Closed atcuno closed 2 months ago
@eve-mem @Abyss-W4tcher tagging for extra feedback
So, with the filtering happening on the rendered value (#1253), you should be able to specify `N/A` or `-` for the filter. It won't yet let you differentiate between the different AbsentValues, but this is going to get tricky if we want to let the CLI filter both on rendered value and on underlying meaning.
This works great!

N/A ->

```
$ python3 vol.py --filters MappedPath,N/A -f /mnt/samples/Sample14.lime windows.ldrmodules
Volatility 3 Framework 2.10.0
Pid Process Base InLoad InInit InMem MappedPath
836 lsass.exe 0x14894ca0000 False False False N/A
836 lsass.exe 0x14894970000 False False False N/A
836 lsass.exe 0x148949b0000 False False False N/A
836 lsass.exe 0x14894c00000 False False False N/A
4684 mi_x64.exe 0x4f0000 False False False N/A
4684 mi_x64.exe 0x5a0000 False False False N/A
4684 mi_x64.exe 0x2db0000 False False False N/A
```

By Hex:

```
$ python3 vol.py --filters Base,0x14894ca0000 -f /mnt/samples/Sample14.lime windows.ldrmodules
Volatility 3 Framework 2.10.0
Pid Process Base InLoad InInit InMem MappedPath
836 lsass.exe 0x14894ca0000 False False False N/A
```
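A small model of the rendered-value filter discussed above, added here as an example and not Volatility's own code: it assumes NotApplicable renders as `N/A` and every other absent kind as `-`, and the sample rows are constructed to resemble ldrmodules output. It shows why `MappedPath,-` matches rows whose absence has different underlying causes.

```python
from typing import Any, Dict, List, Tuple


class AbsentValue:
    """Placeholder a plugin emits when a cell has no data (modelled here)."""

class NotApplicableValue(AbsentValue):
    """The column does not apply to this row."""

class NotAvailableValue(AbsentValue):
    """The data could not be found in the image."""

class UnreadableValue(AbsentValue):
    """The data exists but its pages could not be read."""


def render(value: Any) -> str:
    """Assumed text rendering: NotApplicable -> 'N/A', any other absent
    kind -> '-', ints -> hex, everything else -> str()."""
    if isinstance(value, NotApplicableValue):
        return "N/A"
    if isinstance(value, AbsentValue):
        return "-"
    if isinstance(value, int) and not isinstance(value, bool):
        return hex(value)
    return str(value)


def parse_filter(spec: str) -> Tuple[str, str]:
    """Split a 'Column,Value' spec as given to --filters."""
    column, sep, wanted = spec.partition(",")
    if not sep or not column:
        raise ValueError(f"filter must be Column,Value: {spec!r}")
    return column, wanted


def apply_filter(rows: List[Dict[str, Any]], spec: str) -> List[Dict[str, Any]]:
    """Keep rows whose rendered cell equals the requested text: the filter
    sees only what the user sees, not which AbsentValue produced it."""
    column, wanted = parse_filter(spec)
    return [row for row in rows if render(row[column]) == wanted]


# Constructed sample rows shaped like ldrmodules output (not real data).
ROWS: List[Dict[str, Any]] = [
    {"Pid": 836, "Process": "lsass.exe", "Base": 0x14894CA0000, "MappedPath": NotApplicableValue()},
    {"Pid": 836, "Process": "lsass.exe", "Base": 0x14894970000, "MappedPath": NotAvailableValue()},
    {"Pid": 4684, "Process": "mi_x64.exe", "Base": 0x4F0000, "MappedPath": UnreadableValue()},
    {"Pid": 4, "Process": "System", "Base": 0x7FF6A0000000, "MappedPath": r"\Windows\System32\ntdll.dll"},
]
```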
@ikelos we talked about this, but need a ticket to have it actually happen.
The issue was that there is no direct mechanism, besides specifying `Value`, to filter to a column's value that is NotAvailable or NotApplicable. This is problematic as many of our malware reporting plugins will report blank columns when malware is present, so users will often want to see only these rows in the output - especially for plugins that otherwise produce substantial output. ldrmodules is a perfect example:
So 4,624 lines of output versus filtering to what is just the 7 lines related to the malware when using 'Value':
To get this fixed, we just need to come up with a better constant than 'Value'