Leor3961 / volatility

Automatically exported from code.google.com/p/volatility

Request for a plugin to interactively explore a memory image #48

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hi guys,

Just figured I'd make a place to watch what goes on with respect to making a 
console that allows people to do "dt" commands and so on.  I've had a first 
stab at converting volshell to 1.4.  It's not completely converted (I'm not 
sure what context offsets are supposed to be, whether from flat or kernel or 
process space) and mostly dt doesn't work properly yet, but it should be a base 
to go from...

Feel free to submit new versions/diffs of fixes, and when it's in a good 
working order, we can commit it as a core plugin.

Original issue reported on code.google.com by mike.auty@gmail.com on 3 Dec 2010 at 4:22

Attachments:

GoogleCodeExporter commented 8 years ago
Ok, slightly newer version, this time hopefully with a working dt command.  I 
haven't managed to test the list traversal, and run through the remaining code 
to make sure it meets the style guidelines, but definitely getting closer.  I 
also found a couple of issues which present themselves during the use of dt, 
but I've fixed them in r570.

Original comment by mike.auty@gmail.com on 22 Dec 2010 at 2:26

Attachments:

GoogleCodeExporter commented 8 years ago
Ok, well, since no complaints, I've committed this to contrib in r588.  I'll 
leave this open for bugs/issues, please test it and let me know if there's any 
problems.

Original comment by mike.auty@gmail.com on 12 Jan 2011 at 2:26

GoogleCodeExporter commented 8 years ago
No problems so far - working very nicely, but I've only been using cc, db, and 
dd. At some point we should update the distorm dependency to distorm3 
(http://code.google.com/p/distorm/). I can make this change though, because I 
just converted all the malware plugins from using pydasm to distorm3, so it 
should be a quick copy and paste job. 

Original comment by michael.hale@gmail.com on 13 Jan 2011 at 5:51

GoogleCodeExporter commented 8 years ago
Just jotting down some notes here to myself so I don't forget. db outputs 
addresses in caps but dd uses lowercase. We should keep them consistent:

>>> dd(0x00bde820)
00bde820  00bde778 00bde8ac 004644d0 0000018d
00bde830  00000000 00000003 000002c8 0045b230
00bde840  00000020 00000004 000001c5 00000000
00bde850  00000000 00000000 00000000 00000002
00bde860  00000001 00000000 00467158 00000000
00bde870  00000000 0045b100 00000000 00000003
00bde880  00bde8c8 00000000 00000000 00000000
00bde890  0000009a 0045bd58 0045bd58 00000004
>>> db(0x00bde820)
00BDE820   78 E7 BD 00 AC E8 BD 00 D0 44 46 00 8D 01 00 00    x........DF.....
00BDE830   00 00 00 00 03 00 00 00 C8 02 00 00 30 B2 45 00    ............0.E.
00BDE840   20 00 00 00 04 00 00 00 C5 01 00 00 00 00 00 00     ...............
00BDE850   00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00    ................
00BDE860   01 00 00 00 00 00 00 00 58 71 46 00 00 00 00 00    ........XqF.....
00BDE870   00 00 00 00 00 B1 45 00 00 00 00 00 03 00 00 00    ......E.........
00BDE880   C8 E8 BD 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
00BDE890   9A 00 00 00 58 BD 45 00 58 BD 45 00 04 00 00 00    ....X.E.X.E.....

Original comment by michael.hale@gmail.com on 13 Jan 2011 at 9:35
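As an added illustration of the case-consistency point above (example code, not volshell's own implementation): a minimal `dd`/`db` pair that formats both address columns in lowercase and is fed the same bytes, so the dword view can be checked against the byte view (little-endian). The sample bytes are constructed from the first two `db` lines quoted in the comment; the function names are assumed for the example.

```python
"""Example only: volshell-style dword ('dd') and byte ('db') dumps with one
address format, so the two views line up. Python 3 assumed."""
import struct

# Constructed sample: the 32 bytes shown in the first two db() lines above,
# as they would sit in memory at 0x00bde820.
SAMPLE_ADDR = 0x00BDE820
SAMPLE = bytes.fromhex(
    "78e7bd00ace8bd00d04446008d010000"
    "0000000003000000c802000030b24500"
)


def dd(addr, data):
    """Dword dump: four little-endian uint32 per line, lowercase hex throughout."""
    lines = []
    for off in range(0, len(data) - len(data) % 4, 16):
        chunk = data[off:off + 16]
        nwords = len(chunk) // 4  # ignore a trailing partial dword
        words = struct.unpack("<%dI" % nwords, chunk[:nwords * 4])
        lines.append("{0:08x}  {1}".format(
            addr + off, " ".join("{0:08x}".format(w) for w in words)))
    return lines


def db(addr, data):
    """Byte dump: 16 bytes per line plus a printable-ASCII column, lowercase address."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        hexpart = " ".join("{0:02x}".format(b) for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append("{0:08x}   {1:<47}    {2}".format(addr + off, hexpart, text))
    return lines


def addresses(lines):
    """Address column of a dump; both views should yield identical strings."""
    return [ln.split()[0] for ln in lines]


if __name__ == "__main__":
    for ln in dd(SAMPLE_ADDR, SAMPLE) + db(SAMPLE_ADDR, SAMPLE):
        print(ln)
```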

GoogleCodeExporter commented 8 years ago
Ok, I've converted them to lowercase, and also converted the remaining % 
formatting into .format() formatting.  All checked in in commit r589.  5:)

Original comment by mike.auty@gmail.com on 14 Jan 2011 at 12:52

GoogleCodeExporter commented 8 years ago
What's up. Thanks for those changes. I attached a modified copy of r589 with 
the following mods:

Fixed a bug in dt() when an address is supplied (obj vs objct).
Updated disasm engine from distorm to distorm3. 
Fixed a bug in dis() where it said processs instead of process.

I'd commit myself but there are a few other files I've modified for VAD stuff 
and I don't want to commit those just yet. Is there an easy way to commit 
certain files and not others (like exclude some by name)? I couldn't find a way 
that doesn't involve a ridiculous command involving grep, egrep, xargs, and 
awk...

Original comment by michael.hale@gmail.com on 14 Jan 2011 at 4:28

Attachments:

GoogleCodeExporter commented 8 years ago
Thanks, I've committed the patch.  5:)

Subversion doesn't have a staging area unfortunately, so it's either all the 
changes you make or none of them.  One method would be to get subversion to 
produce a patch, then modify it until it just contains the changes you want, 
then apply it to another subversion check out, but that's a bit cumbersome.

I tend to use git to handle my subversion check out (git svn clone, edit, git 
commit, git svn dcommit, remote changes, git svn rebase), and that luckily 
comes with a staging area so you can specify what you do and don't want to 
commit (and you can stash temporary changes relatively easily).  I imagine 
mercurial has similar facilities, so one of those might make handling commits 
easier.  5:)

Original comment by mike.auty@gmail.com on 14 Jan 2011 at 12:31

GoogleCodeExporter commented 8 years ago
Ok, so after some much appreciated testing from MHL, this version seems ok, so 
I'm going to close this issue.  If there's any additional features required for 
volshell, please open separate bugs for them...

Original comment by mike.auty@gmail.com on 14 Jan 2011 at 10:34