ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Malware threads plugin not yet ported to trunk #249

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Looks like threads is missing

When run (on Windows 7):

vol.py --profile=WinXPSP2x86  -f e:\DumpIt\prolaco.vmem threads -F OrphanThread

The output:
Volatile Systems Volatility Framework 2.1_alpha
Usage: Volatility - A memory forensics analysis platform.
vol.py: error: no such option: -F

I noted threads is not listed in vol.py -h, however it is listed in the command reference.

What is the issue?

Thanks in advance
Tamer Hassan

Original issue reported on code.google.com by tame...@gmail.com on 30 Apr 2012 at 8:44

GoogleCodeExporter commented 9 years ago
That's part of the malware collection of plugins.  It hasn't been converted 
over to the main trunk yet, so if you require it, please install volatility-2.0 
and use the malware.py file from the Malware Analyst's Cookbook website[1]...

[1] http://malwarecookbook.googlecode.com/

Original comment by mike.auty@gmail.com on 30 Apr 2012 at 10:45

GoogleCodeExporter commented 9 years ago
Actually, I have ported it to 2.1 and it works on xp/2003/2008/vista/7 x86 and 
x64, but I haven't committed it to trunk yet because I think it's kinda ugly. In 
particular, I don't like how it duplicates some of the work done in ssdt.py, 
but as of now there's not a good way to share the code between plugins. 

Here's an attached copy of the plugin you can use for testing.

Tamer, can you please use the plugin and let us know if it needs any usability 
or functionality fixes? 

Ikelos, I'm not sure if you've reviewed this one, but if not can you give it a 
look and let me know any style changes you'd make? 

Thanks guys!

Original comment by michael.hale@gmail.com on 30 Apr 2012 at 12:59

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by jamie.l...@gmail.com on 30 Apr 2012 at 1:28

GoogleCodeExporter commented 9 years ago
Yep, just a couple of points...

BaseThreadCheck should inherit from object, otherwise it's an old style object 
and we don't get some of the new jiggery-pokery that we've come to rely on for 
certain things...

One of which is the __subclasses__ function, that can tell you all the direct 
subclasses of a class (and therefore recursively all the subclasses), since 
this seems like it might be a new "class" of object type, you might want to 
investigate the volatility.registry.get_plugin_classes() [1] for figuring out 
the available classes.  I'd far rather you use that over globals()...

That's just a two minute review, but the rest looks ok.  Lemme know if you want 
a longer/deeper look.  I'd very much like to get all the malware plugins into 
trunk since I believe they're currently the only thing holding up testing for 
the 2.1 release...  5:)

[1] http://code.google.com/p/volatility/source/browse/trunk/volatility/registry.py#137

Original comment by mike.auty@gmail.com on 30 Apr 2012 at 2:06
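Added example, not code from the Volatility project or from the attached plugin: a small stand-alone model of the approach the review comment above recommends, a BaseThreadCheck that inherits from object and a recursive walk over `__subclasses__` to enumerate the available checks instead of reaching into globals(), plus the -F style name filter from the original report. Everything except the names BaseThreadCheck and OrphanThread (the hypothetical check classes, the thread fields, the sample threads) is constructed for illustration; Volatility's own registry.get_plugin_classes() is not called here so the snippet runs offline.

```python
# Added example: class discovery via __subclasses__ rather than globals().
# On Python 2 (the Volatility 2.x era) inheriting from object is what makes this
# a new-style class and gives it __subclasses__; on Python 3 every class is new-style.
class BaseThreadCheck(object):
    """Base for thread checks; each subclass flags one kind of suspicious thread."""

    def check(self, thread):
        raise NotImplementedError


class OrphanThread(BaseThreadCheck):
    """Thread whose start address falls in no known module (name taken from the -F example)."""

    def check(self, thread):
        return thread.get("start_module") is None


class HypotheticalAttachedProcess(BaseThreadCheck):
    """Hypothetical check: thread currently attached to a process other than its owner."""

    def check(self, thread):
        attached = thread.get("attached_pid")
        return attached is not None and attached != thread.get("pid")


class HypotheticalHideFromDebugger(HypotheticalAttachedProcess):
    """Hypothetical indirect subclass, present only to exercise the recursive walk."""

    def check(self, thread):
        return bool(thread.get("hide_from_debugger"))


def all_subclasses(cls):
    """Recursively collect every subclass of cls, direct and indirect."""
    found = []
    for sub in cls.__subclasses__():
        found.append(sub)
        found.extend(all_subclasses(sub))
    return found


def available_checks():
    """Map check name -> class, discovered from the class hierarchy, not globals()."""
    return dict((c.__name__, c) for c in all_subclasses(BaseThreadCheck))


def select_checks(filter_names=None):
    """Mirror of a -F option: comma-separated check names, or every check when None.
    Unknown names raise ValueError instead of silently running nothing."""
    checks = available_checks()
    if not filter_names:
        return list(checks.values())
    selected = []
    for name in filter_names.split(","):
        name = name.strip()
        if name not in checks:
            raise ValueError("unknown check: %s (available: %s)"
                             % (name, ", ".join(sorted(checks))))
        selected.append(checks[name])
    return selected


def run_checks(threads, filter_names=None):
    """Return {tid: sorted list of check names that fired} for flagged threads only."""
    results = {}
    for cls in select_checks(filter_names):
        check = cls()
        for t in threads:
            if check.check(t):
                results.setdefault(t["tid"], []).append(cls.__name__)
    return dict((tid, sorted(names)) for tid, names in results.items())


# Constructed sample threads (not real memory-image data), as plain dicts.
SAMPLE_THREADS = [
    {"tid": 100, "pid": 4, "start_module": "ntoskrnl.exe", "attached_pid": None},
    {"tid": 2244, "pid": 4, "start_module": None, "attached_pid": None},
    {"tid": 3120, "pid": 1234, "start_module": "kernel32.dll", "attached_pid": 4},
    {"tid": 4408, "pid": 1234, "start_module": "kernel32.dll",
     "attached_pid": None, "hide_from_debugger": True},
]

if __name__ == "__main__":
    print("checks:", sorted(available_checks()))
    print("all:", run_checks(SAMPLE_THREADS))
    print("-F OrphanThread:", run_checks(SAMPLE_THREADS, "OrphanThread"))
```

Because discovery walks the hierarchy, a new check only needs to subclass BaseThreadCheck (anywhere, at any depth) to show up in the -F list; nothing has to be registered by name, which is the same property the review points to in registry.get_plugin_classes().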

GoogleCodeExporter commented 9 years ago
it is working

Thanks a lot

Original comment by tame...@gmail.com on 30 Apr 2012 at 6:33

GoogleCodeExporter commented 9 years ago
Thanks for giving it a look guys. I'll work on getting it up to par for 
committing to trunk. 

Original comment by michael.hale@gmail.com on 1 May 2012 at 12:49

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1678.

Original comment by michael.hale@gmail.com on 8 May 2012 at 3:53