misael1986 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

volshell's shell commands located under render_text #375

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The current Windows volshell command stores shell commands inside render_text, 
so if we need to make changes to, say, the list_entry function to support Linux 
or Mac, we'd need to override the entire render_text function (and that's where 
90% of the code is). 

for more information see:

http://code.google.com/p/volatility/source/detail?r=3017
http://code.google.com/p/volatility/source/detail?r=3021

For example, currently in linux_volshell the Windows list_entry function bleeds 
through:

>>> hh()
....
list_entry(head, objname, offset=-1, fieldname=None, forward=True) : Traverse a 
_LIST_ENTRY.
.....

If we want to modify list_entry() to walk Linux lists (instead of _LIST_ENTRY) 
it would be difficult. Also, if we wanted to remove the 'list_entry' command 
entirely from the shell so it doesn't show up in hh() for linux_volshell, we'd 
also have to override render_text because that's where the commands are set:

http://code.google.com/p/volatility/source/browse/trunk/volatility/plugins/volshell.py#377

Original issue reported on code.google.com by michael.hale@gmail.com on 4 Feb 2013 at 2:40

GoogleCodeExporter commented 8 years ago
Also, if we did something like this:

class volshell(....
    def __init__(.....
        self.process_struct = "_EPROCESS"

class linux_volshell(.....
    def __init__(....
        self.process_struct = "task_struct"

then approximately 30-40 lines of code could be shared between the two plugins 
by making volshell.set_context reference self.process_struct instead of 
hard-coding "_EPROCESS" and "task_struct"

Original comment by michael.hale@gmail.com on 4 Feb 2013 at 2:53

GoogleCodeExporter commented 8 years ago
Er, never mind on the set_context sharing; it also must be customized for 
process id and name etc.

Original comment by michael.hale@gmail.com on 4 Feb 2013 at 2:59

GoogleCodeExporter commented 8 years ago
I've just released some code that might progress this issue? The same code 
might also be of some relevance to issue #28 (since the code attempts to work 
around some of the issues associated with conf.ConfObject)?

The code is available within the volshell directory at (it's designed as 
replacement code rather than as "plugin" code):
  https://github.com/carlpulley/volatility

Here's the relevant text from the README:

  volshell.py - this plugin is a reworking of the existing Volatility volshell
    plugin. Major changes are as follows:
      + hh has been deleted. All help information is now available as Python
        documentation strings. For example, help(self) and dir(self) give general
        command help, whilst help(<command>) provides help on a specific command.
        TODO: when using the IPython command line prompt, __builtin__.help currently 
          overwrites the defined help alias (to self.help), so it is necessary to 
          manually correct this by entering 'help = self.help' after the IPython 
          shell starts. Failing to do this means that individual plugin help will
          be limited.
      + the type of volshell instance launched (i.e. WinVolshell, LinuxVolshell, 
        MacVolshell, etc.) is chosen using the profile metadata (specifically the 
        os attribute). When the OS is unknown, a base Volshell is launched - so 
        just load the image and go!
      + all Volatility plugins are potentially available as commands. These are 
        filtered using the image's profile. Any plugin without a render_text is 
        additionally filtered out. Plugin commands can produce three types of 
        output:
          * with render=True, the plugin prints to stdout
          * with render=False and table_data=True, the plugin hooks the table_header 
            and table_row methods and returns a list of hashes representing the 
            displayed tabular data
          * with render=False and table_data=False, the plugin returns the plugin's 
            calculate result.
        Plugin arguments are scraped by hooking the singleton class conf.ConfObject 
        and grabbing command line options. These are used (after filtering out generic 
        options from commands.Command) to generate valid keyword arguments with 
        defaults (if specified). Plugin commands are dynamically added to the Volshell 
        class and are accessed via self.<command>. For convenience, aliases are 
        generated using '<command> = self.<command>'.
      + it is now possible to override existing commands in BaseVolshell (e.g. see ps 
        in WinVolshell, LinuxVolshell and MacVolshell) and to add in commands that 
        are OS specific (e.g. see WinVolshell for list_entry).
      + a source command has been added to ease loading Volshell scripts into the 
        current session. Any function in the loaded file matching the pattern:

          def func(self, ..):
            ..

        is blindly bound to the current Volshell instance and made available as self.func(..) 
        or func(self, ..). If this code was located in /path/to/func.py then it can be sourced
        using the Volshell command (for convenience, sys.path is also searched):

          source("/path/to/func.py")

        TODO: implement code to assign 'func = self.func' in the Volshell session.
      + [EXPERIMENTAL] it is possible to use the Volshell plugin in a "Volatility as a 
        library" like manner [1]. The following simple code demonstrates the idea by 
        printing out a (sorted) process tree:

          from itertools import groupby
          from volatility.plugins.volshell import Volshell

          def analyse(mem_image):
              # library mode: no command line is parsed, the image path is passed in
              shell = Volshell(filename=mem_image)
              # in this mode pslist() returns a list of hashes (one per table row),
              # so the rows can be grouped by parent without parsing rendered text
              by_ppid = sorted(shell.pslist(), key=lambda x: x['PPID'])
              for ppid, procs in groupby(by_ppid, lambda x: x['PPID']):
                  print "PPID: {0}".format(ppid)
                  for proc in procs:
                      print "  PID: {0}".format(proc['PID'])

        In library mode, the Volshell plugin related methods (i.e. the help, calculate  
        and render_* methods) are disabled.
        TODO: generate examples demonstrating the potential uses for Volshell script 
          and library code.
      + [EXPERIMENTAL] based on [2] and [3], there appears to be a longer term preference 
        for IPython being the default command line experience (+1 from myself!). So, when 
        we failover to a basic Python Volshell, an IPython "nag" banner is displayed on 
        startup.

    INSTALLATION: run the following commands to install (WARNING: the existing Volshell 
      code is deleted):

        rm $VOLATILITY_SRC/volatility/plugins/linux/linux_volshell.py
        rm $VOLATILITY_SRC/volatility/plugins/mac/mac_volshell.py
        cp -f volshell/volshell.py $VOLATILITY_SRC/volatility/plugins/
        cp -fr volshell/linux $VOLATILITY_SRC/volatility/plugins/
        cp -fr volshell/mac $VOLATILITY_SRC/volatility/plugins/
        cp -fr volshell/windows $VOLATILITY_SRC/volatility/plugins/

REFERENCES:
===========

[1] Using Volatility as a Library (accessed 24/Mar/2013):
      https://code.google.com/p/volatility/wiki/VolatilityUsage23#Using_Volatility_as_a_Library
[2] Volatility Roadmap: Volatility 3.0 (Official Tech Preview Merge) (accessed 24/Mar/2013):
      https://code.google.com/p/volatility/wiki/VolatilityRoadmap#Volatility_3.0_(Official_Tech_Preview_Merge)
[3] Volatility Technology Preview Documentation: Tutorial (accessed 24/Mar/2013):
      https://volatility.googlecode.com/svn/branches/scudette/docs/tutorial.html

Original comment by carl.pulley on 25 Mar 2013 at 9:47
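As an added example (an editor's illustration, not carl.pulley's code and not part of Volatility), here is a stand-alone Python model of two mechanisms the README above describes: the render/table_data output modes, captured by hooking table_header and table_row on the plugin instance, and the source command that binds every `def func(self, ...)` in a file to the live shell. FakePsList, its sample rows, SCRIPT and demo() are all constructed for this example; nothing from the real volatility package is imported, so it runs anywhere.

```python
import os
import sys
import tempfile
import types


class FakePsList(object):
    """Constructed stand-in for a Volatility plugin, not a real one: calculate()
    yields rows and render_text() prints them via table_header()/table_row()."""
    SAMPLE = [("System", 4, 0), ("smss.exe", 368, 4), ("csrss.exe", 584, 368)]

    def calculate(self):
        return iter(self.SAMPLE)          # (name, pid, ppid) per row

    def table_header(self, outfd, columns):
        outfd.write("  ".join(name for name, _width in columns) + "\n")

    def table_row(self, outfd, *values):
        outfd.write("  ".join(str(v) for v in values) + "\n")

    def render_text(self, outfd, data):
        self.table_header(outfd, [("Name", "20"), ("PID", "6"), ("PPID", "6")])
        for name, pid, ppid in data:
            self.table_row(outfd, name, pid, ppid)


def run_plugin(plugin, render=True, table_data=True, outfd=sys.stdout):
    """The README's three output modes: print; list of dicts (one per table
    row) by hooking table_header/table_row; or the raw calculate() result."""
    data = plugin.calculate()
    if render:
        plugin.render_text(outfd, data)
        return None
    if not table_data:
        return list(data)
    headers, rows = [], []

    def hooked_header(_outfd, columns):
        headers[:] = [name for name, _width in columns]

    def hooked_row(_outfd, *values):
        rows.append(dict(zip(headers, values)))

    # Patch the instance, not the class, and always unpatch so a render that
    # raises cannot leave the plugin hooked for the next caller.
    plugin.table_header, plugin.table_row = hooked_header, hooked_row
    try:
        plugin.render_text(outfd, data)
    finally:
        del plugin.table_header, plugin.table_row
    return rows


class Volshell(object):
    """Each plugin becomes self.<command>; source() binds script functions."""
    def __init__(self, plugins):
        for name, plugin in plugins.items():
            setattr(self, name, self._make_command(plugin))

    @staticmethod
    def _make_command(plugin):
        def command(render=False, table_data=True):   # library-style default
            return run_plugin(plugin, render=render, table_data=table_data)
        return command

    def source(self, path):
        """Execute path and bind every `def func(self, ...)` in it to this shell.
        Only the first parameter name is checked, so source trusted files only."""
        namespace = {}
        with open(path) as fh:
            exec(compile(fh.read(), path, "exec"), namespace)
        bound = []
        for name, obj in namespace.items():
            if not isinstance(obj, types.FunctionType):
                continue
            code = obj.__code__
            if code.co_argcount and code.co_varnames[0] == "self":
                setattr(self, name, types.MethodType(obj, self))
                bound.append(name)
        return sorted(bound)


# Constructed Volshell script; it relies only on the pslist command above.
SCRIPT = '''
def ppids(self):
    tree = {}                      # PPID -> [PID, ...] from captured rows
    for row in self.pslist():
        tree.setdefault(row["PPID"], []).append(row["PID"])
    return tree
'''


def demo():
    """Source SCRIPT into a shell and call the command it added."""
    shell = Volshell({"pslist": FakePsList()})
    path = os.path.join(tempfile.mkdtemp(), "ppids.py")
    with open(path, "w") as fh:
        fh.write(SCRIPT)
    shell.source(path)
    return shell.ppids()
```

Calling demo() returns {0: [4], 4: [368], 368: [584]} for the constructed rows. Two design points are worth keeping if you build on the README's approach: hook the plugin instance rather than its class, and unhook in a finally block, otherwise one failed render leaks the capture state into every later caller of that plugin; and source() executes the file outright, so a sourced script has exactly the access the shell itself has.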

GoogleCodeExporter commented 8 years ago

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 9:20

GoogleCodeExporter commented 8 years ago

Original comment by jamie.l...@gmail.com on 20 Nov 2014 at 8:34