volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Volatility 3 as library example #854

Closed IridiumXOR closed 1 year ago

IridiumXOR commented 1 year ago

Is it possible to have an example of a minimal Python script using Volatility 3 as a library? The documentation is very cryptic and incomplete (no imports etc.)...

ikelos commented 1 year ago

Hiya, the documentation is there as a guide. I'm a little concerned that if we write a minimal script that people can just copy and paste, we'll end up seeing hundreds of little programs using that script as a way to get to volatility rather than, for example, writing a volshell snippet that could do the same thing?

It would be helpful to know which bits of https://volatility3.readthedocs.io/en/latest/using-as-a-library.html you found cryptic, so that we can improve them. We're not aiming for a "copy/paste/use" solution for the reasons I've given above, but we would like to make it easy to create your own tool using volatility 3 as a library? There are several existing examples around:

We'd hope developers would use these as templates, but equally if it's just a toy example to get volatility to a point where it's working and usable, I'd suggest volshell or the volshell snippets, which are small chunks of code run within the context of an instantiated plugin?

IridiumXOR commented 1 year ago

I don't ask for a "minimal script" to just copy and paste, but an example of the multiple things that it is possible to do with volatility in library mode. IMHO the documentation about volatility library behaviour is very poor: for example, how to load a dump and configure the automagic to operate on it without using vol.py or volshell? Why not include an example of it? If I want to perform operations on a memory dump (so memory address translations, get objects from symbols etc.), how do I start? If I only want to load a layer, how do I do it? Using volshell is not an option if volatility has to be used as a part of a bigger python program...
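The steps the two posts above argue about (load a dump, let the automagic stack the layers, run a plugin and inspect the result from your own program) are shown below as an added example; it is not code from the Volatility project or from either commenter. It assumes volatility3 is installed, follows the sequence described in the "using as a library" documentation page linked above (context, `import_files`, `list_plugins`, `automagic.choose_automagic`, `construct_plugin`), and assumes the `automagic.LayerStacker.single_location` config key, the `"plugins"` base config path, the `NullFileHandler` shape (modelled on the one volshell uses, written here by hand) and the dump path and plugin name passed on the command line. The helper functions at the top are plain Python so they can be checked without a memory image; only `run_plugin` touches the framework.

```python
"""Drive Volatility 3 in library mode (added example, not the project's own code).

Assumed usage: python vol3_library_example.py /path/to/memory.raw windows.pslist.PsList
"""
import io
import pathlib
import sys
from typing import Iterable, List, Tuple


def single_location(dump_path: str) -> str:
    """LayerStacker wants the dump as a file:// URL, not a bare path."""
    return pathlib.Path(dump_path).absolute().as_uri()


def build_config(dump_path: str) -> dict:
    """Config entries to seed the context with before the automagic runs.

    Only the dump location is mandatory; OS, layers and symbol table are
    discovered by the automagic (assumed config key, taken from the docs page).
    """
    return {"automagic.LayerStacker.single_location": single_location(dump_path)}


def row_visitor(node, accumulator: list) -> list:
    """TreeGrid visitor: node.values holds one row's column values."""
    accumulator.append(tuple(node.values))
    return accumulator


def run_plugin(dump_path: str, plugin_name: str) -> Tuple[List[str], List[tuple]]:
    """Load the dump, run one plugin by name, return (column names, rows)."""
    # Imported lazily so the helpers above stay usable without volatility3 installed.
    import volatility3.plugins
    from volatility3 import framework
    from volatility3.framework import automagic, contexts, exceptions, interfaces
    from volatility3.framework.plugins import construct_plugin

    class NullFileHandler(io.BytesIO, interfaces.plugins.FileHandlerInterface):
        """Swallows any file a plugin tries to write; we only want the table."""

        def __init__(self, preferred_name: str):
            interfaces.plugins.FileHandlerInterface.__init__(self, preferred_name)
            super().__init__()

        def writelines(self, lines: Iterable[bytes]):
            pass

        def write(self, b: bytes):
            return len(b)

    def progress(done: float, description: str):
        # Any callable taking (percent, text) is accepted as the progress callback.
        print(f"\r{done:5.1f}% {description}", end="", file=sys.stderr)

    framework.require_interface_version(2, 0, 0)
    ctx = contexts.Context()
    framework.import_files(volatility3.plugins, True)  # register the bundled plugins
    plugin_cls = framework.list_plugins()[plugin_name]
    for key, value in build_config(dump_path).items():
        ctx.config[key] = value

    # The automagic chain (layer stacking, OS detection, symbol lookup) runs inside
    # construct_plugin; an UnsatisfiedException names the requirements it could not fill.
    automagics = automagic.choose_automagic(automagic.available(ctx), plugin_cls)
    try:
        plugin = construct_plugin(ctx, automagics, plugin_cls, "plugins", progress, NullFileHandler)
    except exceptions.UnsatisfiedException as exc:
        raise SystemExit(f"automagic could not satisfy: {list(exc.unsatisfied)}")
    print(file=sys.stderr)

    # The stacked layers now live in the context; this is the same context you would
    # use for manual reads / address translation (ctx.layers[name].read(...)) or
    # for symbol-based object access, without going through vol.py or volshell.
    for name in ctx.layers:
        print(f"layer {name}: {type(ctx.layers[name]).__name__}", file=sys.stderr)

    grid = plugin.run()
    rows: List[tuple] = []
    grid.populate(row_visitor, rows)
    columns = [column.name for column in grid.columns]
    return columns, rows


if __name__ == "__main__":
    cols, table = run_plugin(sys.argv[1], sys.argv[2])
    print("\t".join(cols))
    for row in table:
        print("\t".join(str(v) for v in row))
```

`plugin.run()` returns a TreeGrid rather than printed text, which is the point of using the framework from a larger program: the rows come back as Python values that can be filtered or fed into whatever the surrounding tool does, and the populated context keeps the layers and symbol tables for further work.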

github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] commented 1 year ago

This issue was closed because it has been inactive for 60 days since being marked as stale.