volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Add first version of regex scanning plugins #1353

Closed eve-mem closed 15 hours ago

eve-mem commented 1 week ago

Hello :wave:

This PR introduces new regex scanning plugins for Linux and Windows, providing a simple way to search memory for specific patterns using regular expressions. While the existing yarascan plugins can achieve similar results, they require Yara to be installed and involve writing full Yara rules. For some users, crafting simple regex patterns is faster and more intuitive. I know I've struggled when explaining to some people how to use Yara rules in this way.

This feature was inspired by a question from a user who asked if a plugin like this could be created. I hope it simplifies some work and makes memory analysis more accessible.

Here is some example output:

Generic kernel version:

$ python3 vol.py -f linux-sample-1.dmp regexscan.RegExScan --pattern "(Linux version|Darwin Kernel Version) [0-9]+\.[0-9]+\.[0-9]+"
Volatility 3 Framework 2.11.0
Progress:  100.00               PDB scanning finished                      
Offset  Text    Hex

0x880001400070  Linux version 3.2.0     4c 69 6e 75 78 20 76 65 72 73 69 6f 6e 20 33 2e 32 2e 30
0x880001769027  Linux version 3.2.0     4c 69 6e 75 78 20 76 65 72 73 69 6f 6e 20 33 2e 32 2e 30
0xffff81400070  Linux version 3.2.0     4c 69 6e 75 78 20 76 65 72 73 69 6f 6e 20 33 2e 32 2e 30
0xffff81769027  Linux version 3.2.0     4c 69 6e 75 78 20 76 65 72 73 69 6f 6e 20 33 2e 32 2e 30

Windows version:

$ python3 vol.py -r pretty -f win-xp-laptop-2005-06-25.img windows.vadregexscan --pattern '((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}' --pid 944
Volatility 3 Framework 2.11.0
Formatting...0.00               PDB scanning finished                        
  | PID |      Process |     Offset |            Text |                                          Hex
* | 944 | PluckSvr.exe |   0x162cfc |   66.179.81.247 |       36 36 2e 31 37 39 2e 38 31 2e 32 34 37
* | 944 | PluckSvr.exe |   0x185a54 |   66.179.81.247 |       36 36 2e 31 37 39 2e 38 31 2e 32 34 37
* | 944 | PluckSvr.exe |   0x18cc84 |   66.179.81.247 |       36 36 2e 31 37 39 2e 38 31 2e 32 34 37
* | 944 | PluckSvr.exe | 0x2009fe1c |        49.1.1.4 |                      34 39 2e 31 2e 31 2e 34
* | 944 | PluckSvr.exe | 0x2026117d |       2.6.32.68 |                   32 2e 36 2e 33 32 2e 36 38
* | 944 | PluckSvr.exe | 0x4d4f16aa | 255.255.255.255 | 32 35 35 2e 32 35 35 2e 32 35 35 2e 32 35 35
* | 944 | PluckSvr.exe | 0x749c1848 |       127.0.0.1 |                   31 32 37 2e 30 2e 30 2e 31
* | 944 | PluckSvr.exe | 0x76f235dc | 255.255.255.255 | 32 35 35 2e 32 35 35 2e 32 35 35 2e 32 35 35

Linux version:

$ python3 vol.py -r pretty -f linux-sample-1.dmp linux.vmaregexscan --pattern '((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}' --pid 8503
Volatility 3 Framework 2.11.0
Formatting...0.00               Stacking attempts finished                 
  |  PID | Process |         Offset |            Text |                                          Hex
* | 8503 |    bash |      0x135dcc8 |   192.168.201.1 |       31 39 32 2e 31 36 38 2e 32 30 31 2e 31
* | 8503 |    bash |      0x135dd13 |   192.168.201.1 |       31 39 32 2e 31 36 38 2e 32 30 31 2e 31
* | 8503 |    bash |      0x135ddc8 |   192.168.201.1 |       31 39 32 2e 31 36 38 2e 32 30 31 2e 31
* | 8503 |    bash |      0x135dddc | 192.168.201.161 | 31 39 32 2e 31 36 38 2e 32 30 31 2e 31 36 31
* | 8503 |    bash |      0x135de17 |   192.168.201.1 |       31 39 32 2e 31 36 38 2e 32 30 31 2e 31
* | 8503 |    bash |      0x135de2b | 192.168.201.161 | 31 39 32 2e 31 36 38 2e 32 30 31 2e 31 36 31
* | 8503 |    bash |      0x1361a93 |   192.168.201.1 |       31 39 32 2e 31 36 38 2e 32 30 31 2e 31
* | 8503 |    bash |      0x1362417 |   192.168.201.1 |       31 39 32 2e 31 36 38 2e 32 30 31 2e 31
* | 8503 |    bash |      0x136242b | 192.168.201.161 | 31 39 32 2e 31 36 38 2e 32 30 31 2e 31 36 31
* | 8503 |    bash | 0x7fff765b1f29 |   192.168.201.1 |       31 39 32 2e 31 36 38 2e 32 30 31 2e 31
* | 8503 |    bash | 0x7fff765b1f4f |   192.168.201.1 |       31 39 32 2e 31 36 38 2e 32 30 31 2e 31
* | 8503 |    bash | 0x7fff765b1f63 | 192.168.201.161 | 31 39 32 2e 31 36 38 2e 32 30 31 2e 31 36 31

Let me know what you think, thanks! :fox_face:
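
The scan described in this PR, reduced to a stand-alone script as an added illustration (this is not the plugin's code and uses no Volatility API): the IPv4 pattern from the examples above is compiled as a bytes regex and run over a constructed buffer, yielding the same Offset / Text / Hex columns. A second function walks the buffer in fixed-size windows, which is how a large memory region has to be scanned, and shows the two conditions under which the windowed result equals the whole-buffer result: the window must extend past the chunk by at least the longest possible match (`max_match`, assumed to be 15 bytes for dotted quads), and searching must resume after the previous hit's end so the tail of a hit that crossed a chunk boundary is not re-reported. The buffer contents, the `base` address and the helper names are all constructed for the example.

```python
import re
from typing import List, NamedTuple

# Added illustration, not the plugin's code: a whole-buffer regex scan and a
# windowed variant that report the same Offset / Text / Hex columns the PR
# output shows. Everything below is constructed; no Volatility API is used.

# The IPv4 pattern used in the PR's examples, compiled as a bytes regex so it
# runs directly over raw memory contents rather than decoded text.
IPV4_PATTERN = rb'((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}'


class Hit(NamedTuple):
    offset: int    # address of the first matched byte
    text: str      # matched bytes decoded as ASCII
    hexdump: str   # matched bytes as space-separated hex


def _hit(offset: int, raw: bytes) -> Hit:
    return Hit(offset, raw.decode('ascii', errors='replace'),
               ' '.join(f'{b:02x}' for b in raw))


def regex_scan(data: bytes, pattern: bytes, base: int = 0) -> List[Hit]:
    """Non-overlapping matches of `pattern` over the whole buffer.
    `base` is the address of data[0], so offsets read like memory addresses."""
    regex = re.compile(pattern)
    return [_hit(base + m.start(), m.group(0)) for m in regex.finditer(data)]


def regex_scan_chunked(data: bytes, pattern: bytes, chunk_size: int = 32,
                       max_match: int = 15, base: int = 0) -> List[Hit]:
    """Same result as regex_scan, but walking the buffer in fixed windows the
    way a large memory region is scanned. Two details keep it identical:
      * each window is extended by `max_match` bytes so a hit that starts in
        this chunk but ends in the next one is seen whole (assumption: no
        match is longer than max_match; 15 bytes covers a dotted quad), and
      * searching resumes after the previous hit's end, so the tail of a hit
        that crossed into this chunk (e.g. "55.255.255.255") is not re-reported.
    Hits that start inside the overlap are left to the next chunk.
    The pattern always consumes at least one byte, so the loop terminates."""
    regex = re.compile(pattern)
    hits: List[Hit] = []
    last_end = 0  # absolute offset just past the last accepted hit
    for chunk_start in range(0, len(data), chunk_size):
        window = data[chunk_start:chunk_start + chunk_size + max_match]
        pos = max(0, last_end - chunk_start)
        while True:
            m = regex.search(window, pos)
            if m is None or m.start() >= chunk_size:
                break
            hits.append(_hit(base + chunk_start + m.start(), m.group(0)))
            last_end = chunk_start + m.end()
            pos = m.end()
    return hits


# Constructed sample "memory": two dotted quads and a version string embedded
# in filler bytes; the version string matches too, as it does in the PR output.
SAMPLE = (
    b'\x00' * 16                              # offsets 0..15
    + b'connect to 192.168.201.1 now\x00'     # quad starts at offset 27
    + b'\xff' * 8
    + b'version 2.6.32.68\x00'                # "2.6.32.68" starts at offset 61
    + b'255.255.255.255'                      # starts at offset 71, ends the buffer
)

if __name__ == '__main__':
    for h in regex_scan(SAMPLE, IPV4_PATTERN, base=0x400000):
        print(f'{h.offset:#x}\t{h.text}\t{h.hexdump}')
```

Running the script prints three rows; the hex column for the first one is the same `31 39 32 2e 31 36 38 2e 32 30 31 2e 31` seen in the Linux output above. Shrinking `chunk_size` to 8 forces every hit to straddle a window boundary, and the chunked scan still returns exactly the whole-buffer result, which is the property a scanner over process memory needs.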

eve-mem commented 4 days ago

Resolved import issue and updated as per suggestions—thanks for the guidance @ikelos.

:fox_face:

eve-mem commented 4 days ago

I think this is ready for a review now. :heart: Thanks!

ikelos commented 15 hours ago

Yep, looks good, thanks! 5:)