Volatility: plugins

Some plugins are not (or not yet) integrated into Volatility; here are the steps needed to use them.

Create a plugins folder wherever you want and put the plugins in it (usually Python files).

ll ../plugins/
total 80
drwxr-xr-x  4 alasta alasta 128 20 oct 12:09 .
drwxr-xr-x  7 alasta alasta 224  9 oct 21:22 ..
-rwxr-xr-x  1 alasta alasta 15161  6 oct 12:05 psinfo.py

/vol.py --plugins=../plugins/ --profile=WinXPSP2x86  -f /tmp/sample001.bin psinfo
Volatility Foundation Volatility Framework 2.6
Process Information:
 Process: svchost.exe PID: 1024
 Parent Process: services.exe PPID: 680
 Creation Time: 2012-11-26 22:03:32 UTC+0000
 Process Base Name(PEB): svchost.exe
 Command Line(PEB): C:\WINDOWS\System32\svchost.exe -k netsvcs

VAD and PEB Comparison:
 Base Address(VAD): 0x1000000
 Process Path(VAD): \WINDOWS\system32\svchost.exe
 Vad Protection: PAGE_EXECUTE_WRITECOPY
 Vad Tag: Vad

 Base Address(PEB): 0x1000000
 Process Path(PEB): C:\WINDOWS\System32\svchost.exe
 Memory Protection: PAGE_EXECUTE_WRITECOPY
 Memory Tag: Vad

Similar Processes:
C:\WINDOWS\System32\svchost.exe
 svchost.exe(1024) Parent:services.exe(680) Start:2012-11-26 22:03:32 UTC+0000
C:\WINDOWS\System32\svchost.exe
 svchost.exe(1068) Parent:services.exe(680) Start:2012-11-26 22:03:32 UTC+0000
C:\WINDOWS\system32\svchost.exe
 svchost.exe(940) Parent:services.exe(680) Start:2012-11-26 22:03:31 UTC+0000
C:\WINDOWS\System32\svchost.exe
 svchost.exe(1116) Parent:services.exe(680) Start:2012-11-26 22:03:33 UTC+0000
C:\WINDOWS\system32\svchost.exe
 svchost.exe(852) Parent:services.exe(680) Start:2012-11-26 22:03:31 UTC+0000

Suspicious Memory Regions:
---------------------------------------------------

Process Information:
 Process: alg.exe PID: 1888
 Parent Process: services.exe PPID: 680
 Creation Time: 2012-11-26 22:03:35 UTC+0000
 Process Base Name(PEB): alg.exe
 Command Line(PEB): C:\WINDOWS\System32\alg.exe

VAD and PEB Comparison:
 Base Address(VAD): 0x1000000
 Process Path(VAD): \WINDOWS\system32\alg.exe
 Vad Protection: PAGE_EXECUTE_WRITECOPY
 Vad Tag: Vad

 Base Address(PEB): 0x1000000
 Process Path(PEB): C:\WINDOWS\System32\alg.exe
 Memory Protection: PAGE_EXECUTE_WRITECOPY
 Memory Tag: Vad

Similar Processes:
C:\WINDOWS\System32\alg.exe
 alg.exe(1888) Parent:services.exe(680) Start:2012-11-26 22:03:35 UTC+0000

-SNiP--
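The useful part of psinfo's output is the "VAD and PEB Comparison" block: the image path and base address recovered from the VAD tree (kernel-side file object) are printed next to what the process's own PEB claims, and a disagreement is a classic sign that the in-memory image is not what the process says it is. As an added example (not part of the original post and not code from the psinfo plugin), the Python script below parses that text output and flags every process whose VAD and PEB paths or base addresses disagree. The parser is written only from the output format shown above; the sample input is constructed: the first record copies the healthy svchost.exe record from the dump, the second is an invented mismatch so the check has something to report.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in psinfo's text format. Record 1 mirrors the healthy
# svchost.exe (PID 1024) shown above; record 2 (PID 4242) is invented so that
# the VAD/PEB comparison has a discrepancy to find.
SAMPLE = r"""
Process Information:
 Process: svchost.exe PID: 1024
 Parent Process: services.exe PPID: 680
 Creation Time: 2012-11-26 22:03:32 UTC+0000
 Process Base Name(PEB): svchost.exe
 Command Line(PEB): C:\WINDOWS\System32\svchost.exe -k netsvcs

VAD and PEB Comparison:
 Base Address(VAD): 0x1000000
 Process Path(VAD): \WINDOWS\system32\svchost.exe
 Vad Protection: PAGE_EXECUTE_WRITECOPY
 Vad Tag: Vad

 Base Address(PEB): 0x1000000
 Process Path(PEB): C:\WINDOWS\System32\svchost.exe
 Memory Protection: PAGE_EXECUTE_WRITECOPY
 Memory Tag: Vad

Suspicious Memory Regions:
---------------------------------------------------

Process Information:
 Process: svchost.exe PID: 4242
 Parent Process: services.exe PPID: 680
 Creation Time: 2012-11-26 22:10:00 UTC+0000
 Process Base Name(PEB): svchost.exe
 Command Line(PEB): C:\WINDOWS\System32\svchost.exe

VAD and PEB Comparison:
 Base Address(VAD): 0x400000
 Process Path(VAD): \Documents and Settings\user\Local Settings\Temp\svchost.exe
 Vad Protection: PAGE_EXECUTE_WRITECOPY
 Vad Tag: Vad

 Base Address(PEB): 0x1000000
 Process Path(PEB): C:\WINDOWS\System32\svchost.exe
 Memory Protection: PAGE_EXECUTE_WRITECOPY
 Memory Tag: Vad
---------------------------------------------------
"""

# Field patterns derived from the output format shown in the post.
PID_RE = re.compile(r"Process:\s*(\S+)\s+PID:\s*(\d+)")
VAD_BASE = re.compile(r"Base Address\(VAD\):\s*(0x[0-9a-fA-F]+)")
VAD_PATH = re.compile(r"Process Path\(VAD\):\s*(.*)")
PEB_BASE = re.compile(r"Base Address\(PEB\):\s*(0x[0-9a-fA-F]+)")
PEB_PATH = re.compile(r"Process Path\(PEB\):\s*(.*)")
RECORD_SEP = re.compile(r"^-{5,}[ \t]*$", re.MULTILINE)


@dataclass
class ProcRecord:
    name: str
    pid: int
    vad_base: int
    vad_path: str
    peb_base: int
    peb_path: str


def normalize_path(path: str) -> str:
    """Make the VAD path (no drive letter, kernel object style) comparable
    with the PEB path (Win32 style): drop the drive letter, case-fold."""
    path = re.sub(r"^[A-Za-z]:", "", path.strip())
    return path.replace("/", "\\").lower()


def parse_psinfo(text: str) -> List[ProcRecord]:
    """Split psinfo output on its dashed separators and pull one record per process."""
    records = []
    for block in RECORD_SEP.split(text):
        head = PID_RE.search(block)
        if not head:
            continue  # trailing whitespace or a block without a process header

        def grab(rx: "re.Pattern") -> str:
            m = rx.search(block)
            return m.group(1).strip() if m else ""

        records.append(ProcRecord(
            name=head.group(1),
            pid=int(head.group(2)),
            vad_base=int(grab(VAD_BASE) or "0", 16),
            vad_path=grab(VAD_PATH),
            peb_base=int(grab(PEB_BASE) or "0", 16),
            peb_path=grab(PEB_PATH),
        ))
    return records


def find_inconsistencies(records: List[ProcRecord]) -> List[Tuple[int, str, List[str]]]:
    """Return (pid, name, reasons) for every process whose VAD and PEB views disagree."""
    findings = []
    for r in records:
        reasons = []
        if normalize_path(r.vad_path) != normalize_path(r.peb_path):
            reasons.append(f"path mismatch: VAD={r.vad_path!r} PEB={r.peb_path!r}")
        if r.vad_base != r.peb_base:
            reasons.append(f"image base mismatch: VAD=0x{r.vad_base:x} PEB=0x{r.peb_base:x}")
        if reasons:
            findings.append((r.pid, r.name, reasons))
    return findings


if __name__ == "__main__":
    for pid, name, reasons in find_inconsistencies(parse_psinfo(SAMPLE)):
        print(f"[!] {name} (PID {pid})")
        for reason in reasons:
            print(f"    - {reason}")
```

Run it against a real dump with `vol.py ... psinfo > psinfo.txt` and feed the file to `parse_psinfo`. The path normalization matters: the VAD path comes from the file object (`\WINDOWS\system32\...`) while the PEB path is Win32-style with a drive letter and different casing, so a naive string compare would flag every process.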

PSinfo Git repo