Closed GoogleCodeExporter closed 8 years ago
That's part of the malware collection of plugins. It hasn't been converted
over to the main trunk yet, so if you require it, please install volatility-2.0
and use the malware.py file from the malware analysts cookbook website[1]...
[1] http://malwarecookbook.googlecode.com/
Original comment by mike.auty@gmail.com
on 30 Apr 2012 at 10:45
Actually, I have ported it to 2.1 and it works on xp/2003/2008/vista/7 x86 and
x64, but I haven't committed it to trunk yet because I think it's kinda ugly. In
particular, I don't like how it duplicates some of the work done in ssdt.py,
but as of now there's not a good way to share the code between plugins.
Here's an attached copy of the plugin you can use for testing.
Tamer, can you please use the plugin and let us know if it needs any usability
or functionality fixes?
Ikelos, I'm not sure if you've reviewed this one, but if not can you give it a
look and let me know any style changes you'd make?
Thanks guys!
Original comment by michael.hale@gmail.com
on 30 Apr 2012 at 12:59
Attachments:
Original comment by jamie.l...@gmail.com
on 30 Apr 2012 at 1:28
Yep, just a couple of points...
BaseThreadCheck should inherit from object, otherwise it's an old style object
and we don't get some of the new jiggery-pokery that we've come to rely on for
certain things...
One of which is the __subclasses__ function, which can tell you all the direct
subclasses of a class (and therefore, recursively, all the subclasses). Since
this seems like it might be a new "class" of object type, you might want to
investigate the volatility.registry.get_plugin_classes() [1] for figuring out
the available classes. I'd far rather you use that over globals()...
That's just a two minute review, but the rest looks ok. Lemme know if you want
a longer/deeper look. I'd very much like to get all the malware plugins into
trunk since I believe they're currently the only thing holding up testing for
the 2.1 release... 5:)
[1] http://code.google.com/p/volatility/source/browse/trunk/volatility/registry.py#137
Original comment by mike.auty@gmail.com
on 30 Apr 2012 at 2:06
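As an added illustration of the review point above (example code written for this page, not the plugin attached to the issue and not Volatility's registry module): a new-style base class derived from `object` exposes `__subclasses__()`, and walking it recursively finds every check class, including indirect subclasses, without scanning `globals()`. Under Python 2, which Volatility 2.x targets, an old-style class has no `__subclasses__()` at all; under Python 3 every class is new-style. The check classes, the module map and the thread records below are hypothetical and constructed for the demonstration; `get_plugin_classes()` is not used here.

```python
"""Discover thread-check plugins through __subclasses__() rather than globals().

Everything here is constructed for illustration: the check names, the module
address map and the sample thread records are not real memory-image data.
"""


class BaseThreadCheck(object):
    """Deriving from object makes this a new-style class, so __subclasses__() exists."""

    name = "base"

    def check(self, thread, modules):
        """Return True when the thread is suspicious according to this check."""
        raise NotImplementedError


def all_subclasses(cls):
    """Breadth-first walk of cls.__subclasses__(), collecting indirect subclasses too.

    A 'seen' set guards against visiting a class twice under multiple inheritance.
    """
    found, seen = [], set()
    queue = list(cls.__subclasses__())
    while queue:
        sub = queue.pop(0)
        if sub in seen:
            continue
        seen.add(sub)
        found.append(sub)
        queue.extend(sub.__subclasses__())
    return found


class OrphanThreadCheck(BaseThreadCheck):
    """Hypothetical: start address does not fall inside any known module."""

    name = "orphan_start"

    def check(self, thread, modules):
        start = thread["start"]
        return not any(base <= start < base + size for base, size in modules.values())


class HiddenThreadCheck(BaseThreadCheck):
    """Hypothetical: thread carries a hide-from-debugger flag."""

    name = "hidden_from_debugger"

    def check(self, thread, modules):
        return thread["hide_from_debugger"]


class SystemOrphanCheck(OrphanThreadCheck):
    """Indirect subclass of BaseThreadCheck: only found by recursing, never by
    BaseThreadCheck.__subclasses__() alone."""

    name = "system_orphan_start"

    def check(self, thread, modules):
        return thread["pid"] == 4 and OrphanThreadCheck.check(self, thread, modules)


def registered_checks(base=BaseThreadCheck):
    """Names of every check class reachable from the base, sorted for stable output."""
    return sorted(cls.name for cls in all_subclasses(base))


def run_checks(threads, modules):
    """Instantiate each discovered check and map thread id -> sorted list of hits."""
    checks = [cls() for cls in all_subclasses(BaseThreadCheck)]
    results = {}
    for thread in threads:
        hits = sorted(c.name for c in checks if c.check(thread, modules))
        if hits:
            results[thread["tid"]] = hits
    return results


# Constructed module map: name -> (base address, size).
MODULES = {
    "ntoskrnl.exe": (0x80400000, 0x200000),
    "hal.dll": (0x80600000, 0x20000),
    "kernel32.dll": (0x7C800000, 0x100000),
}

# Constructed thread records; tid 44 starts outside every module, tid 1200 is hidden.
SAMPLE_THREADS = [
    {"tid": 8, "pid": 4, "start": 0x80412340, "hide_from_debugger": False},
    {"tid": 44, "pid": 4, "start": 0x8A1F0000, "hide_from_debugger": False},
    {"tid": 1200, "pid": 1188, "start": 0x7C810000, "hide_from_debugger": True},
]

if __name__ == "__main__":
    print(registered_checks())
    print(run_checks(SAMPLE_THREADS, MODULES))
```

Adding a new check is then a matter of defining one more subclass anywhere in the module; the walk picks it up without a hand-maintained list, which is the same property the reviewer wants from the registry helper.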
It is working.
Thanks a lot.
Original comment by tame...@gmail.com
on 30 Apr 2012 at 6:33
Thanks for giving it a look guys. I'll work on getting it up to par for
committing to trunk.
Original comment by michael.hale@gmail.com
on 1 May 2012 at 12:49
This issue was closed by revision r1678.
Original comment by michael.hale@gmail.com
on 8 May 2012 at 3:53
Original issue reported on code.google.com by
tame...@gmail.com
on 30 Apr 2012 at 8:44