Open Kmasa-cysec opened 4 years ago
In volatility 3 we return the field as bytes (and potentially provide a hint as to how to display it). We don't really have the luxury of multi-line output in the CLI, and we figured that given how long the blocks are, providing the hex output was the most consistent way to communicate the information provided. We're hoping now that vol3 can be used as a library that richer clients can be written that will offer the options and scope to display the output in different ways at the user's choice, but the CLI is rather packed from an options perspective. There is scope for renderer options (to allow choices over how things like byte stream are displayed), but that's quite far down the roadmap...
Maybe a luxury thing, but I must say I am really missing the extra information of process name and PID associated with each search hit. Wouldn't it be great to see that in one or two extra columns? It is much easier to visually correlate output information from different modules if the PID is available.
@ikelos: I suppose these richer clients you mention are not available at the moment and might even first appear as commercial products?
@swepeba The extra information you're after is available if you use the vadyarascan plugin, which is windows specific and is able to understand what a process is and that the information lives within a process's memory space. The standard yarascan plugin is OS agnostic and will work with memory images for mac, linux and windows, on any intel layer that volatility 3 can construct. The question that was posted is about the hexdump in particular...
There aren't many rich clients out there, but there are already developers starting to work with volatility 3. To my knowledge none of them are commercial. At the moment there's a toy web-based gui, called Volumetric, that the foundation built which is under the same license as volatility 3, and I believe there's also Orochi which I believe is not commercial either.
The main drive of this project is to produce a library that can be used for whatever purpose would be helpful, and the CLI which everyone is familiar with is just one example interface towards that end. If you suitably improve the CLI to produce appropriate output, or wish to modify the CLI (by producing a new CLIRenderer) then we'd be happy to review it and consider it for inclusion. You might also be interested in the renderer-options branch which would allow configuration of specific renderers (but at the cost of exploding the number of options that CLI has to support).
I hope that provides you a bit more information on how you can access the information you're after, and why the library and CLI have been designed the way they have... 5:)
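The two points made above, that a plugin hands the matched bytes back as a field which the CLI renders as a single hex string, and that a richer client could both render those bytes differently and join a hit to the process that owns the address, can be shown with a small stand-alone client. This is an added illustration for the thread, not Volatility's own code and not how vadyarascan is implemented; it assumes a hit is just (rule, virtual offset, matched bytes) and that the client already knows each process's VAD ranges. The processes, ranges and hits are constructed sample data.

```python
"""Client-side rendering of yarascan-style hits (added example, not Volatility code).

Shows (a) the single-line hex rendering of a bytes field, as the vol3 CLI does,
(b) a vol2.6-style multi-line hexdump of the same bytes, and (c) joining a hit
to the owning process by looking its offset up in constructed VAD ranges.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Hit:
    rule: str
    offset: int   # virtual address of the match (hypothetical shape, see lead-in)
    data: bytes   # the matched bytes, returned as a field rather than pre-formatted


@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    vads: Tuple[Tuple[int, int], ...]   # (start, end) half-open ranges


def hex_field(data: bytes) -> str:
    """Single-line hex string: what a packed CLI can show in one column."""
    return data.hex()


def hexdump(data: bytes, base: int, width: int = 16) -> List[str]:
    """Offset / hex / ASCII lines, the multi-line style vol2.6 printed."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk).ljust(width * 3 - 1)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base + i:#018x}  {hexpart}  {text}")
    return lines


def owner_of(offset: int, procs: Sequence[Process]) -> Optional[Process]:
    """Map a virtual offset to the process whose VAD range contains it."""
    for p in procs:
        for start, end in p.vads:
            if start <= offset < end:
                return p
    return None


def render(hits: Sequence[Hit], procs: Sequence[Process], style: str = "hex"):
    """Return (rule, pid, name, offset, body) rows; the client picks the style."""
    rows = []
    for h in hits:
        p = owner_of(h.offset, procs)
        pid = p.pid if p else None
        name = p.name if p else "(unknown)"
        body = hex_field(h.data) if style == "hex" else "\n".join(hexdump(h.data, h.offset))
        rows.append((h.rule, pid, name, h.offset, body))
    return rows


# Constructed sample data: two processes with made-up VAD ranges, two hits.
SAMPLE_PROCS = (
    Process(4, "System", ((0xFFFFF80000000000, 0xFFFFF80000100000),)),
    Process(1234, "notepad.exe", ((0x00007FF6A0000000, 0x00007FF6A0010000),
                                  (0x0000020000000000, 0x0000020000020000))),
)
SAMPLE_HITS = (
    Hit("dos_header", 0x0000020000001000, b"MZ\x90\x00This program cannot be run"),
    Hit("dos_header", 0x0000000000400000, b"\x00\x01\x02\x03"),   # no owning VAD
)

if __name__ == "__main__":
    for style in ("hex", "dump"):
        print(f"--- style={style} ---")
        for rule, pid, name, off, body in render(SAMPLE_HITS, SAMPLE_PROCS, style):
            print(f"{rule}\tPID {pid if pid is not None else '-'}\t{name}\t{off:#x}")
            print(body)
```

The join in `owner_of` is the part the CLI cannot do generically: it needs an OS-aware view of which ranges belong to which process, which is exactly why the windows-specific vadyarascan can print PID and name while the OS-agnostic yarascan only has the layer offset and the bytes.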
@ikelos Thanks for the tip and extra information about the project! vadyarascan works perfectly for my needs. I will take a look at the rich clients you mention as well.
Yarascan (windows.vadyarascan) of volatility3 (beta) only shows a hexdump of the search string.
A sample run would look like the following:
By the way, in volatility 2.6 it is displayed as follows.