Tuesday, March 3, 2009

Updates and a New Home for Plugins

As I've now released a number of plugins for Volatility, and some have gone through a couple revisions, I thought I'd put them all up on a single page, which can point to the latest versions and act as a sort of one-stop shop.

I've also updated the registry tools yet again, to fix some bugs and add new functionality, and also made some enhancements to volshell. You can read about the changes below:

Changes to VolReg:
  • New command hivedump: dump keys and timestamps (and optionally value data) from all hives to a CSV file.
  • Many improvements to robustness and error handling when reading key and value data.
  • When checking the registry hive names, catch exceptions and try to continue anyway (reported by chris).
Changes to volshell:
  • A new command, dis, is available. If distorm is installed, it will disassemble bytes from a given memory address as x86 code.
  • db no longer rounds length to a multiple of 4.
  • Use a single profile object throughout all commands (speed improvement)
  • dt can now overlay an arbitrary structure at an address, for example: dt('_EPROCESS', 0x81234567)
Enjoy!

4 comments:

Keydet89 said...

Awesome, thanks!

Keydet89 said...

Awesome, thanks!

Keydet89 said...

Awesome, thanks!

Mike said...

Why I'm I getting this error!

root@bt:~/Desktop/Volatility-1.3_Beta# python volatility hivelist -f /mnt/diskte
o memory.dd
Error: Invalid module [hivelist].

Volatile Systems Volatility Framework v1.3
Copyright (C) 2007,2008 Volatile Systems
Copyright (C) 2007 Komoku, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PART
ICULAR PURPOSE.

usage: volatility cmd [cmd_opts]

Run command cmd with options cmd_opts
For help on a specific command, run 'volatility cmd --help'

Supported Internel Commands:
connections Print list of open connections
connscan Scan for connection objects
connscan2 Scan for connection objects (New)
datetime Get date/time information for image
dlllist Print list of loaded dlls for each process
dmp2raw Convert a crash dump to a raw dump
dmpchk Dump crash dump information
files Print list of open files for each process
hibinfo Convert hibernation file to linear raw image
ident Identify image properties
memdmp Dump the addressable memory for a process
memmap Print the memory map
modscan Scan for modules
modscan2 Scan for module objects (New)
modules Print list of loaded modules
procdump Dump a process to an executable sample
pslist Print list of running processes
psscan Scan for EPROCESS objects
psscan2 Scan for process objects (New)
raw2dmp Convert a raw dump to a crash dump
regobjkeys Print list of open regkeys for each process
sockets Print list of open sockets
sockscan Scan for socket objects
sockscan2 Scan for socket objects (New)
strings Match physical offsets to virtual addresses (may take a while, VERY verbose)
thrdscan Scan for ETHREAD objects
thrdscan2 Scan for thread objects (New)
vaddump Dump the Vad sections to files
vadinfo Dump the VAD info
vadwalk Walk the vad tree

Supported Plugin Commands:
memmap_ex_2 Print the memory map
pslist_ex_1 Print list running processes
pslist_ex_3 Print list running processes
usrdmp_ex_2 Dump the address space for a process

Example: volatility pslist -f /path/to/my/file
root@bt:~/Desktop/Volatility-1.3_Beta#


Thanks,

-Mike