7:02 a.m.
Hi
I modified threads to also create JSON output (diff and sample attached
to bug).
http://code.google.com/p/volatility/issues/detail?id=289
Everyone who is interested in this kind of features please check the
code and give some feedback.
Thanks
Thorsten Sick
--
Thorsten Sick, Research
Avira Operations GmbH & Co. KG
Kaplaneiweg 1
88069 Tettnang
Germany
Phone: +49 7542-500 0
Fax: +49 7542-500 3000
Internet: http://www.avira.com
6:18 p.m.
Thorsten,
Thanks for the examples. Do you foresee prepending the plugin name string
to most tags? Is that necessary if the json is scoped by a thread
context?
(ie athread["thread_exit_time"]={"value":str(thread.ExitTime)} )
At some point, I envison a data argument passed to the render_* functions
that is composed of a tag-value dictionary that could be generically
rendered by a single render module (table, mysql, json) that is not plugin
specific.
Thanks,
AW
On Thu, 5 Jul 2012, Thorsten Sick wrote:
Hi
I modified threads to also create JSON output (diff and sample attached
to bug).
http://code.google.com/p/volatility/issues/detail?id=289
Everyone who is interested in this kind of features please check the
code and give some feedback.
Thanks
Thorsten Sick
--
Thorsten Sick, Research
Avira Operations GmbH & Co. KG
Kaplaneiweg 1
88069 Tettnang
Germany
Phone: +49 7542-500 0
Fax: +49 7542-500 3000
Internet: http://www.avira.com
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
2:20 a.m.
Good morning
At the moment I spend most of my brain-cycles on the problem of naming
the tags. And stuff like the exit/start time is quite undecided.
The current solution has:
thread_exit_time
proces_exit_time
process_create_time
thread_create_time
socket_create_time
(Yes, I collected tags for other modules already)
What I prepend is not the plugin name, but the "object" name. By
coincidence it is the threads plugin that generates information about
thread objects....
Maybe we can clean this a bit. Having only create_time and exit_time it
would be easier to generate a kind of chronological event chart.
Also with object names prepended (that could be de-duplicated):
thread_start_address
thread_base_priority
thread_priority
ssdt_id
ssdt_offset
ssdt_function
idt_target_address
driver_size
driver_start
mutant_thread (thread id of mutant)
thread_attached_address
thread_owner_address
(thread_tag_* are to special for cleanup)
file_offset
file_start_address
symlink_creation_time
This is still only a list in a wiki, change is cheap. So please feedback now
By the way: Having a rendering module would be cool.
Thorsten Sick
On 06.07.2012 00:18, AAron Walters wrote:
Thorsten,
Thanks for the examples. Do you foresee prepending the plugin name
string to most tags? Is that necessary if the json is scoped by a
thread context?
(ie athread["thread_exit_time"]={"value":str(thread.ExitTime)} )
At some point, I envison a data argument passed to the render_*
functions that is composed of a tag-value dictionary that could be
generically rendered by a single render module (table, mysql, json) that
is not plugin specific.
Thanks,
AW
On Thu, 5 Jul 2012, Thorsten Sick wrote:
--
Thorsten Sick, Research
Avira Operations GmbH & Co. KG
Kaplaneiweg 1
88069 Tettnang
Germany
Phone: +49 7542-500 0
Fax: +49 7542-500 3000
Internet: http://www.avira.com
Hi
I modified threads to also create JSON output (diff and sample attached
to bug).
http://code.google.com/p/volatility/issues/detail?id=289
Everyone who is interested in this kind of features please check the
code and give some feedback.
Thanks
Thorsten Sick
--
Thorsten Sick, Research
Avira Operations GmbH & Co. KG
Kaplaneiweg 1
88069 Tettnang
Germany
Phone: +49 7542-500 0
Fax: +49 7542-500 3000
Internet: http://www.avira.com
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
3:22 a.m.
Good morning
I just changed the code and generated a new DB example. Looks better now
IMHO. Thanks for the suggestions.
For more see the issue
http://code.google.com/p/volatility/issues/detail?id=289
Thorsten sick
On 06.07.2012 00:18, AAron Walters wrote:
Thorsten,
Thanks for the examples. Do you foresee prepending the plugin name
string to most tags? Is that necessary if the json is scoped by a
thread context?
(ie athread["thread_exit_time"]={"value":str(thread.ExitTime)} )
At some point, I envison a data argument passed to the render_*
functions that is composed of a tag-value dictionary that could be
generically rendered by a single render module (table, mysql, json) that
is not plugin specific.
Thanks,
AW
On Thu, 5 Jul 2012, Thorsten Sick wrote:
--
Thorsten Sick, Research
Avira Operations GmbH & Co. KG
Kaplaneiweg 1
88069 Tettnang
Germany
Phone: +49 7542-500 0
Fax: +49 7542-500 3000
Internet: http://www.avira.com
Hi
I modified threads to also create JSON output (diff and sample attached
to bug).
http://code.google.com/p/volatility/issues/detail?id=289
Everyone who is interested in this kind of features please check the
code and give some feedback.
Thanks
Thorsten Sick
--
Thorsten Sick, Research
Avira Operations GmbH & Co. KG
Kaplaneiweg 1
88069 Tettnang
Germany
Phone: +49 7542-500 0
Fax: +49 7542-500 3000
Internet: http://www.avira.com
_______________________________________________
Vol-dev mailing list
Vol-dev(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev
4511
days inactive
4515
days old
vol-dev@lists.volatilityfoundation.org
3 comments
2 participants
participants (2)
-
AAron Walters -
Thorsten Sick