits from a guest system
> running in a virtual machine. Short: Sensors in the VM and in the
> hypervisor layer.
>
> One of my first steps would be to automate Malware analysis and use some
> big guns. Volatility would be a big gun. Combined with cuckoobox it
> could be very powerful.
>
> But for that volatility needs:
> - A log format that could be parsed in a simple way (JSON ?) for the plugins
> - Maybe some nice API to control it from Cuckoobox
>
> I am ready to implement that. But before doing stuff only half I would
> love to hear your opinion.
>
> Especially if you have some whishes what exactly should be in those
> logs, please tell me. If you maintain a plugin, please tell me. I am
> ready to write the log code or we try to figure out a format and you can
> code it yourself.
>
> What I am doing here should have benefits for the community-if done right.
>
> You can also find me in the IRC.
>
> Thanks
> Thorsten
>
> --
> Thorsten Sick, Research
>
> Avira Operations GmbH & Co. KG
> Kaplaneiweg 1
> 88069 Tettnang
> Germany
> Phone: +49 7542-500 0
> Fax: +49 7542-500 3000
> Internet: http://www.avira.com
>
> _______________________________________________
> Vol-dev mailing list
> Vol-dev(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
--
Thorsten Sick, Research
Avira Operations GmbH & Co. KG
Kaplaneiweg 1
88069 Tettnang
Germany
Phone: +49 7542-500 0
Fax: +49 7542-500 3000
Internet: http://www.avira.com
4517
days inactive
4525
days old
vol-dev@lists.volatilityfoundation.org
2 comments
2 participants
participants (2)
-
Michael Hale Ligh -
Thorsten Sick