Sunday, August 17, 2008

Introducing Volshell

This one's for all the command line lovers out there: I'm happy to release volshell, an interactive shell built on Python and designed with memory analysis research in mind. I gave a demo of this at my OMFW talk, "Interactive Memory Exploration with Volatility"; since it was more of a live demo, I don't have slides from that, but you can find my notes here. You should be able to follow the notes as a sort of walkthrough that will get you up and running with volshell, and introduce some of the more advanced features.

Briefly, here are some of the features of volshell:
  • Shell is a full Python interpreter, so all the power of Python can be leveraged.
  • Uses Volatility 1.3 object model for easy access to data structures in memory.
  • Can use iPython for the underlying shell if available, which enables some nice features.
  • Commands modelled after WinDbg.
  • Works with any memory image format that Volatility supports (dd, crash, vmem, hibernation file)
To use it, just download and drop it in your memory_plugins directory in Volatility 1.3. Then start the shell with:

$ python volatility volshell -f $IMAGE



JL said...

I just played around with this - Very cool! :-)

All the best,


Lakshmi N said...

Hello Brendan,

The OMFW Volshell notes is no more available at the site that you posted earlier. If you have a copy, can you please re-post it here.

Lakshmi N

narayana p said...

I like your blog, I read this blog please update more content on hacking, further check it once at python online training