
Volatility conventions, part 16


Overview

I looked into the conventions for Volatility.
I tried writing a plugin.

Sample code

import volatility.plugins.common as common

# The class name, lowercased, becomes the command name (here: testplugin).
class TestPlugin(common.AbstractWindowsCommand):
    """Prints Hello world!"""  # the docstring is shown as the plugin's help text
    def render_text(self, outfd, data):
        # calculate() is not overridden, so data is None; only the text is written
        outfd.write("Hello world!\n")

Result

volatility --plugins=voltest/ -f zeus.vmem/zeus.vmem testplugin
Volatility Foundation Volatility Framework 2.6
Hello world!

Sample code

import volatility.plugins.common as common
import volatility.utils as utils
import volatility.win32 as win32

class Test2(common.AbstractWindowsCommand):
    """ Works exactly like pslist """
    def calculate(self):
        # load the address space for the image given with -f (and the selected profile)
        addr_space = utils.load_as(self._config)
        # walk the active process list (_EPROCESS objects), as the pslist plugin does
        tasks = win32.tasks.pslist(addr_space)
        return tasks
    def render_text(self, outfd, data):
        # data is whatever calculate() returned: one _EPROCESS object per process
        for task in data:
            pid = task.UniqueProcessId
            create_time = task.CreateTime
            process_name = task.ImageFileName
            outfd.write("{0}\t {1}\t {2}\n".format(pid, create_time, process_name))

Result

volatility --plugins=voltest/ -f zeus.vmem/zeus.vmem test2
Volatility Foundation Volatility Framework 2.6
4	 1970-01-01 00:00:00 UTC+0000	 System
544	 2010-08-11 06:06:21 UTC+0000	 smss.exe
608	 2010-08-11 06:06:23 UTC+0000	 csrss.exe
632	 2010-08-11 06:06:23 UTC+0000	 winlogon.exe
676	 2010-08-11 06:06:24 UTC+0000	 services.exe
688	 2010-08-11 06:06:24 UTC+0000	 lsass.exe
844	 2010-08-11 06:06:24 UTC+0000	 vmacthlp.exe
856	 2010-08-11 06:06:24 UTC+0000	 svchost.exe
936	 2010-08-11 06:06:24 UTC+0000	 svchost.exe
1028	 2010-08-11 06:06:24 UTC+0000	 svchost.exe
1088	 2010-08-11 06:06:25 UTC+0000	 svchost.exe
1148	 2010-08-11 06:06:26 UTC+0000	 svchost.exe
1432	 2010-08-11 06:06:26 UTC+0000	 spoolsv.exe
1668	 2010-08-11 06:06:35 UTC+0000	 vmtoolsd.exe
1788	 2010-08-11 06:06:38 UTC+0000	 VMUpgradeHelper
1968	 2010-08-11 06:06:39 UTC+0000	 TPAutoConnSvc.e
216	 2010-08-11 06:06:39 UTC+0000	 alg.exe
888	 2010-08-11 06:06:49 UTC+0000	 wscntfy.exe
1084	 2010-08-11 06:06:52 UTC+0000	 TPAutoConnect.e
1732	 2010-08-11 06:07:44 UTC+0000	 wuauclt.exe
1724	 2010-08-11 06:09:29 UTC+0000	 explorer.exe
432	 2010-08-11 06:09:31 UTC+0000	 VMwareTray.exe
452	 2010-08-11 06:09:32 UTC+0000	 VMwareUser.exe
468	 2010-08-11 06:09:37 UTC+0000	 wuauclt.exe
124	 2010-08-15 19:17:55 UTC+0000	 cmd.exe

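Added example, not code from the original post: a plugin in the same style as Test2 that also prints the parent PID (the `InheritedFromUniqueProcessId` field of `_EPROCESS`) and, for the core Windows XP processes, checks that the parent is the one expected in the well-known XP process tree. The check lives in `check_parents()` and the Volatility import is guarded, so it can be run against a constructed sample without a memory image; the `PsParent` name, the `EXPECTED_PARENT` table and the sample PPIDs are my assumptions.

```python
# Added example, not from the original post; import guarded so check_parents() runs without Volatility.
try:
    import volatility.plugins.common as common
    import volatility.utils as utils
    import volatility.win32.tasks as tasks
    Base = common.AbstractWindowsCommand
except ImportError:
    Base = object
# Well-known XP process tree; Vista+ differs (lsass.exe/services.exe under wininit.exe).
EXPECTED_PARENT = {
    "smss.exe": "system", "csrss.exe": "smss.exe", "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe", "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe", "spoolsv.exe": "services.exe", "alg.exe": "services.exe",
}

def check_parents(procs):
    """procs: (pid, ppid, name, create_time) tuples -> same tuples plus a note."""
    name_by_pid = {p[0]: p[2].lower() for p in procs}
    rows = []
    for pid, ppid, name, ctime in procs:
        note = ""
        expected = EXPECTED_PARENT.get(name.lower())  # None: not a core process
        if expected and ppid not in name_by_pid:
            note = "parent PID {0} not running".format(ppid)
        elif expected and name_by_pid[ppid] != expected:
            note = "unexpected parent {0} (expected {1})".format(name_by_pid[ppid], expected)
        rows.append((pid, ppid, name, ctime, note))
    return rows

class PsParent(Base):
    """pslist with PPID and a Windows XP parent-process sanity check"""
    def calculate(self):
        addr_space = utils.load_as(self._config)
        procs = [(int(t.UniqueProcessId), int(t.InheritedFromUniqueProcessId),
                  str(t.ImageFileName), str(t.CreateTime))
                 for t in tasks.pslist(addr_space)]
        return check_parents(procs)
    def render_text(self, outfd, data):
        for pid, ppid, name, ctime, note in data:
            outfd.write("{0}\t{1}\t{2}\t{3}\t{4}\n".format(pid, ppid, ctime, name, note))

# Constructed sample: PIDs/names from the zeus.vmem listing, PPIDs and last row made up.
SAMPLE = [
    (4, 0, "System", "1970-01-01 00:00:00 UTC+0000"),
    (544, 4, "smss.exe", "2010-08-11 06:06:21 UTC+0000"),
    (632, 544, "winlogon.exe", "2010-08-11 06:06:23 UTC+0000"),
    (688, 632, "lsass.exe", "2010-08-11 06:06:24 UTC+0000"),
    (1724, 1700, "explorer.exe", "2010-08-11 06:09:29 UTC+0000"),  # parent exited: normal
    (9999, 1724, "svchost.exe", "2010-08-15 19:17:55 UTC+0000"),   # svchost.exe under explorer
]
```

Processes outside the table (explorer.exe, whose parent userinit.exe exits normally) are left unflagged, so the note column only reports the core processes whose parent is missing or wrong.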
That's all.
