Hi Yuhang,
Welcome to the volatility community!!
We have recently developed a new framework for memory analysis in the
volatility dev branch. I think this would be ideal for writing cross
platform code (e.g. Linux and Windows can use the same framework).
The biggest problems I see with Linux support are:
- No use of pool tags, so scanning needs to be much more thorough.
- The structs are very variable - for example task_struct can have
extra members depending on configuration options, even for the same
kernel version. This really throws out any analysis because your
struct definitions need to be tweaked depending on a configuration you
don't know.
The new framework attempts to address these concerns using profiles. A
profile is a specific Python class which tells the framework how to
access specific structs. For example you can have a kernel 2.6.26
profile, a kernel 2.6.30 profile, etc. Then the modules can simply ask
for a task_struct and the profile does the specific versioning stuff.
The idea is that a profile can run a number of tests on the image to
figure out what is likely to be the correct struct layout. For example
for task_struct, you can test for sanity of members after the optional
members in the struct to figure out if these members are turned on.
This means that the profile has some capability of adapting to the
specific image - not just the kernel version.
Of course this kind of stuff also lends itself to Windows profiles,
such as the difference between SP2 and SP3 and even XP and Vista - as
versions change, structs have different versions and the profile is
adapted to these.
The new scanning framework is also designed to address concern 1 above
with very fast performance even with very thorough testing of structs.
This should enable us to write scanners which don't depend on pool tags
so much - a definite advantage for Windows analysis as well, since pool
tags are easy to maliciously change.
The best advice I have is to just come up with a simple task (like
scanning for task_structs) and then write a plugin to deal with it - you
will learn how the new framework works.
If you need some specific help, send an email, or just jump on irc -
although I have not been on irc much lately :-(
Michael.
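To make the profile idea above concrete, here is an added, self-contained Python example. It is my own illustration, not code from Volatility, its dev branch, or Michael: a constructed 64-bit little-endian "image" is populated with a few task_struct-like records, two candidate layouts are defined (one with an extra CONFIG-dependent member before pid), and the profile's sanity tests (pid range, printable comm, list_head next->prev == self) both pick the correct layout and drive a pool-tag-free scanner. The member offsets, IMAGE_BASE, the decoy record and the sample tasks are all made up; a real profile would take offsets from debug info and check kernel virtual address ranges instead of image bounds.

```python
import struct

# Constructed, not a real dump: assumed load address of the image buffer.
IMAGE_BASE = 0xFFFF880000000000
PID_MAX_DEFAULT = 32768  # Linux default pid_max
TASK_COMM_LEN = 16

# Hypothetical task_struct layouts (offsets are illustrative, not real).
# "with_optional" has one extra 8-byte CONFIG-dependent member at 0x18,
# shifting pid/tgid/comm by 8, which is the situation described above.
LAYOUTS = {
    "no_optional":   {"tasks": 0x08, "pid": 0x18, "tgid": 0x1C, "comm": 0x20, "size": 0x30},
    "with_optional": {"tasks": 0x08, "pid": 0x20, "tgid": 0x24, "comm": 0x28, "size": 0x38},
}


def _u32(image, off):
    return struct.unpack_from("<I", image, off)[0]


def _u64(image, off):
    return struct.unpack_from("<Q", image, off)[0]


def build_image(layout, tasks, size=0x400):
    """Write (pid, comm) records into a zeroed buffer using `layout`, linking
    them in a circular list through the embedded list_head, plus one decoy
    record whose pid/comm look fine but whose list pointers are garbage."""
    buf = bytearray(size)
    offsets = [0x100 + i * 0x40 for i in range(len(tasks))]
    for i, (off, (pid, comm)) in enumerate(zip(offsets, tasks)):
        nxt = IMAGE_BASE + offsets[(i + 1) % len(tasks)] + layout["tasks"]
        prv = IMAGE_BASE + offsets[(i - 1) % len(tasks)] + layout["tasks"]
        struct.pack_into("<QQ", buf, off + layout["tasks"], nxt, prv)
        struct.pack_into("<II", buf, off + layout["pid"], pid, pid)
        c = off + layout["comm"]
        buf[c:c + TASK_COMM_LEN] = comm.ljust(TASK_COMM_LEN, b"\0")
    off = 0x300  # decoy: should be rejected by the list_head check
    struct.pack_into("<QQ", buf, off + layout["tasks"], 0x4141414141414141, 0x4242424242424242)
    struct.pack_into("<II", buf, off + layout["pid"], 1234, 1234)
    c = off + layout["comm"]
    buf[c:c + TASK_COMM_LEN] = b"fake".ljust(TASK_COMM_LEN, b"\0")
    return bytes(buf)


def is_sane_task(image, off, layout):
    """Profile sanity test for one candidate offset under one layout.
    Returns (pid, comm) if every checked member is plausible, else None."""
    if off + layout["size"] > len(image):
        return None
    pid, tgid = _u32(image, off + layout["pid"]), _u32(image, off + layout["tgid"])
    if not (0 <= pid <= PID_MAX_DEFAULT and 0 <= tgid <= PID_MAX_DEFAULT):
        return None  # pid 0 is allowed: swapper/init_task
    raw = image[off + layout["comm"]: off + layout["comm"] + TASK_COMM_LEN]
    name, _, tail = raw.partition(b"\0")
    if not name or tail.strip(b"\0") or not all(0x20 <= b < 0x7F for b in name):
        return None  # comm must be a non-empty, NUL-padded printable string
    me = IMAGE_BASE + off + layout["tasks"]
    nxt, prv = _u64(image, off + layout["tasks"]), _u64(image, off + layout["tasks"] + 8)
    for ptr in (nxt, prv):
        if not (IMAGE_BASE <= ptr < IMAGE_BASE + len(image) - 16):
            return None  # pointer must land inside the (assumed) address range
    # list_head consistency: next->prev and prev->next must point back at us.
    if _u64(image, nxt - IMAGE_BASE + 8) != me or _u64(image, prv - IMAGE_BASE) != me:
        return None
    return pid, name.decode("ascii")


def scan_tasks(image, layout, align=8):
    """Tag-less scanner: test every aligned offset against the layout."""
    hits = []
    for off in range(0, len(image) - layout["size"] + 1, align):
        res = is_sane_task(image, off, layout)
        if res:
            hits.append((off,) + res)
    return hits


def detect_layout(image):
    """Profile auto-detection: the layout yielding the most mutually
    consistent task_structs is taken as the image's real layout."""
    scores = {name: len(scan_tasks(image, lay)) for name, lay in LAYOUTS.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    sample = [(1, b"init"), (2, b"kthreadd"), (734, b"sshd")]
    img = build_image(LAYOUTS["with_optional"], sample)
    best, scores = detect_layout(img)
    print("layout:", best, scores)
    for off, pid, comm in scan_tasks(img, LAYOUTS[best]):
        print(f"0x{off:x} pid={pid} comm={comm}")
```

The point of the list_head check is that it is the kind of structural test that survives without pool tags: a record with a believable pid and comm but whose tasks.next does not point at something whose tasks.prev points back is rejected, and a wrong layout reads pointers where pids should be and scores zero.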
On Sun, Jan 3, 2010 at 8:09 PM, yuhang gao <rainman1919(a)gmail.com> wrote:
Thanks for your kindness.
Volatility is a very good open-source toolkit for memory forensics. And many
developers and researchers write plugins for it.
I have collected some plugins for volatility, but I am afraid some
plugins are not included in the source code provided by the official
website of volatility.
Besides, most of them are for Windows, and I am currently working on
Linux memory forensics.
I am going to write some plugins for Linux. If the wiki contains all
the plugins, it seems there is not much research on Linux memory forensics.
Thanks a lot
YhGao
2010/1/3 Sebastien R <uyojimbo(a)gmail.com>:
Indeed,
There is obviously something I don't understand here: googling
"volatility+plugins" returns, as a first entry:
http://www.forensicswiki.org/wiki/List_of_Volatility_Plugins
which lists both the plugins and links to their creators' blog entries
about each plugin, where applicable.
What else would you need, please?
BR
2010/1/2 Matthieu Suiche <msuiche(a)gmail.com>:
Please excuse my candidness, but can you explain to this mailing list
what you do not understand?
As far as I remember, Volatility is an open-source project.
--
Matthieu Suiche
On Fri, Jan 1, 2010 at 1:08 PM, yuhang gao <rainman1919(a)gmail.com> wrote:
Dear developers,
I would like to work on the memory forensics of Linux, and I know many
researchers have written plug-ins for the Volatility framework. I'd
appreciate anyone who could provide me with information about them,
especially plug-ins for Linux. I am going to write some myself,
so your kindness would help me save a lot of time.
Thanks a lot.
Yuhang Gao
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users